Are Machine-Learning and Personalisation Compromised by Data Privacy?
Customer Surveillance vs Brand Trust
The Austrian Data Protection Authority (DPA) decided (22nd December, 2021) that the use of Google Analytics violates GDPR. The decision is being reviewed by other EU governments.
NOYB.EU, a data privacy activist organisation, triggered this action through their complaint. Additionally, NOYB is preparing 10,000 more complaints. It can be assumed that regulatory measures will pick up pace.
The DPA (Austrian Data Protection Authority) did not assess what Google does as per personal data processing, but the activities until the point of data transfer to Google. A separate legal proceeding was initiated over this matter. Interestingly, the German Data Protection Conference (Datenschutzkonferenz or “DSK”) assumes joint controllership role from Google Analytics.
What does this mean for the wealth of digital solutions, customer data platforms, analytics and experience platforms out there?
GDPR states that both controllers and processors must ensure that (-See Articles 4(4), 9, 22 and Recitals 71, 72-):
Processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
Use appropriate mathematical or statistical procedures for the profiling.
Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
As per Recital 162 — Processing for Statistical Purposes, the use of data to serve collective or Wisdom of the Crowd capabilities such as contextualisation or trends, is regulated and permitted, given that “the result of processing for statistical purposes is not personal data”, but aggregate data. Therefore, when the models are built on collective non-personal data and their outcome is not applied differently to individuals, these are permitted.
Personalisation and Hyper-Localisation:
A growing percentage of users are aware of their privacy rights and claim to be active when it comes to cookie management (Deloitte. The next chapter of data privacy).
If most EU cookie consent notices were not to be manipulative (Ruhr-University Bochum, Germany, and the University of Michigan in the US — (Un)informed Consent: Studying GDPR), only 30% of visitors would consent to the cookies that fuel key digital innovations such as personalisation, recommendations and hyper-localisation.
If only 30% of visitors were analysable, tested, geolocated or personalised, the effect of these digital advancements would be reduced in value by a proportional 70%. Under this hypothesis, these capabilities would be significantly less relevant.
Customer Surveillance vs Brand Trust
If consent notices are not adequately presented, then brand trust is compromised. On the other hand, if these notices are properly communicated in the interest of trust, then features such as user-based analytics, one to one personalisation, or localisation experiences are cut down to a minor effect.
Applying ‘second hand car salesman’ techniques to nudge customers towards certain choices, like using a colour to highlight the ‘agree’ button, not only presents unusable and confusing notifications, but it also sends a poor message to customers.
EU law on cookie consent is clear. Web users must be presented with crystal clear choices. However, most sites still choose to make a mockery of the law and their customers through skewed consent UIs.
As Data Protection authorities continue to ramp up their actions (see Austrian’s and Dutch’s over Google Analytics), more and more retailers will adapt their complex consent wiring into legal by design approaches. Consequently, the percentage of consented visitors will continue to decrease.
Retailers have to position themselves between compromising brand trust and reducing user-based experiences and analytics.
Retailers need to take a stand, think beyond compliance, and give strong signs that speak trust, ethics and duty.
