Personal Data Protection requirements: obtaining customer contact information to make delivery
There are certain obligations under the PDPA to watch out for when obtaining the contact information of customers to make a delivery.
At the time of obtaining your customers' contact information:
- Purpose limitation obligation: You must notify your customers of the purpose(s) for the collection, use or disclosure of their contact information. This should be done on or before collecting their information.If you intend to use or disclose your customers' contact information for purposes other than making a delivery, such purposes must be notified to customer in advance and they must be reasonable in the circumstances. For example, it would be reasonable to state that you will use a customer's contact information to 'provide the customer with updates on new products and promotions', but it would not be reasonable to state that you will use a customer's contact information for 'any purpose that you deem fit'.
- Consent obligation: You must obtain each customer's consent to collect, use and disclose their contact information. It is recommended that you obtain express consent from your customers (e.g., by requiring customers to indicate their consent by ticking an 'I agree to your terms and conditions' checkbox at the time of collecting their contact information). However, consent may also be implied when it is voluntarily given to you by your customer when they make a purchase from you and select the delivery option.
If you will be engaging a third-party vendor to make the delivery:
- It is good practice to ensure that your customers' consent to you includes authority for you to disclose, process and share their contact information with all relevant and reasonable third parties, for the fulfilment of purchases.
- You should, as a matter of best practice, obtain a signed contract from the vendor to only use your customer's contact information for the sole purpose of making the delivery.