Privacy laws tend to emphasize customer consent in multiple areas: information sharing, marketing purposes, being contacted, and more. However, these same laws cover more than explicit consent. Marketers may not realize that even if a customer declines to provide explicit consent to be contacted, it may still be permissible to get in touch with them. Let’s look at how our privacy software, 4Comply, distinguishes consent vs. permission.
Consent: A Legal Overview
Privacy regulations worldwide all have something to say about consent. The most specific was the European General Data Protection Regulation (GDPR), which took effect in May 2018. Since the GDPR has provided a blueprint for subsequent privacy laws, it’s an excellent place to learn how the law views customer consent.
“Consent” is a legal term defined as an action taken by the customer. Any customer who actively chooses to allow a company to communicate with them has granted consent. It’s either given or not given, and customers who don’t explicitly give it should not be contacted.
However, the GDPR and similar laws also allow you to send communications under certain other circumstances, even if the individual has not explicitly given consent. These communications fall under a category that the GDPR calls “legitimate interest,” or “implied consent,” as the Canadian privacy law CASL puts it. Even implied consent, though, requires an action on the customer’s part, usually making a large purchase or attending a company-hosted event. They must display a degree of interest before the company can contact them.
Consent vs. Permission in 4Comply
However, this permission is still somewhat limited by the consumer’s actions. Under the GDPR, you cannot arbitrarily send information about Product ABC if a person shows interest in or purchases Product XYZ. You must be able to justify the connection. And if no connection exists, you’re restricted to contacting the customer about Product XYZ only. This is a good rule to follow even if local laws don’t require it—no business wants to alienate a customer.
To briefly summarize, 4Comply tracks these two categories:
- Consent is actively and explicitly given or not given to you by your contacts.
- Permission is calculated from the actions taken by your contacts, with the applicable regulations and your company’s privacy policies then applied to those actions.
How Long Can You Save Customer Data?
Your permission to contact the customer will eventually expire. While the GDPR doesn’t include an explicit time restriction, companies establish and adhere to certain guidelines for expiration dates.
According to the Data & Marketing Association (DMA), any business subject to the GDPR should consider adopting permission time frames such as the following:
- Keep emails and phone numbers no longer than 6 months
- Keep mailing addresses for postal marketing no longer than 2 years
- Keep first-party data of any kind no longer than 2 years
In general, just be respectful. No customer wants to receive emails about Product ABC forever because they watched a video about it on your website years ago.
Retaining Data Longer Than Normal
In some situations, you will have a compelling reason to keep customer data (or contact the customer) longer than usual. To justify why you need to do this, you must be able to prove that you have legitimate interests that are best served with customer data. Legitimate interests for a company under the GDPR include:
- Fraud prevention
- IT security
Are You Handling Customer Data Correctly?
If your company is focused exclusively on explicit consent, you might be losing the chance to stay in touch with a larger pool of potential customers. You may be able to communicate with them based on legitimate interest or permission by proxy. As a marketer, you have both the responsibility and the opportunity to know what local regulations allow and to ensure you’re making the best use of your contact database. But at the same time, you have the responsibility to respect the wishes of the people you contact. Your company’s data policy and practices should reflect these responsibilities.
Not sure if you’re handling your customers’ data correctly? Get in touch with us to get the problem sorted out.