Optimizely Privacy: How Does Optimizely Handle Privacy?
As A/B testing platforms become more sophisticated, so do privacy concerns surrounding them.
Optimizely is one of the most popular optimization platforms in the A/B testing space, so it’s important to understand its stance on privacy. With great power comes great responsibility. And with great responsibility comes a greater need for privacy.
In this article, we evaluate how Optimizely approaches privacy and what you need to know before choosing this digital experience platform.
Let’s start by analyzing whether Optimizely complies with major privacy laws today.
Is Optimizely GDPR Compliant?
The General Data Protection Regulation (GDPR) is a key regulation that aims to strengthen and unify data protection and privacy in the European Union and the European Economic Area. Optimizely uses the necessary business and technology privacy controls to protect data and comply with the GDPR.
How Is Optimizely GDPR Ready?
GDPR compliance is an essential part of Optimizely’s service and design. Here are some steps it has taken to become GDPR compliant:
- Identified product and business areas impacted by the GDPR
- Appointed a Data Protection Officer (DPO)
- Rewrote its Data Processing Agreement
- Improved and changed its products, services, processes, and procedures to meet GDPR requirements
- Reviewed its sub-processors
- Finalized and communicated full compliance to the Data Protection Authority (DPA)
Is Optimizely Ready to Handle ePrivacy Regulation?
The ePrivacy Regulation (ePR) is an upcoming privacy law to transform rules around cookie consent, direct marketing, and business-to-business (B2B) communications. Unlike GDPR, it’ll regulate even non-personal data in electronic communications.
As companies grapple with the GDPR, it’s interesting to see if they’re ready for this new regulation. To determine whether Optimizely is equipped to deal with ePrivacy, we first need to assess the data it collects.
Visitor Data
Optimizely tracks visits to a website and collects information about user behavior. This aggregated information is known as “visitor data” and includes:
- User-agent data: Data based on a device’s properties, including details about the web browser type and operating systems visitors use.
- Web address: Information about a web page’s location.
- Event data: Logs user behavior and examines whether a visitor clicked a button on a website or performed similar action. This can also include custom attributes and event tags.
- Timestamp: The date and time an event occurs.
- End User ID (or Visitor ID): A randomly generated identification number (ID) assigned to a visitor per project. This corresponds to the optimizelyEndUserId cookie for experimentation and personalization.
- Experiment and variation IDs: Determine where the visitor bucketed while visiting a website.
- External geodata: Elements associated with a visitor’s IP address, including country, city, region, and so on.
Optimizely organizes its services so that its customers can specify data categories they wish to share and receive. These categories don’t necessarily reveal user identity. However, if the URLs Optimizely collects contain personally identifiable information (PII), such as name or phone number, or if it links to pages containing PII, it may collect this information as well.
As an open platform, Optimizely provides you with additional visitor data, such as repeat buyer attributes. It collects data based on specific features and configuration, such as:
- Dynamic Customer Profiles (DCP)
- List attributes
- Adaptive audiences
- Feature flags
- Integrations
To minimize the amount of personal data it collects, Optimizely prohibits visitors from providing additional personal or sensitive information, such as health information.
Product User Data
Optimizely collects some basic information, such as username, name, work email, work contact, job title, and so on, when users create an account or sign up for its webinar or newsletter. This is called Product User Data, and it’s itemized as follows:
- When registering and creating an account: Optimizelyvisitors can read product and service descriptions without disclosing any personally identifiable information. However, you need to create an account and set up a profile to transact with Optimizely and become a customer. When signing up, it asks for your name, your organization’s name, its street address, and your email address. It also requires you to select a password. Once you’re a registered user, you can update your profile and provide further information such as a nickname and certain user preferences.
- When registering for a webinar or requesting a newsletter: Bothvisitors and customers can register for an Optimizely webinar or request a newsletter. Optimizely stores only email addresses for reference.
ePrivacy restricts collecting PII data, and since Optimizely allows users to pass this data to URLs via visitor data, it isn’t really ePrivacy compliant. Instead, it still has a long way to go in preparing for many upcoming regulations.
Is Optimizely a Good Choice for Privacy-conscious Brands in the EU?
As mentioned earlier, the ePrivacy Regulation isn’t yet a data protection law. However, once passed, it’ll be adopted within 20 days of its publication in the EU Official Journal, followed by a two-year grace period before enforcement.
Therefore, contrary to what most businesses think, ePrivacy Regulation will complement, not replace the GDPR, when it comes into force.
So, until the effective date, all privacy-conscious brands in the EU and worldwide can use Optimizely. However, Optimizely needs to buckle up and make some coherent changes to the data it collects to stay relevant and suitable for companies with high privacy standards.
Which A/B testing tool provider has the best track record when it comes to respecting user privacy? See how Optimizely fares against Convert Experiences, VWO and AB Tasty.
Optimizely HIPAA Compliance
Healthcare providers struggle with delivering personalized content across digital platforms due to the data security risks associated with healthcare information. The Health Insurance Portability and Accountability Act (HIPAA) takes the pressure off the healthcare companies and provides them some much-needed guidance.
