The exploitation of vulnerability through personalised marketing communication: are consumers protected?

: While data-driven personalisation strategies in marketing offer consumers several benefits, they potentially also create new disparities and vulnerabilities in society, and in individuals. This article explores in what ways application of so-called personalised marketing communication may lead to exploitation of vulnerability of consumers and builds on empirical findings on the issue by investigating if consumers are protected against such vulnerabilities under EU consumer protection law. We show a number of ways in which personalisation may lead to exploitation of internal and external vulnerabilities and that EU consumer law contains significant barriers to effectively address such exploitation.


Introduction
By undertaking various activities online, consumers are producing a large amount of personal information that is collected and processed by companies (Acquisti et al., 2015). This information is subsequently used to tailor online services by offering personalised communication based on individuals' characteristics, interests and behaviours (Bol, Dienlin, et al., 2018). While personalisation is currently applied in many different contexts, it very frequently occurs in the form of personalised marketing messages (so-called personalised marketing communication ("PMC"), see Strycharz et al. (2019)).
PMC encompasses different communication techniques that all involve interactions between companies and consumers, data collection and processing by companies and delivering marketing communication (Vesanen & Raulas, 2006). PMC is generally used as an umbrella term for communication about so-called sales and promotion (personalised offers, recommendations and advertising) as well as information provision (Strycharz et al., 2019). It offers consumers a number of benefits, such as increased relevance, informativeness and credibility of communication (e.g., Boerman et al. 2017;Tran 2017). At the same time, by targeting personal characteristics, such tactics make individuals more susceptible to persuasion, blurring the line between persuasion and manipulation. This can be seen as a threat to individual autonomy as well as bringing on a risk of economic harm (Calo, 2014).
In doing so, personalisation can thus potentially create new disparities and vulnerabilities in society, and in users . While the relation between personalisation and consumer vulnerabilities has been receiving growing attention in empirical studies, research on how European consumer law protects against such practices has been scarce. Therefore, the current study builds on the empirical findings by adding a legal perspective on consumer vulnerabilities and PMC.
In order to investigate to what extent EU consumer protection law protects consumers against vulnerabilities arising from PMC, the current research first explores the relation between PMC and vulnerabilities and, next, investigates the protection consumers are offered in this context. The following two research questions will be investigated: 1. In what ways can PMC exploit consumer vulnerabilities ? 2. To what extent are consumers protected against such exploitation under EU consumer protection law?
To answer the first question, we review consumer research on PMC, provide an overview of different types of vulnerabilities described in consumer research and explore in what ways PMC applications may exploit different types of consumer vulnerabilities. The second research question is answered through an analysis of EU consumer law, discussing the relevant pieces of legislation, case law and guidance documents.
The remainder of this article is structured as follows. First, the phenomenon of PMC is defined, and the possible exploitation of different types of consumer vulnerabilities explored (Section 1). After that, focus shifts to how PMC is regulated by EU consumer protection law and whether EU consumer law tackles the identified potential for vulnerability exploitation (Section 2). It is shown that EU consumer law contains significant barriers to effectively tackle PMC-related vulnerabilities.
This article finishes by a discussion of the implications of this conclusion, in which suggestions are provided on further research and on how EU consumer law could more adequately tackle PMC-related vulnerabilities (Section 3).

Section 1: Personalised marketing communication and consumer vulnerabilities 1.1 Personalised marketing communication -state of the art
Personalisation can be defined as "the strategic creation, modification, and adaptation of content and distribution to optimize the fit with personal characteristics, interests, preferences, communication styles, and behaviours" (Bol, Dienlin, et al., 2018, p. 373). Marketing communication is one of the most common contexts of personalisation online. PMC describes numerous applications that all involve collection and processing of consumer data by organisations (Vesanen & Raulas, 2006).
In the personalisation process, first, consumer data is collected with the aim of personalising communication. At this stage, different types of data can be collected. Next, the data are processed with the aim of constructing consumer profiles and inferring information about their needs and interests. In the third step, this information is used to produce personalised communication, which can be distributed through different channels (Strycharz, 2019). Figure 1 provides an overview of this process and includes examples of activities executed at every step. In the following, we apply this differentiation to introduce the PMC applications most used by marketers and investigated in research. Later, these methods will form the starting point for our legal assessment of specific PMC applications. One of the most common applications of PMC is online behavioural targeting, which can be defined as "adjusting advertisements to previous online surfing behaviour" (Smit et al., 2014, p. 15). This application uses behavioural data of consumers (often combined with other information, such as demographics), which are processed to infer which topics or products are likely to be interesting for an individual and to subsequently select advertising to display (McDonald & Cranor, 2010). A common example for this type of personalisation is showing advertising for products that a user has viewed before online, so-called remarketing, which is widely applied in banner ads on websites, on social media and in follow-up emails sent by online shops.
