In the world of digital marketing, profiling is a powerful tool: it allows us to better understand our users, personalize experiences, and increase conversions.
However, to collect sensitive data, it's essential to comply with privacy regulations, first and foremost the European Union's General Data Protection Regulation (GDPR).
But how can we collect consent correctly? In this article, you'll discover everything you need to know to collect marketing profiling consent in a secure, transparent, and legal way.
Data processing for marketing purposes: what does it mean?
Marketing purposes include various activities aimed at promoting a company's products or services, reaching new customers, and strengthening relationships with existing ones.
Among the main marketing purposes are sending promotional communications, such as offers and discounts, via email, SMS, or push notifications, to keep customers updated on the latest news.
User profiling is another purpose, aimed at collecting and analyzing data related to users' behaviors, preferences, and interests, to personalize communications and offer tailored content.
Retargeting campaigns, which aim to re-engage users who have shown interest in the company or its products, represent another important marketing purpose.
Additionally, a marketing purpose can be customer loyalty through dedicated programs, exclusive promotions, and point collection systems, to strengthen their relationship with the brand.
Can I use my users' data for marketing purposes?
Yes, you can use your users' data for marketing purposes, but only if you comply with privacy regulations, such as GDPR.
Processing personal data for marketing and profiling purposes requires explicit and informed consent from users. It's essential to explain transparently what data is collected, how it will be used, and what the benefits are for the user, such as personalized offers or relevant communications.
Managing consent in an ethical and compliant manner is crucial to avoid penalties that can reach up to 4% of annual global turnover or €20 million, whichever is greater.
Consent for marketing purposes
Under GDPR, profiling users for marketing purposes requires obtaining their consent to the processing of their personal data.
Consent must be:
- Free: users must be able to choose whether to accept or refuse profiling.
- Specific: consent must relate to specific and clearly identified activities, such as profiling for marketing purposes.
- Informed: users must know how and why their data is being collected.
- Unambiguous: consent must be clear and manifested through a specific action, such as checking a box.
- Revocable: users must be able to withdraw their consent at any time, as easily as they gave it.
- Documented: maintain a detailed record of consents obtained, including information such as the date, time, IP address, and content of the information provided at the time of consent.
To request user consent in a compliant way, it's important to distinguish the type of consent needed:
- Cookie banner: must be placed on the website to allow users to choose whether to accept or refuse the use of navigation data and sharing with third-party providers. This banner should appear immediately when the user accesses the site, clearly informing them about cookie usage and data collection for profiling and marketing purposes.
- Consent for sending promotional communications (e.g., newsletter): specific and separate consent is required to send communications to users. This involves clearly informing about the use of their data exclusively for sending communications.
Making sure both consents are requested clearly and separately is essential to comply with privacy regulations.
Examples of consent formulations
Consent for direct marketing
These formulations ask users for permission to receive general communications (email, SMS, notifications) without necessarily relying on detailed profiling:
"I agree to receive marketing communications about products, services, and special promotions from [Company Name] via email."
"I wish to receive updates, promotions, and exclusive offers from [Company Name] via SMS and/or email."
"By giving my consent, I agree to receive newsletters and information about the latest news from [Company Name] via email."
Consent for profiled marketing
In this case, the requested consent refers to the possibility of analyzing user data to create personalized and relevant communications, based on specific interests and behaviors:
"I consent to the collection and use of my browsing data to receive personalized communications and tailored recommendations from [Company Name]."
"By giving my consent, I authorize [Company Name] to send me personalized offers and content based on my interests and browsing behavior."
"I accept that [Company Name] uses my personal and purchase data to send promotional communications and suggestions based on my interests and preferences."
Granular consent option
Granular consent offers users the ability to choose the type of communications they wish to receive and how their data will be used:
"I wish to receive marketing communications about products and services from [Company Name]"
"I authorize [Company Name] to use my data to personalize offers and content based on my specific interests."
Including the option to choose and clearly and transparently explaining the purposes helps respect user privacy, increasing the likelihood of obtaining valid and informed consent.
Storage of marketing consent
Okay, now that you've received user consent, is everything finished? No, to avoid problems during potential audits, you need to keep proof of the obtained consent.
Consent storage is essential to be able to prove, in case of verification or request by the user or the Privacy Authority, that consent was obtained correctly.
Without documented proof of consent, a company could incur penalties and damage to its reputation.
What information to store
It's important to collect and store the following information:
- Date and time: the precise moment when consent was provided.
- Privacy notice version: the privacy notice or data processing policy that was in effect at the time of consent collection.
- Collection method: whether consent was given via online form, checkbox, or other means.
- Proof of consent: such as a screenshot or log of the user's action (e.g., checking a box or clicking a button).
- Specific purposes: the type of marketing for which consent was granted (e.g., direct marketing, profiling, etc.).
Where to store consent data
The secure and traceable storage of data related to user consent is fundamental for complying with privacy regulations. Before adopting a solution, it's important to verify if your current system is already capable of recording and managing consents adequately. If you don't have a dedicated system, you can consider integrating a Consent Management Platform (CMP) like Avacy.
Avacy CMP is designed to store consents securely, ensure the traceability of information, and provide centralized management. A CMP not only simplifies the collection and tracking of consents but also helps you stay compliant with evolving regulations. Implementing it can significantly enhance consent data management and security, offering a scalable solution for your business.
Storage duration
The Privacy Authority's provision of October 15, 2020 introduces the principle of accountability, under which consent data should be kept only for the time strictly necessary for marketing purposes.
"The mere passage of time is not a sufficient parameter, in itself, to assess the suitability of the legal basis. Consent to the processing of personal data for promotional purposes, as the maximum expression of individual self-determination, [...] must be considered valid, regardless of the time elapsed, until it is revoked by the data subject, provided that it was correctly acquired originally and is still valid in light of the rules applicable at the time of processing as well as the retention times established by the controller, and indicated in the privacy notice, in compliance with Art. 5, par. 1, let. e) of the Regulation."
Source: Garante per la Protezione dei Dati Personali, Provvedimento del 15 ottobre 2020
According to the Privacy Authority, the key focus is not so much on the data retention period but on the validity of the consent obtained and the absence of its withdrawal. Therefore, it is the data controller who determines the data retention period, and this choice must be specified in the Privacy Policy.
Consent updates and revocations
Users have the right to modify or revoke their consent at any time. CMPs like Avacy allow you to update or revoke consent with ease and keep track of all changes made. Maintaining a history of revocations and updates is useful to demonstrate that the company respects users' rights.
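As an added example (not code from the article or from Avacy), the following Python ledger stores the fields listed under "What information to store" and keeps the history of grants and revocations described above, answering whether a given purpose is validly consented to at a given moment. The purpose names, the user id `u-42`, the notice versions, the IP address and the action-log text are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
PURPOSES = {"direct_marketing", "profiling"}  # the two granular purposes the article separates

@dataclass(frozen=True)
class ConsentEvent:
    """One consent action, carrying the fields the article says to store."""
    user_id: str
    purpose: str          # one of PURPOSES (granular consent)
    granted: bool         # True = consent given, False = consent withdrawn
    timestamp: datetime   # precise moment of the action (UTC)
    notice_version: str   # privacy notice in force when consent was collected
    method: str           # collection method, e.g. "web_form_checkbox"
    proof: str            # log of the user's action (constructed sample text)
    ip_address: str = ""  # listed under "Documented"; may be empty on revocation

class ConsentLedger:
    """Append-only store: a withdrawal is a new event; earlier events are never deleted."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {event.purpose}")
        self._events.append(event)

    def history(self, user_id: str) -> list[ConsentEvent]:
        """Chronological trail of grants and revocations, the proof kept for audits."""
        return sorted((e for e in self._events if e.user_id == user_id),
                      key=lambda e: e.timestamp)

    def is_valid(self, user_id: str, purpose: str, at: datetime) -> bool:
        """True only if the latest event for that purpose on or before `at` granted it."""
        relevant = [e for e in self.history(user_id)
                    if e.purpose == purpose and e.timestamp <= at]
        return bool(relevant) and relevant[-1].granted

# Constructed sample: one user grants both purposes, later withdraws profiling only.
T_GRANT = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
T_REVOKE = datetime(2024, 6, 15, 8, 30, tzinfo=timezone.utc)

def build_demo_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    for purpose in sorted(PURPOSES):
        ledger.record(ConsentEvent("u-42", purpose, True, T_GRANT, "notice-v3",
                                   "web_form_checkbox", f"checked '{purpose}' box", "203.0.113.7"))
    ledger.record(ConsentEvent("u-42", "profiling", False, T_REVOKE, "notice-v4",
                               "preferences_page", "unchecked 'profiling' box"))
    return ledger
```

Because revocations are appended rather than overwriting the original grant, `history()` still shows which notice version and method applied when consent was first given, which is what an auditor asks for.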
Marketing and profiling activities: the privacy policy
The privacy notice for marketing and profiling purposes must comply with regulatory requirements, particularly those of GDPR. Here are the essential elements it must contain:
- Identity and contact details of the data controller: clearly indicate the name, address, and contact details of the company (or person) responsible for data processing. This helps users know who is collecting and using their data.
  Example: "[Company Name], headquartered at [Address], email: [contact email]."
- Purposes of data processing: describe the specific purposes for which you collect data, distinguishing between:
  - Direct marketing: for sending generic promotional or informative communications.
  - Profiling: for creating profiles based on users' preferences, behaviors, and interests, with the aim of personalizing communications and improving user experience.
  Example: "The collected data will be used for marketing purposes and to offer you personalized content and offers based on your interests."
- Types of data collected: specify which personal data will be collected for each purpose, for example:
  - Personal data: name, surname, email, phone number;
  - Navigation data: pages visited, time spent on site;
  - Behavioral data: purchase preferences, interactions with marketing emails.
  Example: "We collect your personal and browsing data to analyze your interests and improve the relevance of our communications."
- Legal basis for processing: indicate the legal basis for processing data for marketing and profiling purposes. Generally, the legal basis for these purposes is the explicit consent provided by the user. Make sure to specify that the user can withdraw consent at any time.
  Example: "The processing of your data for marketing and profiling purposes will only occur with your consent, which you can withdraw at any time."
- Data collection methods: describe how the data will be collected, for example, through:
  - Registration forms
  - Cookies and tracking technologies
  - Analysis of online purchases and interactions
  Example: "We collect data through the registration form, cookies on our site, and interactions with emails."
- Sharing data with third parties: if data is shared with third parties, such as business partners or marketing service providers, it is important to specify this. Include details about who will receive the data and for what purpose, ensuring that the providers comply with GDPR regulations.
  Example: "Your data may be shared with partners and providers for marketing and analytics purposes, solely to improve the services and offers provided."
- Data retention period: indicate how long you will keep the data collected for marketing and profiling purposes. Explain that the data will be kept only as long as they are useful for the declared purposes, after which they will be deleted or anonymized.
  Example: "We will retain your data for a maximum period of [specify the period, e.g., 24 months] from the time of consent, unless you revoke it."
- User rights: specify the rights of users in relation to their data, which include:
  - Right of access
  - Right of rectification
  - Right of erasure
  - Right to restriction of processing
  - Right to object (including the right to object to profiling)
  - Right to data portability
  - Right to withdraw consent at any time
  Example: "You can exercise your rights of access, rectification, erasure, objection to profiling, or withdrawal of consent by contacting us at [contact email]."
- How to withdraw consent: specify how the user can withdraw consent. The withdrawal process should be simple and immediate, such as through a link in emails or a dedicated section on the website.
  Example: "You can withdraw your consent for marketing and profiling purposes at any time by clicking the unsubscribe link in our emails or by contacting us at [contact email]."
- Contact details of the Data Protection Officer (DPO): if the company is required to appoint a DPO, include their contact details so users can reach out for matters related to personal data protection.
  Example: "Our Data Protection Officer can be reached at the following email address: [DPO email]."
- Privacy policy updates: specify that the policy may be subject to changes over time and that users will be informed of any updates.
  Example: "This policy may be updated. In such cases, we will inform you accordingly."
How to ensure compliance simply
Complying with regulations may seem like a very complex task. Fortunately, Avacy offers advanced solutions that make the compliance process much simpler.
Avacy provides all the necessary tools to facilitate compliance with privacy regulations.