7 min read

Create quizzes and collect leads with Riddle: a fully GDPR-safe quiz maker

Do you use quizzes to collect leads?

Quizzes are powerful lead generation tools – but they are at high risk to the EU’s new GDPR regulation.

Updated: July 29, 2020 – EU-US ‘Privacy Shield’ not sufficient for GDPR compliance

This is a BIG deal. The EU has ruled that the ‘Privacy Shield’ no longer counts for GDPR-compliance.

How might this impact you? The Privacy Shield was a way for companies to bulk send consumer information to the US for processing – for things like Amazon Web Services (AWS), Google Analytics, or any number of SaaS providers. The EU has ruled that this is no longer sufficient – so you should immediately look to review how your business handles data.

What does this mean for Riddle? We were proud to be one of the very first GDPR-compliant quiz makers. Being 100% based in the EU, we’re hyper-aware of how important this topic is. We know there will be a lot fast-moving developments as the implications sink in – and will constantly update this post going forward.

Fortunately, we’re already ahead of the game in compliance:

• No cloud servers – all our web servers are based in Germany and Luxembourg in a secure, banking-grade data center. We are operating our own server infrastructure and are not running on shared services.
• We don’t EVER collect your quiz takers’ IP addresses or attach customer-specific cookies. Check out our cookie policy here.
• Personal info is only collected by the quiz creator via lead forms – with each user’s specific opt-in and the form data can be stored encrypted on Riddles servers, where only the quiz creator has access to them.
• Creators can sign a Data Processing Agreement with us in case you need our staff to access any personal information associated with your account.
• (You can read more about our GDPR-compliance further down the page.)

Upcoming changes for Riddle (August 2020):

This will be an evolving list – but here’s what’s on our immediate radar after the Privacy Shield ruling:

• We’re changing our support software provider – from US-based Intercom to a fully EU-based alternative.
• Improving our use of Google Fonts – from serving them from Google to hosting directly on Riddle (and removing all tracking)
• Switching our billing software to a 100% EU vendor

Plus, we’ve got a team of some of the best German data protection lawyers around – they keep us up to date with changes.

Why choose an GDPR-compliant quiz maker?

The GDPR has been joined by other privacy regulations worldwide. There’s California’s CCPA, Canada’s PIPEDA, and more coming all the time. The good news? If you follow the GDPR, you should be generally be compliant with these as well. But of course – check with a lawyer about your own particular use case, just in (ahem) case.

Any sites that gather personal information from EU visitors face huge fines of up to $23M – whether based in the EU or not

• The good news? Riddle’s quiz maker is fully GDPR-compliant.
• We power the quizzes for the BBC, Arsenal FC, the Tate and more.

Get started – in three steps:

1. Create a quiz
2. Easily embed on your site
3. Collect leads and send to any marketing software

How is Riddle a GDPR compliant quiz maker?

The good news is that Riddle is already a safe GDPR quiz maker.

We’re big data protection geeks – we already meet these core qualifications for the GDPR:

1. No individual or personal data from quiz takers is being stored by Riddle quizzes – unless you are using our current Riddle lead form,  in which case you are also covered as the data is stored in your own private webspace, not accessible by anyone but you and hosted in a secure Frankfurt, Germany data center.
2. When you use Riddle to build your quiz you are creating your content in your own private webspace and your quiz takers data is stored in your private space. No one else has access to that data. This means, you are fully responsible for how you use Riddle. Our toolkit provides you with everything you need to keep your quizzes compliant with GDPR, but if you are based outside of Europe and have no European visitors on your sites, you might not need all these warnings and messages, so we are giving you the option to not show them.
3. All Riddle servers are EU-based in Germany – and we are not using Google, Amazon or any other non-European cloud provider to store data. Our data center is ISO 27001 certified (see below for more info on our data center certifications).
4. Riddle is a German company  – with the snappy name of Riddle Technologies AG.
5. No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017.
6. No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data – never individual quiz taker information.