While behavioural and demographic data are widely used in personalisation, recent developments include personalisation adjusted not only to individuals' past behaviour and demographics, but also to their unique psychological characteristics, so-called psychological targeting (Matz et al., 2017). Research in psychology indeed shows that psychological characteristics can be accurately inferred from digital footprints, such as likes or posts on social media (Kosinski et al., 2013;Segalin et al., 2017) and that adjusting communication to these characteristics leads to higher persuasiveness of messages. Hirsh and colleagues (2012) were first to show that personalising persuasive messages to personality traits increases their effectiveness. For example, personalised messages matched to people's extraversion or openness-to-experience resulted in more clicks and more purchases than their unpersonalised counterparts (Matz et al., 2017), while personalised political ads matched to one's personality traits (predicted based on a text written by the individual) were found to be more persuasive than ads not matching one's personality (Zarouali et al., 2020). At the same time, this technique is seen as highly controversial due to societal risks involved. The Facebook/Cambridge Analytica scandal in which a political consulting firm built personality profiles of hundreds of millions of Facebook users without their awareness (Dance, 2018) and used them for persuasion purposes, highlighted some of these risks. Regardless of questionable accuracy of personality trait predictions (Marengo & Montag, 2020), psychological targeting is increasingly applied in the industry, often under the name personality-based targeting or psychographic segmentation in which consumers of a company are assigned to different personality segments (Graves & Matz, 2018).
Zooming in to specifically the output of the personalisation process, banners  and emails (Maslowska et al., 2011) are commonly used to deliver PMC. In addition, PMC is also applied on own websites and within services of companies. On-site personalisation includes adjusting websites' look and feel to individual visitors (Hauser et al., 2014). Finally, price differentiation forms a distinct category of personalised output. It can be described as "differentiating the online price for identical products or services partly based on information a company has about a potential customer" (Zuiderveen Borgesius & Poort, 2017, p. 2). Empirical research on price differentiation is scarce (e.g., Fassnacht & Unterhuber, 2016;Wolk & Ebling, 2010), but a recent survey study suggests that consumers regard price differentiation practices as unfair (Poort & Zuiderveen Borgesius, 2019 While the different PMC applications offer benefits to consumers, they are also a source of worry. Much academic research on negative consequences of PMC has focused on privacy risks (e.g., Schumann et al., 2014;McDonald & Cranor, 2010) showing that, for example, consumers worry that personal information could be misused or sold to third parties (Dinev & Hart, 2006). However, a survey among Dutch consumers has shown that they also fear being manipulated and excluded from offers and information (Strycharz et al., 2019). They feel that their personal or psychological characteristics may be (mis)used by companies. The following section therefore links PMC to a definition of consumer vulnerability to present how certain applications of personalisation can lead to vulnerability exploitation.

Personalised marketing communication and consumer vulnerabilities
In consumer research, the term vulnerability has a broad range of applications, such as individual characteristics (e.g. age), social phenomena (e.g. stereotyping), business practices (e.g. marketer manipulations), and environmental forces (e.g. natural disasters). It has been emphasised that the term should not be used simply to describe certain designated consumers (such as children), as belonging to such a group does not necessarily make individuals vulnerable: "It is the circumstances that consumers face that determine their vulnerability" (Hill & Sharma, 2020, p. 4).
All people may experience vulnerability in some situations. Therefore, defining vulnerability based on group membership is limiting as vulnerability can also be individual and contextual, i.e., stemming from the situation one is in (e.g., external circumstances that lead to distress) (Baker et al., 2005). Consumers vary in the extent to which they are vulnerable in different contexts, across time and place (Hill & Sharma, 2020). This is particularly relevant in the context of this study as PMC does not necessarily involve exploiting vulnerabilities of certain groups (e.g., targeting young consumers). Rather, some PMC applications can be used to render individuals vulnerable in a certain context by using information on them for persuasive purposes (e.g., using information on one's psychographic profile in online interactions).
Regarding different sources of vulnerabilities, Baker and colleagues (2005) proposed a distinction between vulnerability stemming from internal or external factors. On the one hand, internal factors are related to individual characteristics (e.g., skills or literacy) and individual states (e.g., motivation or stress). On the other hand, external factors include a lack of access to goods and services (e.g., having limited access to the internet impeding one's possibility to use a webshop) and the environment one operates in (e.g., the design of a website or physical place). In the remainder of this section, we will present examples how applying PMC can lead to exploitation of internal and external vulnerabilities.
