“Consumers have stronger rights to be informed about how organizations use their personal data” ― Elizabeth Denham, information commissioner, ICO
For data-driven companies, the question is not “will GDPR impact day-to-day business operations” but “how significantly?”
What many CMOs fear is how GDPR will affect their ability to use customer information in the analytical activities that are must-haves for marketing and customer experience activities. These apprehensions are not completely misguided as the GDPR term “profiling” and the industry term “customer analytics” are quite similar.
Article 4 of the GDPR defines profiling as follows: “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
If that sounds a lot like customer analytics, that's because it is: “Customer analytics, also called customer data analytics, is the systematic examination of a company’s customer information and customer behavior to identify, attract and retain the most profitable customers.”
What the GDPR Says About Profiling
Because GDPR specifically calls out the analysis or prediction aspects of profiling, the reasonable conclusion is that for GDPR, most forms of customer analytics and profiling are one and the same. The Working Party, an independent European advisory body tasked with providing guidance on GDPR, makes this clarifying distinction: Simply classifying customers according to personal information such as age or gender for statistical purposes or to develop an aggregated overview of the customer base is not profiling. However, when the purpose transitions to assessing individual characteristics or making predictions and drawing conclusions about any individual (e.g., customer analytics), it lands squarely in the profiling arena.
Several articles in the GDPR relate specifically to processing and profiling of personal information and lay out the ground rules:
Article 13: Information to be provided where personal data are collected from the data subject
Article 13 stipulates that when personal information is collected, the company must tell consumers what it will be used for, how long it will be kept and, if it will be used for profiling, what the legal basis under GDPR is for that profiling (e.g., which of the permitted reasons the company is using). If the data is used in any type of automated decision making, meaningful information about the logic used in the algorithms must also be provided if the customer asks.
Bottom Line? This essentially means that marketers must know how they will use personal information as they collect it and that they must notify the consumer and ask for consent if certain types of profiling are intended.
Article 6: Lawfulness of Processing
Article 6 spells out the conditions under which processing of information (profiling included) can be done, including when a consumer has given consent and when the data is needed for performance of a contract. There is a third condition, however, that introduces some confusion and has been the subject of varying interpretations of what is legal:
“The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.”
The GDPR says that legitimate interests include processing for direct marketing purposes, which suggests that direct marketing is OK (without permission from the consumer). However, the Working Party has qualified this guidance by also saying that companies must assess whether their legitimate interests are overridden by the consumer’s interests or fundamental rights and freedoms. They suggest that if the profiling practices are intrusive or if tracking for marketing involves looking across multiple websites, locations, devices or data-brokering services, then legitimate interest would not apply.
The DMA has also weighed in with the interpretation that most profiling for purposes of direct marketing is not considered under the GDPR to have a legal or significant impact. However, they too have hedged, focusing on the fairness aspects. For example, the DMA suggests that if a consumer struggling with debt is offered a high-interest, high-risk loan product, such as a payday loan, which may worsen their situation in the long run, the potential negative impacts on the consumer would override the company’s legitimate interest in conducting the direct marketing activity.
Bottom line? While profiling for fraud prevention, completion of a contract and with consumer consent is fine, the jury is out on other types of profiling without obtaining consent, particularly for direct marketing. The more detailed the profile, the closer to the line (requiring consent) it becomes. If the consumer perceives the result of the profiling to be negative rather than positive for them personally, it could be viewed as outside the legitimate interest of the company, and thus be termed a violation. Be prepared to ask for consent.
Article 22: Automated Individual Decision Making, Including Profiling
This article stipulates that consumers have the right to ask for human intervention when automated decisions are made using personal information and profiling. For Article 22 to be in effect, the decision must either infringe on the person’s legal rights, lead to some sort of discrimination or have significant impact on the person.
In terms of online advertising (e.g., the automated decision about what to offer someone based on profiling), the Working Party offers much the same (confusing) guidance as it did for Article 6. Many online direct marketing activities will not result in impacts significant enough to justify a consumer asking why they have received the offer or for human intervention. However, the caveats around fairness, potential exclusion of a person or group from an offer, and the intrusiveness of the profiling process (tracking across multiple devices or websites) are also suggested here.
Bottom line? Consumers have the right to ask for human intervention in automated decisions — with the qualification that the decision must have significant impact or could be viewed by the consumer as being unfair. However, despite some general guidance, there is no clear line over which the right becomes absolute. If you use automation involving personal information to make decisions, you should be prepared to talk about the automated methods (data used, general parameters, etc.) used in the decision, as well as provide a human to review all salient factors if asked by the consumer.