Data privacy isn’t a new concept for marketers. If your brand collects consumer data—and what marketer doesn’t—then you need a privacy program that adapts as business processes or regulations change.
Well, where do marketers begin? Do you need to follow GDPR, CCPA, CAN-SPAM, or the other 19 state privacy laws? Then, how do you even understand what they’re asking you to do—and how they’re asking you to do it?
Whether you are just getting started or strengthening an existing program, these ten steps will help you establish compliance.
Step 1: Learn the Law (or Laws)
Marketing is no longer bound by geography. You can provide outstanding marketing services to a client based in Seattle even when you’re based in Tucson. The remote nature of marketing work means you need to be extra aware of what privacy regulations apply to your business.
Companies that operate in or collect data from residents of the European Union are subject to the grandfather of all data privacy laws, the General Data Protection Regulation (GDPR). The GDPR establishes strict consumer consent guidelines, as well as rules regarding data collection, use, and storage, consumer rights to privacy, and penalties for non-compliance. Internationally, the GDPR has been a lynchpin in privacy regulations, but it’s not the only global privacy law. Canada, Brazil, China, and other major global powerhouses have, or are working on, similar legislation that is important for marketers to understand.
Unlike the EU, the United States hasn’t passed a federal data privacy law. Instead, states have taken the lead. California started with the California Consumer Privacy Act (CCPA). Then, four more states—Virginia, Colorado, Utah, and Connecticut—each passed their own omnibus privacy legislation. As of the end of 2024, 14 more states have passed privacy laws.
Depending on your company’s size, industry, and client base, your company may be subject to more than one privacy law. But if Googling the latest privacy regulations seems overwhelming, the IAPP has a state privacy legislation tracker that can help you understand your current compliance obligations and any changes that might be headed your way.
A Very Important Note for businesses
Even if a privacy law doesn’t strictly apply to your business—e.g., you fall outside the thresholds for CCPA—your customers will still expect you to prioritize their privacy. Base your privacy program on privacy best practices, not just legal requirements.
Step 2: Understand Your Data – Complete a Data Inventory
This step is a big one and may require a significant investment of time and resources. But if you do it well, the rest of the steps will be easier to manage.
Marketers typically collect data that includes name, email, and phone number. Sometimes marketers collect other information that consumers may question or not want to provide, like income, personal preferences, health conditions, or concerns. Marketing professionals also offer all kinds of services and implement a wide range of workflows and tools to deliver them.
Whatever you collect and however you collect it, auditing your services and tools first will make the necessary step of conducting a data inventory easier. A data inventory, also known as a data map, is required under the GDPR and Minnesota’s privacy law (MNCDPA). While the CCPA does not directly require a data inventory, it still expects companies to identify and track the flow of personal information, so in practice they need one. Even if you’re not mandated to have one, a data inventory is an essential tool for identifying what type of data your company collects and from whom.
A data inventory will give you a clear picture of how customer data is collected, processed, shared, and stored. It will help you see if you’re:
- Collecting more data than you need
- Using data in ways you haven’t disclosed or that don’t align with a public privacy notice
- Sharing or transferring data with people/organizations you shouldn’t
- Putting data at risk through unsafe processing or storage practices
- Categorizing or using sensitive personal information incorrectly
- Meeting existing compliance obligations
Keep in mind that, as a marketer, you are likely to use numerous third-party vendors, from email automation platforms to project management tools, CRMs, and social media platforms. As such, you must carefully evaluate vendor practices for collecting, sharing, and storing data. You should also double-check how you implement permissions and settings on your end. For example, if you run Facebook ads as part of your marketing work, consider implementing their Limited Data Use tool, which restricts how Facebook processes any information gathered via Facebook Pixel.
Step 3: Understand Do Not Sell/Do Not Share
Most privacy laws don’t say so explicitly, but they often treat AdTech activities, including targeted advertising and some analytics tools, as a “sale of data.” This matters for marketers because some jurisdictions require organizations to give individuals the option to opt out of the sale or sharing of personal information. Several state privacy laws, including those in Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, California, Colorado, and Connecticut, define a sale of data as more than a monetary transaction: sharing data in exchange for a free service, such as free analytics, can count. So even though the statutes may not say it directly, targeted advertising and analytics are often treated as a sale under these laws.
In contrast, other states such as Iowa, Tennessee, Indiana, Virginia, and Utah define a sale only when there is monetary exchange.
This part is important. Under the CCPA, businesses are required to include a “Do Not Sell/Do Not Share My Personal Information” link on the website’s homepage, with a link in the footer, or to use the CCPA icon that states, “Your Privacy Choices.”
Step 4: Optimize Opt-In and Opt-Out Processes
Most U.S. privacy laws require that consumers are given the option to opt out of having their data collected or processed. This often looks like a checkbox under a web form, containing language like, “I consent to receive advertisements and other marketing communications from XYZ company and its partners.”
Adopting a consumer opt-in approach is better than providing opt-out opportunities because it gives consumers the most control over their personal data.
Keep in mind that some privacy regulations—like the GDPR—have specific consent standards you need to follow, such as making sure consent is freely given and that boxes are not pre-checked when a user opts in. These standards also apply under US privacy laws in certain cases, such as when marketers use sensitive data like precise geolocation or health data. Each state defines sensitive data differently, so be sure to review your specific situation. If you’re marketing to children or collecting children’s data, separate consent requirements apply in many jurisdictions, but that is a topic for another day. Make sure you follow the correct consent requirements for each region where you operate.
Step 5: Manage Your Cookies and Other Digital Trackers
Most privacy and data protection laws include requirements around cookie management. In some cases, this means obtaining consent before using cookies or other digital trackers. Because laws and consumer preferences continue to evolve, managing third-party cookies and other tracking technologies requires ongoing attention and adaptation.
Create long-lasting compliance when it comes to cookies, pixels, tags and other tracking technologies by:
- Assessing the information your cookies collect and what their purposes are
- Identifying and categorizing all existing cookies by type
- Building and implementing a cookie banner
- Recognizing and honoring Universal Opt-Out Mechanisms (UOOMs) – like Global Privacy Control (GPC)
- Testing the consent and opt-out mechanisms to ensure they are effective, sufficient, and in working order
- Reviewing/Updating your privacy notice and/or cookie notice to ensure it accurately describes the cookies you use and choices you provide to users
- Creating a cookie governance program to manage and review all of the above on an ongoing basis and to determine what cookies/pixels should be there in the first place
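Recognizing and honoring Global Privacy Control, as an added example that is not code from the original post: a browser with GPC enabled sends the `Sec-GPC: 1` request header and exposes `navigator.globalPrivacyControl`; the function names, the consent-record fields and the `loadTag` callback are assumptions used for illustration.

```javascript
// Honor the Global Privacy Control (GPC) universal opt-out before any tag or
// pixel that would "sell/share" data fires. Function names, the consent-record
// shape and loadTag are assumptions for this example.

// Server side: read the signal from incoming request headers (Node-style object
// with lower-cased header names). Per the GPC spec only the exact value "1" counts.
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Client side: read the signal from a navigator-like object (real or a test stub).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether "sale/share" activities (targeted ads, analytics vendors) may run.
// Precedence: a GPC signal or a recorded opt-out always wins; otherwise the stored
// choice applies; with no record at all we default to no sale/share, matching the
// opt-in-first approach recommended in Step 4.
function resolveSellShare({ gpc, record }) {
  if (gpc) return { allow: false, reason: 'gpc-signal' };
  if (record && record.optedOutOfSale) return { allow: false, reason: 'recorded-opt-out' };
  if (record && record.optedInToSale) return { allow: true, reason: 'recorded-opt-in' };
  return { allow: false, reason: 'no-choice-yet' };
}

// Gate tag loading on the decision; returns what actually fired so it can be
// logged for the cookie governance audit trail. loadTag is a hypothetical loader.
function gateTags(decision, loadTag) {
  if (!decision.allow) return [];
  return ['analytics', 'ad-pixel'].map((name) => loadTag(name));
}

// Constructed sample requests covering the cases a banner test plan should include.
const sampleDecisions = [
  // GPC on overrides an earlier recorded opt-in
  resolveSellShare({ gpc: gpcFromHeaders({ 'sec-gpc': '1' }), record: { optedInToSale: true } }),
  // "0" is not a signal; the recorded opt-in stands
  resolveSellShare({ gpc: gpcFromHeaders({ 'sec-gpc': '0' }), record: { optedInToSale: true } }),
  // client-side signal, no stored record
  resolveSellShare({ gpc: gpcFromNavigator({ globalPrivacyControl: true }), record: null }),
  // no signal and no record: nothing fires until the visitor chooses
  resolveSellShare({ gpc: gpcFromHeaders({}), record: null }),
];
```
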
One of the big questions we get a lot: Do you even need a cookie banner?
The answer depends on the regions where your business operates. Not all jurisdictions require one.
And if you do have a cookie banner, don’t forget to review it!
When building or revising a cookie banner, it needs to make sense and should:
- Be visible, easy to understand, and accurate
- List the types of cookies used on your website
- Include proper language that describes the purpose of each cookie
- Include options for users to exercise rights, giving equal choice between accept and reject
- Let users manage their cookie settings directly from the banner
- Be formatted without “dark patterns,” e.g., font/color/box shape discrepancies that push the consumer to “accept” rather than “reject” cookies
- Link to your privacy notice
Step 6: Implement a Preference Center and/or Trust Center
Everyone likes to have choices, right? And giving consumers options for how they want you to handle their data can be as easy as building a preference center.
A preference center is typically part of a first-party data strategy. It is a page on your website or app where users can tell you how you may use or share their personal information. Preference centers support privacy compliance and allow consumers to:
- Choose the type of emails they want
- Say yes or no to text messages
- Set contact frequency
- Select topics of interest (coupon offers, webinars, events, etc.)
- Pick their preferred communication channels (email and/or text)
- Control how much content they want to receive – from some marketing communications to nothing at all
Preference centers have major benefits. They make marketing more effective and simplify data management by allowing consumers to update their information and tell you when and how you may contact them, how often and about what. This ultimately helps marketers to increase open rates, retain subscribers, build better ROI, reduce unsubscribe and email deliverability issues, and more.
Step 7: Create a Process for Privacy Rights Requests
Most privacy laws require companies to have a process in place that allows consumers to exercise their privacy rights. These include (but are not limited to) the right to access the information a company holds about them and to correct or delete their personal information from company databases. They also include the right to opt out of the sale of data, which is not limited to tracking technologies; it can also cover more direct practices, such as sharing an email address.
Managing and responding to these requests involves both legal and operational expertise. To stay compliant, businesses need to establish a clear and efficient workflow for processing these requests within the required timelines. This means businesses should:
- Set up appropriate methods for people to submit rights requests: provide ways for individuals to submit requests, like a webform, email address, or a toll-free number (this one is required under CCPA for many companies).
- Make sure people are who they say they are: implement procedures to verify the identity of the requester. Each law has specific rules on how and when verification is required.
- Decide how requests will be handled: determine whether requests will be managed manually, through dedicated software, or a combination of both.
- Train your team: ensure that team members who handle privacy rights requests are properly trained. Laws like the CCPA require this.
- Document your process: create a written policy that outlines how requests are received, verified, processed, and fulfilled.
- Vet third parties: if you rely on third parties to process or store personal data, confirm that they can help you honor privacy rights requests.
Download our Privacy Rights Roadmap for more information.
Step 8: Conduct a Privacy Impact Assessment
A privacy impact assessment (PIA) is a complex task that involves evaluating the risks to personal information associated with an organization’s processes, services, or products. Its primary legal purpose is to ensure compliance with many data privacy regulations. Targeted advertising is a common marketing activity that requires a PIA. Download our Privacy Risk Assessments Guide for more information on the PIA process.
Step 9: Review and Update Your Privacy Notice
A privacy notice needs to say what you do and do what you say. It is an external document that should explain what data you collect, how it’s used, stored, and shared, as well as outline privacy rights available to individuals, including how they can exercise these rights. Laws like GDPR, CCPA, and many other state privacy laws have specific requirements on what your privacy notice needs to include.
If you’re still using a privacy notice from the digital Stone Age, you’re not alone. Many companies rely on privacy notices written years ago, filled with dense, legal terminology describing outdated data privacy practices. A marketing-friendly privacy notice should be clear, direct, and written in everyday language. When your privacy notice is accurate and easy to understand, it becomes a trust-building tool that reflects how seriously your company takes privacy.
Need help writing a privacy notice? Our Privacy Notice Guide has you covered with clear steps and handy tips.
Step 10: Connect with a Privacy Pro
No two marketing teams are alike, and neither are their privacy practices. While there are many off-the-shelf programs that promise total compliance, the reality is that most fall short without the guidance of a privacy expert who understands the nuances of your company’s specific use cases and any applicable privacy regulations.
Whether your organization already has a privacy program in place or is just beginning to explore data privacy, working with a privacy consultant will save you time and money by ensuring you stay on the right track.
Need Help? Wondering How to Get It All Done?
Privacy compliance is not just a legal obligation – it’s a critical component of building and maintaining trust with your customers. By embracing privacy, you’re not just avoiding risks, you’re creating a foundation that strengthens your relationships with customers and sets your business up for long-term success.
This is something every marketer should be proud to stand behind! And if you need more help, the privacy experts at Red Clover Advisors are ready to assist. Schedule a call today.