Data Privacy and What You Need to Know
The marketing landscape is changing. While some argue that more regulation makes a safer digital world, one thing is clear. Increasingly stringent data privacy regulations mean that marketers should pay attention.
It’s not just Europe’s General Data Protection Regulation (GDPR) or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). With more states passing data privacy laws, it’s more important than ever to take steps toward understanding how to track and use data while complying with regulations appropriately.
Because many clients have questions about what data privacy means for their business, we’re diving into that and sharing best practices to reduce your risk.
What is Data Privacy?
In a nutshell, data privacy refers to protecting the personal information you collect from leads and customers, including, but not limited to, name, email address, phone number and physical address. It also speaks to how you gather permissions to market to people, specifically via email.
Many governments consider data privacy a critical consumer right, driven in part by the 2018 GDPR implementation, which imposed strict regulations on businesses. Many countries and U.S. states, including California, Virginia and Colorado, have passed individual consumer privacy laws. Coupled with changing laws and an increasing focus on cybersecurity regulation, it’s more than just a good idea to begin implementing best practices. It could impact the future of your business.
How Does Data Privacy Impact Marketing Strategies?
It used to be that if you had someone’s email address, you could market to them without fearing significant if any, legal penalties. However, the privacy acts enacted since 2018 set out to change that, with potential fines of millions of dollars.
What this means is that if there’s even a chance you’re marketing to people living somewhere that protects consumer data privacy, you should protect their information and confirm that you have permission to market to them.
In other words, just because you have the data, it doesn’t mean you can use it, particularly when it comes to marketing campaigns, mass email sends, and automations.
Most data privacy laws apply to companies with 50 or more employees. However, even if your company is on the smaller side, getting permission to market to your audience can build trust with your audience, enhance customer relationships and strengthen your marketing efforts.
What are the Best Practices for Complying with Data Privacy Regulations?
Understanding data regulations and potential penalties is one thing. Knowing how to comply with them and reduce risk is something different. So let’s explore some of the best practices we share with clients.
Get Permissions When You Gather Data
Before we begin talking about marketing to your audience, we typically recommend examining how you’re gathering information and, more importantly, if they’re opting in to receive marketing communications (more on that below).
Suppose people join your mailing list from your website or by registering for online trainings. In that case, it’s a good idea to include language indicating that by clicking submit, they agree to receive marketing communications from you. (There are several types of opt-ins; we’ll get deeper into that below.)
Similarly, if you’re gathering sign-ups at a tradeshow, it’s important to use language that indicates you have marketing permissions if they fill out your form. While relatively easy to control for your sign-ups if the event provides a list of attendees, you don’t always have this information. Ultimately, it’s a good idea to confirm with the event managers that attendees agreed to get marketing communications from vendors,
While your marketing automation software generally tracks signups if they happen online, we typically recommend clients tag these contacts to identify when and where they opted in. For example, a tag might be “Event Name-Year.” To that end, it’s a good idea to keep a backup on hand to prove when people opted into your list to reduce risk.
Most people unsubscribe if there’s an error or they forget about signing up. However, it can take just a single complaint potentially open up a massive can of worms for your business if you can’t prove when or where the person agreed to receive marketing communications.
Know What Data You Can’t Use
Generally speaking, if people opt into your mailing list and don’t unsubscribe, you can usually send them marketing campaigns in compliance with data privacy regulations. We covered a few cases above—online opt-ins and trade shows where people agree to receive marketing communications. However, what about contacts from other data sources—how do you know if you can market to them?
- Purchased lists and generally a no because, most likely, these people haven’t opted into your mailing list.
- Data from your connections on LinkedIn is also generally a no-go. Just because an individual connects with you or your team doesn’t mean you have permission to market to them.
- Scraped data from anywhere online.
- Anyone who opts out or unsubscribes. Once they tell you to stop emailing them, you must honor that request and cannot re-add them to your list without explicit permission.
