Interviews, insight & analysis on digital media & marketing

Balancing the conflict between privacy and personalisation

By Anne-Claire Bellec, CMO, Kameleoon

Brands currently face a conflict when it comes to customer data and how they use it. Consumers want a personalised experience that provides them with the information, products and services that best meet their needs, yet, they want to protect their personal data – the very same data that could be used to tailor the experience to match their requirements.

At the same time regulations, such as GDPR and CCPA, are tightening how brands can collect and use personal data, with the emphasis shifting to consent. So how do we find a middle ground that can reconcile these two competing aims?

Perhaps the first thing to note is that 73% of consumers now expect some level of personalisation, albeit with controls over how their data is used and protected when interacting with brands. Among the benefits cited in studies are receiving more relevant information quickly, being provided with better, more targeted offers and increasingly importantly getting to the right content easily on smaller screen devices.

GDPR, CCPA, ITP and an increased focus on cookies

Regulations, such as GDPR and CCPA, are tightening how brands collect and use personal data. These regulations have also helped to heighten consumer knowledge around how their personal data is collected, stored and used by brands. It means that the emphasis generally is now shifting to informed consent.

However, as if regulatory action were not enough, the tech companies – most notably Apple and Google, are also taking action to protect privacy. Apple Intelligent Tracking Prevention (ITP) sits within the Safari browser and has the effect of limiting cookies to a seven-day lifespan. This has already impacted the reliability of A/B testing results since visitors are regarded as ‘new’ if they return to a site after seven days, meaning they potentially see different experiments and variations. Similar action taken by Google Chrome will take effect from 2022 with third party cookies banned.

Two approaches to dealing with the conflict

The first approach to dealing with the new regulatory environment is via flexible consent management and ensuring organisations use the right policies for different audiences and activities. Under GDPR, A/B testing consent is classed within the ‘audience and statistics measurement’ category of cookies, which means that in many countries (such as France) it does not require informed consent.

Personalisation sits under the ‘advertising and content’ personalisation category. This does require informed consent – normally through the pop-in that appears when a consumer visits a site for the first time. This means that an experimentation platform has to offer different consent management policies depending on the use cases that need to be delivered on the website, namely: technical ones (no consent required) A/B testing (inform through a banner or ask for explicit consent depending on the country) and personalisation (ask for explicit, informed consent).

A Consent Management Platform helps put these regulatory requirements into practice and can remove the fear that digital marketing and user experience might be negatively impacted by these regulations. In fact, if asking for consent is done correctly, organisations will not be adversely affected at all.

‘Hot’ data can be more useful

The second approach revolves around the fact that some of the more useful data to a marketer is not governed by GDPR (or any other legislation) at all. ‘Hot’ data is anonymised browsing data which does not allow a visitor to be identified. It includes visitor behaviour on a website, along with information on the visitor’s device, location or browser and contextual information which can influence a purchasing decision based on the user’s location such as weather, season or time of day.

Using hot behavioural data can be more effective than using stored information since it delivers a real-time picture of what a visitor is looking for, and their intent at that exact moment. It is therefore central to delivering the personalisation that visitors want – while safeguarding their anonymity. Showing its power, it can be possible to predict the conversion intent of completely new visitors within 15 seconds of them arriving on a website.


In conclusion, all is not lost for the marketer. Legislation such as GDPR provides a level of safeguarding for consumers which means that they have a degree of reassurance that the brands they do choose to engage with are mandated to look after their data. This can help engender trust while delivering personalisation that works for both parties by improving their user experience. And as we have seen, some of the more useful information to a marketer is not governed by legislation at all and needs to be acted on quickly and in real-time to maximise the chance of conversions.