Is a company required to separately solicit consent each time that it wants to share personal data with a third party for their marketing purposes?

Bryan Cave Leighton Paisner


A company can process data only if one (or more) of six lawful purposes applies.  When sharing personal data with a third party for the purpose of permitting the third party to market to data subjects, companies typically rely upon the consent of the data subject.  While consent may not be the only lawful purpose that permits such a transfer, depending upon the type of marketing to be sent and the marketing laws of the jurisdiction in which the data subjects reside, the controller that receives the data may separately need consent in order to transmit direct marketing. 

The Article 29 Working Party – the predecessor to the European Data Protection Board – took the position that when companies solicit consent they should be “granular” and not ask data subjects to “consent to a bundle of processing purposes.”1  Although the Working Party recommended obtaining separate consent for each purpose of processing, it did not take the position that separate consent must be sought when there is a single purpose for processing (e.g., transmitting information to third parties for their direct marketing), but such processing might involve multiple recipients (e.g., third party controllers that intend to send direct marketing).2   To the contrary, the Working Party stated that a single “specific consent” could be presented to a data subject that sought permission to “send the contact details to commercial partners.”3   According to the Working Party, the single consent would be “deemed valid for each partner . . . whose identity has been provided to the data subject at the time of . . . his or her consent.”4   The Working Party reasoned that because there was only one purpose in the proposed processing (e.g., marketing) only one unified consent need be presented.

As a result, a company can, consistent with the GDPR, ask data subjects in a single request for permission to share their information with multiple third parties.  For example, a controller could ask data subjects to “consent to our sharing of your contact details to the following list of commercial partners so that they may send your information about their products or services: [List of third parties].”

For more information and resources about the CCPA visit

 This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. WP 259 Rev. 01 at 10.

2. WP 259 Rev. 01 at 10.

3. WP 259 Rev. 01 at 10.

4. WP 259 Rev. 01 at 10.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising

Written by:

Bryan Cave Leighton Paisner

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.