Regarding internal factors, lack of understanding of targeting can make consumers vulnerable. Vulnerability may occur due to a diminished capacity to understand advertising, products, or both (Smith & Cooper-Martin, 1997). When being exposed to a persuasion attempt, e.g., a personalised ad, individuals employ three different knowledge structures to decide how to cope with this situation, namely 1) topic knowledge, i.e., beliefs about the subject of the persuasive message; 2) agent knowledge, i.e., beliefs about the party responsible for the message; and 3) persuasion knowledge, i.e., beliefs about the persuasive tactic used, the context in which it was used and its effectiveness (see the Persuasion Knowledge Model by Friestad & Wright, 1994). If consumers lack one of these knowledge structures, it diminishes their coping mechanisms and makes them vulnerable to manipulation.
In the context of PMC, Smit and colleagues (2014) have shown that consumers have insufficient knowledge to understand its working as the majority of consumers does not understand how their data is collected or what obligations companies have when they collect and process their data.
Another way in which PMC may lead to exploitation of internal vulnerabilities is psychological targeting, as it gives companies an opportunity to target internal factors to make users more vulnerable to persuasion in a specific context. Past research has discussed it as a threat to consumer autonomy and privacy as this practice negatively affects one's ability to make a rational decision (Ward, 2018). Receiving messages personalised in a way that specifically targets the personality of individuals hinders their ability to accurately sense when and how they are being manipulated. The sender can identify and target specific consumers that are more likely to react to a particularly framed message based on their personality traits, while bypassing others for whom this message could have an undesired effect (Tufekci, 2014). For example, impulsiveness can be triggered by targeting personality traits. Such traits can be predicted from one's language use on social media and past research has shown that certain personality traits strongly correlate with one's impulsiveness (Park et al., 2015). Such targeting of personality traits leading to human irrationality shows that psychological targeting can also be seen as exploitation of individual vulnerable states. This indicates that psychological targeting might take advantage of consumers' psychological weaknesses, beyond the light of their own awareness (Ward, 2018).
Personalisation can also be used to exploit the fact that vulnerability can be contextual. As Calo (2014) argues, collecting consumer data and processing it to construct individual profiles "permits firms to surface the specific ways each individual consumer deviates from rational decision-making, however idiosyncratic, and leverage that bias to the firm's advantage" (p. 1003). When applying PMC, organisations can explicitly personalise messages based on the inferred psychological state and the specific life situation of consumers. In the past, Facebook allegedly offered advertisers the option to target young users in a state of psychological vulnerability, inferring when the users feel insecure and stressed (Tiku, 2017). In a similar pattern, a marketing firm found that women feel less attractive on Mondays, especially in the morning, and recommended targeting women with beauty products specifically at that time of the week (PHD Media, 2013).
Next to internal factors, external factors that render consumers vulnerable can also be used to make personalisation more effective. Although there is lack of empirical research on the impact of external factors, numerous examples from the industry show how data on externalities can be used for PMC. One example concerns personalised dynamic pricing techniques, which have recently been criticised for not only being based on current market demand, but also on external factors that render individuals more in need of a service. For example, Uber has been criticised for increasing their price due to severe weather or ongoing safety issues (such as terrorist threats) knowing that in such a situation, consumers are in higher need of their services (Weiner, 2014). The same company has also been criticised for using data on the consumer's device to identify whether the battery of the mobile device is low, and Uber's services are urgently needed (Golson, 2016). Use of this type of data on external and situational factors about the consumer explicitly exploits the vulnerable situation they are in.
In conclusion, PMC applications can exploit consumer vulnerabilities in several ways. First, lack of understanding of targeting makes consumers vulnerable. Second, exploiting personality traits of consumers may lead to exploiting individual irrationalities. Third, PMC makes it possible to target consumers who are less rational due to other internal vulnerabilities, such as illness or psychological distress as well as due to external factors. In the next section we will provide an overview to what extent EU consumer law takes the relation between PMC and vulnerabilities into account and offers consumer protection.

