Try Riddle – a fully GDPR-compliant quiz maker (& CCPA)

15 min read

Do you use quizzes to collect leads? You’ll need a GDPR-compliant quiz maker to handle all that personal data.

Quizzes are powerful lead generation tools – but they are at high risk to the GDPR, the EU’s sweeping privacy regulation, as well as California’s CCPA.

Quick read links for your privacy compliance checks:

• Riddle Data Processing Agreement (DPA)
• List of cookies used in our creation tools and our embed

Quick privacy checks:

1. All data is hosted in Europe on our own servers (main server in Frankfurt/Main, Germany, live backup server in Luxembourg)
2. No trackers in the embed code
3. All personal identifiable data you choose collect with your Riddles is only accessible by yourself. If you choose to store it on our servers, it will be encrypted and cannot be accessed by Riddle staff

Video: Riddle’s comprehensive approach to the GDPR

You can watch our co-founder Mike – as he gives a high-level overview of Riddle’s approach to GDPR-compliance.

7 ways we’re a GDPR-compliant quiz maker

(Side note: We used our own quiz creator to make this listicle – it’s a handy way to summarize and present information.)

If you prefer text to our listicle:

1. 100% EU – everything runs on our own servers, located in a banking-grade, super-secure data center in Frankfurt, Germany with backup servers in Luxembourg. No cloud storage with AWS or Google – which are U.S.-owned companies so this would be non-compliant.
2. You own all your data – Riddle staff has no access to the data you collect from your quizzes.
3. You own all the content you create – We just provide the quiz tools; we’ll never sell or distribute your quizzes.
4. All personal data is encrypted – all personal data you collect from your quizzes is encrypted and only accessible by the quiz creator. No Riddle employees can access it.
5. Data processing agreement – you can download and sign our DPA (Data processing agreement) here.
6. Tracker-free quizzes – No trackers in the quiz content you embed on your website, so we don’t collect personal data like IP addresses. Even our Google fonts loaded locally from our server.
7. No IP address tracking – we don’t EVER collect your quiz takers’ IP addresses or attach customer-specific cookies. Check out our cookie policy here.
8. No Google Analytics – we use a self-hosted version of Matomo to keep your personal data safe. The embed code has no analytics code from us. We will never steal your users, analyze your traffic or try to gain knowledge of how you are using Riddle.
9. Unlimited quiz creation/views/leads – as an added benefit, there are no limits in our plans in terms of how many quizzes you can create or how many leads you collect.
   

The good news is that Riddle is a fully GDPR-compliant quiz maker – we also comply with other global privacy regulation like the CCPA.

Updated: EU-US ‘Privacy Shield’ not sufficient for GDPR compliance

This is a BIG deal. The EU has ruled that the ‘Privacy Shield’ no longer counts for GDPR-compliance.

How might this impact you? The Privacy Shield was a way for companies to bulk send consumer information to the US for processing – for things like Amazon Web Services (AWS), Google Analytics, or any number of SaaS providers. The EU has ruled that this is no longer sufficient – so you should immediately look to review how your business handles data.

What does this mean for Riddle? We were proud to be a GDPR-compliant quiz maker. Being 100% based in the EU, we’re hyper-aware of how important this topic is. We know there will be a lot of fast-moving developments as the implications sink in – and will constantly update this post going forward.

Fortunately, we’re already ahead of the game in compliance:

• No cloud servers – all our web servers are based in Germany and Luxembourg in a secure, banking-grade data center. We are operating our own server infrastructure and are not running on shared services.
• No trackers – the Riddle embed code (the piece of code you put on your website to run the quiz) does not contain any trackers or cookies other than a necessary session cookie.
• No IP address tracking – we don’t EVER collect your quiz takers’ IP addresses or attach customer-specific cookies. Check out our cookie policy here.
• Personal info collected by the quiz creator via lead forms only – with each user’s specific opt-in and the form data can be stored encrypted on Riddles servers, where only the quiz creator has access to them.
• Sign our DPA – creators can sign a Data Processing Agreement (DPA) with us in case you need our staff to access any personal information associated with your account.
• No Google font tracking – we are serving all Google fonts from our own servers and have removed all Google tracking.
• No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017. We use our own self-hosted solution to keep all data in-house.
• Almost zero cookies – whenever possible, we have removed cookies from Riddle’s online quiz builder and embedded quizzes.
  • If we have to use cookies in a Riddle embed, we make sure to never use it to collect and store any personal identifiable data. We use only seesion cookies in our quizzes – an anonymous, randomly generated value that doesn’t collect any personal info… not even IP addresses.
  • You can read more about our cookies here: https://www.riddle.com/docs/creators/quiz-maker-cookies-tracking/
• No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we only track aggregate data but never individual quiz takers’ information. We cover this more below.

