Email marketing frequently operates across borders, with the ever-growing creativity and complexity of campaigns designed to engage customers wherever they are. As organizations work to collect and use data to inform their decision-making and understand what makes customers tick, they need to also focus their energies on staying compliant with data privacy laws, which since the arrival of stronger and broader regulations have long arms and sharp teeth.
As a result, organizations should ensure they keep up-to-date with their obligations if they are to avoid the risk of non-compliance, enforcement action and the potential for huge fines. Given their broad relevance, GDPR and CCPA are good places to start.
GDPR – General Data Protection Regulation
The General Data Protection Regulation (GDPR) was drawn up in the EU, coming into force in 2018 to ensure data privacy for information within the European Union and European Economic Area, giving EU citizens more control over their personal data.
GDPR is applicable and enforceable against anyone or any organization that does business with or offers its services to EU residents, including organizations based in the US. This is a key point, and US-based businesses should be mindful of their obligations under GDPR. The largest fine to date – 50 million euros or around $57 million – was handed out to Google in 2019 by the French data regulator for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.” An appeal by Google last year was dismissed.
But these penalties have not only affected large businesses. Even small companies have seen fines come their way, which highlights the importance of GDPR compliance across businesses of all sizes.
GDPR covers several lawful bases for data processing, and consent is one of them. As a result, organizations need to update their understanding of consent from permanent to dynamic. This means that consent under GDPR could depend on the situation and is specific only to the activity in question. For example, marketing teams need to consider some vital questions, such as: Do I have permission to send marketing messages to you? Are you expecting my emails?
GDPR states that customers must also be able to easily withdraw consent if they decide they don’t want to hear from the sender anymore. And they need to have the choice to opt out on an ongoing basis, the choice to update their consent status at any time, and the right to have their personal data removed from that business’s database. What’s more, if they want to take their data with them, to another provider for example, the organization holding it must comply.
The point is, if organizations want to reach out to their contacts, they should offer them only what they’re interested in, and engage in a safe space where they can give or deny permission directly from the outset.
California Consumer Privacy Act (CCPA)
Similarly, the CCPA addresses how companies around the world must handle the personal data of California residents. In place for just over a year, it applies to for-profit businesses that annually sell the personal data of 50,000+ California residents, or that have annual gross revenue of more than $25 million. It also applies to organizations that pull at least half of their yearly revenue from selling Californians’ personal information.
The requirements of the CCPA are comparable to GDPR in that applicable individuals must have the right to know whether their personal information is being collected and what personal information is being collected about them. In addition, they can say “no” to the sale of personal information, delete their personal information, and have the right to receive equal services and prices no matter how they exercise their CCPA privacy rights. As with GDPR, consent is key, and email marketers must be explicit about any information collected or sold from their exchanges with a California-based contact.
The emphasis on data privacy is growing
GDPR and CCPA are just two examples of the growing list of domestic and international data privacy regulations put in place to more effectively protect individuals. From Brazil to Australia, China to Canada, authorities are now ready and able to act against organizations – large or small – flouting the rules or ignorant of their obligations.
These are vital considerations. It doesn’t matter whether email marketing is being used every day or for the first time ever, by a huge corporation or by a one-person startup – understanding the rules and weaving them into each piece of activity is not optional.
Ultimately, the best piece of advice is: seek advice. Professional, qualified guidance should always be sought if there is any doubt over the regulations or risk of non-compliance – with hundreds of GDPR fines already imposed and with customer loyalty at stake, it’s a false economy not to.
Disclaimer: EU data protection laws, including the GDPR, and the CCPA are complex. This byline should not be considered legal advice. Please consult a legal professional for details on how the GDPR and CCPA impact your specific business case.