Personalization in the Age of GDPR

When it comes to digital marketing, we know that personalization is key. We read about it everywhere: customers want personalization – they need personalization.

75% of consumers

But customers also want and need the protection of their personal data, which is where May 2018’s implementation of GDPR (General Data Protection Regulation) comes in. The new EU law is designed to enable individuals to have more control over their personal information. So when customers get more control over their personal data, are we still able to personalize? Can personalization thrive in an age of GDPR? That’s what we all want to know.

In short, yes. It just takes care. One of the most important GDPR quotes is: “the processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest”.

Legitimate Interest, Permission and Individual Rights

These are core GDPR concepts for marketers.

Legitimate Interest means doing only what’s necessary and what’s good manners.

If you have a legitimate interest to do something, then you don’t need permission. For example, when a shopper comes to your eCommerce website, you need to market to them efficiently, including presenting and personalizing offers, so you don’t need permission to use personal data for this. Then, if they start buying, they expect your website to lead them through the purchase process, ask for their details, and send transactional emails such as purchase confirmation and cart and browse abandonment, so this doesn’t need permission either.

Permission is needed for everything else.

For example, when a shopper buys from you, you cannot automatically subscribe them to a newsletter because that’s not necessary for the purchase – you must get permission. The rule seems to be that, whenever you try to do several things with one action, permission for the main thing is automatic but for the others, you need to get separate permission. For example, if one form is both a step on the way to a purchase and also subscribes you to several newsletters, you should show a pair of radio buttons (Yes or No) for each of the newsletters.

Individual Rights

The GDPR introduces several individual rights, which people invoke by contacting you and proving their identity. The “right to erasure” means you simply delete all their data, then they will be treated as a new user when they next visit your site. The “right to object” means you need to permanently stop all permission-based marketing and personalizing for them.

Rather than a threat to personalization, you should view GDPR as an opportunity to make your marketing increasingly targeted and to tune into the type of content that your shoppers best engage with and that adds the most value to their experience.

57% of consumers

Enriching your Existing Data in the GDPR Age

An inevitable challenge of the introduction of GDPR is going to be sourcing personal data that you are legally able to collect, use, and share, by receiving permission from individuals, or because you have a legitimate interest. Mostly this is about being transparent.

You must tell shoppers how you use data, clearly and plainly. The GDPR says:

“It should be transparent to natural persons [in the EU] that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing.”

How does this affect your existing data post-GDPR?


Check your current website etc. and ask yourself whether it tells shoppers how you use data, clearly and plainly. And if you use third-party data, did those people know, clearly and plainly, how their data would be shared and used? If the answer to either of these is no, then data/permissions may not be usable post-GDPR, and re-permissioning may not be valid unless you fix your website etc. first.


Some types of marketing can normally be done as a legitimate interest (e.g. personalization), while some normally require opt-in permission (e.g. bulk email), and you may not have collected those permissions. So you need to think about confirming those permissions, so you can contact people after GDPR.

You may find it harder to source usable personal data (any data about an identifiable individual in the EU) if fewer individuals give consent for marketing, or if more people request that their data be erased or object to processing. However, you can and should utilize your existing GDPR-compliant data to create highly targeted segmentation groups that leverage the most relevant dynamic marketing content. The development of your understanding of customers and visitors will allow you to continue using personalization successfully while you continue to build your list in the age of GDPR.

Getting to know existing customers in this detail will also enable you to understand how to gain consent from individuals to access and process their personal information and continue creating personalized marketing campaigns and content.

The Fresh Relevance personalization platform uses person data (including a small amount of personal data in the GDPR) to create personalized content to be served in your emails and on your website. We fully support the GDPR, including the Individual Rights. There is more information here.

Data Hygiene Focus

This is also a good time to consider your organization’s data hygiene practices to ensure that your email list is kept clean, increasing your open and click rates. You should treat disengaged addresses differently from engaged, for example reducing the send rate and only sending your most engaging content. If you don’t have a data hygiene strategy in place, now is the time to focus on the processes and the resources required to maintain a clean list in the years to come.

Refining your data hygiene is a good fit with the work to become GDPR compliant, and it will also help to focus on your active customers and prospects and their contact details in your email lists.

Build Trust with your Viewers and Customers.

