For most companies, data-driven target group analyses and customer segmentation are part of the “ABC” of the customer-centric orientation of their products and advertising. A recent fining decision by the Lower Saxony data protection authority highlights the considerable data protection risks associated with such data processing in Germany. Find out here what exactly your fine risks could be.
What is at stake?
On July 28, 2022, the data protection authority of Lower Saxony announced in a press release that it had imposed a fine of EUR 900,000.00 on a credit institution. Apparently, this decision has received little attention so far. This is quite surprising, given the fact that the Lower Saxony supervisory authority imposed this fine for data processing, which is a widespread practice of marketing departments, advertising agencies, and business consultants and appears perfectly legitimate from a business perspective.
The credit institution had analyzed the digital usage behavior of its existing customers to assess which of its customers are “online-savvy” and should therefore be served and advertised primarily via electronic channels in the future. To this end, it evaluated, among other things, the total volume of purchases in app stores, the frequency of use of account statement printers, and the total amount of transfers in online banking compared with the use of analog branch services. In addition, the results of the analysis were “compared with data of a credit agency and enriched from there”.
Even though the authority’s fining decision may have depended on details that cannot be inferred from the press release, it ultimately describes common methods of target group analysis and customer segmentation for customer-centric marketing. It is crucial for the economic success of a company to align its products and marketing measures with the needs of its customers. However, companies – especially in the online sector – today reach an increasingly large number of heterogeneous users and the individual needs of these customers can vary greatly. There is therefore a great need to identify distinguishing characteristics of customers and then form specific customer segments characterized by common features. However, the mere identification of a characteristic by which customers can be clustered says nothing about its relevance for marketing. That’s why companies and their marketing consultants are increasingly using data-driven analytics (e.g., an RFM analysis or ML-based scores) and third-party statistical data and scores. This enables them to improve their customer segmentation and targeting through insights from market research as well as a better understanding of individual customers. In the context of data protection law, this is referred to as the creation and enrichment of customer profiles and so-called profiling. Art. 4(4) GDPR defines profiling as “any automated processing of personal data consisting of the use of personal data to evaluate, (…) analyze or predict certain personal aspects relating to a natural person”.
What is the legal situation?
Profiling is by no means prohibited under the GDPR – on the contrary. Article 21 (1) and (2) of the GDPR gives the data subject the right to object to profiling (“opt-out”) and thus presupposes that profiling is legally permissible even without the prior consent of the data subject, namely based on legitimate interests of the controller (Article 6 (1) sentence 1 letter f of the GDPR). What is controversial, however, is at what extent of profiling the rights and fundamental freedoms of the data subjects outweigh the legitimate interest of the company, so that prior consent of the data subject within the meaning of Articles 6 (1) sentence 1 letter a and 7 of the GDPR (“opt-in”) is required. The German data protection authorities, in particular, take a decidedly restrictive view of this – for example, in the Guidelines on Direct Marketing from February 2022. According to these, profiling should generally always require the customer’s consent if it is associated with
- behavioral predictions or analyses that lead to additional insights
- or automated selection procedures for the creation of detailed profiles
- or the creation of a profile using external data sources (e.g., information from social networks) for direct marketing purposes (advertising scores).
These criteria are decidedly vague and of little practical use. Profiling that does not lead to any additional insights is pointless, and automated selection procedures are ultimately inherent in such data processing within the meaning of Article 4(4) of the GDPR. The often decisive question as to when exactly a customer profile is “detailed” is in turn associated with considerable legal uncertainty. For instance, the mere addition of the characteristic of online affinity to a customer profile should not in itself lead to the assumption that it is a detailed profile. In its press release, however, the authority in Lower Saxony focuses on the fact that “large data sets were evaluated”.
Finally, contrary to the view of the Lower Saxony authority, profiling should not be subject to consent simply because “external data sources are used”. This criterion is not found in the relevant guidelines of the European Art. 29 Data Protection Working Party. And in the case of the use of third-party advertising scores, a distinction should at least be made as to the extent to which these are based on real data from the data subject or the mere statistical evaluation of aggregated data (i.e., mere market research knowledge).
The data protection limits of profiling without the consent of the data subject are therefore anything but clear-cut. In this respect, it is quite surprising that the Lower Saxony authority has imposed such a severe fine. In the end, these legal issues will have to be decided by the European Court of Justice – but unfortunately, in this specific case, it is not expected that the fined credit institution will challenge this administrative act in court.
What is the practical problem?
Now, one might think that the problem could be easily solved by the company obtaining prior consent from the data subjects – as recommended by the data protection authorities. However, this encounters considerable difficulties in practice.
A statistically significant identification of target groups and customer segments requires a comparatively large number of customer data records, and building up such databases is a lengthy process. The company may attempt to ask existing customers for consent after the fact, long after their data has been collected, but before profiling begins. But experience shows that the willingness to provide such consent is significantly lower among existing customers than among new customers. This is probably not so much because the data subjects object to the data processing – in practice, opt-outs by the data subjects are just as rare as subsequent opt-ins – but rather because they regularly rate their individual benefit as too low to make the effort.
But even when setting up new databases based on the consent of new customers, one quickly encounters legal as well as factual difficulties. Effective consent under the GDPR requires that the data subject declares it in an informed manner for a specific case. This presents companies with the challenge of transparently informing the data subject, at the time consent is obtained, about future data processing whose details often cannot yet be determined at that time. For example, the question of which (currently or in the future) available method of customer segmentation makes sense for the company depends largely on how many data subjects will actually consent. It is also unclear in this context whether the data protection authorities require that the specific external third parties whose data could be used in the future be named as part of such consent.
What should companies be advised to do?
Ideally, companies should understand data-driven target group analyses and customer segmentations as strategic projects that must be planned and thought through long in advance, also in terms of data protection law. Profiling based on a legitimate interest in direct marketing can certainly be justified based on the opinions of the Art. 29 Group, but it is associated with more or less major risks due to the restrictive view of the German supervisory authorities. Companies wishing to avoid this risk are forced to anticipate as early as possible the future data processing associated with such profiling to obtain effective consent from the data subjects and to build up the necessary data inventory.
In any case, against the background of the fining decision from Lower Saxony, companies are well advised to subject target group analyses and customer segmentations that are already being practiced or planned for the future to a more detailed examination under data protection law. Caution is also advisable here because such services are typically offered to a company by external agencies or management consultants, who, however, regularly act as mere data processors and in this respect pass on their liability under data protection law to the company as the data controller.