Plus, we’ve got a team of some of the best German data protection lawyers around – they keep us up to date with changes.

Why choose an GDPR-compliant online quiz maker?

The GDPR has been joined by other privacy regulations worldwide. There’s California’s CCPA, Canada’s PIPEDA, and more coming all the time.

The good news? If you follow the GDPR, you should generally be compliant with these as well. But of course – check with a lawyer about your own particular use case, just in (ahem) case.

Any sites that gather personal information from EU visitors face huge fines of up to 20 million euros ($23M) – whether based in the EU or not.

Amazon recently got hit with an $887M fine regarding data misuse; the EU is definitely not messing around about enforcing the GDPR.

• The good news? Riddle is a fully GDPR-compliant quiz maker.
• We power the quizzes for the privacy-conscious BBC, Manchester United, Shopify, and hundreds more.

How is Riddle a GDPR-compliant quiz maker?

Okay – let’s dive into the finer details.

We’ve been around since 2014, and are a 100% European company (officially, we’re Riddle Technologies AG and Riddle Technologies Ltd.).

Protecting our clients’ data has been our top priority since we launched.

We’re big data protection geeks – we’re one of the only online quiz builders to meet these GDPR core qualifications:

1. No individual or personal data from quiz takers is being stored by Riddle – this applies for 95% of our use cases; data is sent directly to your marketing tools (with integrations like Mailchimp or ActiveCampaign) without ever being stored on Riddle’s servers.
   • The only exception – if you decide to use our ‘Save to Riddle’ option, you’re choosing to store data with us.
   • Even in this case, you’re covered – as the data is encrypted and stored in your own private webspace. It is hosted in a secure Frankfurt, Germany data center – and is not accessible by us or anyone else.
2. When you use Riddle to build your quiz you are creating your content in your own private webspace and your quiz takers data is stored in your private space. No one else has access to that data. This means, you are fully responsible for how you use Riddle. Our toolkit provides you with everything you need to keep your quizzes compliant with GDPR, but if you are based outside of Europe and have no European visitors on your sites, you might not need all these warnings and messages, so we are giving you the option to not show them.
3. All Riddle servers are EU-based in Germany with our live backup servers in Luxembourg – and we are not using Google, Amazon or any other non-European cloud provider to store data. Our data center is ISO 27001 certified (see below for more info on our data center certifications).
4. Riddle is a German company  – with the snappy name of Riddle Technologies AG.
5. No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017.
6. No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data but never individual quiz takers’ information. We cover this more below.

Only aggregate, anonymous data is collected

As a GDPR-compliant quiz maker, we only store aggregate quiz data – with no additional information added, unless you include an opt-in lead form.

For example, imagine 1,000 people take your quiz – 600 fill in your lead form, and 400 opt-out:

• For the 400 quiz takers who do not complete the form:
  • We would store just the total count of quiz answers and overall results (1,000 people answer the quiz in this way).
  • We would not save the specific responses from each user.
• For your 600 leads:
  • We would collect their quiz responses, such as ‘Bob (bob@yoursite.com) answered the questions for Quiz 12345 in this way’.

If you want to collect individual quiz takers’ data, no problem.

You easily can do that with our lead generations forms in a GDPR-compliant way, either:

• Store the data with Riddle
• Use our our webhook to send the data directly to your own GDPR compliant storage solution – never touching our servers.

Add an opt-in field to any lead form

We also suggest that you also add an opt-in field to the lead form:

• Ask permission to store the lead’s quiz data along with the form data (like name, email, etc.)
• If the user fills in the lead form, but does not give permissioni, we will still store the lead data for you, but will show all quiz data as ‘withheld’.

Also, make sure to use our built-in double-opt-in feature – where each lead had to click an email confirmation. Only data from confirmed email addresses will be stored that way.

