How Recommendation Systems Comply with Privacy Regulations

Gabriella Vas
14 min read | September 21, 2021

User data is the bread and butter of recommendation systems: generating personalized offers would be all but impossible without it. Personalization is an indispensable tool for crafting a memorable user experience, which in turn is the key to standing out on the crowded e-retail scene and, ultimately, to making a profit.

On the other hand, stringent regulations are in place to protect online users’ personal data. These are constantly being redefined in order to keep up with the latest advances in technology. The General Data Protection Regulation (GDPR), the EU law governing privacy issues, has been in effect for over three years. In essence, it permits the processing of personal data only if a set of tightly defined criteria are met. (Similar privacy legislation is being introduced or is already in use in more than a dozen countries around the world, including Brazil, India, Japan, Australia, and, within the US, California.)

Still in the pipeline, another EU legislation, the E-Privacy Regulation, aims to address (among other topics) the legal concerns around user identification technologies, most notably third-party cookies. With all that in mind, you might be wondering:

  • Are recommendation systems GDPR-compliant?
  • Can personalization be sustainable without third-party cookies?
  • How can I meet legal requirements if I’m using a recommendation system on my website?

The short answers are yes, yes, and yes. Read on for the details, as explained by Bottyán Németh, Marketing Director at Gravity R&D, and Zoltán Tarján, Senior Associate at Siegler Bird & Bird.

A Brief Overview of the GDPR

Every natural person has the fundamental right to informational self-determination and to have control over the processing of their personal data. This is the right that the GDPR aims to protect. Therefore, it limits the processing of personal data to specific scenarios defined by strict criteria.

One such scenario is if a natural person – a user, for short – consents to the processing and storage of their personal data. Two important criteria for this scenario are:
  • enabling the users to understand why and how their data is being processed, and
  • ensuring that they can withdraw their consent and have their data removed from the database at any time.

The GDPR states that data processing may be done by an organization for its own purposes (in this case, the organization is called a data controller), or outsourced to another organization (a so-called data processor). The latter has an obligation to gather, store, and process the personal data of natural persons (the users, or in GDPR terms, data subjects) according to the instructions and for the purposes of the data controller.

The term “personal data” refers to any information that relates to an identified or identifiable natural person. 

Where Do Recommendation Systems Fit in the Context of the GDPR?

Recommendation systems, or, to be more precise, their providers, called personalization vendors (like Gravity R&D, for instance) are typically data processors. Their clients – web stores or content platforms (technically speaking, the operators of these websites) – are data controllers. 

Bear in mind: an organization is considered a data processor only if it processes personal data exclusively as part of the service it was commissioned to provide, for the purposes of its client. When the organization processes personal data for its own purposes, e.g. to grow its own business or as part of its daily operations (for instance, processing personal data about its employees or its clients in this context), it is considered a data controller, Zoltán Tarján explains.

As a data processor, the personalization provider is responsible for ensuring the collection, storage and processing of user data in a way that complies with the instructions of its client, the data controller. 

Sometimes a personalization provider and its client will work together to define the purposes of data processing and the means to be employed to that end. In such a case they’re considered joint data controllers, and it’s their shared responsibility to comply with the provisions of the GDPR.

If a personalization vendor operates in the way it’s prescribed by the GDPR, which includes 
  • making it possible for users to reject cookies tracking their activity online;
  • giving access to personal data it stores and processes, if such a request is made by a user (via the data controller);
  • deleting a user’s data when asked to do so by said user (also via the data controller);

then it helps to ensure the GDPR compliance of its client as well. At least, as far as the personalization function of the given webshop or content platform is concerned. 

Cookie-Free Recommendations Make Personalization GDPR-Proof

The personal data typically used by recommendation systems is pseudonymized. This means that the names of natural persons in its database can only be connected to their personal details using additional information, a sort of key, stored separately.

This is a moderate degree of encryption because the connection between data subjects and their data can, theoretically, be restored. (One level up, in the case of anonymized data, user names are permanently disconnected from personal details.) Therefore, pseudonymized data falls into the category of personal data in the framework of the GDPR, Zoltán contends. He adds: Whether a natural person can be identified based on cookie information alone is up for debate. However, it’s unquestionable that the rich, multifaceted information compiled in user profiles by state-of-the-art recommendation systems is, indeed, personal data.

Therefore, the GDPR is applicable to personalization vendors as organizations processing personal data, and as such, they have to comply with the relevant provisions of the GDPR – together with their clients. 
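As an added illustration (not code from the article or from Gravity R&D) of what "a key stored separately" means in practice, and of how an access request or an erasure request is served against such a store: behavioural data is keyed by a keyed-hash pseudonym, while the only link back to a real identifier lives in a separate vault. All class, function and sample names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed example, not Gravity R&D code. The EventStore only ever sees
# pseudonyms; the link back to a person lives in KeyVault, which is meant to
# be stored and access-controlled separately from the behavioural data.

class KeyVault:
    """The separately kept 'key' that makes pseudonymized data re-identifiable."""

    def __init__(self) -> None:
        # Keyed hash rather than a plain SHA-256: an unkeyed hash of an e-mail
        # address could be re-identified simply by hashing guessed addresses.
        self._secret = secrets.token_bytes(32)
        self._links: Dict[str, str] = {}  # pseudonym -> real identifier

    def pseudonym_for(self, user_id: str) -> str:
        # Deterministic, so the same person always maps to the same pseudonym.
        mac = hmac.new(self._secret, user_id.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def pseudonymize(self, user_id: str) -> str:
        """Derive the pseudonym and remember the link to the real identifier."""
        pseudonym = self.pseudonym_for(user_id)
        self._links[pseudonym] = user_id
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self._links.get(pseudonym)

    def unlink(self, user_id: str) -> Optional[str]:
        """Forget the link for one person; returns the pseudonym that was unlinked."""
        pseudonym = self.pseudonym_for(user_id)
        return pseudonym if self._links.pop(pseudonym, None) is not None else None

class EventStore:
    """Behavioural data used for recommendations, keyed by pseudonym only."""

    def __init__(self) -> None:
        self._events: Dict[str, List[Tuple[str, str]]] = {}

    def record(self, pseudonym: str, action: str, item: str) -> None:
        self._events.setdefault(pseudonym, []).append((action, item))

    def events_for(self, pseudonym: str) -> List[Tuple[str, str]]:
        return list(self._events.get(pseudonym, []))

    def erase(self, pseudonym: str) -> int:
        return len(self._events.pop(pseudonym, []))

def access_request(vault: KeyVault, store: EventStore, user_id: str) -> List[Tuple[str, str]]:
    """Subject access request: everything the store holds about this person."""
    return store.events_for(vault.pseudonym_for(user_id))

def erase_request(vault: KeyVault, store: EventStore, user_id: str) -> int:
    """Erasure request: delete the events, then forget the link. Returns events removed."""
    pseudonym = vault.unlink(user_id)
    return store.erase(pseudonym) if pseudonym is not None else 0
```

Once the vault entry is gone, the remaining pseudonym can no longer be connected to the person, which is exactly the property the separately stored key is meant to provide.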

How do they go about that? “Any personal data can be lawfully processed as long as the user has consented to it”, Bottyán Németh reminds us. But a personalization engine can serve recommendations even to users who have declined cookies, that is, to those who did not consent to the processing of their personal data. To them, the system displays recommendations based on contextual data or “trending” items, just like in the case of new, unknown visitors. 

According to Bottyán, context-based personalization is GDPR-proof, and so are item-to-item recommendations. The latter include item lists labelled “Others also bought / viewed these” or “You might also need these”. Instead of analyzing the data of any specific user, the system generates these recommendations based on the relationship between the given product and the actions of known users (those who have consented to cookies).
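An added example, not code from the original article or from Gravity R&D, of the consent gating described above: sessions of users who declined cookies are never stored or learned from, and such a visitor receives item-to-item ("others also viewed") or trending recommendations exactly as an unknown visitor would. The session data, item names and class name are constructed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed example, not Gravity R&D code. Only sessions of users who
# accepted cookies are stored and learned from; a visitor who declined is
# treated exactly like an unknown visitor and gets item-to-item or trending
# recommendations that never involve a profile of their own.

# Constructed sample sessions: (user, consented_to_cookies, items viewed)
SESSIONS: List[Tuple[str, bool, List[str]]] = [
    ("u1", True, ["boots", "socks", "laces"]),
    ("u2", True, ["boots", "socks", "polish"]),
    ("u3", True, ["socks", "polish"]),
    ("u4", False, ["boots", "laces", "polish"]),  # declined: must not be learned from
]

class CookieFreeRecommender:
    def __init__(self, sessions: Sequence[Tuple[str, bool, List[str]]]) -> None:
        self.consented: Set[str] = set()
        self.history: Dict[str, List[str]] = {}  # per-user profile, consented users only
        self.trending: Counter = Counter()  # item -> view count
        self.cooccur: Dict[str, Counter] = defaultdict(Counter)  # item -> co-viewed items
        for user, consented, items in sessions:
            if not consented:
                continue  # no consent: the session is dropped, not merely hidden
            self.consented.add(user)
            self.history.setdefault(user, []).extend(items)
            self.trending.update(items)
            for a in items:
                for b in items:
                    if a != b:
                        self.cooccur[a][b] += 1

    def others_also_viewed(self, item: str, k: int) -> List[str]:
        """Item-to-item list built from consented users' actions only."""
        return [i for i, _ in self.cooccur.get(item, Counter()).most_common(k)]

    def recommend(self, user: Optional[str], context_item: Optional[str] = None,
                  k: int = 2) -> List[str]:
        if user in self.consented:
            # Profile-based: items co-viewed with this user's own history.
            seen = set(self.history[user])
            scores: Counter = Counter()
            for item in self.history[user]:
                scores.update(self.cooccur.get(item, Counter()))
            picks = [i for i, _ in scores.most_common() if i not in seen]
            if picks:
                return picks[:k]
        # Declined or unknown visitor: contextual, then trending fallback.
        if context_item is not None:
            picks = self.others_also_viewed(context_item, k)
            if picks:
                return picks
        return [i for i, _ in self.trending.most_common(k)]
```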

Another GDPR-compliant approach to personalization is, quite simply, asking people what they want. “Get the data from the user, but only as much as you actually need”, as Bottyán puts it. This trick works wonders, particularly for beauty and fashion brands. A visitor in a web store can fill out their preferences or select the characteristics that best describe them – for instance: oval face, olive-toned skin, and a penchant for the style of the sixties. Based on this information, they’ll get tailor-made recommendations for, say, sunglasses. 

Three Years of GDPR Compliance: Challenges, Trends, Learnings

Back when the GDPR went into effect, demand for legal experts skyrocketed as everyone was anxious to comply with the regulation. The initial rush soon gave way to a cautious “look before you leap” attitude. Businesses and organizations tried to gauge the severity and the frequency of fines in order to figure out how much effort to invest in compliance – Zoltán Tarján remembers. In Hungary, the magnitude of fines ranges from hundreds to thousands of euros. The Hungarian data protection authority focuses primarily on issues with identifying an appropriate legal basis for processing; on deficiencies in privacy policies; on organizations’ refusal to take action upon data subjects’ requests; and on issues stemming from data breaches.

Although these fines are not particularly high by European standards, they make it clear enough that the protection of personal data is not to be taken lightly. In Zoltán’s view, GDPR compliance is not a one-step, definitive solution; rather, it requires an ongoing effort.

At Gravity R&D, the transition to a GDPR-compliant operation did in fact require a significant, concerted effort from everyone involved – Marketing Director Bottyán Németh recalls. Drafting the cookie policy and formulating the cookie settings was done with the help of Zoltán, a privacy expert at Siegler Bird & Bird. 

Ever since those steps were taken, hardly any issues have arisen with regard to GDPR compliance. To mention one of the few challenges: a client’s newsletter database didn’t meet GDPR requirements because at the time it was built, it wasn’t specified that user data would be gathered for the purpose of a newsletter. So the database had to be deleted and rebuilt from scratch, this time informing users about its purpose through a built-in function of the recommendation system.

This article is for your information only. It’s not equivalent to reading and understanding the regulations that apply; nor can it be considered legal advice.

Can There Be Life After Third-Party Cookies?

Besides the GDPR, another important factor upending the world of online marketing is the imminent demise of third-party cookies. It’s old news now that, following the example of several other browsers, Google Chrome will no longer support third-party cookies as of 2022.

In Zoltán’s opinion, attempts to harmonize privacy regulations across the EU, as well as the active lobbying of some NGOs have led to ever stricter enforcement by data protection authorities – this is perhaps the reason why market operators have opted to move on. 

EU lawmakers have long been struggling to finalize the so-called E-Privacy Regulation, meant to replace the E-Privacy Directive currently in force. Once it’s passed, the E-Privacy Regulation will be applied in all member states of the European Union, particularizing and complementing the GDPR. (Wondering about the difference between EU directives and regulations? Directives guide the lawmaking process of member states, resulting in laws whose main provisions are the same across the EU but whose details might vary from state to state. Regulations are passed by EU lawmaking bodies and apply directly and universally in all member states.)

Whereas the GDPR deals with the protection of personal data in general, the E-Privacy Regulation aims to address, among other topics, the use of cookies and similar technologies. Zoltán predicts that, as things stand at the moment, the E-Privacy Regulation is unlikely to usher in anything fundamentally new. The two major pillars of cookie regulation will remain the necessity of user consent and the obligation to inform. The latest draft stipulates that users should be able to allow or reject cookies using their browser or another software, as long as these settings function in compliance with all provisions of the regulation. Furthermore, it makes the case for easier deployment of some cookies that are not going to depend on users’ consent. 

Remember, the text of the E-Privacy Regulation is still the subject of negotiations among EU institutions, and as such, it is far from final.   

Now, how does this all affect recommendation systems? Before delving into the possible implications, let’s brush up on our understanding of cookies. 

Cookies are tiny data files that the browser stores on the user’s device when they visit a web page. These data files work like microscopic ID tags, storing the user’s relevant details so that websites can recognize them.

The two main types of cookies are first-party and third-party cookies.  
  • First-party cookies are embedded in the user’s browser by the website they’re visiting. These cookies identify the user’s browsing history, settings and preferences, but only within the given website. Their main purpose is to enhance user experience, for example, by remembering language settings or earlier purchases. Therefore, first-party cookies are generally considered useful and harmless. They’re likely to be around in the long run. 
  • Third-party cookies are added to the user’s browser by an entity other than the website they’re visiting; typically a domain specializing in marketing or analytics. They work like wildlife tracking: these ID tags follow the user all over the internet. Data gathered this way can be used, for instance, to create retargeting campaigns, when e-retailers serve their customers ads for recently viewed products on websites other than their own, in an effort to persuade them to keep buying or to return to an abandoned cart. Third-party cookies are controversial because most people don’t like to be tagged. 

(You guessed it: in between first and third-party, there’s also a category called second-party data. This term is used when the website deploying the cookie shares the information generated this way with another domain, usually in the framework of a strategic partnership.)

Recommendation Systems Can Survive on First-Party Cookies Alone

Bottyán explains: First-party data is by far the most useful source of information for personalization purposes. Most tailored recommendations can be generated using only first-party data. Over the course of the past years, tech giants like Google and Facebook have been accumulating this precious resource. The majority of online users like to breeze through login processes to a multitude of platforms using their Facebook or Google accounts, and as a consequence, they generate reams of first-party data about various aspects of their lives online – all for the big players in Silicon Valley, enabling these latter to churn out hyper-targeted ads. This monopoly of first-party data is pushing publishers – websites offering free content in return for advertising income – to the brink of extinction. 

If third-party cookies are going to be discontinued due to privacy concerns, and first-party data is being eaten up by Big Tech, is there an alternative solution for identifying users that is universally acceptable? 

Of the several options being debated by industry pundits, Bottyán finds Unified ID 2.0 the most promising. Still in the works, the idea is to generate a universal identifier from each user’s anonymized email address. This would provide enough information for domains around the web to craft tailored experiences for the given person, without going so far as to infringe their privacy. 

As for personalization engines, Bottyán makes it clear: since they provide tailor-made recommendations only within a given website, all they need is the site’s first-party cookies. So even after third-party cookies are gone, recommendation systems will keep functioning without a hitch.

Seven* Simple** Things to Keep in Mind When Processing Personal Data

If you’re in the business of e-retail, either using a recommendation system or just considering launching one, the issue of GDPR compliance is probably often on your mind. You may be confused about the various conditions and requirements of data processing, or unsure whether you’re ticking all the boxes as prescribed by the GDPR. Fear not: here’s a handy to-do list compiled by our legal expert, grouped around the seven key topics of lawful data management. 

  1. Display a privacy policy on your website, complete with all relevant information. Check your personalization vendor’s privacy policy as well. Ask your vendor to explain their privacy policy to you before signing the data processing agreement.
  2. If you’re using cookies, create a cookie policy that includes the following information:
  • what cookies you’re using;
  • what purpose they serve;
  • how long they’re valid;
  • which third parties, if any, can access data collected by means of these cookies;
  • and any other details that might be relevant to your visitors.

If you’re using third-party cookies, check whether the domains deploying those cookies oblige you to inform your users about how these third-party cookies function.

User Consent

  3. Place a cookie banner at a prominent point of your main page, so your visitors can find out about the cookies you use, and decline or allow them.
Cookie information should be provided on multiple levels. Level one is the cookie banner itself, which should
  • identify the data controller;
  • briefly summarize the purpose of data processing;
  • make it clear that cookie consent is optional;
  • and include buttons to allow all cookies, to reject all cookies, and to learn more.

Level two is the detailed information page accessed by clicking Learn More. It should feature the full list of data processing purposes, with detailed descriptions and Allow and Reject buttons for each purpose. Rejecting cookies should not be more difficult or complicated for users than allowing them.

User consent by means of pre-ticked checkboxes does not comply with the GDPR. Assuming that continued browsing on the site means the user has accepted cookies does not make the cut, either. Cookie walls – when content on a website is only accessible to users who have consented to cookies – are also problematic, Zoltán warns.

Deletion of Data

  4. If a user asks to have their personal details removed from your database, you have a month to hit Delete. Otherwise, tell the user why you refuse to delete their data – in this case, it’s a good idea to consult a legal expert to be sure that you have the right to refuse. If you have a contract with a data processor (for instance, a personalization vendor), share the request with them and check whether it has been dealt with.

Data Security

  5. Make sure that the personal data processed by you or by your personalization vendor is stored securely. Carefully weigh risks and benefits to choose the appropriate degree of encryption, pseudonymization, or other data security measures.

  6. Have appropriate internal procedures in place for handling requests from data subjects. Put someone in charge, create a dedicated email address, and agree on a realistic timeframe for responding to inquiries.
  7. Be prepared for a possible data breach, such as a hacker attack or data leaked through an email sent to the wrong address. Have an emergency protocol for identifying and responding to data breaches, and remember to inform the authorities and the users whose privacy was compromised (if required).

* This is a summary of GDPR compliance priorities, not an exhaustive list of your obligations under the GDPR. Read our full GDPR Guidance Document for more complete information. 

** “Simple” is relative when it comes to describing GDPR compliance. If you feel more comfortable involving a professional, consult a legal advisor. Gravity R&D recommends the privacy experts at Siegler Bird & Bird.

One final disclaimer: This article is for your information only. It’s not equivalent to reading and understanding the regulations that apply; nor can it be considered legal advice.