1

Adapting to Digital Marketing Regulations: An Exploratory Analysis of the

GDPR and its Effects on Individualized, Behavior-Based Marketing
Techniques

Author: Nathaniel Sposit

Author Contact: nsposit@gmu.edu

Institutional Affiliation: George Mason University, School of Business

Copyright © 2018. All Rights Reserved.

Disclaimer: This article is solely intended for academic and informational purposes and should
not be interpreted as legal advice. For legal advice, please contact an attorney at law.

ABSTRACT

The General Data Protection Regulations of the GDPR on individualized, behavior-

(‘GDPR’) came into effect in May 2018.
While the legal environment of the GDPR
has been vastly analyzed, the legislation’s
impact on digital marketing has yet to be
explored. This article will explain the key
provisions of the GDPR, explain how
individual user data is used in contemporary
marketing techniques and explore the impact
based marketing – a marketing technique that
relies on the use of personal data and used as
a primary revenue source for companies such
as Facebook and Google.
Keywords: GDPR, digital marketing,
behavior-based marketing, legal and
regulatory updates

INTRODUCTION
The General Data Protection Regulations
(‘GDPR’), which was enacted by the
European Union (‘EU’) in May 2016,
officially became law in May 2018. The
GDPR sets out to improve upon the 1995
Data Protection Directive by addressing
contemporary technological concerns
regarding the use of personal identifying
information and by increasing transparency
among the Member States through uniform
regulation.1 While the legal environment of
the GDPR has been vastly explored with a
range of (controversial) viewpoints, the
legislation’s impact on specific business
operations has yet to be explored. This article
will explore the impact of the GDPR on
digital marketing practices, specifically
examining how the Regulations will impact
individualized, behavior-based marketing.
Individualized, behavior-based marketing
efficiently targets online consumers (‘users’)
by providing relevant advertisements based
on past behavior and predicted future
behavior. The behavior-based marketing
method relies on the collection and analysis
of individual consumer data to preset the user
with relevant content. While the GDPR sets
forth new rules and regulations regarding the
ways companies can use individual consumer
data, companies are not likely to return to
mass marketing segmentation, a marketing
technique that targets anonymized aggregates
based on similar interests and has been
proven to be less efficient than
individualized, behavior-based marketing.
This article has been divided into three
sections: the first section will give a general
overview of the GDPR, the second section
will explain how personal data is used in
digital marketing, and the third section will
explore the impacts of the GDPR on the
individualized, behavior-based marketing.
2
SECTION I: THE GENERAL DATA
PROTECTION REGULATIONS
What is the GDPR?
EU Regulation 2016/679, more commonly
known as the General Data Protection
Regulations (‘GDPR’), was signed into law
by the European Parliament, in collaboration
with the Council of the European Union, in
May of 2016.2 The primary objective of the
GDPR is to enact up-to-date rules for the
collection, analysis, storage and sharing of
Personal Information ('user data’). The EU
Commission hopes that the law will ‘increase
trust in the use of information services by EU
users, while protecting their fundamental
rights’ and privacy.3 The law officially
repeals the 1995 Data Protective Directive
(Directive 95/46/EC).4 In the EU, a directive
mandates that every Member State must
implement federal legislation meeting certain
minimum requirements; however, the
execution and enforcement of a directive may
very well differ between Member States.5 On
the other hand, since the GDPR is a
regulation, its execution and enforcement are
uniform among all of the Member States.6, 7
In fact, the GDPR’s jurisdiction extends
beyond companies located in the EU Member
States; it includes any company ‘established
outside the EU offering goods/services (paid
or for free) or monitoring the behavior of
individuals in the EU.’8 The GDPR also
applies to US-based businesses offering
services to customers located in the EU. US-
based companies need to be aware of these
regulations and implement appropriate
safeguards to comply with the European law.
What Are the Key Principles of the
GDPR?
To safeguard personal information,
specifically personal data collected on the

