Six Steps Marketers Need to Take for Data Privacy Compliance in 2023
Data privacy isn’t a new concept for anyone currently in marketing. Even if they aren’t currently subject to a specific law, trends in data privacy have been changing the marketing landscape since 2016, when the European Union’s General Data Protection Regulation (GDPR) set the current standard for digital consumer privacy rights.
Unlike the EU, the United States hasn’t passed one universally applicable data privacy law. Instead, the federal government has opted for a sectoral approach, placing the responsibility of protecting citizens’ personal data on each state legislature.
With its 2018 California Consumer Privacy Act (CCPA), California was the first and only state with meaningful privacy protections for four years. But according to the world’s leading data privacy resource (the International Association of Privacy Professionals, or IAPP), “state-level momentum for comprehensive privacy bills is at an all-time high.”
Between 2021 and 2022, four more states—Virginia, Colorado, Utah, and Connecticut—each passed their own omnibus privacy legislation. Earlier legislation gave businesses up to two full years to prepare for enforcement, but newer state privacy laws have shortened the on-ramp, sometimes significantly.
Five state-level privacy laws will come into effect in 2023:
- California’s updated California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) go into effect on January 1, 2023
- The Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) will be effective beginning July 1, 2023
- The Utah Consumer Privacy Act takes effect December 1, 2023
Whether you need to update your marketing practices to match new compliance obligations or your company is just beginning to consider its privacy program, the best time to start is now.
Six steps to successfully balance marketing and privacy
No matter where you are in your privacy journey, there are six things you can do to make establishing compliance more efficient and effective:
- Figure out which laws apply to you
- Evaluate existing practices and identify necessary changes
- Obtain input and buy-in from all departments
- Base new processes and protective measures on privacy best practices
- Build trust to grow your first-party data collection program
- Stay flexible
Step 1: Figure out which laws apply to you
While some marketing teams operate out of brick-and-mortar shops and serve a limited geographical region, marketing is an increasingly remote industry. You can provide outstanding marketing services to a client based in Seattle even when you’re based in Tucson.
The remote nature of marketing work means you need to be extra aware of what legal requirements apply to your business. The U.S. and the EU aren’t the only governments with data privacy laws.
But if Googling the latest privacy regulations seems overwhelming, there are tools to help you know what you need to pay attention to. The IAPP has a global privacy map and a state privacy legislation tracker that can help you understand your current compliance obligations and any changes that might be headed your way.
A Very Important Note for businesses
Even if a law doesn’t strictly apply to your business (for example, because you fall below the revenue threshold for the CPRA), your customers may well expect you to prioritize their privacy. Base your privacy practices on recognized best practices, not just on legal requirements.
Step 2: Evaluate existing services and practices and identify necessary changes
This step is a big one and may require a significant investment of time and resources. But if you do it well, the rest of the steps will be easier to manage.
Marketing professionals offer all kinds of services and implement a wide range of workflows and tools to deliver them. Maybe you run an agency that focuses strictly on copywriting. Or maybe your game is focused on lead generation and paid advertising. Maybe you’re in-house marketing and do it all for a construction company.
Whatever you do and however you do it, first things first: start by auditing your services and tools.
Auditing your services and tools makes the necessary next step, running a data inventory, easier. A data inventory (also known as a data map) is required under the GDPR and the CPRA. But even if you’re not mandated to have one, a data inventory is an essential tool that identifies what type of data your company is collecting and from whom.
It will also give you a clear picture of how customer data is collected, processed, shared, and stored. Understanding your full data management program will help you see if you’re:
- Collecting more data than you need
- Using data in ways you haven’t disclosed or that don’t align with a public privacy notice
- Sharing or transferring data with people/organizations you shouldn’t
- Putting data at risk through unsafe processing or storage practices
- Categorizing or using sensitive personal information incorrectly
- Meeting existing compliance obligations
Knowing where the risks are makes mitigation far easier. But keep in mind that, as a marketer, you likely use numerous third-party vendors, from email automation platforms to project management tools to your social media platforms.
These tools are part of your data collection program, and, as such, you must carefully evaluate their practices for collecting, sharing, and storing data. You should also double-check how you implement permissions and settings on your end. For example, if you run Facebook ads as part of your marketing work, consider implementing their Limited Data Use tool, which restricts how Facebook processes any information gathered via Facebook Pixel.
Step 3: Obtain input and buy-in from all departments
Systematic, universal data privacy is a fairly new concept, so it’s somewhat understandable that many leaders instinctively silo privacy functions. But here’s the truth: marketing isn’t solely responsible for your privacy program. Neither is IT (privacy and security aren’t the same thing).
