Click for Full Transcript

(00:01):

Welcome to the, She Said privacy. He said, security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

(00:22):

Hey Jody Daniels, here I am a certified information, privacy professional, and I help provide practical privacy advice to overwhelmed companies. I’ve worked with companies like Deloitte, the home Depot, Cox enterprises, bank of America and many others. And today we are flipping the script and I have John Corcoran here who has done thousands of interviews with executives, CEOs, and entrepreneurs, and he will be interviewing me. All right, Jodi. Thanks for having me. So in this episode, we’re going to dive into kind of privacy and marketing 101. So some of the common questions that companies have, particularly around email marketing, when you can send emails, when you can’t, cookie notices, which you see on every website, these days are a lot of websites, digital advertising. We’re going to dive into those different topics and answer some of the most common questions that people have.

(01:15):

But first, before we jump into that, this episode is brought to you by Red Clover advisors, which helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. Red Clover works with companies in a variety of fields, including technology, SAS, e-commerce media agencies, professional services, and financial services. In short, Red Clover uses data privacy to transform the way companies do business together. They are creating a future where there is greater trust between companies and consumers. You can grab their free guide, how to increase customer engagement in a private world. By going to red Clover advisors.com/customer-engagement, or learn more at redcloveradvisors.com, or you can also email info@redcloveradvisors.com. All right, Jodi. So let’s hop into this. So first of all, let’s start with email marketing. So maybe some companies that are listening to this, and they’re already doing some email marketing and what are some of the common things that they need to know in order to do email marketing today?

(02:17):

Because I think there’s a lot of confusion around email marketing, what you need to do and what, what you can do as a company. It is. I have this conversation, I feel like every day and the most important piece to understand is quite honestly, where are people coming from so that you know which law it is you have to apply to. So do you have people, for example, coming from around the world and are you actively emailing them? Some companies might get anyone from around the world, but they’re filtering them out. And they know that they’re ultimately never emailing anyone outside of the United States. Other people have a knowingly and purposeful global approach. Some people are just the U S in Canada. So before you can even figure out what you need to do,

(03:00):

That’s honestly, the very first step is understanding who you’re actually trying to send that marketing message to, and then you can begin understanding, okay, great. What is it that I need to do? Because the us Canada and Europe all differ.

(03:14):

Okay. And so I imagine someone listening to this might think, well, you know, most of my customers are in the us, but how do I know if someone is in Europe, is that going to affect me?

(03:23):

Well, and it can, and it all kind of goes back to what you’re also trying to do. So if you are a website and you are from the United States and all you want are United States customers, but Jodi finds you on page 23 of Google and happens to put my email in, and then you start marketing to meet you. Right. You don’t know if I’m from there at the same time, if you’re kind of legal policies. So your privacy notice and your terms start talking about, you know, we’re a United States based site. We, we sell to people in the United States. Everything about you is really for the United States, then that would not really put you in scope for GDPR. And some of the other things there’s some interesting nuances, excuse me, that you could talk about, but generally speaking, it doesn’t necessarily mean because I have you on my list, then, GDPR applies. You have to go through some other elements to determine that.

(04:18):

Got it, got it. So that can, it’s kind of, it seems like a little bit of an out, can protect some companies by if they are a US-based company. If they’re focused on US-based customers, by being clear and all their written communication, that that is who they’re targeting, who they’re focused on.

(04:35):

Right now, maybe I’m a B2B company and I have content and I want that content to be consumed by people all around the world. I worked with one company, they were us, their clients were us, but they actually, from their Google analytics could tell 30% or more was from the UK. So in that situation, they kind of know how many people are coming from around the world. And so they knew that they needed to comply with GDPR. I have another company and they just have a typical opt-in kind of email and they don’t know, and they’re not using IP filtering, but again, they’re only focused on the US or even us and Canada. So just because I put my email there and I never buy anything, you have to kind of go through a scoping exercise to determine if GDPR applies to you or not. So it’s an element that I think a company needs to do. And then if it determines it’s not applicable, then you take the right steps to inform everybody, Hey this is a US site. Thanks for coming. But we’re, we’re not going to try and sell you anything. And this is a US site. Thanks for stopping by.

