Privacy compliance in marketing used to be seen as someone else’s problem: legal, IT, operations, outside consultants, or any combination of the four, with each team playing a crucial role in ensuring that the company’s marketing activities don’t break any rules.
But those days are well and truly gone. Privacy regulations are the road rules of the Internet age, and anyone dealing with data needs to be able to read all the signs to avoid compliance collisions that can be very costly, not to mention, reputationally damaging.
Data privacy became a significant issue in the UK around the time the EU General Data Protection Regulation (GDPR) was implemented in May 2018, but due to several high-profile data breaches and increasing public awareness and unease around data misuse the issue had already been bubbling for some time. Now, it’s constantly evolving, constricting the way marketers operate by giving customers all the power.
In the US, data privacy concerns accelerated in the mid-to-late 2010s, again driven by a combination of legislative actions, high-profile data breaches, technological advancements, and increasing public awareness, and the picture continues to evolve.
In most of Europe, the ePrivacy Directive is the most important law when it comes to email marketing, and it interacts with GDPR.
You need to understand both, so let’s break them down, to make it clear what each piece of legislation covers.
- The ePrivacy Directive, as the name suggests, focuses on privacy, whereas GDPR is about data protection. While the regulations are distinct, they overlap in European law.
- Sending someone an unwanted email affects the privacy of their communications – so that falls under the ePrivacy Directive.
- By collecting, using, storing, or sharing someone’s email address, you are “processing” their “personal data”, which is regulated by GDPR.
- When using an email address, which is “personal data,” you must comply with GDPR, in addition to the ePrivacy Directive’s rules about sending marketing emails.
- Lastly, and most importantly, when we talk about compliance, we’re often talking about consent. When processing personal information, you may first need to obtain the all-clear from the individual concerned.
Consent is a complicated business, so let’s review the different types.
Explicit consent (opt-in)
GDPR requires a data subject’s consent to be “freely given, specific, informed, and an unambiguous indication of the data subject’s wishes” given via a “clear affirmative action” – so they need to know exactly what they’re agreeing to and demonstrate it. This is a strong standard of consent.
Explicit consent is when a customer has taken affirmative action by choosing to opt in to receive marketing messages from a company. This consent has no use-by date: it remains valid until the customer later opts out of receiving future communications.
Here are two examples of explicit consent.
As per GDPR:
- Unchecked opt-in box.
- The check box must not be pre-selected, or pre-ticked, as if assuming the customer wants to opt in. The box needs to be empty so users can freely choose to participate and demonstrate that intention.
- An active hyperlink to the company’s privacy policy must be visible.
- If Terms and Conditions are referenced, an active hyperlink must be provided.
- Consent can’t be bundled with opting in to a company’s T&Cs or privacy policy. Each request needs to be clear and separate.
- If a company wants to get a consumer to agree to their T&Cs, it requires a separate opt-in box.
Other examples of opt-in consent regimes include Brazil, Canada, Chile, Colombia, India, Morocco, Malaysia, South Africa, South Korea, Japan, and Taiwan.
At Pipeline360, all countries outside the US are treated as opt-in.
Opt-out consent in the United States
Unlike the UK, where the customer has all the power and must clearly and actively choose to participate, in the US the system works in reverse. Unless a consumer opts out, a company is free to send marketing communications to them.
Prechecked opt-out box.
The checkbox will be pre-selected or pre-ticked. The customer must uncheck the box to show they don’t want to receive marketing materials. If they don’t, that’s all the approval marketers require to proceed.
But marketers must:
- Provide an active hyperlink to their privacy policy.
- If Terms and Conditions are referenced, an active hyperlink must be provided.
- Consent can’t be bundled with opting in to a company’s terms and conditions or its privacy policy. If a company wants a consumer to agree to its T&Cs, a separate opt-out box specific to that request is required.
- In the example above, a consumer’s affirmative action to opt-out or “unsubscribe” would be to uncheck the checked box, “Email me about Rollbacks, special pricing, hot new items, gift ideas and more.”
Future privacy developments
The ePrivacy Regulation is intended to replace the ePrivacy Directive but is still under discussion. It aims to update and tighten rules around electronic communications, potentially increasing the compliance burden on marketers.
The update has faced significant delays and has yet to be finalised or implemented, despite work having been ongoing since it was first proposed in January 2017.
Given it is an EU initiative, the ePrivacy Regulation is not directly applicable to the UK since Brexit. However, before Brits voted to leave the EU, the UK was subject to the ePrivacy Directive through the Privacy and Electronic Communications Regulations (PECR), which the UK has retained post-Brexit. So, moving forward, the UK may opt to align with some aspects of the new legislation; for now, it is a case of wait and see.
Then, there’s GDPR. Until a General Election was called in May, the UK seemed set to usher in a new framework, the Data Protection and Digital Information (DPDI) Bill, as the government sought to simplify the UK’s data protection rules and reduce the compliance burden of GDPR, a European Union regulation no longer applicable post-Brexit. It was hoped the DPDI could pass before Parliament dissolved, but that never happened.
However, during the King’s Speech in July, the UK’s new Prime Minister, Keir Starmer, announced the latest iteration of DPDI: the Digital Information and Smart Data (DISD) Bill. While not much is known about it, the Government has indicated that it may incorporate several elements from its predecessor. Again, the compliance climate remains fluid, and marketers need to stay informed to ensure they continue to use the right tactics and don’t fall foul of the law.
Compliance isn’t a choice, nor is it something that you can ignore, hoping someone else on the team will catch it. But by taking ownership at an individual level, it can be easily managed, keeping customers happy and informed, and helping teams build lasting relationships through trust and transparency.
At Pipeline360, we take compliance seriously because we know that data privacy and protection aren’t just legal obligations: they’re the foundation of trust in the digital age. With our deep investment in technology and a dedicated team focused on privacy and data security, we’re uniquely positioned to guide you through the complexities of GDPR, the ePrivacy Directive, and beyond. Our commitment to rigorous compliance standards and our proactive approach to evolving regulations mean we’re not just navigating this landscape; we’re helping shape it. Read our President Tony Uphoff’s open letter to the industry.