CX Insights

GDPR II: What can you Still do With Customer Feedback?

GDPR II: What Can You Still Do with User Feedback?Photo Credit for featured image: Convert GDPR.
4 min read

As May 25th is approaching, you might want to know how the new law affects collecting and processing user feedback. The good news is: you can continue to gather valuable insights while being GDPR-compliant.

Want to know more about the regulation? Read our previous GDPR article that outlines the most important pointers and how to deal with them.

The Essentials: Keep Collecting Feedback While Being GDPR-Compliant

Collecting customer insights might feel like walking a tightrope under GDPR strict personal data rules, but simply asking for someone’s opinion or feedback is not an infringement on their privacy. However, the way you gather and store customer insights will determine how privacy-sensitive the information is.

Examples of survey questions that you can use safely:

  1.   NPS Score

GDPR II: What Can You Still Do with User Feedback?

  1.    Check out Survey

GDPR II: What Can You Still Do with User Feedback?

The first step is to avoid asking for unnecessary personal information. Ask yourself: “what do I really need to know?” For instance, stay away from e-mail addresses, usernames or zip codes if you don’t need them in the process of handling feedback.

The second step is to consider eliminating technical metadata like IP address and location. Here’s the reassurance: As Usabilla believes in privacy by design, we have disabled collecting IP addresses and location data by default.

Screenshots might contain privacy-sensitive data as well. Because they are essential in adding valuable information to a feedback item, we implement a mask feature to stay on the safe side when it comes to personal details.

If there are specific situations that you would rather not collect a screenshot, we offer a switch-off option on the feedback form.

The third step is about data retention. GDPR forces companies to (re)-think long-term data storage. The regulation states that personal data shall be kept for no longer than necessary. To help you manage the collected data, we have implemented a new feature which enables you to set the data retention period.

The Details: How to Deal With Privacy-Sensitive Information

GDPR II: What Can You Still Do with User Feedback?

As discussed in “The Essentials,” when collecting feedback, you might have to deal with three critical categories that are privacy-sensitive. We list them below together with advice on how to proceed.

On a general note, it is recommendable to attach a privacy statement to feedback forms. You can avoid being obtrusive by using hover-over copy.

IP Addresses

With a good reason, you can collect IP addresses. Otherwise, it’s better to avoid doing so. For example, you might be confronted with the need to obtain IP addresses to distinguish your employees from actual customers. We advise using a custom form that targets specific IP addresses, behind the scenes. All items coming in via this form will get a recognizable label so that you don’t need to collect and store IP addresses proactively.


It’s not a problem to collect location-based information providing you have a valid reason. For example, you need to know user location to show them the right language to leave feedback. Our language-specific form is customized for all customers and using it means no need to collect and store location information.

However, there are still situations in which it is legitimate and compliant to store this type of data. When you’d like to have better insights, like digital KPIs, in a region of your customer base, storing user location is unavoidable. You won’t get a fine for doing so.

Email Addresses

The same principle applies: With a valid reason, you can continue to collect this information to close the loop of your customer feedback. An example is when you need to get back to someone about a specific issue or question. To be on the safe side, you can adjoin a short text explaining to customers why you ask for their email addresses. (Note that this often excludes (re-) marketing purposes).

Custom Variables

You can use custom variables for feedback items and campaigns. They help to enrich your collected insights and target the right audience. They are no default settings and require extra attention when it comes to privacy. So, when working with them, be aware of privacy-sensitive data like usernames, customer id or screen recordings that they might contain. You can continue using custom variables, as long as it is essential for the purpose you process them.

GDPR II: What Can You Still Do with User Feedback?

Key Takeaways

  •   Personal opinion is not personal data
  •   Data minimization: no unnecessary data storage
  •   Collect and store only if you can justify your action
  •   Keep users informed about what you do with their data
  •   Use our checklist to find out if you are collecting data GDPR proof


Should you have questions or concerns, we are always happy to help, and you can connect with us.

Read more about Usabilla’s commitment to the GDPR.

Usabilla: Request a demo

Photo Credit for featured image: Convert GDPR.

Usabilla blog
Sharing our insights and expertise on all things customer experience and data management.