
Balancing privacy and personalization - how can marketers stay compliant

May 12, 2020
Reading time: 6 minutes
Frédéric de Todaro
Fred is Kameleoon's Chief Product Officer and leads the company's A/B testing, feature management, and personalization product strategy. Leading product teams across Europe and North America, he regularly shares his advice on product trends in experimentation and how best to deploy Kameleoon technology.

Today, brands face a dilemma when it comes to customer data and how they use it. On the one hand, consumers are demanding a more personalized, tailored experience that provides them with the information, products and services that best meet their needs. Yet, at the same time, they want to protect their personal data while they are online and keep it safe, secure and private.

In this blog I want to explain how marketers can balance privacy and personalization, while ensuring compliance with regulations such as the GDPR and CCPA when it comes to A/B testing, experimentation and personalization.

With online channels, consumers leave a detailed digital footprint behind when they browse, engage and buy from websites or interact on social media. The use of this data enables brands to better understand their website visitors and provide them with personalized offers, adverts and information.

The benefits of personalization

Consumers increasingly want personalization – in fact 63% said they now expect it as standard when interacting with brands. Personalization helps them:

  • Navigate an expanding universe of information online to find what is relevant
  • Maximize their time by delivering relevant content and offers without lengthy searches
  • Ensure a better user experience by prioritizing the right content, especially on small screen mobile devices
  • Strengthen the relationship with brands and make them feel valued as an individual

Successful personalization has corresponding bottom-line benefits for brands – as our new Complete Guide to Personalization explains, it enables marketers to:

  • Increase visitor engagement
  • Increase conversion rates
  • Boost lead generation
  • Retain customers
  • Reduce churn

The need for privacy

However, consumers and regulators have become increasingly concerned about how personal data is collected, stored and used by brands. Consumers want to protect their privacy online and ensure that they are in control of their personal information and how it is used.

Regulations, such as GDPR and CCPA, are tightening how brands collect and use personal data, with the emphasis shifting to (informed) consent.

2 The growth of data privacy regulations


By now every marketer is familiar with the General Data Protection Regulation (GDPR), which covers all citizens within the European Union. Brands engaging, marketing or selling to these citizens need to follow the GDPR, wherever they themselves are based, risking potentially large fines if they fail to comply. Data needs to be collected openly and honestly, and requires informed consent for its use in many scenarios. Any breaches have to be reported promptly and transparently.


Since the beginning of 2020, the GDPR has been joined by the California Consumer Protection Act (CCPA) which has similar aims and objectives, granting consumers new rights to know what data is collected on them, to have information deleted and to prevent their personal data being sold.

Other countries, and US states, are also looking at tightening or introducing privacy regulations, all potentially impacting how brands manage and use consumer data.

3 Browser technology becomes privacy-first

Reacting to the needs of consumers and regulators, many technology companies are changing their approach to privacy – particularly around cookies and how they are used:

Apple’s Intelligent Tracking Prevention (ITP)

ITP sits within the Safari browser, which has a 50% mobile market share in countries such as the US and UK. It tightens restrictions on cookies set through JavaScript and, now, on Local Storage, limiting them to a seven-day lifespan. Any data on the visitor stored in cookies (and now Local Storage) is therefore automatically deleted after seven days.

This has an impact on A/B testing in particular - if a visitor returns after seven days they will be seen as a new visitor, and therefore potentially not linked to any A/B variations that they saw on their first visit. Therefore A/B tests don’t provide reliable results for Safari visitors, a major source of traffic for many sites.

There’s more on ITP, including its latest version, ITP 2.3, in our developer documentation section.

Google Chrome and Mozilla Firefox

Google has announced it will ban third-party cookies by 2022 within Chrome, although this does not have an impact on experimentation platforms.

Mozilla Firefox’s Enhanced Tracking Protection (ETP) technology banned third-party cookies in June 2019, using an approach similar to adblockers.

4 The impact on testing and personalization

As we’ve seen, testing and personalization aim to improve the overall experience for individual consumers, benefiting their browsing and visitor journey. However, marketers need to focus on two areas when it comes to their experimentation strategies.

Be sure of your test results

As we’ve seen, Apple ITP in particular means that the results from testing and analytics platforms may not be accurate - in fact 1 in 2 of your mobile visitors may be classified incorrectly. It is the equivalent of buying a new car, yet not being sure that the speedometer is always showing the correct speed. To overcome this, brands need to work with their technology provider to ensure they are able to satisfactorily run experiments across all browsers.

A requirement for informed consent

One of the key principles of the GDPR is that sites should only collect the information required to deliver the service to the visitor. Therefore:

  • Some actions don’t require consent at all, as they relate to the data/operational layer of the website.
  • For other actions, consumers don’t have to give explicit consent.
  • For others, they need to give informed consent.

The need for consumers to provide informed consent has a major impact on both personalization and A/B testing.

However, to complicate matters, different European countries appear to be interpreting the GDPR differently when it comes to consent around personalization and testing, while the CCPA does not require prior consent for the use of cookies. However, it does have a requirement of clear disclosure along with a need to provide the visitor with the ability to opt-out of cookie usage.

Levels of consent

Under the GDPR, A/B testing consent is classed within the Audience and Statistics Measurement category of cookies, which means that in many countries (such as France) it does not require informed consent.

Personalization sits under the Advertising and Content Personalization category, and therefore does require informed consent - normally through the pop-in that appears when a consumer visits a site for the first time.

This means your experimentation platform has to offer different consent management policies depending on the use cases that need to be delivered on the website:

  • Technical ones (no consent required)
  • A/B testing - inform through a banner or ask for explicit consent depending on the country
  • Personalization – ask for explicit, informed consent
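The three policy levels above can be enforced as a consent gate that every experiment or personalization script passes through before it runs. The sketch below is an added example, not Kameleoon's code: the names `POLICY`, `requiredMode`, `mayRun` and `allowedUseCases`, the region codes and the shape of the `state` object are hypothetical, and the region table is a constructed reading of this article rather than legal guidance.

```javascript
"use strict";

// Consent mode required per use case. "default" is the strictest reading and
// applies to every region not listed. Region entries are constructed samples
// based on the article's statements (France, CCPA), not legal guidance.
const POLICY = {
  technical: { default: "none" },
  abTesting: { default: "explicit", FR: "inform", "US-CA": "inform" },
  personalization: { default: "explicit", "US-CA": "inform" },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function requiredMode(useCase, region) {
  if (!own(POLICY, useCase)) return "deny"; // unknown use case: fail closed
  const rules = POLICY[useCase];
  return own(rules, region) ? rules[region] : rules.default;
}

// state.noticeShown: banner or disclosure has been displayed to the visitor.
// state.choices[useCase]: true (accepted), false (refused or opted out),
// or absent (visitor has not answered yet).
function mayRun(useCase, region, state) {
  const choices = state.choices || {};
  const choice = own(choices, useCase) ? choices[useCase] : undefined;
  switch (requiredMode(useCase, region)) {
    case "none":
      return true;
    case "inform": // notice displayed and no objection recorded
      return state.noticeShown === true && choice !== false;
    case "explicit": // silence is not consent
      return choice === true;
    default:
      return false;
  }
}

function allowedUseCases(region, state) {
  return Object.keys(POLICY).filter((u) => mayRun(u, region, state));
}

// Constructed sample: first page view in France versus Germany, banner shown.
const firstView = { noticeShown: true, choices: {} };
console.log("FR:", allowedUseCases("FR", firstView));
console.log("DE:", allowedUseCases("DE", firstView));
```

Unknown use cases and unlisted regions fall back to the strictest mode, so a new script or market is blocked until someone adds an explicit rule for it.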

5 The benefits of behavioral data to deliver efficient personalization

GDPR and CCPA both focus on data that identifies the visitor. However, when it comes to delivering personalization, Kameleoon’s platform offers a compliant alternative.

Hot anonymized data

In its standard setup, Kameleoon doesn't collect or process any personal data as defined by the GDPR. The only data collected is ‘hot’ anonymized browsing data which doesn't allow a visitor to be identified. If customers inject existing ‘cold’ personal data from their technology ecosystem (such as CRM or DMP solution) into Kameleoon, then this does need to be covered in a GDPR compliant manner.

Examples of hot data

  • Visitor behavior on website
  • Information on the visitor’s device, location, browser
  • Wider information based on location (e.g. weather, season, time of day)

Hot behavioral data delivers a real-time picture of what a visitor is looking for – their intent at that exact moment. It is therefore central to delivering the personalization that visitors want - while safeguarding their anonymity. In fact, using this data, Kameleoon’s platform can predict the conversion intent of completely new visitors within 15 seconds of them arriving on your website.

Successfully balancing privacy and personalization

Consumers increasingly want to engage with brands that they trust – and that starts with how their data is collected and used. Therefore companies must focus on ensuring compliance, while still delivering the personalization that is essential to continually improving the user experience. That requires following best practice and partnering with technology providers that can provide experimentation platforms that can balance the need for personalization with consumer consent.
