At 4Thought Marketing, we believe companies should view privacy compliance laws and regulations not as a necessary burden, but as an opportunity to build a foundation for creating better, more profitable customer experiences built on privacy compliance. Market leaders who embrace consumer’s demand for greater control over their data can then harness this information for improved personalization and customer journeys. The first step is changing the customer’s perception that you are collecting data indiscriminately and without consent by actively presenting opportunities for customers to control their data. Tell them exactly what data you are requesting, how you will use it, and then deliver a great customer experience. Your reward will be better engaged and loyal customers.

Why Privacy Compliance Matters for Your Business

The Marketing Opportunity

In the new experience economy, customers spend a lot of time researching their options before ever providing any personal information. In many cases, 70% of the sales cycle is complete before engaging with sales. That moment can make or break your ability to capture a lead and move forward. And customers DO care about data privacy. If you carefully apply the value of privacy compliance requirements to the experience and position the appropriate disclosures as valuable to the customer, there should be less friction when asking for information.

Global Business Reality

In 2018, the General Data Protection Regulation forever changed expectations for privacy and marketing.

The rise of e-commerce, global shipping, and digital products means you probably have customers or prospects around the world. To serve those, you must understand the privacy compliance laws wherever you do business. Your competitors understand this and are likely already working on how they will address the situation. And if you do not take action yourself, they will exploit the opportunity. If you do not adhere to privacy compliance laws, you will be left behind.

Other Jurisdictions Are Already Here

Following Europe, other countries are following suit. In the United States, the California Consumer Privacy Act (CCPA) became law in 2020. It also sparked conversations about the need for a national standard. While there appears to be progress towards the creation of federal privacy law, there remains much work to do. One thing is evident; there will be more countries adding or update their rules and regulations, not less.

The Potential for Fines

For those who fail to act, the fines imposed recently should be a wakeup call. A higher bar for privacy and data protection expectations greet marketers, and they must understand and become compliant. News articles speaking to recent fines are all around us, and monetary fine tracking websites pop up every month.

In our view, companies must understand the regulations and work to achieve compliance regardless of where you do business. Even if you don’t believe you must make changes immediately, you will likely need to in the future.

Think Beyond Email Addresses

The focus on privacy compliance with email marketing is understandable. As Medium reported, using personalization techniques in email marketing often leads to higher revenues. Email remains an effective marketing tactic. According to Campaign Monitor in their State of Email Marketing Infographic, 89% of businesses still consider their email marketing strategy as successful. It is no surprise that many marketers immediately think about email marketing when privacy compliance comes up.

However, equating “privacy compliance” with “email marketing” is thinking too narrowly. You need to look more broadly at your marketing systems and other places that may be relevant to regulations.

Here are some of the other areas beyond email that may be impacted by privacy compliance regulations:

• Customer data in your CRM. CRM data may include information manually input by your sales force or entered automatically through integration.
• Live events and webinars. If you run webinars and live events, you are certainly collecting information on individuals. Did they attend or not, and for how long? You may also collect data on questions asked at events.
• Traditional marketing data. Does your company use direct mail, postcards, and other media for marketing? If so, that data may be in scope for privacy compliance.

Marketing Should Be Leaders with Privacy Compliance

Many believe that the legal department, or perhaps the risk, compliance, and security team, should lead privacy compliance programs. Each plays an essential role in defining and implementing a privacy compliance program. However, their focus tends to be an internal, narrow focus on risk mitigation. Marketing, on the other hand, is focused almost exclusively externally on the customer. As a result, marketing should take a leadership role.

No organization spends more time obsessing over the customer’s perception of their brand. Marketing creates and manages the public face of your company. Beyond building and maintaining your company’s websites, and social media presence, they invest extensively in improving the customer experience across all channels. Savvy marketers see compliance as an opportunity to enhance the customer experience by asking the customer directly and requesting, with permission, data about their wants and preferences. By taking a privacy by design approach, actively informing and granting users control over their data, brands create more trust and confidence, and as a result, get better and more accurate data — all designed to support their marketers better.

Taking Action is the Only Option

Few people dream about diving into the details of privacy compliance laws and regulations. However, there are critical concepts that impose new expectations on marketers. Here are three we have identified as particularly noteworthy.

The Right to Be Forgotten (RTBF)

In marketing, we have operated under the assumption that you can collect and keep reams of customer data indefinitely. Indeed, relationship-based sales rely on the assumption that we can serve customers better as we learn how to understand them. However, the “RTBF” provision changes that.

A given prospect or customer may invoke the right to be forgotten to ask you to erase all information about them. To meet that requirement, you need to understand your data thoroughly. For example, can you find and delete all backups and copies to fulfill a customer’s request? Do you feel comfortable informing a customer that you have fully completed their request?

If that weren’t enough, your contacts would expect you to complete the above change within 30 days.

Right to the Restriction of Processing

Your contacts may restrict how you can process information about them. For example, we can see a situation where the prospect does not allow you to use their data to employ remarketing or retargeting techniques. How? They could tell you not to share their name and email address with third parties like Facebook.

You must be able to make adjustments to data processing at an individual contact level. Jane Smith may forbid one type of handling, whereas John Smith may forbid multiple types. If you cannot offer that level of nuance, you may face the prospect of having to make significant manual interventions.

The Right of Access by the Data Subject

The right of access requires data controllers to be ready for transparency as a baseline expectation. Customers may request a copy of their information, as well as details on how it’s used and processed. This right of access includes disclosing information about “automated decision-making,” which may include the use of AI, machine learning, and related technologies.

