Articles about privacy and consent management are plentiful online. And while most companies understand these principles, it’s important to remember what they actually mean. Customers allow companies to use their data—and they can opt-out at any time. Professional email marketers understand this and provide simple methods of expressing interest or unsubscribing. However, any company that makes the process overly complicated could be asking for trouble.
At 4Thought Marketing, when discussing consent management, we distinguish between two different aspects: consent and permission. Consent is simple to understand. It’s an action taken by the customer. Either a customer grants it, or they don’t. Any customer that chooses to grant consent allows the company to communicate with them about a particular brand or product. But what if consent is never granted? Does that mean the company cannot reach out to a potential customer at all?
In this article, we’ll cover consent and permission, as well as the essential role they play in data privacy. Let’s start with some fundamental questions from the perspective of a digital consumer:
Privacy regulations worldwide all have something to say about consent. The most specific was the European General Data Protection Regulation (GDPR), which took effect in May 2018. Since the GDPR has provided a blueprint for subsequent privacy laws, it’s an excellent place to begin learning about how the law views customer consent.
When customers provide an active response to a question asking for consent (such as checking a box), you are allowed to communicate with them. They have provided consent. The GDPR and similar laws also allow you to send communications under certain other circumstances, even if the individual has not explicitly given consent. These communications fall under a category that the GDPR calls “legitimate interest”, or “implied consent” as the Canadian privacy law CASL puts it.
But how can your company tell the difference? If someone has not provided consent but is eligible to receive marketing emails from you, can your company get in trouble for contacting them? To truly understand the answer, we need to distinguish between two similar concepts: consent and permission.
However, this permission is still somewhat limited by the consumer’s actions. Under GDPR, you cannot arbitrarily send information about Product ABC if a person shows interest in or purchases Product PDQ. You must be able to justify the connection. And if no connection exists, you’re restricted to contacting the customer about Product PDQ only. This is a good rule to follow even if local laws don’t require it—no business wants to alienate a customer.
Finally, your permission to contact the customer will eventually expire. While the GDPR doesn’t place an explicit time restriction, companies establish and adhere to certain guidelines for expiration dates.
According to the DMA, any business subject to the GDPR should consider adopting permission timeframes such as the following:
In some situations, you will have a compelling reason to keep customer data (or contact the customer) longer than usual, by legal standards or by your own. To justify why you need to do this, you must be able to prove that you have legitimate interests that are best served with customer data. Under the GDPR, legitimate interests for a company include:
To summarize, if your company is focused exclusively on explicit consent, you might be losing the chance to stay in touch with a larger pool of potential customers. You may be able to communicate with them based on legitimate interest or permission by proxy. As a marketer, you have both the responsibility and the opportunity to know what local regulations allow and to ensure you’re making the best use of your contact database. But at the same time, you also have the responsibility to respect the wishes of the people you contact. Your company’s data policy and practices should reflect these responsibilities. Your first duty is to provide your customers with an enjoyable, safe experience interacting with your website.
Not sure if you’re handling your customers’ data correctly? Get in touch with us to get the problem sorted out.