The General Data Protection Regulation (GDPR) and the accompanying revised ePrivacy Regulation, previously known colloquially as ‘the cookie law’, have been very much at the forefront of small business minds recently, and as a web developer I’ve been doing my best to help affected clients navigate the meaning of the regulations in the context of their online presence.
While I am in no position to offer explicit legal advice, and would not want to do so, there are plenty of good resources available for small businesses, starting with the ICO website, and a number of well-informed legal articles about compliance can also be found online.
The most obvious effect of the legislation that came into force today, as many readers will be aware, has been a deluge of emails asking for re-consent to remain on various mailing lists. The necessity of that will of course depend on the business and how those email addresses have been collected. However, I believe the assumption by many businesses that they must ask for re-consent regardless is wrong (the Guardian also picked up on this a couple of days ago), and potentially damaging to the businesses in question. I have seen a number of comments on blogs, social media, and in press articles from small business owners complaining how damaging the new regulation is to their business, as they’ve now lost most of their mailing list through lack of response to those re-consent emails.
This post is not about whether or not a business needed to ask for re-consent; that horse has long ago left the proverbial stable. However, GDPR goes beyond keeping people on newsletter mailing lists, and in the context of raised public awareness about privacy issues I think that, when done right, it is also an opportunity to build trust in your business through transparency, and does not necessarily have to lead to a catastrophic loss of engagement. It does however mean that it is more important than ever to understand how people interact with your website, and to realise that even small changes can make a big difference. I think that for many, fine-tuning how you handle the requirements of GDPR on your website should not be a one-shot deal but should instead be an iterative process of monitoring and adjustment. I will use a case study to illustrate my point.
One of my e-commerce clients is very proactive with regard to understanding how people use the website, and uses a Customer Relations Management (CRM) tool extensively, both to understand how customers are using the products and services on offer and to maximise engagement through carefully targeted marketing emails, amongst other techniques.
One of the events that happens when a customer checks out on the website is that, a couple of days after the purchase, an action is triggered in the CRM to send a follow-up / support email to that customer with content specifically related to the products purchased. It is a combination of both post-purchase support and marketing email, and has proven to be highly effective. With the introduction of GDPR, one of the things we did was to change the automatic opt-in to that follow-up email to a soft opt-in. While GDPR is primarily organised around the pervading concept of a positive opt-in, in this case a “soft opt-in” is acceptable because the follow-up email is a first-party email generated directly as a result of the customer entering into a transaction, and is related to that transaction (ICO guidance here).
In this case the customer is presented with an opt-out during the checkout in the form of a box to check if they do not wish to receive any follow-up communication. Initially that box was placed on the final page of the checkout at the point the customer commits to the purchase. The accompanying text label said “We like to contact our customers about their order to offer support or related information. If you do not wish to receive such communications please check this box.”
The checkbox happened to be on the same page as a box to check confirming adherence to the Terms and Conditions of sale, at the very last step of the checkout. It is never a great idea to include two differing checkbox paradigms in the same place, e.g. where the preference would be for one box to be ticked and the other to remain unticked, so the two boxes were separated on the page to try to minimise instances where people might just tick a box without really reading the label.
Now, when a purchase is completed, a flag is sent to the CRM indicating whether or not that customer has opted out of the follow-up email sequence, so we were able to understand very quickly how many people were opting out of the follow-up emails. Within the first couple of days the ratio of people opting out to those not opting out was quite high, around 35%. The time period was too small to get a statistically meaningful sample; however, it was good enough, and the figure was higher than we wanted, so a small change was made to see if we could improve that.
The opt-out checkbox was moved to the same early point in the checkout where a customer provides their email address, and wrapped into a new section called “Communication Preferences” along with the general email newsletter opt-in checkbox. The label was also subtly changed to put more emphasis on the post-purchase support aspect of the email. It was a tiny change that took about 10 minutes to make, but it has had a significant impact on the number of people choosing to opt out of the follow-up marketing emails, the new percentage of people opting out having dropped to just 9% in a couple of days. Over the long term that is a very significant change.
I’m no psychologist so I do not know for sure why this small change has had such a big impact. Perhaps it is because at the final commitment stage of a checkout the customer is already being asked to make a commitment decision - i.e. to accept the T’s & Cs and commit to the spend - and asking for another decision/commitment at that point is too much. I do not know, but what it does illustrate is how seemingly tiny changes can make a big difference to how customers interact with your website.
Making the understanding of your visitor behaviour a process of continuous monitoring, experimentation and improvement has the potential to bring significant reward. By way of another small example, a couple of years ago I changed the operation of the shopping cart on the site. The summary in the header used to show a cart total, number of items and, on hover, the items in the cart - in common with the majority of e-commerce sites. I changed it such that each time the customer added a product to the cart, while still on the product page, it showed a popup of the cart contents and total spend without leaving the product page. I’m not sure what the psychological effect was, but the overall trend immediately afterwards was for increased order sizes. Perhaps it has something to do with being reminded of the state of the cart at each point, which keeps the customer away from the cart page itself - from which it can be hard to entice someone back into more shopping.
By way of a summary then - if you are concerned about the impact of complying with GDPR on your online business, then it pays to be proactive and experiment a little with regard to how you achieve that compliance. For the broader picture, just because your website has been delivered and is up and running, don’t assume that you don’t need to do anything more to it, or that you need to spend a lot of money to have a significant influence on your visitors.