Complying with GDPR will not only avoid embarrassment and a possible hefty fine if you get caught out, it will also enable you to instill trust in your customers and prospects. If they see that your company is making a point of following the newly laid-down law, they are more likely to see the brand as trustworthy, making it easier for them to make the decision to opt in or provide you with more personal information – thus allowing you to continue using and growing personalization within this new age of privacy.

While GDPR is likely to pose some challenges to you and your business, it will soon make for a much more effective use of your time and efforts.

Losing Contacts doesn’t have to mean Losing Customers.

You may have a long list of contacts currently; some engage and some don’t. If the ones who don’t engage are lost after GDPR due to not opting in, it might just save you from wasting your breath, because it’s pointless attempting to engage with people who don’t want to engage with you and your brand. Take this opportunity to focus on the quality of your customer connections, rather than the quantity of them.

A New Era of Content is Upon Us.

Fresh Relevance Strategic Marketing Consultant Justis Saayman adds that with consumers wanting a more personalized experience across the marketplace and GDPR limiting how and what data we can keep, we now have the opportunity to reconsider our content marketing strategies to make it all more relevant.

Because users will be more selective/considered about giving us more information, we as marketers would need to up our game in terms of the content we provide. This will serve as great personalized and relevant content for use in multiple sections of our marketing campaigns and the better the content, the better the results in areas like conversion rates, SEO, or Social Engagement.

Using Personalization to Increase Data

The GDPR requires you to explain to visitors what data you will collect, and how it will be used, clearly and plainly. And some types of information can’t really be collected automatically, so you want visitors to enter it.

Personal data collection is a two-way street: the individual has to gain something from giving you their information. Make them want to sign up by offering them personalized product recommendations and individual coupon codes if they do. Receiving personalized content as a result of giving their details will also make them less likely to retract their data, which is something that GDPR enables individuals to do freely. You should also use bold Calls To Action (CTAs) guiding website viewers and making it as easy as possible for them to sign up. Popovers that prompt signing up when visitors view your website are another great way to make signing up easier for them, encouraging them to do it then and there. Pottery Barn has used popovers well, enticing visitors with an offer of a discount for signing up, and making the process easy with clear instructions and a bold CTA that reads “SUBMIT”.


Privacy policies tend to be long and complicated, and it’s often accepted that most people won’t read the documents in their entirety, if at all. As we said above, the GDPR requires “any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used”. But your lawyers will want legal clarity which is very different. So you should maybe provide a clear and plain notice, which is the one normally seen, and the full legalese linked from that.

Two ideas for these notices are:

  • The use of layers

Using layering can make the notice easy to follow for your users by allowing the user to break up the information you are providing them with. Use clear headings, such as “how we will use the information we collect” or “who will be able to access the data we collect”. Follow this heading with a second layer of the basic facts. This could be a list of organizations that will have access to the data, or a list of ways in which the data will be used by you. This needn’t be long but it should be clear and easy to understand. A third layer could be a link for the user to follow if they wish to find out more information, giving them the opportunity to know as much as possible about the way in which their personal data will be used, stored, or shared. Below is a prototype of layering by the ICO.


  • Just-in-time notices

This is when relevant information is displayed to the user as a pop-up or hint when they engage with a data field. This is a good way to provide a notice to your users because it notifies them as they are about to provide their personal data in the field selected. Therefore, if the notice pops up, they will see, before they enter their data, why they need to provide the information, how it is going to be used, and by whom. The ICO uses a gif of just-in-time notices as an example, shown below.


Find out more about making great privacy notices here.

Personalization Without ID

While GDPR might make it more challenging for you to build your email list, there are still website personalization tools that you can put in place to engage with your visitors without needing to collect and store even their person information. Countdown timers are one way to excite your visitors and use time pressure to encourage sign-ups or purchases. Wiggle has used countdown timers on the homepage of their website, allowing them to use real-time dynamic content without requiring visitors’ person information.


To make your website more engaging, incorporate real-time weather forecasts into your website content and relate them to your brand and products. Popovers are another way you can engage with your visitors without needing their information to start with; they are also good for encouraging people who haven’t signed up already to do so. Garnet Hill has used a popover well to offer visitors a discount as a reward for signing up. This is another example of dynamic content that can be used without collecting and using your visitors’ person information.



03/18/2021