8 min read

Create quizzes and collect leads with Riddle: a fully GDPR-safe (and CCPA) quiz maker

Do you use quizzes to collect leads?

Quizzes are powerful lead generation tools – but they are at high risk to the EU’s new GDPR regulation, as well as California’s CCPA.

The good news is that Riddle is a fully GDPR-compliant quiz maker – we also comply with other global privacy regulation like the CCPA.

Updated: July 29, 2020 – EU-US ‘Privacy Shield’ not sufficient for GDPR compliance

This is a BIG deal. The EU has ruled that the ‘Privacy Shield’ no longer counts for GDPR-compliance.

How might this impact you? The Privacy Shield was a way for companies to bulk send consumer information to the US for processing – for things like Amazon Web Services (AWS), Google Analytics, or any number of SaaS providers. The EU has ruled that this is no longer sufficient – so you should immediately look to review how your business handles data.

What does this mean for Riddle? We were proud to be one of the very first GDPR-compliant quiz makers. Being 100% based in the EU, we’re hyper-aware of how important this topic is. We know there will be a lot fast-moving developments as the implications sink in – and will constantly update this post going forward.

Fortunately, we’re already ahead of the game in compliance:

• No cloud servers – all our web servers are based in Germany and Luxembourg in a secure, banking-grade data center. We are operating our own server infrastructure and are not running on shared services.
• No trackers – the Riddle embed code (the piece of code you put on your website to run the quiz) does not contain any trackers or cookies other than a necessary session cookie.
• No IP address tracking – we don’t EVER collect your quiz takers’ IP addresses or attach customer-specific cookies. Check out our cookie policy here.
• Personal info collected by the quiz creator via lead forms only – with each user’s specific opt-in and the form data can be stored encrypted on Riddles servers, where only the quiz creator has access to them.
• Sign our DPA – creators can sign a Data Processing Agreement (DPA) with us in case you need our staff to access any personal information associated with your account.
• No Google font tracking – we are serving all Google fonts from our own servers and have removed all Google tracking.
• No Google Analytics – we don’t track you or your quiz takers on our main site, our quiz creator, or our quiz embeds. We use a self-hosted version of Matomo Analytics for necessary usage tracking on our site only. However, our quiz embed codes have absolutely no trackers, from Google Analytics or from anyone else.
• (You can read more about our GDPR-compliance further down the page.)

Upcoming changes for Riddle:

This will be an evolving list – but here’s what’s on our immediate radar after the Privacy Shield ruling:

• Switching our billing software to a 100% EU vendor

Plus, we’ve got a team of some of the best German data protection lawyers around – they keep us up to date with changes.

Why choose an GDPR-compliant quiz maker?

The GDPR has been joined by other privacy regulations worldwide. There’s California’s CCPA, Canada’s PIPEDA, and more coming all the time.

The good news? If you follow the GDPR, you should be generally be compliant with these as well. But of course – check with a lawyer about your own particular use case, just in (ahem) case.

Any sites that gather personal information from EU visitors face huge fines of up to 20 million euros ($23M) – whether based in the EU or not

• The good news? Riddle’s quiz maker is fully GDPR-compliant.
• We power the quizzes for the BBC, Red Bull, Manchester United, Shopify, and hundreds more.

Get started – in three steps:

1. Create a quiz
2. Easily embed on your site
3. Collect leads and send to any marketing software

How is Riddle a GDPR compliant quiz maker?

The good news is that Riddle is already a safe GDPR quiz maker.

We’re big data protection geeks – we’re one of the only quiz builders to meet these GDPR core qualifications:

1. No individual or personal data from quiz takers is being stored by Riddle quizzes – unless you are using our current Riddle lead form,  in which case you are also covered as the data is encrypted and stored in your own private webspace, not accessible by anyone but you and hosted in a secure Frankfurt, Germany data center.
2. When you use Riddle to build your quiz you are creating your content in your own private webspace and your quiz takers data is stored in your private space. No one else has access to that data. This means, you are fully responsible for how you use Riddle. Our toolkit provides you with everything you need to keep your quizzes compliant with GDPR, but if you are based outside of Europe and have no European visitors on your sites, you might not need all these warnings and messages, so we are giving you the option to not show them.
3. All Riddle servers are EU-based in Germany – and we are not using Google, Amazon or any other non-European cloud provider to store data. Our data center is ISO 27001 certified (see below for more info on our data center certifications).
4. Riddle is a German company  – with the snappy name of Riddle Technologies AG.
5. No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017.
6. No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data – never individual quiz taker information.

Riddle never stores individual responses to any quiz, personality test, poll or any other type of Riddle content.

We only store aggregate quiz data – with no additional information added, unless you include an opt-in lead form.