(05:38):

Okay. So it seems like if GDPR applies, that’s kind of the highest bar that, that requires the most of a company in terms of privacy compliance. So let’s start there. So let’s say that GDPR does apply or you’re being cautious as a company and you want to make that you treat it as if it does apply. What are some things you need to be mindful of as you do email marketing?

(06:04):

Yeah. So it’s really interesting because we actually then have to add in this other law called the E privacy directive, or it’s kind of known as Pescara PECR because it’s actually the digital marketing law that intersects with GDPR. So you sort of have to look at both and generally speaking, very generalized. You also have to look at the type of marketing. Are you a B to B company? Are you a B to C company? And in which countries are you potentially emailing might dictate the rules of what you can, but generally speaking, it’s a consent. It’s an opt in approach and philosophy to marketing in the EU. Now there might be some exceptions to current customers. So if I’m, I’m a current customer, there’s this other kind of it’s called a lawful basis. Meaning I have to have a reason to be able to use the data consent.

(06:56):

I’ve opted in this other one is called legitimate interest. So I’m a, I’m a customer it’s in my legitimate interest to try and tell you about my next new product, or you bought the base level. I want to upgrade you with the four attachments that you need. That’s a bit of a legitimate interest to be able to market to you. So you have to also really go through the theme here is to be able to go through and understand the data that you have and the customers you have and go through that appropriate analysis to determine, does it have to always be opt in? Is there any room for it not to be opt in? And then if it is consent, making sure that you actually meet the specific definitions of consent and GDPR has its definition of consent. And this other law has its definition of consent and you have to bridge the two together very easily, a checked box, not consent.

(07:45):

You can’t have a pre ticked box, which many of us see today, right? You go, you buy something and it’s, pre-checked I sign up for events a lot of the times. And so like, would you like to hear about more events? No, I, I don’t want to hear about more events, so right. It’s already pretext that does not meet the definition of consent. It can’t be bundled with, you bought for you to get this lead magnet or for you to buy this product. You’re automatically added to the marketing. It’s supposed to be unbundled. There’s supposed to be separate terms. So, and there’s a couple other requirements that, that the law has. So understanding the requirements and what you’re going to rely on is quite honestly the very first step to being able to determine what you need to do.

(08:30):

Okay. So you can’t have a pre ticked box now, what do you need to say?

(08:35):

So it’s supposed to be specific informed, freely, given easily to withdraw some easy withdraws and unsubscribed button informed as I’m signing up for the weekly newsletter, I’m signing up for the tips and tricks. I’m signing up for you to tell me about all the partners that you work with. There’s a difference of, please tell me about your products and then let me try and sell you something from all my partners. And then I make an affiliate commission, right? That’s very different. So what is it that I’m signing up for? Or if you’re sharing my email, right? That’s an, opt-in like I signed up for your emails. I didn’t sign up for you to share it so that the third parties can email me. So it has to be informed and it has to be freely given meeting. It’s not tied to something else. The privacy notice needs to be around there, either in the footer or kind of generally like oftentimes people put it sort of near the submit button or in the footer. So those are some of the big requirements.

(09:33):

Okay. A bunch of questions here. So I’m sure you’ve heard this one before. Can I just grab a, you know, this legalees off of someone else’s website, plop it onto my website. I’m sure you’ve gotten that one before?

(09:48):

I have. I have, well, you know, if their business is going to be the one responsible, if you get in trouble, then I suppose sure. How about it? But the likelihood of that is probably pretty nil. So instead you need to look at your business because their business is not your business and what they have might apply to them, but not, not to you. And so it’s not advised to just go and borrow from someone else. Now, at the same time, you can look to others to see, you know, tone and type of information, but you have got to apply it to your business specifically and make sure you feel comfortable with it because you’re ultimately responsible.

