Data & Privacy Regulations: What marketers need to stay compliant
Data collection and analysis are a core part of marketing. Marketers want to know everything from the basics like “how many people come to our website” to more advanced insights like “which are the top-performing marketing campaigns in the last quarter and what factors will let us replicate their success.”
Marketers need data.
Indeed, over the past decade it’s been hammered home that we need to make data-driven decisions and that we should be gathering as much data about our customers’ behaviours as possible.
That’s about to end. Welcome to the end of third-party cookies and hello to stricter laws around data, privacy, and consent.
In this article, I’ll tell you what I understand about the current state of data privacy regulations, best practices for compliance, and how to start building data privacy into your business.
I’m not a lawyer. Do not take this as legal advice. Do take it as advice to go chat with someone in legal who understands marketing, business, and privacy compliance.
Introduction to Data Privacy in Marketing
Data privacy is the protection of personal information from unauthorized access, use, or disclosure. Marketing, as mentioned above, involves the collection and use of personal data for the purpose of promoting products or services.
Google Analytics tracks where people go on our websites, the Facebook Pixel is used for remarketing, email addresses are collected for newsletters, CRMs save personal information to help fulfill online orders … the list goes on.
In recent years, there has been growing concern about data privacy in marketing.
Let me rephrase.
In recent years, there has been growing resentment among consumers about how their data is collected and used. Ads follow them around the web. They can’t shake companies that keep appearing in their Instagram feed, and they get promotional email and spam from sources they don’t recognize … the list goes on.
Marketers have taken advantage of the lack of regulation. So now the rules are here.
In short, this involves obtaining consent from consumers before collecting their data, providing transparency about how their data will be used, and giving them control over their data.
It doesn’t matter if you are a lovely small business. Other marketers have run amok. Consumers lack trust, so getting consent is going to be hard. It means marketers have to rebuild trust through clear and concise privacy policies, cookie consent management, and the use of secure platforms, encryption, and anonymization to protect the personal information they do collect.
I know data regulations are complex. But I also know that it’s my job as a marketer to understand what data can be collected and how to use it in a responsible and ethical manner. This requires ongoing attention as new regulations are enacted.
I’m still trying to figure out what applies in a Canadian context. But the same way that marketing works with sales, publicity and design, it’s time to hang out more with legal, ops and IT.
Current State of Data Privacy Regulations
Most marketers are familiar with data and privacy regulations like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. But do you know about the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada?
Have you seen more and more Canadian companies implementing cookie consent banners on their sites? PIPEDA is why. My understanding is that PIPEDA requires explicit consent for marketing and advertising cookies. That means users have to opt in. Are you showing Canadian website visitors a cookie consent banner before tracking them?
Let’s start with GDPR. GDPR is one of the most comprehensive data privacy regulations in the world. It requires companies to obtain consent from consumers BEFORE collecting and using their personal information, provide transparency about how their data will be used, and give them the right to access and delete their data. Failure to comply can result in significant fines. AND, the regulation applies to any business with consumers in the EU. It doesn’t matter if you’re a US or Canadian business, if you have website visitors from the EU, then you need to present a cookie consent banner, have a clear privacy policy, and be able to delete that person’s data if requested.
That means Google Analytics should not be tracking visitors until they accept marketing cookies on your site.
The CCPA is a data privacy law in California that gives consumers the right to know what personal information is being collected about them, the right to request that data be deleted, and the right to opt out of the sale of their personal information. The CCPA applies to for-profit companies that have a gross annual revenue of over $25 million and collect or sell the personal information of 100K or more California residents.
You might think that you can ignore this one based on your company size, but selling data does not necessarily mean a monetary transaction has occurred. One example of “sales” includes collecting personal information through cookies for targeted advertising purposes. This definition of selling is different in each jurisdiction but it’s important to understand that IP address, session details, and browsing activity could be considered personal identifiers, especially when combined with remarketing pixels.
In addition to CCPA, several American states have (or are introducing) data protection regulations for how marketers collect and use data about consumers in those states.
If you have website visitors from California, Virginia, Colorado, Connecticut, Utah, Montana, Iowa, or Hawaii then you need to consider current and upcoming state-level privacy laws.
If you have website visitors from the EU and Canada, then you should review your privacy policies and cookie banners to ensure you are handling the data you collect correctly.
Be aware that the laws often apply to where the consumer is, not where your business is located.
Did you know Google Analytics is illegal in Austria, Denmark, Finland, France, Hungary, Italy, and Norway? Yup.
Key Principles of Data Privacy in Marketing
The definition of personal data varies by jurisdiction, which can make data privacy regulations seem complex. But there are some key principles or general points you can follow.
Personal data includes anonymous website data gathered by tracking tools like Google Analytics.
Targeted advertising, like remarketing with the Facebook Pixel or via Google Ads, has to be disclosed in several jurisdictions, and often requires organizations to either offer opt-in or opt-out rights.
Cookie consent banners help with consent management, but you have to confirm that the tool you use also recognizes the Global Privacy Control Opt-Out Signal (GPC), which is a browser setting many users set to notify websites not to share or sell their personal data without consent.
Banner text and design often require certain elements. For example, Accept and Reject should be weighted evenly (don’t make Accept bigger, bolder, or easier to click than Reject). The text should say whether you collect data for advertising, analytics, social media or other purposes AND you need to explain why. Plus, you should include links to user settings and your privacy policy.
The main components of these regulations are transparency, consent, data management, security, and accountability.
Provide Transparency: Provide clear and concise information to consumers about how their personal information will be collected, used, and shared. Home Depot was recently found in violation of PIPEDA for disclosing personal information to Meta. When customers gave an email to get an e-receipt, that information was also used for remarketing purposes on Facebook and Instagram. So transparency applies to what you’re collecting and why, whether that’s in person or online. Be sure you have a clear privacy policy that outlines the types of data collected, the purposes for which it will be used, and how it will be secured. Have you reviewed your privacy policy recently? Time to review.
Obtain Consent: Marketers should obtain explicit and informed consent before collecting personal information. This means providing the option to opt in or opt out, depending on jurisdiction. Do you have a cookie banner in place, and is it active for the right audiences?
Respect Consumer Rights: EU consumers have the right to access, correct, and delete their personal information. Be sure you have a way to do that, and check if it applies to other markets. Be responsive to requests and provide timely and accurate responses. Who’s your privacy officer and what’s your internal process if you get a request?
Implement Security Measures: Marketers should implement appropriate security measures to protect personal information from unauthorized access, use, or disclosure. This includes using encryption, firewalls, and other security protocols to protect data. At a basic level, you probably have HTTPS for your website, but consider where else you store customer information and how it’s protected. Look at your various marketing vendors. Do you have two-factor authentication for login to tools storing customer info?
Be Accountable: Marketers should be accountable for the collection, use, and sharing of personal information. This means having policies and procedures in place to ensure compliance with data privacy regulations, and conducting regular audits to ensure that personal information is being collected and used in a responsible and ethical manner. If you have some seasonal downtime, it may be time to set up a data privacy training and awareness session for staff.
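To make the consent points above concrete (don’t load Google Analytics before consent, honour the Global Privacy Control signal, and support opt-in or opt-out depending on jurisdiction), here is an added example of a small consent gate. It is illustrative code written for this article, not code from any consent-management vendor; the category names, the `G-EXAMPLE` measurement id and the choice to let an explicit banner choice override the GPC default are assumptions.

```javascript
// Consent categories a banner typically offers (constructed for this example).
const CATEGORIES = ["necessary", "analytics", "advertising", "social"];
// Categories that involve sharing or selling data, which a GPC signal opts out of.
const SHARING = new Set(["advertising", "social"]);

// Read the Global Privacy Control signal. `nav` is passed in so the function
// can run outside a browser; in a page you would pass `navigator`.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which categories may run.
//   stored: the visitor's saved banner choice, e.g. {analytics: true}, or null
//   gpc:    true when the browser sends Global Privacy Control
//   mode:   "opt-in" (EU/Canada style) or "opt-out" (CCPA style)
// Assumption: an explicit recorded choice wins; GPC only changes the default
// for the sharing categories when the visitor has made no choice yet.
function resolveConsent(stored, gpc, mode) {
  const result = { necessary: true };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    const explicit = stored && typeof stored[cat] === "boolean";
    let allowed = explicit ? stored[cat] : mode === "opt-out";
    if (!explicit && gpc && SHARING.has(cat)) allowed = false;
    result[cat] = allowed;
  }
  return result;
}

// Tag scripts gated by each category (illustrative URLs; G-EXAMPLE is a placeholder).
const TAGS = {
  analytics: ["https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"],
  advertising: ["https://connect.facebook.net/en_US/fbevents.js"],
  social: [],
};

// Scripts that may be injected for a resolved consent state. With no consent
// in opt-in mode this is empty, which is the "no GA before consent" rule.
function scriptsToLoad(consent) {
  const out = [];
  for (const [cat, urls] of Object.entries(TAGS)) {
    if (consent[cat]) out.push(...urls);
  }
  return out;
}

// Browser wiring: inject only the permitted scripts and return the decision.
function applyConsent(doc, stored, nav, mode) {
  const consent = resolveConsent(stored, readGpc(nav), mode);
  for (const src of scriptsToLoad(consent)) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = src;
    doc.head.appendChild(s);
  }
  return consent;
}
```

In a real page the `stored` value comes from your banner’s saved choice and `applyConsent` runs both on page load and again when the visitor changes their settings.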
Tools and Resources for Data Privacy Compliance
Complying with data privacy regulations does not have to be a hard, unmanageable job. There are several tools and resources available.
Start with a privacy compliance checklist. I attended a webinar from Jodi Daniels at Red Clover, a privacy consultancy firm, and she was phenomenal at explaining the regulations and what to consider.
Establish and maintain a data inventory to ensure your organization understands the categories and sources of personal data collected, how it’s used, where it’s stored, and who it’s shared with. Review contracts with third parties, vendors, service providers, and processors to ensure they have adequate processes in place to comply.
Obtain and track consent. Make sure your cookie banner provides the required notices and enables users to opt-in (or out), as required by applicable data privacy laws. Here’s a clear article on Canada’s PIPEDA and cookie banner requirements.
Update and revise privacy notices. Privacy Policy Generators, like you find in Shopify, create privacy policy templates that are a helpful first step. Here’s another Red Clover resource on policy statements.
And, we are in marketing, right? Tap into those skills. Promote your privacy efforts to build trust with your audience and improve consent-accept rates.
Conclusion
Data privacy is essential for building trust with your audience and creating effective marketing campaigns. By following best practices for data privacy compliance, marketers can ensure that personal information is collected, used, and shared in a responsible and ethical manner. With the right tools and resources, marketers can build a culture of data privacy and security that helps protect their customers and their business.
Extra reading