CKonnect Community

Consent ≠ Catch-All License

CKonnect

“One Consent, Many Uses? Purpose Creep in Action”

A user gives their phone number to verify their identity (2FA). A month later, they get a WhatsApp ad from the same platform. No fresh consent.

📣 Do you think this is a legitimate reuse of data or a classic case of purpose creep?

💬 Jump in:

  • Should businesses take separate consents for marketing vs. security use cases?
  • How do you explain granular consent to a non-privacy person?

Let’s see how you’d handle this as a DPO or privacy consultant!

aftab.naukhaiz1997@gmail.com

This scenario is a classic example of purpose creep. The business is reusing the data for a purpose other than that for which the data was originally collected. This is a clear violation of the principle of purpose limitation: only processing personal data for specified, explicit and legitimate purposes.

  • Should businesses take separate consents for marketing vs. security use cases?


Yes, absolutely. One consent, one purpose; multiple consents, multiple purposes: this is termed 'granular consent'. Granular consent is a fundamental requirement of modern privacy regulations like GDPR, DPDPA, and PDPA. Security and marketing are two different domains; both need separate consent. The consent for security is not used for marketing purposes.

  • How do you explain granular consent to a non-privacy person?


Think about the tailor shop. Instead of just a single "I agree to everything" form, a shop practising granular consent would give you a form with choices:

  •  I give my phone number so you can call me when my clothes are ready. (This is the main aim and a required permission.)
  •  I would like to get text messages about special festival discounts (like Diwali or Eid). (This is an extra, optional permission.)
  •  I agree to get a call to provide feedback on the stitching. (Another optional permission.)

The above illustration shows you have control over your data. You can check the boxes for the things you are okay with and leave the rest blank. This way, your number is used only for the things you approved, making it your choice, not the business's.

How I handle this as a DPO or privacy consultant

  • I would train the marketing team about the concept of purpose limitation.
  • I would enable the concept of privacy by design, as mentioned in the above example, where the tailor provides the detailed form.
  • I would make the user aware, in simple language, of how his/her consent is used and for what purpose, without using difficult legal language.
  • I would audit where purpose creep is happening.
  • I would review the privacy policy, terms & conditions and consent management systems.

Follow

https://www.ckonnect.co.in/blog/privacy-team-pulse-7/purpose-creep-privacy-consent-misuse-69
