Data collection and permissions

Making sure the customer understands what permission they are giving and for what

The potential use of customer records for direct marketing and audience development, and any sharing of personal data between organisations relies on three things:

  • the circumstances in which data was obtained
  • the notifications given to the customer at the time of collection
  • the permissions obtained.

In some circumstances the law requires that permissions are obtained by asking customers to “opt-in”, and in others it is acceptable to give them the opportunity to “opt-out”, but in both cases it is not recommended to use pre-ticked boxes.

Two pieces of current legislation are involved: the 1998 Data Protection Act (“DPA” which followed the 1984 Data Protection Act) and the Privacy and Electronic Communications Regulations (“PECR” 2003).

Both are pieces of legislation implementing EU law to protect individuals’ privacy. The practicalities of collecting data will vary dependent on whether this is happening online, in person or by phone.

For all methods, notifications to the customer are a fundamental legal requirement.