If your marketing and sales activities involve collecting personal data from customers, there are two things to keep in mind:
1) where you rely on consent as your lawful basis (consent is one of the six lawful bases listed in Article 6 of the GDPR), they must give that consent before you process their data, and
2) whichever lawful basis you rely on, they have the right to be informed about how their data is being collected and used.
These are key transparency requirements under the EU GDPR (General Data Protection Regulation) that must be observed to avoid fines – and the potential displeasure of your customers.
Consent, as defined in Article 4(11), is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
But it’s not as easy as getting a simple “yes” from your customers. Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent has not been “freely given,” and it will be invalid.
You must also keep records showing what each person consented to and when (Article 7(1)), present your request for consent prominently and clearly separated from other terms (Article 7(2)), and let customers withdraw consent at any time, as easily as they gave it (Article 7(3)). Nor can you make performance of a contract, including the provision of a service, conditional on consent to processing that is not necessary for that contract (Article 7(4)): consent bundled into the terms of service is not freely given unless the processing is genuinely needed to deliver the service.
The right to be informed comes down to one thing: giving people clear, concise information about what you will do with their personal data.
Articles 13 and 14 of the GDPR list what individuals have the right to be informed about. At a minimum you must tell them who the controller is, why you are processing their personal data and on what lawful basis, how long you will keep it, who it will be shared with, and what rights they have over it. Together these disclosures are known as “privacy information”, and when you collect personal data directly from the individual they must be provided at the time of collection (Article 13).
If you obtain personal data from another source rather than from the individual (Article 14), you must provide privacy information within a reasonable period and no later than one month after obtaining it, or sooner if you use the data to contact the individual or disclose it to another recipient before then.
The information you provide must be concise, transparent, intelligible and easily accessible, in clear and plain language (Article 12(1)). In practice it is usually most effective to combine several techniques: a layered privacy notice, a privacy dashboard where people can see and change their settings, and just-in-time notices shown at the point where a particular piece of data is collected.
Countries outside the EU have their own privacy and data protection laws. In Brazil, the Lei Geral de Proteção de Dados (LGPD) governs the processing of personal data, both online and offline, and is clearly modelled on the GDPR. Like the GDPR, the LGPD requires that information given to customers about how their data is handled be clear and unambiguous.
Where the consent of Brazilian customers is the basis for processing, any change in the purpose of processing that is incompatible with the original consent must be notified to the customer, who may revoke consent if they do not accept the change.
Thailand’s Personal Data Protection Act (PDPA) protects the personal data of individuals in Thailand against misuse. Customers must consent before their data is collected, used or disclosed, and they can withdraw that consent at any time; the request for consent must be made in writing or by electronic means, in clear and plain language. Businesses must also put appropriate security measures in place to guard against unauthorised loss, access, use or alteration of the data, and must keep the data accurate, complete and up to date.
As data privacy and data protection regulations continue to evolve around the globe, businesses have the best chance of staying compliant by taking a holistic approach and making data privacy a core value and priority. By being transparent, auditing and updating data processes, and keeping customers informed along the way, your business reduces its exposure to costly fines and, more importantly, builds trust with its users and customers.
Looking to understand more about the changing privacy landscape with the current state of GDPR regulations and how that can affect your eCommerce customer journey? Then check out this webinar to learn how eCommerce brands can build superior, personalized customer journeys without the use of personal information.