(10:31):

Okay. Another question can I just email someone? I don’t know, or can I not just email someone? I don’t know, this kind of thing comes up, right? Like it is the new world that we live in with EMA marketing. Is that saying that you know, if I, if I get someone’s email address, does that mean I can’t email them unless I have some kind of approval to email them.

(10:55):

So it really depends on the jurisdiction. So if you remember what we talked about first, the very first piece is you have to know where you’re emailing people because the law in the answer connects to where they are. So in the United States, our email marketing rules are much more liberal compared to what they are in Canada and to, to Europe. So you have to understand that you also have to figure out, are you B to C or B2B because the rules also different. So B to C is going to be more stringent and protecting the consumer business. There’s sort of this expectation that I need to be able to conduct business as business development. I have to find you. And so it also depends on where you get the information. There’s a lot of list brokers. People will buy the list. If you buy a list and you want to email, you need to, you’re supposed to actually inform when you send the message, you know, Hey, I got your email from this list or something to that effect to inform the person why they, the email and then allow them to unsubscribe. There’s also sort of this legitimate interest concept. Would they expect an email from me? And maybe it’s a, one-time email, not a mass message that you put through your marketing automation tool. There’s also a huge difference of, Hey, we met at the trade show or, Hey, Sally told me to contact you. You’re giving context and allowing them to say, thanks, but no thanks. Which is vastly different than putting them in a marketing automation, CRM, and, and sending them a series that they never signed up for.

(12:24):

Yeah. Do that. You see that happen a lot.

(12:27):

And so then what happens even in the United States, which you can do that because there’s not a law that says you can’t when you go to unsubscribe, if the person says, well, I never subscribed for this, that actually will hurt your credibility with the email service provider.

(12:42):

Right. So that’s, that’s kind of like a non-legal issue, but it is an issue that affects your business. If, cause then that affects the deliverability of the rest of your emails. Correct?

(12:51):

Right. It does. It affects deliverability. And then you might be paying for something that no one’s ever going to open, they’re just going to automatically delete. So there’s all kinds of factors that go into that. But you have to look at the jurisdiction in Canada, it’s, it’s challenging. You have to have consent and you have to figure out, well, how did I get this information? Was it publicly available? Was it not publicly available? So if you find, you know, Jodi Daniels and my email on a website, and I just grabbed that email to send to you, there’s an expectation. If I put my email out, I’m, I’m asking you to find me, I didn’t say, put me in your database and blast me. I said, send me a message. Jodi would like to sell you something. That’s kind of the expectation. But if I just randomly guessed at it and send you some message, and again, it kind of is the same theme of where did I get it? What is my message? How did I send it in? Do I have an unsubscribe? All of these really, especially for Canada and Europe should all have an unsubscribe option on them. Even if it’s just PS, if you don’t want this, it reply and I won’t email you anymore.

(13:55):

Right. Right. Now this might be not an important distinction, but sometimes there are unsubscribed buttons where you have to enter your email address. And I know that bothers people. Sometimes the fact that you have to enter your email address, you know, it kind of gets under my skin a little bit. It’s like, why do I have to give you my email? You send me an email that I don’t want to receive. I want to unsubscribe. I just want one click. So is there any requirements around that?

(14:19):

I’m kind of the same. You should have it, but there’s different technologies that allow it to be able to grab it automatically and not grab it automatically. So just kind of depends.

(14:29):

Okay. All right. Let’s talk about cookie banners. So this has really proliferated, I think, over the last, you know, year or so or something like that, it seems like so many websites have some kind of pop-up banner notice cookie, banner. I think it’s commonly called. So what are the requirements around those?

