Marketing was hitting a dead end. Not making ends meet and failing to hit their quarterly KPIs.

The ROI on ads was dropping to the point where it wasn't sustainable.

On-site conversions were stagnant no matter how much they were optimising.

Up-sells were non-existent.

And nothing the team did was helping.

They had it all. The data. The analytics. The mailing list.

And then the legal team started butting in.

What fun.

"You can’t send those emails - they are considered marketing emails."

"You can’t track that user - they did not consent,"

It was shit, at best.

Then on top of that, legal wanted to bring in a consultant (me!) to help marketing “understand privacy”.

Needless to say, I was not well received.

And why would I be? They didn’t know me. They thought of me as just another privacy fanatic. Or, even worse, a lawyer.

It took getting to know each other.

Time to realise that I used do doe the same exact job they did. That I understood them and their hesitancies when it came to all that regulation.

Most importantly, it took the time to understand that we all wanted the same thing.

I wanted growth, I wanted the business to thrive.

Just like marketing did.

So how did we turn it all around? How did we nurture growth?

And how did we do that all by making it about privacy?

Step 1: What do we actually need?

It was back to the drawing board. We gathered everything. From clicks to emails. From pixels to payment processors.

We collect all.

And then we had a moment, taking it all in.

It was a lot.

Did we really need all that? Were we taking actions on all of that data?

Maybe a ¼ of it, if that.

Step 2: Back to basics

We trashed most of it.

We turned off all tracking not required.

We stopped spending money where there was no ROI.

We stopped working with third party vendors we didn’t think helped us.

It was scary. It was ballsy. It got our adrenaline flowing.

And suddenly making decisions on data was so much easier.

Step 3: Start respecting the customer

Now that we actually understood what was going on we started brainstorming how we can make it about the customer - for real.

Really respect them and their data - not just say we do.

We reworked content, we made sure we were transparent about what we do with data, we were accessible, we were clear.

No legalese anywhere (we worked with legal to rework everything).

In the end…

Customers were happier.

Customers spent more money (while my client spent less).

We sent less emails but increased revenue from emails.

The money we spent had actual ROI.

This is privacy-first marketing.

It’s putting the customer first.

It’s respecting their data.

It’s respect.

I booked an AirBnB.

Self check-in. Cute. Good coffee. Great location. Beautifully designed.

It was a dream.

At the end of my first day, brain dead, I stumbled up the stairs. Opened the door and dropped everything on the floor and collapsed on the bed.

Then, out of nowhere, my iPhone had one of those I-need-you-to-pay-attention-to-me-right now alerts. Those that make you jump.

I scramble to find it in the heap of things on the floor.

It says:

Someone is tracking you.

Wait? What?

What do you mean - tracking me?

I click on the message and this is what I see.

I was a bit confused.

But then, slowly, it sunk in.

Someone was tracking my every move since 4AM!!!! They can see my every move on a detailed map. Every single place I’ve been.

I looked everywhere for a tag.

Dumped my bag.

Searched all pockets.

Finally found it, hidden in the keychain.

Clearly the owner has had some issues with people loosing their keys (at least I hoped that was the reason) and thought this was the solution.

He clearly didn’t first think:

• What would someone feel like if they found out they are being tracked?

• Why do I need to track them?

• Is there a better way?

• Should I be transparent about tracking them?

In marketing it’s similar. We want all the info.

We don’t first think:

• What do we need it for?

• Do we really need all of it?

• Does it have to be that invasive?

• Are we being transparent about it?

• Is there another way we can make this campaign successful?

• How would I feel about it?

And it’s not only that. It’s not only about respecting the user and their privacy.

It’s also not exclusively about following the principles of data minimisation, and purpose limitation.

It’s about the consequences.

Do you know the first thing I did once I realised that someone decided to track my every move while I was renting an apartment from him (no, there were no notices of this anywhere - I looked for them)?

