A company can process data only if one (or more) of six lawful purposes applies. When sharing personal data with a third party for the purpose of permitting the third party to market to data subjects, companies typically rely upon the consent of the data subject. While consent may not be the only lawful purpose that permits such a transfer, depending upon the type of marketing to be sent and the marketing laws of the jurisdiction in which the data subjects reside, the controller that receives the data may separately need consent in order to transmit direct marketing.
The Article 29 Working Party – the predecessor to the European Data Protection Board – took the position that when companies solicit consent they should be “granular” and not ask data subjects to “consent to a bundle of processing purposes.” [1] Although the Working Party recommended obtaining separate consent for each purpose of processing, it did not take the position that separate consent must be sought when there is a single purpose for processing (e.g., transmitting information to third parties for their direct marketing), but such processing might involve multiple recipients (e.g., third party controllers that intend to send direct marketing). [2] To the contrary, the Working Party stated that a single “specific consent” could be presented to a data subject that sought permission to “send the contact details to commercial partners.” [3] According to the Working Party, the single consent would be “deemed valid for each partner . . . whose identity has been provided to the data subject at the time of . . . his or her consent.” [4] The Working Party reasoned that because there was only one purpose in the proposed processing (e.g., marketing) only one unified consent need be presented.
As a result, a company can, consistent with the GDPR, ask data subjects in a single request for permission to share their information with multiple third parties. For example, a controller could ask data subjects to “consent to our sharing of your contact details to the following list of commercial partners so that they may send you information about their products or services: [List of third parties].”
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. WP 259 Rev. 01 at 10.
2. WP 259 Rev. 01 at 10.
3. WP 259 Rev. 01 at 10.
4. WP 259 Rev. 01 at 10.