Privacy and Marketing – How to do marketing under the GDPR?


Did you know that 73% of marketers fear that privacy concerns will negatively impact their analytics efforts? The marketers’ goal is to know everything about their prospects – what they like, what they need, and even when they are likely to shop (aka “profiling”). Therefore, privacy laws and regulations that limit the possible use and collection of personal data hurt the marketing industry. But do they have to?

There are still ways to process personal data for marketing purposes properly and lawfully, without violating anyone’s right to privacy and without exposing yourself (or your company) to privacy fines.

These guidelines will focus on what you CAN do as a marketer under most privacy regulations:

What type of data are you processing? 

  • Business / Work-related personal data – Phone/email (business extension / work email), Industry, Organization, Role, Office location
  • Private/Individual personal data – Phone/email (mobile number / personal email address)
  • Technical data – IP address, engagement, viewability, device and system specs, and other information typically collected by cookies and other tracking technologies
  • Combined data – Some activities might use more than one type of data (we use our private email address for our LinkedIn account, but we will be targeted based on our organization, industry, and role, or based on our activity with our company email – the combination will be done with the help of cookies or other technical data)

In most cases, depending on your data subject and business type (B2C / B2B) you will collect prospects’ email addresses and full names.

Privacy consideration upon collection: 

Make sure to minimize – Under the GDPR, there is a principle called “minimization,” which means collecting only the data you need. There is no justification to collect gender or sex when doing email marketing.

Location, location, location – It’s essential to know the relevant privacy rules in the jurisdiction your prospects are in.

Privacy laws differ between jurisdictions – It’s important to keep an eye on recent legislation, not only for the jurisdiction you are currently in but also, and more importantly, for the jurisdiction your prospects are in. For example, each time you market and offer your service to EU citizens, it should comply with the GDPR.

Most EU countries have marketing-specific guidelines that specify when you need an opt-out, an opt-in, or even a double opt-in, as in Germany.

Keep your finger on the pulse when it comes to privacy regulation, and you’ll be able to adapt your marketing methodologies accordingly.

How is the data collection made?

You can collect leads in various ways – from LinkedIn, web forms, etc. Make sure you obtain your leads only from approved and legitimate sources. It is recommended to collect directly from prospects and not through third parties. This way, you can ensure that they gave their explicit consent for receiving marketing materials from you.

If you collect personal data through your website, specify the collection methods and uses in your privacy policy.

If you decide to use lead enrichment tools or data brokers, you should be familiar with the risks – see Privacy & Lead enrichment tools. In short, there is no way to know whether the leads you got gave their consent to receive marketing materials from you. If they didn’t, you are fully exposed to GDPR fines that can end up being 20 million Euros or 4% of your total turnover. And no – data brokers won’t take the fall for you.

Marketing activities that generate leads include:

  • Direct marketing – Direct marketing can be utilized in multiple ways, such as Newsletters, “Celebratory” emails, and Automated/engagement emails (using tools such as Mailchimp, Marketo, etc.)
  • Social media marketing – Marketing activity on social media platforms (Facebook, Twitter, YouTube, etc.).
  • Analytics tools – Services that enable visitor and user tracking (journey and interaction with the website / online assets), measurement & optimization of marketing performance.
  • Cookies – For marketing purposes, cookies are typically used to provide information for advertising partners or to collect data that the company will then use for its marketing activities (SEO / PPC / social / targeting / conversions).
  • Events and webinars – Host, sponsor or organize an event and ask participants for contact information (directly or via a sponsored company)

Marketing privacy requirements – Opt-in / Soft opt-in / Double opt-in / Opt-out?

As I mentioned above, privacy regulations differ between countries. While in some countries, you only need to offer a way to opt out from marketing materials, in others, you may need explicit consent to even send the first email to your prospects.

There are four types of consent: 

  • “Opt-in”: Clear and explicit consent from prospects for receiving marketing materials
  • “Soft Opt-in”: In some countries, you can interpret a former relationship with a prospect such as a purchase or inquiry as “implied consent.” Keep in mind that there is a time limit of 6 months from the last purchase in some countries, such as Canada.
  • “Double opt-in”: This means that when a user signs up for an email marketing list, an email is sent out to the user, which includes a link to click and confirm the subscription (as required in Germany)
  • “Opt-out”: You can send marketing materials to anyone, as long as they didn’t opt out. Keep in mind that you ALWAYS have to include a way to opt out of receiving marketing materials. This method currently exists in the USA.

*Pre-ticked opt-in boxes are banned under the GDPR. You also cannot rely on silence, inactivity, default settings, or your general terms and conditions or seek to take advantage of inertia, inattention, or default bias in any other way.

Summary and tips

There are a few things you need to keep in mind when you are engaging in marketing activities and handling personal data of customers or prospects:

  • Collect data responsibly – make sure that you have the proper consent and opt-in and opt-out mechanisms and are transparent about using tracking tools.
  • Be clever with how you reach audiences – don’t surprise them. Check out your website (or other places where you collect contact details) and make sure that a link (and, where needed – a checkbox) to your privacy policy is shown in all relevant places. 
  • Hire and educate for privacy – privacy starts with proper training. If an employee of yours violates privacy regulations, you are at risk of being fined. Make sure your employees and marketers are familiar with the relevant privacy and spam regulations and the requirements of each country they are marketing to.

Not so bad, huh? Privacy isn’t necessarily here to hurt digital marketing. You can still do efficient marketing and find relevant prospects while respecting their right to privacy (and avoiding massive fines).
