Consent vs. Permission: Properly Using Customer Data
Privacy laws tend to emphasize customer consent in multiple areas: information sharing, marketing purposes, being contacted, and more. However, these same laws cover more than explicit consent. Marketers may not realize that even if a customer declines to provide explicit consent to be contacted, it may still be permissible to get in touch with them. Let’s look at how our privacy software, 4Comply, distinguishes consent vs. permission.
Consent: A Legal Overview
Privacy regulations worldwide all have something to say about consent. The most specific was the European General Data Protection Regulation (GDPR), which took effect in May 2018. Since the GDPR has provided a blueprint for subsequent privacy laws, it’s an excellent place to learn how the law views customer consent.
“Consent” is a legal term defined as an action taken by the customer. Any customer that actively chooses to allow a company to communicate with them has granted consent. It’s either given, or not given, and customers that don’t explicitly give it should not be contacted.
However, the GDPR and similar laws also allow you to send communications under certain other circumstances, even if the individual has not explicitly given consent. These communications fall under a category that the GDPR calls “legitimate interest”, or “implied consent” as the Canadian privacy law CASL puts it. However, even implied consent requires an action on the customers’ part, usually making a large purchase or attending a company-hosted event. They must display a degree of interest before the company can contact them.
Consent vs. Permission in 4Comply
4Comply takes legitimate interest into account and from there, derives the related concept of “permission.” Rather than an explicit yes or no, permission relies on analyzing your customers’ activity and seeing what the law and your company’s privacy policy allows.
As stated earlier, certain choices the customer makes can imply permission to be contacted. For example, consider a customer who purchases from your website. They have to provide a good deal of information to do so. If your company’s policy states that you are allowed to communicate with the customer about their new purchase for a certain amount of time, and if you explain this as part of your privacy policy, the company can derive permission if they complete the purchase. They’ve been informed of and have agreed to your terms.
However, this permission is still somewhat limited by the consumer’s actions. Under the GDPR, you cannot arbitrarily send information about Product ABC if a person shows interest in or purchases Product XYZ. You must be able to justify the connection. And if no connection exists, you’re restricted to contacting the customer about Product XYZ only. This is a good rule to follow even if local laws don’t require it—no business wants to alienate a customer.
To briefly summarize, 4Comply tracks these two categories:
- Consent is actively and explicitly given or not given to you by your contacts.
- Permission is calculated from the actions taken by your contacts, with the applicable regulations and your company’s privacy policies then applied to those actions.
How Long Can You Save Customer Data?
Your permission to contact the customer will eventually expire. While the GDPR doesn’t include an explicit time restriction, companies establish and adhere to certain guidelines for expiration dates.
According to the Data & Marketing Association (DMA), any business subject to the GDPR should consider adopting permission time frames such as the following:
- Keep emails and phone numbers no longer than 6 months
- Keep mailing addresses for postal marketing no longer than 2 years
- Keep first-party data of any kind no longer than 2 years
Again, these are simply suggestions based on generalized understanding of the GDPR. You should consult your legal team, your marketing team, and your own data retention guidelines in your privacy policy to best serve you and your customers’ interests.
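As an added illustration (not 4Comply’s code, which this page does not show), the Python sketch below models the two categories from the previous section together with the suggested time frames: explicit consent is a stored yes/no per channel, while permission is derived from a contact’s qualifying actions about a specific product and expires after the channel’s window. Expressing “6 months” as 182 days and “2 years” as 730 days, the `QUALIFYING_ACTIONS` set, the `RELATED_PRODUCTS` policy table and the sample contacts are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Channel windows taken from the DMA suggestions above; expressing "6 months" as
# 182 days and "2 years" as 730 days is an assumption of this example.
PERMISSION_WINDOWS = {
    "email": timedelta(days=182),
    "phone": timedelta(days=182),
    "postal": timedelta(days=730),
}

# Actions the text names as implying interest (a hypothetical policy setting).
QUALIFYING_ACTIONS = {"purchase", "event_attendance"}

# Hypothetical policy table: which other products the company can justify
# mentioning after interest in a given product. Without an entry, only the
# product itself is in scope (the "Product XYZ only" rule).
RELATED_PRODUCTS = {
    "XYZ": {"XYZ", "XYZ-accessory-kit"},
}


@dataclass
class Action:
    kind: str      # e.g. "purchase", "event_attendance", "video_view"
    product: str   # product the action concerned
    on: date       # date of the action


@dataclass
class Contact:
    consent: dict = field(default_factory=dict)   # channel -> True if explicitly given
    actions: list = field(default_factory=list)   # recorded Action objects


def products_in_scope(product: str) -> set:
    """Products that interest in `product` can justify contacting someone about."""
    return RELATED_PRODUCTS.get(product, {product})


def check_permission(contact: Contact, channel: str, product: str, today: date):
    """Decide whether `contact` may be reached on `channel` about `product`.

    Returns (allowed, basis, expires). Explicit consent is a stored yes/no with
    no expiry in this model; permission is derived from qualifying actions and
    carries an expiry date. Handling a later unsubscribe or objection is out of
    scope for this sketch.
    """
    if contact.consent.get(channel) is True:
        return True, "consent", None

    if channel not in PERMISSION_WINDOWS:
        return False, "unknown_channel", None

    # Only actions whose product justifies talking about `product` count.
    relevant = [
        a for a in contact.actions
        if a.kind in QUALIFYING_ACTIONS and product in products_in_scope(a.product)
    ]
    if not relevant:
        return False, "no_related_action", None

    latest = max(a.on for a in relevant)
    expires = latest + PERMISSION_WINDOWS[channel]
    if today <= expires:
        return True, "permission", expires
    return False, "permission_expired", expires


def demo_decisions(today_iso: str) -> dict:
    """Run the check over constructed sample contacts; returns decisions keyed by case."""
    today = date.fromisoformat(today_iso)
    consented = Contact(consent={"email": True})                               # explicit yes
    buyer = Contact(actions=[Action("purchase", "XYZ", date(2023, 10, 1))])    # implied interest
    viewer = Contact(actions=[Action("video_view", "XYZ", date(2023, 12, 1))]) # not qualifying
    cases = {
        "consented_email_abc": (consented, "email", "ABC"),
        "buyer_email_xyz": (buyer, "email", "XYZ"),
        "buyer_email_kit": (buyer, "email", "XYZ-accessory-kit"),
        "buyer_email_abc": (buyer, "email", "ABC"),
        "buyer_postal_xyz": (buyer, "postal", "XYZ"),
        "viewer_email_xyz": (viewer, "email", "XYZ"),
    }
    out = {}
    for name, (contact, channel, product) in cases.items():
        allowed, basis, expires = check_permission(contact, channel, product, today)
        out[name] = (allowed, basis, expires.isoformat() if expires else None)
    return out


if __name__ == "__main__":
    for case, decision in demo_decisions("2024-01-15").items():
        print(case, decision)
```

Running the demo with a date of 2024-01-15 shows the buyer reachable by email about XYZ (and its related kit) until 2024-03-31, reachable by post for the longer window, and not reachable about the unrelated Product ABC; by 2024-06-01 the email permission has expired while the postal one has not. The contact who only watched a video never gains permission, which is the situation the next paragraph warns against.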
In general, just be respectful. No customer wants to receive emails about Product ABC forever because they watched a video about it on your website years ago.
Retaining Data Longer Than Normal
In some situations, you will have a compelling reason to keep customer data (or contact the customer) longer than usual. To justify why you need to do this, you must be able to prove that you have legitimate interests that are best served with customer data. Legitimate interests for a company under the GDPR include:
- Fraud prevention
- IT security
- Marketing
Customers may be inherently suspicious of a company that insists on keeping their data on file for a long time. To combat this, provide a clear privacy policy and explain exactly how data is used. Demonstrate that your customers’ privacy is not being violated.
Are You Handling Customer Data Correctly?
If your company is focused exclusively on explicit consent, you might be losing the chance to stay in touch with a larger pool of potential customers. You may be able to communicate with them based on legitimate interest or permission by proxy. As a marketer, you have both the responsibility and the opportunity to know what local regulations allow and to ensure you’re making the best use of your contact database. But at the same time, you have the responsibility to respect the wishes of the people you contact. Your company’s data policy and practices should reflect these responsibilities.
Not sure if you’re handling your customers’ data correctly? Get in touch with us to get the problem sorted out.