I started checking for:

• cameras

• baby monitors

• other tags

• notices that I’m being tracked

• wondering if the key code entry was transmitting anything

And I definitely didn’t sleep well that night. And I cleared out of there quick. Found another place to stay.

The same happens with our customers if we are not clear about what we are doing.

If we abuse their trust.

If we track them without concern.

When they find out they run.

They think about all the other invasive things you could be doing.

You loose them, for life.

Is it worth it?

A quick read on how to detect you are being tracked by an AirTag if you are outside of the Apple ecosystem.

So, how did it all end?

I wanted to believe that the owner of the AirBnB just didn't think it through. After bringing this up (no I was not a b*tch about it)

I got the following response:

Starting my LLM (no I never went to law school before this) has pushed me to the edge in terms of time and new learnings. I'm needing to retain things I never thought I would care to. So I created a system to organise, as best I can, my cases, notes, laws, regulations, and articles. To create a "Legal Brain" that I can reference as I write case notes, papers, and start working on my thesis.

Whenever I mention this most imagine that I have this mega spreadsheet or Airtable with all my cases listed and tagged.

I tried that in Week 1. Wasn't going to work for me.

You see, the point is not to have a list of cases.

The point is not to have all the directives, regulations, proposals, opinions, and guidelines in one place.

The point is that you can easily reference whichever case, guideline, opinion, article, etc is appropriate to whatever you are researching or questioning.

That can't be done with a list.

A list doesn't help you make connections. It just list things you usually need to know about to find.

So I create my system. My Legal Brain.

It's quite simple once you think about it but life changing once implemented.

The main idea is to allow yourself to find anything that is related to anything within the "brain" or network. Everything should be and is connected and it should be open to receiving more connections as they are made.

To allow these connection to occur I need the ability to be able to find things by case, topic, regulation, etc.

To allow for this to work I need a solid structure of tags and queries.

The Basics

(note: I use Tana to do this and it is heavily inspired by the SN(A)CK system created for Tana by Theo Køppen)

I use a few supertags which I extend as needed. (A super tag is a tag that can have others nested below it. Those below reference the above tag but can have their own unique parameters as well)

Each of the tags has a set of fields to help me condense my thoughts. Fields range from simple "date decided" to "case summary".

Queries are build around these tags and fields to allow me to find connections and clusters of information. It's what allows me to see connections, generate ideas, and build relationships.

The workflow

My workflow, let's say during a lecture, would look something like this.

Take notes (#lecturenote) and as a case is mentioned tag it #case.

As a questions arises that I want to ask later tag it #question.

Any note of interest that I want to be able to refer back to easily is tagged #note.

Any legal act of sorts is tagged either #regulation, #directive, etc. which are all an extension of a supertag called #legal-instrument.

Each of the above tags have one mandatory field that ties it all together called "related to". It acts as the connector.

The topics, along with the cases, regulations, articles, etc are all kept in my Legal Brain.

Once all the information is there I can explore any cluster.

Let's say I am writing on Legitimate Interest, I would look into that topic within my notes and see all related cases, notes, articles, etc to have a starting point to reference. If that is not enough I can happily go down the rabbit hole of related cases to the cases mentioned, related topics to those mentioned, or related articles to those mentioned.

This is not limited to topics but can be done for all. i.e I can go to a case a see all related cases and articles. I can go to an article of the GDPR and fine all related cases and notes. Etc.

In short, everything is connected and as long as I allow myself to explore I can find those relationships and create more as I dig deeper.

I let my brain go down rabbit holes to explore the connections and relationships that may, or may not, be relevant.

This system has created a way for me to more consistently be able to find those relationships and connections.

Closing Note

My Legal Brain, like my own, is alive. It's changing all the time. It get's adjusted. It allows for fluidity.

The moment I let it die and don't maintain it it looses it's usefulness. It's not designed to be just another list of things I might, but will never, reference.

TikTok, Fortnight, Facebook - they all got slammed for dark patterns.

