The email industry largely represented a lawless Wild West for many years, with senders calling the shots. But an increase in both the availability and use of personal data combined with a rising number of data breaches have ushered in a new era of regulation driven by consumer privacy rights.
Between 2000 and 2017 there were two primary email regulations: Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) and Canada’s Anti-Spam Law (CASL). Details on each include:
- CAN-SPAM. Went into effect in December 2003, creating the U.S.’s first national compliance standards for sending commercial email. CAN-SPAM established rules for unsubscribe, content and sending behaviors, and outlined penalties for violators of the law.
- CASL. This became effective in July 2014 and applies to any commercial electronic message sent from or to computers and devices in Canada. It requires recipients’ express consent for all non-exempt emails with criminal and civil penalties for those not in compliance.
Then, in 2018, data breeches abruptly shifted consumer attention to the lack of transparency for how personal data might be captured, stored, and used. Not only did Facebook confirm hackers stole highly sensitive data from 29 million customers, several other brands were also hacked during the year, including: Marriott Hotels; MyFitnessPal; Google+; Ticketfly; Cathay Pacific; T-Mobile; Orbitz and British Airways. As a result, consumers’ trust of brands using their data changed, as did their willingness to provide personal information to brands.
Amid a year filled with data breaches, new legislation was rolled out to address the growing importance of data security. In May 2018, the General Data Protection Regulation (GDPR) went into effect. GDPR applies to all companies processing the personal data of people residing in the European Economic Area (EEA), regardless of a company’s location. With GDPR, companies are accountable for their collecting and handling of people’s personal information, while individuals are granted more power to access and control information held about them. When it comes to email opt-in, GDPR requires that brands collect affirmative consent that is “freely given, specific, informed, and unambiguous” to be compliant.
Other countries around the world took notice and drafted their own versions of privacy legislation on the heels of GDPR, including the Australian Privacy Act Amendments; Chinese Draft Regulations on the Classified Protection of Cybersecurity; and Brazilian General Data Protection Law, scheduled to go into effect February 15, 2020.
In the U.S., bills and bill drafts related to consumer data privacy have been introduced or filed in at least 25 states and Puerto Rico within the past year. America’s first privacy law, the California Consumer Privacy Act (CCPA) is scheduled to go into effect January 1, 2020. CCPA will allow consumers to force companies to disclose what personal information they have collected and provide consumers with the right to force companies to delete that data and refuse its sharing with third parties. Companies will also need to provide up front disclosure about what data they collect. While CCPA is a state law, it covers out-of-state merchants who sell to Californians or display a website in the state.
Marketing in the Age of Consumer Privacy
For marketers, the rising tide of consumer privacy legislation has clearly changed the rules of the game. These changes come at a time when the availability and use of consumer data has already increased consumers’ expectations about their customer experiences. A recent survey by data company YouGov, found that 47 percent of consumers had higher expectations about their customer experience as a direct result of sharing personal information with companies.
Consequently, consumer preferences and privacy have a significant financial impact on email program success; and therefore, play an increasing role in email program strategy.
According to email marketing platform provider Campaign Monitor:
- Research shows average email open and click through rates are 10x higher when sending to people who granted permission to email them.
- Permission-based email lists have a 40 percent higher ROI than purchased than purchased email lists.
- Campaigns sent to subscribers who haven’t given permission see 10x the number of spam complaints.
- When mailbox providers such as Gmail, Outlook and Yahoo notice subscribers are not opening or clicking your emails, or are marking them as spam, they will start delivering your messages to the spam folder.
If you haven’t already established a plan to be regulation-ready, now is the time. Here are three key features that every plan should include:
- Data strategy. Consumer’s willingness to share information and tolerance for data collection hinges on the ability of brands to deliver on their personalization promises. Marketers need to carefully consider the value and use of any consumer data before asking for permission to capture and store that data. Any data captured should be used to create timely, relevant, individualized customer experiences.
- Legal review. Due to variances in laws by state and country, businesses may have to implement multiple layers of protection in privacy policies. This is especially applicable for consumers in different states, even when data practices are the same nationally.
In the new era of consumer privacy legislation, it is critical to gain subscribers’ trust by demonstrating your ability to protect their data. By planning ahead, marketers will be prepared to use that data to provide highly relevant, individualized experiences.
Disclaimer: Nothing in this post should be considered legal advice. Marketers should work closely with their company’s privacy and legal teams for insights and direction about legislation compliance.
This post originally appeared on MarTech Cube.