Try Riddle – a fully GDPR-compliant quiz maker (& CCPA)

11 min read

Do you use quizzes to collect leads? You’ll want a GDPR-compliant quiz maker to handle all that personal data.

Quizzes are powerful lead generation tools – but they are at high risk to the GDPR, the EU’s sweeping privacy regulation, as well as California’s CCPA.

(Side note: We used our own quiz creator to make this listicle – it’s a handy way to summarize and present information.)

If you prefer text to our listicle:

100% EU – everything runs on our own servers, located in a banking-grade, super-secure data center in Frankfurt, Germany with backup servers in Luxembourg. No cloud storage with AWS or Google – which are U.S.-owned companies so this would be non-compliant.
You own all your data – Riddle staff has no access to the data you collect from your quizzes.
You own all the content you create – We just provide the quiz tools; we’ll never sell or distribute your quizzes.
All personal data is encrypted – all personal data you collect from your quizzes is encrypted and only accessible by the quiz creator. No Riddle employees can access it.
Data processing agreement – you can download and sign our DPA (Data processing agreement) here.
Tracker-free quizzes – No trackers in the quiz content you embed on your website, so we don’t collect personal data like IP addresses. Even our Google fonts loaded locally from our server.
No IP address tracking – we don’t EVER collect your quiz takers’ IP addresses or attach customer-specific cookies. Check out our cookie policy here.
No Google Analytics – we use a self-hosted version of Matomo to keep your personal data safe.
Unlimited quiz creation/views/leads – as an added benefit, there are no limits in our plans in terms of how many quizzes you can create or how many leads you collect.

GDPR-compliant quiz maker - and CCPA too

The good news is that Riddle is a fully GDPR-compliant quiz maker – we also comply with other global privacy regulation like the CCPA.

This is a BIG deal. The EU has ruled that the ‘Privacy Shield’ no longer counts for GDPR-compliance.

How might this impact you? The Privacy Shield was a way for companies to bulk send consumer information to the US for processing – for things like Amazon Web Services (AWS), Google Analytics, or any number of SaaS providers. The EU has ruled that this is no longer sufficient – so you should immediately look to review how your business handles data.

What does this mean for Riddle? We were proud to be a GDPR-compliant quiz maker. Being 100% based in the EU, we’re hyper-aware of how important this topic is. We know there will be a lot fast-moving developments as the implications sink in – and will constantly update this post going forward.

Fortunately, we’re already ahead of the game in compliance:

No cloud servers – all our web servers are based in Germany and Luxembourg in a secure, banking-grade data center. We are operating our own server infrastructure and are not running on shared services.
No trackers – the Riddle embed code (the piece of code you put on your website to run the quiz) does not contain any trackers or cookies other than a necessary session cookie.
No IP address tracking – we don’t EVER collect your quiz takers’ IP addresses or attach customer-specific cookies. Check out our cookie policy here.
Personal info collected by the quiz creator via lead forms only – with each user’s specific opt-in and the form data can be stored encrypted on Riddles servers, where only the quiz creator has access to them.
Sign our DPA – creators can sign a Data Processing Agreement (DPA) with us in case you need our staff to access any personal information associated with your account.
No Google font tracking – we are serving all Google fonts from our own servers and have removed all Google tracking.
No Google Analytics – we don’t track you or your quiz takers on our main site, our quiz creator, or our quiz embeds. We use a self-hosted version of Matomo Analytics for necessary usage tracking on our site only. However, our quiz embed codes have absolutely no trackers, from Google Analytics or from anyone else.
(You can read more about our GDPR-compliance further down the page.)

Upcoming changes for Riddle:

This will be an evolving list – but here’s what’s on our immediate radar after the Privacy Shield ruling:

Switching our billing software to a 100% EU vendor – this has proven surprisingly tricky, since every vendor uses cloud storage (AWS or Google) which is not compliant.
We’ve now decided to simply build our own – to be 100% sure we continue to be a GDPR-compliant quiz maker.

Plus, we’ve got a team of some of the best German data protection lawyers around – they keep us up to date with changes.

The GDPR has been joined by other privacy regulations worldwide. There’s California’s CCPA, Canada’s PIPEDA, and more coming all the time.

The good news? If you follow the GDPR, you should be generally be compliant with these as well. But of course – check with a lawyer about your own particular use case, just in (ahem) case.

Any sites that gather personal information from EU visitors face huge fines of up to 20 million euros ($23M) – whether based in the EU or not.

The good news? Riddle is a fully GDPR-compliant quiz maker.
We power the quizzes for the privacy-conscious BBC, Red Bull, Manchester United, Shopify, and hundreds more.

Okay – let’s dive into the finer details.

We’ve been around since 2014, and are a 100% European company (officially, we’re Riddle Technologies AG and Riddle Technologies Ltd.).

Protecting our clients’ data has been our top priority since we launched.

We’re big data protection geeks – we’re one of the only quiz builders to meet these GDPR core qualifications:

No individual or personal data from quiz takers is being stored by Riddle – this applies for 95% of our use cases; data is sent directly to your marketing tools (with integrations like Mailchimp or ActiveCampaign) without ever being stored on Riddle’s servers.
- The only exception – if you decide to use our ‘Save to Riddle’ option, you’re choosing to store data with us.
- Even in this case, you’re covered – as the data is encrypted and stored in your own private webspace. It is hosted in a secure Frankfurt, Germany data center – and is not accessible by us or anyone else.
When you use Riddle to build your quiz you are creating your content in your own private webspace and your quiz takers data is stored in your private space. No one else has access to that data. This means, you are fully responsible for how you use Riddle. Our toolkit provides you with everything you need to keep your quizzes compliant with GDPR, but if you are based outside of Europe and have no European visitors on your sites, you might not need all these warnings and messages, so we are giving you the option to not show them.
All Riddle servers are EU-based in Germany and Luxembourg – and we are not using Google, Amazon or any other non-European cloud provider to store data. Our data center is ISO 27001 certified (see below for more info on our data center certifications).
Riddle is a German company – with the snappy name of Riddle Technologies AG.
No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017.
No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data but never individual quiz takers’ information. We cover this more below.