internet, the GDPR establishes several
fundamental rules that must be followed by
any entity engaged in the collection, analysis,
storage or sharing of personal information
relating to residents of the European Union.9
The first rule is that personal data is to be
processed in a ‘lawful and transparent
manner.’10 The principle of transparency
coincides with the concept of explicit
consent; the user must be able to reasonably
understand why their data is being collected,
what data is being collected, how their data
will be used and stored, and if their data will
be shared with a third party.11 When
consenting to the use of personal data, the
user must check a box that acknowledges
consent to a specified use. The consent box
may not be prechecked or implied. The
explicit consent rule applies to any collection
of personal data that can be ‘directly or
indirectly’ used to identify an individual; this
rule applies to the collection of emails as well
as IP addresses and cookies.12 The third
section of this article will outline use-cases
where explicit consent will need to be
obtained by digital marketing professionals.
Purpose Limitation and Data
Minimization
The second key rule of the GDPR states that
personal information can only be collected
and processed for a specific purpose and the
purpose must be stated at the time of the
collection.13 Additional consent is required
for any use of the data that exceeds the
limitations of the initial purpose.14 Directly
related to the ‘purpose limitation’ rule is the
‘data minimization’ rule which restricts the
amount of data that can be collected.15 The
collected data must be reasonably necessary
to fulfill the stated purpose. For example, if
the user is completing a contact form, the
stated purpose would be to reply to the user’s
contact request and address the user’s
comment, question or concern. The user’s
3
name, email address and phone number
would be reasonably necessary to fulfill the
stated purpose. The user’s hair color would
not fall under the reasonably necessary test
and would violate the data minimization rule
in most circumstances. Furthermore, the
user’s email address cannot be added to a
subscription mailing list unless additional
consent is obtained following the ‘purpose
limitation’ rule.
Information Accuracy, the Right to
Rectification, and the Right to Be
Forgotten
Businesses are required to make a reasonable
effort to ensure the data is accurate and up to
date. Accuracy, the fourth key rule of the
GPDR, is a principle that was carried over
from the 1995 Data Protection Act.16 Under
the new law, inaccurate information requires
rectification ‘without delay.’17 Reasonable
steps should be taken to correct inaccurate
information or delete the information if
rectification is not possible.18 Determining
which steps are ‘reasonable’ to ensure the
accuracy of information depends upon the
use of the information. For example, a
FinTech (financial technology) company
must follow certain Know Your Customer
(‘KYC’) guidelines to confirm the identity of
its users. A FinTech company has a greater
obligation to ensure accuracy than an online
gaming platform.
Under the GDPR, the user also reserves the
right to rectification or the right to have
inaccurate or misleading information
corrected.19 The accuracy principle is not
severable just because a user exercises the
right to rectification.
Closely related to the right of rectification is
the ‘right to be forgotten,’ a term coined by
the 2014 judgment by the European Court of
Justice.20 The court ruled in the case of

Google Spain v Mario Costeja González that
González had the right for inaccurate,
inadequate, irrelevant and excessive
information to be removed from the search
results.21 The GDPR codified the right to be
forgotten, allowing individuals to retract
consent just as easily as it was given as long
as the information is no longer needed for the
original purpose.22 For example, if the
original purpose was to keep and maintain a
user account on an e-commerce website and
the user consented to her or his address being
stored for shipping purposes, the address
should be deleted when the user closes the
account since it will no longer be used for the
original purpose. The GDPR mandates that
user data should be erased if 1) it is no longer
needed for the original purpose (as described
above), 2) the user retracts consent, and there
is no reasonable justification to store the data,
or 3) it is required to be erased by statutory
law or a court order.23 Failure to fulfill a
legitimate request for erasure could result in
severe penalties.
Storage Limitation
If a user’s data is no longer needed to fulfill
the original purpose for which it was
collected, the data must be erased or
anonymized under the ‘storage limitation’
principle.24 The objective of the GDPR’s fifth
key rule is to ensure that personal data is not
kept indefinitely. However, anonymized
data, or data that cannot directly or indirectly
identify an individual, may be stored without
limitations.25, 26 Anonymized data can be
used for ‘archiving purposes in the public
interest, scientific or historical research
purposes or statistical purposes.’27 The
GDPR also suggests that companies should
have a data storage limitation policy
integrated into their data use and privacy
policy to specify how long data should be
stored, what data should be anonymized and
how the anonymized data will be used.28 For
4
example, a user’s date of birth may be
collected and used for age verification. The
user decides to delete the account a few
months later. Per the storage limitation
principle and the company’s data use and
privacy policy, the user’s information should
be deleted after 30 days of the initial closing
of the account. The company allows users 30
days to change their mind and reactivate the
account. After 30 days, all of the user’s
personal information should be deleted, but
the user’s date of birth may be stored so that
the company can analyze aggregate user
behavior. The user’s date of birth will need to
be anonymized and can no longer be
connected to the user.
Confidentiality and Data Breaches
One fundamental difference between the
1995 Data Protection Directive and the
GDPR is the integration of cybersecurity and
data breach notification requirements. The
legislatures who drafted the 1995 Directive
had most likely never heard of cybersecurity,
nor imagined the possibility of mass data
breaches. However, the principle of
confidentiality is not a new concept. Article
5(1)(f) of the GPDR states that personal
information should be processed ‘in a manner
that ensures appropriate security of the
personal data, including protection against
unauthorized or unlawful processing and
accidental loss, destruction or damage, using
appropriate technical or organizational
measures.’29 Companies are required to set
up appropriate safeguards in order to protect
personal data from unauthorized access.
Companies need to be sure that both their
systems and any external data processors or
storage devices are equipped with the
appropriate level of security to reduce the risk
of a data breach. In the event of a data breach,
companies are required to report the data
breach to the appropriate data protection
agency with 24 hours.30 If the compromised

