How long can you rely on Consent or Legitimate Interest? | DMA

Filter By

Show All
X

Connect to

X

How long can you rely on Consent or Legitimate Interest?

T-timescale.jpg

When the GDPR was first published, the legislation made it clear that consent did not last forever. One of the most frequently asked questions remains, ‘how long does consent last?’

This type of principals-based legislation is new to many marketers and it has created a lot of uncertainty. The DMA’s Legal and Compliance teams continue to receive questions from members who want more specific timescales, so the DMA’s Responsible Marketing Committee produced the advice detailed below.

Following a recent investigation and subsequent adjudication from the Data and Marketing Commission (DMC), this guidance hasbeen updated so that it covers both Consent and Legitimate Interests – both described as marketing permission.

The Information Commissioner’s Office (ICO) also included a section about this in its guidance: ‘What is valid consent?’

How long does consent last?

"The GDPR does not set a specific time limit for consent. Consent is likely to degrade over time, but how long it lasts will depend on the context. You need to consider the scope of the original consent and the individual’s expectations."

It is important to remember that these timescales are not set in stone. As highlighted by the ICO’s comment above, context, scope and the consumer’s expectations are all factors to consider.

I’m sure it would be possible to come up with an example of a particular product or service that might benefit from a different timescale, but it would be wrong to do this without considering the impact on the consumer. Ideally there needs to be documented justification of your companies justification for the timescales you use, in order to meet the requirements of the GDPR’s Accountability Principal.

The DMA advises its members to adhere to these minimum standards on the lifetime of marketing permission:

For third-party data: telephone, email, SMS; the maximum time that permission can remain valid is six months after initial collection or any other positive contact (as defined below).

For third-party postal marketing: the maximum time any permission can remain valid is 24 months after initial collection or any other positive contact.

For all first-party data: telephone, email, SMS and post; the maximum time that permission can remain valid is 24 months after initial collection or any other positive contact.

The timeframes begin after the initial collection date or when further positive contact with the customer is made.

Definitions:

Initial collection

This is defined as the moment an organisation obtains permission from someone to process their personal data for direct marketing purposes. The organisation must maintain a record of the permission and an audit trail for evidence.

A positive contact

You must have proof that someone is continuing to engage with your organisation after they have given their permission.

For example, they have bought recommended products from an organisation, or clicked through from a marketing email to browse a website. These instances demonstrate an ongoing relationship between an individual and the organisation.

The data controller cannot rely on the absence of an action by the data subject as an indication of permission. There must be a dialogue, defined as a two-way communication via any channel, in which both parties exchange ideas, questions and answers.

DMA Members can get practical advice on this and any other issue related to data and marketing by emailing our Legal team: legaladvice@dma.org.uk


DMA Membership will provide your business with fantastic benefits, including advocacy, legal and compliance support, best practice guidance, research, insight and events.

Plus, with access to an online learning platform containing a range of qualification and bitesize learning modules, you’ll gain a cost-effective and simple way to keep your team upskilled.

Find out how DMA Membership will help your business thrive here.

Hear more from the DMA

Please login to comment.

Comments

Related Articles

Businesses must be ethical in their telemarketing practices to protect customers from unwanted, intrusive, or deceptive calls, ensuring their privacy and well-being are respected. Read how

Depositphotos_718680692_S.jpg

This article is written by MBA Group Ltd.

priscilla-du-preez-tAnrp8P51tY-unsplash.jpg

As abandoned baskets reach the highest levels in a decade, how can you make sure your customers successfully checkout?

hero-man-thinking-about-making-a-purchase.webp
As Black Friday approaches, marketers face pressure to captivate customers. The '23 season showed how brands use real-time data, AI, and dynamic content to tailor their messaging and boost engagement. Learn from them to shape your strategy.
iStock-1661657038.jpg