Does GDPR spell the beginning of the end for hyper-personalisation?

By Will Robertson, Partner, Osborne Clarke

We all like to feel special, particularly when it comes to our customer experience; be it when shopping online or reading the news, we want it to be relevant to our interests and needs without having to fill in forms or answer long-winded questionnaires.

Nowadays, we have come to expect a personalised experience when browsing online. However, in a post-GDPR world, there is a growing concern that the days of hyper-personalisation are numbered, and with new e-privacy laws on the way, organisations are starting to re-evaluate how they can best build and maintain customer relationships, whilst staying on the right side of the law.

Hyper-personalisation is achieved through companies analysing real-time data produced uniquely by each user to define and understand their needs, interests and habits. This information is then used to deliver targeted content to them across multiple channels.

But today a consumer’s journey is fragmented: it can start on an app on their phone, then continue on a laptop and the final purchase could be made in-store. The customer expects a seamless integration of personalisation across all these platforms, regardless of their choices.

The line between consumer love and frustration is very thin; therefore, the timing of these interactions must be perfect, as even the slightest mistiming can irritate them. To ensure the success of online communications, retailers need to be sure they have the best quality data and that it is processed securely and accurately in order to generate correct insight, relevant both for the customer and the retailer.

For hyper-personalisation to work smoothly you need data, specifically personal data, and its use is regulated by GDPR. Personal data includes information that can directly identify an individual, such as a name, address or email, but also data that can indirectly identify them when combined with other data, such as an IP address or cookies.

The processing involved in hyper-personalisation (for example, aggregating individuals' data and profiling them into segments, such as a male aged 25-35 interested in golf) needs a legal basis, and there's an ongoing debate whether this should be consent or legitimate interests.

Historically, advertisers have relied on their legitimate interests to strengthen relationships with customers and raise brand awareness when engaging in personalised advertising. They have argued that consumers prefer and benefit more from relevant and engaging content rather than blanket spam messaging.

Critics argue that organisations have abused legitimate interests and that the level of processing involved in hyper-personalisation is now far more intrusive than an average consumer would expect. Indeed, there are a number of ongoing regulatory complaints against the adtech industry that specifically take aim at the online personalised advertising system as a whole.


In the absence of legitimate interests, the only other legal basis available for hyper-personalisation is likely to be consent. It is a very high bar to achieve in practice post-GDPR, as it must be specific, informed and unambiguous.

GDPR also introduced transparency obligations that require retailers (as data controllers) to provide mandatory information to consumers about their data processing activities including the categories of data collected, processing activities, legal bases relied upon and how long the data is retained for.

This can be very challenging to comply with for retailers that don't have a direct relationship with consumers. For those who do, it's difficult to strike the right balance between providing detailed and specific information and keeping it simple and easy for consumers to understand.

Additionally, we're barely 12 months into a post-GDPR world and there's new privacy legislation on the horizon in the form of the e-Privacy Regulation. The new Regulation will change the existing law that governs the use of cookies and other tracking technologies (the Privacy and Electronic Communications Regulations), the use of which is integral to hyper-personalisation, particularly when applied to advertising. The Regulation is likely to clarify the rules around consent, which are causing a compliance headache for many organisations, particularly as the UK currently requires GDPR-grade consent to cookies, which is extremely difficult to obtain in practice.

Based on the current draft, cookies for targeted advertising will need 'acceptance' which may replace the need for GDPR-grade consent. However, the new Regulation is still very much in draft form and is not expected to be finalised until late 2019 at the earliest. In addition to a proposed two-year implementation period, this would mean it wouldn't be in force in the UK before 2021, subject of course to Brexit!

So, can a retailer comply with GDPR and engage in hyper-personalisation? For the time being, pending any regulatory enforcement in the area, yes, but those wishing to succeed should stay subject to certain safeguards including the following:

  • Only process the data you really need – segregate your marketing database from your transactional database, and if you don't engage in, for example, postal or email marketing, then don't have this data in your marketing database – data minimisation is key;

  • Don't keep data longer than needed – if you're not seeing customer engagement, then the data you hold doesn't have value and holding on to it creates unnecessary compliance risks;

  • Do your homework on your data suppliers – if you engage third-party suppliers to provide hyper-personalisation services such as programmatic advertising on your behalf, make sure you have robust contractual provisions within your agreements concerning data privacy compliance, and only engage with reputable suppliers who champion data security. Be careful in particular of buying-in third-party data sets from questionable sources;

  • Undertake a thorough legitimate interests assessment if you conclude that legitimate interests are the most appropriate legal basis to rely upon for your hyper-personalisation activities. The Information Commissioner’s Office (ICO) has published a user-friendly template you can use to carry out and document that assessment;

  • Consider a data protection impact assessment if you plan on using new technologies for hyper-personalisation purposes. Again, the ICO has published a user-friendly template so you can weigh up all the pros and cons, and assess what risk mitigation measures you can take;

  • Be transparent with customers about your hyper-personalisation processing activities and update your customer privacy notice to explain the data collection and processing activities in a clear and intelligible language; and

  • Monitor legal developments, such as the ePrivacy Regulation, and keep an eye out for any enforcement action by European data regulators that concern the use of personal data for hyper-personalisation. As mentioned above, there are several ongoing regulatory complaints that may change the regulatory landscape, so retailers need to have their finger on the pulse or risk non-compliance.

GDPR-compliance should be at the heart of all decision-making for retailers, particularly when it involves the use of customer data. Whilst the allure of new CRM tools for hyper-personalisation purposes can be strong, it's important to remember that consumers are much more wary of how their personal data is used in a post-GDPR world, and those brands that prioritise data protection by design and default are more likely to build long-term and trusting relationships with customers.