What’s the difference between personalization and profiling under GDPR?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You're adding "recommended products" to your emails based on past purchases and browsing behavior. Your legal team flags it as potentially "profiling." You thought you were just personalizing. Who's right? Under GDPR, the answer depends on what the data is being used to decide.

Personalization means using subscriber data to tailor content: showing a product someone bought before, addressing them by name, sending a birthday discount. You're not drawing inferences about their character or making decisions that affect what they can access. Profiling, as GDPR defines it, means using data to make automated inferences about a person's behavior, preferences, or characteristics, especially when those inferences drive decisions that have real effects. Recommending a product based on browsing history sits in a gray zone. Running a suppression algorithm that infers someone is financially distressed and removes them from premium offers is firmly in profiling territory.

The legal significance of that distinction shows up in GDPR Article 22, which gives people the right not to be subject to solely automated decision-making that produces significant legal or similarly significant effects. For most email programs, you're not in that territory: no one's access to services is being cut off based on their click rate. But the regulation does require you to be able to explain the logic behind decisions that determine what subscribers see and whether they receive certain content. If you can't describe your segmentation logic in plain language, that's a signal it might be closer to profiling than you realized. The practical gap usually surfaces when teams audit their privacy policy language against what the technical implementation is actually doing.

If you're building segments on inferred signals (predicted churn likelihood, inferred life stage, behavioral scoring), your privacy policy needs to describe that use, and subscribers should have explicitly consented to it. Generic "marketing communications" consent doesn't cover building predictive models about individuals. The clearest path is specificity at the point of collection: tell people what signals you're collecting and how they'll influence what you send. Then keep your consent documentation updated as your technical approach evolves. Auditing the gap between your privacy disclosures and your actual segmentation logic is the first concrete step, and it's one most programs are overdue for.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me audit my personalization vs profiling approach

I just read about the difference between personalization and profiling under GDPR on the Email Almanac. Help me apply this to my situation. I need to: - List every signal my ESP or CRM uses to personalize email content or decide who receives what - Identify which of those signals constitute inferences about subscribers (vs direct stated or behavioral data) - Check whether my privacy policy discloses the inferences I'm actually making - Determine whether my current consent language covers predictive or behavioral segmentation My details (fill in what applies): - Email platform: ... - Personalization signals I currently use: ... - Whether I use predictive scoring or behavioral inference: ... - Where subscribers are based (EU, UK, US, mixed): ...

Edit the yellow boxes, then send to the AI of your choice.