How to do successful A/B testing in compliance-heavy industries

February 26, 2021
Reading time: 5 minutes
Chris Measures
Chris is responsible for creating Kameleoon content across the areas of personalization, experimentation and digital marketing. He covers a wide range of topics, with the aim of better informing marketers and brands and helping them increase conversions and revenues.

Banks, insurers and healthcare companies are guardians of some of our most sensitive personal data, covering our financial affairs and medical histories. Rightly, they have to comply with tough regulations while A/B testing, such as HIPAA in healthcare, as well as GDPR and CCPA.

The problem isn’t going away. According to Gartner, “by year-end 2023, 75% of the world’s population will have its personal data covered under modern privacy regulations, up from 25% today.” And that’s a good thing, as André Morys of KonversionsKRAFT points out, “GDPR isn't a tedious compliance issue that costs time and money; it is an opportunity to strengthen your consumer audience, provided you have the right optimization programs in place.”

Being able to experiment and optimize with A/B testing and personalization is critical for legacy brands operating in compliance-heavy industries. But this focus on compliance seems to stifle many companies. It can lead to blanket bans on using any data for experimentation and personalization, holding back efforts to create customer-centric businesses that truly deliver what consumers want.

Meanwhile, nimbler brands are rocketing past them – using exactly the same type of data to build customer-centric businesses. Perhaps that’s why the global fintech market is expected to grow at a rate of nearly 25% by 2022, well above traditional players in the financial services space.

Both sorts of businesses face the same compliance challenges around customer data, so why is this gap developing?

Essentially, there are two types of customer data: ‘hot’, anonymized information (such as behavioral data), and ‘cold’ data based on customer details and history from your CRM or DMP. Fail to understand the difference and companies risk missing out on the opportunities for optimization.

This article explains what brands in compliance-heavy industries need to know about compliance when implementing A/B testing and personalization. It’s the start of a 2021 series by Kameleoon dedicated to helping companies unlock the power of digital experimentation.

1 A/B testing and personalization do not require using personally identifiable information (PII)

Every business has an ever-increasing range and volume of data about its customers and website visitors. Some of this is personally identifiable information (PII), which is clearly subject to tight compliance rules. But you don’t need this to optimize and experiment – what innovators understand is that the majority of the data they have, such as behavioral, contextual and trend information, is anonymous and therefore NOT subject to the same levels of compliance.

That’s why they use it to experiment with everything from the experience visitors receive on their landing page to the messages and offers that are triggered by their behavior on a website. One online credit provider tested multiple calls-to-action on its home page – and saw a 15% improvement in leads generated. It also used behavioral data to identify visitors about to leave the site – by triggering personalized messages to this segment it reduced churn and increased credit applications by 8.3%.

Forrester research backs this up – it recommends all brands take a four-stage approach to harnessing customer data, starting with the low-hanging fruit. Only once you’ve gained maturity and quick wins do you need to incorporate PII into your strategy. 

Four stages to successfully harnessing customer data

Stage 1: Start by reviewing your current activities that support personalization, such as A/B testing, segmentation, recommendation engines and rules-based personalization. Create and document best practices and use your results to create a business case for AI-driven personalization.

Stage 2: As you become more mature, extend your operations by adding data science skills and more sophisticated AI-based technologies. These should use low-risk, anonymized sources, such as behavioral data, to deliver maximum value for your business. At the same time, build your data governance capabilities, ready for moving to include more identifiable and high-risk data in your activities.

Stage 3: Once you have data governance measures in place, you can begin to use identifiable data safely within AI-based personalization. Start with known visitors (such as existing customers logged into your website) to build use cases that are simple for stakeholders to understand and where you remain in complete control.

Stage 4: By the time you reach stage 4, you will possess a mature and robust set of data science and data governance processes, coupled with advanced technologies that allow you to deploy more sophisticated algorithms that can work with sensitive data safely. This enables you to deliver truly individualized experiences, totally personalized to each and every consumer that interacts with your brand.

Innovators are taking a data-driven, test-and-learn approach by tapping into non-PII – they’re succeeding where many traditional brands are falling behind due to ‘data ignorance.’

2 Products and services need to be built based on customer behavior and feedback

61% of mobile banking users said they’d switch to a rival if their bank offered a poor mobile experience. But too many traditional players build ‘perfect’ products and services in isolation – without then optimizing them based on customer feedback and responses – and then wonder why they fail. Demonstrating this, 64% of patients say they use a digital device to manage their health – yet 50% of mHealth apps see usage drop off by nearly two-thirds after just 30 days. Clearly, patients are not getting the experience they want – and providers aren’t delivering the improvements necessary to keep them engaged.

Keep experimenting to drive improvements

Only by testing hypotheses – large and small – will the experience be optimized and customers stay with you.

The irony is that traditional players have access to huge volumes of data, built up over decades of operation. And in many cases, they have trust as well, because of the rules and regulations that they have to meet – but you need to be customer-centric to keep trust current.

Marc Schwartz, Director, Growth Marketing at Providence Health and Services explains more in a blog article by Widerfunnel, “One of the assumptions that people have about healthcare companies is that we’re going to be trustworthy and reliable. Because HIPAA exists, that’s implicit. We also found that consumers give more data use latitude to a healthcare company if it helps them. So it puts the onus on the healthcare company to ask, ‘Is what I’m doing helpful for the consumer?’ It should never just be helpful to you.”

3 A customer-centric, test-and-learn culture stimulates innovation AND reduces risk

Building a culture that encourages experimentation AND the responsible use of data is essential to moving through Forrester’s stages and successfully deploying PII in a compliant manner to drive a personalized, optimized experience to all customers.

The danger for traditional players is that too much caution means a culture of avoiding risk trumps the need for experimentation. Some financial services companies create a vision and invest in experimentation tools – and then don’t have the culture and processes that let them put plans into action.

The gaps are clear: while some banks experiment with the experience that first-time visitors to their website receive, they don’t go further and test different experiences when customers are securely logged in – even if their experimentation platforms are certified as secure by their IT team. Showing the value this brings, one major credit provider used previous history and behavior to offer tailored loan amounts to logged-in customers, increasing applications by 20%.

At best, many players in compliance-heavy industries have a sporadic, limited approach to optimization, launching one-off tests hoping to see results, rather than investing for the long-term. James Flory of Widerfunnel explains, “A better way to approach experimentation is through repeatable, scalable processes that prioritize insights and learning. Experimentation is the act of consistently, purposefully mining for minerals, not striking gold.”

Now is the time to change

For decades, traditional banks, insurers and healthcare providers faced limited competition – but digital has changed all that, enabling new, more agile rivals to start and scale quickly. Many brands say they “put the customer first.” To turn that from a slogan into reality, traditional players need to stop treating compliance as an excuse not to embrace A/B testing and personalization rapidly. Upstart competitors know that regulation and optimization are not mutually exclusive. In fact, successful companies are using regulation to create even richer customer segmentation and targeting.

If you're in financial services or healthcare, get in touch.

HIPAA, CCPA and GDPR compliant, Kameleoon is focusing on how to help compliance-heavy industries harness the power of customer experience optimization (CXO). If you're interested in the intersection of compliance and A/B testing and personalization, please get in touch. Email [email protected] or subscribe to our newsletter as our coverage of CXO and compliance begins this spring.
