Profiling: what is it, and what is allowed/not allowed in accordance with the GDPR?

17 August 2021 / July 20th, 2022
Profiling and GDPR

Most organisations that utilise email marketing automation, use profiling to a degree, whether it is at a large-scale or not. After all: it is important to address your customer in a personalised and relevant manner. The more personalised the communication along the customer’s journey, the higher the ROI.

The new privacy legislation raised many questions. What does it still allow, and what is no longer permitted? We want to respect everyone’s right to privacy, but falling back on untargeted bulk emails is not the way forward.

Imagine you have a web shop that sells all manner of items, from books to shoes and makeup. You measure click and opening behaviour and offer more relevant content to the subscribers of your newsletters based on the results. Is this allowed? We will answer this question by first formulating the answer to the following questions:

1) What is GDPR’s definition of profiling?

2) When are you allowed to carry out profiling?

3) How do you manage the rights of those involved?

4) Conclusion: is the web shop permitted to continue offering personalised content?

5) Three extra examples

1. What is GDPR’s definition of profiling?

Profiling involves the processing of personal data. This is why you have to act in accordance with the GDPR (General Data Protection Regulation, also known in the Netherlands as ‘Algemene Verordening Gegevensbescherming’ or AVG). Profiling is the compilation of profiles for the purpose of categorising people, based on which predictions can be made on behaviour and interests. This may be done for direct marketing purposes (such as the provision of personalised advertisements, newsletters and offers), but also for generating automated decisions (such as in recruitment procedures or for credit applications).

According to GDPR, automated decision-making refers to: ‘Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. In this case, a decision is taken automatically on the basis of automated processing.’

2. When are you allowed to carry out profiling?

Based on the GDPR, processing of personal data, including profiling, is only permitted when a legal basis exists. Usually, personal data are not gathered for profiling alone; the data have been collected for a different purpose (cookies, processing web shop orders, or sending a newsletter, for example).

When determining the rationale for profiling, the GDPR distinguishes between profiling used to make automated decisions and profiling as a standalone activity.

When automated decisions are made on the basis of profiling that have legal consequences for those involved (such as approval/refusal of a sales contract or a loan), or that similarly significantly affect those involved (such as being offered higher prices, or a first-round recruitment process handled entirely by a computer via the Internet), this is only permitted if a legal basis exists: if it is necessary for the performance of an agreement (for instance, a mortgage), or if the person involved has given their explicit consent. Furthermore, the accountable person must first carry out a Privacy Impact Assessment (PIA) to chart the privacy risks before initiating any form of profiling of this kind.

When profiling is used for direct marketing purposes (such as displaying personalised advertisements or sending personalised emails/newsletters) and if this profiling has no significant impact on those involved, profiling can occur on the basis of:

1: Permission from the person involved: the advantage of obtaining permission as a legal basis for profiling is that a balance of interests is not required, nor is its substantiation. The disadvantage is that the person involved might not give permission, or might later rescind it. The requirements for permission to profile for direct marketing purposes are the same as the general requirements for permission under the GDPR.

2: Justified interest: profiling within email marketing automation is permitted in most cases on the basis of ‘justified interest’. This applies to the profiling itself. Permission will still be required for sending the emails, but separate permission for the personalisation of those emails is not required. The condition for profiling on the basis of justified interest is that the profiling must not significantly affect the person involved. For instance, you must not display prices that are higher than usual.

The disadvantage of this basis is that you must be able to substantiate, at all times, that the direct marketing interest outweighs the privacy interest of the person involved. As the privacy interests of those involved increase, it becomes less plausible that the direct marketing interest is the overriding one.

The DDMA has the following to say on profiling: ‘As both the legal text of the AVG and the explanation (the WG29) are not yet able to offer complete clarity on profiling, it is logical that many organisations are worried about what will soon be allowed or disallowed. This is why we recommend using logical thought processes in this case – separate from the specific rules. These basic principles will help:

  • sustainable marketing adds value: think about the added value to the consumer. How does this improve the customer’s experience?
  • a customer relationship is based on trust: estimate the consumer’s expectations and ensure that you take these into account;
  • The creepy test: does my marketing sound creepy or weird when I explain it to an average consumer? Of course it could be that as a marketeer, your scale of weird or creepy is less sensitive than the average consumer – bear this in mind.
  • Finally, ask yourself: would this feel right to me if I was the consumer?

If you observe these principles, there is less chance you end up in a grey area with your profiling or online advertisements, where you have to ask yourself whether what you are doing is legally allowed. The basis of the GDPR is that consumers are better protected and have more rights. Those who utilise marketing to genuinely create added value, will take steps towards compliance on their own account.’

Additional conditions for profiling in accordance with the GDPR, regardless of basis, are that:

  • the person involved must always be informed (by way of a privacy statement, for example: see also this blog item on processing);

The privacy statement must contain all required information on profiling. A template for informing people involved that personalised advertisements are displayed could be:

‘We personalise the offers in our emails to ensure they are as relevant as possible to your interests. If you would like to know more about how we do this, about the further handling of your personal data, and about how you can cancel this personalisation, read our privacy statement (link).’

  • the person involved always has the right to object, and must also be explicitly informed of this right;

Those involved must be offered an opt-out option (the right to object). This could be by way of showing a pre-ticked checkbox when the information of a person involved is collected (for example by using cookies or when sending a newsletter), or by sending a ‘service message’ to existing customers.

  • it is not permitted to process more personal data than necessary.

You are not allowed to simply use all fields from your database for direct marketing profiling. You will have to make a selection. You are allowed to profile for a well-defined purpose that is determined beforehand and that guides the process. Within the framework of data minimisation and purpose limitation, it is therefore not about ‘enrichment for the sake of enrichment’, where you decide what to do with the data at a later date.

3. How do you manage the rights of those involved?

If a person involved objects to profiling for direct marketing purposes, you (as the accountable person) will always have to comply. If opens and clicks on an individual level (email address or email address/name) are logged, these are in fact evidently personal data. This means that the person involved has the right to objection and removal.

In most email tools (including Tripolis), opens and clicks are logged at email address level, or as a combination of email address and name. If someone asks you to stop only the processing of clicks and opens, it is reasonable to indicate that this is technically impossible. The alternative available is that this person can unsubscribe.

If a person exercises the so-called right to be forgotten, you will have to remove non-anonymised clicks and opens, or anonymise them, including the email address. This will therefore always involve unsubscribing from the newsletter. It is reasonable to explain to the person that this means no more newsletters will be sent, and to offer them the option of making exceptions for certain processing.
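The two requests described in this section, an objection to profiling and a right-to-be-forgotten request, can be worked through against a per-subscriber open/click log. The following is an added example and is not code from the original post or from Tripolis; the subscriber table, the event log stored under email address plus name, and the sample subscribers are all constructed here for illustration.

```python
"""Added example (not code from the original post or from Tripolis): handling an
objection or an erasure request against an email tool's per-subscriber
open/click log.

Assumptions: a subscriber table keyed by email address and an event log in which
every open or click is stored under email address + name, as the post describes.
Both are constructed inline below."""
from dataclasses import dataclass
import secrets


@dataclass
class Subscriber:
    email: str
    name: str
    subscribed: bool = True
    profiling_objected: bool = False


@dataclass
class TrackingEvent:
    subject: str   # subscriber's email address, or an unlinkable token after erasure
    name: str      # display name as logged by the tool, or "" after erasure
    kind: str      # "open" or "click"
    url: str = ""  # clicked link; empty for opens


def build_sample_data():
    """Constructed sample data: two subscribers and a handful of logged events."""
    subscribers = {
        "jan@example.com": Subscriber("jan@example.com", "Jan"),
        "nel@example.com": Subscriber("nel@example.com", "Nel"),
    }
    events = [
        TrackingEvent("jan@example.com", "Jan", "open"),
        TrackingEvent("jan@example.com", "Jan", "click", "https://shop.example/luxury-holidays"),
        TrackingEvent("nel@example.com", "Nel", "open"),
        TrackingEvent("nel@example.com", "Nel", "click", "https://shop.example/city-trips"),
        TrackingEvent("jan@example.com", "Jan", "click", "https://shop.example/luxury-holidays"),
    ]
    return subscribers, events


def handle_objection(subscribers, email):
    """Objection to direct-marketing profiling.
    As the post notes, the tool cannot log opens/clicks without the address, so
    the only way to honour 'stop profiling me' is to stop sending. The flag records
    the objection so the person is not profiled again if re-imported later."""
    sub = subscribers[email]
    sub.profiling_objected = True
    sub.subscribed = False
    return sub


def handle_erasure(subscribers, events, email):
    """Right to be forgotten: unsubscribe and anonymise the person's historic
    opens/clicks in place. Email address and name are replaced by a random token
    that is generated here and stored nowhere else, so the rows keep their value
    as aggregate statistics but can no longer be tied to a person."""
    token = "erased-" + secrets.token_hex(8)
    sub = subscribers.pop(email)
    sub.subscribed = False
    touched = 0
    for ev in events:
        if ev.subject == email:
            ev.subject = token
            ev.name = ""
            touched += 1
    return touched


def personal_data_remaining(subscribers, events, email):
    """Verification step for the erasure log: how many records still carry the address."""
    in_table = 1 if email in subscribers else 0
    in_events = sum(1 for ev in events if ev.subject == email)
    return in_table + in_events


def click_totals(events):
    """Aggregate reporting that still works after anonymisation: clicks per URL."""
    totals = {}
    for ev in events:
        if ev.kind == "click":
            totals[ev.url] = totals.get(ev.url, 0) + 1
    return totals


if __name__ == "__main__":
    subs, evs = build_sample_data()
    handle_objection(subs, "nel@example.com")
    print(handle_erasure(subs, evs, "jan@example.com"), "events anonymised")
    print(personal_data_remaining(subs, evs, "jan@example.com"), "records still identify Jan")
    print(click_totals(evs))
```

The erasure routine deliberately does not keep a mapping from token to email address; keeping one would turn the "anonymised" rows back into pseudonymised personal data. Run `personal_data_remaining` after every erasure and keep its result in the request log as evidence that the request was honoured.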

4. Conclusion

Profiling for direct marketing purposes is permitted both on the basis of consent from the person involved and on the basis of the justified interest of the accountable person. In the case of profiling on the basis of consent, this consent must comply with all requirements laid out by the GDPR. The preconditions for justified interest include being able to substantiate that the direct marketing interest outweighs the privacy interest of the persons involved, and that sufficient privacy safeguards are offered (at the very least an opt-out and the provision of information).

In the situation described in the intro, there is automated processing of interests/behaviour/preferences in order to show certain content to people. This is a prediction (how receptive is this person to this proposition?) and as such it is profiling from a GDPR perspective. We could call this ‘profiling light’, which can be regarded as regular processing based on justified interest.

After all, this does not involve automated decisions with legal or similarly significant consequences (the more severe category). For instance, profiling that results in a person being shown more books will not make this person addicted to books. You are not harming anyone, and the impact of showing different content is not considerable, so it is unlikely that your profiling falls into the more severe category. This could change, however, if you start to charge some prospects higher prices (price differentiation or price personalisation per member on the basis of a customer profile), or if you start to advertise aggressively to individuals.

5. Extra examples

* Jan always clicks on links for luxury holidays in a travel agency’s newsletter, which results in him being shown more luxury holidays in subsequent newsletters. Is this allowed?

– Yes, this is allowed.

* Jan lives in an expensive neighbourhood in the centre of Amsterdam, and as a result, is offered the same holiday at a higher price than Nel who lives in a neighbourhood with mostly social housing. Is this allowed?

– No, this is not allowed without permission for price personalisation. Price personalisation is a form of profiling that involves automated decision-making. It follows that price personalisation cannot be based on justified interest, as the balance is more likely to tip in favour of protecting those involved. The most suitable legal basis for price personalisation will generally be explicit consent.

GDPR compliant with Tripolis

Under the GDPR (in force since May 25th, 2018), you have to be able to demonstrate how permission was obtained and exactly what that permission pertains to. This applies to new registrants, but also retroactively to your existing database. Thankfully, Tripolis has developed the GDPR Version Manager and the GDPR Easy Consent Manager, which ensure that all of your email marketing from now on is fully GDPR-compliant.

See it for yourself

See how Tripolis can help you to set up your profiling according to the GDPR.