Consent vs. Permission: Properly Using Customer Data

consent vs permission x
consent vs permission x

Articles about privacy and consent management are plentiful online. And while most companies understand these principles, it’s important to remember what they actually mean. Customers allow companies to use their data—and they can opt-out at any time. Professional email marketers understand this and provide simple methods of expressing interest or unsubscribing. However, any company that makes the process overly complicated could be asking for trouble.

At 4Thought Marketing, when discussing consent management, we distinguish between two different aspects: consent and permission. Consent is simple to understand. It’s an action taken by the customer. Either a customer grants it, or they don’t. Any customer that chooses to grant consent allows the company to communicate with them about a particular brand or product. But what if consent is never granted? Does that mean the company cannot reach out to a potential customer at all?

4Comply takes the concept of consent into account and from there, derives a related concept: permission. Rather than an explicit yes or no, permission relies on analyzing your customers’ activity and seeing what the law and your company’s own privacy policy will allow. Making a purchase, especially a major one, can result in permission for the company to contact the customer about their purchase. But the exact extent of your ability to contact the customer is more restricted.

In this article, we’ll cover consent and permission, as well as the essential role they play in data privacy. Let’s start with some fundamental questions from the perspective of a digital consumer:

  • When someone provides consent, what does that mean to the company asking for consent?
  • If you don’t give consent, is that the same as unsubscribing from future emails?
  • Once consent is given, does that consent expire? Can you retract it?

Important Privacy Laws to Understand

Privacy regulations worldwide all have something to say about consent. The most specific was the European General Data Protection Regulation (GDPR), which took effect in May 2018. Since the GDPR has provided a blueprint for subsequent privacy laws, it’s an excellent place to begin learning about how the law views customer consent.

When customers provide an active response to a question asking for consent (such as checking a box), you are allowed to communicate with them. They have provided consent. The GDPR and similar laws also allow you to send communications under certain other circumstances, even if the individual has not explicitly given consent. These communications fall under a category that the GDPR calls “legitimate interest”, or “implied consent” as the Canadian privacy law CASL puts it.

But how can your company tell the difference? If someone has not provided consent but is eligible to receive marketing emails from you, can your company get in trouble for contacting them? To truly understand the answer, we need to distinguish between two similar concepts: consent and permission.

Consent vs. Permission in 4Comply

  • Consent is actively and explicitly given or not given to you by your contacts.
  • Permission is calculated based on actions taken by your contacts and then applying the applicable regulations and your company’s privacy policies.

Customers give permission through several possible methods. In most cases, this can be a case of giving permission by proxy when customers perform a related action. For example, consider the example of a customer making a purchase from your website. They have to provide a good deal of information to do so. If your company’s policy states that you are allowed to communicate with the customer about their new purchase for a certain amount of time, and if you explain this as part of your privacy policy, the company can derive permission if they  proceed with the purchase. They’ve been informed how you will use and retain their data and they’ve agreed to it.

However, this permission is still somewhat limited by the consumer’s actions. Under GDPR, you cannot arbitrarily send information about Product ABC if a person shows interest in or purchases Product PDQ. You must be able to justify the connection. And if no connection exists, you’re restricted to contacting the customer about Product PDQ only. This is a good rule to follow even if local laws don’t require it—no business wants to alienate a customer.

How Long Can You Save Customer Data?

Finally, your permission to contact the customer will eventually expire. While the GDPR doesn’t place an explicit time restriction, companies establish and adhere to certain guidelines for expiration dates.

According to the DMA, any business subject to the GDPR should consider adopting permission timeframes such as the following:

  • Keep emails and phone numbers no longer than six months
  • Keep mailing addresses for postal marketing no longer than two years
  • Keep first-party data of any kind no longer than two years

Again, these are simply suggestions based on generalized understanding of the GDPR. You should consult with your legal team and your own data retention guidelines in your privacy policy to best serve you and your customers’ interests. In general, just be respectful. No customer wants to receive emails about Product ABC forever because they watched a video about it on your website years ago.

In some situations, you will have a compelling reason to keep customer data (or contact the customer) longer than usual, by legal standards or by your own. To justify why you need to do this, you must be able to prove that you have legitimate interests that are best served with customer data. Under the GDPR, legitimate interests for a company include:

  • Fraud prevention
  • IT security
  • Marketing

Customers may be inherently suspicious of a company that insists on keeping their data on file for a long time. To combat this, provide a clear privacy policy and explain exactly how data is used. You must demonstrate that your customers’ privacy is not being violated and that their data is being used for reasonable purposes.

Are You Handling Customer Data Correctly?

To summarize, if your company is focused exclusively on explicit consent, you might be losing the chance to stay in touch with a larger pool of potential customers. You may be able to communicate with them based on legitimate interest or permission by proxy. As a marketer, you have both the responsibility and the opportunity to know what local regulations allow and to ensure you’re making the best use of your contact database. But at the same time, you also have the responsibility to respect the wishes of the people you contact. Your company’s data policy and practices should reflect these responsibilities. Your first duty is to provide your customers with an enjoyable, safe experience interacting with your website.

Not sure if you’re handling your customers’ data correctly? Get in touch with us to get the problem sorted out.