How Littledata helps Shopify stores comply with GDPR

When the GDPR regulation comes into effect later this month, it will impact all websites trading with EU citizens. That means any ecommerce site with customers in Europe! Is your Shopify store ready to comply?

We recently updated our Shopify app (since release 7.8) to help Shopify stores which use Google Analytics comply with GDPR. In addition to automatic fixes to help your store comply, we include recommendations for how to update your site content (such as Terms and Conditions), and how to deal with the new 'two year rule'. If you're running a Shopify store, the time to act is now.

Automatic fixes with our Shopify app

The first two steps are done automatically when you install our GDPR-ready Shopify app. If you're already using Littledata's Shopify app, these two fixes can be applied when you upgrade to our latest tracking script (version 3.2). Here's what they address.

1. Anonymise customer IP addresses

The IP address of your website visitor is considered personal information under GDPR, and to remove any risk that this is sent to Google’s servers in the USA, our script scrambles the last few digits of the IP address. Google already promises not to store the IP address, so this step is an extra level of safety. This slightly reduces the accuracy of tracking which city your visitor came from -- but we believe that this is a small price to pay for ensuring anonymity.

2. Filter personal emails and ZIP/postcodes from pageviews

Many sites accidentally send personal data in the page URLs or titles tracked by Google Analytics. For example, apps with their own checkout often send the user email as a URL parameter like ‘/url?email=myname@gmail.com’. Our script now filters that personal data out at source, so the page path you’ll see in Google Analytics is ‘/url?email=REMOVED’.

Additional manual steps

There are two additional manual steps to ensure that Google Analytics for your Shopify store is GDPR-compliant.

3. Update your terms and conditions

You need to update your website T&Cs to ensure users are aware of the Google Analytics Advertising Features that our Shopify app activates and Google uses to identify user demographics, such as gender and interests. We are not lawyers, but we suggest using something similar to these sentences to describe what data is collected, how you (and we) use the data, and how users can opt out:

Our site uses Google Analytics Advertising Features to deduce your gender, age group and interests based on other types of websites you have visited. We use this in aggregate to understand which demographics engage with areas of our website. You can opt out with Google's browser add-on.

4. Remove user-specific information after 2 years

You should also change the data retention period for your Google Analytics web property, so that Google removes all user-specific information from their database after 2 years. To make this change, log in to your GA account and go to the Settings cog, and then Property > Tracking info > Data Retention. Use the 'data retention' drop-down menu to select to keep user data for 26 months, and mark 'reset on new activity' to ON. This means that after 26 months, if the user has not come back to your website, any user cookie will be deleted. We think this is sensible to comply with the Right to Erasure without making any practical limits to your analysis.

Right to Erasure feature coming soon!

We're also working on a feature to help websites comply with the Right to Erasure or Right to be Forgotten. Here's a summary of that aspect of the regulation, from the summary of key changes at EUGDPR.org.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject's withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Littledata's Right to Erasure feature will ensure that when you delete a customer from your Shopify admin interface, any references to that customer are deleted from Google Analytics. This won’t affect aggregate reporting, such as number of web sessions or transactions.

When do GDPR regulations take effect?

The official enforcement date for General Data Protection Regulation (GDPR) is 25 May 2018. At that time any organisations in non-compliance may face heavy fines.

In short, we recommend implementing the fixes above ASAP for your Shopify store. All you need is a Google Analytics account and our Shopify app. And do check our blog regularly for updates. This is the best place to hear about new Littledata features relating to GDPR, as well as news and analysis about how the regulations affect different types of online businesses, including ecommerce websites, subscription businesses, and membership-based sites such as large charities and nonprofits.

Looking for additional support? Contact us about GDPR consulting for analytics setup.

2018-05-02

Tracking the online customer journey for luxury ecommerce

Today I'm excited to be participating in the Innovation Meets Fashion event in Lugano, Switzerland. As an increasing amount of luxury and fashion retail moves online, high-end brands are finding it complicated to track the complete customer journey. In many cases, difficulties in tracking customers through to eventual purchase are holding back investment in the digital experience and online marketing. But it doesn't have to be this way.

We've found a straightforward correlation in ecommerce between the average ticket price of the item being purchased and the number of web pages or sessions before that purchase is made. Simply put, customers spend longer considering big ticket items than they do with smaller ticket items and impulse purchases.

Luxury retail involves many touch points with the brand across your websites, social sites and physical stores. The problem is that the longer the online customer journey, the harder it is to get consistent data on which top-of-funnel experiences are leading to purchasing.

So first the bad news: since many potential customers browse anonymously, perfect ecommerce tracking across a long online and offline journey is not possible. Tracking browsers based on first-party cookies (such as Google Analytics) will fail when customers use multiple devices, clear their cookies or browse in-app (such as from Facebook).

Yet there are three ways we have seen retailers selling high value items increase the reliability of their online behavioural data.

1. Track online shopping behaviour in detail

Understanding whether customers browse certain products, view the detail of product variants and even add-to-cart is a good proxy for seeing which campaigns eventually convert. Does your brand have a good understanding of how each marketing channel influences browsing behaviour, after the landing page but before the checkout?

2. Offer a good reason to get customers to log in before buying

VIP offers, registering for events and discounts all offer a good way of getting customers to log in from different devices. With the correct analytics setup, this login information can be used (without infringing the users’ privacy) to link together different interactions they make across multiple devices.

3. Make the most of your email list

Even without having a login before purchase, customers clicking through links in a marketing email can allow the same stitching together of sessions. This means that if a customer visits a link from their mobile device, and on another week from their home laptop, these two devices can be linked as belonging to the same email – and therefore the same person.

Luxury online retail involves a complex journey. Littledata is here to make your tracking and reporting both easy and accurate. Sign up today to get started with our complete analytics suite, and feel free to reach out to our Google Analytics consultants with questions about best practices for luxury ecommerce. Your success is our success!

2018-03-26

GDPR compliance for ecommerce businesses

Ecommerce companies typically store lots of personally identifiable information (PII), so how can you make compliance easier without compromising analysis?

With the deadline for GDPR compliance looming, I wanted to expand on my previous article on GDPR and Google Analytics to focus on ecommerce.

Firstly, who does this apply to? GDPR is European Union legislation that applies to any company trading in Europe: so if you sell online and deliver to European Union member countries, the regulations apply to you. It's essential that you understand how your online business is collecting and storing PII.

Splitting PII from anonymous data points

Your goal should be to maintain two separate data stores: one that contains customer details, from where you can look up what a specific customer bought, and one that contains anonymous data points, from where you can see performance and trends.

The data store for the customer details will typically be your ecommerce back-end and/or CRM (see below). This will include name, email, address, purchase history, etc. It will link those with a customer number and order numbers. If a customer wants to exercise the right of access, all the relevant details should be in this store.

We use Google Analytics as the anonymous data store (although you may have a different ecommerce analytics platform). There you can store data which only refers to the customer record. These are called pseudo-anonymous data points under GDPR: they are only identifiable to a customer if you can link the customer number or order number back to your ecommerce back-end.

Pseudo-anonymous data points you can safely send to Google Analytics include:

- Order number / transaction ID
- Order value / transaction amount
- Tax & shipping
- Product names and quantities
- Customer number
- Hashed email address (possibly a more flexible way to link back to the customer record)

If a customer exercises their right to removal, removing them from the ecommerce back-end will be sufficient. You do not also have to remove them from your Google Analytics, since the order number and customer number now have nothing to refer to. You do still need due process to ensure access to Google Analytics is limited, as in extreme circumstances a combination of dimensions such as products, country / city and browser, could identify the customer.

Isn’t it simpler to just have one store?

Every extra data store you maintain increases the risk of data breaches and complexity of compliance – so why not just analyse a single customer data store? I can think of three reasons not to do so:

- Marketing agencies (and other third parties) need access to the ecommerce conversion data, but not the underlying customer data
- Removing a customer’s order history on request would impact your historic revenue and purchase volumes – not desirable
- Your CRM / ecommerce platform is not built for large scale analysis: it may lack the tools, speed and integrations needed to get meaningful insights

Beware of accidental transfers

There are a few danger areas where you may inadvertently be sending PII data to Google Analytics:

- Customer emails captured in a signup event
- A customised product name – e.g. ‘engraving for Edward Upton’
- Address or name captured in a custom dimension

Our PII audit check is a quick, free way to make sure that’s not happening.

Multiple stores of customer details

GDPR compliance becomes difficult when your customer record is fragmented across multiple data stores. For example, you may have product and order information in your ecommerce database, with further customer contact details in a CRM.

The simplest advice is to set up automatic two-way integrations between the data stores, so updating the CRM updates the ecommerce platform and vice versa. Removing customer records from one system should remove them from the other. If that’s not possible, then you need clear processes to update both systems when customer details change, so you can comply with the right to rectification.

Conclusion

GDPR compliance need not require changing analytics tools or databases, just a clear process for separating out personally identifiable information – and training for the staff involved in handling that data.

I hope this brief overview has been helpful. For further advice on how your ecommerce systems comply, please contact us for a free consultation. Littledata has experience with every major analytics platform and a wide range of custom setups. However, as a number of global companies are concurrently prepping for compliance, we highly recommend that you get in touch sooner rather than later!

2018-02-13

The 5 worst arguments for boosting Bitcoin

I’m exasperated reading dodgy logic justifying the heady ascent of Bitcoin. What are the worst 5 arguments I’ve heard?

Full disclosure: I don’t own any Bitcoin, or have any bets on its rise or otherwise.

1. Bitcoin is an insurance against the collapse of capitalism

The booster: The rise of artificial intelligence and mass joblessness will sweep away much of the old order of nation states and their currencies. Bitcoin is independent of government and will survive the coming storm.

A grain of truth: I believe big change in the relative value of labour and capital, and how they contribute to the tax base, is coming faster than politicians expect. And the reactionary backlash in affected countries, such as those voting for Donald Trump, won’t stop this trend.

The sceptic: Bitcoin relies on a chain of other technologies which may well get disrupted with the collapse of capitalism: cheap power supply, a global internet and secure online vaults to hold the private keys and transact the Bitcoin. If you’re betting on the end of the world as we know it, hunting and farming skills are going to be more useful!

2. Bitcoin’s limited supply makes it deflationary by default

The booster: Unlike fiat money (e.g. the US dollar) which can be printed at will by central banks, the total number of Bitcoin is mathematically limited to 21 million. That means, as other currencies inflate, Bitcoin will hold its value – i.e. it’s digital gold.

A grain of truth: As developed countries around the world are forced to borrow themselves out of the hole of shrinking tax bases and increasing healthcare costs, they may try to inflate their currencies to erode the debt.

The sceptic: Central banks have a positive inflation target for a reason: in a deflationary currency, no-one wants to spend the currency and so there’s no circulation of wealth. If one Bitcoin could have bought me a coffee in 2016, but at the time of writing could have bought a car, why would I ever spend it? And if no one spends the currency then it has no tangible value.

3. Bitcoin is the leader of the blockchain revolution

The booster: Blockchain is one of the few game-changing technologies to be invented in the last two decades. It will revolutionise the world of finance, and you need to own Bitcoin to be part of that.

A grain of truth: The blockchain ledger, keeping a public record of all transactions, and reducing the possibility for fraud or interception, will certainly change many aspects of finance. There are many projects underway in financial trading and government.

The sceptic: Just because Bitcoin was the first use-case of the technology, does not make it essential to newer blockchains. Equally, its first-mover advantage may not even make it the winning cryptocurrency. That said, I wouldn’t go out buying a basket of other cryptocurrencies just yet – they are all overinflated by Bitcoin’s rise.

4. The increasing mining cost of Bitcoin underpins its value

The booster: New bitcoin gets exponentially harder to mine, so since the cost of electricity for the miner’s servers won’t fall, the cost per bitcoin mined is rising all the time. And if you can’t mine them, you’ll have to buy them.

The sceptic: Yes.. but what if no one needs Bitcoins at all? Mining gold is subject to the same economic forces, but if gold goes out of fashion as a value store (as it did at the turn of the Millennium) it still has industrial value for conducting electricity and aesthetic value for jewellery. Bitcoin has neither of those.

5. The rise of bitcoin in 2017 shows it has won out as the cryptocurrency of choice

The argument: Bitcoin is now the established alternative store of value, which is why it has risen so fast in 2017. And what if all the pension funds and institutional investors now buy up a slice to ensure an allocation of this new asset class?

A grain of truth: There’s no rational way to value Bitcoin: it does not pay dividends or have intrinsic worth (see point 4). So it could be worth anything .. or nothing.

The sceptic: Every decade a new mania comes along for investors to follow. The vast chatter on LinkedIn, Facebook and other forums only heightens the mania by allowing unchecked falsehoods to flourish. You only have to look at the South Sea Bubble and Tulip mania to see there is nothing new under the sun. Enjoy the roller-coaster ride up .. because everything that goes up, must come down.

2017-12-19

Retailers traded 2.4 times normal volumes during Black Friday week 2017

The results are in, and this year's Black Friday sales prove that things are continuing to look up for ecommerce. Across 570 online stores, the average store did 2.4 times their normal sales in Black Friday week 2017, compared with only 2.2 times in 2016 – and a greater proportion of stores participated in the sales.

Following our post on pre-Black Friday trends, Littledata looked again at what happened from Thanksgiving Thursday 2017 through to the following Wednesday (the week including Black Friday and Cyber Monday) – versus a control period of November & December in 2016.

Compared with 2016, we found a bigger number of stores participating in Black Friday sales this year: 53% of stores were trading more than 1.5 times their normal volumes, compared with only 49% in the equivalent week in 2016.

For those stores which promoted heavily in 2016, the median boost was 2.5 times normal. And those in the bottom quartile of sales in 2016 still traded 108% of their normal volumes.

How did Black Friday promotions work for your store? Use our industry benchmarks to find out how your online store is performing against the competition.

2017-11-30

Black Friday discounting increases next season’s purchasing

I knew Black Friday had reached ‘late adopter’ stage this week when a company I’d bought fencing panels from - fencing panels – emailed me their holiday season promotions. But the real question is whether all these promotions serve to drive customer loyalty or just attract bargain hunters?

At Littledata we looked at aggregate data from 143 retailers who participated most in 2016 Black Friday, versus 143 retailers who did not. For the first 23 days of November 2017 – before Black Friday – the median year-on-year increase in sales was 13% for those pushing discounts the previous year, versus only 1% growth for those avoiding Black Friday discounting *.

Our conclusion is that retailers who discounted most heavily on Black Friday 2016 saw a lasting benefit in extra sales a year after the sales period. However, we don’t know whether these extra sales were profitable enough to pay for the seasonal promotions. Another possible explanation is that higher-growth retailers are more active in marketing Black Friday, but in either event the discount season has done them no harm over the following year.

In a follow-up post next week we’ll compare the peak discount trading – and see if on average these same stores increased their participation this year or reined it back.

Looking at 2016, it seems Black Friday was bigger than the year before for our cohort of 270 UK retailers – but at the expense of sales later in the season. Yet in the UK we are not close to US-levels of hysteria yet, where a much greater proportion of the last quarter’s sales are done on that weekend.

The other interesting question is what sectors does Black Friday affect? Reflecting back on my 2016 post, it may be a surprise that the biggest boost of over 100% average increase in sales comes for Health & Beauty stores; whereas technology and computer stores on average saw a boost of 40% for the week. (The graph shows the difference with the average sales volumes in November & December, by sector, for 3 selected weeks.) And perhaps I shouldn’t have been surprised by those fencing panels: business and industrial sites saw a big boost too!

Interested in tracking online sales activity for your own site this holiday shopping season? Littledata's ecommerce analytics software provides accurate data and automated reporting to help you track promotions and drive conversions and customer loyalty.

* The statistical detail

I took a group of 573 retailers we have tracked for at least 2 years, and looked at the ratio of Black Friday weekend sales (Friday, Saturday, Sunday, Monday) to the 2 month average for November and December. Those in the top quartile (trading 2.6 times above average during the Black Friday season) were deemed to have participated; those in the bottom quartile, showing a dip in trading over that weekend were deemed not to have participated. I then looked at the year-on-year growth in revenue between November 2016 (first 23 days) and the same period in November 2017, for the discount versus non-discount group. A t-test between the groups found an 18% probability that the two groups had the same mean, not allowing us to dismiss the null hypothesis.

2017-11-24

6 essential benchmarks for Shopify stores

Understanding how your website performs versus similar sites is the best way to prioritise what to improve. In this post we take a look at 6 top benchmarks for optimising Shopify store performance.

Accurate benchmark data is especially useful to the increasing number of ecommerce companies using web performance benchmarks, such as bounce rates and home page reliance, as core elements of their sales and marketing KPIs. Understanding benchmarks is a key to success.

To put together this new benchmarking report, we analysed current data from 470 Shopify retailers. If you're wondering how you compare, check out our Shopify analytics app.

Average order value

Average order value (AOV) or Average revenue per paying user (ARPU) is the total monthly revenue divided by the number of users which transacted that month. It is a measure of how well you are up-selling and cross-selling your products, depending on your product mix.

What is a good average order value for Shopify stores? The benchmark is $69. The average is slightly lower ($63.50) if you are a smaller Shopify store. More than $120 AOV would put you in the top quartile, and one of our top-performing stores in the luxury ecommerce sector is averaging $2,080 per order!

If your Shopify store has a lower AOV than the benchmark, you might try increasing your average checkout value by cross-selling other products, offering free shipping above a minimum threshold or increasing pricing on selected products.

Ecommerce conversion rate

Ecommerce conversion is the number of purchases divided by the total number of sessions. Most visitors will take more than one session to decide to purchase, but this is the standard measure of conversion rate. It is a measure of how good a fit your traffic is for your products, and how well your site converts this traffic into customers.

What is a good ecommerce conversion rate for Shopify stores? The benchmark is 1.75%. Larger stores have pushed this to 1.85%, and if you are more than 2.8% you are in the top quartile. The highest conversion rate we’ve seen on Shopify is 8%.

Can you increase the conversion rate with more attractive product displays, or improving the checkout process? Enhanced ecommerce tracking will help you identify exactly where the blockers lie.

Bounce rate from mobile search

Since more than 60% of Google searches are now done on mobile, ensuring your site design works on a small screen is important for branding and sales. Bounce rate is the percent of visits of only one page – and will be high if your landing pages do not engage. Google will even adjust your mobile ranking for a given keyword depending on what proportion of visitors stick on your page - a good indication that your link was useful.

What is a good bounce rate from mobile search for Shopify stores? The benchmark is 47.5%. The biggest Shopify stores have got this below 40%, and overall large retailers have 38% mobile bounce rate. So it’s not a problem with the Shopify platform, so much as a problem with the store theme – or how the options and products are displayed on a smaller screen.

Can you improve the first impressions of the landing pages, put key content higher up the page, or reduce the page load time to reduce that bounce rate?

Delay before page content appears

This is the delay between a page request by the user and them being able to read or click on that page. This is more important than full page load speed for AJAX / lazy loading sites (also called the ‘DOM Interactive Time’).

What is a good delay time before page content appears? The benchmark for Shopify stores is 2.75 seconds. Even larger retailers have this down to 2.8 seconds, so Shopify sites do well on this score. Anything less than 3 seconds is generally acceptable.

Internet users are increasingly intolerant of slow sites. Your developers could look at Google PageSpeed Insights for more details. Often the delay will be down to extra scripts which could be delayed or removed.

Server response time

This is the part of the page load speed which is entirely outside of your control – and due to the speed of the servers your site runs on.

What is a good server response time for Shopify stores? The benchmark is 322ms. The average for larger ecommerce is 542ms – so Shopify’s server infrastructure is serving you well here.

Reliance on the homepage

This is the percent of visitors who land on your homepage. If this is below 40% you rely heavily on your homepage to capture brand or paid search traffic. Google increasingly rewards sites with a greater volume of landing pages targeting more specific keyword phrases.

What is a good reliance on homepage percentage for Shopify stores? The benchmark is 32%. Larger Shopify stores, with many more landing pages, have reduced this to 7.3% of traffic landing on the homepage on average. Can you build out product landing pages and inbound links to copy their advantage?

Ready to benchmark your own website, stop playing guessing games and start scaling your ecommerce business? Our Shopify reporting app is the easiest way to get accurate benchmarking. Install Littledata today and you'll get instant access to up to 20 relevant industry benchmarks for ecommerce sites, plus the tools you need to fix your analytics for accurate tracking, so you'll always know for sure where your website stands.

It's all about smart data that helps you focus on making changes that drive revenue and increase conversions. We're here to help you grow!

2017-11-14

Is Google Analytics compliant with GDPR?

From May 2018 the new General Data Protection Regulation (GDPR) will come into force in the European Union, causing all marketers and data engineers to re-consider how they store, transmit and manage data – including Google Analytics.

If your company uses Google Analytics, and you have customers in Europe, then this guide will help you check compliance.

The rights enshrined by GDPR relate to any data your company holds which is personally identifiable: that is, can be tied back to a customer who contacts you. The simplest form of compliance, and what Google requires in the GA Terms of Use, is that you do not store any personally identifiable information.

Imagine a customer calls your company and using the right of access asks what web analytics you hold on them. If it is impossible for anyone at your company (or from your agencies) to identify that customer in GA, then the other rights, of rectification and of erasure, cannot apply. Since it is not possible to selectively delete data in GA (without deleting the entire web property history) this is also the only practical way to comply.

The tasks needed to comply depend on what you mean by ‘impossible to identify’!

Basic Compliance

Any customer data sent ‘in the clear’ to GA is a clear breach of Google's terms, and can result in Google deleting all your analytics for that period. This would include:

- User names sent in page URLs
- Phone numbers captured during form completion events
- Email addresses used as customer identifiers in custom dimensions

If you’re not sure, our analytics audit tool includes a check for all these types of personally identifiable information.

You need to filter out the names and emails on the affected pages, in the browser; applying a filter within GA itself is not sufficient.

But I prefer a belt-and-braces approach to compliance, so you should also look at who has access to the Google Analytics account, and ensure that all those with access are aware of the need not to capture personal data and GDPR more generally.

You should check your company actually owns the Google Analytics account (not an agency), and if not transfer it back. At the web property level, you should check only a limited number of admins have permission to add and remove users, and that all the users only have permission to the websites they are directly involved in.

Or you could talk to us about integrations with your internal systems to automatically add and remove users to GA based on roles in the company.

Full Compliance

Other areas which could possibly be personally identifiable and you may need to discuss are:

- IP addresses
- Postcodes/ZIP codes
- Long URLs with lots of user-specific attributes

The customer’s IP address is not stored by Google in a database, or accessible to any client company, but it could potentially be accessed by a Google employee. If you’re concerned there is a plug-in to anonymise the last part of the IP address, which still allows Google to detect the user’s rough location.

ZIP codes are unlikely to be linked to a user, but in the UK some postcodes could be linked to an individual household – and to a person, in combination with the web pages they visited. As with IPs, the best solution is to only send the first few digits (the ‘outcode’) to GA, which still allows segmenting by location.

Long URLs are problematic in reporting (since GA does not allow more than 50,000 different URL variants in a report) but also because, as with postcodes, a combination of lots of marginally personal information could lead to a person. For example, if the URL was

mysite.com/form?gender=female&birthdate=31-12-1980&companyName=Facebook&homeCity=Winchester

this could allow anyone viewing those page paths in GA to identify the person. The solution is to replace long URLs with a shortened version like

mysite.com/form

And for bonus points...

All European websites are required to get visitors to opt in to a cookie policy, which covers the use of the GA tracker cookie. But does your site log whether that cookie policy was accepted, by using a custom event? Doing so would protect you from a web-savvy user in the future who wanted to know what information has been stored against the client ID used in his Google cookie. I feel this client ID is outside the scope of GDPR, but guaranteeing that the user on GA can be linked to opt-in consent of the cookie will help protect against any future data litigation.

The final area of contention is hashing emails. This is the process used to convert a plain email like ‘me@gmail.com’ into a unique string like ‘uDpWb89gxRkWmZLgD’. The theory is that hashing is a one-way process, so I can’t regenerate the original personal email from the hash, rendering it not personal.

The problem is that some common hashing algorithms can be cracked, so actually the original email can be deduced from a seemingly-random string. The result is that under GDPR, such email hashes are considered 'pseudonymized' - the resulting data can be more widely shared for analysis, but still needs to be handled with care.

For extra security, you could add a ‘salt’ to the hashing, but this might negate the whole reason why you want to store a user email in the first place – to link together different actions or campaigns from the same user, without actually naming the user.

There are ways around this that strike a compromise. Contact Littledata for a free initial consultation or a GDPR compliance audit.
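
The browser-side filtering this post calls for, and that the Shopify GDPR post above describes (‘/url?email=REMOVED’, sending only the postcode outcode, shortening long URLs), shown as an added example that is not Littledata's tracking script. The function names, the list of dropped parameters and the UK-only postcode pattern are assumptions made for illustration.

```javascript
// Added example (not Littledata's script): scrub a page URL and title in the
// browser before they are handed to the analytics tracker.

// Email addresses anywhere in a decoded value.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// UK postcode: outcode ("SO23"), optional space, incode ("9AB"). Assumption:
// only UK-format postcodes are handled; the outcode is kept, the incode dropped.
const UK_POSTCODE_RE = /\b([A-Z]{1,2}\d[A-Z\d]?)\s*\d[A-Z]{2}\b/gi;

// Hypothetical list of query parameters dropped outright because their values
// are personal whatever they contain (the names in the post's example URL,
// plus two common ones).
const DROP_PARAMS = new Set([
  'gender', 'birthdate', 'companyname', 'homecity', 'name', 'phone',
]);

// Replace emails with REMOVED and truncate postcodes to their outcode.
function scrubValue(value) {
  return value
    .replace(EMAIL_RE, 'REMOVED')
    .replace(UK_POSTCODE_RE, (match, outcode) => outcode.toUpperCase());
}

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

// Returns the path + query to report, with personal data removed.
// The fragment is dropped: reporting does not need it and it can carry PII.
function scrubPagePath(rawUrl, base = 'https://placeholder.invalid') {
  const url = new URL(rawUrl, base);

  // Path segments are only re-encoded when something was actually scrubbed.
  const path = url.pathname
    .split('/')
    .map((segment) => {
      const decoded = safeDecode(segment);
      const scrubbed = scrubValue(decoded);
      return scrubbed === decoded ? segment : encodeURIComponent(scrubbed);
    })
    .join('/');

  // searchParams yields decoded values, so "%40" or "+" cannot hide an email
  // or a postcode from the patterns above.
  const kept = [];
  for (const [key, value] of url.searchParams) {
    if (DROP_PARAMS.has(key.toLowerCase())) continue;
    kept.push(`${encodeURIComponent(key)}=${encodeURIComponent(scrubValue(value))}`);
  }
  return kept.length ? `${path}?${kept.join('&')}` : path;
}

// In a page: scrubPageview(window.location.href, document.title), then pass
// the result to the tracker instead of the raw location and title.
function scrubPageview(href, title) {
  return { page: scrubPagePath(href), title: scrubValue(title) };
}

// Constructed sample URLs; the first and the last are the ones quoted in the posts.
const SAMPLE_URLS = [
  '/url?email=myname@gmail.com',
  '/url?email=myname%40gmail.com',
  '/delivery?postcode=SO23+9AB&page=2',
  '/account/jane.doe%40example.com/orders',
  'https://mysite.com/form?gender=female&birthdate=31-12-1980&companyName=Facebook&homeCity=Winchester',
];

function runSamples() {
  return SAMPLE_URLS.map((sample) => scrubPagePath(sample));
}
```

Because the scrubbing happens before the hit is built, the personal values never reach Google's servers, which a filter applied inside GA cannot guarantee.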
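
One compromise of the kind mentioned above for hashed emails (and for the hashed email identifier listed in the ecommerce GDPR post): a keyed hash, HMAC-SHA256, computed on the server with one secret key. This is an added example for Node.js, not Littledata's implementation; the function names and the key handling are assumptions.

```javascript
// Added example (not Littledata's implementation): three ways to turn an email
// into an identifier, and what each does to linkability and guessability.
const crypto = require('crypto');

// Same person, same string: trim and lower-case before hashing.
function normaliseEmail(email) {
  return email.trim().toLowerCase();
}

// 1. Plain hash. Stable, so actions link up, but anyone holding a list of
//    candidate emails can recompute the same values and match them.
function plainHash(email) {
  return crypto.createHash('sha256').update(normaliseEmail(email)).digest('hex');
}

// 2. Fresh random salt per record. Defeats precomputed tables, but the same
//    person gets a different ID every time, so actions no longer link up.
function randomSaltHash(email) {
  const salt = crypto.randomBytes(16);
  const digest = crypto.createHash('sha256')
    .update(salt)
    .update(normaliseEmail(email))
    .digest('hex');
  return `${salt.toString('hex')}:${digest}`;
}

// 3. Keyed hash (HMAC) with one secret key that never leaves the server.
//    Stable for linking; without the key a candidate list cannot be matched.
function pseudonymiseEmail(email, secretKey) {
  if (!Buffer.isBuffer(secretKey) || secretKey.length < 32) {
    throw new TypeError('secretKey must be a Buffer of at least 32 random bytes');
  }
  return crypto.createHmac('sha256', secretKey)
    .update(normaliseEmail(email))
    .digest('hex');
}

// Risk check: can an ID be matched back to an email by someone who holds a
// list of candidate addresses and the given hashing function?
function matchFromCandidates(id, candidates, hashFn) {
  const hit = candidates.find((candidate) => hashFn(candidate) === id);
  return hit === undefined ? null : hit;
}

// Constructed demo data: throwaway keys and made-up addresses.
function demo() {
  const key = crypto.randomBytes(32);         // in practice loaded from a secret store
  const outsiderKey = crypto.randomBytes(32); // someone without the real key
  const candidates = ['alice@example.com', 'me@gmail.com', 'bob@example.org'];
  const keyedId = pseudonymiseEmail('me@gmail.com', key);
  return {
    // Same ID whichever device or spelling the email arrives with.
    linksAcrossDevices: pseudonymiseEmail(' Me@Gmail.com ', key) === keyedId,
    // Plain hash: matched straight from the candidate list.
    plainHashMatched: matchFromCandidates(plainHash('me@gmail.com'), candidates, plainHash),
    // Keyed hash: no match without the key.
    keyedHashMatched: matchFromCandidates(
      keyedId, candidates, (c) => pseudonymiseEmail(c, outsiderKey)),
    // Random salt: two IDs for one person.
    saltedIdsDiffer: randomSaltHash('me@gmail.com') !== randomSaltHash('me@gmail.com'),
  };
}
```

Compute the ID on the server and send only the result to analytics. The output is still pseudonymised data in the sense described above, since anyone holding the key can re-link it.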

2017-10-19
