The GDPR, consent and personalization
In our recent webinar GDPR: Personal data and personalization, Qubit General Counsel Jack Carvel looked at consent under the GDPR, and examined some practical examples of how companies have started preparing for the new rules. In this blog, Jack covers the practical challenges of online consent under the GDPR, the alternatives to consent as a lawful basis for processing data and whether legitimate interests may be more significant to personalization than expected.
The issue of online consent has always been contentious. There is seemingly a paradox between the (quite reasonable) requirement for consent to be specific, informed and freely given, and the practical reality that none of us have time to read the privacy policies or cookie notices for every website we visit.
Can it be possible to truly consent to something without knowing what you’re consenting to? In almost any other area of life, treating consent the way we do online simply wouldn’t make sense, and consent would quickly stop having any meaning at all.
However, does that mean that no website has ever got real consent to its online terms and conditions? Is every website non-compliant with data protection law?
This debate is not new, but the increased fines under the GDPR (up to €20 million or 4% of a company’s worldwide annual turnover, whichever is higher) have forced all website operators to re-examine their practices, as the potential consequences of getting this wrong are now so much greater.
For many companies, consent will still be the preferred approach under the GDPR. Indeed, Andrus Ansip, the EU commissioner responsible for the Digital Single Market, specifically referenced consent in February when he said that all companies should be able to use user data to make money.
That’s why, in our webinar GDPR: Personal data and personalization, I looked at some practical examples of how some companies have started changing their approach to consent in preparation for the GDPR, and what norms have started emerging.
However, the fact remains that achieving consent under the GDPR is not straightforward.
Generally, consent can only be an appropriate lawful basis if the end user is offered control and a genuine choice: they must be able to accept or decline the terms offered, and to decline them without detriment. Without that control, consent becomes illusory and is an invalid basis for processing, rendering the processing activity unlawful.
At the very least, it is therefore worth considering whether there is any alternative to consent. And if so, what does that mean for personalization under the GDPR?[1]
Alternatives to consent
Under the GDPR, consent is just one of six lawful bases to process personal data. Most, such as ‘necessary for the performance of a task carried out in the public interest or exercise of official authority’, are highly unlikely to apply to personalization. But there are two which may be more promising: processing being “necessary for the performance of a contract” (Article 6(1)(b)) or “necessary for the legitimate interests pursued by the controller or by a third party” (Article 6(1)(f)).
Let’s deal with each of these in turn.
“necessary for the performance of a contract”
First, can personalization ever be “necessary for the performance of a contract”?
The crucial word here is ‘necessary’. Guidance issued by the regulators indicates that even where a company has a number of potentially relevant activities that form part of a contract with an end user, these considerations alone are not sufficient to meet the standard of ‘necessity’ for the purposes of the GDPR.
The following is given as an example of profiling that does not meet the Article 6(1)(b) basis for processing:
A user buys some items from an online retailer. In order to fulfil the contract, the retailer must process the user’s credit card information for payment purposes and the user’s address to deliver the goods. Completion of the contract is not dependent upon building a profile of the user’s tastes and lifestyle choices based on his or her visits to the website. Even if profiling is specifically mentioned in the small print of the contract, this fact alone does not make it ‘necessary’ for the performance of the contract.
In other words, although personalization may be involved during the formation of a contract with an end user, it is unlikely to be strictly necessary. For the purposes of personalization, an alternative basis of processing is therefore required.
“necessary for the legitimate interests pursued by the controller or by a third party”
Article 6(1)(f) allows a company to process personal data if such processing is necessary for legitimate interests pursued by that company.
Recital 47 of the GDPR clarifies that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Similarly, the regulators have stated that companies “may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers.”
This same logic may be applied to other forms of personalization, such as targeted advertising based on an end user’s interaction with the site. Indeed, such activities are the primary way many websites make money from their site. As noted by the Centre for Information Policy Leadership, “Without personalisation, many services would lose business as their customers and users rely on personalisation as one of the value propositions of the service. Therefore, controllers should be able to rely on legitimate interest as the basis for processing of the personal data of their users for personalisation of content and offerings.”
It is reasonable, therefore, to conclude that processing certain types of personal data is necessary for the legitimate interest of website personalization.
However, having a legitimate interest is not enough in itself. After identifying such an interest, a company must then assess whether their interests are overridden by the data subject’s interests or fundamental rights and freedoms. In doing so, the regulators ask companies to consider the following:
- the level of detail and comprehensiveness of the profile;
- the impact of the profiling (the effects on the data subject); and
- the safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.
The following factors may be persuasive:
The level of detail and comprehensiveness of the profile
- personalization typically relies on a relatively constrained set of user data, such as browsing habits, previous purchases, etc.
The impact of the profiling (the effects on the data subject)
- when done properly, personalization creates genuine value for end users by helping them better engage with and understand a website, or discover new products and services. But even bad personalization is unlikely to have any material adverse effect on an end user.
The safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process
- personalization is a core feature of many of the world’s most popular online services, creating an expectation, and an appetite, for experiences on websites and apps which use personal data for personalization.
- privacy risks can be mitigated by ensuring that personal data is processed at all times in line with the GDPR’s data protection principles, for example by offering end users high levels of transparency and more granular controls over how their data is processed.
- companies can ensure that only trusted vendors that have adopted appropriate data handling practices are engaged, which will further mitigate the privacy risks involved in personalization.
In balancing a company’s legitimate interests in personalization with end user rights and freedoms, the practical challenges of relying on other lawful bases for processing are also relevant.
Remember where we started this discussion – some companies may conclude that obtaining consent online is simply not possible.
And even if consent is technically possible, where multiple parties are involved it may not be feasible for every one of those parties to obtain from each individual the consent that the GDPR requires, and to provide the mechanism for withdrawing it.
Additionally, requiring each of these parties to obtain consent could result in end users being overwhelmed by consent requests and burdened by having to manage them all. We have seen with cookie notices that end users are increasingly unlikely to pay attention to notices and consents and more likely to simply click through in order to receive a service or access information they want. This could leave end users in a position where they are actually less empowered than they would be under an approach that relies on legitimate interests.
So which is it? Consent or legitimate interests?
The GDPR requires companies to determine (and document) which lawful basis for processing is appropriate for each processing activity they undertake. There is no one-size-fits-all solution to GDPR compliance, because no two companies are the same in terms of the data they collect, what they use it for, how they store it, who they share it with, and so on.
Unfortunately, the regulators have confirmed that companies should avoid seeking to rely on multiple lawful bases for the same activity (preventing us from hedging our bets). Accordingly, we must choose a basis and stick to it.
Many companies will undoubtedly shoot for consent, and there is nothing wrong with concluding that the arguments above for legitimate interests are not convincing. After all, consent has been the prevailing justification for almost all data protection practices for decades. Moving away from it now takes courage, and a firm conviction that an alternative basis of processing is more appropriate.
However, the discussion above should show that a viable alternative to consent does exist. Provided the reasons for your decision are properly documented and justified, including the balancing test described above, this should meet the requirements under the GDPR. One caveat applies: where processing rests on legitimate interests, end users retain the right under Article 21 to object to it, and an objection to processing for direct marketing purposes must always be honoured, so a working opt-out is still needed even without consent.
1. Note that the discussion in this blog is confined to personalization practices that do not meet the stricter requirements of Article 22(1) (decisions based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect them).