We take a look at what makes personalization GDPR compliant and, more specifically, at the two legal bases most often relied on for it: consent and legitimate interest.
Europe’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) went into effect on May 25, 2018, but recent research by Demandbase showed that 23% of marketers surveyed were not even aware of the law. At Unless, we’ve worked hard to help our customers understand the implications of the regulation and have written extensively on the subject. In this post, we’ll summarize our findings and point you to some valuable resources. Before we get on with the details, please note that this is by no means legal advice.
In GDPR-speak, you, or your company, as the website owner are a “controller.” Plugins or tools are called “processors.” Common processors are, for example, Google Analytics, Mixpanel, Intercom, or any other third-party plugin or service that collects data on your behalf - including Unless.
As we explain in this video, personalization can be interpreted as a “profiling” activity under GDPR law. Article 4(4) defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Consequently, personalization needs a legal basis.
In total, the GDPR gives six possible legal grounds for processing personal data (Article 6(1)). The two most commonly used for personalization are “consent” and “legitimate interest.” To understand these we spoke with Ilham Ouajnan, Privacy Expert CIPP/E at PwC. Let’s start with consent.
According to Ouajnan, websites generally need a user’s (i.e. data subject’s) consent to place third-party cookies (such as personalization, profiling, and tracking cookies) on their device. She illustrates: “If you buy a book from a website like Amazon.com and you create an account, they don’t need your consent to gather the data needed to complete your order. They are also allowed to send you generic, direct marketing messages about books. However, if they want to personalize their offer by placing a tracking cookie on your device, they will need your consent up-front (regardless of whether you have a contract with them or not).”
To summarize, if you choose consent, bear in mind that it is only a valid lawful basis if the end user has a genuine, free choice: consent must be given through a clear affirmative action (a pre-ticked box or “by continuing you accept” notice does not count), the user must be able to refuse without losing access to the service, and withdrawing consent must be as easy as giving it (Article 7(3)). Once consent is withdrawn, the processing that relied on it has to stop.
What about legitimate interest? In Ouajnan’s view, legitimate interest is highly dependent on context. She offered an example of when it could count as a legal basis for data processing: “If I order my meds from an online pharmacy and they know I will run out of them in 3 months, they can send me a marketing message right before the 3 months are over, reminding me to renew my subscription. In this case, legitimate interest counts as a legal basis for processing my data to create this personalized message. However, if I go to the supermarket to buy milk and I have a loyalty card that stores my purchasing history, the supermarket chain would not be able to use the same basis [legitimate interest] to send me marketing messages reminding me to purchase more milk.”
I’m afraid there is no one right answer here. Companies should determine which lawful basis is appropriate on a case-by-case basis. For each data processing activity you undertake, it might be different. We recommend that you contact a lawyer if you have specific questions about your legal basis of processing.
As the data “controller,” you have the legal responsibility to make sure that your visitors can explicitly agree to your data processing before it happens. A common way to do this is a cookie notice, but a notice alone is not enough: tracking and personalization scripts must not set cookies until the visitor has actually accepted, the notice needs a “refuse” option that is as easy to use as “accept,” and the visitor needs a way to withdraw later. You can use tools like Cookie Consent or Cookie Choices to implement this for several cookie scripts. We offer advice to our customers when it comes to this. Additionally, in the future we may offer some solutions for this.
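To make the gating concrete, here is an added example of a minimal first-party consent gate; it is not code from the original post, from Unless, or from the Cookie Consent or Cookie Choices tools. It assumes a hypothetical first-party cookie named `site_consent` that records a per-category choice, and that third-party scripts are written into the page as `<script type="text/plain" data-consent="analytics" src="…">` so the browser does not execute them until the gate re-creates them. The category names and the third-party cookie names purged on withdrawal (`_ga`, `_gid`, `_uless`) are assumptions for illustration only.

```javascript
// Added example: consent-gated loading of third-party scripts.
// Hypothetical cookie name, categories and third-party cookie names.

const CONSENT_COOKIE = 'site_consent';
const CATEGORIES = ['analytics', 'personalization'];
const CONSENT_VERSION = 1; // bump when the notice text or purposes change, so old consent is re-asked

// Parse "site_consent=v:1|analytics:1|personalization:0" out of a
// document.cookie-style string. Anything missing, malformed or from an
// older notice version is treated as "no consent" (default deny).
function parseConsent(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    let value;
    try { value = decodeURIComponent(rest.join('=')); } catch (e) { return null; }
    const record = { version: 0, choices: {} };
    for (const field of value.split('|')) {
      const [k, v] = field.split(':');
      if (k === 'v') record.version = Number(v);
      else if (CATEGORIES.includes(k)) record.choices[k] = v === '1';
    }
    return record.version === CONSENT_VERSION ? record : null;
  }
  return null;
}

// Build the Set-Cookie string for a set of choices. Not HttpOnly, because the
// gate below reads it from script; SameSite=Lax and Secure keep it first-party.
function serializeConsent(choices) {
  const fields = ['v:' + CONSENT_VERSION];
  for (const c of CATEGORIES) fields.push(c + ':' + (choices[c] === true ? '1' : '0'));
  return CONSENT_COOKIE + '=' + encodeURIComponent(fields.join('|')) +
    '; Path=/; Max-Age=' + 180 * 24 * 3600 + '; SameSite=Lax; Secure';
}

// A script of a given category may load only with an explicit, current "yes".
function mayLoad(category, record) {
  return Boolean(record && record.choices[category] === true);
}

// Withdrawal: flip every category off and return expiring cookie strings for
// the third-party cookies we know each category sets (names assumed).
const KNOWN_COOKIES = { analytics: ['_ga', '_gid'], personalization: ['_uless'] };
function withdraw() {
  const off = {};
  for (const c of CATEGORIES) off[c] = false;
  const purge = [];
  for (const c of CATEGORIES) {
    for (const n of KNOWN_COOKIES[c]) purge.push(n + '=; Path=/; Max-Age=0');
  }
  return { cookie: serializeConsent(off), purge };
}

// Browser glue: replace each gated text/plain script that has consent with a
// real script element, which the browser then fetches and executes.
function activateGatedScripts(doc, record) {
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(tag.dataset.consent, record)) continue;
    const live = doc.createElement('script');
    const src = tag.getAttribute('src');
    if (src) live.src = src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}

if (typeof document !== 'undefined') {
  // On page load: activate only what the stored record allows.
  activateGatedScripts(document, parseConsent(document.cookie));
  // Wire withdraw() to a "withdraw consent" control: write w.cookie and each
  // entry of w.purge to document.cookie, then reload so nothing gated runs.
}
```

The important property is the default: with no cookie, a malformed cookie, or a record from an older notice version, `mayLoad` returns false for every category, so the third-party scripts stay inert until the visitor makes a choice. Purging known third-party cookies on withdrawal is best effort; cookies set on a third-party domain cannot be deleted from your page at all, which is another reason not to load those scripts before consent.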
A data subject whose data you collect or process has the right to access the data you store (Article 15), including data held on your behalf by your “processors” or third-party software vendors. Under the right to data portability (Article 20), data the subject provided to you must be handed over in a structured, commonly used and machine-readable format.
Your customers also have the right to erasure, often called the right to be forgotten (Article 17). This means they can ask you as the “controller” to delete their data, and you in turn have to make sure the “processors” you work with delete it too.
If you feel like you could brush up your GDPR knowledge, we recommend that you check out: