Aware of email marketing requirements for customer privacy and data security?
Getting the right message out should be straightforward, right? But is your marketing team:
At Red Clover Advisors, we’ve been collaborating with clients on data security and privacy strategies since Day 1. It’s our goal to make privacy clear and actionable for your business without the cost of doing the work in-house.
We take a client-centered approach to finding the right strategy for your business. Our services are robust, customizable, and always at the forefront of compliance needs.
When done right, your marketing strategy can be something to shout from the rooftops. That’s because you’re putting your customers’ privacy and security needs front and center. We help you do that.
Data security and privacy can’t be ignored, least of all when it comes to your marketing. Working with experienced information security professionals helps marketing teams get the results they want while protecting your business and your customers from security risks.
Reach out to our team at Red Clover Advisors today to start with your free consultation.
What are the risks we face if our marketing team doesn’t meet compliance standards and regulations?
Marketing needs creativity, but it also needs data. When it comes to the data side of things, you’ve got to start from a place of compliance. Failing to do so costs you money, your reputation, and customer relationships.
The financial costs of non-compliance alone can be devastating. Regulator audits are expensive to respond to, and the fines and fees that follow aren’t any better. While large corporations can absorb these kinds of hits, small and midsize businesses aren’t always prepared to incur these costs.
There are also financial costs that result from losing your hard-earned customers. When customers feel they can’t trust you, they’ll quickly take their business elsewhere.
And there is the risk of reputational damage that cannot be overlooked. A compliance violation inflicts a serious blow to any company that wants to be seen as trustworthy. (I.e., most of us.) It tells your customers, your stakeholders, and your industry that you don’t take your responsibility as protector of sensitive personal information seriously. In stark terms, it’s a major failing for businesses.
What are the main regulations that impact marketing departments?
There are data security and privacy regulations at the state, federal, and international levels that impact marketing departments. Some of them govern the email, digital advertising, and texting practices that marketers rely on (CAN-SPAM, the TCPA, and CASL, which always need to be considered). The two big comprehensive ones we will address here are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). What do you need to know about them?
General Data Protection Regulation (GDPR)
GDPR is the EU’s landmark privacy legislation. GDPR created regulatory obligations for any business, organization, or non-profit that processes the personal data of individuals in the EU, whether because it is established in the EU or because, from outside the EU, it offers those individuals goods or services or monitors their behavior.
One of the major highlights of GDPR is its definition of an individual’s rights over their personal data. GDPR gives EU residents significant controls over their information, including:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
GDPR also defines special categories of sensitive data, which include:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person
- Health-related data
- Data concerning a person’s sex life or sexual orientation
In short, these rights keep EU residents informed about how their personal data is being collected, stored, and used by companies. They give individuals control over consenting to, objecting to, and deleting the processing of their information.
Looking for more insight on GDPR compliance? Look no further.
California Consumer Privacy Act (CCPA)
In the United States there is currently no comprehensive federal law regulating data security and privacy the way GDPR does, but rather a patchwork of laws. However, CCPA has taken the stage as the law for other states to emulate. CCPA is the broadest state-level privacy regulation in the United States. It’s newer than the GDPR, having only become enforceable in July of 2020, but it’s been a compliance target for businesses since it was signed into law in 2018.
Unlike GDPR, CCPA protects only California residents. More specifically, you need to keep CCPA compliance top-of-mind if:
- You’re a for-profit business that:
- Collects and controls California residents’ personal information AND
- Does business in California AND
- Meets at least one of the following thresholds:
- Annual gross revenues in excess of $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices
- Derives 50% or more of its annual revenue from selling California residents’ personal information
Under CCPA, consumers have a defined set of individual rights. These include:
- The right to notice
- The right to access personal data and information
- The right to know if their personal data is being shared (and with whom)
- The right to deletion
- The right to know whether their data is being sold and the option to opt-out of the sale
- The right to non-discrimination: equal service and pricing whether or not a consumer exercises their CCPA rights
In the CCPA universe, your team has to be ready to uphold these individual rights by handling consumer requests. You’ve got to meet the deadlines for responses and appropriately verify the identity of the person making the request before you disclose or delete anything. And, critically, your privacy notices need to be up-to-date.
Civil penalties are part of CCPA, as is the potential for legal action, either enforcement by the state attorney general or private lawsuits (a private right of action limited to certain data breaches involving unencrypted or unredacted personal information).
Learn more about CCPA and where it might be going.
What does my marketing team need to know about…?
Cookies are used for all sorts of purposes on a website or an app, but for marketing teams, they provide valuable data for understanding consumer activity and behavior. Because nothing in compliance is one-size-fits-all, though, no two data security and privacy regulations treat cookies the same way.
If this feels nebulous, that’s because it kind of is. But here are three reasonably solid takeaways about marketing and cookies.
- You’ve got to stay up-to-date on rules and regulations across multiple countries and geographic regions
- Preference management software can be your best friend
- When it comes to data collection, consent is everything
Want a big ol’ plate of cookie goodness? We deliver all that plus a glass of milk.
Data inventorying is mission-critical for data security and privacy. It’s a key element of GDPR compliance; it’s necessary for privacy notices; you need it for facilitating individual rights requests. (And from a functional standpoint, you can’t be sure your data is secure if you don’t know what you have, after all.) Data inventorying helps you get a bird’s eye view of the data you have and ask important questions like:
- Why are we collecting it?
- Who is accessing or using the data?
- Where is it being stored?
- How is it being used, shared, and secured?
Data inventorying also helps you identify and map your vendors and confirm that they’re complying as well.
Do we need a privacy officer?
Compliance is an ever-moving target. Who helps you keep track of it? For small and midsize businesses, the responsibility often falls on the marketing or legal team. That makes some sense: compliance heavily impacts these departments, and keeping the work in-house can help keep costs down. This can be a good option for some companies, but others can seriously benefit from a third option: the fractional privacy or compliance officer.
Fractional privacy officers help you focus on the issues at hand: data security, privacy, and compliance. They’re specialists with an ear to the ground on regulations, changes in the industry, and the most up-to-date best practices. This leaves your marketing and legal teams free to do the work they’re passionate about while still guarding against non-compliance (and all the associated costs).
Let’s look at a common example: announcing a product launch. Your marketing department might consider putting together a new landing page and sending out a celebratory email blast to your email list. You put together some copy, find a template for your landing page and email, and presto! Ready to go.
However, a fractional privacy officer can help you make deliberate and informed decisions about how you approach these projects. While they may seem like small potatoes, there are important compliance questions to consider.
- What needs to go on the landing page?
- Do you need a privacy notice? Where should it go and what should it say?
- Who can you email about this?
- Are you covering all your bases?
Fractional privacy officers can have a big impact on an organizational level as well. Privacy and security start with your workplace culture, but if you’re not up to speed on best practices and policies, it’s all too easy to let them slide. Fractional privacy officers can help you establish a culture of compliance at your business, providing support for training, strategies, and communications.