The ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. – Wikipedia
Relevance in CRO
People don’t like being spied on, but let’s face it… this is basically what us CRO folks do. In our heads, we justify it with a more palatable spin. We tell ourselves that we’re improving and optimizing the user experience; making the lives of our users easier (or harder if you’re a terrible unethical person that employs dark patterns). Heatmaps, session replays, A/B tests, analytics… these are the tools of our trade. They all collect huge amounts of user behavior data. All of this data is valuable; that’s the whole reason systems have been set up to collect it in the first place. Current user behavior data is evaluated in order to determine how best to affect future user behavior, usually with the goal of creating some business benefit. What, you’re not an altruistic A/B tester?
A huge concern with collecting massive amounts of data is that it can be used to identify individuals; either through sufficiently unique data points such as email addresses, usernames, or IP addresses, or through profiling techniques like fingerprinting. Bad actors can use this data for manipulation, fraud, scams, etc. Data breaches are an all too common occurrence and garner bad press. Users do not trust companies to have good data handling and security. There has been increasing public outcry that individuals want control over the data that they create, hence laws like GDPR and CCPA. With more on the horizon, privacy laws are here to stay.
Consent, transparency, and control are the cornerstones of privacy.
- Consent: any entity that wishes to collect data must ask for permission from the user
- Transparency: the user must be informed about what data the entity has collected about them
- Control: the user must be able to delete data that the entity has collected about them
This is the broad strokes, there are exceptions carved out and inconsistencies between laws in different regions. Does this mean an end for optimization and A/B testing? Most certainly not. There are still ways to test and be legally compliant. Some laws recognize experimentation as a valid use-case for collecting data. They allow for serving variations, as long as behavior data is collected only if consent is given. It’s all about the order of operations: serve the variations, request permission to track, start tracking after permission is given. This is not an insurmountable hurdle by any means.
- Running Smarter A/B Tests Carefully – Mixpanel
- How to A/B Test to Optimize the Data Collection Consent Experience for Users – InfoTrust
- Convert Blog Articles Discussing Privacy – Convert Experiences
- Analytics and A/B Testing Cookies – Dennis van der Heijden
- GDPR -GDPR.eu
- CCPA – California’s Office of the Attorney General