
North American Organizations Struggle to Comply with Privacy Laws

Recently, my company completed research on data compliance, looking at how IT and marketing decision-makers around the world are handling the most common data privacy and compliance challenges. We did this because this year marked the third anniversary of the EU’s General Data Protection Regulation (GDPR), and because consumers have become noticeably more data-conscious. There has also been a widespread increase in new, state-specific privacy regulations in the U.S., such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), to name just two.

Without a doubt, the driver for these laws is that consumer data is a valuable resource for companies, while nearly a decade of constant data breaches has made most consumers cautious about sharing their personal information. Organizations, for their part, want at least some regulation governing the permissions under which that data is shared.

The data revealed that many businesses are still struggling to understand and comply with local data protection laws and regulations, which leaves consumers exposed. The responses of 1,000 professionals showed that 62.4% of companies are still not ‘completely compliant’ with the data regulations they are subject to, including GDPR, CCPA, and the Virginia CDPA. More than 61% of respondents said they handled data from the EU, which requires GDPR compliance. Smaller shares handled data from the UK (21.9%), California (21.1%), and Virginia (17.2%).

Somewhat troubling is that nearly a quarter (24.4%) of respondents didn’t know which data regulations apply to their company, indicating a lack of understanding both of the laws that apply where the business operates and of the laws its customers may be subject to.

More importantly, nearly half (44.7%) of companies have had to add or change marketing technology to comply with applicable data regulations, and some companies report spending $10,000 or more each year to remain compliant. That’s not an insignificant operating cost – and, given how fast privacy laws and regulations continue to evolve, it could easily rise with each passing year. So, what can companies do to ensure compliance while reining in spending and improving customer experience? Regardless of geography, company size or budget, I’m sharing four pro tips to help email marketers succeed at data compliance.

Pro Tip 1: Allow compliance frameworks to guide consent methods

First and foremost, what helps marketers with data compliance is ensuring they always acquire consent before adding someone to a mailing list. Whether through a single opt-in or (even better) a double opt-in process, marketers must use practices that establish clear consent.

There are a few methods for gathering consent, but not all are sufficient under current compliance regulations. For example, a soft opt-in is not considered explicit consent under GDPR. A soft opt-in is a form of implied, temporary consent taken from individuals at the moment their email details are collected, rather than an affirmative ‘yes’ to marketing. Regardless of how much individuals engage with a brand’s marketing communications, consent must be requested in explicit language. The bottom line is that if the individual didn’t say “yes,” it means “no.” New and explicit permission must also be obtained before email marketing campaigns are sent to legacy contacts; the exception is where marketers have kept a record of prior consent to receive communications from the brand or organization.

That, of course, leads to another important aspect of compliance: storing data safely and keeping a record of how express consent was obtained. This record consists of who gave the consent, when it was granted (such as a date and time stamp), and the express purpose for which it was given. An IP address, or the location and time the consent form was submitted, is generally considered insufficient on its own unless it is accompanied by a copy (such as a screenshot) of the consent form as the individual saw it. A confirmation email, in which the individual actively confirms the request, may therefore be necessary. Finally, it should always be simple and easy for consumers to remove, modify, or revoke consent at any time.
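The double opt-in flow and consent record described above, as an added example that is not code from the original article or its author. It assumes a 48-hour confirmation window, an in-memory dictionary standing in for the database, and a hypothetical purpose string "newsletter"; none of these come from the article. Each record keeps who consented, when the form was submitted, a digest of the exact wording shown, the source IP as corroboration only, when the confirmation link was used, and when consent was revoked. Confirmation tokens are random, single-use, expiring, and stored only as hashes, so a leaked pending-token table cannot be replayed to forge a confirmation.

```python
"""Double opt-in consent ledger (added example, not from the article).

Assumed, not stated in the article: a 48-hour confirmation window, an
in-memory dict in place of a database, and the purpose "newsletter".
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional

CONFIRM_WINDOW_SECONDS = 48 * 3600  # assumed policy; not from the article


@dataclass
class ConsentRecord:
    email: str                             # who gave consent
    purpose: str                           # the express purpose they agreed to
    form_digest: str                       # SHA-256 of the exact wording shown
    requested_at: float                    # single opt-in: form submitted
    source_ip: str                         # corroborating detail only
    confirmed_at: Optional[float] = None   # double opt-in: confirmation link used
    revoked_at: Optional[float] = None     # set when the person withdraws

    def active(self) -> bool:
        return self.confirmed_at is not None and self.revoked_at is None


class ConsentLedger:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the flow can be tested deterministically
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        # pending tokens are stored hashed: a leaked table cannot be replayed
        self._pending: dict[str, tuple[str, str, float]] = {}

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def request(self, email: str, purpose: str, form_text: str, source_ip: str) -> str:
        """Step 1: record the submission and return the one-time token to email out."""
        email = email.strip().lower()
        now = self._now()
        self._records[(email, purpose)] = ConsentRecord(
            email=email, purpose=purpose, form_digest=self._digest(form_text),
            requested_at=now, source_ip=source_ip,
        )
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, purpose, now)
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: a valid, unexpired, unused token turns the request into express consent."""
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        email, purpose, issued_at = entry
        if self._now() - issued_at > CONFIRM_WINDOW_SECONDS:
            return False  # expired: consent was never completed
        record = self._records.get((email, purpose))
        if record is None or record.revoked_at is not None:
            return False
        record.confirmed_at = self._now()
        return True

    def revoke(self, email: str, purpose: str) -> bool:
        """Withdrawal must be as easy as giving consent: one call, no questions."""
        record = self._records.get((email.strip().lower(), purpose))
        if record is None or record.revoked_at is not None:
            return False
        record.revoked_at = self._now()
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every campaign send on an active, confirmed record for that purpose."""
        record = self._records.get((email.strip().lower(), purpose))
        return record is not None and record.active()

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """The audit record you would produce for a regulator or a subject access request."""
        record = self._records.get((email.strip().lower(), purpose))
        return asdict(record) if record else None


def demo() -> dict:
    """Walk the flow with a fake clock; returns the decision taken at each step."""
    clock = [1_700_000_000.0]
    ledger = ConsentLedger(now=lambda: clock[0])
    form = "Tick here to receive the weekly newsletter. Unsubscribe at any time."
    token = ledger.request("Alice@Example.com", "newsletter", form, "203.0.113.7")
    results = {"after_request": ledger.may_send("alice@example.com", "newsletter")}
    results["bad_token"] = ledger.confirm("not-the-token")
    results["confirmed"] = ledger.confirm(token)
    results["after_confirm"] = ledger.may_send("alice@example.com", "newsletter")
    results["replay"] = ledger.confirm(token)
    results["revoked"] = ledger.revoke("alice@example.com", "newsletter")
    results["after_revoke"] = ledger.may_send("alice@example.com", "newsletter")
    # a second subscriber never clicks: the token expires and consent is never granted
    late = ledger.request("bob@example.com", "newsletter", form, "198.51.100.2")
    clock[0] += CONFIRM_WINDOW_SECONDS + 1
    results["expired"] = ledger.confirm(late)
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:>14}: {decision}")
```

The design point worth noticing is that `may_send` is the only question the campaign tooling ever asks, and it answers ‘yes’ solely when a confirmed, unrevoked record exists for that specific purpose; a record created by the form alone, an expired or replayed token, or a revoked record all answer ‘no’. The `evidence` output is the who / when / what-wording / purpose record the section calls for, and keeping `form_digest` lets you prove which version of the consent text the person actually saw.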

Pro Tip 2: Prioritize company reputation, and customer safety follows

Since most survey respondents were based in EMEA (65.4%) and North America (21.7%), almost all organizations in the study were subject to GDPR, CCPA, and/or the CAN-SPAM Act. This revealed a small but bright spot among the privacy and compliance challenges: EMEA businesses are closer to full compliance than North American businesses. While the share of completely compliant organizations in EMEA and North America is fairly similar, more EMEA businesses describe themselves as ‘mostly’ compliant.

Before we get too excited by these numbers, I have to point out the serious business consequences that non-compliance with data privacy laws can carry. It places customers’ data safety, business success, and business reputation in jeopardy. Businesses therefore cannot afford to remain merely ‘nearly compliant.’ One rule of thumb: if a business processes personal data, compliance with data privacy laws is not a choice, regardless of where the business is based.

Beyond the damage to customer data safety, business success, and reputation, non-compliance exposes the company to legal action and penalties. Using compliant tools and solutions offers an easy and effective way for companies to achieve full compliance, and allows IT and marketing decision-makers to operate with more certainty.

Pro Tip 3: Invest in a technology stack that safeguards data, too

Unfortunately, data regulation compliance doesn’t happen with the snap of a finger. For starters, companies may need to change how they gather and use personal data. They may need to revisit existing data collection and retention processes and examine the technology stack to determine where improvements are needed. They may also need to consult third-party providers and purchase a different solution.

In fact, the technology stack was a sticking point for a portion of survey respondents: when asked, 44.7% said their companies had made changes to it because of compliance issues. Most businesses spent less than $1,000 on those changes, but a portion (5.9%) spent $10,000 or more.

These changes are undeniably important, especially in the email space. Email service providers (ESPs) and assorted validation tools handle massive amounts of customer data, so it is crucial to ensure data safety and, as discussed previously, avoid the costs of non-compliance.

One more thing to be mindful of while working toward compliance is choosing providers that prioritize compliance, too. Companies remain responsible for how third parties use and protect their customers’ data. To achieve full compliance, companies must ensure that any subcontractors in the equation comply with all relevant data protection regulations and provide the highest level of privacy and security.

Pro Tip 4: Get your global privacy priorities in order

We’ve discussed how avoiding the legal and financial consequences of non-compliance helps maintain customer trust. There are no shortcuts to doing the work to protect customer data – but it’s worth it. As our research revealed, only a minority of respondent companies are fully complying with applicable data privacy laws. It’s also interesting to see how differently regions treat data privacy. Overall, 76.7% of respondents said the EU appears more privacy-conscious than North America. Even North American respondents generally agreed with this sentiment, though it was more widespread in EMEA. The data echoed respondents’ hypothesis: more than 50% of North American respondents didn’t know which data protection laws applied to their businesses, while in EMEA that number dropped to only 12%.

The results make clear that there is quite a bit of room for improvement. The harsh reality is that, whatever the local attitudes, data privacy affects everyone equally. So, regardless of where in the world you are doing business, privacy must be a top priority.