Experimentation is essential for businesses to improve customer journeys on websites, apps, and beyond. Organizations are boosting conversions and revenue per visit, as well as enhancing performance indicators that drive customer satisfaction and engagement. However, each experiment brings its own set of limitations. The excitement of innovation can quickly turn into concern when a gap arises between technology and consumer trust. Without clear communication and privacy safeguards, organizations risk losing user confidence, which ultimately affects engagement and long-term success. Therefore, you have to consider the ethical and legal aspects of online consumer protection as early as possible in the testing and experimentation process, to help ensure compliance and foster trust.
1. Step into the Consumer’s Shoes
In today’s digital era, earning consumer trust has become necessary for encouraging the sharing of personal data. Full transparency helps the consumer feel comfortable providing their information and contributing to a successful experiment.
Online environments should be structured with clear, neutral default settings that are not misleading, ensuring fairness-by-design. This could mean, for example, using understandable language, clear FAQs and avoiding unnecessary jargon. Clear design can also prevent automatic clicking behavior: the website should be designed so that consumers do not make unintended choices out of habit. Ensure clear buttons and selection menus and avoid misleading designs. Make sure the average consumer understands what they are clicking on and what the consequences of their choices are.
Transparency is not just about providing information: it is about offering complete and accurate details in an accessible format, especially when it comes to consent and opt-ins. For instance, the Dutch Data Protection Authority emphasizes that options should be clearly presented in cookie banners, without hidden options or pre-selected checkboxes. Avoid hiding crucial information within the general terms and conditions or privacy policy.
2. Do a GDPR Pre-Check
Before embarking on any data collection, it is critical to ensure compliance with the GDPR. Conducting a thorough review of GDPR requirements can help prevent legal issues and build trust with consumers.
- Start by understanding the type of data you’re collecting.
Is it really personal data you are dealing with? Is it information relating to an identified or identifiable natural person, such as a name or an identification number? If the data is anonymized, for example data from interviews, ensure it is truly anonymous under GDPR standards, meaning it cannot reasonably be traced back to an individual, even when combined with other datasets. Recognizing the nature of the data also helps in deciding which privacy and security measures are needed.
- Then clearly define your purpose.
A specific, explicitly defined, and legitimate purpose is required for processing personal data. This data cannot be further processed in ways that are incompatible with the original purposes, unless the ‘new purpose’ is consistent with the ‘original purpose.’ For instance, this could apply when both purposes are related to recommendation algorithms, with one focused on personalized advertising and the other on optimized ad delivery.
- Ensure you apply the principle of data minimization by only collecting the data that is necessary.
Data minimization is a key principle of the GDPR, meaning only the data necessary for the specified purpose should be collected.
- Choose the appropriate legal basis for processing.
When processing personal data for marketing purposes, three legal bases in the GDPR are particularly relevant: consent, legitimate interest, and the performance of a contract.
3. Align with All Rules
Ensure compliance with all relevant rules, not just the rules from the GDPR. For example, laws regulating cookies and the advertisement of products and services are also important to consider during experimentation. The ePrivacy Directive is relevant in the field of marketing, since it regulates (amongst other things) email, telemarketing and cookies. Remember that consent is required unless the cookies are strictly necessary or technical. In the Netherlands, consent is also not required for cookies used for analytical purposes, provided these cookies are privacy friendly. A useful tip is to categorize analytical cookies into two groups: those that are privacy-friendly and don’t require consent, and those that require user consent due to their possible impact on privacy.
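The two points above, a consent banner with nothing pre-ticked and a cookie inventory split into consent-exempt and consent-required categories, can be enforced in code rather than left to convention. The following is an added example and not code from the original article: a small consent gate that refuses to set any cookie whose category has not been explicitly opted into, keeps every banner option unchecked by default, and treats unclassified cookies as forbidden. The category names, cookie names and the in-memory cookie jar are constructed for the demonstration; which categories are exempt in a given jurisdiction is a legal question the code only encodes.

```javascript
// Added example (not from the original article): a consent gate that only sets
// cookies whose category is exempt from consent or has been explicitly opted into.
// Category names, cookie names and the in-memory "jar" are constructed for the demo.

const COOKIE_CATEGORIES = {
  // Strictly necessary / technical cookies: no consent needed.
  "strictly-necessary": { requiresConsent: false },
  // Privacy-friendly analytics: the article notes these may run without
  // consent in the Netherlands. Whether a cookie qualifies is a legal call.
  "analytics-privacy-friendly": { requiresConsent: false },
  // Analytics with possible privacy impact and marketing cookies need opt-in.
  "analytics": { requiresConsent: true },
  "marketing": { requiresConsent: true },
};

// Constructed cookie inventory: every cookie the site may set, with its category.
const COOKIE_REGISTRY = {
  session_id: "strictly-necessary",
  csrf_token: "strictly-necessary",
  pf_stats: "analytics-privacy-friendly",
  ab_variant: "analytics",
  ad_profile: "marketing",
};

// Default banner state: nothing pre-ticked. Only consent-required categories are
// listed, because exempt categories are not a choice the user is asked to make.
function defaultPreferences() {
  const prefs = {};
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
    if (cat.requiresConsent) prefs[name] = false;
  }
  return prefs;
}

// Record what the user actually chose. Only an explicit boolean true counts as
// consent; a missing key or any other value (e.g. the string "yes") stays false.
function recordConsent(choices) {
  const prefs = defaultPreferences();
  for (const name of Object.keys(prefs)) {
    prefs[name] = choices[name] === true;
  }
  return { prefs, recordedAt: new Date().toISOString() };
}

// Decide whether a cookie may be set given the recorded consent (null = none yet).
// Unknown cookies are refused: every cookie must be classified before use.
function canSetCookie(name, consent) {
  const category = COOKIE_REGISTRY[name];
  if (!category) return false;
  if (!COOKIE_CATEGORIES[category].requiresConsent) return true;
  return Boolean(consent && consent.prefs[category]);
}

// The jar is a Map here; in a browser the same gate would wrap document.cookie.
function setCookie(jar, name, value, consent) {
  if (!canSetCookie(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Walk-through: before consent only exempt cookies are written; after the user
// opts into analytics only, the A/B variant cookie is allowed but marketing is not.
function demo() {
  const jar = new Map();
  const beforeConsent = [
    setCookie(jar, "session_id", "abc123", null),
    setCookie(jar, "pf_stats", "1", null),
    setCookie(jar, "ab_variant", "B", null),
    setCookie(jar, "ad_profile", "x", null),
  ];
  // "yes" for marketing is deliberately not accepted as consent.
  const consent = recordConsent({ analytics: true, marketing: "yes" });
  const afterConsent = [
    setCookie(jar, "ab_variant", "B", consent),
    setCookie(jar, "ad_profile", "x", consent),
  ];
  return { beforeConsent, afterConsent, cookies: [...jar.keys()] };
}

console.log(JSON.stringify(demo(), null, 2));
```

The useful property for an experimentation team is that the A/B variant cookie (`ab_variant`) cannot be written until the visitor has opted into the analytics category, so a test that forgets the banner fails closed instead of silently tracking. Adding a new cookie without classifying it in the registry also fails closed, which turns the "categorize your cookies" tip into something a code review can check.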
Other relevant regulations include self-regulatory codes, such as the Advertising Code for email marketing and telemarketing, as well as rules governing AI, including transparency obligations.