The EDPB (European Data Protection Board) has issued guidelines that revolved around dark patters such as how they affect Cookie Banners and how to recognise and avoid dark patterns in social media platforms.

To say the least - dark patterns are, and will, be on the forefront of privacy and data protection minds. It will also influence fines and penalties.

Marketers use dark patterns without thinking twice. Callingl it "marketing psychology" or "cognitive biases".

Let's dive into some of the more common ones and how we can adjust for them to be more compliant when it comes to privacy and, ultimately, respect our users decision about what to do with the personal data.

What are Dark Patterns:

According to Harry Brignull, the designer who coined the term, dark patters are “tricks used in websites and apps that make you do things that you didn't mean to, like buying or signing up for something.”

Relating to privacy specifically they are deceptive design practices used by websites and apps to collect more personal or sensitive data from you.

Marketing and Dark Patterns

• Marketers use dark patters to get people to:

• Opt in to emails and messages

• Give uniformed consent

• Take risky decisions in regards to their privacy

• Share more data, or buy more, than they intended

A recent McKinsey study in North American showed that people prefer companies that limit their use of personal data. Even more of a reason to consider being open and transparent about what you are doing instead of tricking the user with deceptive design.

So what can marketers do instead:

• Use language that is easy for consumers to read and understand.

• Avoid friction when consumers cancel, unsubscribe or refuse to subscribe.

• Explain consequences in a neutral way.

• Offer balances and symmetric choice.

• Don't use pre-selected check boxes to get consent.

• Avoid manipulative interface and language that might steer consumers in a certain way.

• Make sure privacy notices, T& C's, etc are easy to find and disclosed at the appropriate point within the users journey.

• Use design to enable user to make an informed choice.

• Allow for users to have a privacy first experience on a given website or app.

• Include a privacy expert within your design process.

Top Types Dark Patterns

Confirmshaming

This dark pattern is simple. You are guilting a user into something they don't necessarily intent to do.

It's a classic used to get people to give you an email in exchange for a discount. It's everywhere.

The "No, I don't want a discount" link we need to click on.

Or this:

What to do instead?

We can offer a clear and informed choice. Let the user determine what they want.

Ways to do this is to:

Inform the user as to what you are collecting and why to help make an informed decision.

Use symmetric design and wording such as "Yes" and "No" instead of "Yes" and "No, I don't want to save money".

Misdirection

Misdirection is using confusing wording or making one choice more prominent than the other.

Such as TikTok.

They want:

Access to your friends lists

Your email

Show personalised ads

Confusing for sure - there is just way to much going on. And then you only have two choices: a clearly preferred "OK" and then the greyed out "Don't Allow"

What to do instead?

Only ask for the data you actually need. Not more.

Let the user know why you need the data and what you will do with it.

Only ask for one thing at a time or give the user a choice as to which elements they want to opt in and out of.

Make your options balanced (as mentioned above).

Roach motel design

The roach motel design is just like a roach - easy to get, hard to get rid of. It's providing an easy path to get in but a difficult path to get out, such as when it’s easy to sign up to a subscription but much less easy to cancel.

For example when you are trying to cancel a software trial:

First you click on Cancel Trial (usually greyed out or hard to find).

After finding, and clicking on the button, you come to a new page with the option to Downgrade with a list of features you might loose. Time to find the Cancel button again - usually hidden and tiny somewhere on the bottom of the page.

Wait, Why you want to downgrade? (It's all in the name of user research) Give them a reason and get ready to be asked - again - if you don't want to stay on. They will provide a Major Discount.

Find the Continue to Cancel button again.

Finally.

You've made it.

You've cancelled your free trial.

Now imagine that flow when a user wants to withdraw consent for tracking.

What to do instead?

It's simple. Make it as easy to opt out, cancel, unsubscribe, as it was to get onboard.

Show a clear unsubscribe button and honour it.

Allow users to cancel easily without making them jump through hoops.

