It may sound counterintuitive, but smart data privacy practices can make both traditional and digital marketing programs more efficient.

The rise of e-commerce and social media has forever changed the global economy, and while governments have continually dictated and adapted statutes regarding physical trade, they have only recently begun regulating the collection and use of consumer data. 

Because these data privacy laws vary—sometimes dramatically—by industry, country, and/or region, marketing professionals around the world have had to rethink even their most basic standard operating procedures (SOPs).

The evolving landscape of data privacy regulations makes upgrading marketing SOPs a complex endeavor. Add in the fact that regulations are often a year or two behind privacy best practices, and it’s easy to see why marketers are often concerned about doing their job well without running afoul of regulatory requirements.

Principles of data privacy 

There are three main principles that are at the core of most privacy legislation: transparency, control, and accountability.


Transparency

A good data privacy program is about more than security. It’s about how consumer information is acquired, handled, stored, and shared. Governments, industry leaders, and consumers are increasingly demanding companies provide straightforward, unambiguous insight into what data they collect about their consumers and what they are doing with it.

Marketing professionals spend their professional lives managing the often competing business processes of transparency and sales. Their skill in navigating the natural tension between these two goals, combined with an in-depth understanding of target audiences, makes marketers uniquely qualified to guide their employers’ efforts to develop and explain crystal clear privacy policies.


Accountability

While initially focused on defining consumers’ privacy rights online, the current trend in privacy legislation is towards increased accountability for how corporations use and protect (or don’t protect) the information they collect from their users.

Rather than expecting existing legal and administrative oversight bodies like an attorney general’s office to manage compliance, new laws in the US are taking things a step further by creating and funding agencies specifically tasked with enforcing regulations. 

Consumer control

Even with regional differences, modern digital privacy laws fundamentally give consumers more control over what data is being collected from them, why it’s being collected, how it’s being used, and who it’s being shared with. 

An interesting note: this movement isn’t led by industry. As evidenced by the passage of both the CCPA and the CPRA in California, privacy activists are at the forefront of advocating for increased consumer rights. 

This advocacy will permanently alter the landscape of marketing. Understanding the principles that form the framework of most privacy laws can help marketers build programs based on sound data protection practices while being agile enough to adapt to new and constantly changing laws.

What regulations look like

Data privacy regulations generally apply both to where a business is headquartered and where its customers live. This means a business based in Paris with users in France, San Francisco (California, USA), and Rio de Janeiro (Brazil) will likely have a minimum of three different marketing processes to maintain compliance in each region. While each set of regulations is unique, they all address the following needs:

  • Establishing requirements for transparent privacy policies
  • Defining what types of information constitute personal data
  • Requirements for internal security measures to protect consumer information
  • Restricting collection of data from minors
  • Articulating penalties for businesses if a breach results in exposure of consumer data 

Privacy policies

Historically, companies have been able to hide behind privacy policies that were four pages of dense legal language an average consumer could not possibly hope to understand. Because of this, privacy policies lost their place as a critical consumer protection and instead became a pesky annoyance users just swatted away over and over again.

The new laws being passed pointedly target this problem by requiring transparent privacy policies that are prominently placed and easily accessed. By collaborating with legal, tech, and business departments, marketers have a unique opportunity to generate virtually free, earned brand awareness just by developing and publicizing a new, easy-to-understand privacy policy that clearly explains what type of data is being collected, who has access to it, and how having it will build a better user experience.

Data collection

For decades, marketers’ prevailing philosophy regarding data was the more data, the better. Regardless of how directly applicable the data was to their product and their target audience, marketers would collect as much data as possible and sit on it until they could figure out how to use it. This meant that companies could be storing outdated, useless-to-them-but-still-personally-identifiable consumer data for years.

Current data privacy laws make this practice of mass data collection less enticing to marketers by requiring them to tell their users what they are collecting and by establishing penalties if collected data is exposed in a breach. While having less data to work with initially can feel threatening, targeted data collection can benefit marketers in multiple ways.

  • Risk reduction—Removing non-essential data records eliminates risk of data exposure. 
  • Operational savings—Focused data collection can decrease data storage costs. 
  • Increased efficiencies—Fewer records make data sorting/analysis processes more agile. 
  • Enhanced performance—Intentional collection can improve effectiveness by improving the quality of the data underpinning campaigns.

Many privacy regulations require the creation of a data inventory, also known as a data map. A single-source-of-truth record, a data inventory facilitates tracking a record’s full lifecycle through company systems. 

A good data mapping process can find old/bad data, identify unnecessary data, and pinpoint vulnerabilities in collection and storage processes (bad vendors, weak permission structures, etc.).

Internal security measures

It is estimated that a business will fall victim to a ransomware attack every 11 seconds, with cybercrime costing the world nearly $6 trillion annually in 2021.

Add in that 68% of business leaders feel their cybersecurity risks are increasing, that only 5% of companies’ folders are properly protected, and that data breaches exposed 36 billion records in the first half of 2020, and it’s clear that data security is a major concern for both businesses and consumers.

