Customer Relationship Exception

Definition

An exemption allowing limited personal data use based on existing business relationships without requiring separate consent for each communication. Various privacy laws recognize that customers have reasonable expectations their data will be used in connection with services they've purchased or inquired about. For example, CAN-SPAM allows businesses to send commercial emails to customers with whom they have an existing business relationship without requiring opt-in consent, though opt-out must be honored. GDPR's legitimate interests basis may cover some customer relationship processing. The exception typically covers communications reasonably related to the relationship, such as service information, account management, or similar products/services—but doesn't extend to unrelated marketing or sharing with unrelated third parties. Organizations must still provide transparency, honor opt-outs, and ensure processing remains proportionate to the relationship. The exception shouldn't be abused as blanket permission for all marketing.

Applicable Laws & Regulations

  1. CAN-SPAM Act 15 U.S.C. §7702(3) - Business relationship definition
  2. CASL Section 10(9) - Existing business relationship exception
  3. GDPR Recital 47 - Legitimate interests for direct marketing