Let them opt-out with one click and without consequences.

Privacy Zuckering

Named after Facebook CEO Mark Zuckerberg, this dark pattern tricks users into sharing more information than they intend to. It's used a lot when agreeing to new terms and conditions, such as the WhatsApp example below.

What do to instead?

Be clear about changes up front.

Don't pre-tick boxes that are accepting something the user might not understand.

Use simple language when communicating any changes.

Highlight changes in the privacy policy or T&Cs that have changed since the last time for the user to easily understand.

Consider offering the conditions in other languages for ease of understanding.

These are by no means all the dark patters there are but hopefully this shows you how to think about alternative ways to market all while respecting your user.

What is LTP?

Link Tracking Protection will remove all parameters from the URL that identify a user.

So if you have a URL with campaignID you're ok.

A URL that also adds a clickID is not.

The link will still work but it will have the clickID stripped.

This is for all user specific tracking parameters, not only clickID.

Before:

https://mytestsite.com/ad_engage?click_id=YG586KGE9kh35&campaign_id=26

After:

https://mytestsite.com/ad_engage?campaign_id=26

LTP will be automatically enabled from Mail, Messenger, and Safari.

Why do we care?

Because Apple Mail is about 58% of the market share.

Not only that in the USA messenger has a significant market share (16% as of 2020) that is going up every year. And we all know Safari has around 20% worldwide across all platforms (27% Mobile only).

But forget all the data for now.

Remember what happened with iOS14?

Your open rates went to shit.

That's about to happen with attribution too - unless you work on a more privacy focused attribution model.

Ok great, now what?

Here are some of of the steps that I would take to start preparing for the change (Appel usually releases their new iOS in September or October and you'll have a few months before adoption becomes significant):

• Understand what share of your users will be affected.

• Research Private Click Measurement (Apples tracking solution) and other solutions.

• Reconsider your attribution model.

• Adopt more privacy focused attribution methods.

We see it a lot. It’s a common reason for a fine. Usually lumped together with a bunch of other Article 5 violations.

So what is it all about. 

Article 5(1)(c) of the GDRP is also know as the Data Minimisation principle and states:

(Personal data shall be…)

“(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”

And it’s not limited to the GDPR. Most US privacy laws also contain data minimisation regulation of some sort such such as:

“(c) A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

And Data Minimisation, as you can see above, usually does not live alone. It’s combined with purpose limitation as well as storage (or retention) limitation. 

But first, what is Data Minimisation?

Essentially, it's means to only collect the data needed to run your business - not more.

What does that mean for marketing?

Only collect that data you can action on, that drives decision making.

It means that you need to develop a clear data strategy and fully understand what the purpose of each data point is that you collect.

There has to be a purpose behind every piece of personal data you are collecting.

Why?

Well, it’s hard to practice the principle of Data Minimisation of you don’t understand the purpose of your data nor have a retention strategy. 

If you don’t have a purpose for the personal data you collect, then you shouldn’t collect it.

If you don’t have a retention schedule for the personal data you collect, then you should not collect it. 

It all comes down to strategy. Needing to have a clear data minimisation strategy is becoming essential if you want to stay compliant.

You should:

• only collect what you really need

• have a clear purpose to collect it

• have a retention schedule defined for each data point

How does this look in real life?

Let’s take a simple eCommerce transaction that requires you to ship the customer a t-shirt. 

What do we need?

Name - to know who to ship it to

Address - to know where to ship it 

Credit Card Info - to run the payment for the purchase

Retention of data is driven by various elements but in the above case we need to keep all the above information on file for returns, refunds, chargebacks, and tax reasons (depending on country up to 7 years)

Or consider you are asking users to sign up to download a white paper.

What do we need to collect?

We don’t need to collect anything really. We could just let them download the paper. But let’s assume you are using the white paper to expand your email list, then what?