To respond to this expectation and others, we suggest organizations develop templates, checklists, and procedures that staff can use. Otherwise, you have an operational risk that data may be mishandled or disclosed improperly.

Importance of Internal Socialization and Coordination

What do your sales, marketing, and other people who touch customer information need to know? Vague admonishments to “be careful” or “route all questions to the in-house privacy compliance” expert is not enough.

We recommend improving your marketing and privacy program, not just to expose or highlight compliance. Make it a central theme of your customer experience. Of course, the resources you put into awareness and training will need to be calibrated based on your risk appetite.

Use the following techniques to improve privacy compliance awareness:

• Policy updates: Start by regularly reviewing and refreshing your privacy and related marketing policies to address the latest privacy compliance laws and regulations.
• Procedure updates: Tailor these updates to your staff that is most likely to need privacy compliance such as sales, marketing, and customer service. Remember that the scope of your procedures needs to go beyond email marketing.
• DSAR management: Who will be responsible for responding to DSARs? If you decide to decentralize this function (g., each sales representative responds for their clients), enterprise-level monitoring is essential to ensure consistent responses.
• Project management: Aside from small businesses with no exposure, you will probably need to organize a privacy compliance project. We suggest including a change management program as part of that activity.

As you plan your awareness activities, you might be wondering if you can demonstrate 100% compliance in every country where you do business. With changes to existing regulations and new jurisdictions coming online regularly, you’ll need to keep up to date and make regular improvements to your privacy compliance foundation.

Privacy Compliance is like a Perpetual Relay Marathon

In 2018, everyone focused on the May GDPR deadline for a good reason. Authorities would start some level of enforcement activities after that date. As a consequence, marketers assumed they must achieve compliance by the deadline.

In 2020, the CCPA became law, with enforcement starting in July 2020. And at the close of 2019, discussions about federal privacy compliance laws became part of the political dialog in the US. This pattern of meeting new requirements in multiple jurisdictions will likely accelerate, making privacy compliance a series of marathons. In the US, the CCPA 2.0 has already begun working its way through the process, with other state laws following close behind.

It comes down to the question if privacy compliance is about risk appetite and developing a plan or if it is an opportunity to both meet privacy compliance AND improve your customer experience. Imagine that an EU representative investigates your business. Will you be able to demonstrate that you have the right processes in place to achieve compliance?

Designing a privacy compliance plan needs to consider the following issues:

• Current CX maturity: As we discussed earlier, a great CX is a key to improving customer loyalty and trust. If you already plan or are currently implementing CX improvements, building it on a foundation of privacy compliance accomplishes both at the same time.
• Your available resources: As you plan your approach, what resources, including internal talent and access to qualified external consultants, do you have?
• Data audit: Conduct a data audit to understand what data and systems you have in place. We cover this topic in more detail in another section of this document.
• Risk evaluation: Based on probability and impact, evaluate the risk each data source contains. For instance, the data you have in a marketing automation platform such as Eloqua has a higher likelihood to trigger a privacy compliance issue than a handful of business cards.
• Priority-based implementation: Based on your resources and risk evaluation, develop a phased approach to implement privacy compliance.

Collecting & Using Customer Information at the Correct Time

In the past, marketers could collect information and use it over and over again in perpetuity. In digital marketing, a prospect might join an email list, or submit a form to download a white paper and then end up receiving a wide variety of unrelated marketing for months or years afterward. To achieve privacy compliance, you will need to think differently about your approach.

How do you continue to grow your business and connect with customers? Start by understanding that privacy compliance recognizes a place for ongoing communication. For example, keeping customer data to fulfill technical support requests are unlikely to be a problem.

The more significant problem lies in customer and marketing lists. What if you have an extensive email list of people who signed up to download an eBook? With new privacy and compliance regulations, it would not be wise to continuously contact them, especially regarding messages unrelated to the white paper. What’s the solution? One approach is to use content marketing techniques to connect your marketing assets and gather consent as you go.

For example:

1. A prospect joins your email list to download a white paper.
2. You can follow up to deliver the white paper and confirm they received it.
3. Within the white paper, add links and calls to action to access other resources. For example, a white paper may explore a broad issue, such as privacy compliance. Within that white paper, you can include a call to action to sign up for a related offer, such as an Eloqua focused privacy compliance cheat sheet or self-assessment resource.
4. The prospect opts in for the related asset, and now you can follow up with them on that point.

By using the above process, you can quickly show that a prospect has demonstrated an interest in finding out more and wants to hear from you.

Charting an Ongoing Course for Privacy and Compliance Updates

At this point, you have probably found more than a few holes in your privacy compliance program. What should you do next? There are two steps we recommend.

Complete A Privacy Compliance Self-Assessment

Go through each category we’ve covered today and rate your organization’s preparedness on a scale of 0 to 10, where 10 is fully compliant. If you have more than two areas with a score under five, you have a strong need for additional support. Keep in mind that authorities have a track record of imposing significant fines for privacy mistakes and violations.

Request a Consultation with 4Thought Marketing

Our privacy compliance consulting services help customers meet their regulatory obligations without sacrificing customer experience.

Depending on your needs, our experts can help define, build, and gain consensus for your privacy compliance strategy, assist with technology decisions, and manage your privacy project implementation. We’ll keep you up to date with the latest privacy laws and regulations, including the GDPR, CCPA, CASL, and more, everywhere you do business.

Get in touch with us today to schedule your consultation.