Why the GDPR matters – worldwide

Based outside the EU? You may think that GDPR doesn’t concern you.

However, you may still be liable under the GDPR (facing fines up to €20 million or 4% of your worldwide turnover) – unless you are actively preventing any Europeans from visiting the page (blocking EU visitors by IP or the like) where you embed your Riddle quiz.

How is Riddle a GDPR-compliant quiz maker?

• Our Riddle embeds contain absolutely no tracking tools like Google Analytics or Facebook Pixels.
• For lead generation data storage, we offer two great options – storing on our servers or sending data to a tool of your choice.
• A template data processing agreement – keep your lawyers happy. Download, add your company info – then submit to us for signature. We will sign verifying that we are compliant with the GDPR.

Data collection via Riddle

Our lead collection tools have been rebuilt from the ground up to be fully compliant with these global privacy regulations.

Featuring a drag/drop form builder, they are more flexible, powerful, and user-friendly than ever.

Option A: Store leads and quiz data yourself (Most popular / our recommendation)

Riddle’s quiz lead generation technology lets you collect quiz leads and responses – without ever storing them on our servers. But note that after the cancellation of the EU-US Privacy Shield agreement, we believe that the only compliant way to store data externally is using our webhook to send data to a compliant storage solution.

• Please make sure to consult with your own legal team about the compliance of services like MailChimp, Google Sheets, etc. – you can either:
  • Send leads to any Google Sheet you control
  • Connect and send leads to a wide range of CRM tools with our build in connectors (like ActiveCampaign, MailChimp, and AWeber).
  • Push leads via our webhook to directly to your software – choice, where you can process them internally
  • Send leads to Zapier.com – connect to 1500+ tools with no coding

Option B: Store data on Riddle’s servers in Germany and Luxembourg

Want to download quiz data and leads as a CSV or XLS file?

• No problem – your data will be on our servers in but in a “walled garden” in your own account. Only you will control who has access to this data.
• To comply with the GPPR, you can use our form builder to add a message to your form, informing the users where you are storing their data.
• As GDPR requires, we include links to our privacy policy on the form – as well as our contact information.
• Any quiz taker can ask for details about what info is stored about them –  and also can request deletion of all data.

A quick note about using a GDPR-compliant quiz maker

Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.

It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.

You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.

Background info on the EU’s GDPR

So what is all the fuss about with the GDPR anyway?

Here’s a quick summary of the GDPR in an easy-to-digest format – with a focus on being a GDPR-compliant online quiz maker.

• One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here.
• It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation.
• Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.

The GDPR applies to any organization that collects or processes personal data of EU residents – no matter where the company is located.

GDPR: What is considered personal data?

According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:

• Name
• Address
• Photos
• Email address
• Bank details
• Posts on social network sites
• Medical information
• Computer’s IP address
  • (Seriously – IP addresses are now considered personal data – so make sure you have your tracking software to not collect these.)

Your responsibilities under the GDPR

1. You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
2. EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
3. You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.

Any time someone asks the team at Riddle for details about their information – or for information deletion, we’ll pass the request on to you the quiz creator.

However if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.

• We’re happy to handle requests for your account as part of our customer service.
• But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.

Sanctions and fines

Okay – so what happens if you’re caught breaching the GDPR?

Check out these outcomes and possible sanctions:

• Written warning in case of a unintentional first offense
• Regular data audits (these will hurt)
• Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
• Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)

As you can see, the fines are pretty drastic.

Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.

But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.

Riddle’s data center certifications

Our data center is certified as follows:

• ISO 9001:2016 and ISO/IEC 27001:2013
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 14001:2015, OHSAS 18001:2007 and ISO 50001:2011

Any questions about our GDPR-compliant quiz maker?

If you have any questions about our being a GDPR-compliant quiz maker – or would like copies of our data certificates, please drop us an email to hello@www.riddle.com/blog – or ask us on support chat.

************

Video transcript:

(Our community has some fast readers in it – who ask us to include a transcript of any video we pop into our blog. So if you prefer speed-reading to listening/watching – here you go.) 🙂

Hi there, my name’s Mike and I’m one of the co-founders here at Riddle. In this video, I’m going to give you a quick walkthrough on how Riddle is a GDPR-compliant quiz maker.