Email - so we can send the email (providing they opt in)

Anything else? - No

You get the point, we only need to collect very little data and the less we collect the less risk there is. 

But we also need to grow and build a successful business, part of which is email marketing, building lead sources, re-marketing, etc.

So how do we find a balance as to what to collect and what not?

How can we still grow and honour the data minimisation principle?

Create a data minimisation strategy

Create a strategy that clearly defines:

• what data has to be collected

• why the data has to be collected

• what action will be taken on the data being collected

• how the data will affect decision making internally

• what functions the data has

• how long the data will be stored for 

• the reason the data is being stored for a certain length (i.e tax, transaction, marketing)

Is Data Minimisation worth it?

100%. I’ve been telling clients for years to only collect the data that they can action on - data that drives decisions. It allows for clarity and reduces the time looking for insights - it's easy to get lost in a table full of useless data.

Here are some additional ways data minimisation can help you:

• It helps you determine what data to collect, process, and store (and for how long to store it).

• It helps you discover what unnecessary data you are collecting.

• It helps expose any risks your data is exposed to while collecting, processing, and storing.

• It helps limit the amount of personal data you are collecting.

• It helps reduce the risk of a breach by limiting the amount of data you are collecting, processing, and storing.

• It helps reduce time spent looking for insights in your larger-than-life data mess.

Data minimisation is not only about privacy, compliance, and reducing risks. It's about making your data more accessible and being able to action on the data you have.

Let me tell you, it’s CCTV central - you can’t do anything without being watched. It's making me uncomfortable.

It's also making me appreciate that it's not the case where I am.

But they do warn you, everywhere, so at least you're in the know.

But to the point: my thoughts on ChatGPT.

What’s the deal with ChatGPT - other than being the new shiny toy everyone wants to play with?

Personally, I think the leaps forward in AI are amazing.

Yes, even ChatGPT.

There are so many ways that it can help us without causing any harm nor misrepresenting anything.

ChatGPT can help people with dyslexia write professional emails.

AI can help diagnose rare diseases.

And, of course, it can always help generate user personas off of a data set you feed it - or pull any insights out of any dataset you have providing none of that data includes personal data.

And that’s the thing.

No personal data!

We are so excited about ChatGPT, and the possibilities of AI in general, that we are going all in. We feed it meeting minutes that contain top secrete data, import data sets that include personal data to help us gather insights, and supply it with our company financials to generate quick reports.

I want to say STOP it all.

But that’s not really an option if we want to keep growing.

Where do we draw the line?

What can, can’t, and shouldn’t we do?

How can we allow for innovation and still respect the right to privacy?

I don’t have the answers.

I do know that there is a clear line and we are overstepping it.

We are sooooooooo excited that we have forgotten to think clearly about what we are doing, what the consequences are.

When it comes to using ChatGPT to help us in marketing the possibilities are endless but how does that impact our users and customers personal data - how do we approach using ChatGPT (or anything similar) while still respecting privacy?

When feeding ChatGPT data we need a purpose for the processing of the data. We need a legal basis such as consent, legitimate interest, performance of a contract, etc.

We also need to be transparent about it.

AND we need to be able to respect our users rights when it comes to their data (think „delete all my data“, „what data do you hold of mine“, etc.)

So what do we do when we upload user surveys into ChatGPT to help us generate customer personas?

If there is no personal data involve then great, you’re in the clear.

(Remember, personal data is a big, all encompassing, term. It’s any data that relates to an identified or identifiable person. The more data points you have the more likely they are, in combination, to be personal data.)

So what if you do want to upload personal data into ChatGPT?

In short, don’t.

Still want to…then think about the following:

• What is your purpose behind processing the data with ChatGPT?

• What is your legal basis?

• Do you have the users consent?

• Are you being open and transparent with your users that you are using ChatGPT to help you?

• How will you handle the situation if the user wants their data deleted?

• How can you get their personal data deleted from ChatGPT?

