Visitor data can be incredibly valuable to a website but it needs to be captured without compromising the visitor experience and in a way that complies with the data protection regulations in your visitors’ countries of residence.


Your website has the potential to collect and store a lot of really valuable information about your visitors and their behaviours. This information can help you learn a lot about who they are and what they need from your site, ultimately enabling you to make improvements and better meet their needs. However, data collection should not come at the expense of the visitor’s experience, and you have a duty to remain transparent about what you’re collecting and keep it securely stored.

In this guide we’re going to cover three things:

  1. Capturing data.

  2. Managing, controlling and storing data.

  3. Visitor consent and notification.

Data capture might not be a particularly glamorous topic (even for me as someone who has made a career out of doing it), but it is incredibly important to understand the benefits of doing it and how to do it properly. Collecting the right information gives you a unique opportunity to improve your visitor experience, but data protection regulation and legislation is now tighter than ever. The European General Data Protection Regulation (GDPR), for example, officially came into force in May 2018 and has the power to levy massive fines for non-compliance and breaches (up to €20 million or 4% of your annual turnover - whichever is higher). We’ll discuss both the benefits of data collection, and your legal responsibilities surrounding it, in this guide.


In essence, there are two ways you might capture data from your visitors:

  1. Explicitly - data actively provided by the visitor with their full knowledge and input.

  2. Implicitly - data passively collected from the visitor without their knowledge or input.


Explicit data capture

The most common method of explicit data capture is through the use of forms that the visitor willingly completes. We’ve already covered the mechanics of how to build a good form (for a recap, take a look back at the guide on the shopping basket and checkout pages), but we’ve spoken less about what it is that you should actually capture.

It is tempting to capture absolutely every last bit of visitor data that you can, but you should really only ask for data that you absolutely need. This means the visitor doesn't waste time by sharing too much, but it also means that less data is held overall, reducing the risk of damage that could come from a data breach if one were to occur.

Visitors will largely be happy to provide you with most of the information you ask for - few will question why you might need their email address, for example. However, if you need bits of information that they might not be expecting to share with you, then you should give a clear reason why you’re asking for it and how it will be used. Examples of this type of information are phone number (do you really need this if you have a valid email address?), date of birth or gender.

Another example of an explicit data capture mechanism is the visitor feedback survey. These allow you to ask visitors questions about their experience of using your website, pages that they might have struggled with, or their reason for visiting. There are lots of great free survey tools available, which means that any website can now benefit from direct visitor feedback. The best known of these tools is SurveyMonkey, but your website builder might even have its own tool or plugin, so that’s also worth exploring if you’re keen to find out more.

Nowadays, visitors are absolutely bombarded with requests for their feedback, to the point that it can become tiresome and frustrating. As such, if you’re going to ask for feedback then it’s best to follow a few key guidelines:

  • Limit the number of questions you ask. Some surveys are much, much longer, but you can get a great deal of what you need from two or three focussed questions.

  • Keep your questions simple. As with every bit of content, keep the wording concise and free of jargon. If someone can’t understand the question then it’s unlikely that they are going to give a valuable answer.

  • Keep your questions relevant to the visitor’s experience. If, for example, they weren’t visiting to make a purchase then don’t ask them how they found the checkout page. Allow visitors to skip questions they don’t want to answer.

  • Think carefully about how you’re going to invite people to give feedback. If you’re using a pop-up for this purpose, make sure it triggers once the visitor has had a good chance to properly browse the site. If you are using a static link then ensure its position on the site will give you feedback that is representative of the average visitor’s visit.


Implicit data capture

Implicit data is data you capture without the visitor knowing they are giving it at that particular moment. The most common form of this is data captured and processed through analytical software such as Adobe Analytics or Google Analytics (the second of which is completely free). These types of analytical tools allow you to collect some incredibly valuable data such as:

  • Which of your pages are most commonly accessed.

  • Geographical and demographic information on your visitors.

  • How visitors are accessing your site - for example through Google, through other links on other sites or directly through their address bar.

  • What the exit rate is on each of your pages - indicating where you might have problems on your site.


Google Analytics has the added benefit of being extremely easy to install (search your provider’s help guides for how to do this). As it’s free, easy to install, easy to use and incredibly valuable, you should consider implementing it as soon as possible (if you haven’t already).


As mentioned earlier, you have a legal obligation to manage, control and store visitor data in the right way. The exact requirements for this will depend on where your visitors are visiting from (note I didn’t say ‘where your site is hosted’ or ‘where your business operates’). As already referenced, the most wide-sweeping regulation is the European GDPR. If you have any visitors from Europe (even a single one) then you need to abide by its guidelines or face the risk of large penalties and fines.

Many large companies have invested significant time and money understanding and complying with these new regulations. As I am by no means an expert (I can give just enough information to start you off), I recommend that you supplement this guide with your own research. Your provider’s help pages are a great place to start.

To give you a very brief overview: there are several key principles of GDPR to understand (many of which are common across other data protection regulations). If you are in the small minority of sites that don’t capture any data about your visitors (explicitly or implicitly), then you don’t need to worry about this until you start doing so.

  1. Lawfulness, fairness and transparency. The first of these words basically means that websites need to process data in a way that is, funnily enough, compliant with GDPR regulations. Fairness and transparency mean you have to tell your visitors what data you are collecting from them and also how it will be used.

  2. Purpose limitations. Only process the data you capture in the way you tell visitors you are going to process it. You are not allowed to collect data on visitors and use it for reasons you haven’t informed them about - for example, you can’t start sharing data with third parties unless you have previously expressly told your visitors you would do that.

  3. Data minimisation. Only collect the data you absolutely need for the purpose of whatever it is you’re doing. Everything you collect needs to have a purpose otherwise it shouldn’t be collected.

  4. Accuracy. Any data you collect about visitors must be kept accurate and up-to-date. If you realise it isn’t, you need to amend the data or destroy it.

  5. Storage limitations. You should only hold data for as long as you need it, and you must destroy it when you have finished processing it. You should proactively review the data you hold and look to delete old data. It is also best practice to tell visitors how long you intend to store their data.

  6. Integrity and confidentiality. You must keep any visitor data you hold secure and safe. There are lots of ways to do this including password protecting it, encrypting the devices it’s stored on and anonymising the data where possible. Failure to comply with this aspect of legislation is typically where the largest fines come from and where the greatest reputational damage can occur, so it’s incredibly important to ensure your compliance.

  7. Accountability and compliance. You need to show, if asked, how you go about doing all of the above. If you’re a larger organisation this means having written policies in place, training employees and ensuring everyone knows their role. You should take a proactive approach to compliance - neither ignorance nor lack of time is an excuse.


In the section above we covered areas of data protection regulation that you need to comply with. This is incredibly important, and you should definitely make sure you do so, but, strictly speaking, this regulation doesn’t impact on the visitor’s on-the-day experience of your site.

The exception to this is how you uphold your duty to inform the visitor of what data is being collected and why. Different websites handle this to different extents: from a simple notification at the bottom of the page, to a fuller modal window in the middle of the page allowing the visitor to manage their privacy preferences. However, the latter is likely excessive and unrealistic to implement for smaller sites (although do check with your website builder as they might have some inbuilt functionality for you to use). Instead, to find a balance between your legal obligations and the visitor experience I recommend:

  • Use a small, fixed footer or top header notification bar (rather than a modal window).

  • Inform the visitor that you are collecting data (explicitly or implicitly) or if you’re using cookies. It’s worth reading up more about the EU Cookie Law to ensure full compliance with this, but it essentially states that you must tell visitors if you are using them.

  • Link to your privacy policy. This is a page on your site which informs visitors what data you are collecting, why you’re collecting it, what it will be used for, and how and for how long it’ll be stored. To find more detail on how to write one of these, seek guidance from your website builder or search ‘writing a privacy policy’.

  • Give a clear way to close the notification - for example through a ‘Continue’ or ‘I agree’ button. This notification should then not show again for the visitor until they clear their cookies or changes to the privacy policy need to be communicated.
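The following is an added example, not code from the original guide or from any website builder: a minimal fixed footer notice that links to the privacy policy and, once the visitor presses ‘Continue’, records that acknowledgement in a cookie tagged with the current policy version. The notice stays hidden until the visitor clears their cookies or the policy version changes, which is exactly the re-show behaviour described above. The cookie name, the `POLICY_VERSION` value and the `/privacy` link are assumptions.

```javascript
// Added example (not from the original guide). Assumed names: COOKIE_NAME,
// POLICY_VERSION and the /privacy policy page.
const COOKIE_NAME = "privacy_notice_ack";  // assumed cookie name
const POLICY_VERSION = "2024-01";           // assumed; bump it whenever the policy text changes

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Show the notice unless the visitor has acknowledged the *current* policy
// version: a cleared cookie or a newer policy version both re-trigger it.
function shouldShowNotice(cookieString, currentVersion) {
  return parseCookies(cookieString)[COOKIE_NAME] !== currentVersion;
}

// One-year expiry by default; SameSite=Lax and Secure so the preference cookie
// is neither sent cross-site nor over plain HTTP.
function buildAckCookie(currentVersion, maxAgeSeconds = 365 * 24 * 60 * 60) {
  return `${COOKIE_NAME}=${encodeURIComponent(currentVersion)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring; skipped when the file runs outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  if (shouldShowNotice(document.cookie, POLICY_VERSION)) {
    const bar = document.createElement("div");
    bar.setAttribute("role", "region");
    bar.setAttribute("aria-label", "Privacy notice");
    bar.style.cssText = "position:fixed;bottom:0;left:0;right:0;padding:12px;background:#222;color:#fff;";
    // Static markup only: nothing visitor-controlled is written into innerHTML.
    bar.innerHTML = "We use cookies and collect usage data to improve this site. " +
      '<a href="/privacy" style="color:#fff">Read our privacy policy</a>. ' +
      '<button type="button">Continue</button>';
    bar.querySelector("button").addEventListener("click", () => {
      document.cookie = buildAckCookie(POLICY_VERSION);
      bar.remove();
    });
    document.body.appendChild(bar);
  }
}
```

Include the script at the end of the page body so `document.body` exists when it runs.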


  1. Ensure you fully understand the data protection regulations your website needs to adhere to.

  2. Consider implementing Google Analytics and leveraging short, simple and relevant website satisfaction surveys to learn more about your visitor.

  3. Never capture any visitor data you don’t need or are not intending to use.

  4. Be transparent with your visitors by informing them what data you are collecting on them and how it’ll be used.

  5. Don’t use visitor data for any purposes other than those you have expressly told your visitors about.

  6. Keep visitors’ data stored safely, securely and ensure it is kept up-to-date.

  7. Delete any visitor data you no longer need to process.

  8. The first time your visitor arrives on your site, use a small, fixed footer or header notification to communicate your privacy policy and usage of cookies.
