Stay ahead of the compliance curve by proactively prepping for the California Privacy Rights Act. 

In 2018, the European Union passed the General Data Protection Regulation (GDPR), proving to businesses around the world that consumers are not going to stop demanding increased privacy rights.

Before the ink was even dry on the California Consumer Privacy Act (CCPA), privacy advocates were already working on its replacement, the California Privacy Rights Act, or CPRA.

And while the CCPA set the standard for modern US privacy law, CPRA raised the bar even higher. GDPR, CCPA, CPRA, CPPA… if you’re feeling swamped by acronyms, keep reading.

Here’s what’s new

CPRA has a lot of similarities to the CCPA, but there are some key differences in who the law applies to and how it’s enforced:

  1. CPRA changes the threshold for which businesses the law applies to. (Small business owners, rejoice!) It’s either:
    1. $25M in global revenue (this stays the same from CCPA 1.0)
    2. or 100,000 consumer/household/device records (this is an increase from 50,000)
  2. Fines are automatically $7,500 for violations involving minors.
  3. Businesses are now restricted from selling and sharing data with third parties instead of just from selling data, closing a loophole that had been used to circumvent notification requirements.
  4. Businesses are responsible for how third parties use, share, or sell the personal information collected.
  5. Businesses are required to have an obvious “Do Not Sell or Share My Personal Information” button on their website.
  6. CPRA eliminates the 30-day cure period before businesses can be fined.
  7. Enforcement shifts from the California Attorney General (AG) to the newly created California Privacy Protection Agency (CPPA).

Differences for consumers

The whole point of CPRA is to clarify vague sections of the CCPA and expand the protections available to consumers, including:

  • Expanding the categories of information eligible for private right of action after data breaches.
  • Adding the right to correct inaccurate information companies have on them and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights.
  • Adding protections for sensitive personal information like SSNs, driver’s license numbers, biometric information, precise geolocation, and racial/ethnic information.
  • Granting consumers the right to deny both the sale and the sharing of their information.
  • Prohibiting businesses from profiling consumers in automated decision-making processes if they choose to opt-out of data collection/sharing.

What it all means

Some of these changes are a bigger deal than others. 

Whether or not you collect 100,000 records a year is pretty black-and-white. So is adding specific types of personally identifying information (SSNs, driver’s licenses, precise geolocation, etc.) to the categories CCPA already protects (cookie identifiers, browser history, employment-related information, psychometric data, IP addresses, etc.).

Even more complicated is that you’re now responsible for how your third-party vendors use the information you’ve collected. This means you need to go back and not only review how you handle data, but how your vendors handle it as well.

Another major change that CPRA introduces is the creation of the California Privacy Protection Agency (CPPA). Instead of relying on the already unwieldy, overburdened AG office for enforcement, the CPPA will dedicate significant resources, both financial and manpower, to handling civil actions and enforcement.

This increased oversight is a double-edged sword. On the one hand, businesses are likely going to be given very clear guidance to help them understand regulatory requirements. But on the other, companies can also expect robust auditing and enforcement, especially since CPRA adds liability if a data breach occurs and a consumer’s email address and either password or security question/answer is compromised.

Keep reading to learn how you can manage everything that is heading your way.

Here’s your to-do list

Check out our eight steps that can help you be CPRA-compliant.

1. Plan your compliance strategy

The biggest thing everyone has going for them is that CPRA doesn’t take effect until January 21, 2023. You have almost two full years to prepare and get your ducks in a row. Take advantage of it.

If you start working on it now, you have time to break your strategy into manageable pieces that won’t overwhelm your teams or your systems, letting them drink from a drinking fountain instead of a privacy firehose. 

Starting now also allows you the opportunity to truly build a great program, one that is agile and goes beyond just compliance to truly establish you as a forward-thinking, consumer-focused leader.

2. It’s all hands on deck

A good privacy program doesn’t depend on IT for everything. You should incorporate every function in your organization, from HR to legal to operations to marketing, in the development and execution of your compliance program. Identify team members from different departments and form a committee that can help share the work. 

3. Get what you need

If you’re already CCPA compliant, you’ll likely be able to complete this step by making small changes to your existing processes.

If you aren’t CCPA compliant yet, having a good compliance strategy is crucial to making this step work. Do you need to upgrade your IT infrastructure or buy new software? Do you need a consultant to help you understand the ins and outs of your responsibilities? Do your employees need to be trained (or re-trained)?

Don’t feel like you need to become a privacy guru or that you need to manage compliance on your own. Resources and professionals exist to help you, and starting now gives you time to find the ones that fit your needs and budget.

4. Organize your data

Once you have a strategy, a first-rate privacy team, and the tools you need, you’re ready to start the hard work. Hands down, the biggest challenge CPRA presents is creating an efficient data inventory and effective workflows for managing the individual rights requests that will inevitably come your way.

This is, in part, because CPRA has changed what constitutes sharing and selling data. If you have been sharing data with advertisers for cross-device tracking or ad targeting, you now have to disclose that and give consumers a way to opt out of it.

That means keeping close tabs on what you’ve got going on, data-wise. You need to know what you’re selling and what you’re sharing because CPRA is un-blurring the lines between the two activities. The best strategy for data clarity? A thorough data mapping project. (See below for where to start.)

To do this well, you should complete (or update) your data mapping processes. Data mapping will expose any gaps you have in your data collection practices by showing you what type of data you are collecting, who you are collecting it from, where/how long it’s being stored, and who it’s being sold to or shared with. All of that information is critical to establishing and maintaining CPRA compliance.

Side note: Are you a sensitive data collector? Under CPRA, you need to have clear business purposes for using it. You need to know what you have because the restrictions and requirements around usage may differ. So double down on your data mapping efforts if this applies to you. 

5. Understand individual rights

Again, if you’re already CCPA compliant, updating your processes to manage the new categories of sensitive personal information and the new timelines for request acknowledgment and resolution is totally doable.

If you’re starting from scratch, it’s still totally doable. It will just take a little more effort. CPRA requires you to be able to respond to individual requests from consumers who want to access, delete, or correct the data you have collected about them. Consumers have the right to opt-out of having their information shared or sold and to limit the use and disclosure of sensitive information. 

To do all of that, your data collection needs to be specific and limited. Your data mapping needs to be spot on. And you need to have really solid processes (that you have really trained your employees on) for responding to these requests.

One of the best ways to manage individual rights requests is to build a one-stop privacy shop called a preferences center. A preferences center allows consumers to see your privacy notice, manage their data, and submit requests without having to scour your site map for your business practices and contact information. A well-designed preferences center also virtually guarantees that you are CPRA compliant.

6. Strengthen your security

Like CCPA, CPRA requires companies to take “reasonable security measures” to protect the data they collect. But CCPA didn’t give much guidance on what those security requirements needed to look like. 

CPRA isn’t super specific either, but it does require that businesses whose processing presents a significant risk to sensitive information submit regular risk assessments and annual cybersecurity audits to the new CPPA. Taking the time to set up those processes ahead of time allows you the time you need to make sure they work and to fix any problems they find before CPRA is enforced.

CPRA’s stronger right of action and dedicated enforcement agency means it’s far more likely than ever before that bad actors won’t be the only ones on the business end of administrative actions. Even accidental mistakes can be costly, which is why you need to give yourself time to build a strong, proactive program. If you can demonstrate you’ve done your level best to comply, you’re far more likely to have regulators work with you if there is an issue.

7. Check your privacy notices

Complicated regulations that vary by location mean standard cut-and-paste privacy notices just won’t cut it anymore. Additionally, the trend right now is to move away from dense, purposefully incomprehensible legalese toward customized, user-friendly privacy policies that clearly demonstrate what you are doing to protect your users.

And remember—CPRA requires your privacy notice to be front and center on your website. 

8. Train, train, and train again.

Your compliance program is only as strong as your employees’ understanding of it. Even if you are CCPA compliant, your employees will still need to be retrained. If you start now, you’ll be able to do this training in small chunks over the next two years instead of dumping a giant new manual on your employees right before CPRA goes into effect and hoping no one makes a mistake.

Training can happen more than once a year. You don’t need to block off two days for a privacy symposium; you can also set aside a few hours once a quarter, ten minutes in a weekly staff meeting, or five minutes to write a team email. It all adds up.

9. Go brag!

Okay. You have a compliance strategy that is being executed by a top-notch cross-functional team. Your consulting team has helped you get the right software to map your data and build effective processes for responding to individual rights requests. Your team has closed the loopholes they found after the risk assessment. You’ve got a preferences center and your employees could answer Double Jeopardy questions about your user-friendly privacy notice.

Now what?

Now you go tell people!

You’ve spent a lot of time and effort getting compliant, and you should be getting credit for it. Companies that have a proactive privacy program can use that as a differentiating factor, especially since an increasing number of consumers have proven they will switch companies or providers over data collection and sharing practices.

So instead of hiding your privacy notice, flaunt it by:

  • Building an easy-to-understand section on your privacy program into your website.
  • Including your commitment to consumer privacy in marketing you put out about other social justice initiatives.
  • Writing opinion pieces and guest posts about the intersection of privacy, e-commerce, and advertising.
  • Establishing yourself as a leader by having your privacy team create a presentation for business conferences and industry meetings on how you made privacy work.
  • Training your customer service employees to bring up your commitment to privacy in their user interactions, à la Southwest Airlines’ “We know you have a choice when flying. Thanks for flying with us” flight attendant speech.

Don’t get overwhelmed. Just get to work.

Rome wasn’t built in a day. Neither is a strong privacy program. Privacy compliance can feel overwhelming, especially when it changes every few years. But every step you take makes it less overwhelming, especially when you give yourself time to do it right.

Three years ago, companies across the globe were scrambling until the very last minute to get GDPR-compliant. Even with a two-year runup, GDPR was the first regulation of its kind and no one knew what they were doing.

That isn’t the case this time around. You can do it. And we can help.

Red Clover Advisors is here to keep you moving towards compliance. We can help you with whatever part of the process feels like too much.

Drop us a line today and let’s get started.

It may sound counterintuitive, but smart data privacy practices can make both traditional and digital marketing programs more efficient.

The rise of e-commerce and social media has forever changed the global economy, and while governments have continually dictated and adapted statutes regarding physical trade, they have only recently begun regulating the collection and use of consumer data. 

Because these data privacy laws vary—sometimes dramatically—by industry, country, and/or region, marketing professionals around the world have had to rethink even their most basic standard operating procedures (SOPs).

The evolving landscape of data privacy regulations makes upgrading marketing SOPs a complex endeavor. Add in the fact that regulations are often a year or two behind privacy best practices, and it’s easy to see why marketers are often concerned about doing their job well without running afoul of regulatory requirements.

Principles of data privacy 

There are three main principles that are at the core of most privacy legislation: transparency, control, and accountability.

Transparency

A good data privacy program is about more than security. It’s about how consumer information is acquired, handled, stored, and shared. Governments, industry leaders, and consumers are increasingly demanding companies provide straightforward, unambiguous insight into what data they collect about their consumers and what they are doing with it.

Marketing professionals spend their professional lives managing the often competing business processes of transparency and sales. Their skill in navigating the natural tension between these two goals, combined with an in-depth understanding of target audiences, make marketers uniquely qualified to guide their employers’ efforts to develop and explain crystal clear privacy policies.

Accountability

While initially focused on defining consumers’ privacy rights online, the current trend in privacy legislation is towards increased accountability for how corporations use and protect (or don’t protect) the information they collect from their users.

Rather than expecting existing legal and administrative oversight bodies like an attorney general’s office to manage compliance, new laws in the US are taking things a step further by creating and funding agencies specifically tasked with enforcing regulations. 

Consumer control

Even with regional differences, modern digital privacy laws fundamentally give consumers more control over what data is being collected from them, why it’s being collected, how it’s being used, and who it’s being shared with. 

An interesting note: this movement isn’t led by industry. As evidenced by the passage of both the CCPA and the CPRA in California, privacy activists are at the forefront of advocating for increased consumer rights. 

This advocacy will permanently alter the landscape of marketing. Understanding the principles that form the framework of most privacy laws can help marketers build programs based on sound data protection practices while being agile enough to adapt to new and constantly changing laws.

What regulations look like

Data privacy regulations generally apply both to where a business is headquartered and where its customers live. This means a business based in Paris with users in France, San Francisco (California, USA), and Rio de Janeiro (Brazil) will likely have a minimum of three different marketing processes to maintain compliance in each region. While each set of regulations is unique, they all address the following needs:

  • Establishing requirements for transparent privacy policies
  • Defining what types of information constitute personal data
  • Requiring internal security measures to protect consumer information
  • Restricting collection of data from minors
  • Articulating penalties for businesses if a breach results in exposure of consumer data 

Privacy policies

Historically, companies have been able to obfuscate behind privacy policies that were four pages of dense legal language an average consumer could not possibly hope to understand. Because of this, privacy policies lost their place as a critical consumer protection and instead became a pesky annoyance users just swatted away over and over again.

The new laws being passed pointedly target this problem by requiring transparent privacy policies that are prominently placed and easily accessed. By collaborating with legal, tech, and business departments, marketers have a unique opportunity to generate virtually free, earned brand awareness just by developing and publicizing a new, easy-to-understand privacy policy that clearly explains what type of data is being collected, who has access to it, and how having it will build a better user experience.

Data collection

For decades, marketers’ prevailing philosophy regarding data was the more data, the better. Regardless of how directly applicable the data was to their product and their target audience, marketers would collect as much data as possible and sit on it until they could figure out how to use it. This meant that companies could be storing outdated, useless-to-them-but-still-personally-identifiable consumer data for years.

Current privacy data laws make this practice of mass data collection less enticing to marketers by requiring them to tell their users what they are collecting and establishing penalties if collected data is exposed in a breach. While having less data to work with initially can feel threatening, targeted data collection can benefit marketers in multiple ways. 

  • Risk reduction—Removing non-essential data records eliminates risk of data exposure. 
  • Operational savings—Focused data collection can decrease data storage costs. 
  • Increased efficiencies—Fewer records make data sorting/analysis processes more agile. 
  • Enhanced performance—Intentional collection can improve effectiveness by improving the quality of the data underpinning campaigns.

Many privacy regulations require the creation of a data inventory, also known as a data map. A single-source-of-truth record, a data inventory facilitates tracking a record’s full lifecycle through company systems. 

A good data mapping process can find old/bad data, identify unnecessary data, and pinpoint vulnerabilities in collection and storage processes (bad vendors, weak permission structures, etc.).

Internal security measures

It is estimated that a business will fall victim to a ransomware attack every 11 seconds with cybercrime costing the world nearly $6 trillion annually in 2021. 

Add in that 68% of business leaders feel their cybersecurity risks are increasing, only 5% of companies’ folders are properly protected, and data breaches exposed 36 billion records in the first half of 2020, and it’s clear that data security is a major concern for both businesses and consumers.

Legislation doesn’t currently specify exactly what steps businesses need to take to protect their data, but most privacy law requires companies to take “reasonable security measures” to safeguard against breaches.

Penalties

Existing privacy legislation around the world includes financial penalties, sometimes steep ones, for infringements and violations. 

New laws bolstered these actions by adding civil, even criminal, liabilities for companies that don’t comply with regulatory requirements, regardless of whether infractions are intentional or unintentional. This progressive intensity in enforcement actions makes it more critical than ever that marketers arm themselves with an understanding of what they can and can’t do.

How marketing functions are affected

Laws differ by region as to whether they require that consumers be allowed to opt in to (EU) or opt out of (US) marketing contact, but there’s no question that marketing best practices will have to change to keep pace with privacy law.

Email marketing

Email marketing—while not as problematic as tracking users across the internet—is still affected by the majority of privacy laws. Because email marketing seems so unintrusive, it is often exactly where businesses fall short of compliance.

This is unfortunate, primarily because compliance with email marketing rules is not particularly difficult to achieve. The primary rule in compliant email marketing is simple: do not aggressively target consumers who haven’t directly expressed interest in contact. 

Providing clearly marked opt-outs and unsubscribe buttons carries the bulk of the compliance heavy lifting, but having an explicit opt-in checkbox on subscription forms virtually guarantees an email marketing campaign won’t transgress any privacy laws.

This works for companies who have existing email lists, but what about marketers who purchase email lists? Because most data privacy laws require consent to contact before contact occurs, the practice of buying email lists is not a safe foundation for email marketing campaigns.

This will require marketers to put more effort into the first-party collection of email addresses. While seemingly a disadvantage to groups who have historically relied on purchased lists, this latest shift in marketing campaigns actually has the potential to reinvigorate the stale art of email campaigns. Because marketers will know recipients are genuinely interested in their product or service, the text and imagery in emails can be more focused, specific, and tailored to an already tailored audience.

Cookie requirements

Cookies are small text files that a website stores in the user’s browser. They make e-commerce affordable for businesses by keeping data about a user’s site visit on the user’s own computer instead of on massive company servers, and they improve user experience by remembering shopping history, carts, log-in preferences, etc.

Stored locally and too small to hold a virus or malware, cookies by themselves are more helpful than dangerous. 

But when combined with bad actors and/or pervasive tracking protocols from advertisers, cookies create a privacy risk for consumers and a liability risk for businesses. With most internet browsers banning third-party cookies (cookies set by a domain other than the site the user is visiting), smart marketing programs will shift data collection efforts to first-party cookies (cookies a company sets on its own website).

Generally speaking, cookies that don’t have an expiration date, track users through sensitive areas (like payment information), or are installed without asking for consent are all compliance and security red flags that need to be remedied.

Outreach and preference centers

Laws like the GDPR, the CCPA, and the VCDPA mandate that businesses give consumers increased control over how their personal information is collected and used. More importantly than that, though, is the ever-growing trend of consumers expecting this level of control regardless of the laws where they live.

A preference center, a dedicated page in an app or on a website, is a user-friendly way to push a privacy program past mere compliance by letting consumers tell businesses:

  • What personal information they can collect
  • What can be done with collected personal information 
  • How often they can use collected information to initiate contact
  • If collected data is inaccurate

The initial setup of a preference center requires a not insignificant investment of time and resources. Still, more than 40% of companies with strong privacy programs see benefits at least twice that of their privacy spend. A preference center will:

  • Aid in regulatory compliance by streamlining and optimizing data collection
  • Increase the ability to build accurate, real-time data sets by removing bad information
  • Build a corporate reputation as a leader in consumer protection
  • Protect against costly data breaches

Why marketers should lean in and honor customer choice

Every major law currently governing data privacy has been passed since online privacy was named a basic human right by the United Nations Human Rights Council in 2015. 

With more laws being proposed around the world every year, it’s clear that privacy will be one of the next decade’s primary consumer issues. Rather than fighting against this trend, companies that prioritize data privacy can cash in on a currency not managed by any foreign exchange controls: digital trust. 

Digital trust is the level of confidence consumers place in an organization’s commitment to secure and ethical online practices. This type of trust plays a key role in both customer conversion and retention. In 2020, consumers proved they will emphatically support companies who effectively balance consumer rights and shareholder interests.

Building digital trust by adding data privacy protection to a corporate social responsibility (CSR) program is good for business. A strong data protection program can prevent costly data breaches while improving company relationships with partners and regulators. 

Another point—over 70% of countries worldwide have data privacy legislation in place or are in the midst of drafting new laws. According to Oracle, “acceptable data practices developed two years ago have already become antiquated.” Designing marketing programs to meet privacy best practices instead of just to regulatory specifications builds an agile foundation that can quickly adapt to updated laws and regulations.

Most importantly, though, embracing a new way of working with data beyond compliance builds trust with customers. Demonstrating a commitment to the user experience will produce the most valuable commodity there is: trust.

“Regarding social media, I really don’t understand what appears to be the general population’s lack of concern over privacy issues in publicizing their entire lives on the Internet for others to see to such an extent… but hey it’s them, not me, so whatever.” Axl Rose

Yes, that quote is really from Axl Rose. 

As in Axl Rose, the lead singer of Guns N’ Roses.

When the frontman for the “most dangerous band in the world” starts talking about data privacy, you know the issue is part of the cultural zeitgeist.

Big tech companies have a big problem

Machine learning happens when software programs “teach” themselves by using algorithms to extract and analyze a lot of data. And you may not realize it, but advances in machine learning have changed everything about our digital experience.  

Voice-recognition assistants like Siri and Alexa use machine learning to recognize commands. 

Social media and streaming platforms use it to recommend connections and content. 

Banks rely on machine learning to detect fraudulent activity and identify scams. 

Machine learning allows educational software to customize sessions for each student.

Basically, machine learning makes our lives markedly easier. But this ease comes at a tremendous cost.

Because machine learning requires a tremendous volume of incredibly detailed and frequently updated user data, technology companies tend to conveniently “forget” about privacy, leaving discussion of their privacy policies and programs until the last afternoon of a weekend retreat at the end of the year.

And so, often without even realizing it, technology leaders set themselves up to fail.

Privacy (by Design, that is.)

Were you thinking about privacy when you founded your startup? 

It’d be great if the answer was a wholehearted “YES!” but even if you’re just now joining the party, there’s still lots of ways to make privacy a guiding light for your tech company. Where do you start? Consider Privacy by Design.

Privacy by Design, a concept originated by the former Information and Privacy Commissioner of Ontario, Ann Cavoukian, operates on seven core principles: 

  • Proactive, not reactive
  • Privacy as the default setting
  • Privacy embedded into the design of all things
  • Full functionality (privacy that doesn’t come at the expense of features)
  • End-to-end security
  • Visibility and transparency for all stakeholders
  • Respect for user privacy

While Privacy by Design is actually required for website developers under the EU’s General Data Protection Regulation, it’s also important for tech companies to consider. It provides the opportunity to refocus products, operations, services—really, anything in the scope of their business—on their users’ right to privacy. It doesn’t need to be any more complicated than having a finance department that handles payroll or a marketing department that sends out email.

When done correctly, it’s just part of the process. 

Social media

You’d think after watching Mark Zuckerberg get hauled into a Congressional hearing after the Facebook/Cambridge Analytica scandal that other social media CEOs would make privacy a priority. But so far, they seemingly haven’t.

Clubhouse, the newest social media app taking the world by viral storm, is a prime example of tech companies putting profits before privacy.

Clubhouse is a free, audio-only app that is kind of like an old-school conference call, except that anyone in the world can join in on conversations hosted by experts on topics ranging from cryptocurrency to Real Housewives to immunology. Going from two million users in January 2021 to 10 million by February 2021, Clubhouse is so popular you have to be invited by a current user to even access the platform.

At first glance, Clubhouse seems like it would be a privacy dream. No video. Nothing is recorded. Hosts can kick trolls out of their rooms, block people from joining, keep people from speaking…it feels like Twitter and Facebook had a baby, gave it a flip phone instead of a smartphone, and set strict house rules for inviting friends over. 

But the reality is much more complicated.

Right now, Clubhouse allows new users to invite two friends to join the app. But to invite those two friends, users have to give Clubhouse access to all their contacts. 

All of them. 

Let’s say you, a privacy-savvy consumer, decide to join Clubhouse but are smart enough to protect yourself and your friends by not sharing your contacts. You don’t invite anyone. That doesn’t mean you’re safe lurking anonymously in the back of Clubhouse chat rooms. Once you sign up, Clubhouse notifies everyone who has you in their contacts that you are there, even if they aren’t in your contacts.

Facebook has updated their privacy settings and given its users more options for protecting their profile. Instagram now allows ‘Grammers to manage which and how many photos the app can access. Twitter allows you to change the privacy settings for each tweet. All three apps require an email address, and while they offer phone number verification, you don’t have to give them your phone number to use the platforms.

Clubhouse has none of those options.

You have to give Clubhouse your phone number. The app also doesn’t have great options for moderating or removing hate speech and dis/misinformation, though they say they’re working on it. On February 24, 2021, Clubhouse confirmed their security had been compromised and hackers had figured out how to live-stream feeds from multiple rooms. According to Business Insider, the Stanford Internet Observatory (SIO) found that some of Clubhouse’s back-end infrastructure was transmitting audio and data traffic without encryption.

Everything but the kitchen sink

We’ve gotten so used to companies taking data from us for everything that everyone, from users to Clubhouse engineers themselves, probably doesn’t even realize how much risk this kind of sweeping, all-encompassing data collection exposes everyone to. Consumers put themselves at risk of having their identities stolen, identifying information exposed, and accounts hacked.

And for businesses, freewheeling data and privacy policies can cause lasting damage. Take a look at American Express’ list of seven risks every business should plan for:

  • Economic
  • Financial
  • Reputation
  • Operational
  • Competitive
  • Compliance
  • Security

With increasing privacy legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), companies that don’t give their privacy program the same consideration as their human resource, financial, and legal policies are taking on risk in every single one of these categories.

The CCPA levies civil penalties of $7,500 for intentional violations of its restrictions and $2,500 for each unintentional violation. This means that if you wait to shore up your privacy policy and you get caught not being able to tell a consumer what data you’ve collected from them, or if your users’ personal data is exposed after a hack, you can accidentally cost your company tens of thousands of dollars. The law also allows the California Attorney General to seek an injunction against and halt business operations of offenders.

While the CCPA is the first and most aggressive privacy law in the United States, it definitely won’t be the last. States across the country either have passed or are considering a multitude of privacy laws, including some that are more robust than anything California has enacted. Privacy rights are the wave of the future, and waiting to do something about it increases the risk you’ll fall afoul of regulatory requirements.

Is there another part of your enterprise that you’d leave so vulnerable?

Don’t leave your door unlocked, and don’t expect IT to lock all the doors either

In 2015, Apple CEO Tim Cook gave a speech about privacy and security. It’s a great speech that provides some key insights into a mind that is shaping the world’s tech future. Even five years later, there’s a quote that still stands out:

“If you put a key under the mat for the cops, a burglar can find it, too.”

And since then, he’s spoken about the imperative for the digital marketing industry to stop horning in on people’s privacy. At the Privacy & Data Protection conference in January 2021, he said:

“As I’ve said before, if we accept as normal and unavoidable that everything in our lives can be aggregated and sold, we lose so much more than data, we lose the freedom to be human. And yet, this is a hopeful new season, a time of thoughtfulness and reform.”

With this, Cook is highlighting how mission-critical privacy is for companies. When companies put sales and revenue growth ahead of privacy and security, they are taking on as significant a business risk as leaving their offices unlocked.

Luckily, you don’t have to be a privacy expert or a tech genius to take real steps to protect your company.

Prioritize privacy

Smart companies protect themselves by making their privacy program part of their core operations. Human resources, legal, financial, product and engineering, operations, and IT departments should be working collaboratively on workflows and processes that integrate forward-thinking data privacy policies across the entire organization. If you need help figuring out how to start, check out our privacy strategy, privacy compliance, and fractional privacy officer services. 

Train. And then train again.

Going along with the theme that every department should be part of developing your privacy program, it won’t do you any good to create the most amazing privacy program in the world if your employees don’t understand it. Privacy training doesn’t have to be full-spectrum seminars (but it can be!). Weekly email reminders, a quick agenda item in regular staff meetings, and small sections in a newsletter are all great ways to reinforce your expectations.

Less is more

One reason you need every department involved in your organization’s privacy work is you need to figure out exactly what data you need from users and employees to optimize your systems. And then you need to collect exactly that and nothing else. Limiting data collection decreases both your risk and your data storage costs while simultaneously making it easier for you to manage an agile response to changes in privacy regulations and best practices.

Sell it!

For some reason, everyone seems to forget that being privacy-friendly gives you a competitive advantage, and instead sacrifices privacy for sales and growth. You need to use that advantage.

Remember that Tim Cook speech referenced earlier? Check out what else he said:

“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

Apple doesn’t need privacy to differentiate itself. They launched our modern smartphone culture, made everyone a photographer, forever altered software development and distribution, and changed the way we access the internet. But they are smart enough to see that while everyone is willing to invest in developing the next generation of big data tech, far fewer companies are willing to put their resources towards protecting that data.

Google Chrome controls 69% of the browser market and has a much higher usage rate than Apple Safari, but Apple was first to eliminate third-party cookies. They require software developers to include privacy labels detailing what type of data is collected for every app sold in the App Store. In short, Apple’s forward-thinking privacy policies have allowed them to continue changing their industry, even as other companies catch up technologically.

Your company can be like Apple. You can go beyond what is legally required to give your consumers maximum control of their personal information. And then, like Apple, you can control the conversation. 

Keep your eyes on the prize

Don’t get lost in the race to create and sell the best tech. Make sure you remember that your consumers are not your product. Their trust is the product that will make you perpetually profitable.

If you need expert help matching your privacy program goals to what is actually happening in your company, get in touch today and let Red Clover Advisors show you how easy and affordable privacy compliance can be.

What the Spice Girls can teach you about the intersection of privacy and business.

A preference center can help you fine-tune your marketing, get compliant with privacy regulations, and build customer trust. So why don’t you have one?

I won’t be hasty, I’ll give you a try, but if you really bug me then I’ll say goodbye

When, how, and how often to contact your users is the magic formula businesses have been trying to crack for years without realizing the answer was right in front of them the whole time: let your customers tell you.

New privacy regulations are forcing companies to battle these same types of questions. What data can I collect from my users? How much do I need to tell them? Instead of hoping to find a silver-bullet algorithm, just ask your users.

Consider the following:

There is a clear through-line between how people feel about data privacy and how they act as consumers. If you don’t let your users tell you what they really (really) want, they’ll kick you to the curb.

Now you know how I feel! Say you can handle my [data]? Are you for real?

Like Sporty and Baby Spice say—saying you know how your consumers feel and backing it up are two very different things. Building a preference center puts your money where your mouth is.

A preference center is a dedicated page in your app or on your website that allows consumers to tell you:

  • What information they are okay with you collecting
  • What they will allow you to do with that information 
  • How often you can contact them
  • Which of the data you’ve collected about them is wrong, so you can correct it

Creating a preference center requires an investment of your time and resources, but it pays off in a big way. More than 40% of companies with strong privacy programs see benefits at least twice that of their privacy spend. A preference center will:

  • Help you be compliant with existing and proposed privacy regulations like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Virginia’s Consumer Data Protection Act
  • Improve your ability to build accurate, real-time data sets by detoxing your data
  • Establish your reputation as a leader in consumer protection and data privacy
  • Protect against costly data breaches

So, how do you build a preference center? It’s easier than you think.

Now don’t go wasting my precious time. Get your act together and we’ll be just fine.

It’s possible to build a responsive, user-friendly preference center regardless of how big your company and budget are. Here are the critical steps for a privacy program that gives consumers what they really (really) want.

1. Create a data inventory

Two important points:

  • You can’t tell your users what types of data you are collecting and what you’re doing with it if you don’t know what data you have. 
  • The days of collecting anything and everything about your users are long gone, thanks to increasingly robust privacy regulations. 

A data inventory is a single-source-of-truth record of all your data assets that allows you to track a data record’s full lifecycle through your system. It tells you what you’re collecting, how and why you’re collecting it, and where you’re storing it. 

In short, it’s the most valuable thing you can do to improve your privacy program. 

It can give you pinpoint clarity into your users because it forces you to sit down and figure out what information your operation actually needs to function. 

Getting rid of the extra stuff means that even though you may have less data, what you have is more useful.

2. Be transparent & set expectations

Once you know what you’re collecting and why, you’re ready to revamp your privacy notice. 

Ditch your dense legalese. Be straightforward about what data you need or want, why, and how having it will build a better user experience, and then place your new notice prominently on your homepage and in your preference center.

One note about your preference center—it should be a single page with easy-to-use opt-out or opt-in buttons. Make it clean and simple for a quality user experience.

3. Sell it! (Your work, not the data)

Doing all this work won’t do much good if people don’t know you’ve done it. Make a marketing push that tells your users all about how you built this amazing preference center just for them. Drill messaging that demonstrates your commitment to privacy, and you’ll build up priceless reservoirs of consumer trust.

4. Make their choices meaningful

When it comes to preference centers, it’s time to think beyond the unsubscribe button. Yes, you should let them unsubscribe, but preference centers are more than that. Give your customers real choices in how they interact with you:

  • Do they want emails? How often? And what kind?
  • Would they like to get SMS messages instead of emails?
  • Direct mail or in-person solicitation? Why not!

When you let them dictate the terms of engagement, you’ll get more useful information from them while establishing brand loyalty. 

You have got to give

When done well, privacy goes beyond regulations and cookie banners. It establishes trust with consumers because it recognizes that they’re people, not data sets. They have preferences and needs of their own. 

Using a preference center may seem like a small thing, but it tells your customers that you care about what they want out of the relationship. 

And in the immortal words of the Spice Girls, that kind of friendship never ends.

As an executive, it’s up to you to set the standard for your organization’s data privacy approach. You can use International Data Privacy Day to start your year off on the right foot. 

Thursday, January 28, 2021, is a big day. Not only is it National Have Fun at Work Day, National Kazoo Day, and National Blueberry Pancake Day, it’s also International Data Privacy Day. On this day, groups in the United States, Israel, Canada, and 47 European countries work together to empower individuals and businesses to respect privacy, safeguard data, and enable trust.

It’s no secret that consumer expectations and regulatory requirements for data privacy will drive the development of business best practices and innovation over the next decade. Implementing a compliant privacy program has a steep learning curve. It’s in your best interest as a leader to get in front of it now, when you have time to do it, rather than wait until you legally have no choice.

Observing International Data Privacy Day is a smart place to start building your company’s data privacy culture.

Why you need a robust data privacy program

If your company sells products online or collects data from online users, the odds are high you’ve heard about the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or the EU’s General Data Protection Regulation (GDPR).

These are the most aggressive and far-reaching data privacy laws, but they are far from the only regulations on the books. Unlike other countries, the United States follows a sectoral approach to data privacy regulations, meaning regulations tend to be either regionally based or industry-focused. Industries and states currently without specific data privacy regulations may find them cropping up in the next several years.

Constantly shifting goalposts pose a big challenge for businesses. Merely following today’s best practices for data privacy and protection in order to meet today’s regulations isn’t enough to keep you competitive. If you want to maintain agile responsiveness to a changing data privacy landscape, you need to follow best practices that exceed existing standards.

Consumer expectations

Regulatory compliance is not the only reason you need to pursue an aggressive privacy culture. Consumers are increasingly proving that how a company uses their personal information plays a role in their purchasing decisions. A recent Salesforce survey found that 84% of consumers are more loyal to companies with strong security controls.

With 69% of consumers believing that companies will use their personal information in a way that they are not comfortable with, there is a real opportunity for businesses willing to differentiate themselves through forward-thinking, consumer-focused privacy programs.

The good news is that privacy policy development is good for your bottom line. Ninety-seven percent of companies proactively implementing robust privacy policies report an increased competitive advantage and/or investor appeal. Over 70% said that aggressive data protection practices improved their operational efficiency, agility, and innovation.

So break out your kazoos and look through the suggestions below to find a way your organization can celebrate National Have Fun at Work Day by observing International Data Privacy Day. (Blueberry pancakes optional.)

Ideas for Data Privacy Day

While it may sound like a tall order, getting your team committed to, even excited about, privacy is the natural result of education and empowerment. And it can be fun!

The National Cyber Security Alliance, a leading nonprofit, public-private partnership dedicated to promoting cybersecurity and privacy education, has five suggestions for ways executives can improve their company’s privacy program:

  • Create a privacy-aware culture
  • Organize regular privacy awareness trainings
  • Help your employees manage their individual privacy
  • Add privacy protections to your employees’ regular toolbox
  • Get expert help

One note — while the ideas below are a great entry point, running an effective privacy program doesn’t happen just by checking items off an agenda. Your privacy to-do list is more like a rotating chore chart than a one-time checklist. Just like you do month-end reconciliations and scheduled inventory orders, maintaining your privacy infrastructure needs to be part of your standard operating procedures.

Get #privacyaware

One of the biggest challenges companies face in developing an institutional privacy awareness is that people just don’t understand what data privacy is. The fastest way to eliminate this barrier is to help your employees see just how vulnerable they are and how much of their personal data is out floating around the internet.

Two great tools to help people see the gaps in their data privacy knowledge are the National Privacy Test and the Google Phishing Quiz. On January 28, you could have your team/department take these tests and give prizes to top performers. And bonus! If multiple people miss the same question, you have a ready-made list of training topics for future staff meetings. 

Other steps you can take on January 28 include running an internal campaign to make sure your employees know and understand your privacy program and their place in it. Every group email, newsletter, and meeting should have a “privacy moment” where these ideas and best practices are reinforced.

Teach your employees to fish (but to avoid phishing)

There is a reason the saying “teach a person to fish, you will feed him for a lifetime” has stuck around. As corny as it sounds, it’s true. Here’s a quick exercise your team can do on January 28 (or any day) that will help them understand their level of privacy savvy. The results may be surprising.

After completing the Google Phishing Quiz, the National Cybersecurity Alliance’s Manage Your Privacy Settings page can help them set personal privacy settings that align with their comfort level.

Why should you use your valuable working hours to take your employees through this process? 

Employees who are empowered to manage their personal privacy are more likely to understand why privacy is so important to your clients. 

Training, training, training. (Did we mention training?)

Before we talk about why your employees need consistent privacy training, let’s go over a few definitions:

  • Effective frequency is the number of times a person needs to hear an advertising message before acting on it.
  • Mere-exposure effect is the likelihood that people will develop a preference for something the more familiar they are with it.
  • Redundant communication is the term used to describe using multiple communication modalities to convey the same message.

Advertisers, masters of getting people to do what they want, use these terms to create a framework for the behavior they are hoping to elicit with their campaigns. Current marketing research indicates that effective frequency can change behavior with as few as three messages but is most effective between 6 and 20 times. Similarly, mere-exposure reaches maximum efficacy between 10 and 20 times.

But that’s advertising. How does this apply to employee training?

Several years ago, Harvard Business School professor Tsedal Neeley conducted a study of how managers use redundant communication to help their team meet deadlines and other project goals. Neeley found that the most effective managers repeated themselves at least once, but more often between three and four times using multiple methods.

This means managers who successfully changed employee behavior and/or maintained team performance standards communicated the same information via meetings, emails, individual phone conversations, internal message boards, texts, and face-to-face. 

If you want your employees to buy into your data privacy strategy, you need to:

  • Consistently expose them to it
  • Provide opportunities for them to understand it at a deeper level
  • Clearly and repeatedly communicate your expectations using multiple modalities

These “trainings” do not need to be formal seminars with expensive guest speakers. They can be five minutes in a staff meeting or five sentences in an email. The key is to up the effective frequency and exposure to messaging using redundant communication.

Make privacy standard. And easy.

If you want your employees to understand you are serious about privacy, you can prove it by:

  • Implementing company use of VPNs, encryption, and two-factor authentication
  • Explicitly prohibiting the use of work devices for personal use (and vice versa) and use of public WiFi networks
  • Providing company-branded camera covers or privacy screens
  • Requiring strong passwords

Whether or not you do it on January 28, activities like passing out new privacy swag or sponsoring a company-wide strong password challenge reinforce your commitment to privacy as a core company value. That can only help in the long run.

Use an expert

Getting your team on board is important, but employee buy-in alone will not make you compliant with privacy regulations or best practices. As a leader, it’s your responsibility to figure out or hire out the critical and technical pieces of your data privacy program:

  • A gap and maturity analysis will show you where you have exposure from your data privacy practices.
  • Creating a data inventory will give you insight into what types of data you are collecting, where and how long you are storing it, and who you are sharing it with. 
  • Custom privacy notices and policies allow you to clearly communicate your data practices in a way consumers can understand (instead of in dense legalese).
  • Reviewing and updating your cookie consent practices will help ensure that you collect only what you need and are compliant with collection notification regulations.
  • Having someone review your digital marketing practices can prevent costly fines and operating injunctions that can damage your reputation and bottom line.
  • Third-party assessments are vital to confirming your vendors’ privacy policies are both compliant and aligned with your standards.

Proactive privacy programming is possible

Whether you are subject to existing regulations or not, take advantage of International Data Privacy Day 2021 to chart a new course in your organization’s privacy journey. Need some help getting started? Contact Red Clover Advisors today to jumpstart your privacy program.

The Complete 2021 Privacy Compliance Checklist

Maybe you’re ahead of the pack when it comes to privacy, keeping your privacy policy and data inventory in shipshape. In that case, we salute you! (But you probably also know that privacy compliance obligations are a moving target and you keep planning for the future.)

But for the lot of you working hard at meeting your business goals while also struggling to wrap your head around how to fit privacy compliance onto your to-do list, take heart: 2021 is a great year to take it on. 

Why? Because privacy is about more than just putting systems and technology in place to help track and manage your customers’ personal information. 

It’s about respecting your relationship with customers. It’s about prioritizing the trust that they extend to you when they share their names, emails, phone numbers, addresses, whatever data points you’re asking for. It’s about leading with privacy, whether you’re a multinational corporation or a brand-new startup. 

So what will it take to be a privacy-forward business in 2021? Here’s our list for the upcoming year. 

Wrap up CCPA compliance

We said the same thing last year, but it still applies. CCPA is the most comprehensive, enforceable general data privacy legislation in the US. If you haven’t finished up your CCPA compliance, don’t wait on this. 

So what do you need to know for CCPA? Ready to jump into CCPA compliance? We’re here to help with that. 

Just getting acclimated? See below for your debriefing. 

  1. Do that data inventory. You know that accomplished, on-top-of-your-to-do-list feeling that you get after spring cleaning? That’s how you’ll feel when you organize your data and figure out what you’re collecting, using, storing, sharing, and selling. 
  2. Be transparent with your audience about how you’re collecting personal information. This should include the aforementioned Don’t Sell My Personal Information link on your home page and a crystal clear privacy notice that details your collection practices.
  3. Make individual rights requests easy. Include at least two methods for submitting requests.
  4. Respond to individual rights requests ASAP. Implement a verification method to protect your customers’ personal information. 
  5. Protect minors’ rights via appropriate consents for collecting children’s information.
  6. Cover your data security bases—consumers can file civil suits if you don’t take “appropriate security measures” and their data is exposed in a breach.

Getting CCPA compliant in 2021 isn’t just about avoiding the fines, fees, and reputational damage that come along with compliance failures. It’s also part of preparing for California Privacy Rights Act (CPRA) compliance in 2023.

Read more on CPRA here

CPRA is guaranteed to give your business more to think about in terms of privacy. The new legislation, passed in the California general election in November 2020, expands on the core tenets of CCPA and moves privacy obligations closer to the requirements of the EU’s General Data Protection Regulation (GDPR). It promises to help make enforcement of compliance more achievable for the state of California. Here are a few of the key features:

  • Grants new rights to data portability, correction, and restricting the use of sensitive personal information 
  • Clarifies definitions of selling information 
  • Raises threshold for personal information processing

But just because CPRA is coming down the road doesn’t mean that CCPA should be disregarded—its rules definitely still apply. 

But pay attention to other laws as well

And I’m not just talking about GDPR. CPRA may be the latest in US privacy law, but other states are edging towards more robust legislation. 

You may remember that last year, we mentioned the Texas Privacy Protection Act, the New York Privacy Act, and the Washington Privacy Act, the latter being back and updated for the third time.  These laws are still in the works, but New Hampshire, Oregon, and Virginia are also joining the party. While the final shape and outcome of legislative efforts is unknown, it’s good to keep your finger on the pulse of these discussions. 

And don’t forget about what’s going on overseas

We’re not just talking about general GDPR requirements. You need to be tracking several developments on the European privacy frontier.

Schrems II ruling

In July, the EU’s Court of Justice struck down the Privacy Shield arrangement, which supported the flow of personal data between the EU and the US. According to the ruling, American organizations weren’t meeting the conditions of providing “adequate” protection for EU residents’ personal data. While a replacement for Privacy Shield is in discussion, there’s not an imminent replacement. That means some fancy footwork may need to take place if you’re going to keep processing EU data. (But it’s worth getting that choreography down.)

Brexit
When January 1, 2021 rolls around, the UK will no longer be part of the EU. For privacy practices, this means that US-based businesses dealing with personal data from the UK will have to accommodate the UK’s equivalent of GDPR. Don’t delay in assessing whether you fall into the scope of their framework. While regulations will be similar, you may need to adjust some internal processes to comply.  

Align your digital marketing strategy with privacy

Digital marketing—especially these days—is critical to connecting you to your audience. But is your digital marketing on the right side of privacy? 

Between the General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), and Canadian Anti-Spam Legislation (CASL), there’s a lot to weigh across your channels.

Take email marketing, for one. Email marketing is at the top of marketers’ to-do lists: 87% of them use email marketing to distribute content organically.

That means you’re probably sending out emails. But do you know if you’re: 

  • Representing your message correctly? 
  • Setting up appropriate opt-ins and opt-outs for your recipients? 
  • Sufficiently managing your records? 

Email marketers should be able to answer these questions in the affirmative. But email marketing likely isn’t the only thing on your digital plate. Your website is a major piece of the pie. 

Give your website some love

Your website is a heavy lifter for your marketing efforts—and your compliance ones, too. If you’re a developer, the word “compliance” likely sparks visions of ADA accessibility requirements. But your website needs far more than that. For both GDPR and CCPA, you should always make sure that you’re locking down your data with the most up-to-date security practices. You should also make vetting your vendors one of YOUR best practices—how they handle data privacy and security has major implications for your business and customers.

Here are a few of the other big-ticket items for getting your website compliant in 2021. 

  • Provide a link from your home page that says “Do Not Sell My Personal Data”
  • Make sure you get the appropriate consents before collecting personal data belonging to minors
  • Include a method for visitors to request, move, change or delete data
  • Update your privacy policy to share what personal data you collect, how you use it, the third parties it is shared with, what data is sold, and a description of individuals’ rights under the CCPA
  • Add a cookie banner so your visitors are informed about your cookie practices and can provide opt-in consent
  • If you depend on consent for email marketing, make sure you’re getting that consent appropriately (i.e., through opt-ins and/or double opt-ins)
  • Implement a system for notifying users about privacy policy updates or data breaches
  • Make sure you anonymize data when using third-party services or plugins

Note: This list isn’t exhaustive. For help with GDPR and CCPA compliance, drop us a line—we can help you get moving in the right direction. 

Put together amazing privacy messaging

There is no good, consumer-friendly reason your privacy practices can’t be made comprehensible to your customers. That’s it. Short and sweet. You can do it. You need to do it. Because people are over convoluted privacy policies that are as indecipherable as Beowulf.

A good start is to fine-tune the landing pages where you house your privacy and security policies. While B2C businesses might not have a rapt audience, B2B companies will find that customers are hungry to know how you’re complying with privacy laws.

Part of your messaging strategy should be to help your customers tailor their marketing experience with you. Preference centers give them options for how much communication they want to receive and what type. Need inspiration? Just look at how companies like MailChimp and Apple craft engaging user experiences that speak directly to their customers’ privacy concerns while staying true to their brand identity.

Finally, to make integrating privacy into your marketing easier, keep a checklist of the privacy regulations you need to follow. Knowing what the benchmarks are will make everyone’s job a little easier.

Make privacy a focus at your workplace

To start, in 2021, get your team trained on privacy issues. That in and of itself is a multifaceted thing. It can involve information security awareness or privacy awareness. It can be a deep dive into CCPA individual rights requests, or it can reinforce industry-specific privacy compliance requirements. (Take, for example, the Gramm-Leach-Bliley Act for financial services.)

Your team also needs thorough data security training. After all, human error is responsible for some massive data breaches. And given the large numbers of workers still living the work-from-home life, your team needs to be looped in on all the relevant data security rules. Let’s not repeat the same mistakes in 2021. 

A final word on focusing on privacy in your workplace. Don’t leave internal privacy discussions to the IT crowd or the marketing department. Privacy is pertinent to your entire operation. So when you’re looking down the road at new projects, products, services, vendors, whatever you’re planning on getting up to next year, bring privacy to the table.  

The clock is counting down until 2021. I’m just as excited as everyone for the promise and opportunity of a brand new year. But seizing opportunity means being proactive. Don’t treat compliance as a last-minute addition to the rest of your business activities. 

Ready to get started before the ball drops? We’d love to chat. Drop us a line to schedule a consultation.

If you’re in marketing, email is probably one of your love languages. It’s a major channel of communication, after all.  

But email marketers need to know more than click-through rates and how to optimize graphic design for mobile. Marketing privacy laws are setting the tone for consumer expectations in the 2020s. 

In other words, how you approach marketing privacy laws will define your business — not just in terms of your sales funnel, but in establishing your brand as one that treats consumer data with respect. 

Yes, laws across the globe are taking a stronger stance on individual rights and how they pertain to privacy and personal data. But instead of playing Whack-A-Mole with your approach to privacy, here’s a bit of food for thought: prioritizing compliance with the strictest privacy laws may take more work, but you’ll see better results in the long run.

What is email marketing? 

But let’s hold up for a moment. Not all email communications are the same. Some are unreservedly marketing-driven. Others are purely transactional. Depending on what you’re sending, there are different rules that apply to it.  

Marketing emails 

Marketing emails are those sent with a fundamentally commercial intent. This could be an e-blast about a big sale you’re running. Others might be sent to nurture leads within your funnel. These emails are sent to groups of contacts, whether segmented or list-wide.  

Transactional Email

Unlike marketing emails, transactional emails are one-to-one emails that follow a transaction. The most obvious example is the receipt you get after purchasing an item, but shipping notifications, password resets, and invoice emails count, too. To double down on the definition: transactional emails are sent to individuals, not email lists.  

What privacy laws are we looking at?

At this point, it feels like there are a lot of privacy regulations to track, but let’s simplify things here. For email marketers, there are four key regulations to be aware of. Yes, each one is distinct but there’s some fundamental overlap that will ultimately make compliance easier. 

The General Data Protection Regulation (GDPR)

You can’t talk about privacy laws without talking about GDPR. (Well, it’s not a legal requirement, but we don’t advise skipping it.) GDPR is the EU’s landmark, watershed, groundbreaking privacy regulation. It’s the most extensive one in the world, and while it protects people in the EU, it has impacted businesses across the world. 

If you’re targeting EU residents via email, you need to comply with GDPR and also with the ePrivacy Directive, implemented in the UK as the Privacy and Electronic Communications Regulations (PECR). In this section, we’ll focus primarily on GDPR’s requirements. However, you should also be familiar with the ePrivacy Directive, whose rules differ by country and depending on whether the marketing is B2B or B2C.  

As an email marketer under GDPR, you need a lawful basis for emailing people. Lawful basis takes six different forms: consumer consent, contract, legal obligation, legitimate interest, vital interests, and public tasks.

When it comes to reasons for contact, consent is the gold standard. Assuming it’s done right, it means people really, truly want to hear from you. So…how do you do it right? You need to collect freely given, specific, informed, and unambiguous consent, as GDPR Article 4(11) defines it (Article 7 sets out the conditions for obtaining it). To achieve compliance, you have to implement practices that meet stricter requirements for:

  • Consumer opt-in permission rules
  • Allowing consumers to delete their personal information
  • Storing user consent

Consent doesn’t just apply to GDPR, either. Generally speaking, the ePrivacy Directive requires consent. (And here’s a checklist to help you navigate it.)

But if you aren’t relying on consent, you do have other options for reaching out to people. “Legitimate interests” is another commonly trod path to meeting the lawful basis requirement. It wouldn’t be a compliance regulation if you didn’t have an assessment to tackle; specifically, the legitimate interest assessment (LIA). For an LIA, you have to work through three tests:

  • Purpose: are you pursuing an interest that is legitimate and real? There are a whole host of possibilities, from supporting IT security to direct marketing for your company.
  • Necessity: is the processing necessary for that interest, or could you meet your goal without it?
  • Balancing: do the data subject’s interests, rights, and freedoms override your business interest? (This is the balancing test.)

Legitimate interest can be applied to both B2B and B2C clients, but different rules apply to them. Here’s a handy chart from the Information Commissioner’s Office, the Data Protection Authority in the UK, that helps explain when legitimate interest might be used. 

Does it look like legitimate interests is the best route to email marketing compliance? It may be a good option—but look before you leap. Be intentional about how you approach which lawful basis to rely upon, no matter what you end up determining. 

How to get a GDPR compliant email program going

Our best practice, to stay on your customers’ good side (and GDPR’s good side!), is to rely on consent as much as possible. So we suggest building these features into your email marketing program: 

Opt-ins (and outs)

Get explicit consent for emails

Before sending out emails to someone, obtain their explicit consent with an opt-in form. Consent should be a specific, informed, and unambiguous indication of your customer’s wishes through affirmative action.

But here’s a good rule of thumb: Don’t save being explicit and transparent just for your emails. In all things privacy related, you should practice being explicit and transparent. 

Checkboxes for bundled consent

For a single item of consent, checkboxes aren’t mandatory. A few sentences can suffice for getting active consent!

However, if you are asking for consent to multiple things (for example, signing up for your email newsletter AND to use data for targeted ads), then you need to get consents for each action. 

To get these consents, use checkboxes. Just make sure that consent is still active: Don’t use pre-checked checkboxes. 

Link to your privacy policy 

Don’t forget to add a link to your Privacy Policy in the opt-in form. Subscribers have the right to access the information explaining how you process personal data.

Honor subscriber requests 

Revoking consent, i.e., unsubscribing from your emails, must be straightforward and easy. Your email recipients need to be able to:

  • Unsubscribe from that particular marketing communication
  • Unsubscribe from all of your communications
  • Reach you at a working return email address

Storing user data and user consents

Once you get consent, then what? That consent shouldn’t just vanish into thin air. You need to store it as proof in case of audits. This proof should include:

  • Who gave consent
  • When they gave it
  • And what they specifically consented to

Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM)

While GDPR may be the biggest privacy regulation to date, CAN-SPAM is the oldest when it comes to specific email marketing laws, dating back to 2003. This was in the Wild-West era of the internet, back when your inbox could be filled with a veritable unsolicited brothel, along with basically any other spam content. 

The short version

CAN-SPAM applies to commercial email sent to US recipients. Transactional or relationship messages (see above) are exempt from most of its requirements, though they still can’t carry false or misleading header information. Businesses using email to market to US residents must: 

  • Not use false or misleading header information (from addresses, names, domains) or deceptive subject lines
  • Identify the message as an advertisement, unless the recipient gave prior affirmative consent to receive it
  • Label sexually explicit content in the subject line
  • Include a valid physical postal address in every marketing email
  • Provide a clear, easy way to opt out, and honor requests within 10 business days

Canada Anti-Spam Legislation (CASL)

Think GDPR, but limited and applying to Canada. CASL has been in effect since July 1, 2014, and hasn’t substantively changed since then. This piece of legislation focuses on protecting e-commerce in Canada by regulating business email activity to prevent identity theft, phishing, spyware, and more. 

The short version

Like GDPR, this regulation doesn’t pertain just to businesses in Canada; it applies to any business that sends marketing communications to Canadian email addresses. The basic rules include:

  • Getting consent, either express or implied, from individuals prior to sending them marketing emails
  • All consent forms must be clearly written and include the identification and contact information for the business
  • Users can revoke consent any time they wish
  • Businesses must keep records of consent for all Canadian residents
  • Marketing emails have to include the name of the company and its information, as well as instructions on unsubscribing

While CASL applies to anyone in Canada or anyone sending to a Canadian resident, there are some exceptions. Some business communications are exempt from CASL, including certain B2B communications. Under the B2B exemption, “commercial electronic messages” (CEMs) sent by an employee or representative are exempt provided that the businesses have a prior relationship and the message pertains to the business activities of the recipient. 

California Consumer Privacy Act (CCPA)

CCPA is the big-deal privacy legislation that went into effect on January 1, 2020. Like GDPR, the legislation establishes a series of fundamental privacy rights for consumers in California. 

The short version

Like GDPR, this regulation is geographically scoped: it protects California residents. But a business it applies to can be located anywhere, so long as it collects California residents’ personal information (email addresses included) and meets the law’s size thresholds. CCPA isn’t primarily focused on email marketing, but some of its rules apply. Remember that:

  • CCPA’s definition of personal information includes email addresses 
  • Every customer must be allowed to opt out of marketing emails from you and from any third party you “sold”* their data to (think of that webinar where you shared the whole attendee list with the sponsors without an opt-in)
  • Your privacy notice must disclose that email addresses are collected and how they’re used. 

*CCPA uses a broad definition of the term “sell.” It doesn’t necessarily mean that money is changing hands. Besides, sell, it can refer to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”

Five Tips for Success in Privacy-Forward Email Marketing

It’s easy to prioritize bigger picture privacy concerns, but it’s really important to not let email marketing fall by the wayside. 

Yes, it’s expensive to miss the marketing compliance mark. It’s also a surefire way to damage your reputation and customer trust. After all, email is a daily part of life for people. It’s a major touchpoint for marketing teams. If you drop the ball, you’re showing them that you aren’t thinking about their needs and their privacy — right in their own inbox!

Tip #1: Double up on the opt-in

All of the privacy regulations above require some level of opt-in. How do you streamline the process to work for everyone?

Double opt-ins. It’s only specifically required in Germany, as a result of Germany’s interpretation of the ePrivacy Directive, but it’s a good process to implement across the board. It’s an additional step for your customers and it can lower your subscriber rate. But it does three important things for your business that ultimately create more value for everyone:

  1. It improves your email list. You get more accurate data, protect against fake subscribers and scammers, and (most importantly) deliver leads that are more qualified
  2. It lowers the cost of your email marketing program, because fewer invalid addresses (i.e., less money wasted) means better deliverability 
  3. It provides a better route to explicit consent. The two-step process guards against involuntary or accidental requests. 

You’ll remember that US CAN-SPAM doesn’t require you to get your subscribers or leads to opt-in. But the other regulations do and when it comes to privacy, opting for the more intensive measures is always the better option. Why? By making sure you’ve taken the safe route, you avoid the risk of running afoul of compliance regulations. Basically, if you follow all the rules, you don’t break any rules. 

But there’s also an important customer trust point to consider. Making the effort to get their consent actively demonstrates that you respect their choice in the matter. 

Tip #2: Keep your records up-to-date

Obtaining consent is critical. So is keeping track of it. You need to be able to prove that you’ve received valid consent and have proof of it. As such, your database should allow for you to track consents, including:

  • Who consented
  • What they consented to
  • When they consented
  • How they consented

Again, CAN-SPAM is the outlier in email marketing privacy by not requiring that you keep records of consent. See the advice above, rinse, and repeat. 

Tip #3 Don’t forget to offer an opt-out

Here’s an important point of agreement on the privacy front. Four out of four privacy regulations agree: give your subscribers the option to unsubscribe from your emails. Unsubscribing shouldn’t be like passing a Senate spending bill, though: it should be uncomplicated and timely.

The approach that we’re all about? Customer preference centers, which allow your customers to customize their email relationship with you. Do they want to hear about everything that you’re doing? Do they want to just receive the greatest hits? Preference centers add that nuance to the relationship: changing email addresses, receiving fewer or different emails, hitting the snooze button on emails, or moving to other channels like SMS or social. 

Don’t forget to include a global unsubscribe option, as well. CAN-SPAM requires it!

Tip #4 And proceed with extreme caution when buying email lists

Why? There are a number of reasons. Privacy laws like GDPR make buying email lists cumbersome because of the necessary due diligence before a company can email them. 

Moreover, cold leads from an email list don’t particularly perform well. It’s not hard to guess why — these people didn’t express any interest in your business. Even the most well-crafted email will land with a thud if the recipient isn’t interested in it. And another “moreover”: purchased email lists often contain inactive or outdated emails. Sending an email to them could risk a privacy violation in and of itself!

Tip #5 Be honest about what you’re about

Your emails always need to clearly articulate who you are, your address, website, and how someone opted in to receive it.

No catfishing. Not in your online social life, and not in your email marketing. Make your proposition clear, simple, and then deliver on it. This means no clickbait headlines and no misleading promises of deals or discounts just to improve your open rates. Much like with enacting double opt-ins, you see a more measured response, but the response that you do see will be more genuine and more likely to lead to results. 

You shouldn’t just be honest with your customers, either. You should also be honest with yourself about what you’re using data for. It’s easy to be ambitious and think of reasons to collect information, but collecting data you don’t actually need or use runs against the data minimization principle (GDPR Article 5(1)(c)) and can itself be a violation. 

One thing is for sure: this is not the email marketing landscape of 20 years ago. Compliance and trust need to be a part of every interaction and every email that gets sent. Lots of marketing professionals have piecemealed out their compliance efforts, but ultimately, that leaves them scrambling to adapt and their customers wary about their privacy. 

So let’s try this instead: Take the road of more compliance. More effort. It’s worth it to keep your email marketing practices in line, and to keep your customers feeling good about your relationship with them. Ready to talk email and privacy? Drop us a line to schedule a consultation.


Download our free guide about what email marketing developers need to know about marketing privacy laws.

An international tour of cookies? Sounds delightful after this long year. We’re thinking: palmiers from France, Polish torunskie pierniki, Brazilian sequilhos, and kourabiedes from Greece. 

Wait, that’s from the baking blog, not the privacy one. 

But it’s important to talk about the other type of cookies from this perspective, too. While the EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive gets lots of airtime, there are nuances that businesses need to consider when planning and implementing their cookie strategy.


Recently Google and Amazon were fined a combined $163 million (€135 million) by France’s CNIL for dropping advertising cookies on users’ devices without obtaining proper consent. Read more about it here.

Key GDPR and ePrivacy Cookie Requirements

Before we jump into talking about cookies in the EU, here’s a quick refresher on general GDPR and ePrivacy cookie requirements. 

  • You have to tell your users about all the cookies on your website in plain language. This allows them to provide informed consent. (Or not.)  
  • You can’t drop cookies—except strictly necessary ones—until you’ve received user consent for each cookie. This consent must be clear and explicit.
  • You can’t withhold services—including website or application access—if they don’t consent to cookies. (FYI: This is often referred to as “freely given consent.”)
  • You’ve got to protect your users’ data. Do third parties have access to user data? It’s still your job to protect it. 

What Do You Need to Know About Cookie Consent?

Not surprisingly, countries in the EU have come up with varied interpretations of privacy. Each member state has its own data protection authority (DPA) that monitors privacy laws in their state. They provide guidance and interpretation for businesses and the general public. 

DPAs don’t always agree on many issues in privacy. Some are still finalizing initial guidance following GDPR’s implementation. Others have been proactive in implementing GDPR and then revising regulatory guidance. Naturally, cookies are a topic up for (repeated, heated) discussion. 

And why not? Cookies can be ambiguous. What does consent look like? Is it opt-in? Opt-out? What cookies need consent? What’s personal information? What about banners and cookie walls? What’s the meaning of life? 

Need a refresher on cookies? Check out our whitepaper here or read Do I Need a Cookie Consent Banner

The list goes on. But that’s why we’re here—to help you understand the different perspectives on cookies within the EU. (We can’t help with the meaning of life, though. That’s outside of our scope.) Let’s take a look at where guidance is strongest: France, the UK, Germany, and Spain.

Cookie Consent by Country

GDPR and ePrivacy have done a great deal to bring privacy practices in line throughout Europe. Among France, the UK, Germany, and Spain, there are some big similarities. 

First off, cookie rules don’t apply just to cookies. Rather, they’re relevant to any technology storing or accessing information on a user’s device. (Notably, though, under German practice, it also has to involve processing personal data.)

Consent is viewed similarly, particularly when we’re looking at its definition. Consent—when required—must be specific, freely given, and unambiguous before cookies are deployed. However, there are some nuances when it comes to how it’s put into action in Spain. 

Consent, moreover, takes place on multiple levels. Global consent is broadly shared among the UK, France, and Spain, meaning that consent must cover each purpose for which the cookies are used. (Germany, an outlier, doesn’t comment on this.) 

Granular consent—the practice of getting consents for separate things—is also a point of general agreement, though each country takes a different approach to achieving it. While the UK doesn’t provide any guidance on the matter, France mandates a second layer allowing users to give consent to each cookie separately. Spain requires that a first layer link to granular consent tools for each category of cookie. Finally, the ability to give granular consent is a must for Germany, but they don’t dictate where it should be implemented.

One big issue in consent is third-party vendors (who, under GDPR, may be processors acting on your instructions or independent controllers in their own right, depending on what they do with the data). French, German, UK, and Spanish authorities all agree: organizations need to identify all third parties who will rely on users’ consent. (France goes just a bit further and states that a list of third parties should be accessible and regularly updated.) 

But enough about the similarities. Time for a deeper dive into each country’s cookie policies.

France
France bases its cookie rules on the GDPR and ePrivacy Directive and on guidance from the Commission nationale de l’informatique et des libertés (CNIL). CNIL’s most recent guidance was issued in October 2020, updating its instructions around user consent, analytic cookies, and cookie walls. 

Lawful basis for processing and consent

When it comes to the lawful basis for processing, France limits it to either user consent or strict necessity for technical cookies. Consent must be given through positive action and must be informed, meaning the data subjects have been given explicit and clear details about the purposes of the cookies. 

As per CNIL’s guidance, several actions don’t constitute consent:

  • Continuing to browse a website
  • Pre-checked boxes
  • Browser settings

Analytic cookies and consent

According to France, organizations don’t have to collect consent (though they still have to inform users) for analytic cookies that are used:

  • Solely to measure a website or application’s audience
  • To test a new version of a website or application
  • Only to generate anonymous statistics

Cookie walls

According to CNIL’s latest guidance, the cookie wall as a tool isn’t GDPR compliant—consent is only valid if the user chooses to accept cookies without any significant inconvenience or negative consequences. Being denied access to a website would fall into that category. 

Consent retention and lifespan of cookies

As per CNIL-recommended best practices, cookie consent should ideally be valid for six months. Similarly, they recommended that cookie refusal should be retained for the same period of time. 

When it comes to the lifespan of cookies, it shouldn’t be longer than 13 months.

Spain
The Spanish DPA, the Spanish Agency for Data Protection or AEPD, looks to GDPR in putting together its guidance, as well as local laws: Law 34/2002 on Information Society Services and Electronic Commerce, Law 3/2018 on Data Protection and Guarantee of Digital Rights, and the AEPD’s opinions. 

The AEPD’s cookie guide was updated in July 2020, and organizations were expected to comply by October 31, 2020.

Lawful basis for processing and consent

In Spain, the lawful basis for processing is clear, affirmative consent. However, some privacy professionals have considered Spain’s definition of affirmative consent to be ambiguous.  

Under its 2019 guide, Spain stood apart from other member states by treating continued browsing as a valid form of consent, assuming that adequate notice had been given. That guide listed actions such as:

  • Using a scroll bar, insofar as the information on cookies is visible without using it.
  • Clicking on any link contained in the site other than those in the second layer of information on cookies or the privacy policy link.
  • On devices such as mobile phones or tablets, swiping the initial screen and accessing the content.

Note: the July 2020 update withdrew that position to align with the EDPB’s May 2020 consent guidelines. Scrolling or continuing to browse no longer counts as consent in Spain either; only a clear affirmative act does.

Analytic cookies and consent

Analytic cookies require consent. (See, sometimes it’s straightforward!)

Cookie walls

Spain’s AEPD has determined in its most recent guidance that cookie walls aren’t compliant unless users are offered an equivalent way to access the content without giving consent.

Consent retention and lifespan of cookies

Cookie lifespans should match their intended purposes. And given that the AEPD suggests consent should be renewed at least every 24 months, a cookie shouldn’t outlive the consent it rests on.

United Kingdom
In the UK, the DPA is the Information Commissioner’s Office (ICO). While other DPAs in the EU are bound by GDPR, the upcoming Brexit puts the UK in a different position. Questions have, naturally, cropped up.

The UK has committed to keeping GDPR’s rules in place in the form of a “UK GDPR”, created by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

As such, GDPR won’t actually apply in the UK after December 31, 2020—yes, it’s that soon—but the above regulation nonetheless preserves GDPR’s guidance. ICO also looks to the Privacy and Electronic Communications Regulations (PECR). 

Lawful basis for processing and consent

Under ICO’s guidance, the user’s consent is the lawful basis for setting non-essential cookies. 

Where PECR requires consent for those cookies, you can’t fall back on an alternative lawful basis such as legitimate interests, and if the cookies process personal data, ICO’s view is that consent is also the appropriate GDPR (or UK GDPR) lawful basis for that processing. Legitimate interests comes into play for personal data processed by strictly necessary cookies, which PECR exempts from the consent requirement, as long as GDPR’s own conditions are met. 

Analytic cookies and consent

Analytic cookies don’t belong to the “strictly necessary” category of cookies. As such, you need to get consent before deploying them. 

Another point to remember for ICO guidance: first-party and third-party cookies are considered distinct. You need consent for both, but as per ICO, valid consent is viewed as harder to get for third-party cookies because of the lack of direct relationship between third party and the user. Take extra care to highlight use of third-party cookies. 

Cookie walls

In other states, cookie walls aren’t generally aligned with valid consent. However, ICO allows for the possibility if it applies to specific content and it doesn’t impede access to the website as a whole. 

Consent retention and lifespan of cookies

ICO doesn’t extend any specific guidance for how consent can be retained nor what the appropriate lifespan of a cookie should be. For both questions, there’s not a one-size-fits-all answer. 

Generally speaking, for lifespan, limit duration to what is necessary for the cookie’s purpose. Likewise, for consent, consider what consent is doing in the context of use. Do users visit frequently? Are functionalities changing? Is content updated? Those questions should guide when you ask for consent again.

Germany
In Germany, GDPR and ePrivacy are applicable, and the German authorities provide robust guidance for organizations. There’s no single national DPA, though: the federal BfDI and the sixteen state authorities coordinate through the Datenschutzkonferenz (DSK). (Datenschutzbehörde, or DSB, is actually the Austrian authority.) That being said, unlike other EU member states, Germany hasn’t entirely implemented Article 5(3) of the ePrivacy Directive.

Instead, there is a debate around whether some provisions within the preexisting German Telemedia Act sufficiently cover the requirements of Article 5(3) of the ePrivacy Directive. Notably, the German Data Protection Conference takes the position that Article 5(3) of the ePrivacy Directive hasn’t been implemented in German law. As a result, according to them, there is no German cookie law and instead, guidance is reliant on GDPR.

Lawful basis for processing and consent

The legal basis for processing in Germany rests on consent, contractual relationship, or legitimate interest, depending on the purpose of cookies and/or tracking tools. 

Analytic cookies and consent

Consent is required for analytic cookies when they result in transferring personal data to a third party. Earlier German practice sometimes treated an opt-out as sufficient, but the Federal Court of Justice’s May 2020 Planet49 ruling confirmed that cookies which aren’t strictly necessary need active consent, so don’t rely on an opt-out link for analytics that send data to a third party.

Cookie walls

As a rule, consent for cookies must be voluntary according to Germany’s guidance. Anyone wanting to access a site or application needs to be able to refuse cookies without negative consequences. In other words, access should be allowed even if cookies are refused.

Consent retention and lifespan of cookies

Germany doesn’t have specific local guidance on retention of consent and the lifespan of cookies. As a result, policies default to GDPR and ePrivacy. 

Cookies Around the World

Cookies in the EU, of course, aren’t limited to France, Spain, the UK, and Germany—each member state either has or has the ability to develop guidance on how cookies should be handled. And, don’t forget, these are just European cookies. Brazil, China, India, Australia, are just some of the other countries with privacy regulations in place that address cookies. 

Cookies are complex, but they’re a critical part of your privacy practices. If you haven’t had your fill of cookies yet, we’d love to help you customize your cookie practices to your EU audiences. Drop us a line to schedule a consultation today.

Cookie banners. Let’s talk about them.

Cookies themselves date to 1994. (Basically, Stone Age digital technology.) The banners asking about them came later, after the EU’s 2009 ePrivacy amendments. Just think, how many cookie banners have you clicked past in your digital life without a second thought?

(A lot, probably.)

It’s enough to make a business owner or marketing professional wonder: do I really need a cookie consent banner to be compliant with the laws and regulations?

It’s hard to keep track of privacy regulations, after all, especially when changes are always appearing on the horizon. Consider that the European Data Protection Board (EDPB) adopted updated guidelines on valid consent in May 2020. Or that Apple’s iOS 14 App Tracking Transparency framework requires apps to get opt-in permission before they can read the IDFA (Identifier for Advertisers) used for ad tracking. 

Let’s unpack this question together. 

What’s a Cookie Banner, Actually?

First: the cookie. A cookie is a small piece of data a website asks your browser to store and send back with later requests to that site. Cookies carry all sorts of information, and there’s a big variety of types. Some are purely functional (keeping you logged in, for instance), while others track visitor activity on or across websites. 

Cookies can be really helpful for both website owners and website visitors, but they aren’t universally loved. Especially by users. They can feel intrusive and a little Big Brother-ish, especially when the purpose of cookies isn’t clearly explained and users aren’t given options for managing user consent. 

In years past, it was acceptable to just pop some cookies onto your website and go back about your job. But now, as a result of legislative efforts, notice and consent are required before you can place cookies on a user’s device. 

The notice and consent come in the form of cookie banners. They can be a pop-up. They can be a banner on your website. They can be in your header or footer. They can be a whole wall of text à la Google.

No matter how it’s formatted, though, it has an important job: alert website visitors that cookies are present on the website and get informed consent prior to data collection. 

Approaches to Cookie Banners

You have options for cookie banners depending on your cookie practices and policies. You can take the simple Notice Only approach, which is straightforward but isn’t compliant with GDPR. You can take the Opt-Out route, which means you fire all cookies when your visitors arrive on your website and let them object afterwards. However, this approach also misses the GDPR mark.

You can take the Implied Consent route, meaning your website activates strictly necessary cookies. Users are then asked to click through to learn more and otherwise consent is implied by continued use of the site. 

Finally, you can take the Opt-In approach, the most compliance-forward method. Fire only the strictly necessary cookies when a user arrives on your site, and get their explicit permission for everything else. An ideal opt-in cookie banner informs users what cookies are being used for and then has them take a specific and intentional action, like checking a box, before firing the rest of the cookies.

What Laws Apply to Cookie Consent Banners?

General Data Protection Regulation (GDPR)

GDPR was seriously maligned when it rolled out in 2018. It is still spoken of in aggrieved tones by some marketing and privacy professionals.

We get it. It’s a tough one. It required lots of businesses to recalibrate their operations. 

But behind the challenges, it does bring some good into the world. It gives people real, actionable rights! It gives them channels to exercise them! It holds businesses accountable for how they process and use personal data. That’s worth a lot. 

So where do GDPR and cookie banners meet? Like with so many privacy-related questions, it comes down to consent to data processing. 

Consent, Cookies, and GDPR

What pieces need to be included in your cookie banner according to GDPR?

Opt-in Cookie Consent

GDPR requires that you take an opt-in approach, which means your website won’t fire cookies without the go-ahead from your visitors. (With the exception of those that are needed for essential site functions.) This consent should be given via an opt-in button. What’s more, you need to be extremely clear with your users: they are agreeing to cookie deployment. 

Informed Consent

Why is this clarity so important? Your visitors’ consent has to be informed and explicit. You can help them provide this informed consent by spelling out what kind of cookies you are using, why you want the data, and how you’re going to use it.  

Note that consent requirements are subject to change. For example, this fall the Commission nationale de l’informatique et des libertés (CNIL) in France issued new guidance that states scrolling past a cookie banner doesn’t constitute valid consent. Nor does the cookie wall, which makes consent required to access a site. Moreover, they recommend a “Reject All” button for the first layer of a cookie banner. 

Learn more about CNIL and their cookie guidance.

Third-Party Data Sharing

Let’s talk a little more about how you’re using personal data. For a GDPR-compliant cookie banner, you need to tell your website visitors if you’re sharing their information with third-party vendors. Yes, we know they provide important services but they’re also a significant security risk for your business and your customers. 

One big third-party service that deserves discussion here? Google Analytics. Google Analytics is one of the most common cookie-setting services run on websites, so it’s understandable that people want to know how it interacts with GDPR. Google Analytics uses cookies and therefore requires user consent to be compliant.

But while Google Analytics is a data processor, you can adjust the settings so it tracks data in an anonymous mode. This means you can choose to proceed without consent. (But we definitely recommend you consider getting consent anyway as a best practice.)

Learn more about anonymizing data.

We’d be remiss if we didn’t touch on Facebook, CCPA, and cookies. Facebook is a prolific cookie source, but they’ve taken the position that businesses need to determine whether their data transfer activities with Facebook qualify as sale of data under CCPA. 

That being said, businesses can make use of a feature known as Limited Data Use (LDU), which does just that: creates limitations on how Facebook can use your business’ data. 

Via LDU, marketers can specify which data they want to share with Facebook. Initially, LDU was automatically enabled for all Facebook business accounts, but since July 31 businesses have had to make the updates manually.

Remember, this isn’t an exhaustive list of third-party vendors or their requirements. Always review terms and conditions for the cookies that you use.  

Link to the Website’s Cookie Policy

Finally, you’ve got to link to your cookie policy, which should detail how and why cookies are used and where they live on your site. (Remember, you need to have this legal document in place, too.) The easiest way to do that? Pop the link in your cookie banner.  

Link to Cookie Settings

Consider this a bonus activity. Linking to your cookie settings isn’t required for GDPR compliance if users can outright reject all your cookies. But consider this: Privacy doesn’t need to be all or nothing. Make consent management easy for customers. When they customize their interactions with your website and your brand, they’ll be in control of their information and you’ll build a better relationship with them. 

ePrivacy Directive

But before there was GDPR, there was the ePrivacy Directive. Passed in 2002 and amended in 2009, it’s not a law but rather a directive that requires EU member states to develop national privacy laws. 

While GDPR deals specifically with personal data, ePrivacy works on the issues of electronic communication, web traffic, and, you guessed it, cookies. In fact, it’s sometimes referred to as The Cookie Law because it, well, laid down the law on cookies, requiring explicit user consent before websites could fire anything but strictly necessary cookies. 

The Directive shares GDPR’s understanding and definition of consent as a “freely given, specific, informed and unambiguous indication” through a statement or clear affirmative action. To be in compliance with the ePrivacy Directive, you’ll need to:

  • Get consent (as defined above) from users before firing anything other than strictly necessary cookies
  • Deliver accurate information about the data tracked by each cookie before consent is given
  • Document and store consent records
  • Don’t make services contingent on accepting cookies
  • Make opting out and withdrawing consent easy

However, EU member states and their regulatory bodies add complexity to the picture. CNIL, the Information Commissioner’s Office (ICO, UK), the Swedish Data Protection Authority, and the Hellenic Data Protection Authority are just a few of the regulatory bodies that provide guidance for their states.

To add even more complexity, the ePrivacy Directive is in the process of being upgraded to the ePrivacy Regulation. While it will carry on in spirit what the Directive put in place, it will have stricter rules for security and pose its own GDPR-like fines. On the plus side, though, the most current draft proposes to streamline cookie consent processes. (But hold your horses — the Regulation may not come into play until 2021 due to ongoing negotiations.)

Wait, what about CCPA?

You may notice that the California Consumer Privacy Act (CCPA) isn’t listed here. Quelle surprise! But CCPA, while currently the strongest state privacy law in the US, doesn’t technically require cookie banners. Instead, it requires that you notify website visitors “at or before” collection of “personal information,” which can include cookies.

Moreover, CCPA takes an opt-out rather than an opt-in approach to consent. You don’t need a banner to make the opt-out happen, but it’s the best practice to make sure you give users the fullest opportunity to exercise their individual rights. 

A little bit more about CCPA and cookies

As per CCPA, websites do need to tell users what personal data they’re collecting via cookies and if they’re going to be selling it to third parties. Don’t think you sell anything? Don’t jump to that conclusion quite yet. 

CCPA has an impressively broad definition of selling — it doesn’t have to mean that you or someone else has shelled out money. “Selling” in CCPA-land also refers to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…” Even your well-intentioned ad tech might be included.

To facilitate a transparent privacy program, you can include a link that lets users accept cookies or not. One helpful further step? Provide users a preference center so they can control their cookies. 

But while preference centers are great (really great, actually), they do take strategy to implement. Be thorough by including links to industry opt-outs like About Ads or Network Advertising Initiative’s (NAI) opt-outs. If Facebook and Google cookies are part of your cookie game, requirements for opting out should be linked, too. 

Who Needs Cookie Consent Banners?

But the big question: Do you need a cookie consent banner? There are privacy regulations all over the world that deal with cookies, so it depends on where your customers and audience are. Is your audience located in the EU or the US? If you tick either of these boxes, you have to have a cookie consent banner:

  • Do you have customers in the EU?
  • Do you target individuals in the EU?

So, that’s a pretty short list. If you don’t collect data from EU visitors, then you’re not legally mandated to post a cookie consent banner. 

You can even set up your cookie banner to trigger just for visitors from the EU. Or just for California. Or you can show the same banner to everyone. Point is: you have options.
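As an added illustration (not code from the original post), here is a small JavaScript model of the banner logic described above and in the Opt-In and ePrivacy sections: strictly necessary tags run immediately, everything else waits for an explicit decision, scrolling is ignored, every decision is recorded with a timestamp, withdrawal drops the cookies, and the mode is chosen per region (opt-in for EU visitors, opt-out for California). The ConsentManager class, category names, region codes and cookie names are constructed assumptions; on a real page the cookie jar would be document.cookie.

```javascript
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Banner mode by audience, as described above: opt-in for EU visitors (GDPR/ePrivacy),
// opt-out for California (CCPA). Region codes are a constructed convention.
function modeForRegion(region) {
  if (region === "EU") return "opt-in";
  if (region === "US-CA") return "opt-out";
  return "opt-in"; // safe default when one banner is shown to everyone
}

class ConsentManager {
  constructor(mode, now = () => new Date()) {
    this.mode = mode;
    this.now = now;            // injectable clock so consent records are testable
    this.records = [];         // audit trail: ePrivacy asks you to document and store consent
    this.cookies = new Map();  // cookie name -> category; stands in for document.cookie
    this.loaded = [];          // names of tags that have actually run
    this.pending = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
    // Opt-in: only strictly necessary cookies may fire before an explicit decision.
    // Opt-out: non-necessary cookies fire on arrival and stop when the user opts out.
    const preDecision = mode === "opt-out";
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary" || preDecision]));
  }

  // Register a tag (e.g. an analytics loader); it runs now only if its category is allowed.
  register(category, name, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.state[category]) this.run({ name, load });
    else this.pending[category].push({ name, load });
  }

  run(tag) { this.loaded.push(tag.name); tag.load(this); }

  // Tags call this instead of writing document.cookie; refused when consent is missing.
  setCookie(name, category) {
    if (!this.state[category]) throw new Error(`no consent for ${category} cookie ${name}`);
    this.cookies.set(name, category);
  }

  // Record an explicit, specific decision (checkbox, Accept/Reject button) and apply it.
  decide(choices, source) {
    const decision = { necessary: true };
    for (const c of CATEGORIES) if (c !== "necessary") decision[c] = choices[c] === true;
    this.records.push({ at: this.now().toISOString(), source, mode: this.mode, decision: { ...decision } });
    this.state = decision;
    for (const c of CATEGORIES) {
      if (this.state[c]) for (const t of this.pending[c].splice(0)) this.run(t);
      // Already-loaded scripts cannot be unloaded, but their cookies are dropped.
      else for (const [n, cat] of this.cookies) if (cat === c) this.cookies.delete(n);
    }
  }

  acceptAll() { this.decide({ analytics: true, marketing: true }, "accept_all"); }
  rejectAll(source = "reject_all") { this.decide({}, source); } // first-layer "Reject All" button
  withdraw() { this.rejectAll("withdraw"); }                    // withdrawing must be as easy as consenting

  // Scrolling, continued browsing or closing the banner are NOT valid consent (CNIL guidance):
  // keep the signal in the log for the record, but change nothing.
  implicitSignal(kind) {
    this.records.push({ at: this.now().toISOString(), source: kind, ignored: true });
    return false;
  }

  hasConsent(category) { return this.state[category] === true; }
}
```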

But even if you aren’t required to, you should still strongly consider it.

Here’s why: Major data breaches in the past years, combined with misuse of our personal information by tech giants and the ubiquity of digital content in our lives, have eroded public trust. Only 15% of people feel like they have meaningful control over their personal information held by companies. 

Compliance regulations like GDPR and CCPA work to mitigate privacy concerns and rein in misuse, but the real work shouldn’t be done in courthouses and parliaments.

It needs to be done on the ground floor. Companies, along with their legal departments and marketing teams, can take the initiative to protect their users and their data by creating transparency in their digital marketing and handing over the privacy reins to their users.

All of this can happen within your cookie consent banner. 

Privacy is operationally crucial. To get privacy working for you, it has to work for your customers and to do that, it has to center around transparency and trust. If that sounds like a goal for your business, we’d love to talk. Drop us a line to schedule a conversation today!

What if we told you that there was something that you could do that would:

  1. Build better relationships with your customers
  2. Protect your business
  3. Get you on the right side of data privacy laws and regulations
  4. Is totally achievable regardless of how big or busy your business is, AND
  5. Take your mind off of the crazy times we’re living through right now

We bet you didn’t think we were talking about working on California Consumer Privacy Act (CCPA) compliance, but it’s true. 

With all that’s happened in 2020, CCPA’s enforcement date came and went without the hubbub that it was due, but that’s okay. It’s always a good time to get compliant. 

Let’s take a look at the CCPA best practices and see what you can do to make your 2020 just a little better. 

CCPA: A View from the Top

If you’re just tuning in now to CCPA, welcome to the show. Privacy regulations are notoriously opaque and difficult to parse, but we’ve distilled the main goals down to the key takeaways.

CCPA went into effect on January 1, 2020, became enforceable on July 1, 2020, and applies to any business that either:

  • Earns more than $25 million in revenue per year OR
  • Collects or processes 50,000 consumer records per year OR
  • Derives 50% of its annual revenue from selling personal information

Don’t meet those thresholds? You might think compliance doesn’t need to be on your radar. But remember, consumer privacy is the new standard and if you don’t comply with CCPA (or any other major privacy regulation — we’re looking at you, EU’s General Data Protection Regulation), it may give customers pause. And more than that, it might cause you to miss out on that next big sale or investor.

Also remember, under CCPA, you’re not the one that needs to be in California – it’s your customers. California residents have the following privacy-related rights:

  • Right to know all data collected on them, the categories of data, and the purpose of collection
  • Right to refuse the sale of their information
  • Right to request deletion of their data
  • Mandated right to opt-in before the sale of information of children under 16
  • Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired

Have questions about CCPA regulations? Learn more about it here.

What do you need to do: The short and sweet version

What do all those rights mean for your business? That is, how do they translate into operational practices? When you translate legalese into action items, it’s easier than it sounds.

  • Keep your privacy policies up to date and make sure to include CCPA disclosures in them
  • Make sure consumers have the ability to submit individual rights requests, including the right to delete, right to access, and right to opt-out of sale  
  • Create opt-ins for the sale* of minors’ data: 
    • For children under the age of 13, parents or guardians must opt-in
    • For children ages 13-16, the minor must opt-in  
  • Put a “Do Not Sell My Personal Information” link on your homepage that takes consumers to an opt-out form. 
  • Give consumers at least two ways to request any of their information that you’ve collected, shared, or sold. 
    • A toll-free phone number is required, except for companies that operate solely online (review with a privacy professional to confirm you qualify), which may provide an email address instead. Generally, all companies provide either a web form or an email address for submitting requests.
    • Web forms are required to opt-out of the sale of information
  • Make sure you fulfill any consumer requests when they ask for what information you’ve collected or sold*. If they want you to delete it, make sure you fulfill that request too.
    • If a third-party vendor is involved, you’ll also have to make sure they’re in compliance, too. Vendor management programs that incorporate thorough contract reviews and assessments can facilitate this. 

*CCPA uses a broad definition of the term “sell.” It doesn’t necessarily mean that money is changing hands. Besides selling, it can refer to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”

Getting from point A to B to C(CPA)

Okay, we’re on the same page of the general requirements for CCPA. But what are the best ways to accomplish these line items? 

#1: Get your privacy notice squared away

Whether you’re baking up a privacy notice from scratch or you’ve got one already completed, you’ll want to put some dedicated effort and attention towards this task. A copy-paste privacy policy and privacy notice from a template (or from another business — but let’s not go there right now) isn’t going to serve you well. Your privacy documents need to speak to your business practices and to your customers. Customize it. 

It’s also important where you put it. You shouldn’t tuck it away in some deep, dark corner of your website. As per CCPA, it needs prime real estate. To meet compliance requirements, your privacy notice needs to be put in a conspicuous place — most commonly on the home page — and anywhere data is collected. 

Keep your policy updated

Privacy policies are kind of like updates for your iPhone. You get everything updated and working smoothly…and then there’s another update. 

Thankfully, you don’t need to update your privacy documents quite that often. As per CCPA, you’re required to update annually. 

#2 Train Your Team on CCPA 

You — along with legal, marketing, IT, or consultants — come up with your privacy policy, but your employees execute it: the ones handling consumer questions, facilitating individual rights requests, assessing vendors, and so forth, or maybe the ones running marketing campaigns.

They need to know how that all fits into CCPA compliance and why. They need to know what data security risks are present, what the implications of a data breach are, and a whole host of other critical points. 

There are philosophical, and mission- and values-based reasons for training. There are also legal ones; CCPA requires employees managing individual rights requests to be trained. But when it comes down to it, your team just plain needs to be trained on how to correctly do that part of their job. Note, CCPA doesn’t dictate how employees need to be trained, but there are several ways to accomplish this, including using materials from the International Association of Privacy Professionals (IAPP), creating your own curriculum, or working with a privacy professional.

#3 Keep Your Records Up to Date

Records are critical in compliance land. Without them, it’s simply not feasible to maintain compliance. So where do you start? 

Get yourself a data inventory. This will be your roadmap, helping you understand the flow of personal information across its entire lifecycle at your business. For CCPA, this will include tracking what information qualifies as “sold.” 

You need to keep your records up to date for consumer records requests as well; as per CCPA, you have to retain any request for at least twenty-four months. A data inventory also helps you track which of your vendors have access to your customer’s data. (See more on that below.)

But be diligent about security when it comes to your record-keeping practices; CCPA also requires that you implement “reasonable security procedures and practices.”

#4 Review and update vendor contracts

Dust off your vendor contracts. It’s time to take a look and see who is doing their part for CCPA compliance. If you don’t have in-house counsel, contact your favorite law firm to get help assessing these contracts. 

Support from privacy professionals is also a big asset in these tasks, particularly when it comes to building a process around your vendor contracts. We look at how vendors are:

  • Keeping system, data security, and privacy as per best practices and the industry standards
  • Meeting confidentiality and privacy requirements
  • Committing to notify you of security breaches, incidents, and potential vulnerabilities 
  • Committing to independent audits and assessments and to providing you access to audit documents

As with so many things in our professional lives, these tasks are never truly and finally complete. You should plan to review your contracts annually.

#5 Make it easy for customers

Finally, let’s not just make compliance easier on ourselves. Let’s make it easier on your customers. Your customers, after all, are giving you their personal information. It’s theirs! Respect that! Make sure they can control it. 

CCPA is intended to give customers that control through rights like opt-in, opt-out, consumer requests, and more. But these rights have to be implemented by you, the business. CCPA may provide guidelines on how you should do it, but there are ways to go above and beyond that build trust and transparency with your customers. 

Consider creating a preference center where your customers can review their preference choices, edit their contact information, and adjust what data is being collected, and that offers additional insight into your data collection and usage.

Finding your best path to compliance doesn’t have to be difficult. We won’t break out into a rendition of “Get By With A Little Help From My Friends,” but having the right help in your corner makes a huge difference. That’s what we’re here for. Drop us a line and let us know how we can help you.

Get our free guide on Getting From Point A to B to C(CPA)!