Are You Compliant? Best Practices for New Data Privacy Laws

If you tensed up at the thought of data privacy law compliance, you’re not alone. 

The Age of Digital Privacy Law overhaul is here. GDPR, CCPA, CPRA, CASL, and other regulations are now the law of at least a portion of the land. And there are more coming. 

Some businesses take these laws very seriously, while others do not. Where do you stand? 

If your company gets fined so often for data privacy breaches that the payouts are a line item on the balance sheet (not naming names), it’s probably not a huge concern, even though it should be.

But if your company cares about things like hefty fines and damage to its reputation, you hopefully have these processes in place.

While there are different nuances and details specific to each of these international regulations, the goal of each data privacy law is to manage the digital relationship between individuals and businesses. Essentially, these laws encourage companies to do what they should have done: focus on quality over quantity in their communications.

Some Marketing Automation Platforms like Hubspot have taken a straightforward approach to compliance with data privacy laws: Simply check a box, answer some questions, and you’re compliant. 

Others like Eloqua and Marketo have taken a “build-it-yourself” stance. 

Both methods have their merits, but neither delivers a quality solution. Hubspot’s approach is too broad. How can specific concerns or needs of the business be met with a blanket approach? At the other end of the spectrum, Oracle and Adobe are too hands-off, with little to no guidelines around best practices or how to implement them. 

Oracle and Adobe’s stance also means each customer will have varying strengths and weaknesses in their design, depending on the experience of who is designing and implementing the solution and the amount of time and legal guidance they have.

Compliance at a High Level

Quick disclaimer: These broad recommendations will be appropriate for many areas of the world but are not comprehensive. Please check with your legal counsel to ensure compliance in all jurisdictions where you have business relationships.

If you’re an Oracle or Adobe customer, you have free reign to set up your approach to data privacy compliance. While this freedom provides flexibility, it can also be a little overwhelming. So here are some details of what you need to be compliant.

For data privacy law compliance, you need an easily accessible record for each contact confirming their consent to be emailed and your legitimate interest in communicating with the contact.

• Consent: What is the level of consent required by each geographical region you are marketing in?
• Opt-Out: You email contacts without explicit consent, and they must opt out.
  
• Single Opt-In: You email contacts only after they have given express consent at least once.
  
• Double Opt-In: You email contacts only after they have given express consent at least two times.
  
• Legitimate Interest: Do you have a legal basis to communicate with the contact? Are they a current customer? Did they perform an activity that indicates they want to receive certain content from you? This is especially pertinent for B2Bs and does not apply to B2Cs as often.

You also need a process to remove contacts who demand removal from your system.

• Right to be Forgotten: If a contact tells you to remove them from your database, you must remove them promptly and have the rules in place so they don’t re-enter.
  

Know where your contacts reside and the rules around email marketing for those locations.  

• Profile: Data decays at a rate of up to 75% annually, depending on the industry. Be careful about making assumptions around location data. Depending on your business, you may be able to make straightforward inferences about your database. For instance, if you only operate in the US, you can safely assume CAN-SPAM and CCPA/CCPR apply. However, this does not mean you do not have international contacts in your database.

Track your contact engagement.

• Engagement: Use the information you have in your database to determine how to treat contacts. For instance, you can remove records with little or no engagement data, hard bouncebacks, and unsubscribes. At the same time, contacts with engagement data and well-populated profiles should be appropriately tagged to receive email under the law that applies to them.

When looking to implement a compliance solution, consider the following:

• What regions and jurisdictions are you operating in? By what privacy laws are these regions governed?
  
• Do you have a legitimate interest to communicate with part or all of your database? Are there any particular groups that need special treatment?
  
• Think about what attributes you should track.
  
• Create a change log for contact records as their compliance status is modified. This log could be a contact feature or custom data object.
  
• Once you set up the process within your MAP to track compliance, feed your initial records before turning your process on.
  
• Audit your process regularly.

How Dark Pool and Frequency Management Can Help

While we can’t tell you which laws apply to your circumstances, we can help devise your strategy for handling contacts.

First up is Motiva’s Dark Pool for analyzing contact engagement. If you’re seeing a high percentage of contacts in the “Remove” or “Stop Sending and Shift to a Different Channel” categories in Dark Pool, you’ll want to examine the contacts that comprise those groups.