(14:49):

Yep. So it’s been two years since GDPR came into effect, and this again is an intersection between GDPR and that E privacy directive because the E privacy directive or this thing called pet GRA is actually the digital marketing rules. But then it had that intersect with GDPR that says before, you’re going to use data. You actually have to have one of six reasons to be able to use it. You have to, you’re going to process the data. So generally it was consent and that is the cookie banner that’s popped up. Now what’s interesting is we’re sitting here in the United States. We didn’t actually have to get them, but a lot of companies went and put them everywhere either because they chose to, and that’s what they wanted, or they didn’t know how to separate them, or didn’t buy a tool that would allow it to only be for their EU audience. But there are tools that will allow you to separate out your audience. You can have one for the EU, one for Thailand, one for Philippines, one for now, just California.

(15:42):

So they perceive who is viewing your website. And they can tell if they’re coming from Thailand or the EU or wherever when they give different notices. Okay.

(15:50):

Right. And that’s actually important because the notice the actual language that’s in the banner and the way the banner is set up, differs by jurisdiction. So in the EU, it really is an opt in approach. I need to opt in to be able to set those advertising and analytics cookies and anything that’s not considered essential or functional, essential, or functional are things like keep my username and password or my shopping cart cookies. So I don’t have to keep putting in my t-shirt every time I click the website, right? That’s a functional cookie, but advertising and analytics, while it might be necessary to have a business it’s not actually necessary to make the website work. And so that’s the difference. The EU approach is opt in to that in the language should be different in the United States. It’s not an opt in. It’s a, Hey, I’d like to tell you that there’s cookies here.

(16:40):

And so I’ve informed you if you’d like to manage those click here. So very different language. There’s this other notion of, of a sale. And that’s kind of a complex concept that we might not cover here. Like we need to be the 201 class, but in California, there’s some extra layers that you have to be thinking about for a cookie notice that can meet this kind of interesting definition of a sale of data that cookies might fall into. Well, that’s very different. It’s still an opt out approach versus an opt in approach in the EU. And with both of those banners, you shouldn’t have a cookie notice that says, this is the kind of cookies we use. This is why we use cookies and somewhere, especially for the EU, you need a list of, these are the cookies on your website. Some people manually populate that with the chart. Here’s all my cookies for companies that have a lot of cookies or use, or change them a fair amount. Then they should really look at a tool that can help auto-populate that list. So they’re not manually needing to do that every time they add a cookie.

(17:41):

Got it. Okay. And those tools, I assume that they are not providing the language as well, or they have suggested, or is it just language, but again,

(17:52):

I really want to have a professional who knows what they’re talking about. Use it. I mean, an interesting story is I had one, one company I talked to and they had guidance quite honestly, from an attorney. And then I had guidance from the cookie tool and they didn’t understand they can contradicted. And it it’s more because the software tool said one part and the company, or the attorney said just a little bit different, but they needed someone who understood how it all worked to bridge together. And so we were able to make sure that they got the right cookie banner and the right jurisdiction with the right language and off to the races that they would.

(18:24):

Okay. So if I’m a company and I’m listening to this and I’m thinking, come on, like, what’s my real exposure here. Now are companies getting sued over these things? Do you see that happening?

(18:34):

So companies are getting sued, whether the lawsuit will hold will, will be kind of an interesting one. For California, there’s 80 lawsuits underway for a variety of different issues. So it’s all just too early to tell exactly what will happen for GDPR. There are definitely fines that are happening and some make the news and some are really small. There’s all kinds of GDPR trackers that are out there on the web tracking. The hundreds of violations that, that have been there. What I will say is, especially if you’re a B2B company, your customers are looking to you and your website is your front door. So if you don’t have the right privacy notice up, or my email marketing opt-in experience, isn’t quite right. And my cookie banner isn’t right. I’m going to be kind of saying, well, whatever you tell me about your privacy and security practices, I’m not sure I’m going to believe you because my first experience isn’t super strong and the same is going to be true on the B to C side consumers, more than two thirds of consumers don’t trust companies today with the data that they collect and they want more regulation, 80% of customers will be more inclined to provide information if they feel comfortable and they can trust the company. So again, it’s my front door experience. If I have a cookie banner that doesn’t have the right words, or I have a cookie banner that you can hasn’t even been finished because it still has the Latin in it, or the template language, which I have seen say with privacy notices, if you’re going to use the template, which that’s a different story, at least fill it,

(20:04):

Fill it in.