data can have a negative impact on an
individual, the individual must also be
notified.
SECTION II: CONSUMER DATA IN
DIGITAL MARKETING
What is Behavior-Based Marketing?
Behavior-based marketing is an
individualized approach to advertising where
the user’s past behavior and future predicted
behavior determines the current marketing
content displayed. Individual consumer data,
such as search history, preferences, and
demographics, are collected and analyzed in
order to present relevant and more efficient
advertisements to the consumer. The goal of
behavior-based marketing is to increased
sales and reduce marketing cost, thus
achieving an efficient economic system.
Mass Market Segmentation: An
Inefficient Predecessor
In the beginning years of the internet, mass
marketing segmentation was used to
determine which advertisements to display.
Like behavior-based marketing, mass
marketing segmentation relies on the use of
consumer data.31 However, mass marketing
segmentation uses aggregate consumer data
while behavior-based marketing concentrates
primarily on individual user data. Mass
marketing segmentation techniques aim to
discover previously unknown consumption
patterns by grouping consumers based on
similar characteristics.32 Using aggregate
data, mass marketing segmentation
techniques allow marketers to appeal to a
specific audience.
The development of interconnected
networks, including the internet, has
advanced the use of mass marketing
5
segmentation by making consumer data
instantaneously accessible. The
instantaneous access of data allows marketers
and, more recently, Artificial Intelligence to
make informed decisions based on the supply
and demand model. Advancements in
automated data mining techniques ‘help
uncover the hidden knowledge and
understand the customer better.’33 While
mass marketing segmentation itself has
become more efficient with the development
of new technologies, aggregate marketing as
a whole still is not the most effective
marketing strategy.
Mass marketing segmentation is inefficient
because it targets aggregates rather than the
individual customer. An article, written by
Shaw & al. in 2001, found that traditional
mass marketing segmentation techniques
result in reduced response rates and increased
costs.34 Poor response rates occur because
marketing professionals are assuming an
individual’s interests based on another
individual’s interests whom both share
similar characteristics. In order to increase
efficiency, marketers should predict an
individual’s needs and wants based on the
individual’s behavior. The use of aggregate
marketing methods should be strictly
complementary to individualized, behavior-
based marketing.
How Does Behavior-Based Marketing
Make Use of Personal Data
Websites begin to collect consumer data even
before the page has finished loading.
Websites capture information such as the
user’s IP address and stored cookies from the
user’s browser, and they receive information
such as tracking pixels from referring sites.
An IP address is the identity of a device at a
specific time and place and provides
information such as the user’s location. A
user’s IP address is considered personal

