CRO, GDPR and e-privacy regulations optimisation with a risk

CRO – Optimisation with a risk

In the world of marketing, CRO stands for ‘Conversion Ratio Optimisation’. A quick search on Wikipedia for the definition of CRO, yields a different result. Here, the abbreviation CRO is also explained as standing for ‘Chief Risk Officer’. That same Wikipedia explains the main task of a CRO as: “To ensure that the organisation is in full compliance with applicable regulations and to analyse all risk related issues”.

Considering the impending GDPR and e-privacy regulation, each marketer looking to improve his conversation ratio, should first look to that other CRO. Similarly, each CRO should pay a visit to the marketing department to see what happens there. Time for a short introduction for both.

What is CRO?
Conversion Ratio Optimisation is a generic term for a combination of processes and techniques that aim to optimise the conversion ratio. Often, improving the customer experience is named as the target for these processes, but eventually this improved CX is supposed to lead to a higher conversion ratio.

Coen Huijsmans, strategist at TamTam, gave a good explanation (Dutch) of what CRO entails and what it takes to get the best results. Google Analytics is hailed as ‘your best friend in CRO’.

On the contrary, for the CRO, Google Analytics is the biggest enemy. When you use Google Analytics, you share personal information with Google and where personal information is used, consent needs to be obtained. When you just use Google Analytics for Analytics and don’t collect Personally Identifying Information (PII), you can do this before asking consent, though you’ll still need to pay close attention to the settings in Google Analytics. However, Google Analytics is fairly easily integrated with marketing tools like Google Doubleclick and Google Optimze. As soon as you start doing this, Google Analytics will have to be used only after asking users’ consent. If you fail to obtain this consent and continue to measure using Google Analytics, you are in violation of the GDPR and risk being sanctioned.

GDPR and e-Privacy Regulations
By now, nearly everyone in our sector knows that the GDPR comes into effect May 2018. At that same moment, the e-Privacy Regulation will also come into force. For the e-Privacy Regulation might be accompanied by a two-year transitional period, but that is by no means a guarantee.

The e-Privacy Regulation complements the GDPR and mostly concerns the things a marketer seeks to do online. According to the GDPR, direct marketing is allowed without consent, but the e-Privacy Regulation clearly states that so called ‘unsolicited marketing’ without consent isn’t allowed. A direct mailing per post is therefore allowed, but for a DM using e-mail you will need to ask consent first.

The sanctions for violating both laws are the same. They can be enforced per violation, so when you continue to violate one or both of the laws, you can encounter the same sanction again. When we talk about GDPR sanctions, fines may seem like the biggest threat. In relation to CRO, you could make a business case: how high is the fine and what does the optimisation bring us? However, in this case, don’t forget to take damage to your reputation into account for this business case. How many clients leave the company and how difficult will it be to find (and bind) new clients, after you’ve been caught breaching regulations. This impact, of course, depends on what kind of business you are. A big dating-site will suffer more reputational damage than a fairly small web shop.

Of course, we would never advise anyone to purposefully violate the law. If you decide to this, any decent CRO will prevent you from giving in to this temptation! A good thing, because one of the most dangerous sanctions is rarely discussed, but will most definitely still be enforced: a ban on the collection and processing of personal information.

Let that sink in. A complete ban on processing personal information. What can you do if you are no longer allowed to process personal information. Does your company even have a ground for existing in that case, or would you need to close shop immediately?

It is viable to optimise conversion ratios, improve customer experiences and (re)target your campaigns under the GDPR. A lot is still possible, but not without a concerted effort. Only after obtaining consent in a valid way, are you allowed to use data for this purpose. Do you tell your customers in your consent pop-up that you use Google Analytics for analytics purposes? Then you’re not allowed to use the data for targeting and can not link your Google Analytics to Doubleclick or Optimize. Did you tell your customers that you measure your customer’s behavior to increase your conversion ratio and have customers consented to this? Then nothing is stopping you in optimising your conversion ratio.

A final word: if you link your Google Analytics to Google Optimize, you are only allowed to use Google Analytics after a visitor has given consent for the tracking of his behavior for marketing purposes. This is because when you send ID’s from Google Analytics to Optimize, Google assumes that all ID’s have already given their consent.

Shopping Basket

Let's talk

I’m Here To Assist You

Feel free to contact me, and I will be more than happy to answer all of your questions.

We implement your privacy-compliance data services together with domain experts. Do you need services in data engineering, customer and data analytics, privacy compliance reports or consulting services? Our marketplace service manager is here to guide you through the process and ensure that you find the solution that fits perfectly your organization.

Gijs Kooij – Marketplace manager

Get in contact

Mail me on and i’ll get back to you to schedule a call or call me on 0850867060 during office hours


Book a 30 minute introduction call

Let’s talk about solutions that meet your requirements.  

Together, based on your profile we can determine the best course of action to ensure compliance and data security for your company.