Section 2: Personalised marketing communication and EU consumer protection law 2.1 Introduction
In legal literature, personalised marketing communication has so far been discussed mainly from the perspective of data protection (e.g., Steppe, 2017;Zuiderveen Borgesius & Poort, 2017;Wachter, 2020;Finck, 2021) and, to a lesser extent, non-discrimination law (see e.g., Wachter, 2020;Gerards & Zuiderveen Borgesius, 2021). However, to address the exploitation of vulnerabilities through PMC, consumer protection laws can be highly relevant as well. This is especially so because data protection law-at least in the EU-leaves significant room for the processing of data for PMC, in particular if consumers have consented to it (Zuiderveen Galli, 2020, also on the notion of "consent" under EU data protection law). In addition, the potential of EU data protection law to address the risks of PMC seems limited, taking into consideration that people tend to consent to the processing of personal data even if they believe that their privacy is important (Acquisti & Grossklags, 2005;Finck, 2021) and because it is questionable whether people truly understand the contemporary data systems and the consequences of their consent (see Finck, 2021, also for other limitations of EU data protection law in relation to personalised marketing

PMC and the Unfair Commercial Practices Directive The Unfair Commercial Practices Directive
The UCPD harmonises the regulation of business-to-consumer commercial practices in the EU. By doing so, the UCPD aims to increase the smooth functioning of the internal market while at the same time achieving a high level of consumer protection (Article 1 UCPD). The scope of the UCPD is particularly broad, as it covers any business-to-consumer commercial practice. As confirmed by the European Court of Justice ("CJEU"), this essentially includes any type of business-to-consumer advertising and marketing, including one-to-one commercial practices (CJEU C-388/13 UPC). This is relevant in the context of PMC: even communications that are fully personalised (i.e., personalised at the level of one single consumer) are "commercial practices" as defined by the UCPD.
The UCPD contains a mix of general and specific prohibitions of unfair commercial practices. In particular, it contains a general prohibition of unfair commercial practices as well as general prohibitions of misleading and aggressive commercial practices. Apart from these general prohibitions, the UCPD also contains a "black list" of specifically defined commercial practices that are deemed unfair under all circumstances.
The European Commission published a guidance document on the application of the UCPD, which was last updated in 2016 ("EC Guidance"; European Commission, 2016 Duivenvoorde, 2019). However, no amendments were introduced to the UCPD that specifically addressed PMC.

Benchmarks for protection under the UCPD
In the application of the general prohibitions in the UCPD (such as the prohibitions of misleading and aggressive commercial practices), the national courts and enforcement authorities must assess whether the economic behaviour of the "aver-age consumer" is distorted by the practice at hand (see e.g., Article 5.2(b) UCPD).
This average consumer is deemed to be "reasonably informed, observant and circumspect" (Recital 18 UCPD; CJEU C-210/96 Gut Springenheide). In practice, this means that the average consumer is generally expected to understand that advertising should be taken with a pinch of salt. It also means that the average consumer is in principle expected to read all information supplied to him and to make a rational choice based on this information. This has raised significant criticism in literature, taking into consideration that-as evidenced by behavioural insights-consumers often do not consider all information available and do not take rational decisions due to biases in their decision making (Franck & Purnhagen, 2014;Duivenvoorde, 2015;Van Boom, 2016). If the economic behaviour of the average consumer is not distorted, e.g., because the average consumer is expected to understand the persuasive tactics used and to respond rationally, the practice is-in principle-not prohibited.
Since the average consumer benchmark is the default benchmark in the UCPD, the UCPD in principle disregards vulnerabilities of consumers who, either globally or in a specific context, do not meet the standard of the average consumer. This presents a significant barrier for courts and enforcement authorities to tackle the exploitation of vulnerabilities, including through PMC applications (see similarly for US law, which operates the standard of a "reasonable person": Willis, 2020). In particular, the average consumer benchmark disregards that all people may experience vulnerability in some situations. This is problematic from the point of view of tackling the exploitation of vulnerabilities through PMC, especially because companies may use PMC to exploit consumer vulnerabilities at the individual level, e.g., through psychological targeting or by targeting consumers that are-for whatever reason, and in the situation at hand-identified as being less rational.
However, benchmarks other than the "average consumer" can be applied under certain circumstances. Through the application of these alternative benchmarks, courts and enforcement authorities can-at least to some extent-take into account the behaviour of specific groups of consumers. This can lead to a higher level of consumer protection in specific cases (Duivenvoorde, 2013).
The first of these alternatives is the target group benchmark. If a commercial practice is directed at a specific group of consumers, the average member of that group is taken as the benchmark (Article 5.2(b) UCPD). For example, for a TV commercial that is broadcasted right before a children's TV show, the average child watching the show serves as the benchmark in assessing the fairness of the commercial practice. The target group benchmark can to some extent help to address PMC-re-lated consumer vulnerability. If PMC is targeted at a specific group, the average member of that specific group can serve as the benchmark. For example, if an online advertisement is specifically directed to a group of consumers who are likely to react to that advertisement less rationally due to a personality trait (psychographic segmentation), the behaviour of the average member of that group can be taken into account-rather than the rather rational behaviour of the "average consumer".
