Can We Use Customer Data for Marketing?
The Everyday Marketing Tactic That Could Quietly Trigger a Legal Storm
• 23 Sep 25
“Data is the fuel of modern marketing - but if you don’t know how to handle it, you’ll burn your brand.” - Matthew Glynn
Introduction
Using customer data for marketing feels like a natural part of doing business. It’s how you personalise campaigns, optimise performance, and scale reach. But here’s the warning: what feels like smart marketing could actually be unlawful data use - and the consequences can be severe.
This issue may not apply to every startup, but if it does, and you’ve missed it, the fallout can be significant. The legal frameworks around data use are complex, fast-evolving, and unforgiving - especially when marketing teams move faster than compliance teams can keep up.
In this blog, we’re going to flag up some key considerations to help you better prepare to tackle this issue - because prevention is always better than the cure.
Legal issues are important but easily overlooked, especially when founders are focused on the big launch or the issue of the day - and in a startup, there’s always an “issue of the day”.
Optional Inclusion: What Is Customer Data in Marketing?
Customer data used in marketing typically includes:
◼️Email addresses
◼️Purchase history
◼️Browsing behaviour
◼️Location data
◼️Demographic profiles
◼️Social media interactions
This data is often collected through websites, apps, CRM systems, and third-party platforms. The legal question is whether you can use this data for marketing - and under what conditions.
Why This Topic Is Important
This can be an important issue for start-ups because:
Legal Requirement: Most privacy laws require explicit consent before using personal data for marketing.
Customer Trust: Misuse of data can erode trust and damage your brand’s reputation.
Global Reach: If you market across borders, you must comply with multiple data regimes (e.g., GDPR, PDPA, CCPA).
Platform Compliance: Ad platforms may suspend accounts that breach data use policies.
Investor Scrutiny: Data governance is a growing focus in due diligence processes.
Automation Risk: Marketing automation tools can amplify non-compliance at scale.
Reputational Exposure: Data misuse stories spread fast - and stick.
Regulatory Complexity: Laws are evolving rapidly and vary by jurisdiction.
Operational Confusion: Teams often lack clarity on what data can be used and how.
Litigation Risk: Consumers and regulators are increasingly litigious over data rights.
Q: Can I use customer emails collected during checkout for marketing?
A: Only if you obtained clear, informed consent at the time of collection - and provided an opt-out option.
Consequences of Not Addressing This Issue
The consequences of not attending to this issue may include the following:
1. Legal Implications
Regulatory Fines: Breaches of GDPR, PDPA, or CCPA can result in fines reaching millions.
Enforcement Action: Regulators may issue cease-and-desist orders or require data deletion.
Litigation Risk: Class actions and individual lawsuits are increasingly common.
2. Commercial Implications
Loss of Customers: Consumers may abandon brands that misuse their data.
Partnership Breakdown: Strategic partners may walk away from non-compliant businesses.
Marketing Restrictions: You may be banned from using key ad platforms or CRMs.
3.Operational Implications
Campaign Disruption: Non-compliant campaigns may be pulled mid-flight.
Resource Drain: Legal firefighting consumes time, money, and focus.
Team Paralysis: Uncertainty around data use can stall marketing initiatives.
4. Biz Valuation Issues
Due Diligence Failures: Investors may reduce valuation or walk away entirely.
Exit Risk: Acquirers may flag data governance as a deal-breaker.
Brand Devaluation: Public exposure of data misuse can permanently damage brand equity.
The above lists are indicative issues - the relevance of which will depend on your circumstances including the nature of business undertaken by your start-up.
What You Need to Be Doing
We have identified quite a number of potential issues that the start-up needs to consider and below are some examples of the types of steps you might want to consider taking to address these issues considered above.
Map Your Data Flows
Identify what customer data you collect, where it’s stored, and how it’s used.
This is the foundation of any compliant marketing strategy.
Obtain Proper Consent
Ensure all marketing data is collected with clear, informed, and specific consent.
Use opt-in checkboxes and avoid pre-ticked forms.
Review Your Privacy Policy
Make sure your privacy policy clearly explains how customer data will be used for marketing.
It should be accessible, transparent, and regularly updated.
Segment Your Data
Separate marketing-consented data from operational or transactional data.
Only use the former for promotional campaigns.
Implement Opt-Out Mechanisms
Every marketing message should include a clear and easy way to unsubscribe.
Track and honour opt-outs across all channels.
Train Your Marketing Team
Ensure your team understands the legal boundaries of data use.
Provide regular updates as laws evolve.
