5

Do you need to obtain explicit affirmative user consent to send their data to a third party?

Currently we have a form on our website for users to fill out to register interest in our service. This data is then stored in our own database, but it is also sent to a sales service provider and a marketing service provider.

Do we need to get explicit consent from the user to send their details (personally identifiable, includes name and phone number) to these third party services?

Because the user has willingly given us this information, is it OK to just send the data to third parties or do we need consent?

Michael Curry

2 Answers

1

Is the third party acting on behalf of you and your core product which the customer has shown explicit consent in being contacted regarding?

If the third party is a Data Provider and handling the customer's details on your behalf, to provide a service that the customer has explicitly consented to, then my understanding is you will be ok.

If they aren't providing a service that the customer has consented to receive information on, or they are selling an unrelated service or product, you're going to be in big trouble.

Basically you are the Data Controller: you have procured the information directly from the client and it is all necessary to fulfill the task for which it is given, and any contact will only receive communication relating to it or that they expect. If you or the Data Provider breach this then you, the Data Controller, could be in trouble.

Edunikki
  • Thanks for this - the third parties are handling the customer's details on our behalf to provide a service. The customer checks a single box that confirms that they have read our privacy statement, which includes details of where we send their data and what it's used for. This box doubles as a marketing email opt-in box. Are we doing that correctly? – Michael Curry May 30 '18 at 08:21
  • 1
    You have to make sure that the terms and conditions are clearly stated and not hidden. If the marketing is related to a service they have shown interest in and is your service, then you should be ok. If it is someone else's service and you have given them someone's identifiable information (including their email address) then you will be in trouble. Someone else doing your marketing for a service that the customer has indicated an interest in should be ok; someone marketing their own service won't be. Similarly, it has to be of explicit interest/use to the customer rather than speculative. – Edunikki May 30 '18 at 12:39
  • 1
    [this](https://www.consultancy.uk/news/13487/six-privacy-principles-for-general-data-protection-regulation-compliance) has useful basic information - I suspect you're too broadly defining what services you offer and who you share identifiable information with – Edunikki May 30 '18 at 12:46
0

I know the topic is a bit old, but it is becoming more and more relevant due to heavy fines now being issued throughout the EU.

GDPR/CCPA is making a lot of people nervous, no doubt. I think most website owners have no clue about cookies or what they are used for. Due to the inconsequential use of cookies (thus far), cookies were never a subject of discussion.

My best advice is, before getting worked up over fines and implications, to get familiar with GDPR/CCPA regulations. Most importantly, before implementing a 3rd party tool, check if your website really needs it. There are not many free online tools which allow you to check your GDPR compliance status, but sites like https://www.gdpr-service.com/consult allow you to verify if you really need a major change in your website.

If you have 5 to 10 cookies containing no 3rd party, you might as well contract a programmer to build a popup acceptance module for you. Else, I'm afraid you will need to sign up for some service which provides you with the cookie policy (including cookies group and description) in order to be compliant.

Jay