5 ways to comply with GDPR without harming your conversion rate

Dave Gowans
August 17, 2017

The General Data Protection Regulation (GDPR) is new legislation coming into force for the UK and EU countries in May 2018 which will place far stricter requirements on how businesses store and process data. It’s a major change to privacy laws and businesses can’t afford not to comply - the Information Commissioner’s Office (ICO) has the ability to fine a company which is in breach up to €20 million or 4% of worldwide turnover (whichever is greater).

Note that this article represents the views of the author solely, and is not intended to constitute legal advice.

A lot has been written about the preparations companies need to be making, but how does this affect digital marketers? The main part of the legislation which affects conversion optimisation is the new consent rules, which regulate how businesses can get consent from users to process their data (and contact them for marketing purposes).

Specifically, consent under the GDPR must be:

  • A freely given, specific, informed and unambiguous indication of the individual’s wishes
  • Some form of affirmative action - no more pre-ticked boxes
  • Separate from terms and conditions

Simply put, that means no more implicit consent through combined Terms & Conditions and Privacy Policy boxes like this one from Econsultancy:

Econsultancy’s Terms & Conditions and Privacy Policy prompt asks users to agree to terms and conditions and privacy policy in the same action

No more services which require you to accept marketing communications in order to use the service, such as Glasgow Airport’s Wifi:

Glasgow Airport won’t let users sign up to wifi without accepting marketing messages

And no more double negatives and boxes where you have to think hard to work out whether you’re giving consent or not:

Curry’s consent boxes have two opposite actions; using a double negative or giving two consent boxes different meanings when checked will be forbidden

But everyone in CRO knows that, although they’re not user friendly and are often quite deceptive, these approaches work for increasing both conversion rates and marketing opt-in rates.

This will become even more important with the implementation of the GDPR as you must ask for specific consent. And we all know that customers don’t like signing up for marketing messages. So how can you be compliant with GDPR without significantly decreasing your conversion rate?

How do I comply with the GDPR?

The key points for complying are that consent must be:

  • Unbundled - separate from other terms and conditions and not a precondition of signing up to a service (unless necessary for that service)
  • Active opt-in - you can’t have a pre-ticked box any more
  • Granular - give options to consent separately for different types of processing (e.g. marketing messages and surveys)
  • Named - both the organisation and third parties must be named (or a well defined category of companies given for third parties)
  • Easy to withdraw - it must be as easy to withdraw consent as it is to give it

How to comply with GDPR without harming your conversion rate

The big challenges for marketers are that these new restrictions mean an end to simple checkboxes. The more complex requirements may lead to long textual explanations which will be confusing and off-putting for users, especially on mobile.

Even the ICO’s example is daunting compared to the simple checkboxes we see now:

The ICO's recommendation for complying with the GDPR is comprehensive but difficult for users to understand

Not only that, but very few consumers willingly agree to give their details for marketing purposes. Often consent is only gathered through inaction (pre-checked boxes). How can optimisers ensure that we don’t harm conversion rates and also keep opt-in rates high?

#1 Sell the benefits to customers

Getting people to opt in to marketing messages is going to change from an exercise in deception to one in selling - and that’s definitely a good thing for consumers. As explicit consent is required, sites need to spend time explaining to users why they should accept marketing.

British Airways’ Executive Club signup does a good job of this:

British Airways’ prompt for marketing messages explains to users the benefits of accepting email communications

By offering benefits such as getting reward flights faster and increasing reward points, customers will be more likely to agree to be contacted. Medical charity Doctors Without Borders has managed to find a way to encourage users to share information with third parties by appealing to their desire to maximise the value of their donation:

Doctors Without Borders explain that giving your details to other charities reduces their costs, so is a good thing for people donating

#2 Keep it simple

There are lots of complicated approaches (including the ICO’s example), but the RNLI do a good job of keeping this as simple as possible. Ultimately the GDPR will mean more details are needed, but it’s still possible to do this in a clear way. WaterAid’s approach is very clear and easy for users to understand (although their ‘negative’ checkbox for postal contact isn’t compliant at the moment):

WaterAid’s simple opt-in box presents a list of contact methods to users and offers more information through a popup

#3 Force a decision to avoid users skipping

People’s minds are very good at blocking out things which aren’t relevant. A 2013 study showed that 86% of consumers suffer from “banner blindness” and don’t pay any attention to ads on pages.

In the same way, privacy checkboxes are likely to become standardised and, safe in the knowledge that the GDPR means you can’t be automatically opted in, consumers will just ignore a standard row of checkboxes like those used by the RSPCA:

The RSPCA’s approach to consent, with simple checkboxes for each contact method, looks so standardised that users may not bother to read it

Instead, you can force the user to take an action by using a radio button or switch. Although this may not make people more likely to say Yes, you’ll at least force them to consider the offer:

Mockup asking users for consent using radio buttons: this forces the user to consider the decision rather than simply skipping it

#4 Only ask about the most valuable options

Do you really need to contact people by email, post, phone and text message? This is a clear trade-off opportunity. Instead of asking for everything, consider which methods are most valuable to you or most likely to get users to opt in.

For example, email and post may not feel as intrusive to users, so there may be less resistance to allowing these methods than phone or text messages. Testing how many options you offer to users will allow you to find the sweet spot where you get the most users to opt in to at least one method.

Using ‘progressive reveal’ may also work well as shown below. Rather than daunting the user with lots of options, start with a simple, non-intrusive one then add the more difficult ones. When a user chooses “No” simply stop revealing options.

Mockup showing contact methods being progressively revealed as the user selects “Yes”: this maximises the chance of getting at least one “Yes”

#5 Use the withdrawal of consent as a selling point

The GDPR makes provision for allowing people to withdraw their consent easily, preferably via the same method they gave it (online). Although the implementation of this may be a headache for some businesses, it gives a huge opportunity to reduce resistance for users.

WaterAid have a simple popup explaining that you can change your mind at any time. This addresses the fear of commitment. Anything that reduces this fear will help to convince users to agree to the marketing messages. A decision you can change later is a much easier one to make.

WaterAid’s popup explains how to change your preferences; by explaining how to opt out of marketing, WaterAid reduce the perceived risk for users and make them more likely to consent

What’s next?

Companies need to start preparing now for the GDPR. The guidelines are clear, so now is the time for businesses to start testing different implementations. Running some A/B tests to understand which approaches have the least impact on signups and give the best results for marketing opt-ins will give sites the best chance of success. Although the May 2018 implementation date may seem a long way away, it’s only through testing these approaches that you can be sure you’re not going to significantly harm your conversion rate.