Data Privacy Laws + Marketing: A Layperson's Guide

Jan 30, 2019 / by Meghan Hultquist | 9-Minute Read

Data privacy is quickly becoming a business focus around the world, and it's only the beginning. Technology has reshaped our privacy expectations, and the response has been increasing backlash, as well as legal and regulatory action. This rapidly evolving landscape will fundamentally change how business is transacted online.

Huge data privacy scandals are making headlines, and conglomerates like Facebook and Google are being hit with significant financial penalties under applicable laws. As a result of the shifting legal landscape, consumers' expectations around privacy are once again shifting, too.

Evolving data privacy legislation affects many parts of a business. We've put together a high-level breakdown of the rapidly evolving legal landscape that is shaping up around data privacy, what marketers should expect, and what you can do to prepare for the future of commerce in a data privacy-vigilant world.

The Need for Regulation

The need for data privacy regulation is pretty obvious, at least from the vantage point of most consumers. As consumers, we understand and recognize that it's important and fair that companies protect our own private data, and that they don't abuse it.

Formal industry research, including this report from the Pew Research Center, backs up this shared sentiment of growing concern for data privacy among the U.S. public. Two-thirds of Americans surveyed have said that current laws are not sufficient to protect people's privacy, and 64% support increased regulation of advertisers.

Active Legislation

The legal landscape has struggled to keep up, but there's suddenly some serious traction that marketers need to know about.

Most savvy digital marketers are familiar with the EU's General Data Protection Regulation (GDPR), a notably stringent data privacy regulation in Europe that took effect in May 2018. The GDPR governs how personal data of EU citizens is collected, stored, managed, and processed by businesses. Although the GDPR is a European law, its application is worldwide, meaning that any company in the world that does business with EU citizens is subject to its rules. This month, a substantial financial penalty (approximately $57 million) was imposed on Google by French authorities for violations of the GDPR. This penalty is a vivid illustration of how U.S. companies might be affected by the legislation.

In the U.S., legislative efforts have picked up noticeably since the passage of the GDPR. California recently passed a data privacy law that will take effect in 2020, and many experts question whether this will become the federal standard. Legislation has also been introduced at the federal level. Ultimately, it's really not a question of if, but when data privacy regulations will become ubiquitous.

The new U.S. law — the California Consumer Privacy Act, A.B. 375 — affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other novel protections, the law states that consumers have the right to request the deletion of personal information, opt out of the sale of personal information, and access their personal information in a “readily useable format” that enables its transfer to third parties without delay.

Experts point out that the definition of "personal information" is intentionally broad, which means it's subject to a range of interpretations.

The Impact on Marketing

The impact on companies in the marketing and tech sectors may be profound. Revenue generation in these industries often depends largely on consumer data. 

Social media giants like Facebook, LinkedIn, Twitter, and Instagram rely heavily on usage of personal data to drive advertising revenues. Data giants like Oracle and Experian, whose revenue comes from data storing, sharing, and analysis, stand to lose even more.

These changes will significantly affect how business is conducted and how marketers do their jobs.

First, it's extremely important to develop awareness of any laws that apply to your company's jurisdiction and/or audience. Consult your attorney for legal guidance in these areas.

Secondly, apart from legal consequences, it's important for marketers to note that sometimes, the court of public opinion matters too. As more and more companies update their policies to become compliant with privacy laws, those who lag behind risk being perceived as non-compliant, or unconcerned, with their consumers' privacy.

A good starting point for taking action is to gain a sound understanding of the intent and major principles of these laws and opinions. Namely:

  • Consumers should be empowered to have control and knowledge about how their data is stored, shared, and collected during interactions with businesses. 
  • Consumers have to provide their consent before data can be obtained.
  • Consumers have the right to request that a company stop using their data for marketing in all systems, commonly referred to as a "right to be forgotten."

Changing Common Practices

What does this mean for marketers? Certain practices that have become commonplace, such as collecting a user's email address for a download and then subsequently using that email address to send marketing emails, may no longer be acceptable without first obtaining consent or opt-in from a consumer.

A Cleaner, Dryer Funnel

For many companies, this may mean a big drought at the top of the funnel, and marketers must respond accordingly. Approaches like ABM can still be leveraged to build one-to-one connections that stay within the boundaries of data privacy.

On the other side of that coin is the idea that companies will have a much cleaner database than in the past, since every contact will have to provide specific consent to be there in the first place. This consent barrier will actually serve as a filtration device, allowing companies to focus on leads who are truly engaged and interested.

