The UK's data watchdog had asked for feedback on profiling, and the main thrust of the DMA's submission s that the ICO should apply a light touch when interpreting the profiling sections of the GDPR.
However, it's very difficult to see how marketers are going to be able to justify examining data and putting customers in refined subsections without some form of consent.
Last Friday's response from the DMA pointed out, quite rightly, that consent is not the only basis upon which a company can store and interpret customer data. The alternatives it gives to consent, however, look so defined that it would be difficult to imagine they would have mass-market use. Fulfilling a contract better is one alternative, and combating fraud is another. Both might lend themselves well in financial services, but outside, not so much.
The DMA has been very keen to point out to its members and to the ICO that consent is not everything. Its previous response to guidance and requests for opinion pointed out that there are legitimate ways to store and act on data without consent, such as the necessity to provide a better service.
However, when it comes to profiling -- and I'm reading between the lines here -- the DMA isn't making a major case for an alternative to consent. In fact, it acknowledges that profiling without a person's knowledge can be detrimental. It even cites the cases of charities that were fined by the ICO for taking personal data and "wealth screening" it without their knowledge.
So I have read through the response a couple of times, and don't get me wrong -- it's a very robust message to the ICO and should not hamper marketers as they seek to refine data sets so they can better target audiences. It's presented, rightly, as a classic win-win. Marketers will achieve improved performance with less waste, and consumers will get better offers.
But with the whole consent issue, it is hard to see how any of this can be done without explicit permissions. Storing data is one thing -- it might be a case of you having to have someone's email address to provide them with a service -- but to match this email address to other behaviours and put that person in a demographic box, further refined by location, income and interests? That, to me, must be done with consent. Certainly, the couple of cases where the DMA believes consent may not apply are pretty much limited to preventing fraud and improving a financial service.
So in case you were thinking consent may not be the only way to operate an email marketing campaign after GDPR fines come in to place in May 2018, you may need to think again. If you want to avoid annoying customers with messages that don't apply to them and would prefer instead to target campaigns that resonate better and encourage people to remain on your lists, then you're going to need to profile customers.
it's hard to see how that can be done without consent and so sign up tick boxes will have to make it very clear that you match offers to the people who would be most receptive. A lawyer can help you find the right words but it's hard to see how you can profile people without acknowledging it upfront, and requesting approval, when they sign up for a list. It can be positively spun, don't get me wrong, to "tick here and we'll send you the offers we think you'll find the most tempting." Without that permission, it is difficult to see how email campaigns can go on being targeted.