First off, we are a European company; we’re a German AG were based out of Saarbrucken, Germany. All of our servers are based in Germany and Luxembourg. Plus, we do not use cloud software and no data goes to the US. So the recently cancelled EU US Privacy Shield doesn’t apply to us because all personal data will remain in Europe.

That’s the most important overview. But now let’s dove into some of the other more specific features around being a GDPR-compliant quiz maker.

Now, if you are using Riddle.com, you are probably using it for two reasons. One is for engagement and the other is for collecting leads and quiz responses. So I’m just going to demonstrate with this cybersecurity quiz template that we have here.

I’ll just copy this to my account now with Riddle. If you’re just asking questions to people visiting your website and you are not using this collect emails module, we don’t collect any personal data. We don’t collect IP addresses, personal data, we collect nothing.

All we collect is this aggregate anonymous data. So you’ll know, “Hey, we have thirty eight thousand people look at the quiz.”

We had 25000 people finish it. We also know that three and a half thousand got five out of eight correct. And we also know that on question one, for example, 4800 people answered the year 2011 whereas 23,900 got 2013.

See? Just anonymous aggregate data. Now where GDPR comes in most specifically is when people want to use Riddle for quiz lead generation. And we make it super easy to do that.

What you’ll do is go to collect emails step – where you can use our drag and drop form builder to make and design your form. When it comes to GDPR compliance, we have Riddle.com set up so that all your personal data, every time someone fills in the form, gives their name, their email address, things like that, you can send it to AWeber, MailChimp, ActiveCampaign.

You can also use Zapier. I think they are up to three thousand different software tools.

But the main thing is that all of this data will go directly to your software and will never touch Riddle.com servers.

So from a GDPR perspective, we never see your personal data. That is one less thing you need to inform your users about because all the data goes directly to you. Your standard privacy policy will most likely apply. OK, so that’s if you’re using our standard forms.

There is one exception. If you are using our what we call our ‘‘Save to Riddle’’ option.

And now this is pretty old school.

This is a feature we designed when we launched Riddle back in 2014. Essentially, it saves everything as a spreadsheet and it saves on Riddle.com servers. So obviously, if you’re saving to Riddle, you need to let people know from a GDPR perspective, “Hey, Riddle also will be keeping a copy of your data.”

So in this case, we actually have a warning that is automatically put in to your lead form. If you are selecting ‘‘Save to Riddle’’, they will have this automatic notification. I’ll show you how that looks.

Here’s our standard quiz. And I’m just going to go through very quickly and I will get to the lead form next.

OK, so I had paused while I was going through all the questions, but now I have the last question of this quiz. I’m answering it.

And if you decided to collect emails, this is where the form will appear. You’ll see here that we have this default notification because you are saving to Riddle.

Again, just to make sure it’s clear if you are using MailChimp, ActiveCampaign any of these other connections, you won’t need to use this because again, the data goes directly to your software.

OK, so that’s essentially how we are compliant.

• We’re EU-based.
• All of our servers are based in Germany and Luxembourg.
• We don’t add cookies or trackers to collect any personal data.
• We also do not use Google Analytics or any other dog tracking that will collect personal data in another system.
• We use our own tools that are based on our servers.

Now, the last part of the GDPR equation is that users will ask you sometimes, “Hey, I would like you to delete my personal information.” We make it easy.

So, again, if you are having data go to your software, you can do it there.

But if you are using our ‘Save to Riddle’ option, you can also delete it here. So you’ll just go to our manage leads.

Let’s step click on search and then you can search and delete any person who as requested, I would like my personal data to be removed. You could click it deleted. It’s forever gone.

OK, that’s Riddle. That’s our approach to GDPR-compliance.

One thing I always forget to mention is that we are so focused on the GDPR – even your lead data from the ‘Save to Riddle’ option on Riddle.com servers, it is encrypted. We can’t ever look at it. It’s only ever visible to you and your colleagues.

OK, that’s a long-winded overview about Riddle and our GDPR compliance.

Any questions? Just use our support chat. You’ll find myself, my co-founder Boris, and the rest of our team. We are super-fast at responding.

We’re so fast, in fact, because when people use our support chat, all our phones will vibrate and we race each other to respond.

(There’s a beer competition involved, so you’ll get a fast answer to any questions about GDPR.)

OK, thanks so much and any questions? Of course, we look forward to hearing from you.