Higher-Quality Content

Going forward, marketers will need to earn the right to communicate with consumers. What this will likely mean is that the fight for people's attention will now be coupled with a fight for users' consent. Ultimately, the need to produce high-quality content will only increase, across all industries and on a worldwide basis. There may even be an emergence of agencies and organizations that specialize in obtaining consent from target audiences.

Deeper, More Specific Relationships

There is also a big opportunity in the way of developing one-to-one relationships. Data privacy concerns aside, for years, effective digital marketing has increasingly been moving in the direction of individualization, personalization, and one-to-one messages. Companies that continue to focus on building strong, one-to-one relationships with prospects and customers are most likely to succeed.  

What to Do Now

The future is still uncharted, but there are a handful of actions marketing teams can take now to facilitate compliance with ethical data collection best practices. 

Here are some steps marketers can take to help improve data privacy rights for individuals.

Update Your Website Privacy Policy

Update your website privacy policy to use simple, easy-to-understand language that your audience can easily locate and understand. Be very transparent about your privacy policy, and write it in a way that an eighth grader could understand, even if you have a sophisticated or highly educated target audience. 

Here's what to consider when it comes to your privacy policy:

  • Users should have a choice. The mere fact that a user is interacting with your website does not qualify as consent to your privacy policy. The GDPR essentially eliminates the concept of tacit data privacy consent.
  • Consenting to your privacy policy must be a clear, affirmative action. You cannot use a hidden, pre-checked box or other convoluted means to obtain consent. If your privacy policy cannot be easily understood by someone at an eighth-grade reading level, rewrite it until it can. 
  • Include an opt-out that is as clearly labeled as the opt-in.

Update Your Cookie Policy

A cookie is a very small file that is downloaded to a user's device each time they visit a website. Most websites in the world use some form of cookies. These cookie files contain data like the website's name and unique user ID. 

The GDPR references cookies directly, in Recital 30. Essentially, it states that cookies should, in fact, be treated as personal data, since they are used to uniquely identify a person. 

Just like with your privacy policy, when it comes to cookies:

  • Users must have a choice. The mere fact that a user utilizes a website doesn't mean that they consent to all cookies. 
  • Similar to all consent provisions under the GDPR, consenting to cookies needs to be a clear, affirmative action. The most common example is a checkbox to opt-in or a selection of settings from the website's menu. 
  • Include an opt-out. The GDPR clearly states that a user must be able to withdraw their consent as easily as they gave it. 

Update Your Forms

One thing you can do now is to update your website forms to include an opt-in box for consent to receive marketing communications from your company.

Not only does this move you in the right data privacy direction, but it will also ensure you have an engaged database that is willingly receiving information from your company.

Map Your Process

In order for anyone to understand whether your internal policies and procedures are legally compliant, you'll need to be able to describe and explain what your processes are. A surprisingly high number of companies get by with little-to-no processes in place, but this is an area where it's extremely important that everyone is on the same page. 

Mapping your processes is the best way to ensure you haven't overlooked any key areas. Start by meeting with your team and creating a whiteboard map of how your marketing team collects, stores, manages, or processes personal data. Highlight areas where data is collected or passed. Make a list of any technology systems where information is stored.

Document Your Policy

The easiest way to make sure you have a clear and compliant data privacy policy is to document it so that it can be referenced. Use the process map that you created in the step above to document the different elements of your policy, and make sure this information is available to all members of your team. Include these documents as part of your team's onboarding policy to make sure everyone is compliant from the very beginning.

Make Opt-Out Easy 

One important element included in the GDPR is the "right to be forgotten," which means that a person has a right to have their digital identity erased upon request. Move in this direction by making sure it's easy for a user to remove themselves from your database. Your email marketing should already include opt-out language that complies with the CAN-SPAM Act, a U.S. law that has been in place since 2003. Effectively handling opt-outs is one of the many reasons a clear process is so essential. 

List Your Legal Questions

If you're going to make adjustments to comply with a law, you're going to run into questions only an attorney can answer. Make this process easier by compiling an organized list of questions and issues that come to mind when you think through your process, data collection, and consent language. Legal, marketing, and compliance teams will need to approach data privacy collaboratively. 

Effectively tackling and handling the issue of data privacy will be neither easy nor simple for many U.S. businesses. However, at the end of the day, brands still have plenty of opportunities to achieve the necessary understanding of their consumers and prospects. It is still very much possible to properly protect customer data and utilize advanced audience-based marketing to deliver a tailored message that will resonate well. Businesses should embrace the coming changes to data privacy and get out in front of them by taking steps today to put people's right to protect their data front and center. As with most legal matters, it's far easier to start preparing early and take a proactive stance than to conduct yourself with disregard for the law and try to deal with the consequences reactively.