Riddle never stores individual responses to any quiz, personality test, poll or any other type of Riddle content.

We only store aggregate quiz data – with no additional information added.

For example, if 1,000 people take your quiz, we store just the total count of quiz answers and overall results – not the specific responses from each user. For example, we will never store data like: Person A answered the questions for Quiz 11343 in this order.

(Riddle supports this option using our Zapier app, our webhook or our new lead forms – but you will need to store that data outside of Riddle using a tool like DropBox, in a way that is GDPR-compliant.)

Why the GDPR matters – worldwide:

Based outside the EU? You may think that GDPR doesn’t concern you.

However, you may still be liable under the GDPR (facing fines up to €20 million or 4% of your worldwide turnover) – unless you are actively preventing any Europeans from visiting the page where you embed the Riddle quiz.

How is Riddle GDPR-compliant?

• Our Riddle embeds contain absolutely no tracking tools like Google Analytics or Facebook Pixels.
• For lead generation data storage, we offer two great options – storing on our servers or sending data to a tool of your choice.
• A template data processing agreement – keep your lawyers happy. Download, add your company info – then submit to us for signature. We will sign verifying that we are compliant with the GDPR.

Data collection via our GDPR compliant quiz maker:

Our lead collection tools have been rebuilt from the ground up.

Featuring a drag/drop form builder, they are more flexible, powerful, and user-friendly than ever. Save your data in two ways:

• Option A: Storing data on our servers in Germany
  • Want to download quiz data and leads with a CSV or XLS file?
  • No problem – your data will be on our servers but in a “walled garden” in your own account. Only you control who has access to this data.
  • To comply with the GPPR, you can use our form builder to add a message to your form, informing the users where you are storing their data.
  • As GDPR requires, we include links to our privacy policy – as well as our contact information. Any quiz taker can ask for details about what info is stored about them –  and also can request deletion of all data.
• Option B: Store leads and data yourself
  • Riddle’s new lead generation processing features will let you:
    • Store leads in your very own Dropbox account
    • Send leads to a Google Spreadsheet that you control
    • Connect and send leads to a wide range of CRM tools with our build in connectors.
    • Push leads via webhook to a URL of your choice, where you can process them internally
    • Send leads to Zapier.com

A quick note about GDPR compliance:

Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.

It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.

You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.

Background info on the GDPR

So what is all the GDPR about anyways?

Here’s a quick summary of the GDPR in an easy to digest format – with a focus on being a GDPR compliant quiz maker.(One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here. It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation. Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.)

The GDPR applies to any organization that collects or processes personal data of EU residents – no matter where the company is located.

 

GDPR: What is considered personal data?

According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:

• Name
• Address
• Photos
• Email address
• Bank details
• Posts on social network sites
• Medical information
• Computer’s IP address
  • (Seriously – IP addresses are now considered personal data – so make sure you have your Google Analytics or other tracking software to not collect these.)

Your responsibilities relating to the GDPR

1. You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
2. EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
3. You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.

Any time someone asks the team at Riddle for details about their information – or for information deletion, we’ll pass the request on to you the quiz creator.

However if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.

• We’re happy to handle requests for your account as part of our customer service.
• But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.

Sanctions and fines

Okay – so what happens if you’re caught breaching the GDPR?

Check out these outcomes and possible sanctions:

• Written warning in case of a unintentional first offense
• Regular data audits (these will hurt)
• Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
• Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)

As you can see, the fines are pretty drastic.

Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.

But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.

Any questions about the GDPR and your quiz maker?

Drop us a line at hello@riddle.com – we’re not lawyers, but we super-friendly and can probably help with most questions. 🙂

Our data center certifications

Our data center is certified as follows:

• ISO 9001:2016 and ISO/IEC 27001:2013
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 14001:2015, OHSAS 18001:2007 and ISO 50001:2011

If you require copies of the certificates please write to hello@riddle.com