How do we use profiling tools lawfully?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- What does it mean for our use of profiling tools to be lawful?
- When can we rely on legal obligation?
- When can we rely on legitimate interests?
- Can we rely on contract?
- What about consent?
- What about vital interests and public task?
- What if our profiling involves special category information?
- What if our profiling involves criminal offence information?
What does it mean for our use of profiling tools to be lawful?
The first principle of data protection law requires processing to be lawful, fair, and transparent.
You must identify a lawful basis in order to collect and process personal information using your profiling tools.
There are six lawful bases for processing set out in article 6 of the UK GDPR. No one basis is always better, safer, or more important than the others. Your decision depends on what you intend to use profiling tools for.
In practice, the lawful bases that are most likely to be relevant to any profiling tools you use in your trust and safety systems are:
- legal obligation: this basis applies if you need to use profiling to comply with a common law or statutory obligation (eg your duties under the OSA); or
- legitimate interests: you can rely on this basis if you have a legitimate interest in using profiling (eg as part of enforcing your terms of service). This basis involves balancing your interests against the person’s interests, rights and freedoms.
Although there might be cases where contract can apply, it is likely that legal obligation or legitimate interests are more suitable lawful bases for your trust and safety profiling.
Consent may be an appropriate lawful basis in some cases. But this is only likely where you are required to get consent for storage and access technologies (such as cookies, tracking pixels and fingerprinting techniques) that are not strictly necessary. In these instances, you should also use consent as your lawful basis for any subsequent processing of personal information. You can rely on the consent sought under PECR for the subsequent processing, provided this consent was appropriate for the subsequent processing purpose(s). (See the section on How does PECR apply to profiling tools? and our draft guidance on the use of storage and access technologies for more information.)
If your profiling tools involve using special category information or criminal offence information, you must have a lawful basis and an additional article 9 or article 10 condition for processing. (See the sections below on What if our profiling involves special category information? and What if our profiling involves criminal offence information? for more information).
When can we rely on legal obligation?
The information in this section is primarily about using legal obligation under the OSA. However, there may be other statutory obligations or common law duties that are relevant to you.
Legal obligation applies if processing personal information is necessary to comply with a common law or statutory obligation.
This does not mean that there needs to be a legal obligation specifically requiring the relevant processing activity. The point is that your overall purpose is to comply with a legal obligation.
You might be able to rely on legal obligation as your lawful basis if you are using profiling tools to meet your obligations under the OSA. However, you must ensure that the personal information you process in your tools is necessary and proportionate to achieve compliance.
You are also likely to be able to use this lawful basis for personal information processing that you need to do to apply the specific measures recommended in Ofcom's codes of practice under the OSA. This is because the codes provide measures that enable you to comply with the legal obligations set out in the OSA.
You must ensure that your processing is necessary and proportionate. This lawful basis does not apply if you can reasonably comply with your legal obligation without carrying out the processing, or by processing less personal information.
You must not rely on this lawful basis for processing that goes beyond what is required for you to meet your duties in the OSA (unless there are other common law duties or legislative obligations that apply).
You must directly link your processing to a legal obligation placed on you. You should document your decision to rely on legal obligation and identify the specific legal provision or source of advice or guidance that clearly sets out your obligation.
When can we rely on legitimate interests?
Legitimate interests is most likely to apply where you want to use personal information in ways that:
- people would reasonably expect; and
- don't have an unjustified adverse impact on people's rights and freedoms.
If there is an impact on people, legitimate interests may still be available, but you must show that there is a compelling benefit to the processing and the impact is justified.
You may have a legitimate interest in deploying a profiling tool (eg to detect and prevent harmful user behaviours in accordance with your terms of service, or to comply with the OSA). However, you must balance this interest against the interests, rights and freedoms of your users.
It is likely that using profiling tools will involve a degree of intrusion into the privacy of your users. This means you must demonstrate a compelling justification for using these tools that outweighs the greater privacy intrusion.
You must consider whether users would reasonably expect you to use their information in your profiling tool. Although users of online services may expect you to use their information for some online safety measures, they may not expect the type or extent of personal information processing that your tool involves.
To help you determine whether legitimate interests applies, you should carry out a three-part test to:
- identify your legitimate interest;
- show that processing is necessary to achieve that interest; and
- consider whether people’s interests, rights and freedoms override the legitimate interest you’ve identified.
We refer to this as a ‘legitimate interests assessment’ or LIA. You should keep this assessment under review and update it if your circumstances change.
Your DPIA can function as your LIA. You do not need to do a separate LIA, as a DPIA covers the same ground in more detail. (See the section on How do we assess and mitigate the data protection risks involved in our use of profiling tools? for more information about DPIAs and why they are a requirement for the processing carried out by your profiling tools.)
You must consider whether using personal information in your profiling tool is necessary and proportionate and whether less intrusive methods are available. If you can reasonably achieve the same result in another less intrusive way, legitimate interests does not apply.
If you process children’s personal information in your tools, you must take extra care to protect their rights and interests.
Example
A video gaming service identifies bot accounts operating on its service that are targeting genuine users with phishing scams. The gaming platform considers deploying a profiling tool based on machine learning that identifies bot accounts and bans them from the service. The tool uses a variety of personal information including a user’s rate of friend requests sent, their gameplay activity, and whether they have been previously blocked by other users of the service.
The gaming company considers the purpose of its tool and confirms that it has a legitimate interest in detecting and removing bot accounts that are causing harm to users.
It then considers the necessity test. A less intrusive method to detect bot accounts might be to rely on reports from other users. However, in this instance the service finds that user reports are a less effective and accurate way to identify the harmful accounts. Using a proactive bot detection tool also allows the service to detect and remove bot accounts at an earlier stage. The service decides that it is not possible to achieve its purpose without using the tool.
The service goes on to consider the balancing test. It takes into account the reasonable expectations of its users and the risks to users arising from using the tool, including the risks of incorrect outcomes. The service considers how to tell its users about its use of the profiling tool and the personal information it involves, making it more likely that they will expect their information to be processed in this way. The service considers steps to mitigate the risks to users through measures such as implementing a human review and appeals process, and limiting the use of the tool to the areas of its service where bot accounts are causing harm.
The processing undertaken by the tool is privacy intrusive. This means that when carrying out the balancing test, the service must consider whether it has a compelling justification for the processing. In this case, the service determines that it has a compelling justification to detect and remove bot accounts to protect users from fraud. The service has taken steps to reduce the risk to users and to ensure its use of the tool is necessary and proportionate, and overall determines that the balance favours its legitimate interest in processing the information.
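To show how the mitigations in this example translate into engineering controls, here is an added illustration. It is not part of the guidance and not any real service's code; the feature names, thresholds, in-scope surfaces and the toy scoring function are all constructed assumptions standing in for a real machine-learning model. It wires three of the example's proportionality measures into the decision path: an allow-list of the signals the LIA justified (processing no more personal information than necessary), a scope check so the tool only runs on the surfaces where bot accounts cause harm, and a decision record that routes every adverse outcome to human review and keeps the basis for an appeal.

```python
"""Added illustration of proportionality controls in a bot-detection pipeline.
Feature names, thresholds and surfaces are constructed assumptions, not the
guidance's requirements or any real service's implementation."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Data minimisation: only the signals the LIA justified as necessary may reach
# the model. Anything else is rejected rather than silently consumed.
PERMITTED_FEATURES = frozenset({
    "friend_requests_per_hour",   # rate of friend requests sent
    "play_minutes_7d",            # gameplay activity over the last week
    "times_blocked_by_others",    # prior blocks by other users
})

# Scope limitation: only run where bot accounts are causing harm (assumed surfaces).
IN_SCOPE_SURFACES = frozenset({"friend_requests", "direct_messages"})

REVIEW_THRESHOLD = 0.5     # queue for a human reviewer
RESTRICT_THRESHOLD = 0.85  # restrict immediately, but still send to a human


@dataclass
class Decision:
    account_id: str
    surface: str
    score: float
    outcome: str                 # "no_action" | "review" | "restricted_pending_review"
    features_used: dict          # kept only when a human needs to see the basis
    human_review_required: bool
    appealable: bool
    decided_at: str


class FeatureNotPermitted(ValueError):
    """Raised when the caller supplies a signal the LIA did not cover."""


def check_features(features: dict) -> list:
    """Return the (sorted) names of any supplied features outside the allow-list."""
    return sorted(set(features) - PERMITTED_FEATURES)


def bot_score(features: dict) -> float:
    """Toy stand-in for the ML model: many friend requests, little real play,
    many blocks by other users. Returns a score in [0, 1]."""
    unexpected = check_features(features)
    if unexpected:
        raise FeatureNotPermitted(unexpected)
    rate = float(features.get("friend_requests_per_hour", 0.0))
    play = float(features.get("play_minutes_7d", 0.0))
    blocks = float(features.get("times_blocked_by_others", 0))
    score = 0.0
    score += min(rate / 60.0, 1.0) * 0.5          # burst of friend requests
    score += (1.0 - min(play / 300.0, 1.0)) * 0.2  # little genuine gameplay
    score += min(blocks / 10.0, 1.0) * 0.3         # repeatedly blocked
    return round(score, 3)


def decide(account_id: str, surface: str, features: dict) -> Decision:
    """Apply the tool only in scope, never auto-ban, and record the basis of any
    adverse outcome so a reviewer and the user (on appeal) can see it."""
    now = datetime.now(timezone.utc).isoformat()
    if surface not in IN_SCOPE_SURFACES:
        # Out of scope: the tool does not process the account's signals at all.
        return Decision(account_id, surface, 0.0, "no_action", {}, False, False, now)

    score = bot_score(features)
    if score >= RESTRICT_THRESHOLD:
        outcome, review = "restricted_pending_review", True
    elif score >= REVIEW_THRESHOLD:
        outcome, review = "review", True
    else:
        outcome, review = "no_action", False

    return Decision(
        account_id=account_id,
        surface=surface,
        score=score,
        outcome=outcome,
        features_used=dict(features) if review else {},
        human_review_required=review,
        appealable=outcome != "no_action",
        decided_at=now,
    )


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    print(decide("acct-1", "friend_requests",
                 {"friend_requests_per_hour": 120, "play_minutes_7d": 5, "times_blocked_by_others": 12}))
    print(decide("acct-2", "friend_requests",
                 {"friend_requests_per_hour": 2, "play_minutes_7d": 600, "times_blocked_by_others": 0}))
    print(decide("acct-3", "leaderboard",
                 {"friend_requests_per_hour": 120, "play_minutes_7d": 5, "times_blocked_by_others": 12}))
```

The design point is that the LIA's conclusions are enforced by the code path, not only documented: a new signal cannot be fed to the model without extending the allow-list (which should prompt an update to the LIA or DPIA), an out-of-scope surface never triggers profiling, and no outcome removes a user without a human in the loop and a recorded basis for appeal. The thresholds and weights are placeholders; a real deployment would set them from measured false-positive rates, which is the "risk of incorrect outcomes" the balancing test asks about.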
Can we rely on contract?
The contract lawful basis applies where the processing is objectively necessary for the purposes of a contract between you and your users. You cannot rely on contract in other circumstances.
You might be able to use this lawful basis for using your profiling tools where they are:
- integral to the delivery of your core service; and
- a proportionate way of achieving your purpose.
If the contract is with a child under 18, you must consider whether they have the necessary competence to enter into a contract. If you have doubts, you should either:
- assure yourself that the child has the necessary competence; or
- consider an alternative basis, such as legitimate interests.
Although there might be cases where it’s possible to use contract for the processing you undertake in your profiling tools, it is likely that legal obligation or legitimate interests are more suitable.
What about consent?
Consent is about giving people genuine choice and control over their information. Consent won’t apply unless you’re processing personal information you collected using storage and access technologies that required consent under PECR. This is because you’re unlikely to be offering people a free choice about whether you process their information through your use of profiling tools.
However, if you have to obtain consent for your use of storage and access technologies (ie where the strictly necessary exemption doesn’t apply), and the information involved is personal data, then you should use consent as your lawful basis for the subsequent processing of that information.
You can rely on the consent you sought under PECR for the subsequent processing, provided this consent was appropriate for the subsequent processing purpose(s).
(See the section of this guidance on How does PECR apply to profiling tools? and our draft guidance on the use of storage and access technologies for more information.)
Further reading
- Consent
- Draft guidance on the use of storage and access technologies, in particular the section on How do the PECR rules relate to the UK GDPR?
What about vital interests and public task?
Vital interests only applies where processing is essential to protect someone’s life. This lawful basis is therefore very limited in scope, and generally only applies to matters of life and death.
Public task is unlikely to be relevant to the user-to-user services this guidance applies to. This is because this basis only applies where you are ‘exercising official authority’ or carrying out a specific task in the public interest that is laid down by law.
What if our profiling involves special category information?
If your planned profiling involves special category information, you must identify a condition for processing in addition to identifying a lawful basis.
This is the case whether you:
- plan to use special category information as input data to support your assessment about a user, including analysing user-generated content containing this information; or
- use your profiling tools to intentionally infer information about users that falls within the special categories.
If your profiling tool involves analysing user-generated content and you are not sure whether the content contains special category information, you should identify a condition for processing to cover that possibility and minimise the privacy risks.
There are 10 conditions for processing special category information outlined in article 9 of the UK GDPR. Five of these require you to meet additional conditions and safeguards set out in schedule 1 of the DPA 2018. In many cases you also need an ‘appropriate policy document’ in place to meet a schedule 1 condition in the DPA 2018.
Substantial public interest
The substantial public interest condition is most likely to be relevant for your use of special category information.
To rely on this condition, you must demonstrate that your processing has substantial public interest benefits.
To do this, you must meet one of 23 specific substantial public interest conditions set out in part 2, schedule 1 of the DPA 2018. For almost all of these conditions, you must have an appropriate policy document in place.
The conditions that may be relevant to your trust and safety profiling include:
- preventing or detecting unlawful acts: this condition is met if your use of personal information is necessary to prevent or detect an unlawful act;
- regulatory requirements: this condition applies if your use of personal information is necessary to comply with a regulatory requirement that involves establishing whether someone has committed an unlawful act or has been involved in dishonesty, malpractice or other seriously improper conduct. For example, this is likely to be relevant where you need to process special category information to meet your obligations set out in the OSA, providing this processing is a necessary and proportionate way to comply; and
- safeguarding of children and individuals at risk: this condition applies if your use of personal information is necessary to protect a child or at-risk person from neglect or harm, or to protect their wellbeing. For example, this condition is likely to be relevant to any processing of special category information you may undertake to comply with your children’s safety duties in the OSA.
For each one of these conditions, you must demonstrate that your specific processing is ‘necessary for reasons of substantial public interest’.
Further reading
- Special category data, in particular the section on What are the substantial public interest conditions?
What if our profiling involves criminal offence information?
You must ensure that you process any criminal offence information lawfully, fairly and transparently, and that you have an article 6 lawful basis for processing.
In addition, article 10 of the UK GDPR states that you must only process criminal offence information if this processing is:
- under the control of official authority; or
- authorised by domestic law. In the UK, this means you need to meet one of the conditions in schedule 1 of the DPA 2018.
You are unlikely to be processing under the control of an official authority when carrying out profiling in your trust and safety systems. Therefore, if your profiling involves criminal offence information, you must identify a specific condition for processing in schedule 1 of the DPA 2018.
As with special category information, you may require an appropriate policy document depending on the condition you rely on.
The following schedule 1 conditions may be relevant for processing criminal offence information in your trust and safety systems:
- preventing or detecting unlawful acts (see earlier);
- regulatory requirements (see earlier); and
- safeguarding of children and people at risk (see earlier).