What’s the difference between personalization and profiling under GDPR?

Under GDPR, personalization and profiling are related but legally distinct concepts. The distinction matters because profiling triggers additional compliance requirements and subscriber rights.

Personalization typically uses stated preferences and explicit data to customize content. When a subscriber tells you their interests through a preference center and you send matching content, that's personalization based on direct input.

Profiling involves automated processing of personal data to evaluate, analyze, or predict characteristics like behavior, preferences, economic situation, or reliability. When you infer that a subscriber is price sensitive based on browsing patterns, or predict their likelihood to churn based on engagement history, that's profiling.

GDPR grants subscribers specific rights around profiling, including the right to know that profiling occurs, the right to object, and protection against decisions based solely on automated profiling that significantly affect them.

Disclose profiling activities in your privacy policy. Explain what data is used, how inferences are made, and what rights subscribers have. If profiling produces legal or similarly significant effects, additional safeguards apply.

Personalization responds to what someone tells you. Profiling guesses what they haven't said. Both can serve subscribers, but profiling requires more care.