GDPR Legislation impact on A/B Testing

Julie Pittoors
The Marketing Analyst
Aug 17, 2022

How is the discipline of A/B Testing impacted by the GDPR legislation and the lack of a legal framework for data transfers between the EU and US?


Please refer to the previous article of The Marketing Analyst to first understand the legal framework of the GDPR.

What does A/B Testing mean?

A/B testing is a method of comparing two versions of a webpage or app against each other to determine which one performs better. The goal is to optimize the customer journey against a certain business objective. A/B testing technology will help you create different variants, assign website visitors to one of those variants and provide statistical analysis on which variant performed best.

Consent needed?

Whether or not A/B testing falls under the lawful basis of consent depends very much on the type of experiment you want to run.

A research design in which website visitors are randomly assigned to one of the variants can, in principle, take place without the need for explicit consent. Please note that most A/B testing solutions work with cookies and that the user will have to grant permission for these cookies to be placed.

However, an experiment that is based on certain profile characteristics of a visitor or on historical behavioural data falls under profiling. This does require consent.

Since most A/B testing solutions offer the possibility of setting up tests based on a profile, it is safer to assume that consent is required before the A/B testing scripts can be loaded.

Data transfers

Since A/B testing solutions largely have the same tracking capabilities as digital analytics solutions, it is advisable to assume the same reasoning applies: for the European DPAs, tracking of conversions in combination with a cookie ID will be sufficient to consider it an illegal data transfer to the US.

However, this remains a theoretical discussion and the chance that this type of data is actually relevant for the surveillance services is very small.

Our advice

Think critically about what A/B testing technology is used for within your organisation:

  1. Is it purely about randomly assigned experiments?
    → You could apply the same rules to the use of A/B testing technology as you do to your digital analytics solution.
  2. Is it used to personalise the user experience?
    → You could provide a specific consent category for the use of A/B testing technology. After all, the user has the right not to be approached personally. And there is a difference in purpose between reporting and personalisation.

In terms of data transfers, the same logic applies as with digital analytics solutions: they collect cookie IDs and have access to the User Agent and IP address. However, A/B testing technologies are less well known to the general public and they are also considered less intrusive by privacy activists. Therefore, the chance of receiving complaints because of an A/B testing solution is smaller than with digital analytics solutions.

European alternatives

If you prefer to switch to a European alternative, you might want to consider one of the following A/B testing solutions:

Kameleoon (headquarters in Paris, France)
Ablyft (headquarters in Kiel, Germany)
Optimizely (EMEA headquarters in Stockholm, Sweden)
Convert (headquarters in Delaware, USA — but all data is stored in Frankfurt and they claim that none of the data is transferred outside the EEA)

Last word

Please realise that the context in which we work today will continue to evolve. It is therefore important that you approach this topic from a strategic point of view and do not see it as a one-off thought exercise.

It is time to take responsibility when collecting data, however banal it may sometimes seem. Make sure you have the right knowledge of the technologies you use and stay abreast of new developments, both legal and technological.

We hope this article has given you the tools to have an informed discussion within your organisation. Other disciplines impacted by the GDPR legislation are discussed in the following links:

Does all this seem very challenging to you? Then do not hesitate to call on specialised parties. For example, deJuristen for the legal framework and Stitchd for the technical possibilities. They support many organisations, both large and small, specifically in this area.


Julie Pittoors
The Marketing Analyst

Currently working as a marketing scientist consultant and marketing manager to both combine the aspects of creativity and data science.