How long can you rely on Consent or Legitimate Interest?
16 Sep 2020
When the GDPR was first published, the legislation made it clear that consent did not last forever. One of the most frequently asked questions remains, ‘how long does consent last?’
This type of principles-based legislation is new to many marketers and it has created a lot of uncertainty. The DMA’s Legal and Compliance teams continue to receive questions from members who want more specific timescales, so the DMA’s Responsible Marketing Committee produced the advice detailed below.
Following a recent investigation and subsequent adjudication from the Data and Marketing Commission (DMC), this guidance has been updated so that it covers both Consent and Legitimate Interests – both described as marketing permission.
The Information Commissioner’s Office (ICO) also included a section about this in its guidance: ‘What is valid consent?’
How long does consent last?
"The GDPR does not set a specific time limit for consent. Consent is likely to degrade over time, but how long it lasts will depend on the context. You need to consider the scope of the original consent and the individual’s expectations."
It is important to remember that these timescales are not set in stone. As highlighted by the ICO’s comment above, context, scope and the consumer’s expectations are all factors to consider.
I’m sure it would be possible to come up with an example of a particular product or service that might benefit from a different timescale, but it would be wrong to do this without considering the impact on the consumer. Ideally, your company should document its justification for the timescales it uses, in order to meet the requirements of the GDPR’s Accountability Principle.
The DMA advises its members to adhere to these minimum standards on the lifetime of marketing permission:
For third-party data: telephone, email, SMS; the maximum time that permission can remain valid is six months after initial collection or any other positive contact (as defined below).
For third-party postal marketing: the maximum time any permission can remain valid is 24 months after initial collection or any other positive contact.
For all first-party data: telephone, email, SMS and post; the maximum time that permission can remain valid is 24 months after initial collection or any other positive contact.
The timeframes begin after the initial collection date or when further positive contact with the customer is made.
The initial collection date is defined as the moment an organisation obtains permission from someone to process their personal data for direct marketing purposes. The organisation must maintain a record of the permission and an audit trail for evidence.
A positive contact
You must have proof that someone is continuing to engage with your organisation after they have given their permission.
For example, they have bought recommended products from an organisation, or clicked through from a marketing email to browse a website. These instances demonstrate an ongoing relationship between an individual and the organisation.
The data controller cannot rely on the absence of an action by the data subject as an indication of permission. There must be a dialogue, defined as a two-way communication via any channel, in which both parties exchange ideas, questions and answers.
DMA Members can get practical advice on this and any other issue related to data and marketing by emailing our Legal team: firstname.lastname@example.org