It safeguards protected health information (PHI), such as name, address, contact details, and more disclosed to a third-party service provider.
Is Optimizely HIPAA Compliant?
To be HIPAA compliant, all third-party vendors and healthcare providers must enter into a Business Associate Agreement (BAA), a written contract designed to protect sensitive healthcare data.
Does Optimizely need to be HIPAA compliant?
Whether Optimizely requires HIPAA compliance depends on the type of data it collects and uses. Essentially, Optimizely isn’t HIPAA compliant and specifically states non-compliance in its Terms of Service Agreement.
HIPAA non-compliance. Customer acknowledges that Optimizely is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that the Optimizely Service is not HIPAA compliant. “HIPAA” means the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced. “Regulated Data” includes HIPAA-regulated data and data covered under the Gramm-Leach-Bliley Act (or related rules or regulations) as updated or replaced.
How Does Optimizely Compensate for HIPAA Non-compliance?
Optimizely’s Content Recommendations address data security concerns and make up for their non-compliance with HIPAA in the following ways:
- Storing PHI: Its in-session personalization doesn’t require PHI to personalize content.
- Cross-personalization: Personalization stops when a session expires.
- Episerver content intelligence: It gives you first-party intent data on every site visit so you can scale your engagement’s impact.
- Scaling personalization: Rules can’t keep pace with the changing patient landscape and medical advancements. Optimizely uses machine learning (ML) algorithms to decide who gets what content without bogging your team down with endless “if/else” rules.
Optimizely-Episerver Content Recommendations comes to the rescue and provides an effective solution for cross-personalization and dynamic healthcare.
Can Visitors Opt-out of Optimizely Tracking?
Visitors can easily opt-out of Optimizely tracking via the Optimizely API call.
What does opting out mean?
- The user won’t get bucketed into an experiment
- They won’t see any variation changes
- Project JS will not run on the page
- The user will not be tracked
- They will remain opted out (i.e., all points above apply) wherever Optimizely runs
Using Optimizely Web Without a Tag Manager
If you don’t use a Tag Manager on your site, you can instruct Optimizely not to track a site visitor by setting a cookie called optimizelyOptOut to “true”. Optimizely checks for this cookie before executing the JavaScript snippet content. It’s better to use the officially supported optOut API rather than setting the cookie directly.
You need to add the code above the Optimizely snippet on your page. Otherwise, the Javascript snippet runs and sets your visitors’ tracking cookie(s) and storage items.
Let’s see how to use the optOut API.
<script>
window["optimizely"] = window["optimizely"] || [];
window["optimizely"].push({
"type": "optOut",
"isOptOut": true
});
</script>
<script src=”https://cdn.optimizely.com/js/{project_id].js”></script>
If a visitor opts-in for cookie tracking, you can re-enable tracking that visitor by rewriting the optimizelyOptOut cookie value to “false”.
For example, if you display a cookie banner (an overlay element that seeks visitor tracking consent), you might rewrite the optOut cookie value to false after obtaining consent with the following code.
window["optimizely"] = window["optimizely"] || [];
window["optimizely"].push({
"type": "optOut",
"isOptOut": false
});
Technically, tie this API into the logic that runs when the visitor consents to tracking.
Using Optimizely Web With a Tag Manager
Using a Tag Manager, you can use conditional logic to load the Optimizely JavaScript snippet only when a visitor provides consent.
Since a cookie opt-in isn’t required in all regions or for all cookies, Optimizely doesn’t set the optimizelyOptOut cookie by default. As a site owner, you’re responsible for determining whether you need to set this cookie or use one of the methods above where required.
If you set optimizelyOptOut to “true” by default (as indicated above), the Optimizely snippet runs “normally” (tracks visitors on your site) only when the optOut API is set to “false”.
With the opt-in solutions, the Optimizely Javascript snippet activates on the page reload after a visitor opts-in, as it’s disabled on initial page load.
Optimizely Full Stack
Optimizely Full Stack doesn’t rely on cookies for experiments, so the ePrivacy Regulation’s cookie-related requirements won’t impact this feature.
Nevertheless, Full Stack users in the EU should ensure they comply with the GDPR. It requires companies to have “legitimate interests” for processing personal data within the EU.
As a data controller, it’s a company’s responsibility to meet legal obligations for processing the consent before including any personal data in an Optimizely Full Stack experiment.
For this, you need to clearly state that your experiments involve first-party efforts to improve the user experience and that you will not share user data with third parties (such as advertising partners).
You should also exclude users from full-stack experiments if they withdraw consent.
How Does Optimizely Stack Up Against Its Competitors in Privacy?
Optimizely might be a digital experience giant, but it still has to watch out for its alternatives, especially when dealing with privacy. It also has a history of leaving customers in the dark about sudden pricing changes. So no wonder many companies look at alternative providers.
