Hint: privacy is the right thing. 

Do the right thing as marketers to build trust.
Jon Dick, VP Marketing, HubSpot

For marketers, privacy can be a four-letter word. After all, your entire job is to get your message in front of as many people in your target audience as possible. 

But as people who specialize in creating and capitalizing on trends, most marketers also realize privacy is a trend with long-term staying power.

To be a successful marketing agency in this new privacy era, digital marketers have to understand the value consumers place on their privacy and understand an ever-growing body of privacy legislation. 

Consumers care about privacy. A lot.

Almost 92% of Americans are concerned about their privacy when they use the internet. The same number of people think companies need to be proactive about protecting the consumer data they collect. 

Most importantly, 87% of consumers think data privacy is a human right.

Driven in large part by the Facebook-Cambridge Analytica scandal and dramatic increases in major data breaches that have exposed millions of sensitive data records, consumers have started demanding increased transparency about the privacy practices of both their favorite companies and of the billion-dollar data brokerage industry.

In 2019, Cisco found that nearly one-third of consumers are willing to change how they shop online and who they shop with to protect their privacy. 

Businesses that ignore this groundswell of consumer support for privacy risk revenue and reputational losses. As a marketing agency, figuring out how to balance communicating privacy as a brand value with promotional messaging is crucial to your future success.

Governments care about privacy too

In 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect and changed consumer privacy forever. 

The world’s first comprehensive consumer privacy law, the GDPR strictly regulates how companies that operate in the EU or collect personal information from its residents can collect, process, share, and store that data.

The United States doesn’t have a comparable federal privacy law, but multiple states (California, Virginia, and Colorado) have passed comprehensive consumer privacy laws that are to some degree similar to the GDPR, and more laws are being passed every year.

Even though best practices are still being established, regulations are just going to keep coming.

Privacy compliance checklist

Almost every type of marketing is impacted by privacy regulations. But don’t let that scare you! Successful, privacy-compliant marketing is doable. Here’s how.

1. Probe your privacy policies

When we say “your,” we mean your agency policy and your client’s policy. 


Most new privacy laws require compliance from both data controllers (the entity collecting data) and data processors (the entity using the data, usually a vendor). Because data controllers can be held liable for data exposed in breaches of their non-compliant vendors, most companies won’t even work with vendors that haven’t updated their privacy policy.

As a marketing agency, you can be a data controller or a data processor. Sometimes you might be both, which means your privacy policy needs to be rock solid.

A few of the key points that your updated privacy policy should detail include:

  1. What personal data (name, address, phone number, email, location, etc.) you collect 
  2. Why (e.g. email marketing campaigns) and how (contact forms, cookies, weblogs, etc.) you collect the information you do, with whom you share it, and whether you sell it, as defined by applicable law such as the CCPA
  3. Who has access to the information you collect
  4. What choices the individual has and how the individual can make an individual rights request
  5. What data security measures you are using
  6. How you will tell your users about updates to your privacy policy 
  7. How and how quickly you will tell users about a breach

Once you know your privacy policy is up to regulatory snuff, you need to make sure it also matches up with your clients’ policies. 

If you have non-compliant clients, you can push them to create a new policy. Trust us, they will thank you for saving them from fines and injunctions.

And clients who already have an established privacy program will trust you more if you can prove privacy is as important to you as it is to them.

2. Cooperate and collaborate

To succeed in digital marketing, you have to be good at multitasking and at building relationships. These abilities can be a huge asset when it comes to privacy compliance.

Because your agency can be both a controller and a processor working across multiple systems, establishing strong, collaborative relationships with your own IT and legal teams and with your client’s IT and legal teams is critical to developing processes that actually work, and work smoothly, for everyone.

3. Organize operations for opting-in or opting-out

Consumers love opt-in and opt-out regulations the way they loved the invention of caller ID.

Marketers…not so much. But it’s not as bad as it looks from the outside.

GDPR = opt-in

The GDPR is built on an opt-in foundation. To achieve GDPR compliance, companies cannot collect any personal information from a consumer, share collected consumer information, or contact consumers without acquiring explicit consent. 

For marketers, this means that even if you have a huge email list with thousands of verified email addresses, with very few exceptions you can’t send emails to that list until you’ve verified the recipients have agreed to receive your emails.

CCPA/VCDPA/CPA = opt-out

By contrast, most US laws are based on allowing consumers to opt out of the collection, processing, sharing, or sale of their personal data. Under the new VCDPA and CPA laws, individuals need to opt in to the use of their sensitive data. They can also opt out of receiving any marketing communication from you.

Opt-in to opt-in

Understandably, many marketers would prefer an opt-out system. Opt-out requires more engagement from users, which means you’ll probably be able to keep more data and continue contacting more people. 

While opt-in takes more work for you upfront and might initially shorten your email list, opt-in is the better, um, option long-term. 

Giving users the ability to choose the frequency and type of communication they receive from you and then honoring their choices will build more trust and loyalty with your target audience than any marketing campaign ever could.

If your users trust you, they’re far more likely to give you accurate information (no more fake email addresses!) and are also more likely to read whatever you send them. So instead of spending time trying to figure all that out, your marketing team can now spend their time nailing the message.

Basically, the more you let consumers ask to be left alone, the more effective your time together will be.

4. Vet your vendors

As an agency, you are a vendor. But, depending on your size, you might have vendors that help with things like production or analytics. 

You need to vet those vendors the same way your client vetted you. Read their privacy policy. Ask about how they protect the customer data you share with them. If there’s a mismatch, ask them to fix it or find a new vendor.

5. Analyze your access

As a vendor, one of the best ways to protect yourself is to make sure your relationship with your client is based on the principle of least privilege.

Under least privilege, your agency will only be given access to data that is key to your marketing work, which dramatically reduces the risk that data collected by your client will be exposed through a breach of your systems.

In addition to reducing your access to your client’s databases, make sure teams within your agency don’t have access to more sensitive consumer information than they need to do their job.

6. Scrutinize the social

Social media marketing is a fundamental part of every modern marketing campaign, and as such, has all the privacy challenges of regular digital marketing. But because social media is based on sharing and collecting information, there are special privacy considerations that must be addressed.

To be compliant with GDPR requirements, marketing agencies cannot use social media to manage remarketing campaigns unless users have explicitly consented to having their data processed. For example, in order for your business to remarket to an individual on Facebook, that individual would need to have consented to cookie placement. 

These expanded permissions structures are not necessarily difficult to create, but you need to make sure your agency fully understands the privacy laws your clients are subject to so you can help keep them compliant.

Privacy can be a powerful marketing tool

Privacy laws won’t end digital marketing, but agencies will have to innovate to survive this era of constantly changing guidelines and evolving best practices.

If your agency needs help designing and implementing privacy-centered processes, or if you want a partner that can help your clients up their privacy game, let’s talk.