GDPR Art. 5(1)(b) prohibits using data for purposes incompatible with the original collection purpose. When a user hands you their email to receive a password reset link, they are not consenting to receive a marketing newsletter — these are legally distinct acts under Art. 6 and Art. 7. Sending marketing email to all registered users on the basis of the signup 'contract' is one of the most common GDPR violations in AI-built apps, and it is one regulators can identify from a single test signup. Passing account data to enrichment services like Clearbit or advertising audiences on Facebook without disclosure compounds the violation into an Art. 13 breach (no notice at collection).
Severity is high because repurposing data without separate consent directly violates Art. 5(1)(b) and Art. 6(4), and regulators routinely flag marketing violations in enforcement actions without requiring a formal complaint.
Add a separate, unchecked marketing consent checkbox at signup. Never add users to marketing lists based solely on account creation.
<form onSubmit={handleSignup}>
  <input type="email" name="email" required />
  <input type="password" name="password" required />
  {/* Marketing consent — must default to false per Art. 7 */}
  <label className="flex items-center gap-2 mt-4">
    <input type="checkbox" name="marketingConsent" defaultChecked={false} />
    <span>Send me product updates (optional). Unsubscribe anytime.</span>
  </label>
  <button type="submit">Create account</button>
</form>

// In the signup handler, record consent separately from account creation
await db.user.create({
  data: {
    email,
    passwordHash,
    marketingConsent: formData.marketingConsent === 'on',
    marketingConsentAt: formData.marketingConsent === 'on' ? new Date() : null,
    marketingConsentVersion: '2026-02-01',
  },
})
if (formData.marketingConsent === 'on') await addToMarketingList(email)
For third-party data passes (enrichment APIs, advertising audiences), add explicit disclosure in your privacy policy and ensure a lawful basis exists separately from account delivery.
ID: gdpr-readiness.lawful-basis.purpose-limitation
Severity: high
What to look for: Identify cases where data collected under one lawful basis is being used for a different purpose without additional user consent. Common patterns: email collected under "contract" (service delivery) subsequently used for marketing newsletters without a separate opt-in; usage analytics collected under "legitimate interest" for product improvement subsequently shared with advertising networks; account data exported to third-party enrichment or scoring services not disclosed in the original privacy notice. Check the codebase for places where user data (especially email) is passed to systems other than those explicitly described in the privacy policy at the time of collection. Look for integration code that sends user data to enrichment APIs (Clearbit, Apollo, ZoomInfo), advertising audiences (Facebook Custom Audiences, Google Customer Match), or CRM systems with scoring features. Count all instances found and enumerate each.
Pass criteria: Data is used only for the purposes disclosed at the time of collection. Email collected for transactional communication is not sent to marketing lists without a separate opt-in. Usage data collected under legitimate interest is not passed to third parties for advertising. Any new use of existing data is either compatible with the original purpose, or is accompanied by a new consent mechanism and privacy notice update. At least 1 implementation must be confirmed.
Fail criteria: User email collected at signup under "contract" is added to marketing lists without a separate opt-in. Analytics data passed to advertising networks without disclosure. User data sent to third-party enrichment services not mentioned in the privacy policy.
Skip (N/A) when: Application has a single data purpose and no integrations that could create purpose conflicts.
Detail on fail: Specify the purpose conflict. Example: "Email collected at signup for account delivery is passed to Mailchimp marketing list without a separate consent checkbox." or "Usage events collected under legitimate interest are forwarded to Facebook Ads API for retargeting without user disclosure."
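A heuristic code scan for the "What to look for" step, added here as an example and not part of this checklist: it walks source files (a constructed in-memory sample below), flags lines that pass email or similar fields to enrichment, advertising or marketing integrations, and reports which of those lack a nearby consent check. The pattern lists and the `marketingConsent` / `hasConsent(` consent hint are assumptions to adapt to your own codebase.

```javascript
// Added example (not the checklist's code): heuristic scan for user data
// flowing to enrichment, advertising or marketing integrations.
// The pattern lists below are assumptions; extend them for your own stack.
const INTEGRATION_PATTERNS = [
  { category: 'enrichment',  re: /\b(clearbit|apollo|zoominfo)\b/i },
  { category: 'advertising', re: /custom_?audiences?|customer_?match|\bfbq\b/i },
  { category: 'marketing',   re: /\b(mailchimp|addToMarketingList)\b/i },
];
// Personal data fields collected under the signup "contract".
const PII_FIELDS = /\b(email|phone|fullName)\b/i;
// A nearby consent check counts as a gate (hypothetical naming).
const CONSENT_HINT = /\bmarketingConsent\b|\bhasConsent\(/;

function scanSource(fileName, source) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, idx) => {
    for (const { category, re } of INTEGRATION_PATTERNS) {
      if (!re.test(line) || !PII_FIELDS.test(line)) continue;
      // Look back three lines for an enclosing consent check.
      const context = lines.slice(Math.max(0, idx - 3), idx + 1).join('\n');
      findings.push({ file: fileName, line: idx + 1, category,
                      consentGated: CONSENT_HINT.test(context) });
    }
  });
  return findings;
}

// files: { path: sourceText }. Returns every finding plus the count that
// lacks a consent gate, which is what "Detail on fail" should enumerate.
function scanProject(files) {
  const findings = Object.entries(files).flatMap(([f, src]) => scanSource(f, src));
  return { findings, ungated: findings.filter((x) => !x.consentGated).length };
}

// Constructed sample sources standing in for a real repository.
const SAMPLE_FILES = {
  'signup.js': [
    'await db.user.create({ data: { email, passwordHash } })',
    'await mailchimp.lists.addListMember(LIST_ID, { email_address: email })',
  ].join('\n'),
  'enrich.js': 'const profile = await clearbit.Enrichment.find({ email: user.email })',
  'newsletter.js': [
    'if (user.marketingConsent) {',
    '  await addToMarketingList(user.email)',
    '}',
  ].join('\n'),
};

const report = scanProject(SAMPLE_FILES);
console.log(`${report.findings.length} integration call(s), ${report.ungated} without a consent gate`);
```

Treat the output as a starting list for manual review: a consent check three lines above a call is a hint, not proof that the gate actually wraps the send.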
Remediation: Separate transactional and marketing email lists and add a distinct opt-in:
// Signup form — separate consent for marketing
<form onSubmit={handleSignup}>
  <input type="email" name="email" required placeholder="Email address" />
  <input type="password" name="password" required />
  {/* Marketing consent — separate, optional, unchecked by default */}
  <label className="flex items-center gap-2 mt-4">
    <input
      type="checkbox"
      name="marketingConsent"
      defaultChecked={false} // MUST default to false
    />
    <span>
      Send me product updates and tips (optional).
      You can unsubscribe at any time.
    </span>
  </label>
  <button type="submit">Create account</button>
</form>

// In your signup handler, record consent separately
await db.user.create({
  data: {
    email,
    passwordHash,
    marketingConsent: formData.marketingConsent === 'on',
    marketingConsentAt: formData.marketingConsent === 'on' ? new Date() : null,
    marketingConsentVersion: '2026-02-01', // tie to privacy policy version
  },
})

// Only add to marketing list if consent was given
if (formData.marketingConsent === 'on') {
  await addToMarketingList(email)
}
For existing users already on a marketing list without documented consent: obtain retroactive consent via a re-permission campaign, or remove them from the marketing list.
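The consent gate and the re-permission triage described above, written out as an added example (not the checklist's own code): it assumes the `marketingConsent`, `marketingConsentAt` and `marketingConsentVersion` fields from the remediation snippet, a hypothetical `send` callback standing in for `addToMarketingList`, and constructed sample user records.

```javascript
// Added example (not the checklist's code): gate every marketing use of the
// email address on the consent record the remediation stores, and triage an
// existing list into documented consent vs. needs re-permission.
const CURRENT_CONSENT_VERSION = '2026-02-01'; // matches the remediation snippet

// Purposes covered by the signup contract (Art. 6(1)(b)); anything else
// needs its own lawful basis and is denied unless explicitly handled.
const CONTRACT_PURPOSES = new Set(['password_reset', 'security_alert', 'billing']);

// Consent is documented only when the flag, timestamp and policy version
// were all recorded, as in the remediation's db.user.create call.
function hasDocumentedMarketingConsent(user) {
  return user.marketingConsent === true
    && user.marketingConsentAt instanceof Date
    && typeof user.marketingConsentVersion === 'string';
}

function canUseEmailFor(user, purpose) {
  if (CONTRACT_PURPOSES.has(purpose)) return true;
  if (purpose === 'marketing') return hasDocumentedMarketingConsent(user);
  return false; // e.g. 'enrichment', 'ad_audience': deny by default (Art. 5(1)(b))
}

// `send` is a hypothetical callback standing in for addToMarketingList.
function sendMarketing(user, send) {
  if (!canUseEmailFor(user, 'marketing')) {
    throw new Error(`no documented marketing consent for ${user.id}`);
  }
  return send(user.email);
}

// Existing list members: keep those with a documented record, queue the rest
// for a re-permission campaign (or removal) as the checklist requires.
function triageMarketingList(members) {
  const keep = [];
  const repermission = [];
  for (const u of members) {
    (hasDocumentedMarketingConsent(u) ? keep : repermission).push(u.id);
  }
  return { keep, repermission };
}

// Constructed sample records: u1 ticked the box at signup, u2 was bulk-added
// from the signup table with no consent record, u3 never opted in.
const SAMPLE_USERS = [
  { id: 'u1', email: 'a@example.com', marketingConsent: true,
    marketingConsentAt: new Date('2026-02-03'), marketingConsentVersion: CURRENT_CONSENT_VERSION },
  { id: 'u2', email: 'b@example.com', marketingConsent: true },
  { id: 'u3', email: 'c@example.com', marketingConsent: false },
];
console.log(triageMarketingList(SAMPLE_USERS.slice(0, 2))); // { keep: ['u1'], repermission: ['u2'] }
```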