In addition to potentially setting you up for penalties, emailing these audiences isn’t likely to generate high ROI as they are not likely to engage with the content.
Understand the Three Types of Opt-Ins
Most people don’t know that there are three primary types of opt-ins: automatic, single, and double.
Automatic opt-ins mean that when people take a specific action, like filling out a form, you automatically opt them into mailings, giving them the ability to unsubscribe in every email.
Single opt-ins include some language to say something like, “By clicking submit, you agree to receive marketing emails from our company.” If there’s a checkbox they must agree to, some might construe this as a double opt-in, but many people consider this a single opt-in.
Double opt-ins require two steps to opt someone into your marketing emails. Often this means that after filling out a form, they receive an email from you they must click on to confirm they want to hear from you.
Understand the Difference Between Operational and Promotional Emails
Many marketing platforms allow you to differentiate between marketing emails and those explicitly related to operations, including onboarding and customer service. We typically encourage our clients to think critically about the purpose of the email—is it truly about awareness, or is it promotional?
Is your email operational? Here are a few examples:
- You have a service outage and are letting your customers know. (Yes, it’s probably operational.)
- You’re changing your customer service hours or procedures. (Yes, it’s probably operational.)
- You’re rolling out a new, improved service at no additional cost to your customers. (Yes, it’s probably operational.)
- You’re shipping out something your customer ordered or sending tracking updates. (Yes, it’s probably operational.)
- You’re sending reminder emails about an event. (Yes, it’s probably operational.)
- You’re rolling out a new paid service or product and sending a mass communication. (No, it’s probably promotional because you’re hoping it turns into sales, making it more promotional than awareness-driven.)
- You’re sending follow-up emails after an event with the replay that also includes an upsell to a new product. (No, it’s probably promotional because you’re hoping it turns into sales. If you were only sending the replay, it might be operational. As is, it’s likely more promotional than awareness-driven.)
Reduce the Risk of Getting Flagged as Spam
When people flag your emails as spam, it can affect deliverability and improve the likelihood of reports of non-compliance to governing bodies. Here are two ways to reduce that risk:
Warm Up Cold Lists
Suppose you have a list of people who have opted in but haven’t emailed them in at least six months (or more). They may not remember signing up if you haven’t been consistently showing up in their inboxes.
While you may have the law on your side and the backup to prove it, if you have too many unsubscribes or spam reports, it can trigger headaches, including notices from your marketing automation platform and potential legal reports.
In the case of a cold list, it’s a good idea to warm up the list before going all in on promotional emails to remind them how they got to your list.
Follow Data Security Protocols
By adding DKIM to your emails, you can show you’re a trusted sender. Why is this a good idea? In addition to potentially increasing the likelihood of landing in your audience’s inbox, you also reduce the risk of getting flagged as spam.
When in Doubt, Check with Legal
While these are best practices that we frequently recommend to our clients, every situation has varied nuances. If there are any gray areas or conditions you’re not sure of, it’s always a good idea to protect yourself by checking with legal to reduce risk.
Putting Best Practices in Place Now Can Reduce Your Long Term Risk
While 10-15 years ago, email marketing was like the Wild West, the rules of marketing communications have changed considerably over the last decade. As more governments pass data privacy laws, complying with them is a good business practice, even if they don’t specifically relate to your company now.
In addition to reducing the risk of hefty fines, you can also protect your reputation by reducing the likelihood of bad press and using these practices to strengthen relationships with your customers. Moreover, even if your company isn’t subject to these emerging regulations now, it may only be a matter of time. With that in mind, you can save potential headaches by putting best practices into place now, including tracking opt-in information.
BDO Digital’s data privacy team concentrates on helping clients identify which privacy regulations they fall under, evaluate current marketing practices for compliance and implement recommended changes. Contact us today if you’d like to find out how we can help you reduce your data privacy risk.
SHARE