Audit Your MarTech Stack
Ensure your CRM, email platform, and analytics tools are configured for compliance.
Use tools that support consent tracking and data minimisation.
The above suggestions are just a few of the steps you can consider taking. There are many more things that need to be done to ensure the associated risks are effectively and pragmatically dealt with.
Q: Can startups use behavioural data for ad targeting?
A: Yes - but only with valid consent and in compliance with privacy laws. Cross-border data transfers may also require additional safeguards.
How These Risks Can Play Out
Case Study 1: The Checkout Consent Gap
A startup collected emails during checkout but didn’t obtain marketing consent. A regulator fined them under local privacy laws, and they were forced to delete their entire email list - just weeks before a major product launch.
Case Study 2: The CRM Misfire
A SaaS company migrated to a new CRM and accidentally sent marketing emails to users who had opted out. Complaints flooded in, and the company was temporarily blacklisted by their email provider.
Case Study 3: The Investor Walkaway
During due diligence, a VC discovered that a startup had no documented consent for its 50,000-person mailing list. The deal was paused, and the startup had to rebuild its list from scratch - delaying funding by six months.
Frequently Asked Questions
Q: Can I use customer data collected for support to send marketing emails?
A: Not without separate, explicit consent for marketing purposes.
Q: Is consent always required for marketing?
A: In most jurisdictions, yes - especially for email, SMS, and targeted advertising.
Q: Can I buy a marketing list from a third party?
A: It’s risky - you must ensure the data was collected with valid consent and that you have the right to use it.
Q: What if I only market to existing customers?
A: Some jurisdictions allow this under “soft opt-in” rules, but conditions apply - and opt-out must still be offered.
Understanding the Legal Terminology
◼️Personal Data: Any information that can identify an individual, directly or indirectly.
◼️Consent: Freely given, specific, informed, and unambiguous agreement to data processing.
◼️Opt-In: A mechanism where users actively agree to receive marketing.
◼️Opt-Out: A mechanism allowing users to withdraw from marketing communications.
◼️Data Minimisation: The principle of collecting only the data you need.
◼️Soft Opt-In: A limited exception allowing marketing to existing customers under specific conditions.
◼️Data Controller: The entity that determines the purpose and means of processing personal data.
How GLS Can Help You
By building your legal team capability on the GLS platform, you will be capable of:
◼️Rapidly assessing your marketing data compliance risks
◼️Accessing pre-built consent language and privacy policy templates
◼️Getting expert reviews of your marketing workflows and CRM practices
◼️Training your team on data privacy and marketing law essentials
◼️Avoiding costly legal missteps before they happen
Final Thoughts
Using customer data for marketing can be a powerful growth lever - but only if it’s done legally. The risks of getting it wrong are real, and the consequences can be costly. The good news? With the right legal infrastructure in place, you can market confidently, compliantly, and competitively.
Observations & Tips
- Obtain Valid User Consent: Secure clear and informed consent before using customer data for marketing purposes.
- Review Privacy Policies Regularly: Ensure privacy notices accurately explain how customer data is collected and used.
- Limit Data Usage Purpose: Use customer information only for the purposes originally disclosed to users.
- Implement Opt-Out Mechanisms: Allow customers to easily withdraw consent or unsubscribe from marketing communications.
- Avoid Excessive Data Collection: Collect only the information necessary for defined marketing activities.
- Protect Sensitive Information: Apply enhanced safeguards when handling financial, health, or location-related data.
- Manage Third-Party Sharing Carefully: Disclose and regulate how marketing partners or vendors access customer data.
- Maintain Consent Records: Retain proof of user permissions, preferences, and marketing authorisations.
- Comply with Cross-Border Rules: Assess international data transfer obligations before global marketing campaigns.
- Align Marketing & Legal Teams: Ensure campaigns are reviewed for privacy and consumer protection compliance.
- Monitor Behavioural Tracking Practices: Cookies, profiling, and targeted advertising may trigger additional legal obligations.
- Avoid Assumed Consent Models: Pre-ticked boxes or implied consent structures increase enforcement risks.
- Prevent Reactive Privacy Compliance: Late-stage legal fixes can lead to penalties, complaints, and reputational harm.
Startup Legal Support Centre
Build your own legal department with our online platform of startup-focused legal tools.
Startup Legal Guide Map
Explore the Guide Map to grow your business while staying on top of legal essentials.
Legal On Call™ (Free Trial)
Sign up for GLS Legal On Call™ and get expert answers to your startup legal needs.
Pro Bono Startup Legal Clinic
Get free expert legal advice at the GLS Pro Bono Clinic and power your business forward.
