Personalization, privacy and the European GDPR law

The impact of the strict EU privacy laws ("GDPR") on personalization - and "profiling" in particular.

Personalization, privacy and the GDPR laws

Video transcript

Hi, I am Sander, CEO at Unless.com.

Today I would like to discuss the legal aspects of privacy when you personalize your website, using Unless or any other personalization service. And take note, this is just a very short video, so this is by no means proper legal advice!

Personalization and privacy are not mutually exclusive. It really depends on how you execute it.

Let's discuss this topic with the European GDPR law in mind. Now that these new privacy laws have kicked in, you could say that the European privacy standards are the strictest on the globe.

The first question you should ask yourself is where your data sits. Make sure to pick a provider that stores your data in a country that abides by the EU laws - the easiest way to do that is to pick one that stores data inside the EU.

Personalization within the GDPR law requires a lawful basis for using "profiling". Under the GDPR law, profiling is more or less defined as any automated processing of personal data to analyse or predict things about that person, like health, preferences, interests, behaviour, location and so on. Typically the stuff you need for personalization.

So, what would be an appropriate lawful basis? You can do two things: ask for explicit consent or have a legitimate interest.

Consent is the easiest one to explain. You just use a consent popup or something, which you probably need to do anyway. Take note: up-front consent is required only if the personalization is not part of the normal procedure of your service. Example: creating an account before buying a book on Amazon does not require explicit consent for profiling. Without consent, they may send you messages about the order - but not about “other people liked these books as well”.

On to legitimate interest. If the interest of the customer is really high, this may trump the consent rule. For example, if I order my meds from an online pharmacy and they know I will run out of meds in 3 months, they can send me a marketing message right before the 3 months are over to tell me this. In this case, legitimate interest counts as a legal basis for processing my data to create this personalized message. However, if I go to the supermarket to buy milk and I have a loyalty card that stores my purchasing history, the supermarket chain would not be able to use the same basis to send me marketing messages reminding me to purchase more milk. Because milk is not essential to me.

To make things easier, many personalization service providers, like Unless, offer tools that can help you abide by all applicable laws. Also, there is an Unless article upcoming, about GDPR specifically.

So... Come to Unless.com and check it out!

Frequently asked questions