What data privacy issues exist around segment tagging?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When you tag someone as "health-conscious" or "high-income," you're doing more than organizing your list. You're making inferences about them, and those inferences are personal data under GDPR and similar laws. Even innocent-looking tags like "discount-seeker" or "at-risk" create data points that regulators care about.

The biggest risks: inferring sensitive categories (health, religion, politics, sexuality.even indirectly), not being transparent about why you're tagging people, keeping tags around longer than necessary, and not being able to explain or justify your categorization logic if someone asks to see their data.

Here's the real problem. Under GDPR, when a subscriber asks what personal data you hold about them, you have to disclose everything. That includes segment memberships and inferred tags. If you've tagged someone "complaint risk" or "low-value customer," you may need to explain that tag and justify why you made it. Build tags you'd feel confident showing someone. If a tag would be awkward to disclose, rethink whether you should create it at all.

Start with this: document why each tag exists and what lawful basis you're using. Understand what lawful basis means for your business. Review any tags that touch sensitive topics and make sure you're not inferring protected categories. Ask your team whether they'd defend each tag if a regulator asked.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a privacy audit for your tags.

I want to audit my segment tags for GDPR and privacy compliance. Help me determine which tags create legal risk: 1. What makes a tag legally problematic (sensitive inference, lack of basis, etc.) 2. Which of my current tags should I review or delete 3. How to document lawful basis for the tags I keep 4. What to do if a subscriber requests to see their segment data My details: - Jurisdiction(s): EU / US / global - Current segment tags: list a few examples - Lawful basis I'm using: consent / legitimate interest / other - Ever had a GDPR/data access request: yes / no - Compliance review done: yes / no / unsure

Edit the yellow boxes, then send to the AI of your choice.