
This article was published on July 28, 2018

This is how you can personalize marketing campaigns — without violating GDPR

Story by Yvonne Koleczek

Yvonne Koleczek is an expert in consumer insights and data segmentation. She writes about analytics, personalization, and growth marketing.

GDPR — no other four letters are giving tech companies a bigger headache this year. So many articles have been written about it, you might wonder why you should read this one.

It’s simple, really: you shouldn’t, unless you are one of the 92 percent of marketers who, according to a recent study by Evergage Inc., use digital personalization. Instead of boring you with yet another generic explanation of what the GDPR is, I’d like to look at the new regulation through the lens of personalization, and more specifically website personalization.

Let’s start with the good news: personalization is permitted under the GDPR, provided it is conducted in a GDPR-compliant manner.

Even though there’s been a lot of scaremongering around the GDPR, we should not forget that the new regulations provide a much needed update to the outdated Data Protection Directive from 1995 — a time when we would have to wait 10 minutes for a cat picture to load.

Previous data protection laws, drafted at a time when the internet was still in its infancy, simply didn’t foresee the possibilities modern marketing technology would offer us. For personalization this left a grey area that the updated legal framework finally clarifies.

Choosing a legal basis for personalization

Overall, the GDPR provides six lawful bases for processing personal data, two of which are most relevant in the context of personalization: “consent” and “legitimate interest” [Article 6 of the GDPR]. Companies should determine which lawful basis is appropriate on a case-by-case basis, and record that decision for each purpose.

If you choose consent, bear in mind that it is only a valid lawful basis if the end user has genuine control and a free choice to refuse it, and can withdraw it as easily as it was given [Article 7(3)]. Getting this right requires a lot of effort, so you might think that using legitimate interest as the legal basis for personalization is the easier choice.

In fact, regulators state that companies “may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers.”

So, can we conclude that legitimate interest is an appropriate legal basis for processing data when it comes to website personalization? The truth is, it depends. If you have an existing relationship with a customer, such as a contract, you can argue that legitimate interest is a valid legal basis for processing their data to personalize their website experience; Recital 47 of the GDPR explicitly mentions such a relationship as a factor. But legitimate interest is not a blanket basis for processing all visitor data: it requires that the processing is necessary for the interest and that the interest is not overridden by the visitor’s own interests and rights, and the visitor may object at any time where the processing is for direct marketing [Article 21(2)].

Legitimate interest is highly dependent on context. Let me give you an example. If I buy some medicine from an online pharmacy and they know I will run out of it in three months, they can send me a marketing email right before the three months are over reminding me to re-order my drugs. In this case, legitimate interest can be the legal basis for processing my data and creating this personalized message. (One caveat a practitioner should check: where a purchase record reveals a health condition, it may count as data concerning health under Article 9, which requires an additional condition beyond the Article 6 lawful basis.)

However, if I go to the supermarket to buy milk and I have a loyalty card that stores my purchasing history, the supermarket chain could process my purchase history, but would not be able to use the same legal basis [legitimate interest] to send me marketing messages reminding me to purchase more milk. The difference lies in what I would reasonably expect from the relationship, which is the test Recital 47 applies. In that case, they would need a different lawful basis for processing and using my data for personalized marketing: consent.

In short, you will probably end up using more than one legal basis to make your personalizations GDPR-compliant. Remember that while the legal basis is key, there are other requirements that need to be taken into account under the GDPR, such as transparency, purpose limitation, appropriate security measures, and data subjects’ access rights. Website personalization also touches the separate ePrivacy rules: storing or reading identifiers such as cookies on a visitor’s device generally needs consent unless it is strictly necessary for the service, whatever Article 6 basis you rely on for the processing itself.

How do you do personalization right and still abide by the rules?

When done right, personalization can be delightfully persuasive and result in increased engagement. When done wrong, it can be uncomfortable, annoying, and downright creepy. To get it right while respecting the law, follow these best practices:

1. Be relevant

When personalizing, make sure you stay relevant by focusing on context. Don’t personalize for the sake of personalization, do it to improve user experience. A good anchor point is personalizing based on a visitor’s objective. Here are three examples:

  • If someone opens your newsletter and clicks through to your website, hide the newsletter opt-in and show them an interesting ebook instead
  • If a customer returns to your website, replace your promo video with a video about your newly released features
  • If you are using social proof, localize it, so visitors see recommendations from companies and people they can relate to

2. Be subtle

Another key thing about personalization is that it shouldn’t be intrusive. Sorry for getting all biblical here, but simply follow the golden rule: treat others the same way you want them to treat you.

Would you be comfortable on a website that is constantly pestering you with recommendations for products that are exactly like the product you bought there last week? Does greeting a returning visitor by their first name really help you sell your product? Most likely not.

On the other hand, if you’re searching for furniture online and you arrive at a landing page that says “Free delivery to {{city}},” you’ll be delighted by the subtle personalization.

3. Be transparent

Consumers demand transparency these days, and the GDPR requires it [Articles 12 to 14]. Audit your website and carefully assess which visitor data you actually need.

Are you being explicit enough about the type of data you collect and how you use it? Is your request for consent specific enough? Is your privacy policy easy to find and can users easily request their data?

4. Be compliant

This is a no-brainer. No one wants to risk a fine of up to €20 million or four percent of annual worldwide turnover, whichever is higher. Make sure to document which legal basis you rely on for which kind of data and which personalization purpose; this is what the records of processing activities in Article 30 are for.

If you collected personal data before and want to use it for purposes other than the original one, you’ll need to assess whether the new purpose is compatible with the original one [Article 6(4)] and whether one of the lawful grounds in Article 6 covers it, or whether you need to obtain your customers’ consent for this new purpose.

Likewise, if someone reaches out to your DPO (data protection officer) and asks your company to erase their data [Article 17], any identifiers used for personalization (such as cookie IDs and the profile they map to) need to be deleted too, and the erasure must be passed on to processors and other recipients of the data [Article 19]. Note that you can only delete the server-side records; the cookie itself stays in the browser until it expires or is overwritten, so the important thing is that the stored identifier no longer resolves to a profile. As a result, there should be no user profile for the person, and they should be treated as a new visitor when returning to your website.
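The two requirements above (using data only for a purpose with a recorded lawful basis, and erasing a profile so that a returning cookie resolves to nothing) are easy to get wrong in a personalization backend. The following Python is an added example, not code from the article or from any vendor it mentions: a minimal in-memory personalization store whose processing register, purpose names, profile fields and cookie IDs are all hypothetical. It refuses to hand out data for an unregistered purpose, returns nothing for a consent-based purpose the user has not consented to, and implements an erasure that removes both the profile and every identifier mapping pointing at it.

```python
"""Added example (not from the original article): purpose-limited access to
personalization data plus an erasure that removes identifier mappings.
All names, purposes and sample data are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class LawfulBasis(Enum):
    CONSENT = "consent"                          # GDPR Art. 6(1)(a)
    CONTRACT = "contract"                        # GDPR Art. 6(1)(b)
    LEGITIMATE_INTEREST = "legitimate_interest"  # GDPR Art. 6(1)(f)


class PurposeNotRegistered(Exception):
    """Raised when data is requested for a purpose with no recorded basis."""


@dataclass
class ProcessingRecord:
    """One entry of the processing register (cf. Art. 30): which data
    categories may be used for which purpose, on which lawful basis."""
    purpose: str
    basis: LawfulBasis
    data_categories: Set[str]


@dataclass
class Profile:
    profile_id: str
    consents: Set[str] = field(default_factory=set)        # purposes consented to
    data: Dict[str, object] = field(default_factory=dict)  # category -> value


class PersonalizationStore:
    def __init__(self) -> None:
        self.register: Dict[str, ProcessingRecord] = {}
        self.profiles: Dict[str, Profile] = {}
        self.cookie_to_profile: Dict[str, str] = {}  # browser identifier -> profile

    def register_purpose(self, record: ProcessingRecord) -> None:
        self.register[record.purpose] = record

    def link(self, cookie_id: str, profile: Profile) -> None:
        self.profiles[profile.profile_id] = profile
        self.cookie_to_profile[cookie_id] = profile.profile_id

    def resolve(self, cookie_id: str) -> Optional[Profile]:
        """Map a cookie ID to a profile; None means 'treat as a new visitor'."""
        pid = self.cookie_to_profile.get(cookie_id)
        return self.profiles.get(pid) if pid else None

    def data_for(self, profile: Profile, purpose: str) -> Dict[str, object]:
        """Purpose limitation: only categories registered for this purpose
        are returned, an unregistered purpose is refused outright, and a
        consent-based purpose yields nothing unless this user consented."""
        rec = self.register.get(purpose)
        if rec is None:
            raise PurposeNotRegistered(purpose)
        if rec.basis is LawfulBasis.CONSENT and purpose not in profile.consents:
            return {}
        return {k: v for k, v in profile.data.items() if k in rec.data_categories}

    def erase(self, profile_id: str) -> int:
        """Right to erasure (Art. 17): drop the profile and every cookie
        mapping that points at it. Returns the number of mappings removed."""
        self.profiles.pop(profile_id, None)
        stale = [c for c, p in self.cookie_to_profile.items() if p == profile_id]
        for cookie_id in stale:
            del self.cookie_to_profile[cookie_id]
        return len(stale)


def demo() -> dict:
    """Walk through the checks with constructed sample data."""
    store = PersonalizationStore()
    store.register_purpose(ProcessingRecord(
        "onsite_personalization", LawfulBasis.LEGITIMATE_INTEREST,
        {"pages_viewed", "is_returning"}))
    store.register_purpose(ProcessingRecord(
        "marketing_email", LawfulBasis.CONSENT, {"email", "purchase_history"}))

    alice = Profile("p-1", data={"email": "alice@example.com",
                                  "purchase_history": ["milk"],
                                  "pages_viewed": 7, "is_returning": True})
    store.link("cookie-abc", alice)

    onsite = store.data_for(alice, "onsite_personalization")  # never sees email
    email_before = store.data_for(alice, "marketing_email")   # {} without consent
    alice.consents.add("marketing_email")
    email_after = store.data_for(alice, "marketing_email")
    try:
        store.data_for(alice, "cross_sell_to_partner")        # not in register
        unregistered_refused = False
    except PurposeNotRegistered:
        unregistered_refused = True

    removed = store.erase("p-1")
    return {"onsite": onsite, "email_before": email_before,
            "email_after": email_after, "unregistered_refused": unregistered_refused,
            "removed": removed,
            "new_visitor_after_erasure": store.resolve("cookie-abc") is None}


if __name__ == "__main__":
    print(demo())
```

The design point is that the register, not the calling code, decides which fields a purpose may see, so adding a new use of existing data forces someone to write down its lawful basis first. In a real system the register would live in configuration and the erasure would also have to reach analytics and email processors, which this in-memory example does not model.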

The bottom line is, personalization is a powerful tool to get your message across effectively. It can work wonders in improving your user experience. But it shouldn’t be abused. Make sure to be compliant, seek legal counsel if you’re in doubt, and work with software vendors that take privacy and data protection seriously.