information under the GDPR because it can
be used to identify an individual indirectly.
Cookies are packets of data that are sent
initially from the website, stored in the user’s
browser and later retrieved from the browser
by the original website or by other websites.
Cookies indicate that the user has previously
visited the website and sends information
from previous visits back to the site. Tracking
pixels are a particular type of cookie that
allows user information to be sent between
websites. Tracking pixels allow websites to
share user behavior. In marketing, an e-
commerce site might share tracking pixels
with Facebook. If the user does not buy
anything within a session, then
advertisements containing the product will
appear the next time the user is on Facebook.
Cookies and Tracking Pixels
Cookies store personal user data and transmit
that data between the user’s browser and the
website. Cookies retain the user’s activities in
previous sessions and are used to retain
stateful data such as abandoned shopping
carts, form data, user preferences and login
status.35 Both aggregate marketing
segmentation and individualized behavior-
based marketing rely almost entirely on
cookies. Cookies share the user’s age,
gender, specific location, and interests.
Tracking pixels, a specific type of cookie,
share the user’s behavior from websites,
search engines, and social media. Tracking
pixels are used in retargeting and are based
entirely on the user’s past behavior. By
applying machine learning and artificial
intelligence to analyze a user’s past behavior,
prediction algorithms can gage a user’s future
behavior as well.
6
Using Cookies for Individualized,
Behavior-Based Marketing
Amazon Inc. is a prime example of a
company using individualized, behavior-
based marketing techniques. In 2017,
Amazon’s global online marketplace revenue
was 108.5 billion US dollars; this does not
include revenue from Amazon Web Services,
Amazon Prime Subscriptions, and other
miscellaneous services.36 Amazon captures
and processes cookies that store a user’s
search engine history and website behavior.
For example, if a user searches for ‘Wireless
Headphones’ on Google that search is stored
in a cookie. Amazon uses the information in
the cookie to display an array of wireless
headphones both on Amazon’s website and
on other websites through retargeting
advertisements.
Individually-tailored behavior-based
advertisements are more effective than
promoting to an aggregate marketing
segment. Amazon would rather spend
resources promoting headphones to the
individual that is actively searching for
headphones instead of putting up a billboard
near a high school full of students that may or
may not need new headphones. The goal is to
capture prospects and turn them into
customers.37 The best way to identify a
prospect is by targeting users who are
actively searching for a product. For
example, a shoe retailer would be better off
starting a conversation with an individual
who is looking through the window at the
shoe store than the individual looking at cars
at the nearby car dealership. The individual
looking in the window of the shoe store is a
prospect and has the potential to become a
customer while the individual who is looking
at new cars most likely has no interest in
buying new shoes at the given moment.

SECTION III: INDIVIDUALIZED
MARKETING AND THE GDPR
The collection, analysis, storage and sharing
of personal user data is undoubtedly
necessary for one-on-one behavior-based
marketing and an essential aspect of
contemporary digital marketing techniques.
The GDPR mandates how businesses
operating in the European Union can collect,
analyze, store and share personal data of EU
residents. In the era of globalization, almost
every business is affected by the provisions
of the Regulations. Even the local American
Mom-and-Pop shop who just launched their
first website will need to comply with the
GDPR.
How Will the GDPR Affect the Use of
Cookies?
The GDPR requires that business obtain
explicit consent before the collection,
analysis, storage or sharing of personal data
that can directly or indirectly identify an
individual. The use of cookies requires
explicit consent because they contain specific
data about an individual. An article published
in the Harvard Business Review predicts that
individually-tailored, behavior-based
advertising will significantly decrease due to
increased personal data protection
38
regulations. The article, written before the
GDPR became law, suggests that behavior-
based marketing will be replaced by
contextual advertising, advertisements based
on the aggregate interests of the content
viewers (similar to mass marketing
segmentation).39 For example, if a blog
article is about blockchain technology, the
advertisements may be for cryptocurrencies
because data suggests that the majority of
individuals interested in blockchain
technology are also interested in purchasing
cryptocurrencies. Despite the article’s
prediction that individualized behavior-based
7
marketing will decrease with the
implementation of the GDPR, it has not
stopped businesses from using cookies to
market to individual customers effectively.
Although the actual economic impacts of the
GDPR are unknown, companies have
adopted new data privacy policies in order to
comply with the Regulations and continue
the use of cookie-based advertising. Amazon
Inc. saw an increase in global online
marketplace revenue from Q1 2018 to Q2
2018.40 The GDPR took effect in the middle
of Q2 2018; therefore, further economic
analysis should be conducted after the
earnings from Q2 2019 have been released.
The economic performance of companies
operating both in and outside of the EU
should also be assessed. However, it is
unlikely that companies will stop using
cookies or collecting other personal
information to be used for marketing
purposes.
To solve the disparity between stricter data
protection laws and the demand to use
personal data for individualized marketing,
businesses are requiring that users accept
their new data privacy policy in order to
continue using online services. Users both in
the EU and the US have become accustomed
to a popup that asks for ‘explicitly consent’
to the use of cookies and other personal data.
These popups usually say something along
the lines of “this site uses cookies and uses
other personal user data according to our data
privacy policy…click ‘accept’ to continue to
use this site or read our privacy policy for
more information.”
Additional Applications of the Regulations
Google Analytics is an essential tool for
marketing professionals; it allows businesses
to know who is viewing their content, how
users are viewing their content and the

