All the information you need in one place

Is Nelio A/B Testing compliant with GDPR?

The General Data Protection Regulation (GDPR) is a key regulation that aims to strengthen and unify data protection and privacy in the European Union and the European Economic Area. We use the necessary business and technology privacy controls to protect data and comply with the GDPR.

Here’s what to look out for to make sure you use Nelio A/B testing in compliance with GDPR.

Processing Personal Data & Data Processing Agreement

Within the context of Nelio A/B Testing, we act as data processor of the information collected through your campaigns executed through Nelio A/B Testing by means of A/B tests, heatmaps, and (if applicable) session recordings.

As data processors, when you subscribe and/or accept the Terms and Conditions to use Nelio A/B Testing, these also includes the Data Processing Agreement (DPA) that outlines the terms and conditions that determine how we process personal data on your behalf including the following key points considered to be compliance with the GDPR:

  1. Our obligations as data processor: we only process personal data on documented instructions from you, unless required to do so by law. we notify you without undue delay after becoming aware of a personal data breach. We specify the procedures for terminating the agreement and deleting personal data upon termination.
  2. Your obligations as data controller: you ensure that the processing activities comply with applicable data protection laws and regulations including GDPR. (See also Cookie Consent section for more details).
  3. Security measures: we implement appropriate technical and organizational measures to ensure the security of personal data they process.
  4. Data subject rights assistance and audit: Processors should assist controllers in fulfilling their obligations to respond to data subject rights requests, such as access, rectification, erasure, data portability, and review the technical and organizational measures to process your data.
  5. Subprocessing: we outline the conditions under which we may engage subprocessors and specify the obligations of subprocessors.
  6. International Transfers: the terms of the Standard Contractual Clauses (SCCs) for the transfer of process to processors pursuant to the European Commission’s decision (EU) 2021/914 are incorporated and apply to any transfers of personal data to a third country.

The DPA also includes the details of the processing, the technical and operational security measures taken by us, the list of sub-processors and the SCCs.

We recommend that you review the above documentation for all the details of processing personal data but below we would like to highlight a few points that we believe may be of interest to you.

What personal data is processed by Nelio A/B Testing

The Nelio A/B Testing plugin passively collects information gathered by analyzing page views and user navigation through cookies and other analytics.

Note that from the perspective of the Client’s visitors, no user-identified information is stored at all. From the Client’s perspective, this is what we store:

  • The URL of the site in which the plugin was or is installed.
  • The tests it run in the past or are currently running: its name, description, IDs of the variants (the variant itself is stored in your WordPress server), and other data.
  • A summary of results without user-identifying information: page views, conversions, clicks, scroll, mouse movements, device, browser, country, language and other data to exclude the user from participate in tests.

How is this data collected?

In order to Nelio A/B Testing work properly, Nelio A/B Testing assigns the variants your visitors are supposed to see in their browser and stores that information as a cookie (not in a session). This ensures, , as we explained here, the proper behavior of Nelio A/B Testing, making sure that a certain visitor will always see the same variant (as long as cookies are enabled). In addition, it sets additional cookies to check if the current visitor participates in your test, and to keep track of all relevant events that occur on your page.

What Cookies does Nelio A/B Testing set?

The list of the cookies that is described in the following article.

What should I do to comply with GDPR using Nelio A/B Testing?

Under GDPR, your website visitors should be informed of the use of cookies or similar technologies, for example through your Privacy Notice.

In addition, visitors must be able to decide whether they want to be tracked by your website or not.

Under GDPR, visitors must be able to decide whether they want to be tracked by your website or not.

However, to find out whether this consent should be made by opt-in or opt-out consent, please note that the data protection authority in each European country may have issued updated guidelines on the use of cookies to comply with the new European Data Protection Board’s new directives.

Example: GDPR and cookies in Spain

Please note that this is an example and is not intended as legal advice.