For reference, we’ll compare Optimizely’s privacy options to those of Convert Experiences and VWO. We also examine:
- Each tool’s server location
- How they treat third-party cookies
- Default cross-domain tracking
- Whether they allow users to opt-out of tracking
| Optimizely | Convert Experiences |
VWO | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Single Sign-On (SSO) | ✓ | ✓ | ✓ | ||||||||||||||||||||
| EU Based Servers | X | ✓ | X | ||||||||||||||||||||
| Non-PII Cookie Lifetime | 6 months | 6 months | 100 days | ||||||||||||||||||||
| Third-party Cookies | ✓ | X | ✓ | ||||||||||||||||||||
| Do Not Track Browser Setting | ✓ | ✓ | ✓ | ||||||||||||||||||||
| Opt-out Feature | ✓ | ✓ | ✓ | ||||||||||||||||||||
| GDPR Compliance In-app Guidance | X | ✓ | X | ||||||||||||||||||||
| Data Processing Agreement (DPA) | ✓ | ✓ | ✓ | ||||||||||||||||||||
| PCI-DSS Compliance | ✓ | ✓ | ✓ | ||||||||||||||||||||
| ePrivacy Compliance | X | ✓ | X | ||||||||||||||||||||
| Data Anonymization | ✓ | ✓ | ✓ | ||||||||||||||||||||
| Cross-domain Tracking Allowed by Default | ✓ | X | ✓ | ||||||||||||||||||||
| Segmentation Allowed by Default | ✓ | X | ✓ | ||||||||||||||||||||
| Right to be Forgotten | ✓ | ✓ | ✓ | ||||||||||||||||||||
| Data Breach Notifications | ✓ | ✓ | ✓ | ||||||||||||||||||||
| Designation of a Data Protection Officer | ✓ | ✓ | ✓ | ||||||||||||||||||||
| Cross-border Data Transfers | EU-U.S. and SwissU.S. Privacy Shield frameworks | EU-U.S. and SwissU.S. Privacy Shield frameworks | EU-U.S. and SwissU.S. Privacy Shield frameworks | ||||||||||||||||||||
| Data Protection by Design and Default | ✓ | ✓ | ✓ | ||||||||||||||||||||
| Sensitive Personal Data | X | X | X |
What Changes Has Optimizely Made to Privacy Post Episerver Acquisition?
In September 2020, Episerver announced acquiring Optimizely. A year later, Episerver reintroduced itself as Optimizely to increase brand recognition.
The Optimizely acquisition and rebranding created opportunities for both Episerver and Optimizely customers as the need for personalization and commerce functionalities became more evident.
In terms of privacy, Optimizely has grown significantly since the acquisition.
- Episerver respects privacy by design and default. It releases new policies every week to ensure it stays compliant with the GDPR and other applicable privacy laws.
- It hosts annual meetings, training, seminars, webinars, and educational series on data protection, security, privacy, and personal information.
- Episerver also updated Optimizely’s Data Processing Agreement (DPA) for all new applicable vendors to sign and ensure compliance with data protection and privacy regulations.
- Episerver enhanced Optimizely’s privacy statement and policy for data subject access and erasure requests under the GDPR and the California Consumer Privacy Act (CCPA), offering access and deletion rights to the EU and California residents. It now has a clear model for obtaining consent and removing information when needed.
- Episerver’s Security Incident Response Team (SIRT) can handle potential security or privacy incidents. It categorizes all security incidents as high-priority (P1) and escalates them to the dedicated team.
- Episerver launched the Episerver Trust Center, highlighting unified security, compliance, and privacy controls to protect customer data.
Episerver revamped Optimizely, raising the bar for GDPR compliance and privacy practices to provide a strong legal basis.
Episerver has made GDPR compliance an everyday priority in both product development and managed services globally.
Peter Yeung, Vice President, General Counsel, and Global Data Protection Officer, Episerver
Peter further added that Episerver has a long history of pioneering in highly regulated industries and countries, resulting in solutions designed built with compliance in mind. It combines years of extensive cloud infrastructure experience and knowledge with a deep commitment to data protection, security, and compliance.
Stepping up to Future Challenges
Optimizely has made great efforts to comply with the GDPR, CCPA, the General Personal Data Protection Law (LGPD), and other applicable privacy laws.
It may have stepped up to ensure data privacy and security after its acquisition, but it’s hardly considering the upcoming ePrivacy Regulation. Optimizely needs to level up for experimentation and data collection.
Data drives everything from developing a test hypothesis to delivering a more personalized user experience and tracking a test’s efficacy. This means experimentation teams must prioritize data privacy.
The GDPR only deals with general (personal) data, whereas ePrivacy intends to complement the GDPR, covering and auditing data privacy broadly. The ePrivacy Regulation covers marketing, a whole list of tracking technologies (including but not limited to cookies), and aims to combat profiling and behavioral advertising with transparency and affirmative consent.
As long as Optimizely doesn’t take ePrivacy into account, it’s missing an essential piece of the puzzle. And even if it starts today, getting this piece in place won’t be easy.
