Thanks to Katri from FROSMO for sharing!
You know the General Data Protection Regulation (GDPR), right? Yes, you have likely spent days, perhaps entire weeks preparing for it. Your organization has tackled documentation requirements and technical changes, and implemented processes where no processes were before. Along the way, you’ve probably realized that life doesn’t end on May 25 when the GDPR becomes enforceable. No - it continues, and you still need to engage visitors and drive conversions on your website.
Most commercial websites rely heavily on profiling and personalization to drive conversions. According to the GDPR, profiling is:
● Automated data processing
● Carried out on personal data
● Performed to evaluate personal aspects about a natural person
This means that gathering personal data on a site is not profiling as such, but becomes profiling when that data is processed to make decisions regarding a data subject or predict the subject’s behaviors and preferences. For example, tracking and segmenting a visitor based on their location and the products they have viewed on a retail site is not profiling. Using the segments to provide the visitor with personalized content (such as relevant products for the climate of the visitor’s location) is profiling since the data is used to predict the data subject’s interests.
However, to qualify as profiling, these decisions and predictions must have “a legal effect or similar”. What counts as a legal effect is somewhat open to interpretation. For example, if a gaming site shows gambling ads to a visitor based on their previous behavior on the site, there is no legal effect by definition. But if that visitor happens to be a problem gambler already in debt because of their habit, the gaming site may be considered liable if the visitor gambles on the site and, as a result, gets into even more financial trouble.
Can you continue reaping the benefits of profiling without losing your GDPR compliance? You absolutely can. Profiling and personalization are allowed under the GDPR, as long as you have a legal basis for processing personal data in such a way.
There are several lawful grounds for personal data processing under the GDPR. For example, if you have a contract with the data subject that involves invoicing them, you have a lawful basis. You may also need personal data to comply with a legal obligation or a public task. You may have “legitimate interests” - a genuine reason (including commercial benefit) to process personal data. The reason can be related to security, employment, crime prevention, or product development, for example, but online data tracking rarely fulfills the criteria.
If you don’t have any other lawful basis for processing data, you can explicitly seek consent from the data subjects. This is normally done by offering site visitors an opt-in choice in a pop-up, a sticky banner, or a privacy settings page. You must ask your visitors to actively accept data processing and/or profiling. Do not rely on defaults such as pre-checked boxes or an opt-out. Instead, give visitors a separate option to consent to each type of data usage, for complete clarity and user control.
Life continues! You can absolutely keep improving your site’s user experience (UX) through profiling and personalization. Just make sure you’re doing it in a GDPR-compliant way.