For example, our company is based in Barcelona, Spain. All websites with Spanish visitors are now required to adhere to these updated guidelines, which have been mandatory since January 11, 2024.

Under these new guidelines, there are certain situations where websites and/or apps don’t need to obtain explicit consent from users to use cookies. Specifically, cookies that are used to obtain traffic or performance statistics may be exempt from consent requirements when specific conditions are met.

  • Data collected is limited to only that which is strictly necessary for provision of the service.
  • Processing must be carried out exclusively on behalf of the publisher.
  • Processing can only be used to produce anonymous statistical data.
  • Use of these cookies or similar technologies must not result in data being matched with other processing operations.
  • Data collected by these cookies or similar technologies must not be transmitted to third parties.
  • Use of these cookies or similar technologies must not allow aggregate tracking of a user’s navigation while browsing different websites or using other applications.

Per the first condition, the Spanish Data Protection Authority (AEPD) considers only the following measures as strictly necessary for the proper administration of a website:

  • page by page audience measurement
  • the list of pages from which a link has been followed to request the current page (referrer), whether internal or external to the site, per page and aggregated daily
  • determination of visitors’ device type, browser, screen size, per page and aggregated daily
  • page load time statistics, per page and aggregated hourly
  • statistics on time spent per page, bounce rate, scroll depth, per page and aggregated daily
  • statistics on user actions (clicks, selections), per page and aggregated daily
  • statistics on the geographical area of origin of the requests, per page and aggregated daily

Nelio A/B Testing cookies that are used to obtain the information of your experiments meet the specific conditions to be exempt from consent requirements under the Spanish Laws. However, note that if you use Nelio Session Recordings Addon within your subscription, this exemption would not apply as described here.

In addition, as service providers, we comply with all the guarantees set out in said guidelines:

  1. The lifetime of these cookies or similar technologies is limited to a period of time that allow for meaningful comparison of audiences over time, such as a duration of thirteen months, and which will not be automatically extended on new visits;
  2. The information collected through these cookies or similar technologies will be kept for a maximum period of twenty-five months;
  3. The aforementioned lifespan and retention period shall be subject to periodically reviewed to be limited to what is strictly necessary.
  4. We have a contractual commitment with you that complies with the requirements of Article 28 of the GDPR in which it is made explicit:
    • The obligation not to reuse the data collected under any circumstances, within the framework of the contract.
    • To restrict the processing of the data to the purposes set out above as strictly necessary as strictly necessary.
    • To comply with the guarantees established in the case of providing services to multiple publishers.
    • That any transfer of data outside the European Union complies with the conditions of compliance conditions of compliance established in the GDPR.
  5. We conduct and document an assessment, by ourselves or by an independent third party, whether the tools provided by us can be and are configured to ensure compliance with the GDPR by us to ensure compliance with the requirements listed in the previous paragraph.

Therefore, within this context, you do not need explicit prior consent from the visitor in order to run and collect information from the A/B tests and/or heatmaps you create with Nelio A/B Testing. However, note that the visitor still has the right to explicitly indicate not to be tracked and, therefore, you must offer them in an easy way (as for example, through a opt-out cookie consent), to indicate that they don’t want cookies to be used while browsing your website.

As we said, under GDPR, visitors must be able to decide whether they want to be tracked by your website or not. Therefore, it is your obligation to have a mechanism on your website, for example, one way to do this is to display a cookie consent pop-up, banner or form and keep the consent in a cookie.

To integrate such consent with Nelio A/B Testing, and make sure that our tool only tracks information when consent has been given, you have a GDPR Cookie setting which, briefly put, checks if your website has a certain cookie (with, optionally, a specific value) set. If so, the plugin assumes that your visitor has given you consent and you can track it; if not, Nelio will not track anything.

Remember that it is your responsibility to make this adjustment to ensure that you are using Nelio A/B Testing in compliance with GDPR.

We explain the details of how Nelio A/B Testing is integrated with the cookie consent in this FAQ.