Legislation doesn’t currently specify exactly what steps businesses need to take to protect their data, but most privacy law requires companies to take “reasonable security measures” to safeguard against breaches.


Existing privacy legislation around the world includes financial penalties, sometimes steep ones, for infringements and violations. 

New laws bolstered these actions by adding civil, even criminal, liabilities for companies that don’t comply with regulatory requirements, regardless of whether infractions are intentional or unintentional. This progressive intensity in enforcement actions makes it more critical than ever that marketers arm themselves with an understanding of what they can and can’t do.

How marketing functions are affected

Laws differ by region as to whether they require that consumers be allowed to opt in to (EU) or opt out of (US) marketing contact, but there’s no question that marketing best practices will have to change to keep pace with privacy law.

Email marketing

Email marketing—while not as problematic as tracking users across the internet—is still affected by the majority of privacy laws. Because email marketing seems so unintrusive, it is often exactly where businesses fall short of compliance.

This is unfortunate, primarily because compliance with email marketing rules is not particularly difficult to achieve. The primary rule in compliant email marketing is simple: do not aggressively target consumers who haven’t directly expressed interest in contact. 

Providing clearly marked opt-outs and unsubscribe buttons carries the bulk of the compliance heavy lifting, but having an explicit opt-in checkbox on subscription forms virtually guarantees an email marketing campaign won’t transgress any privacy laws.

This works for companies who have existing email lists, but what about marketers who purchase email lists? Because most data privacy laws require consent to contact before contact occurs, the practice of buying email lists is not a safe foundation for email marketing campaigns.

This will require marketers to put more effort into the first-party collection of email addresses. While seemingly a disadvantage to groups who have historically relied on purchased lists, this latest shift in marketing campaigns actually has the potential to reinvigorate the stale art of email campaigns. Because marketers will know recipients are genuinely interested in their product or service, the text and imagery in emails can be more focused, specific, and tailored to an already tailored audience.

Cookie requirements

Cookies are small, randomly encoded text files that store data about a user’s site visit on the user’s own computer instead of on massive company servers. This makes e-commerce affordable for businesses, and it improves user experience by remembering shopping history, carts, log-in preferences, etc.

Stored locally and too small to hold a virus or malware, cookies by themselves are more helpful than dangerous. 

But when combined with bad actors and/or pervasive tracking protocols from advertisers, cookies create a privacy risk for consumers and a liability risk for businesses. With most internet browsers banning third-party cookies (cookies placed on a site by a third party), smart marketing programs will shift data collection efforts to first-party cookies (cookies a company puts on its own website).

Generally speaking, cookies that don’t have an expiration date, track users through sensitive areas (like payment information), or are installed without asking for consent are all compliance and security red flags that need to be remedied.

Outreach and preference centers

Laws like the GDPR, the CCPA, and the VCDPA mandate that businesses give consumers increased control over how their personal information is collected and used. More important than that, though, is the ever-growing trend of consumers expecting this level of control regardless of the laws where they live.

A preference center, a dedicated page in an app or on a website, is a user-friendly way to push a privacy program past mere compliance by letting consumers tell businesses:

  • What personal information they can collect
  • What can be done with collected personal information 
  • How often they can use collected information to initiate contact
  • If collected data is inaccurate

The initial setup of a preference center requires a not insignificant investment of time and resources. Still, more than 40% of companies with strong privacy programs see benefits at least twice that of their privacy spend. A preference center will:

  • Aid in regulatory compliance by streamlining and optimizing data collection
  • Increase the ability to build accurate, real-time data sets by removing bad information
  • Build a corporate reputation as a leader in consumer protection
  • Protect against costly data breaches

Why marketers should lean in and honor customer choice

Every major law currently governing data privacy has been passed since online privacy was named a basic human right by the United Nations Human Rights Council in 2015. 

With more laws being proposed around the world every year, it’s clear that privacy will be one of the next decade’s primary consumer issues. Rather than fighting against this trend, companies that prioritize data privacy can cash in on a currency not managed by any foreign exchange controls: digital trust. 

Digital trust is the level of confidence consumers place in an organization’s commitment to secure and ethical online practices. This type of trust plays a key role in both customer conversion and retention. In 2020, consumers proved they will emphatically support companies who effectively balance consumer rights against shareholder interests.

Building digital trust by adding data privacy protection to a corporate social responsibility (CSR) program is good for business. A strong data protection program can prevent costly data breaches while improving company relationships with partners and regulators. 

Another point—over 70% of countries worldwide have data privacy legislation in place or are in the midst of drafting new laws. According to Oracle, “acceptable data practices developed two years ago have already become antiquated.” Designing marketing programs to meet privacy best practices instead of just to regulatory specifications builds an agile foundation that can quickly adapt to updated laws and regulations.

Most importantly, though, embracing a new way of working with data beyond compliance builds trust with customers. Demonstrating a commitment to the user experience will produce the most valuable commodity there is: trust.