Privacy laws tend to emphasize customer consent in multiple areas: information sharing, marketing purposes, being contacted, and more. However, these same laws cover more than explicit consent. Marketers may not realize that even if a customer declines to provide explicit consent to be contacted, it may still be permissible to get in touch with them. Let’s look at how our privacy software, 4Comply, distinguishes consent vs. permission.
Privacy regulations worldwide all have something to say about consent. The most specific was the European General Data Protection Regulation (GDPR), which took effect in May 2018. Since the GDPR has provided a blueprint for subsequent privacy laws, it’s an excellent place to learn how the law views customer consent.
“Consent” is a legal term defined as an action taken by the customer. Any customer who actively chooses to allow a company to communicate with them has granted consent. It’s either given or not given, and customers who don’t explicitly give it should not be contacted.
However, the GDPR and similar laws also allow you to send communications under certain other circumstances, even if the individual has not explicitly given consent. These communications fall under a category that the GDPR calls “legitimate interest”, or “implied consent” as the Canadian privacy law CASL puts it. Even implied consent, though, requires an action on the customer’s part, usually making a large purchase or attending a company-hosted event. The customer must display a degree of interest before the company can contact them.
However, this permission is still somewhat limited by the consumer’s actions. Under the GDPR, you cannot arbitrarily send information about Product ABC if a person shows interest in or purchases Product XYZ. You must be able to justify the connection. And if no connection exists, you’re restricted to contacting the customer about Product XYZ only. This is a good rule to follow even if local laws don’t require it—no business wants to alienate a customer.
To briefly summarize, 4Comply tracks these two categories:
Your permission to contact the customer will eventually expire. While the GDPR doesn’t include an explicit time restriction, companies establish and adhere to certain guidelines for expiration dates.
According to the Data & Marketing Association (DMA), any business subject to the GDPR should consider adopting permission time frames such as the following:
In general, just be respectful. No customer wants to receive emails about Product ABC forever because they watched a video about it on your website years ago.
In some situations, you will have a compelling reason to keep customer data (or contact the customer) longer than usual. To justify why you need to do this, you must be able to prove that you have legitimate interests that are best served with customer data. Legitimate interests for a company under the GDPR include:
If your company is focused exclusively on explicit consent, you might be losing the chance to stay in touch with a larger pool of potential customers. You may be able to communicate with them based on legitimate interest or permission by proxy. As a marketer, you have both the responsibility and the opportunity to know what local regulations allow and to ensure you’re making the best use of your contact database. But at the same time, you have the responsibility to respect the wishes of the people you contact. Your company’s data policy and practices should reflect these responsibilities.
Not sure if you’re handling your customers’ data correctly? Get in touch with us to get the problem sorted out.