For example, imagine 1,000 people take your quiz – 600 fill in your lead form, and 400 opt-out:

• For the 400 quiz takers who do not complete the form:
  • We would store just the total count of quiz answers and overall results (1,000 people answer the quiz in this way).
  • We would not save the specific responses from each user.
• For your 600 leads:
  • We would collect their quiz responses, such as ‘Bob (bob@yoursite.com) answered the questions for Quiz 12345 in this way’.

If you want to collect individual quiz takers’ data, no problem. You easily can do that with our lead generations forms in a GDPR-compliant way. To store the data, we suggest you either:

• store the data with Riddle
• use our our webhook to send the data to your own GDPR compliant storage solution

We also suggest that you also add an opt-in field to the lead form:

• Ask permission to store the lead’s quiz data along with the form data (like name, email, etc.)
• If the user fills in the lead form, but does not give permissioni, we will still store the lead data for you, but will show all quiz data as ‘withheld’.

Also, make sure to use our built-in double-opt-in feature – where each lead had to click an email confirmation. Only data from confirmed email addresses will be stored that way.

Why the GDPR matters – worldwide:

Based outside the EU? You may think that GDPR doesn’t concern you.

However, you may still be liable under the GDPR (facing fines up to €20 million or 4% of your worldwide turnover) – unless you are actively preventing any Europeans from visiting the page where you embed the Riddle quiz.

How is Riddle GDPR-compliant?

• Our Riddle embeds contain absolutely no tracking tools like Google Analytics or Facebook Pixels.
• For lead generation data storage, we offer two great options – storing on our servers or sending data to a tool of your choice.
• A template data processing agreement – keep your lawyers happy. Download, add your company info – then submit to us for signature. We will sign verifying that we are compliant with the GDPR.

Data collection via our GDPR-compliant quiz maker:

Our lead collection tools have been rebuilt from the ground up to be fully compliant with these global privacy regulations.

Featuring a drag/drop form builder, they are more flexible, powerful, and user-friendly than ever.

Option A: Store leads and quiz data yourself (Most popular / our recommendation)

• Riddle’s quiz lead generation technology lets you collect quiz leads and responses – without ever storing them on our servers. Please note that after the cancellation of the privacy shield agreement, we believe that the only compliant way to store data externally is using our webhook to send data to a compliant storage solution. Please make sure to consult with your own legal team about the compliance of services like MailChimp, Google Sheets, etc. You have the choice to:
  • Send leads to any Google Sheet you control
  • Connect and send leads to a wide range of CRM tools with our build in connectors (like ActiveCampaign, MailChimp, and AWeber).
  • Push leads via our webhook to directly to your software – choice, where you can process them internally
  • Send leads to Zapier.com – connect to 1500+ tools with no coding

Option B: Store data on Riddle’s servers in Germany and Luxembourg

• Want to download quiz data and leads as a CSV or XLS file?
  • No problem – your data will be on our servers in but in a “walled garden” in your own account. Only you will control who has access to this data.
  • To comply with the GPPR, you can use our form builder to add a message to your form, informing the users where you are storing their data.
  • As GDPR requires, we include links to our privacy policy on the form – as well as our contact information.
  • Any quiz taker can ask for details about what info is stored about them –  and also can request deletion of all data.

A quick note about GDPR compliance:

Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.

It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.

You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.

Background info on the GDPR

So what is all the fuss about with the GDPR anyways?

Here’s a quick summary of the GDPR in an easy to digest format – with a focus on being a GDPR-compliant quiz maker.

• One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here.
• It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation.
• Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.

The GDPR applies to any organization that collects or processes personal data of EU residents – no matter where the company is located.

GDPR: What is considered personal data?

According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:

• Name
• Address
• Photos
• Email address
• Bank details
• Posts on social network sites
• Medical information
• Computer’s IP address
  • (Seriously – IP addresses are now considered personal data – so make sure you have your tracking software to not collect these.)

Your responsibilities under the GDPR

1. You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
2. EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
3. You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.

Any time someone asks the team at Riddle for details about their information – or for information deletion, we’ll pass the request on to you the quiz creator.

However if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.

• We’re happy to handle requests for your account as part of our customer service.
• But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.

Sanctions and fines

Okay – so what happens if you’re caught breaching the GDPR?

Check out these outcomes and possible sanctions:

• Written warning in case of a unintentional first offense
• Regular data audits (these will hurt)
• Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
• Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)

As you can see, the fines are pretty drastic.

Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.

But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.

Riddle’s data center certifications

Our data center is certified as follows:

• ISO 9001:2016 and ISO/IEC 27001:2013
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 14001:2015, OHSAS 18001:2007 and ISO 50001:2011

Any questions about the GDPR and your quiz maker?

If you have any questions about quizzes or the GDPR would like copies of our data certificates, please drop us an email to hello@riddle.com – or ask us on support chat.

(Our cofounders Mike and Boris race the rest of our team to answer messages first – we respond in under 2 minutes. Boom!)