What should you keep in mind when analysing your customers in order to optimize marketing?
Retail companies that sell products or services online may have thousands of consumers in their databases. To increase sales, one e-commerce strategy is to create more personalized communication with the consumers by sending customized advertising. Big tech companies as well as start-ups rely on customer analysis and segmentation of the customer database in order to send such customized advertising. This strategy, which has more or less become the new normal, often includes personalized marketing in emails, banners or ads.
In this context, which privacy issues arise, and what should companies think about when analysing their customers?
According to the GDPR, profiling means any form of automated processing of personal data to evaluate certain personal aspects, in particular to analyse or predict personal preferences, e.g. economy, interests, online behaviour or physical location.
This means that customer segmentation and analysis carried out in order to market products or services that match a customer's preferences or interests constitute profiling in the sense of the GDPR.
In essence, companies must identify a legal basis for conducting customer analysis and profiling, which could be consent, contract or legitimate interest. Information about the legal basis must be included in the privacy notice, which shall be concise and easily accessible on the website or the app.
Traditionally, many companies have chosen to obtain consent for all kinds of processing of personal data by having the customer approve general terms and conditions in one "click". This is not possible under GDPR. Companies relying on consent for profiling must keep in mind that consent shall be freely given, specific, informed and unambiguous. This entails that consent for profiling must be obtained separately from the acceptance of general terms and conditions, e.g. through checking a box with basic information about profiling, and preferably with a link to the full-text privacy notice containing further details about profiling. Companies relying on consent should design the online customer journey and consent mechanism with care, and make sure that a simple solution is deployed for withdrawing consent.
In some cases, profiling may be required to fulfil the contract that the customer has accepted, i.e. profiling is strictly necessary to deliver the services that the customer has ordered. This could be the case for a dating app where profiling is required to match users, a music app that recommends songs based on previously consumed content, a customer club with offers based on purchased goods, and more. Companies relying on contract as the legal basis for profiling must be able to demonstrate that it is strictly necessary to carry out the described profiling in order to provide the services. Note that profiling cannot be included in the services to avoid obtaining consent. In such a case, companies risk not having a legal basis for their profiling.
In practice, a separate consent for profiling may be difficult to obtain, and contract is not always an available option for profiling. This means companies may need to rely on legitimate interest as the legal basis, which requires a balancing of interests that must be documented in writing by the company.
Irrespective of the legal basis for profiling, customers have the right to object at any time to profiling for direct marketing purposes. This must be brought to the attention of the customer clearly and separately from any other information.
Once a company has established a legal basis for its profiling and informed customers in a transparent way, it is time to carry out customer analysis and send out marketing in different online channels. This is regulated by marketing laws, and a new consent may be required regardless of whether the company has previously collected consent for profiling or opted for contract or legitimate interest as the legal basis. A marketing consent may not be required if the company has received the email address of the customer in connection with the sale of a product or service, the new marketing relates to a similar product or service, and the customer has been given the opportunity to opt out of marketing.
Breach of GDPR may lead to penalties or claims for damages from customers. Failure to ensure an adequate legal basis for customer profiling can lead to a lack of trust among customers and create ill will towards the company. As we have seen, other rules such as marketing laws may also come into play in the course of profiling and online marketing activities. Any company considering or performing profiling as part of its marketing strategy should carefully assess how to navigate GDPR in combination with marketing consent, as well as designing an adequate and compliant online customer experience.