GDPR in eCommerce: from Compliance to Opportunity

When Personal Data becomes truly Personal

Today, online stores use many complex data automation processes to be more relevant to every user.

These tools, used in eCommerce to “Personalise Experiences”, feed on Cookies (which constitute “online identifiers”) and heavily profiled location data (IPs). GDPR explicitly includes this type of data as Personal Data in its Definitions (see Art. 4(1)).

These tools depend on automated decision-making and profiling, and these automated decisions must not harm the user, whether legally or in a similar way. (See Articles 4(4), 9, 22 and Recitals 71, 72.)

What does GDPR say about profiling?

GDPR defines profiling as the automated processing that is intended to evaluate personal aspects of the user.

Of the pre-defined aspects, these are the ones that affect eCommerce:

  1. Economic Situation: by tracking User purchases, price percentiles and related calculations.
  2. Personal Preferences: whether captured explicitly or implicitly through tagging.
  3. Behaviour: as above, captured as affinities for products, brands or categories.
  4. Location / Movements: IPs could be affected (which were already considered, when enriched with the above Personal Data).

How does profiling under the GDPR definition affect eCommerce? With Transparency by Design

Online Stores (as Personal Data Controllers) and Vendors (as Processors) must, when profiling:

  • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
  • Use appropriate mathematical or statistical procedures for the profiling.
  • Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
  • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Some online stores are starting to provide information about the logic involved. Look, for example, at Amazon's Manage History and how it is starting to introduce elements of fairness and transparency.

Amazon access to switch profiling off under Manage History (UK Site Oct 2017)

Transparency by Design assimilates compliance into opportunity. This shift from hidden, automated processing of profiling data to showing users what you know about them not only complies with GDPR but also empowers the user with a sense of control and trust.

At EmpathyBroker Layer (Universal UI for Search) we have also been experimenting with transparently showing users why they see Contextualised (or personalised) results.

How would things change if users were given access to knowledge of how their Personal Data is utilised?

Would they delete it? Change it? Port it?

One thing is clear to me: they will feel empowered, building trust and therefore connecting with the brand.

We will see in the coming months great developments in Transparency by Design (of which I like to believe EmpathyBroker is a pioneer).


Our industry is passionate and curious; it creates, as it needs them, new disruptions and innovations, and it feeds on them. In many ways, GDPR energizes this need for a new future.

I have heard fun predictions about GDPR, but these long-term hypotheses shall not eclipse the most immediate changes: the things that are already happening, like Transparency by Design.

I hope to be able to share more around these exciting concepts in the coming weeks. Stay tuned :)