GDPR-compliant quiz maker - data storage

As a GDPR-compliant quiz maker, we only store aggregate quiz data – with no additional information added, unless you include an opt-in lead form.

For example, imagine 1,000 people take your quiz – 600 fill in your lead form, and 400 opt-out:

For the 400 quiz takers who do not complete the form:
- We would store just the total count of quiz answers and overall results (1,000 people answer the quiz in this way).
- We would not save the specific responses from each user.
For your 600 leads:
- We would collect their quiz responses, such as ‘Bob (bob@yoursite.com) answered the questions for Quiz 12345 in this way’.

If you want to collect individual quiz takers’ data, no problem.

You easily can do that with our lead generations forms in a GDPR-compliant way, either:

Store the data with Riddle
Use our our webhook to send the data directly to your own GDPR compliant storage solution – never touching our servers.

Add an opt-in field to any lead form

We also suggest that you also add an opt-in field to the lead form:

Ask permission to store the lead’s quiz data along with the form data (like name, email, etc.)
If the user fills in the lead form, but does not give permissioni, we will still store the lead data for you, but will show all quiz data as ‘withheld’.

Also, make sure to use our built-in double-opt-in feature – where each lead had to click an email confirmation. Only data from confirmed email addresses will be stored that way.

Based outside the EU? You may think that GDPR doesn’t concern you.

However, you may still be liable under the GDPR (facing fines up to €20 million or 4% of your worldwide turnover) – unless you are actively preventing any Europeans from visiting the page (blocking EU visitors by IP or the like) where you embed your Riddle quiz.

Our Riddle embeds contain absolutely no tracking tools like Google Analytics or Facebook Pixels.
For lead generation data storage, we offer two great options – storing on our servers or sending data to a tool of your choice.
A template data processing agreement – keep your lawyers happy. Download, add your company info – then submit to us for signature. We will sign verifying that we are compliant with the GDPR.

Data collection via Riddle

Our lead collection tools have been rebuilt from the ground up to be fully compliant with these global privacy regulations.

Featuring a drag/drop form builder, they are more flexible, powerful, and user-friendly than ever.

Option A: Store leads and quiz data yourself (Most popular / our recommendation)

Riddle’s quiz lead generation technology lets you collect quiz leads and responses – without ever storing them on our servers. But note that after the cancellation of the EU-US Privacy Shield agreement, we believe that the only compliant way to store data externally is using our webhook to send data to a compliant storage solution.

Please make sure to consult with your own legal team about the compliance of services like MailChimp, Google Sheets, etc. – you can either:
- Send leads to any Google Sheet you control
- Connect and send leads to a wide range of CRM tools with our build in connectors (like ActiveCampaign, MailChimp, and AWeber).
- Push leads via our webhook to directly to your software – choice, where you can process them internally
- Send leads to Zapier.com – connect to 1500+ tools with no coding

Option B: Store data on Riddle’s servers in Germany and Luxembourg

Want to download quiz data and leads as a CSV or XLS file?

No problem – your data will be on our servers in but in a “walled garden” in your own account. Only you will control who has access to this data.
To comply with the GPPR, you can use our form builder to add a message to your form, informing the users where you are storing their data.
As GDPR requires, we include links to our privacy policy on the form – as well as our contact information.
Any quiz taker can ask for details about what info is stored about them – and also can request deletion of all data.

Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.

It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.

You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.

So what is all the fuss about with the GDPR anyways?

Here’s a quick summary of the GDPR in an easy to digest format – with a focus on being a GDPR-compliant quiz maker.

One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here.
It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation.
Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.

According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:

Name
Address
Photos
Email address
Bank details
Posts on social network sites
Medical information
Computer’s IP address
- (Seriously – IP addresses are now considered personal data – so make sure you have your tracking software to not collect these.)

You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.

Any time someone asks the team at Riddle for details about their information – or for information deletion, we’ll pass the request on to you the quiz creator.

However if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.

We’re happy to handle requests for your account as part of our customer service.
But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.

Sanctions and fines

Okay – so what happens if you’re caught breaching the GDPR?

Check out these outcomes and possible sanctions:

Written warning in case of a unintentional first offense
Regular data audits (these will hurt)
Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)

As you can see, the fines are pretty drastic.

Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.

But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.

Riddle’s data center certifications

Our data center is certified as follows:

ISO 9001:2016 and ISO/IEC 27001:2013
Payment Card Industry Data Security Standard (PCI DSS)
ISO 14001:2015, OHSAS 18001:2007 and ISO 50001:2011

If you have any questions about our being a GDPR-compliant quiz maker – or would like copies of our data certificates, please drop us an email to hello@riddle.com – or ask us on support chat.

(Our co-founders Mike and Boris race the rest of our team to answer messages first – we respond in under 2 minutes. Boom!)

Download our free e-book

Create your own (awesome) quiz

PDF of this article without images

Try Riddle – a fully GDPR-compliant quiz maker (& CCPA)