// GDPR · ARTICLE 22 · AUTOMATED DECISION-MAKING

Automated decisions in marketing.

When your segmentation engine decides who gets the airdrop, the bonus, the campaign, it’s automated decision-making with legal effect. Most growth stacks are inside the scope of this article without realising it.

Applies to: Lifecycle · Growth · CRM and segmentation · Recommendation engines

The rule.

Article 22 restricts decisions made solely by automated means when they produce legal effects on the data subject or similarly significantly affect them.

// Regulation (EU) 2016/679 · Article 22(1)

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

The EDPB guidelines on automated decision-making (WP251rev.01) clarify that “similarly significant” covers decisions that affect a person’s financial circumstances, access to services, employment, or opportunities. Targeted marketing can fall inside Article 22 when the decision is based on profiling and the outcome materially affects the consumer — for instance, who gets access to a financial product, an airdrop, or differential pricing.

What it requires.

Four operational obligations.

Identify the decisions. Catalogue every automated decision in your marketing stack: who gets the campaign, who gets the bonus, who gets the airdrop allocation, who gets the dynamic price, who gets the personalised recommendation that drives a purchase. Each is potentially in scope.

Establish lawful basis. Article 22(2) provides three lawful bases: contract necessity, EU/Member-State law authorisation, or explicit consent. For most marketing automation, contract necessity does not apply — the decision is for the firm’s commercial benefit, not necessary for the contract. That leaves explicit consent.

Transparency. Article 13(2)(f) and Article 14(2)(g) require the firm to inform the data subject about the existence of automated decision-making, including profiling, and provide meaningful information about the logic involved and the significance and consequences.

Right to human review. The data subject has the right to obtain human intervention, express their point of view, and contest the decision. This must be operationalised — not just a sentence in a privacy policy.

Common violations.

// Violation pattern · airdrop allocation by score

Airdrop allocation: algorithmic score based on wallet activity, on-chain history, social signals. Eligible users notified by email. No disclosure of the scoring logic.

Automated decision with financial effect. No transparency about the logic. No human-review path. Fails Article 22 and Article 13(2)(f).

// Violation pattern · dynamic pricing by segment

Fee schedule varies by user segment determined algorithmically from KYC data, transaction history, and behavioural signals.

Differential pricing is a financial effect. If the segmentation is fully automated, Article 22 applies and consent is required.

// Violation pattern · lifecycle engine that gates access

Lifecycle automation: users below the engagement-score threshold do not receive the new-product launch email; users above do.

Looks innocuous but: the algorithm decides who hears about a financial product. If knowledge of the product is material to the financial decision, this is significant. Closer call than the others but trending toward scope.

How to comply.

// Fix 1 · catalogue the decisions

Build a register of automated decisions in your stack. Each entry: what the decision is, what inputs feed it, what outcome it produces, who is affected, lawful basis. This is also a GDPR Article 30 records-of-processing requirement.

// Fix 2 · explicit consent at signup

For marketing-automation decisions that are in scope of Article 22, collect explicit consent at signup, separately from the marketing-email consent. “I understand my eligibility for product offerings may be determined by automated processing of my account data, and I consent to this.”

// Fix 3 · transparency in privacy notice

Privacy notice must disclose: existence of automated decision-making, the logic in plain language (you don’t have to publish the model; you do have to explain what factors matter and how), the significance and consequences.

// Fix 4 · human-review path

For every Article 22 decision, the user must have a clear path to request human review: email address, support form, in-app option. Document the review process and set SLAs for response.

// Fix 5 · DPIA before launching

Before launching a new automated-decision system in marketing, run a Data Protection Impact Assessment (Article 35). Document risk to data subjects, mitigations, and the lawful-basis analysis. Standard practice in regulated firms; rare in growth stacks.
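The five fixes above, as one added example that is not code from this page or from any product: a register entry (Fix 1) is the only thing that can authorise a decision, the decision refuses to run without the separate explicit consent (Fix 2) and instead queues the case for a human, the explanation is built only from inputs the register discloses (Fix 3), and a review ticket can be raised against any decision (Fix 4). All class names, the weights, the threshold and the sample users are constructed for the example.

```python
from dataclasses import dataclass, field

# --- Fix 1: register of automated decisions (also the Article 30 record) ----
@dataclass(frozen=True)
class RegisterEntry:
    decision: str       # what the decision is
    inputs: tuple       # which features may feed it (these are what the notice discloses)
    outcome: str        # what it produces
    affected: str       # who is affected
    lawful_basis: str   # "explicit_consent" | "contract" | "law" (Article 22(2))

# Constructed example entry and weights; not a real scoring model.
REGISTER = {
    "airdrop_allocation": RegisterEntry(
        decision="airdrop_allocation",
        inputs=("wallet_activity", "onchain_history", "social_signal"),
        outcome="eligible or not_eligible for the airdrop",
        affected="all verified accounts",
        lawful_basis="explicit_consent",
    ),
}
WEIGHTS = {"wallet_activity": 0.5, "onchain_history": 0.4, "social_signal": 0.1}
THRESHOLD = 0.6

@dataclass
class User:
    user_id: str
    marketing_consent: bool   # upstream gate: may we market to this person at all
    art22_consent: bool       # Fix 2: separate explicit consent to automated decisions
    features: dict            # constructed feature values in [0, 1]

@dataclass
class Decision:
    user_id: str
    decision: str
    outcome: str              # eligible | not_eligible | pending_human_review | no_marketing_consent
    basis: str
    factors: dict = field(default_factory=dict)   # Fix 3: per-input contribution for the explanation
    review_requested: bool = False

@dataclass
class ReviewTicket:
    decision: Decision
    reason: str               # the data subject's point of view, or why the system deferred

class UndisclosedInputError(Exception):
    """A weighted input is not listed in the register, so it was never disclosed."""

def explain(entry, features, weights=WEIGHTS):
    """Contribution of each registered input. Refuses to score on an
    input the register (and therefore the privacy notice) does not list."""
    undisclosed = set(weights) - set(entry.inputs)
    if undisclosed:
        raise UndisclosedInputError(sorted(undisclosed))
    return {name: weights[name] * features.get(name, 0.0) for name in entry.inputs}

def decide(user, decision_name, review_queue):
    """Run one registered decision for one user, enforcing the consent layers."""
    entry = REGISTER.get(decision_name)
    if entry is None:
        # An uncatalogued decision cannot run: the register is the allow-list.
        raise KeyError(f"{decision_name} is not in the decision register")
    if not user.marketing_consent:
        return Decision(user.user_id, decision_name, "no_marketing_consent", entry.lawful_basis)
    if entry.lawful_basis == "explicit_consent" and not user.art22_consent:
        # No explicit Article 22 consent: do not decide automatically; defer to a human.
        deferred = Decision(user.user_id, decision_name, "pending_human_review", entry.lawful_basis)
        review_queue.append(ReviewTicket(deferred, "no explicit consent to automated decision"))
        return deferred
    factors = explain(entry, user.features)
    outcome = "eligible" if sum(factors.values()) >= THRESHOLD else "not_eligible"
    return Decision(user.user_id, decision_name, outcome, entry.lawful_basis, factors)

def request_human_review(decision, review_queue, point_of_view):
    """Fix 4: the data subject contests a decision and states their view."""
    decision.review_requested = True
    review_queue.append(ReviewTicket(decision, point_of_view))
    return decision

if __name__ == "__main__":
    queue = []
    consented = User("u1", True, True, {"wallet_activity": 1.0, "onchain_history": 0.5, "social_signal": 0.0})
    print(decide(consented, "airdrop_allocation", queue))
    declined = User("u2", True, False, {"wallet_activity": 1.0})
    print(decide(declined, "airdrop_allocation", queue), len(queue))
```

The register doubles as an allow-list: `decide` cannot run a decision that was never catalogued, and `explain` fails loudly if the model starts weighting an input the notice never mentioned, which is how the "logic in plain language" obligation drifts out of sync with the code in practice.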

Related rules.

  • Consent for marketing is the upstream gate. Consent for automated decisions is layered on top.

  • KOL-driven segmentation often pairs with Article 22 issues: the algorithm decides which KOL audience gets which offer.

  • An incentives engine that determines eligibility algorithmically is doubly problematic: incentives ban applies, and Article 22 applies.