Do privacy laws forbid personalization?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Privacy laws don't ban personalization. They tell you how to do it without getting fined. GDPR, CCPA, CASL, and the rest assume you will use names, behavior data, and preferences. They just want you to have a reason, tell people what you're doing, and let them out.
Under GDPR, the rule is lawful basis. Article 6 lists six of them, and for marketing personalization you're realistically using one of two: consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)). If someone ticked an unticked box at signup that said "send me product recommendations based on what I browse," you have consent. Document it. Date, source, IP, exact wording. If you can't produce that record, you don't have consent, you have a hope. The full text is here: GDPR Article 6.
Legitimate interest is the path most e-commerce brands actually use for things like "customers who bought X also bought Y." You need a documented Legitimate Interests Assessment (LIA) showing the personalization is genuinely useful to the recipient, not just to you, and that it's not creepy or excessive. Recommending a refill of the coffee they bought four weeks ago: fine. Building a psychographic profile to predict when they're emotionally vulnerable to a discount: not fine.
The part people get scared of is Article 22, which covers automated decision-making and profiling that produces "legal or similarly significant effects." That's credit scoring, insurance pricing, job application filtering. Sending someone a different subject line because they opened your last three emails is not that. The ICO has been clear on the distinction in their guidance on automated decision-making.
What actually trips people up in audits is not the personalization itself. It's three boring things:
- No record of consent. You imported a list from a previous tool and lost the timestamps. Now you can't prove anyone agreed to anything. This is the same problem covered in do purchased lists ever work, and the answer is the same: no provable consent, no send.
- A privacy policy that doesn't mention what you're doing. If you segment by purchase history, your policy needs to say you segment by purchase history. Vague "we may use your data to improve our service" language doesn't cover it.
- No easy way to opt out of the personalization specifically. A global unsubscribe is required by CAN-SPAM and CASL. GDPR also expects granular control where it makes sense. "Stop tracking my behavior but keep sending me the newsletter" should be a real option if you're doing behavioral targeting.
The stuff that's safe by default: first name in the subject line, product recommendations from declared preferences, location-based store info when the user gave you their postcode, re-engagement flows for people who haven't opened in 90 days. None of that requires explicit Article 22 consent. It's all standard practice with a documented lawful basis.
The stuff that needs explicit, unambiguous, opt-in consent: combining email behavior with third-party data brokers, inferring health or political views from click patterns, sharing behavioral data with advertising partners outside your processor agreements. If you're doing any of those, talk to a lawyer, not me.
The practical version: if a regulator showed up tomorrow, could you hand them (a) where this person consented, (b) what they consented to, and (c) the privacy policy that was live on that date? If yes, your personalization is fine. If no, the personalization isn't your problem. Your record-keeping is.
This is also why we tell people to stop worrying about whether subject-line personalization itself is risky. It isn't. The real deliverability risks live elsewhere, like the ones covered in can I guarantee inbox placement and is deliverability luck or logic.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.