It helps to think of privacy like you think of customer experience. Customer experience is part of every function in your company. From marketing to product design to pricing strategy to customer service, customer experience objectives and performance data guide and impact decision-making processes for businesses in every industry.
New privacy regulations are comprehensive and achieving compliance requires a lot of heavy lifting across the board. If your program is built solely from a marketing or IT standpoint, achieving compliance will probably result in inefficiencies, even obstacles, for other departments. Obtaining input from all your company’s key stakeholders will help you manage competing priorities and ensure everyone on your team is on the same page.
Remember that some business activities may be siloed differently depending on your organization. That makes communication and collaboration extra important. If, for example, your marketing department handles all the copywriting for your business’s website but the IT department manages the back end, make sure your developer has clear instructions for how to set up—and maintain—cookie banners and privacy notices across the site so you can stay on the right side of compliance.
Step 4: Base new processes and protections on privacy best practices
There are two ways a business can approach privacy. The first is through process (privacy by design), and the second is through technology (privacy by default). The best programs utilize both.
When we talk about privacy by design, here are a few examples of what we mean:
General privacy-by-design best practices
- Writing a straightforward, easy-to-understand privacy notice
- Implementing the principle of least privilege, which means employees, processes, and vendors have access to the smallest amount of data needed for each assigned task
- Updating data inventories or data maps regularly
- Providing frequent training on privacy best practices for all employees
- Conducting regular risk assessments, both internally and for vendors
Marketing-specific best practices
- Reviewing your privacy notice before executing a new marketing campaign or signing on a new vendor
- Checking to make sure your privacy notice and cookie banner are on all landing pages—and firing correctly
- Ensuring consent is captured when needed
- Ensuring communications follow the laws governing email and text messaging
- Creating a preferences center that allows customers to choose what personal information they share with you and how often you communicate with them
These “designed” processes set clear expectations for how employees and contractors interact with customer data. The guardrails are big and obvious. By contrast, privacy by default uses technology and automation to create an invisible fence around collected data. Examples include:
- Redundancies that ensure automatic and timely installation of software updates/patches
- Automatic application of the strictest possible privacy settings
- Collecting the minimum amount of data and storing it for the shortest possible time
- Rigorous password and network access standards
- Automated alerts and compartmentalization in the event of a breach
Because the data privacy landscape is constantly in flux, building a privacy program based on best practices (instead of specific compliance obligations) ensures you can quickly respond and adapt to the inevitable changes in the future.
Step 5: Build trust to grow your first-party data collection program
Digital marketers have relied on user data collected from third-party cookies for years, but soon that won’t be possible. Moving forward, companies will have to focus on building databases out of shared personal information coming directly from data subjects (aka your customers), also known as first-party data.
But remember: because the pipeline for first-party data runs straight from your customers to you, you’re assuming additional responsibility for keeping that data under wraps. It’s even more imperative to have an airtight privacy program. That means using the data only in the ways your notices and the applicable laws allow, making sure your notice is clearly posted, and covering all the other privacy must-haves.
If you’ve completed steps 1–4, proving you’re worthy of trust is just a matter of communication. Luckily, marketers are great communicators.
Adding information about the work you’re consistently doing to protect customer privacy to your website, email campaigns, social media posts, and multimedia advertising is a simple way to get goodwill for something you have to do anyway. If your customers understand what information you’re collecting from them and what you’re doing with it, and if you give them ways to control what they’re uncomfortable with, they’ll be much more likely to tell you who they are and what they like.
Step 6: Be flexible
In June of 2022, a bipartisan group of lawmakers published a draft of the American Data Protection and Privacy Act, which, if passed, would be the first federal data privacy law enacted since the 1999 Gramm-Leach-Bliley Act. The timeline for passing this law is unclear, but regardless of what happens with it, increasingly robust data privacy regulation is a trend that is not going anywhere.
Whether it’s a federal law or multiple new state laws, the next few years of privacy compliance work are sure to be marked by constant change. The best way to future-proof your marketing operation is to build a program that:
- Receives regular input from key players in every department
- Delivers regular training and education to employees
- Has processes based on privacy best practices, not just compliance obligations
- Conducts regular risk assessments and incident response drills
- Communicates privacy practices to customers
- Reviews and updates policies every year
If you need help balancing the operational needs of your business with privacy best practices and compliance obligations, the experts at Red Clover Advisors are here to help. Schedule a call today.