What you need to know about Experimentation and Consumer Privacy

Consumer privacy, particularly the use of cookies to track user behavior, has been at the forefront of the privacy debate for some time. The European Union’s response was to enact GDPR (European General Data Protection Regulation) in 2018. During the same time frame, California put the California Consumer Privacy Act (CCPA) into law. Apple has also taken a firm stance on privacy, particularly with Intelligent Tracking Prevention (ITP), a privacy feature that allows its Safari web browser (on mobile and desktop) to block cookies that track users throughout the Internet. Open-source browsers such as Mozilla’s Firefox, also allow cookies to be blocked easily or greatly limit the duration in which they remain on a user’s device.

With legislation, regulation, and technology providers all affecting consumer privacy, it may be difficult to keep up. This guide is intended to focus specifically on how consumer privacy affects launching experiments on your website, and how Cro Metrics approaches privacy and compliance with both laws and the limitations of web browser technology.

Experimentation and Cookies

First, it’s helpful to understand how cookies work. Cookies typically come in two flavors: First-Party and Third-Party. 

Third-Party cookies are what Facebook might use to track your web browsing habits throughout the Internet. These have been at the forefront of the privacy debate. Most platforms that Cro Metrics uses to deliver experiments, such as Optimizely, Convert, VWO, A/B Tasty, Adobe Target, etc. do not generate Third-Party cookies for the purpose of rendering different experiences (experiment variations) on websites.

For the purposes of experimentation, First-Party cookies are used to uniquely identify visitors, track and attribute actions to experiments, and deliver consistent experiences across page views. They are typically combined with a feature called “local storage,” which is similar to cookies in that information about the user's behavior and interactions with the site are stored on their local device, and then referenced as needed by the experiment platform. In addition, local storage is also subject to privacy laws and technical restrictions.

Privacy and Cookie Consent

GDPR in particular requires consent to the use of all cookies (it’s worth noting that the cookie consent requirement relative to GDPR comes from the ePrivacy Directive, not from GDPR directly). This is often achieved by first performing a Geo IP lookup to determine if the user is subject to GDPR (do they reside in the EU), and then presenting them with an accept/deny prompt. However, many sites simply prompt users regardless of their geographical location. Similar to your website and company Privacy Policies, your particular implementation and legal interpretation of GDPR, CCPA, or any other cookie consent method is a decision that neither Cro Metrics, nor the experimentation platform can make or has any influence over. We offer no legal advice on the handling of cookies. What we can affect is how compliance to both cookie acceptance and privacy are implemented when it comes to the ability to properly enable and render experiments on your website. 

The use of Cookies/LocalStorage

Essentially, cookies are required to execute experiments. If a user does not consent to cookies, that user will be opted out of any experiments.

The larger concern is typically preventing a cookie from being issued prior to consent, along with alleviating any flicker (a condition where a page may load, then flicker as new page elements are rendered, causing a disruptive user experience) that may occur as a result of the action of consent.

At Cro Metrics we’ve developed some techniques when working with cookie consent. We’ve tackled this in a few ways, and our approach may vary by platform.

One method is to activate the experiment platform snippet before the GDPR script, but immediately and completely remove all data in the event an EU individual chooses not to consent to cookies. In other words, we’re setting the required cookie, and the visitor anonymous user ID still gets set alongside any local storage info, but none of the info is sent back to the experiment platform prior to consent.

Another method is to load the experiment platform snippet in a manner that determines if the browser request comes from the EU. For non-EU requests and for users who have opted-in, the server returns the original experimentation platform snippet (sets the cookie). Otherwise, the server returns a dummy script. This server may be independent from your website's hosting. By combining the jurisdiction decision with the loading of the script, one roundtrip is saved and latency is reduced, therefore reducing flicker. (Note this method is based on IP accuracy using a CDN such as Cloudflare.)

Next Steps

If you have questions about the use of cookies or require GDPR compliance, we’re here to help! We typically recommend a meeting to first discuss your requirements. From there, we’ll provide you with options that you can consider internally. We’re also happy to meet with any stakeholders, including representatives from your legal team. You can initiate a conversation with your Program Manager, or with Business Development, and they’ll help coordinate with the right members of our team. Depending on your experiment platform, we may also consult members of their privacy team for assistance.

References

Data privacy, GDPR and related topics are dense and this guide certainly may not answer all your questions. While we’ll do the best we can to assist you, the following references may also be helpful.

General information on cookies can be found here. Platform specific information can be found below.