Profiling and automated decision-making under GDPR
This is probably the hottest potato within the digital marketing industry right now and especially the programmatic advertising these days. If you are a marketer, this concerns you too.
As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps you use for marketing purposes do profiling, including the very popular Facebook Pixel, Google Ads, and various codes/tags you get from your agency or retargeting services.
Simply put, GDPR requires you to be transparent with your users and let them know what’s happening. Plus, they must agree for this type of processing before you those apps start running on your site.
So, what is profiling?
Profiling is as an automated form of processing personal data for evaluating various aspects, especially to analyze or make predictions about individuals.
Profiling practices construct knowledge from huge sets of data, that is commonly used by marketers to make or inform decisions (especially nowadays considering the ubiquitous consumer profiling, the programmatic media buying based on data segments and all the real-time personalization features).
It usually implies three distinct stages:
- data collection;
- automated analysis to identify correlations;
- applying the correlation to identify individuals’ characteristics of present or future behavior.
Through profiling, personal information can be deducted, derived or predicted with certain degrees of accuracy. As a result, data about a person’s behavior can be used to generate inferred information (about his or her likely identity, attributes, behavior, interests, or personality traits) and activated in marketing campaigns.
Automated decision-making means using technology to decide various things without substantive input from a human decision-maker.
Automated decision-making is not expressly defined in the GDPR, but the European Data Protection Board shed some light on the matter.
Most marketing technology providers fall under this category, especially marketing automation tools, data management platforms (DMP), media buying platforms (DSP), content personalization and product recommendation engines, retargeting pixels and so on.
Put it simply, it’s about applications that track people online in order to create profiles based on their behavior and use those profiles to better target advertising content.
To sum it up, most of the marketing tools you may be using do profiling.
They are tracking, collecting, analyzing massive amounts of data in order to create individual profiles that are later being used for various purposes
This includes Facebook Pixel, Google Ads, DoubleClick, Segmentify, Data Management Platforms such as Lotame, Bluekai, Cxense, Krux, Avandor, and most DSPs and personalization tools out there.
As this may sometimes lead to significant effects for some users (e.g. discrimination or denial of opportunities), often beyond your control and beyond your knowledge, you as site owner and data controller, should thoroughly inform and ask for explicit consent from your users for this type of processing, before starting the applications. Be nice and avoid running such apps before asking for consent, ok?
To achieve this, you normally need to integrate a consent manager with a tag manager (or directly with your site’s code). Avandor Consent fortunately manages both consent and tags from a single platform, so why not check it out?