However, in practice it will most likely be difficult for the authorities to ascertain that a specific PMC practice is actually targeted at a specific group, and that this group is indeed less rational or attentive. This applies in particular to marketing communication that is personalised at the individual level, e.g., on the basis of automated individualised A/B testing, see Section 1.1. This will make it difficult (if not: impossible) to determine that a "group" is targeted. In such a case, it will not only be difficult to determine for an enforcement authority what "group" is targeted, but also how the average member of this group is expected to respond (see similarly in relation to US law: Willis, 2020).
Arguably, if PMC is personalised at the level of an individual consumer, the individual consumer could serve as the "target group". This view is in fact taken by the Netherlands Authority for Consumers and Markets in its guidance on the protection of the online consumer (Netherlands Authority for Consumers and Markets, 2020, pp. 15 and 26). It is questionable whether this view is indeed in line with the UCPD, in particular because according to the wording of the UCPD an actual "group" must be targeted in order for the target group benchmark to be applicable.
Hence, it is doubtful whether the target group benchmark can actually serve to protect consumers when PMC is truly personalised.
The second alternative to the average consumer benchmark is the vulnerable group benchmark (Article 5.3 UCPD). If a commercial practice affects a particularly vulnerable group, the average member of that group serves as the benchmark.
Rather than focusing on who is targeted by the commercial practice, this benchmark focuses on who is affected by the practice. Hence, the added value of the vulnerable group benchmark compared to the target group benchmark is that this benchmark can also be applied if a company is not targeting its marketing communication to a specific group (Anagnostaras, 2010;Trzaskowski, 2016). Article 5.3 UCPD specifically refers to vulnerability due to "age, mental or physical infirmity or credulity", but also seems to be applicable to other potential sources of groupbased vulnerability (Anagnostaras, 2010;Duivenvoorde, 2013;Trzaskowski, 2013).
However, the vulnerable group benchmark is only applicable if certain requirements are fulfilled. Firstly, Article 5.3 UCPD essentially only takes into account group-based vulnerabilities and not individual and contextual vulnerabilities.
Hence, the notion of vulnerability in the UCPD is considerably narrower compared to the understanding of vulnerability in consumer research. Secondly, the vulnerability must be reasonably foreseeable to the company. And finally, the vulnerable group must be "clearly identifiable". These requirements tend to significantly limit this benchmark's scope of protection (Duivenvoorde, 2013;Trzaskowski, 2013;Galli, 2020;Helberger et al., 2021, p. 25). At the same time, it could be argued that the requirement of reasonable foreseeability could be fulfilled more easily in a PMC context, at least if the vulnerability of a particular group is apparent to the company due to the data that is available to it. Still, it will likely be difficult in practice for the authorities to pinpoint a specifically vulnerable group that is clearly identifiable and to prove that the vulnerability of this group was indeed reasonably foreseeable to the company. This is especially the case because companies may base their targeting on a combination of different characteristics (such as multiple demographics as well as past online behaviour), rather than on a one specific group characteristic.
All in all, the potential of the vulnerable group benchmark to address consumer vulnerability in the context of PMC seems limited and is therefore ill-fitted to effectively deal with the exploitation of vulnerabilities through PMC. This is especially the case because the approach of addressing group-based vulnerability disregards that vulnerability, as is pointed out by Baker and colleagues (2005), can be temporary and related to external factors.

PMC and misleading commercial practices
The UCPD prohibits misleading commercial practices. In particular, it prohibits misleading actions (i.e., misleading consumers by providing them with false or misleading information, Article 6 UCPD) and misleading omissions (i.e., withholding essential information to consumers, Article 7 UCPD). For any PMC practice to be assessed as misleading, it must either be misleading to the average consumer (or possibly to the target group or vulnerable group, if such a benchmark is applicable) or must omit essential information (such as the full price inclusive of taxes and additional costs). Hence, the starting point is that influencing consumers is in principle allowed, as long as consumers are provided with sufficient and correct information. This is in fact one of the guiding principles in EU consumer protection law, which is also known as the "information paradigm" (Reich & Micklitz, 2014, p. 22;Van Boom, 2016, p. 402).
In principle, the UCPD does not require companies to disclose that marketing communication is personalised (see for the discussion whether and to what extent a similar duty exists under EU data protection law e.g., Veale & Edwards, 2019;Galli, 2020;Malgieri, 2019). This is another barrier in effectively tackling the exploitation of vulnerabilities through PMC, taking into consideration that lacking such knowledge makes it more difficult for consumers to cope with vulnerabilities arising from PMC.
Arguably, not disclosing to consumers that an offer (such as a price for a specific the consumer what the price of a specific product is, rather than having to explain that this price has been personalised. As will be shown below, such a duty does arise from the amended Consumer Rights Directive.

PMC and aggressive commercial practices
The UCPD also prohibits aggressive commercial practices (Articles 8 and 9 UCPD).
