Global Compliance Regulations: What They Mean for Your Organization

 In Best Practices, Marketing Automation, Marketing Operations

It’s 2020, and if your head is spinning due to the rapidly changing environment, you’re not alone. Something else has our head spinning too: all the compliance regulations that marketers need to know and how to comply with them. And we’re not the only ones with our finger on the pulse of regulations. According to the recently released 2020 Marketing Technology Landscape, “Data is by far the fastest growing category, up 25.5%.” The biggest subcategory here, Governance, Compliance, and Privacy, is up a whopping 68% since 2019.

Marketing will need to work closely with the Legal Team to craft compliance stipulations for your organization and implement those policies to evaluate risk and maintain compliance. To help drive conversations internally and keep you informed on compliance regulations, here’s a short list of legislation regarding marketing compliance and privacy policy from across the globe to be aware of.

CAN-SPAM

The CAN-SPAM Act is a set of regulations that applies to the United States that covers all commercial messages, including bulk email. Here are some of the main requirements:

  • It requires all commercial electronic messages (CEMs) to include an unsubscribe mechanism, or other appropriate opt-out requests.
  • You are also unable to use false, misleading, or deceptive header information or subject lines in your CEMs. Messages should accurately identify the person or business that sent it.
  • CEMs require a valid physical postal address.

We would recommend that unless other countries or states have specific compliance or privacy acts, use CAN-SPAM as the baseline for global communications. Of course, your organization may choose to adopt more stringent standards globally based on legal counsel. For more about the CAN-SPAM Act and how it affects you or your business, click here.

GDPR

The General Data Protection Regulation (GDPR) are regulations that apply to countries in the EU. Its regulations include:

  • All CEMs require an unsubscribe mechanism.
  • Processing personal data is prohibited unless that person or organization gives explicit consent to do so.
  • The Right to be Forgotten – This allows individuals to have personal information erased upon request, however this only applies to specific instances.
  • End User Control – Customers and prospects can decide what happens to their data. This allows individuals to “own” their personal data and decide how it is being used.
  • Accuracy and Security – Personal data must be up-to-date and accurate and kept for no longer than necessary. If stored personal information is inaccurate (i.e. incorrect or misleading), it must be rectified or erased completely.
  • Also note that countries may have their own compliance requirements. For example, Germany has a requirement for a double opt-in, which includes the individual confirming an opt-in for their data to be used, and then sending an email to confirm their opt-in again, to show that they are indeed the owner of their email address.

We recommend that all forms should always capture country and explicit consent. Also note:

  • If a customer hasn’t explicitly opted in but aren’t unsubscribed, they are designated “Implied Opt-In” because of legitimate interest and you may send the CEM with the option to opt-out
  • If a lead hasn’t explicitly opted in but aren’t unsubscribed, they are designated as “Implied Opt-Out” and you may not send them CEMs

To learn about more details of GDPR, click here.

CASL

Canada’s Anti-Spam Law (CASL) applies to residents and people working in Canada.  Like CAN-SPAM and GDPR, CASL also requires an unsubscribe mechanism. It also requires a physical mailing address and explicit consent to send CEMs, however implied consent will allow organizations to send CEMs based on the Implied Consent criteria:

  • Existing customers
  • Customers with the last purchase date of the past 24 months
  • They have made an inquiry in the past six months.

We would recommend that all forms should have an explicit opt-in checkbox for anyone residing or working in Canada to provide explicit consent for CEM. The compliance program in your Marketing Automation Platform (MAP) should also manage Implied Consent (per CASL), and include Implied Consent sunsetting that removes their Implied Consent status:

  • 24 months + 1 day from their last purchase or
  • 6 months + 1 day from the date of their last inquiry

For more details about CASL, click here.

Australia Privacy & Compliance

The Australian Privacy Act requires an organization to have an open and transparent privacy policy regarding how they use personal information. It also requires that organizations are compliant with CAN-SPAM, in that they must obtain expressed consent, and will allow organizations to send CEMs based on implied criteria:

  • The user is a current customer
  • The message is related to a product or service that has already been purchased by the individual.

All CEMs require an unsubscribe mechanism, and they must also include a sender name and physical mailing address. Also note that address-harvesting software cannot be used (i.e. email mining).

We recommend that all forms should have an explicit opt-in checkbox for anyone residing or working in Australia to provide explicit consent for CEMs (similar to GDPR). The compliance program in your MAP should also manage Implied Consent for customers and individuals of organizations that are current and past clients. Implied consent dates and reasons should also be recorded (similar to CASL implied consent).

To learn more about Australia’s Privacy and Compliance, click here.

CCPA

The California Consumer Privacy Act (CCPA) applies to residents of California and is enforceable starting July 1, 2020. Organizations must follow CCPA requirements if:

  • The business generates an annual gross revenue in excess of $25M, or
  • The business receives or shares personal information of more than 50,000 California residents annually, or
  • The business derives at least 50% of its annual revenue by selling he personal information of California residents

The CCPA also requires that consumers must be able to opt out of having their personal information sold to a third party. Consumers under the age of 16 must affirmatively opt-in. Consent must be given from a parent or guardian for a child under the age of 13. Consumers must also be able to request that organizations delete their personal information.

We would recommend collecting “State” information on all forms when The United States is selected as the country. If California is chosen on a form, display the privacy policy and the option to indicate if the user wants their information deleted.

Include a checkbox indicating the person is over the age of 16 and they consent to having their personal information stored. Your website should also be updated to include a banner notifying users of their rights (specifically targeting users in California).

We also recommend putting a system in place to alert consumers of a proposed sale of their data, including information on the purchasing company. And, have a way of recognizing when a person is requesting their data to be deleted and a process in place for deletion.

For more details about the CCPA, click here.

Nevada Bill 220

Nevada’s Senate Bill 220 (NV SB220) applies to residents of Nevada, and has been in effect since October of 2019. Organizations must follow its requirements if they collect and maintain “Covered Information,” which includes:

  • First and last name
  • Physical address
  • Email address
  • Phone number
  • Social Security Number
  • In-person or online contact information

The bill states that consumers must be able to request that the organization not sell their personal information, or opt out. This request can be provided via email, phone, or a link on an organization’s website.

We would recommend that after collecting State information on all forms, and if Nevada is chosen on a form, your organization should display the privacy policy and the option to indicate if the user does not want their data sold. If a user does decide to opt out, timestamp their request.

Also for users in Nevada, update your privacy policy and include a banner on your website notifying users of their rights.

To learn more about NV SB220, click here.

LGPD

Brazil’s Lei Geral de Proteção de Dados (LGPD) is a set of regulations on the horizon. It was signed into law in August of 2018, but will be put into effect in August 2020. The LGPD applies to all companies offering services or have operations involving data handling in Brazil, and requires users’ expressed explicit consent for data processing and appointing of a Data Protection Officer.

For more information on the LGPD, click here.

Parting Wisdom

Regardless of industry or target audience, the security of your users’ information is paramount. As a marketer, it is important to adhere to your legal obligations and mitigate any risks in partnership with your legal team. But also remember – personalized, valuable and timely content to keep your audience engaged and opted in will also benefit the organization more holistically (think deliverability, engagement metrics, and more) and improve the buying journey for your end users. It’s a win-win!

I hope this was helpful. And as always, feel free to contact me if you have any questions.

Recommended Posts