Demystifying Consent
It is a common misconception that consent is needed to process data, particularly when considering the GDPR and the CCPA. Although these two regimes differ, consent is not required in either.
The GDPR outlines six legal bases of processing, each holding equal significance. To ensure compliance with this regulation, companies must select one of these bases when processing data. At Lusha, we rely on the legitimate interest legal basis. This allows us to process data subject information that is subject to the GDPR for the purposes of benefiting our customers’ B2B sales, marketing, fraud prevention and recruiting endeavors. This practice is also followed and stated by other players in the industry (e.g. ZoomInfo and Cognism).
We firmly believe that our legitimate interest in processing business contact data outweighs any potential impact on the fundamental rights and freedoms of data subjects. This belief is supported by several factors:
Firstly, the nature of the data we process has minimal influence on an individual’s private life. Secondly, individuals within the business realm reasonably anticipate their contact information being shared for these specific purposes. Lastly, such information is widely disclosed, further validating the legitimacy of our data processing activities. Please refer to our transfer impact assessment for more information.
Before selling data belonging to California or EEA residents, Lusha provides such individuals with a Privacy Notice that covers Lusha and its customers in respect of all Article 14 of GDPR requirements.
While the GDPR sets stringent requirements, it’s worth noting that the California Consumer Privacy Act (CCPA) takes a different approach. Unlike the GDPR, the CCPA does not mandate a specific legal basis for processing personal data. Consent is only required in limited scenarios, such as when individuals are enrolled in financial incentive programs like loyalty programs. However, for the collection, processing, or sale of personal data, consent is not a prerequisite.
At Lusha, we fully respect and comply with the CCPA’s relevant provisions, including the right for individuals to request to opt-out of the sale of their personal data. Our commitment to data privacy and transparency ensures that our practices align with applicable regulations, empowering our customers to navigate the business landscape with confidence.
Additionally, it is important to note that direct marketing laws, which typically require consent, draw a clear distinction between direct marketing and B2B prospecting. In fact, Direct marketing laws usually exempt B2B cold calls by default (e.g. Canada and Singapore) or will exempt B2B cold calls after a company scrubs their phone number list against a country’s “do not call” registry. Lusha scrubs its data against the do not call registries in the US and the UK.