In essence, aggressive commercial practices are selling techniques which limit the consumer's freedom of choice or conduct regarding the product by use of harassment, coercion (including the use of physical force) or undue influence. These are practices that are thought to distort the free shaping of the will of the consumer, using techniques which compromise the consumer's freedom of choice (Carballo-Calero, 2016).
The prohibitions of aggressive practices in the UCPD (including the "black list" of aggressive practices) do not specifically regulate PMC. In order for a practice to be prohibited, (i) a company must exercise harassment, coercion or undue influence and (ii) this practice must impair the average consumer's freedom of choice (or, under circumstances: that of an average member of the target group or the vulnerable group) in a way that causes him or is likely to cause him to take a transactional decision that he would not have taken otherwise. From these requirements it follows once more that influencing consumers (either through regular advertising or through PMC) is in principle allowed (see also European Commission, 2016, p. 78), with the exception that the company may not exercise harassment, coercion or undue influence-notions that seem to point to rather clear-cut cases of unduly pressuring consumers to do something against their will. In addition, the average consumer benchmark again serves as a significant barrier in effectively protecting consumers against the exploitation of vulnerabilities through PMC.
Still, PMC practices could be prohibited as aggressive commercial practices under specific circumstances. Especially "undue influence" can be of relevance to PMC.
Undue influence is defined in Article 2(j) UCPD as "exploiting a position of power in relation to the consumer so as to apply pressure, even without using or threatening to use physical force, in a way which significantly limits the consumer's ability to make an informed decision." The UCPD does not make clear when a "position of power" ex- ists, but the UCPD seems to refer to a specific position of power of the company vis-à-vis the consumer, rather than structural market inequalities (such as information asymmetry) (Caronna, 2018). Such a position of power could exist, for example, if the consumer has become psychologically dependent on the company (Micklitz et al., 2010, pp. 147-148). Arguably, the context of PMC (in which companies collect data on consumers' behaviour in order to influence them more effectively) can put those companies into a position of power (see also Helberger et al., 2021). This could be the case in particular if the company holds information on vulnerability of the consumer, such as the psychological state of the consumer (e.g., state of distress) or on detrimental external circumstances (such as the consumer having to book a taxi while having a low phone battery).
However, the mere imbalance of power is insufficient to conclude that the company is exercising undue influence (see the text of Article 2(j) UCPD cited above and Caronna, 2018). A practice constitutes undue influence only if the company is exploiting the power imbalance and is applying pressure onto the consumer, in a way that makes the consumer uncomfortable and confuses their thinking in relation to the decision they are about to take (CJEU C-628/17 Orange Polska). In the words of Advocate-General Campos Sánchez-Bordona, this pressure must cause "the forced conditioning of the consumer's will" (Opinion in cases C-54/17 and C-55/17 AGCM v Wind and Vodafone). For example, charging a higher price to consumers who are in a hurry to book a taxi ride is in itself not putting the consumer under pressure.
This could possibly be different if the taxi company would send a pop-up message to the consumer saying that "Your battery is low -book this ride immediately!".
In this context, it is important to note that Article 9 UCPD emphasises that one of the elements that should be taken into account when assessing whether a practice constitutes undue influence is "the exploitation by the trader of any specific misfortune or circumstance of such gravity as to impair the consumer's judgement, of which the trader is aware, to influence the consumer's decision with regard to the product".
Also on the basis of this provision it seems likely that merely contracting with a consumer who is in high need of a product or service, or even charging a higher price to such a consumer, is insufficient for the practice to be aggressive. Again, it seems that additional circumstances are needed. Similarly, the mere targeting of advertising to consumers who are in a vulnerable psychological state is unlikely to constitute an aggressive commercial practice in itself. For example, targeting online advertising for a book on "better sleeping" to people who are awake in the middle of the night and are therefore likely to have sleeping problems is probably not aggressive as such, but repeated targeting of such advertising during the night could well be (since this could constitute putting the consumer under pressure).
In conclusion, the prohibition of aggressive commercial practices does provide some potential to tackle the exploitation of vulnerabilities through PMC, but only under specific circumstances. The notions of harassment, coercion and undue influence are essentially written to challenge rather clear-cut practices, which involve unduly pressuring consumers to do something they do not intend to. In contrast, the exploitation of PMC will often involve more subtle ways of influencing consumers, such as psychological targeting or personalising content on the basis of the inferred psychological state or life situation of a consumer. Such forms of PMC can exploit consumer vulnerabilities, without clearly satisfying the requirements of Articles 8 and 9 UCPD.

