Online advertising increasingly relies on automated tools and involves solely automated decision making. In many typical cases targeted advertising does not have a significant effect on individuals, for example an advertisement for a mainstream online fashion outlet based on a simple demographic profile: ‘women in the Brussels region’. However it is possible that it may do, depending upon the particular characteristics of the case, including:
- the intrusiveness of the profiling process;
- the expectations and wishes of the individuals concerned;
- the way the advert is delivered; or
- the particular vulnerabilities of the data subjects targeted.
Processing that might have little impact on individuals generally may in fact have a significant effect on certain groups of society, such as minority groups or vulnerable adults. For example, someone in financial difficulties who is regularly shown adverts for on-line gambling may sign up for these offers and potentially incur further debt. Even where advertising or marketing practices do not fall under Article 22, data controllers must comply with the general legal framework applicable to profiling under the GDPR. The provisions of the proposed e-Privacy Regulation may also be relevant in many cases. Furthermore, children require enhanced protection. Automated decision making that results in differential pricing could also have a significant effect if, for example, prohibitively high prices effectively bar someone from certain goods or services.
Organisations will need to comply with the GDPR if they are targeting online adverts at individual users using their personal data – which might apply if, for example, they display personalised adverts based on browsing history, purchase history, or log-in information. However, non-targeted marketing (i.e. the same marketing displayed to every user) or contextual marketing (i.e. targeted to the content of the page itself rather than the identity or characteristics of users) is unlikely to be subject to the GDPR.
If your email marketing programme uses personal data for profiling, segmentation and dynamic content then, under the GDPR you will need to let people know about it and let them exercise some control over that data use. Firstly, you would need to gain consent for the marketing. Then you must set the expectation at the point of sign-up that the content of your emails contain curated content and recommendations based on what they like. Ensure that you provide a link to your privacy notice which explains everything as per the GDPR’s requirements for profiling. Separate the curated from the non-curated content. In that way, if they currently don’t want to be tracked and profiled, they can still be an email subscriber.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018