When is it appropriate to share a customer's identity with a third party?

The main idea here is how sharing a customer’s identity with a third party should be governed by legitimate need and proper safeguards within a business relationship. When a customer is actively engaging with a partner who is needed to deliver the service, sharing the customer’s identity with that partner is appropriate because the partner is part of the service process. There’s usually a contractual basis and privacy safeguards in place to enable that sharing so the partner can verify who the customer is and complete the service task, while still protecting the customer’s information and limiting use to the intended purpose.

In this context, sharing with a partner helps ensure smooth service delivery and supports proper identity verification within the authorized workflow, provided the sharing adheres to policy, data protection agreements, and the principle of purpose limitation. The other ideas—requiring explicit consent for every instance, or assuming consent based on public status or public data—don’t fit the stated business scenario as cleanly, because they either depend on consent that isn’t explicitly obtained in the moment or ignore the need for safeguards, even if data is publicly available.