demographics of the users. However, under
the GDPR, it is possible to identify an
individual using Google Analytics indirectly.
Thus, it is necessary to obtain explicit
consent before collecting user data. There is
also an option to anonymize user data before
it is processed by Google Analytics which
would comply with the GDPR.
Email marketing is another technique used by
marketing professionals to reach an audience
of prospects and customers. Emails often
include the user’s name as a psychological
marketing technique and display relevant
content based on the user’s interests.
Businesses are required to gain explicit
consent before collecting email addresses,
names and other personal information and
must also provide a way for users to
unsubscribe.
Retraction of Consent
Users also have the right to retract consent of
the use of personal data. The GDPR
mandates that personal data must be deleted
or anonymized upon the request of the user.41
The user should be able to retract consent as
easy as it is given. Businesses should provide
an ‘opt-out’ procedure in their data privacy
policy. Typically, users can request their data
to be deleted either in their account settings
or by emailing customer support. Businesses
who fail to respond to a request for erasure
can face a fine up to ‘500,000 euros, or in the
case of an enterprise up to 1% of its annual
worldwide turnover.’42 Therefore, it is in the
company’s best interest to install an
automated and systematic procedure for
responding to requests for erasure.
CONCLUSION
Although the General Data Protection
Regulations were signed into law by the
European Parliament, the Regulations affect
8
businesses in the United States and the other
countries around the world. More
specifically, the GDPR has significant
implications on individualized, behavior-
based marketing techniques that depend upon
the collection of personal data stored in
cookies. Companies can either return to
ineffective mass marketing segmentation
techniques or adopt specific GDPR
compliance procedures and continue the use
of behavior-based marketing. In order to
maintain a competitive advantage and
comply with the GDPR, companies will need
to obtain explicit consent to use cookies and
other personal data for marketing purposes.
Although the exact economic impacts of the
GDPR are unknown, businesses will
ultimately adapt to the regulations and
continue to utilize cookies and personal
information in behavior-based marketing.
Disclaimer: This article is solely intended for
academic and informational purposes and should
not be interpreted as legal advice. For legal
advice, please contact an attorney at law.
(1-2) European Commission. Data Protection: Rules for the
protection of personal data inside and outside the EU.
Available from https://ec.europa.eu/info/law/law-topic/data-
protection/ [Accessed 31st July 2018]. (3) Voss, W. G.
Preparing for the Proposed EU General Data Protection
Regulation: With or without Amendments. Business Law
Today. 2012: 1-5. (4) European Commission. Data
Protection: Rules for the protection of personal data inside
and outside the EU. Available from https://ec.europa.eu
/info/law/law-topic/data-protection/ [Accessed 31st July
2018]. (5-6) Burri, M., & Schär, R. The Reform of the EU
Data Protection Framework: Outlining Key Changes and
Assessing Their Fitness for a Data-Driven
Economy. Journal of Information Policy. 2016;6: 479-511.
(7-9) European Commission. Data Protection: Rules for the
protection of personal data inside and outside the EU.
Available from https://ec.europa.eu/info/law/law-topic/data-
protection/ [Accessed 31st July 2018]. (10) General Data
Protection Regulations, Regulation (EU) 2016/679. The
European Parliament and of The Council. (11-12) Liss, D.
How GDPR Impacts Marketers: What You Need to Know.
Available from https://www.socialmediaexaminer.com
/how-gdpr-impacts-marketers/ [Accessed 31st July 2018].
(13-15) European Commission. Data Protection: Rules for
the protection of personal data inside and outside the EU.
Available from https://ec.europa.eu/info/law/law-topic/data-
protection/ [Accessed 31st July 2018]. (16) Information
Commissioner's Office. Principle (d): Accuracy. Available

