The public has been demanding accountability and consequences for companies that disregard consumer privacy, and the collective efforts of consumer rights activists and governmental bodies have resulted in data protection laws such as the GDPR and CCPA. These laws now hold companies, marketers, and salespeople accountable for the data they collect, store, and share.
It is crucial to understand the specific expectations privacy laws impose on companies in order to achieve compliance.
Therefore, we have prepared a comprehensive guide to help your company, particularly your marketing team, ensure compliance with privacy laws.
Is Your Company in Violation of Global Privacy Laws?
In order to implement changes that will make your marketing and sales privacy law-compliant, you’ll need to first understand what data protection laws expect you to do differently. Here’s a list of major privacy laws by country.
While there are some recurring themes across all data protection laws, it’s very difficult to distill the broad talking points into just a few short sentences. However, the section below lists the essential things you need to know to get started.
Note that some of these might not apply to you based on the nature of your product, service, or company, and where your company, target audience, prospects, or customers are located.
Your company might be in violation of privacy laws if
#1 You don’t follow best practices when it comes to collecting or processing data and personally identifiable information like names, addresses, emails, or phone numbers.
This includes:
- Processing consumers’ data when they don’t have legitimate interest in your product, company, or service
- Not informing the consumer of your intentions for processing their data at or before the point of data collection
- Collecting email addresses without explicitly explaining, via checkboxes or other means, what the information being provided will be used for
- Not informing the consumer if you process their data to make automated decisions
- Not obtaining parental consent prior to collection, use, and/or disclosure of the personal information from children under the age of 13 (COPPA)
#2 You don’t have a privacy law-compliant method to store and retrieve information about prospects and users.
This includes:
- Using cookies to store personal data beyond what is absolutely necessary without the user’s consent
- Using software or vendors that aren’t privacy-law compliant to store, process, and retrieve information about users
#3 You don’t have a privacy-law compliant Privacy Policy document in place.
Scenarios include:
- It isn’t easy for users to find the information that they’re looking for to give informed, meaningful consent in your privacy policy page/document
- Critical information on what data is collected, how it’s collected, why it’s being collected/shared, and who it is shared with isn’t available in your privacy policy page/document
- Your users aren’t explicitly informed about their 8 rights (GDPR)
#4 You haven’t followed administrative protocol mentioned in the privacy law documentation, for example:
- You don’t give users the right to access, edit, rectify, or erase/remove/delete their information
- You haven’t appointed or hired a Data Protection Officer (DPO) (doesn’t apply to all companies, read this post to see if you are required to hire one)
- You haven’t performed a Data Protection Impact Assessment (DPIA) exercise (only applies if you meet these criteria)
#5 You are a vendor and you don’t have a Do Not Sell My Personal Information (DNSMPI) page (CCPA)
Important Note: While this includes most of the major things your company needs to be privacy law compliant, this does not constitute legal advice. If you’re working on being compliant with GDPR or other privacy laws, please work with data privacy, legal, and auditing teams to get the job done.
Privacy Law Compliance: Marketing Best Practices
Now that you know what privacy laws expect you to do, here are some of the best practices you should absolutely follow to be privacy law compliant.
#1 Review Your Website Forms
Privacy laws demand that you have a lawful basis for processing a user’s data, and that consumers must give you consent explicitly and freely when you collect their information for a specific purpose (e.g. product demos) or offer a non-essential service to them (e.g. sending marketing emails and newsletters).
In order to do this, you need to have unchecked (never pre-ticked) checkboxes under your forms that allow the user to express their consent for you to process their information.
Use plain English to indicate what users will be signing up for by checking the boxes, and always give them the option to choose their preferences before collecting their personal information. Keep terms and conditions/privacy policy checkboxes separate from consent request checkboxes to ensure that you obtain explicit permission from your users.
#2 Provide Unsubscribe and Opt-Out Options
Canada’s Anti-Spam Legislation and the US’ CAN-SPAM Act require companies to let recipients opt out of receiving commercial or marketing emails. Always have an Unsubscribe and/or Edit Preferences button attached to your marketing emails so it’s easy for people to withdraw consent if they want to.
Email marketing and marketing automation software like HubSpot or MailChimp allow you to automatically append this to marketing emails, and in some cases even make it a non-removable element.
#3 Maintain Proof of Consent
Recording when each user (or their parent, in the case of COPPA) has given you consent to store, process, and use their information is a good practice that you should absolutely follow. Failure to do so might result in you and your company finding yourselves in a sticky situation when asked to demonstrate when, where, and how you’ve stored and processed the consent given to you by your users.
#4 Create Comprehensive Cookie Notices
As you might know already, cookies are files that are stored on a user’s computer to track and collect information on user behavior and actions.
Most marketing software uses cookies, and if you are dropping cookies on your users’ computers, then you’ll need explicit permission from your users to store your cookies to be privacy law-compliant. This is typically accomplished by displaying a cookie pop-up on your website. Under the new laws, especially GDPR, it’s important to have a detailed cookie policy that explains the types of cookies you use, why you are using them, and with whom you are sharing the cookie data.
There are several websites that allow you to generate a cookie policy document that’s customized for your website.
#5 Choose Privacy-Conscious Vendors and Software
One aspect of privacy compliance that’s often overlooked is choosing vendors and software that are also privacy-law compliant, like 6sense. Marketing Operations and Sales teams typically use various software, and it’s imperative that you choose the right providers if you want to improve privacy compliance in your company.
#6 Set Up Double Opt-Ins
While double opt-ins are not required by law, setting them up is a good practice that will help you spot valid and responsive subscribers early on. A double opt-in is when you send a user an email asking them to confirm or verify their subscription. While not mandatory, double opt-ins help you remove junk/spam addresses from your database, and also ensure that you build a mailing list with above-average open and click rates.
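The consent-recording (#3) and double opt-in (#6) practices above, as an added example that is not part of the original post: each consent record keeps the exact checkbox text, source form and timestamp (and rejects pre-checked boxes, per #1), and the confirmation link carries an HMAC-signed, expiring token so a confirmation cannot be forged or replayed for another address. The key, lifetime and sample values are constructed for the demo.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed demo key and lifetime; a real deployment loads the key from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class ConsentRecord:
    email: str
    purpose: str            # what the box granted, e.g. "newsletter"
    consent_text: str       # exact wording shown beside the checkbox
    source: str             # which form or page collected it
    granted_at: int         # Unix time the user ticked the box
    confirmed_at: Optional[int] = None   # set when the double opt-in link is used

    def evidence_hash(self) -> str:
        """Fingerprint of the record as stored; recompute later to detect silent edits."""
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def record_consent(email, purpose, consent_text, checked_by_user, source, now) -> ConsentRecord:
    """Store consent only when the user actively ticked an initially unticked box."""
    if not checked_by_user:
        raise ValueError("a pre-checked or unticked box is not explicit consent")
    return ConsentRecord(email, purpose, consent_text, source, now)


def _sign(email, purpose, expiry) -> str:
    msg = f"{email}|{purpose}|{expiry}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_confirm_token(rec, now) -> str:
    """Token for the confirmation e-mail: expiry plus a MAC binding it to this address and purpose."""
    expiry = now + TOKEN_TTL_SECONDS
    return f"{expiry}.{_sign(rec.email, rec.purpose, expiry)}"


def confirm_opt_in(rec, token, now) -> bool:
    """Accept only an unexpired token whose MAC matches (constant-time compare); then stamp the record."""
    try:
        expiry_s, sig = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    if now > expiry or not hmac.compare_digest(sig, _sign(rec.email, rec.purpose, expiry)):
        return False
    rec.confirmed_at = now
    return True
```

Persisting `evidence_hash()` alongside each row lets an auditor verify later that the stored consent text and timestamps were not altered after the fact.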
Other Important Notes
While the points mentioned above are the best practices that Marketing teams should follow to maintain data privacy in marketing, there are several other actions that companies need to take to become truly privacy law-compliant. Some of the key things are to:
- Create Privacy Policy, EULA, and T&C documents that are in accordance with the expectations of data privacy laws
- Ensure that users are able to reach out to you to request that their information be edited/removed from your database
- Have an audit done to ensure that you’ve covered all your bases
Don’t Risk It!
Though the number of companies that are reprimanded for not being privacy law-compliant is fairly low, getting caught can mean a temporary or permanent ban on data processing and a fine of up to €20 million or 4% of your business’ total annual worldwide turnover (GDPR), or a similarly crippling fine under other laws.
Make sure you follow these best practices to maintain the data privacy of your customers in your marketing!
Footnotes: Implications of Major Privacy and Data Protection Laws
Below is a list of all major privacy and data protection laws that are in existence as of March 2021, and the highlights on the implications of these laws and what’s required to comply with them.
- General Data Protection Regulation (GDPR)
- Region: EU
- Key Requirements
- Official Checklist
- California Consumer Privacy Act (CCPA)
- Region: California
- Key Requirements
- Data Protection Act (DPA)
- Region: UK
- Key Requirements
- Personal Information Protection Law (PIPL)
- Region: China
- Key Requirements
- Lei Geral de Proteção de Dados (LGPD)
- Region: Brazil
- Key Requirements
- Personal Data Protection Act (PDPA)
- Region: Singapore
- Key Requirements
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Region: Canada
- Key Requirements
- Note: Soon to be replaced by the Digital Charter Implementation Act (DCIA)
- Children’s Online Privacy Protection Act (COPPA)
- Region: USA
- Key Requirements