PMC and the general clause
Commercial practices are also prohibited if they are "contrary to the requirements of professional diligence". This follows from the general prohibition of unfair commercial practices in Article 5 UCPD. The general clause essentially functions as a "safe- However, this general prohibition can be of use in relation to practices that were not foreseen at the time the UCPD was introduced, including PMC. In order for PMC practices to be prohibited under Article 5 UCPD, the practice at hand must-in essence-go against the normative values that apply in the specific field of busi-ness activity (European Commission 2016, p. 51). This provides some potential to challenge the exploitation of vulnerabilities through PMC, but only if the practice is not accepted within the industry. For example, targeting impulsive consumers with advertising for products that they are likely to regret purchasing could potentially qualify as an unfair commercial practice, provided that it can be established that such a group has been specifically targeted. If this cannot be established, the practice is likely to be allowed, taking into consideration that the average consumer is in principle expected to respond rationally. Similarly, targeting teenagers who feel insecure and stressed with advertising which makes use of their mental states, could qualify as an unfair commercial practice (also it does not involve putting the teenagers under pressure), again provided that such a group has been targeted specifically. However, it must be noted that this is unchartered territory, and that the notion of professional diligence is notoriously vague.

PMC and the Consumer Rights Directive: price personalisation
The The new information duty does-to some extent-address the lack of understanding of price personalisation that consumers may have and that can make them vulnerable to this practice. The new information duty will at least ensure that consumers will be aware that a price is personalised. At the same time, it is questionable whether consumers will really understand the (in some cases: negative) effects of personalised pricing in a specific case, taking into consideration that companies will not be obliged to disclose what data the personalisation is based on and to what extent this price is different to that of other consumers.

Conclusion
The aim of this article was to examine the ways in which PMC can exploit consumer vulnerabilities as well as to analyse to what extent consumers are protected against such exploitation under EU consumer law. A review of past empirical literature showed that PMC indeed has the potential to exploit both internal and external vulnerabilities. Internal vulnerabilities can be exploited in three ways. First, due to a lack of appropriate persuasion knowledge about PMC, consumers may not be able to adequately respond to the persuasion attempt. Second, psychological targeting renders consumers less rational in reaction to PMC. Finally, utilising the fact that internal vulnerability can also be temporary and contextual, organisations can exploit such vulnerabilities in users by creating an environment that takes advantage of, for example, consumers' emotional states or personal concerns. Regarding external vulnerability, companies can take advantage of the environment of the consumer and exploit the consumer's lack of access to resources.
As to the legal protection against the possibilities for exploitation of vulnerabilities through PMC, this article has shown that PMC is not specifically regulated under EU consumer law, with the exception of the new information duty on personalised pricing in the CRD. PMC practices can be prohibited under circumstances, just as other (non-personalised) commercial practices. However, the system of consumer benchmarks in the UCPD constitutes a significant barrier in effectively tackling the exploitation of vulnerabilities through PMC. In addition, even if it can be established that the average consumer or a specific target group or vulnerable group is harmed, PMC applications that exploit consumer vulnerabilities will in most cases not be typical misleading or aggressive practices. Instead, the exploitation of vulnerabilities through PMC may well involve more subtle ways of influencing consumers, which lend their effectiveness to being based on individual profiles inferred from data collected on the specific consumer (such as the consumer's tendency to react less rationally in certain situations). Such applications may potentially qualify as unfair commercial practices, but the UCPD is clearly not written to tackle such cases.

Implications for consumer law and future research
What are the implications of these conclusions? We will discuss how EU consumer law could respond in order to tackle the exploitation of vulnerabilities through PMC more effectively and address the implications of our conclusions for future research.
Taking into consideration that EU consumer law aims to achieve a high level of consumer protection, it would make sense to strengthen EU consumer law in order to tackle the exploitation of vulnerabilities through PMC more effectively. The exploitation of vulnerabilities through PMC can be seen as harmful both for individuals (as a threat to the autonomy to make informed decisions, see Calo, 2014 andSusser et al., 2019) and for the economy (since consumer manipulation potentially constitutes market failure, see Averitt & Lande, 1997;Hanson & Kysar, 1999;and Calo, 2014). Framed differently: the potential of exploitation of consumer vulnerabilities through PMC is likely to increase the power asymmetry between companies and consumers (Calo, 2014;Helberger et al., 2021). Consumer law could do something about it.
By saying this, we do not imply that EU consumer law is the only field of law through which exploitation of PMC-related vulnerabilities can be tackled. For example, specific risks of discrimination through PMC (such as through price discrimination) could be tackled through non-discrimination law (see e.g., Zuiderveen- Gerards & Zuiderveen Borgesius, 2021). In addition, the exploitation of vulnerabilities through PMC could partly be prevented by limiting the possibilities for companies to collect data through data protection law (see Calo, 2014;Zarsky, 2019). However, taking into consideration that consumer law (more than data protection law) aims at protecting consumers against economic harm by reducing power asymmetries between companies and consumers, it makes sense to look at EU consumer law to at least offer part of the solution.
