Does the EU’s new privacy law restrict the use of A.I.?
2017 was the breakout year for Artificial Intelligence (A.I.) in digital marketing
By combining data from multiple sources and having these data analysed by A.I., a wealth of information becomes available. This makes it a lot easier to send highly personalised emails.
This benefits the consumer because they will only receive information and offers of interest to them. Imagine an airline like Air France/KLM – flying to 599 destinations – being able to tailor offers to an individual, based on past bookings and favourite holidays? Or a large web shop like Wehkamp – offering over 180,000 articles – being able to pick just those of interest to a specific client, to include in a personal newsletter?
Helpful or annoying
While Artificial Intelligence allows email marketers to take relevance to the next level, there is a danger it might go too far when collecting and combining personal data from many different sources.
What if what you pay for car insurance is influenced by your online behaviour (looking for auto repair shops or information about traffic fines) or your social media posts (here’s a selfie of me with my dented car)? What is in the interest of the insurance company is probably undesirable from the client’s point of view.
A factor that could impact the use of A.I. in marketing is the EU’s privacy law, the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. This legislation is intended to be future-proof for the digital age.
Why a General Data Protection Regulation?
Before the GDPR, companies that did business across multiple member states had to comply with different privacy laws in each one. This took a lot of research time and resulted in high legal costs. With the GDPR, the EU aims to simplify privacy laws for businesses and at the same time to better protect its citizens’ privacy.
In the past, every member state of the European Union had its own privacy law. These individual laws were based on an EU directive dating from 1995. At that time the EU had 15 members (in 2017, there are – still – 28). Cast your mind back: this was the year Sony introduced the PlayStation, Star Trek: Voyager premiered on American TV and the DVD was launched. Only 0.6% of the world’s population had internet access (in 2014 this had risen to 39% and it has exploded since smartphones became the norm).
What’s covered in the GDPR?
All separate privacy laws within the EU were replaced by the GDPR on May 25, 2018. Sections of the law of special interest to marketers are:
What are personal data? The definition of personal data covers all information that belongs to and can be traced to an individual. This includes identifiers like a customer ID, email address, telephone number, online nickname, and IP and MAC addresses.
Citizens’ rights: Every natural person is the owner of his or her data. He or she has the right of inspection, improvement of, addition to and removal of data (‘right to be forgotten’) held by any organisation or service provider. Included in these rights is data portability: a person can ask to receive his or her data in a standard format, in order to move it to a different organisation or service provider.
Permission: To obtain permission for the use of data, an active action (like clicking on a link or ticking a box) is required. Every specific use of data needs a separate permission. For minors under 16, additional parental consent is needed.
Liability: Third parties that process data for owners can also be held accountable in the case of a data breach. It is, therefore, necessary to draw up a solid data processing agreement with all parties concerned.
How to comply
Every organisation that collects and processes personal data has to be able to prove it is fully compliant with the GDPR. This calls for careful administration. Fines of up to 20 million euros, or 4% of the worldwide revenue (whichever is higher), can be imposed in case of infringement. If you are a marketer or a data processor, you need to be aware of the following points:
DPO and PIA: Organisations that collect and/or process data may need to appoint a Data Protection Officer (DPO). In the case of large-scale or sensitive projects, it might be a good idea to conduct a Privacy Impact Assessment (PIA).
Mandatory notification of data breaches: Under the GDPR, any data breach has to be reported within 72 hours to the Dutch Data Protection Authority (or its equivalent in the EU country where the data breach took place).
Documentation, Privacy by Design and Privacy by Default: Opt-ins need to be meticulously administered. Your data processing systems need to be set up according to these principles: only data relevant to the intended use may be collected, and default settings must be designed with privacy in mind (pre-ticked boxes are not allowed). For each different use of personal data, a separate opt-in is needed. Opting out needs to be as easy as opting in.
Data processing agreement: All parties need to enter into an agreement that defines the purpose of the data processing, the nature of the data to be processed, anyone with access to the data, safety measures, audits and the returning or destruction of the data after processing.
Record of Data Processing Activities: Under the GDPR, keeping a written record of all data processing activities is mandatory for both Controller and Processor. Details about the content of this record can be found here.
To help you comply with the GDPR, we have compiled a handy checklist, which you can download in PDF format.
Can digital marketers rely on their marketing automation platforms to abide by the law? Can self-learning Artificial Intelligence be contained, or will it develop independently and take a path we cannot follow? All the large Marketing Automation platforms are compliant with the GDPR and are continuously updating to stay that way. That said, you should be constantly monitoring your data processes to ensure you are not falling foul of the law.
But what about personal responsibility?
In our opinion, consumers also have a personal responsibility to be careful with their data. Your mobile phone, thermostat, TV, even your washing machine are connected to the internet. But you are paying a price for convenience by (sometimes unknowingly) sharing data through these and other smart devices.
In the past couple of years, producers and consumers have been investing in developing and buying smart products. (Unfortunately, hackers are also starting to explore the possibilities of the Internet of Things.) It might be a good idea for the EU to organize a campaign to raise awareness among consumers about managing personal data, ahead of the implementation of the new law.
Anja Bart and Pim van den Boogaard
This article has been updated on August 15 2019
White & Case, a British law firm, has compiled an extensive dossier on the GDPR.
Autoriteit Persoonsgegevens (the Dutch Data Protection Authority)