These are the questions you need to ask yourself as you get excited over the possibilities of how marketing will benefit from AI.

There are plenty of ways we can use it to help us, and I hope that we will use it to be better and more efficient marketers.

I’m also asking that you think about what should and should not be done.

So as you explore all your opportunities also explore what needs to be put in place for you and your team to act responsibly and not but any personal data at risk.

You'll get a fine unless you switch to an alternative

You hear it everywhere.

So....

Let's set the record straight.

Nothing is banned - the Data Protection Authorities don't have the authority to ban a tool or product.

But then what is the issue with Google Analytics?

This is where things get confusing.

- is it Personal Data?

- is it the transfer of data?

- is it a data residency or data jurisdiction?

It's a bit of all.

Personal data encompasses a lot of data points - and I mean A LOT. Any unique identifier, IP address, location, email, name, etc. It's practically a guarantee that you are processing personal data within your GA account, especially if you are linking to other Google tools such as GoogleAds.

Then we have the transfer issue. In short, the US (where Google is based) is not considered an "adequate" country - a country that is not considered up to par in regards to it's data protection and human rights according to the EU.

What does that really mean? It means we are not allowed to send personal data to the US unless we enter into a contract with standard contractual clauses that provide the data subject with a number of safeguards and rights in relation to their personal data. (Google does this btw.)

But the rights and safeguards needs to be equal to that what the EU provide. And that is a problem mainly due to FISA (The Foreign Intelligence Surveillance Act).

FISA allows the US to gather data and information on non-US citizens from any company within the US - which leads us to the next issue.

Data jurisdiction.

Where the data is located does not matter as much as what laws the data is being goverened by. Any US based company (such as Google) will need to hand the data to the US, if requested, regardless of where the data is actually stored.

To sum it up, it looks something like this:

Google Analytics collects personal data

AND

Google transfers that data to the US (this is the case for UA, for GA4 its debatable)

AND

Google is a US company so the US could have access to the data.

So now what?

So, what do you do now? Stick with Google Analytics and hope that the US-EU issues figure themselves out?

Believe Google when they say GA4 is privacy-focused and that's that?

Switch analytics providers?

It really comes down to what you business requires and your appetite for risk.

You'll need to ask your self a few questions:

What data do you really need?

List the data that you actually use. The data points you can action on. Not the "I want if/maybe....".

Something as simple as an agency site doesn't need much. eCommerce a bit more.

Look at your data and understand what you really need.

How valuable is that data to you?

What value does that data give to the business?

How valuable is that data to making decisions that affect the bottom line?

For example: For a company that relies heavily on Ads the data collected to understand the ROI of advertising campaigns have high value.

How much risk are you comfortable with?

How much risk are you willing to take?

Consider elements such as fines and what could happen if you are breached (this is a PR nightmare).

Weigh your odds

If, after the first question, you realise you don't need anything as complex as GA you've got the easy end of the stick; move on and find a simple alternative that gives you just what you need.

If you do need something such as GA4 and, none of the alternatives work for you, it's time to weigh your odds.

Does the value your data provides outweigh the risks?

A Note on Tools

Most tools do not work out-of-the-box. They all need some initial configurations to become compliant (yes, even GA).

Additional Resources:

CNIL guide on how to make GA compliant by using a proxy server

CNIL guidance and configuration guide for various analytics tools(mostly if you want to collect data before consent instead of relying on user consent)

Google support document on GA4 and it's EU privacy measures

A list of case summaries revolving around Google Analytics

What about consent?

Consent for cookies is an ePrivacy Directive issue. Protecting personal data of the user is GDPR. Above we focused on the GDPR issues around Google Analytics. Some SA's (Supervisory Authorities), France and Latvia for example, allow for a site to collect limited analytics data without consent arguing that basic audience measurement are strictly necessary - other SA's don't agree. Either way you will need to make sure you configure your analytics software to comply as out of the box it will not.