from https://ico.org.uk/for-organisations /guide-to-the-
general-data-protection-regulation-
gdpr/principles/accuracy/ [Accessed 31st July 2018]. (17)
General Data Protection Regulations, Regulation (EU)
2016/679. The European Parliament and of The Council.
(18) European Commission. Data Protection: Rules for the
protection of personal data inside and outside the EU.
Available from https://ec.europa.eu/info/law/law-topic/data-
protection/ [Accessed 31st July 2018]. (19) Information
Commissioner's Office. Principle (d): Accuracy. Available
from https://ico.org.uk /for-organisations/guide-to-the-
general-data-protection-regulation-gdpr/principles
/accuracy/ [Accessed 31st July 2018]. (20-22) Information
Commissioner. Factsheet on the "right to be forgotten"
ruling. Available from https://www.inforights.im
/media/1186/cl_eu_commission_factsheet_right_to_ be-
forgotten.pdf [Accessed 31st July 2018]. (23-24) European
Commission. Data Protection: Rules for the protection of
personal data inside and outside the EU. Available from
https://ec.europa.eu/info/law/law-topic/data-protection/
[Accessed 31st July 2018]. (25) Information Commissioner's
Office. Principle (e): Storage limitation. Available from
https://ico.org.uk/for-organisations/guide-to-the-general-
data-protection-regulation-gdpr/principles/storage-
limitation/ [Accessed 31st July 2018]. (26-27) General Data
Protection Regulations, Regulation (EU) 2016/679 Article
5(1)(e). The European Parliament and of The Council. (28)
Information Commissioner's Office. Principle (e): Storage
limitation. Available from https://ico.org.uk /for-
organisations/guide-to-the-general-data-protection-
regulation-gdpr/principles/storage-limitation/ [Accessed
31st July 2018]. (29) General Data Protection Regulations,
Regulation (EU) 2016/679 Article 5(1)(f). The European
Parliament and of The Council. (30) Voss, W. G. Preparing
9
for the Proposed EU General Data Protection Regulation:
With or without Amendments. Business Law Today. 2012:
1-5. (31) Pridmore, J., & Hämäläinen, L. E. (2017). Market
Segmentation in (In)Action: Marketing and 'Yet to Be
Installed' Role of Big and Social Media Data. Historical
Social Research. 2017;42(1): 103-122. (32) Pridmore, J., &
Hämäläinen, L. E. (2017). Market Segmentation in
(In)Action: Marketing and 'Yet to Be Installed' Role of Big
and Social Media Data. Historical Social Research.
2017;42(1): 103-122. (33-34) Shaw, M. J., Subramaniam,
C., Tan, G., & Welge, M. E. Knowledge management and
data mining for marketing. Decision Support Systems.
2001;31: 127-137. (35) Kristol, D. M. HTTP Cookies:
standards, privacy, and politics. ACM Transactions on
Internet Technology. 2001;1(2): 151-198. (36) Statista.
Amazon: Global net revenue by segment 2016. Available
from https://www.statista.com/statistics/672747/amazons-
consolidated-net-revenue-by-segment/ [Accessed 31st July
2018]. (37) Linoff, G. S., & Berry, M. J. Data mining
techniques: For marketing, sales, and customer relationship
management. Wiley; 2011. (38-39) Ghosh, D. How GDPR
Will Transform Digital Marketing. Available from
https://hbr.org/2018/05/how-gdpr-will-transform-digital-
marketing [Accessed 31st July 2018]. (40) Statista. Amazon:
Global net revenue by segment 2016. Available from
https://www.statista.com/statistics/672747/amazons-
consolidated-net-revenue-by-segment/ [Accessed 31st July
2018]. (41) European Commission. Data Protection: Rules
for the protection of personal data inside and outside the EU.
Available from https://ec.europa.eu/info/law/law-topic/data-
protection/ [Accessed 31st July 2018]. (42) Victor, J. M. The
EU General Data Protection Regulation: Toward a Property
Regime for Protecting Data Privacy. The Yale Law Journal.
2013;123(2): 513-528.