The General Data Protection Regulation (GDPR) is new legislation coming into force for the UK and EU countries in May 2018 which will place far stricter requirements on how businesses store and process data. It’s a major change to privacy laws and businesses can’t afford not to comply – the Information Commissioner (ICO) has the ability to fine a company that is in breach up to €20 million or 4% of worldwide turnover (whichever is greater).
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.
A lot has been written about the preparations companies need to be making, but how does this affect digital marketers? The main part of the legislation which affects conversion optimisation is the new Consent rules which regulate how businesses can get consent from users to process their data (and contact them for marketing purposes).
Specifically, consent under the GDPR must be:
Simply put, that means no more implicit consent through combined Terms & Conditions and Privacy Policy boxes like this one from Econsultancy:
No more services which require you to accept marketing communications in order to use the service, such as Glasgow Airport’s Wifi:
And no more double negatives and boxes where you have to think hard to work out whether you’re giving consent or not:
But everyone in CRO knows that, although they’re not user friendly and are often quite deceptive, these work for increasing conversion rates and increasing marketing opt-in rates.
This will become even more important with the implementation of the GDPR as you must ask for specific consent. And we all know that customers don’t like signing up for marketing messages. So how can you be compliant with GDPR without significantly decreasing your conversion rate?
The key points for complying are that consent must be:
The big challenge for marketers is that these new restrictions mean an end to simple checkboxes. The more complex requirements may lead to long textual explanations which will be confusing and off-putting for users, especially on mobile.
Even the ICO’s example is daunting compared to the simple checkboxes we see now:
Not only that, but very few consumers willingly agree to give their details for marketing purposes. Often consent is only gathered through inaction (pre-checked boxes). How can optimisers ensure that we don’t harm conversion rates and also keep opt-in rates high?
Getting people to opt in to marketing messages is going to change from an exercise in deception to one in selling – and that’s definitely a good thing for consumers. As explicit consent is required, sites need to spend time explaining why users should accept marketing.
British Airways’ Executive Club signup does a good job of this:
By offering benefits such as getting reward flights faster and increasing reward points, customers will be more likely to agree to be contacted. Medical charity Doctors Without Borders has managed to find a way to encourage users to share information with third parties by appealing to their desire to maximise the value of their donation:
There are lots of complicated approaches (including the ICO’s example), but the RNLI do a good job of keeping this as simple as possible. Ultimately the GDPR will mean more details are needed, but it’s still possible to do this in a clear way. WaterAid’s approach is very clear and easy for users to understand (although their ‘negative’ checkbox for postal contact isn’t compliant at the moment):
People’s minds are very good at blocking out things which aren’t relevant. A 2013 study showed that 86% of consumers suffer from “banner blindness” and don’t pay any attention to ads on pages.
In the same way, privacy checkboxes are likely to become standardised and, safe in the knowledge that the GDPR means you can’t be automatically opted in, consumers will just ignore a standard row of checkboxes like those used by the RSPCA:
Instead, you can force the user to take an action by using a radio button or switch. Although this may not make people more likely to say Yes, you’ll at least force them to consider the offer:
Do you really need to contact people by email, post, phone and text message? This is a clear trade-off opportunity. Instead of asking for everything, consider which methods are most valuable to you or most likely to get users to opt in.
For example, email and post may not feel as intrusive to users so there may be less resistance to allowing these methods than phone or text messages. Testing how many options you offer to users will allow you to find that sweet spot where you get most users to opt into at least one method.
Using ‘progressive reveal’ may also work well as shown below. Rather than daunting the user with lots of options, start with a simple, non-intrusive one then add the more difficult ones. When a user chooses “No” simply stop revealing options.
The GDPR makes provision for allowing people to withdraw their consent easily, preferably via the same method they gave it (online). Although the implementation of this may be a headache for some businesses, it gives a huge opportunity to reduce resistance for users.
WaterAid have a simple popup explaining that you can change your mind at any time. This addresses the fear of commitment. Anything that reduces this fear will help to convince users to agree to the marketing messages. A decision you can change later is a much easier one to make.
Companies need to start preparing now for the GDPR. The guidelines are clear, so now is the time for businesses to start testing different implementations. Running some A/B tests to understand which approaches give the least impact on signups and the best results for marketing opt-ins will give sites the best chance of success. Although the May 2018 implementation may seem a long way away, it’s only through testing these approaches that you can be sure you’re not going to significantly harm your conversion rate.