Closing Thoughts

Choosing (or leaving) an analytics tool is never easy and it's always easier to go with the mainstream option. But do you really need all that data?

Data for data sake is worth nothing, a waste of space, and increases risk. Any measurement strategy should start with the data you need - not want. The data you will work with. The data that will drive your decisions. The data you will action on.

Once you have a strategy in place, a reason and purpose for the data, only then is it time to consider compliance and what tools are right for your use case.

In short - it’s essential to growth.

A/B tests show a specific treatment - and change you have made and want to validate - to random users while measuring how the change affects the metrics you are testing for. To make sure any specific user sees the same version of the experiment for the whole duration of the test a cookie is set that stores all sorts of information and behaviours related to the experiment.

A big question for businesses in established (located or targeting EU based users)in the EU is if one can run an A/B test considering that it requires you to drop cookies.

The ePrivacy Directive (this is not really a GDPR issue) says that you need to get consent for all not strictly necessary cookies. Yes, that is even for cookies that do not hold any personal data.

To make it all more fun the ePrivacy Directive is interpreted slightly different by all individual EU member states but most agree that strictly necessary means anything that is required to make the site function - nothing else.

Load-balancing is ok but analytics is not.

This would imply that you can not drop a cookie for you A/B test unless you have consent. And since you can not drop a cookie pre-consent so you have to wait to get consent before loading a test.

This eliminates running an experiment on your home page or landing page as you don't want to re-load a page and show the experiment once a user has given consent. It also limits your sample size to the users who do consent.

A Solution (or rather, my way of thinking on this)

(This is not legal advice and always check with your DPO or legal team first)

In short - run the experiment.

Or, consider a soft-opt in for A/B test cookies.

Yes, I’m essentially saying that even thought you are dropping a cookie and you did not ask you users consent you should run the experiment. Especially if you are eCommerce or SaaS.

Why?

Because countries are not on the same page regarding if A/B testing is an exemption to the "strictly necessary" cookie rule.

The ePrivacy directive is applied by each country as it is not a regulation that has to be enforced in the same manner across the EU.

For example the CNIL - that is the supervisory authority in France - has an exemption for cookies used for A/B testing. Whereas the ICO, the Brits, say clearly that you can’t use an exemption for A/B testing.

Some other countries have not been tested or have not voiced their opinion.

CNIL

…and the ICO

What do I do if I'm not in France?

You evaluate your risk.

It’s essential, when making any privacy vs growth decisions, to evaluate the risks involved.

In most scenarios I would say the risk is quite low for A/B testing considering:

• Tests is only run for a limited time

• One usually only collects aggregated data with no intention to understand users individual behaviours

• Testing is expected by the user as it is a technique utilised to improve their user experience.

So....How?

(Again, make sure you run this by your legal team or DPO - I am not a lawyer and this is not legal advice.)

When trying evaluate if it is an experiment that could be run, keep it simple.

Ask your self the following:

What is my consent rate?

If your consent rate is above 50-60% and that is enough traffic to reach a decent sample size only run the experiment when you have consent.

Risk level: almost none

Is soft-opt in an option?

Can you use soft opt in to gather consent for testing?

Check you local laws (or the laws of the country you are targeting)

Is it possible to be clear and transparent so that the user knows what we are tracking and not?

Clearly communicate what it is you are doing when asking for soft-opt in.

What are the risks to your users data when running the experiment?

Mitigate any risks to your users data and only collect as little as you can get a way with.

When using soft opt-in make sure to:

• Be clear and transparent about what you are doing

• State why you are doing it (the purpose)

• Add experimentation to your Privacy Notice

• Make it easy to opt out

Risk level: medium-low

If all of the above fail

You don't have enough traffic with consent only and you don't think soft opt-in is an option?

Now what?

It all comes down to the amount of risk you are comfortable with. If the test is high value and the risk is relatively low (placing cookies with fast expiration, no personal data, etc.) then it might be worth it to run the test anyway.