- Privacy in A/B testing is an architectural decision, not a policy document — how the tool is built determines its privacy footprint
- Three technical dimensions separate platforms: cookie architecture, data routing, and tracking layer design
- Varify.io's architecture is privacy-first by design: no cookies, client-side assignment, evaluation in your analytics — zero additional data collection
- Tools that retrofit privacy onto cookie-based architectures can't match the coverage and simplicity of natively cookie-free tools
Privacy policies are easy to write. Privacy-first architecture is hard to build. When evaluating A/B testing platforms for data privacy, the technical implementation matters far more than the marketing claims. Two tools can both claim "GDPR compliance" while having fundamentally different privacy footprints: one sets zero cookies and processes no personal data, the other sets multiple cookies and transfers data to US servers — both "compliant" under different legal interpretations.
This technical comparison examines the architectural differences that determine real-world privacy outcomes. Varify.io represents the privacy-first architecture: cookie-free, EU-hosted, no proprietary tracking. For the evaluation checklist, see our privacy evaluation guide.
Cookie architecture — the fundamental divider
Cookie-free (Varify.io)
Varify doesn't set any cookies. Variant assignment uses sessionStorage/localStorage — no cross-site tracking, no consent requirement, no CMP integration needed. The snippet loads immediately without waiting for consent, eliminating flicker risk and CMP latency.
First-party cookies (Convert, Kameleoon optional)
First-party cookies persist variant assignment across sessions on the same domain. Less invasive than third-party cookies, but still require consent under GDPR's ePrivacy directive. CMP must fire before the testing script loads, adding 100-500ms latency.
Multiple cookies (VWO, Optimizely)
These platforms set multiple cookies for visitor identification, session tracking, and experiment assignment. Full consent is mandatory. The testing script must wait for CMP approval, creating a 20-40% audience loss from declined/ignored consent.
| Architecture | Consent needed? | Audience coverage | CMP latency |
|---|---|---|---|
| Cookie-free (Varify) | No | 100% | 0ms |
| First-party (Convert) | Yes (reduced) | 70-85% | 100-300ms |
| Multi-cookie (VWO/Optimizely) | Yes (full) | 60-80% | 200-500ms |
Source: Claude Research, May 2026
Data routing — where does experiment data travel?
Integration-first: data stays in your stack
Varify sends experiment assignment events to your analytics tool (GA4, Matomo, BigQuery). The data never touches Varify's servers for storage. Your analytics tool is the only system that processes visitor data. Data routing: visitor → your analytics → Varify dashboard reads from your analytics.
Proprietary tracking: data goes through the vendor
VWO, Optimizely, and Kameleoon collect visitor data through their own tracking scripts. Data flows from the visitor's browser to the vendor's servers (often US-based), is processed, stored, and then made available in the vendor's dashboard. Data routing: visitor → vendor's servers → vendor's analytics → you.
The privacy difference is stark: with integration-first tools, visitor data never leaves your infrastructure. With proprietary tracking, every visitor interaction is sent to and processed by a third party.
Tracking layer design — single vs. dual source of truth
The tracking layer architecture determines both privacy footprint and data quality:
- No additional tracking (Varify): Varify handles experiment delivery only. All measurement happens in your existing analytics. Zero additional data collection = zero additional privacy risk. One source of truth for all data.
- Parallel tracking (VWO, Optimizely): These tools run their own analytics alongside yours. Two tracking scripts, two data pipelines, two sets of cookies. Double the privacy footprint, and the two systems inevitably produce different numbers for the same metrics.
From a DPO perspective, every additional tracking layer requires a separate entry in your processing register, a separate DPA, and a separate impact assessment. Reducing tracking layers directly reduces compliance workload.
Zero cookies. Zero additional tracking. Zero compliance risk.
Privacy by architecture, not by policy. From €149/mo.
Practical implications for your privacy setup
These technical differences translate to concrete operational impacts:
- Consent management: Cookie-free tools need zero CMP integration for A/B testing. Cookie-based tools require CMP coordination, conditional script loading, and ongoing maintenance when consent rules change.
- DPA complexity: Integration-first tools (Varify) need a simple DPA covering experiment delivery only. Proprietary-tracking tools need DPAs covering full visitor data processing, potentially including transatlantic transfers.
- Audit trail: When all experiment data lives in your analytics, audit trails are straightforward. When data is split between your analytics and a vendor's system, audits require coordinating with the vendor.
- Incident response: If a cookie-free tool has a security incident, no visitor personal data is at risk (because none was collected). If a cookie-based tool is breached, visitor profiles, session data, and behavioral patterns may be exposed.
For regulated industries, these differences aren't theoretical — they determine whether your testing program passes or fails compliance audits.