With growing scrutiny over data privacy, many companies have prepared themselves for the new era of data protection regulations.

In this blog, we look at some of the practical challenges of defining online consent under GDPR, alternatives to consent as a lawful basis for data collection and processing, and whether legitimate interests have more significance for personalized marketing than we initially expected.

The issue of online consent has always been contentious. There is seemingly a paradox between the (quite reasonable) requirement for consent to be explicit, informed, and freely given, and the practical reality that none of us have time to read the privacy policies or cookie notices for every website we visit.

Is it possible to truly consent to something without knowing what you’re consenting to? In almost any other area of life, treating consent the way we do online simply wouldn’t make sense. It would quickly stop having any meaning at all.

Most people don’t read all the terms and conditions. But does that mean every website today is non-compliant with data protection law?

Increased fines for GDPR non-compliance (up to 4% of a company’s worldwide turnover) have forced all website operators to re-examine their practices, as the potential consequences of getting this wrong are now so much greater.

For many companies, obtaining consent will still be the preferred approach under the GDPR requirements. Indeed, Andrus Ansip, the EU commissioner responsible for the Digital Single Market, specifically referenced consent in February when he said that all companies should be able to use user data to make money.

However, the fact remains that achieving consent under the GDPR is not straightforward.

Consent can only be seen as an appropriate lawful basis if an end-user is given the control and power to accept or decline the terms offered without any detriment. Without providing this control, consent becomes an illusory and invalid basis for data processing, rendering the activity unlawful.

At the very least, it is therefore worth considering whether there is any alternative to consent. And if so, what does that mean for personalization under the GDPR? [1]

Under the GDPR, consent is just one of six lawful bases to process personal information. Most, such as ‘necessary for the performance of a task carried out in the public interest or exercise of official authority’, are highly unlikely to apply to personalization.

But there are two which may be more promising:

  • processing being “necessary for the performance of a contract” (GDPR Article 6(1)(b)); or
  • processing being “necessary for the legitimate interests pursued by the controller or by a third party” (GDPR Article 6(1)(f)).

Let’s deal with each of these in turn.

“necessary for the performance of a contract”

First, can personalization ever be “necessary for the performance of a contract”?

The crucial word here is ‘necessary’.

Guidance issued by the regulator indicates that even where a company has a number of potentially relevant activities that form part of a contract with an end-user, these considerations alone are not sufficient to meet the standard of ‘necessity’ for the purposes of the GDPR.

The following is given as an example of profiling that does not meet the GDPR Article 6(1)(b) basis for processing:

Example – A user buys some items from an online retailer. To fulfil the contract, the retailer must process the user’s credit card information for payment purposes and the user’s address to deliver the goods. Completion of the contract is not dependent upon building a profile of the visitor’s tastes and lifestyle choices based on their visits to the website. Even if profiling is specifically mentioned in the small print of the contract, this fact alone does not make it ‘necessary’ for the performance of the contract. Source (PDF)

In other words, although personalization may be involved during the formation of a contract with an end user, it is unlikely to be strictly necessary. For the purposes of providing personalized recommendations, an alternative basis of processing is therefore required.

“necessary for the legitimate interests pursued by the controller or by a third party”

GDPR Article 6(1)(f) allows a company to process personal data if it’s necessary for legitimate interests pursued by that company.

Recital 47 of the GDPR clarifies that “The processing of customer data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Similarly, the regulators have stated that companies “may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalize their offers and ultimately offer a more relevant customer experience.”

This same logic may be applied to other forms of personalization, such as targeted advertising based on an end user’s interaction with the site. Many websites make money like this. As noted by the Centre for Information Policy Leadership, “Without personalization, many services would lose business as their customers and users rely on personalization as one of the value propositions of the service. Therefore, controllers should be able to rely on legitimate interest as the basis for processing of the personal data of their users for personalization of content and offerings.”

However, having legitimate interest is not enough in itself. After identifying such an interest, a company must then assess whether their interests are overridden by the data subject’s interests or fundamental rights and freedoms. In doing so, the regulators ask companies to consider the following:

  • Level of detail and comprehensiveness of the profile;
  • Impact of the profiling (the effects on the data subject); and
  • Safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.

The following factors may be persuasive.

Level of detail and comprehensiveness of the profile

  • Constrained set of user data, such as browsing habits, previous purchases, etc.

Good profiling creates genuine value for end users by improving their understanding of the website, or by helping them discover new products and services. But even bad personalization is unlikely to have any material adverse effect on an end user.

Below are a few safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.

  • Personalization is a core feature of many of the world’s most popular online services, creating an expectation — and an appetite — for experiences on websites and apps which use personal data for personalization
  • Privacy risks can be mitigated by ensuring that personal data is processed at all times in line with the GDPR’s data protection principles; for example, by offering end-users high levels of transparency and more granular controls over how their data is processed
  • Companies can ensure that only trusted vendors that have adopted appropriate data handling practices are engaged, which will further mitigate the privacy risks involved in personalization

In balancing a company’s legitimate interests in personalization with end-user rights and freedoms, the practical challenges of relying on other lawful bases for processing are also relevant.

Remember where we started this discussion: some companies may conclude that obtaining consent online is simply not possible.

And even if consent is technically possible, where multiple parties are involved it may not be feasible for every one of these parties to obtain individuals’ consent (and provide the mechanism for withdrawal) that the GDPR requires.

Additionally, requiring each of these parties to obtain consent could result in end-users being overwhelmed by consent requests and burdened by having to manage them all. For example, with cookie notices we’ve seen that end users are increasingly unlikely to pay attention to notices and consents, and more likely to simply click through to receive a service or access information they want.

This could leave end-users in a position where they’re actually less empowered than they would be under an approach that relies on legitimate interests.

What’s The Best Way To Process Customer Data Under GDPR Regulations?

The GDPR requires companies to determine (and document) which lawful basis for processing is appropriate for each processing activity they undertake. There is no one-size-fits-all solution to GDPR compliance. No two companies are the same in terms of the data they collect, what they use it for, how they store it, who they share it with, and so on.

Unfortunately, regulators have confirmed that companies should avoid seeking to rely on multiple lawful bases for the same activity (preventing us from hedging our bets). Accordingly, we must choose a basis and stick to it.

Many companies will undoubtedly shoot for consent, and there is nothing wrong with concluding that the arguments above for legitimate interests are not convincing. After all, consent has been the prevailing justification for almost all data protection practices for decades. Moving away from it now takes courage, and a firm conviction that an alternative basis of processing is more appropriate.

However, the discussion above should show that a viable alternative to consent does exist. Provided the reasons for your decision are properly documented and justified, this should meet the requirements under the GDPR.

[1] Note that the discussion in this blog is confined to personalization practices that do not meet the stricter requirements of Article 22(1) (automated processing, including profiling, which produces legal effects on a data subject).