Home Blog User profiling accor ...

User profiling according to the new privacy rules


written by Valerio Sabelli

Most companies that use email as their main marketing tool use some form of user profiling. Several types of approach can be followed, but the most used is undoubtedly the psychographic one: we are talking about identifying various market segments based on “demographic” information including age, gender, geographical location, but also interests, opinions and – in some cases – social background.

Another kind of approach is based on the type of customer, focusing on the reason why a certain purchase is made (loyalty to a brand, search for a special offer, need or simple wish to buy something new). Finally, a segment of users can also be identified on the basis of the characteristics of the buyers.

The latter can indeed make choices based on convenience (for example, buying online to save time), on the sense of community in reading reviews or opinions on a certain brand, or on the customization of the user experience and of the product itself, in order to accommodate their needs.

Whichever is the most suitable approach for us, the most important thing is to engage the targets of our marketing campaigns and communicate in a personalized way, in order to achieve greater ROI (Return on Investment).

However, the European rules relating to the GDPR (General Data Protection Regulation) have been effective since May 2018. This new privacy legislation has been covering many uncertain areas of personal data processing, thus inevitably leading to a series of questions on behalf of those people who work with those data every day: what is still allowed and what has been prohibited?

What is profiling according to the GDPR?

The GDPR 2016/679 is a regulation in European Union law regarding data protection and privacy throughout the European Union (EU). The standard was defined in 2016 and has been effective, as already mentioned, starting from mid-2018.

Specifically, by user profiling we mean the construction of a “profile” aimed at categorizing customers or users of a certain type of service. Therefore, based on this categorization, forecasts are made regarding the behavior and interests of our targets. These forecasts will ultimately be used for marketing related purposes (customized advertising, offer updates) or for automated decision-making tools.

When is profiling allowed?

Data are usually collected for reasons other than user profiling (website cookies, orders on online stores or sending newsletters). Consequently, the processing of personal data and user profiling is only allowed on a legal basis. By defining the concept of profiling in a precise way, the GDPR distinguishes between the version used for automatic decisions and the one used for its own sake.

When automatic choices are made on the basis of user profiling and these choices have legal consequences for the people involved (as in case of the approval or denial of a sales contract or loan), then profiling is only allowed in certain cases: if an agreement must be carried out (for example a mortgage) or in case of explicit consent given by the person involved.

In addition, the company that carries out user profiling must organize a Privacy Impact Assessment (PIA) so as to trace the risks to privacy before starting any profiling activity.

The risks are assessed by analyzing the processes of data detention, collection and processing, in order to ensure compliance with law provisions. Obviously, this process also aims at finding any possible ideas for improvement in all data management.

Necessary conditions for profiling

When the main goal of profiling is marketing, i.e. advertising or personalized newsletters, profiling can be carried out, of course, if you get the explicit permission by the end user. The main disadvantage of this kind of approach is that the user may subsequently deny or withdraw the consent. However, from a legal point of view, no further justification shall be needed for profiling.

Another case in which user profiling is allowed is when there is a justified interest. This approach is often used in the case of automated e-mail marketing. Although specific consent may be required for sending emails only, it won’t be necessary to request any consent to customize content.

Of course, the limit in this case is that profiling must not have “negative” effects on the target, for example by showing higher prices than usual. The disadvantage in this case is the following: it is always necessary to confirm the fact that the marketing interest for the user is much greater than the personal data that are being used.

Regardless of the reasons for which user profiling is carried out, the following principles must always be applied:

  • the person involved must always be informed (via a so-called privacy statement). This information, for example in the form of a banner, must refer to a page that displays all the basic information regarding user profiling.
  • the person involved must always have the chance to deny or withdraw consent and always be aware of having this right
  • it is not allowed to process more personal data than necessary. Rather, a selection of the data stored in our databases will be needed to exploit the smallest possible subset of information necessary for the purpose.

How to manage the rights of the users involved?

Any person involved in user profiling activities for marketing purposes must follow the rules dictated by the new standards in force. If activities or data (such as clicks, pages visited or email addresses) are intrinsically tracked by the tools used, the only option is to give the user the ability to unsubscribe.

At this point, it will be necessary to remove all non-anonymised data or follow an approach that anonymizes and “deletes” traces of the users themselves.

Ultimately, as long as marketing activities respect the limits imposed by the GDPR, personal data processing will continue to be an essential source of information for targeting customers.