Personalisation – data privacy considerations

Another trend that we raised in our article Data trends to watch for the Retail, Hospitality and Leisure sector in The Collective annual business report (a copy of which can be downloaded from here), is the personalisation of the customer experience.

Personalisation is a key tool not only to engage with customers while in store and online but also to make a brand’s communications more relevant. Personalisation is all about understanding customer behaviour and using that knowledge to enhance their experience with the brand. In order to gain that understanding of a particular customer, brands need to create a profile about the customer or otherwise keep a record of the customer’s behaviour. They will then be able to use this information to understand the customer’s preferences and work out how best to engage with them. For example, a brand might analyse a customer’s use of their loyalty card to understand which loyalty rewards to offer, or analyse their browsing history to understand what products they engage with, in order to inform what advertising is displayed to them going forwards. Many brands do not have the luxury of oodles of first party data and therefore are heavily reliant on third party data to help inform them about their existing or potential customer base.

Brands may choose to argue that this type of data processing is purely for the customer’s benefit, to ensure they have the best experience when engaging with the brand. However, many customers may find it creepy to have their behaviour and preferences tracked and used to guide future brand experiences (particularly if this type of processing of their personal data has not been brought to their attention and/or the data has been acquired from the customer’s interactions with third parties).

For that reason, if brands wish to engage in this kind of activity, it is critical that they remain on the right side of data protection law, not only from a compliance perspective, but also from a customer relationship perspective.

In terms of compliance, the same key principles apply when processing personal data for personalisation that we discussed in our Data trends article, namely:

  1. ensuring transparency (providing individuals with information about how their data is being used) and giving them control over how you can use it;
  2. ensuring a lawful basis exists for processing their data for such purposes;
  3. maintaining appropriate levels of security around the data being collected; and
  4. carrying out appropriate due diligence on third party data brokers and carrying out DPIAs where appropriate (e.g. where the profiling is particularly intrusive).

One of the trickier issues that a lot of brands grapple with when it comes to personalisation is what the most appropriate lawful basis is and whether customers should be required to opt in or opt out of personalisation. In other words, do they need consent, or can they rely on legitimate interest? Unhelpfully the ICO has said that where the personalisation is based on profiling, there is a risk that the individuals may not know this is happening or fully understand what is involved, or that it may restrict or undermine an individual’s freedom to choose. Therefore, legitimate interests may not be the appropriate lawful basis and consent may be required. However, they have ultimately left it for the brands to decide.

Unfortunately, there is no hard and fast answer, and our advice in this area will always turn on the facts. Factors that we encourage brands to consider when deciding whether to go down an opt in or opt out route include:

  • how intrusive is the profiling? (i.e. how much information is being collected about the customer?);
  • how likely is the profiling to be in the reasonable expectation of the customer? (i.e. what has the customer been told?);
  • how is the profiling being carried out? (i.e. where has the data been collected from and how?);
  • what is the decision being made on the back of the profiling and how has it been carried out? (i.e. is it an automated decision that has a significant effect?); and
  • is the decision being made off the back of the profiling likely to result in a risk of harm to the customer?

Although determining a lawful basis might not be straightforward, it should certainly not deter brands from engaging in these types of activities, as they can have a significant impact on engagement and ultimately sales. As long as you engage in this activity in an open and transparent manner, respecting data subject choices if they do object, and document your thinking on trickier elements such as lawful basis, you should be able to navigate this tricky terrain without too much apprehension.

Want to join The Collective, and contribute to the debate?

Email us at: The.Collective@lewissilkin.com