Many times have we heard that data is the new oil. If you know how to use it right, it will offer you endless opportunities. Online customer data is no different. If you possess large amounts of data about Internet users and the right customer group profiles, you have every possibility to make people interested in your products and services.
Businesses use profiles for gaining a better understanding of their (potential) customers. In so-called indirect profiling operations, vast amounts of click-stream and customer provided data have been collected and (hopefully) anonymised*, patterns have been detected and specific customer group profiles have been constructed. When a website visitor’s characteristics match those of a group profile, the group profile will be applied to that visitor and he will be categorised accordingly. Because the data of the visitor correlates with that of the group profile, you can suddenly infer a lot of information about that visitor. Suddenly, the visitor has become incredibly transparent. Much of the inferred data will be valuable and accurate but some of it can be very private or even false. So how do you make sure your profiling campaigns respect the privacy of Internet users?
As a data controller, you need to help your customers understand what you intend to do with their data. The EU General Data Protection Regulation (GDPR) requires organisations to inform individuals about the consequences and logics of profiling operations. The most effective way to do this is to construct user-friendly and layered privacy notices. In your privacy notices, also remember to explain why an accurate profile gives your customers a better user experience. And do offer them the possibility to opt-out of profiling. Yes, it may be difficult to specify the logics and purposes of your profiling operation, but how can we expect consumers to trust us if we don’t take our time to explain how profiling works?
The GDPR strongly propagates transparency and individual control over personal data. Embed these principles in your operations and live up to them.
* Effective anonymization is a challenge of its own – which anonymisation technique to choose, how to mitigate residual risks and eventually – how to prevent the pitfalls of re-identification relating to linkability, singling out and interference in a dataset.