One year after the GDPR — the world has not ended yet.

Boris Pfeiffer
Jun 20, 2019

In early 2018, any website owner went a little crazy over implementing the fuzzy rules of GDPR. I went along with the craze and shut down a bunch of my just-for-fun blogs as I could not afford to spend the time and effort to make them GDPR safe. By now, they are so hopelessly out of date that I will most likely never launch them again.

For my core business — the quiz maker riddle.com — we had no choice but to implement measures to follow the GDPR rules. Our quizzes are used by top brands to both engage their audience and collect leads — gathering the email address and other personal information from each person who chooses to fill in the form.

Fortunately, we started in early 2017 to implement the most critical measures and also got outside help from a top privacy law firm to help us not mess up.

In the wake of the Cambridge Analytica scandal, we also needed to make sure that quizzes our customers create are fully GDPR safe so that quiz takers can rest assured that their data is not being misused.

How much did it cost?

We probably spent well over 100,000 euros — counting all the development and legal time spent in making our own site and the SaaS tools we offer GDPR safe, plus creating things such as a privacy policy and a data processing agreement.

This was a huge expense in both time and money; we would have much rather spent it on making our core product better (or on coffee and beer). Forbes estimated that large British firms have spent $1.1 billion prepping for GDPR, with American companies sinking in $7.8 billion. That sounds pretty crazy to me, to be honest.

Did the GDPR change anything for the better?

So, a year on — are there any positive effects from GDPR?

Now that the dust has settled a bit — let’s review.

The underlying ideas behind GDPR were:

  • less data misuse
  • less spam
  • less data collection

My personal big hope was that spam would be reduced (both phone and email spam). So far, that has not panned out.

I am seeing no reduction in email spam, and phone spam feels like it has gone up. Spamhaus.org put up a great article on why GDPR had little to no effect on spam.

In a nutshell, serious email senders have reduced the amount of mail sent, but these amount only to a tiny percentage of the total spam mail volume. The hardcore spammers just don’t care, as no one is out there going after them anyway.

As far as less data misuse and less data collection are concerned, GDPR has also failed to deliver. Your data is still misused and collected, with the big difference being that you have now probably opted-in to it.

You will always face a trade-off between using an online service that requires your data vs. not using the service and protecting your data. Before, the service would quietly collect data on you without telling you. The main change is that they now present an opt-in box where you have to agree that your data will be used. The kicker? Not agreeing most often means that you cannot use the service.

To me, the only positive change from GDPR is that people are becoming a bit more sensitive and conscious about their data, while big companies like Apple are starting to implement measures that prevent free-for-all data collection by app developers.

And for all of the threats of big fines in the run-up to the GDPR, so far there have been no huge fines issued by the EU and no mass legal actions against companies for GDPR violations.

The ugly face of GDPR

With almost no measurable positive effects, there are countless negative examples of where GDPR is making life (in the EU) a lot more complicated than it has to be.

Doing business with banks, insurance companies, telcos or just about any big company that needs your name and address now involves filling out a massive amount of extra paperwork, which honestly no one ever reads.

The bottom line is that if you need a bank account, you will sign the bank’s GDPR paperwork.

The environmental impact is not trivial. I could not find any hard data on this, but if you assume that the average data processing agreement (DPA) has 7 pages, is often printed and signed in 2 copies, you get 14 pages of paper per DPA. There are probably a million of these signed each month — that is 140 trees gone each month, just for DPAs.

I have personally witnessed other crazy stuff like doctors no longer calling out patients’ names in the waiting room — or large apartment buildings removing name tags from doorbells.

This is probably not what the lawmakers had in mind when they cooked up GDPR.

But the total net effect?

After a lot of craziness in the first months, folks are starting to ignore GDPR and just go on with their business as usual. While we offer all the necessary tools to make your quizzes and other interactive content fully GDPR-compliant, we see many of our creators ignore them.

What did Riddle do to support GDPR for its quiz creators?

Like it or not, the GDPR is here to stay. We worked with our lawyers to offer a quiz maker that allows you to be fully GDPR-compliant. Granted, your quiz will look a little slicker and your completion rates might be better if you ignore GDPR, but we totally leave that choice up to you.

If you’re creating a quiz to collect leads, here are the steps you’ll need to make it fully GDPR safe:

  • Are you using Facebook pixels to optimize your ad spend and build a re-targeting audience? We recommend adding a Facebook pixel warning that lets quiz takers agree to be tracked by Facebook before firing the pixel.
  • Add a message to your lead capture form — alerting quiz takers that their data is processed on the Riddle servers and sign a data processing agreement with Riddle before publishing the quiz.
  • Place a link to your own privacy policy. If you don’t have one yet, here is a great tool that allows you to build one for free. The form is in German, but the output is available in English, French, and German. Use Google Translate to fill out the form.
  • Make sure to check all the third-party services you are using like Google Ads or Riddle. Enable double opt-in. If the link in the email confirmation is not clicked, no personal data gets saved.
  • Ask readers to opt-in to save their quiz answers along with the lead data. This is probably a hard sell to most people filling out a quiz, but if you offer prizes for correct answers, your readers might be inclined to check this box to enter your prize draw.

At Riddle.com, we believe that the privacy of quiz takers is of critical importance. We make sure that we can never access personal data collected by our creators. We go further — never tracking our creators’ quizzes or quiz takers.

One year after the GDPR — should you collect leads with quizzes?

The good news though is that you can continue to create quizzes to collect leads.

Whether using Riddle’s GDPR features or another quiz creator, make sure to let users opt in for everything. You should then be on the safe side and can continue to collect data from your quizzes to build highly targeted audiences.

It is worth the effort.

After all, quizzes are almost 20X more effective for lead generation than most other methods. For comparison, a pop-up newsletter sign-up form tends to get 2% completion rates. Showing a lead form at the end of a quiz, prior to showing the quiz results, will see you get from 24% to 35% form completes.

Why? Your quiz will have each reader answering questions for a few minutes. By the time they finish the quiz and the form appears, it is just another question to answer. Rather than interrupting users, the lead form fits naturally in the flow so it is not nearly as annoying as those pop-ups that appear when you read an article.

But brace yourself.

Now that the GDPR hype is slowly dying down, we all should start worrying about “Upload filters” — the latest craziness coming from the EU.

Sigh.