(20:05):

But right, that’s my front, that’s my first impression of the company and people care about this. So it’s important. It’s important to get it right?

(20:14):

Yeah. That’s an interesting distinction because I think a lot of companies may be viewing it as Oh, a headache or another thing I need to do. But when you put it that way, it’s a great point because consumers want it. They expect it. And they’re going to lose trust for you if you don’t have it there. So there’s a lot of different acronyms in this world. GDPR. Another one, I don’t think we’ve mentioned it yet. Is CCPA. Now that’s California, consumer privacy act. You mentioned California a couple of times, but what is CCPA?

(20:45):

Good point. I use these acronyms all. So thanks for catching me. So the California consumer privacy act is a law that became effective January 1st, 2020, and enforceable July 1st, 2020. And it is a lot of people compare it to GDPR because it’s the first, most comprehensive state privacy law that we have in the United States. And it brings some of the elements of GDPR with it, like individual rights. Meaning let’s say we talked about email marketing, so I’m on your email marketing list. I know I want to, not only unsubscribe, I want you to delete me. I have that right. If Jamie lives in California or I’m a company that has applied at nationwide. So there are companies that have said not just for California, but we’re going to apply these individual rights to all of our customers. So individual rights is one. I kind of just shared an example. It also says that you have to make sure you have an accurate and updated privacy notice. And it has a variety of very specific items that have to be in the privacy notice. And it brings up this idea of sale of data, which is a very unique, complex definition. It’s not only I sold you data. You gave me money. It can be, I share data with you. You get to do whatever you want with it. That might be a sale.

(22:02):

Okay. Is what you’re telling me is that States are, are starting to adopt these privacy laws. So am I as a company, am I going to have to start thinking about 50 different States having 50 different sets of rules?

(22:19):

You could. California. So today there are a myriad of state laws. You have, I mentioned California, this particular one, CCPA is the strictest of all of them. And that is true. If anyone listening here does anything with like facial recognition or biometrics that are specific state laws, that address that there’s some other state laws that say you have to have a privacy notice on your website, but nothing quite to the level of CCPA on the data breach side. If you have a data breach, there are 50 state laws. Now the good news is hopefully we’re not having a data breach every day, so we can continue to conduct our business without having to deal with that. There’s a very high likelihood of 50 state laws, unless we can have a federal law. And there’s been a federal law introduced multiple federal laws every year for more than a decade. And we just still don’t have one yet. So it’s a bit of a crystal ball throw a dart, not quite sure what will happen.

(23:15):

Got it. Got it. Okay. And then so we’re running a little short on time here but this has been great overview. So what about texting? Are there different rules for texting versus a website versus email marketing?

(23:28):

There are again by jurisdiction. So Canada and Europe are going to have their own digital marketing laws that you have to look at for texting and here in the United States, we have one called TCPA, the telephone consumer protection act and texting in the United States and almost everywhere is an opt in requirement. So you cannot send a marketing message without opting in first.

(23:52):

Got it. Okay. All right. Well, this has been great Jodi remind everyone where they can go to learn more about you and learn more about the work that you do.

(24:00):

Absolutely. Well first, thank you so much. This was such a great discussion and I would be delighted for folks to come and visit atredcloveradvisors.com. You can email at info@redcloveradvisors.com and also we have a special checklist that we’ve put together about how to increase customer engagement. And you can grab that@redcloveradvisors.com slash customer engagement.

(24:22):

All right. Great. Thanks so much, Jenny. Thank you. Thanks for listening to the, she said privacy. He said security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.