This is not to say that an "easy fix" is available for EU consumer law to effectively tackle vulnerability exploitation through PMC. For example, an overall ban on PMC (as has been defended by some, see Willis, 2020) would be undesirable for many, taking into consideration that PMC can also be beneficial to consumers in many ways (e.g., Boerman et al., 2017;Tran, 2017). Moreover, this article has shown that the relationship between PMC and consumer vulnerability is complex and multidimensional. As a result, it seems impossible to solve the problem by simply replacing the notion of vulnerability in the UCPD (Article 5.3) with a new and better one. Rather than trying to implement an easy fix, it makes sense to strengthen EU consumer law through a combination of improvements.
One improvement could be a progressive interpretation of the UCPD by courts and enforcement authorities. For example, the CJEU could recognise that the average consumer does not always respond rationally to commercial practices, in particular if such practices are personalised. This would make it easier for national courts and enforcement authorities to assess the exploitation of PMC-related vulnerabilities as unfair, also if no clear "target group" or "vulnerable group" can be identified In addition, changes to EU consumer law could strengthen its potential to effectively tackle the exploitation of vulnerabilities through PMC. For example, an information duty could be introduced to ensure that consumers are informed that commercial content is personalised and on the basis of what data this is done.
This could increase consumers' persuasion knowledge and help them to deal with personalised persuasion attempts (see Section 1.2). In fact, such a transparency requirement has recently been proposed as part of the EU Digital Services Act ("DSA", European Commission, 2020), which is an ambitious attempt to introduce more stringent rules on internet intermediaries in relation to a broad range of issues (Savova, et al., 2021;Savin, 2021;Cauffman & Goanta, 2021). Article 24 of the DSA proposes that in case of personalised advertising, online platforms must provide "meaningful information about the main parameters used to determine the recipient to whom the advertisement is displayed. " However, this information duty is limited to advertising via online platforms and thus does not apply to other forms of PMC, such as personalised apps and webshops. In addition, it is questionable whether the duty to inform consumers about "the main parameters" will actually make consumers understand whether and how their vulnerabilities are being targeted.
Moreover, even if a broader information duty would be introduced (e.g., in the UCPD, taking into consideration that the DSA will apply to online intermediaries only), it is important to realise that being unaware of the persuasive tactics applied in marketing content is just one of the ways in which PMC may lead to exploitation of consumer vulnerabilities (see Section 1.2). Finally, consumer research shows that information duties tend to have a limited effect in effectively empowering consumers (see for empirical research on transparency and consumer empowerment in the context of consent for data collection and processing for PMC, Strycharz et al., 2021; see for the difficulties of effectively explaining the negative consequences of PMC in relation to data protection law also, Wachter et al., 2018).
Hence, an information duty can only be part of the solution.
An additional measure to more effectively tackle the exploitation of vulnerabilities through PMC could be to introduce a clause in the UCPD that essentially prohibits PMC applications that are designed to exploit the vulnerabilities of one or more consumers, without the UCPD's consumer benchmarks being applicable to this clause. Such a clause could be accompanied by the introduction of a number of new practices on the UCPD's black list, which specifically address PMC practices exploit vulnerabilities.
Finally, in order to effectively enforce the UCPD in relation to PMC, it would make sense to introduce a duty for companies applying PMC to disclose for each market- Further legal research could be conducted in order to develop these proposals (and quite possibly: others) in detail. In addition, empirical research on the contextual and external types of vulnerabilities in online interactions with companies is necessary to make identification of vulnerability exploitation easier. While conceptualising these new forms of digital vulnerability has received growing attention (Hill & Sharma, 2020), research on operationalising these vulnerabilities and their role in consumer online interactions is still scarce. In addition, studying vulnerabilities that are temporal and contextual, rather than permanent and group-based, poses new challenges to the field. Traditional empirical methods used to study group-based vulnerabilities are often not applicable in this context. However, as shown by Bol et al., 2020, studies using "digital trace data" have the potential to uncover the relation between personalisation and vulnerability factors. Such data can be collected through tracking consumer behaviour and their exposure to PMC (Bol et al., 2020) or by analysing data voluntarily donated to researchers by individuals (data obtained through access requests under the GDPR, see Boeschoten, 2020). Another possibility for identifying the link between PMC and consumer vulnerabilities is use of ad archives, i.e., publicly accessible databases documenting advertisements on different platforms (Leerssen et al., 2019). Such empirical research into the link between PMC and consumer vulnerabilities on an individual level can also provide further insights into the necessary protection for consumers.