9/27/2018 Project Proposal Impact of GDPR on personalized marketing Lijuan Tang 111353312 Problem ————————————————— 1 Background ———————————————- 2 – What is the GDPR

April 18, 2019 Critical Thinking

9/27/2018

Project Proposal
Impact of GDPR on personalized marketing
Lijuan Tang
111353312
Problem ————————————————— 1

Background ———————————————- 2
– What is the GDPR?
– What it the personalized marketing?
– Technology

Methodology ——————————————— 4

1
Impact of GDPR on personalized marketing

Problem
Under GDPR, consumer now have more control over their data. Without consent from
customer, company couldn’t track or store customers’ data. What’s more, customers have right
to have their data deleted. However, data is like the fuel that powers the modern marketing
machine. And Personalized marketing is one marketing strategy that really rely on it. One
survey conducted among UK users and shows that 34% of UK users said they will exercise their
right to be forgotten once GDPR come into force. GDPR leads to data shrink for most company
and a lot of digital marketers and professionals said GDPR has a significance impact on
personalized marketing. However, it’s still hard to say GDPR is good or bad to digital marketing.
The effect might be positive or negative and companies need to find solutions to either leverage
this opportunity or address the problem.
Background
What is the GDPR?
GDPR stands for General Data Protection Regulation. It’s one set of data protection rules
for all companies operating in the EU, wherever they are based. The EU General Data Protection
Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. And It was enforced
on 25 May 2018. The GDPR primarily aims to give more control and rights (See appendix 1) to
individuals over their personal data. One feature of GDPR is extraterritorial applicability. GDPR
applies to all companies processing the personal data of data subjects residing in the Union,
regardless of the company’s location. For instance, if a US company provides product or service
to the people in Union, this company must comply with the regulation. Another important feature

2
of GDPR is consent. Before GDPR, most company considered their users implied consent that
company is able to gather, store, analyze their data. The GDPR redefines consent as “any freely
given, specific, informed and unambiguous indication of the data subject’s wishes by which he
or she, by a statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her.” Company must get consent from customer, only then can
company collect, store, process and analyze their data. Besides, organization in breach of GDPR
can be fined up to 4% of annual global turnover or €20 million.
GDPR set a new strongest rule about data privacy worldwide. Some company like Los
Angles Time decided to block EU users from their content entirely. However, it’s not a long-
term solution. Although some company outside the Union don’t need to comply with the GDPR,
they still need to think about what they could to prepare for the future possible enforced data
privacy regulation in their own country.
What is the personalized marketing?
Personalized marketing is a marketing strategy by which companies leverage data
analysis and digital technology to deliver individualized messages and product offerings to
current or prospective customers. In order for personalized marketing to be successful, a
company must be able to obtain as much personal information about a current or prospective
customer as possible. Let’s look at a daily
experience for example. I have an account at
Bloomindales.com and today I added a sports
legging in the cart but didn’t check out. And then I
closed the browser. 10 minutes later, I received an
email from bloomgdales.com and this email reminds
Source: Amazon

3
me that I forget to complete my purchase. Another example is when your open the Amazon
website, you may see a “recommendation for you” section. Amazon based your data like
purchase history and your search query, they could recommend some related products to you.
Generally speaking, it’s not a coincidence that you see some ads in your browser, email and
social media platforms. Those ads are tailor to you. Marketing platform like Google Ads,
Facebook Ads could generate a target audience list for clients based on users’ address, IP,
interest, gender, and deliver the individualized message.
Technology
A survey shows the leading digital marketing personalization technologies used by large
companies worldwide as of May 2016. According to the data, 71 percent of responding
organizations used web analytics software for
personalization purposes.
Currently, the popular web analytics
software are Google Analytics and Adobe
Analytics. Normally, web analytics software like
Google Analytics will provide a tracking code to
Source: Google Source: Facebook

4
their clients, company just need to install it into their pages. Company could use advanced
Google Analytics collection and tracking features through cookies that collect personal data from
website visitors. However, right now consent is an important feature of GDPR and cookie
consent is one part of it. cookie consent refers to getting permission from website visitors to
collect personal data. After receiving the consent from users, Google Analytics is able to gather
the demographics data, interests, behavior data and etc.

Methodology
Descriptive Research
Descriptive research is often described as studies that are concerned with finding out
“what is”. Since this project discusses about what’s the impact of GDPR on personalized
marketing and the nature of this project is descriptive, descriptive research will be the primary
method for it. The data collected from descriptive research may be quantitative, qualitative or
both. Quantified information could help us better understand the impacts and support it.
However, because of the lack of enough data, I can’t verify the conclusion statistically and It
may reflect certain level of bias.
Source: Google

5
Data Source
This project discusses the problem for the entire industry, due to the time and other
limitations, primary data is unavailable. Thus, I will use secondary data as the data sources for
this project. Secondary data represents public or existing information collected by others. I will
collect the related data and information from government statistics, industry report or other
related reports. Because the feature of secondary data, it’s hard to find lots of data specific to this
topic, I will combine different information and interpret it, try to get some insights from them.

6
Appendix 1 – Data subject rights
The right to access –this means that individuals have the right to request access to their personal
data and to ask how their data is used by the company after it has been gathered. The company
must provide a copy of the personal data, free of charge and in electronic format if requested.
The right to be forgotten – if consumers are no longer customers, or if they withdraw their
consent from a company to use their personal data, then they have the right to have their data
deleted.
The right to data portability – Individuals have a right to transfer their data from one service
provider to another. And it must happen in a commonly used and machine-readable format.
The right to be informed – this covers any gathering of data by companies, and individuals
must be informed before data is gathered. Consumers have to opt in for their data to be gathered,
and consent must be freely given rather than implied.
The right to have information corrected – this ensures that individuals can have their data
updated if it is out of date or incomplete or incorrect.
The right to restrict processing – Individuals can request that their data is not used for
processing. Their record can remain in place, but not be used.
The right to object – this includes the right of individuals to stop the processing of their data for
direct marketing. There are no exemptions to this rule, and any processing must stop as soon as
the request is received. In addition, this right must be made clear to individuals at the very start
of any communication.
The right to be notified – If there has been a data breach which compromises an individual’s
personal data, the individual has a right to be informed within 72 hours of first having become
aware of the breach.