An Email Marketers’ Guide to Consumer Privacy Changes

The email industry largely represented a lawless Wild West for many years, with senders calling the shots. But an increase in both the availability and use of personal data combined with a rising number of data breaches have ushered in a new era of regulation driven by consumer privacy rights.

Between 2000 and 2017 there were two primary email regulations: Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) and Canada’s Anti-Spam Law (CASL). Details on each include:

  • CAN-SPAM. Went into effect in December 2003, creating the U.S.’s first national compliance standards for sending commercial email. CAN-SPAM established rules for unsubscribe, content and sending behaviors, and outlined penalties for violators of the law.
  • CASL. This became effective in July 2014 and applies to any commercial electronic message sent from or to computers and devices in Canada. It requires recipients’ express consent for all non-exempt emails with criminal and civil penalties for those not in compliance.

Then, in 2018, data breeches abruptly shifted consumer attention to the lack of transparency for how personal data might be captured, stored, and used. Not only did Facebook confirm hackers stole highly sensitive data from 29 million customers, several other brands were also hacked during the year, including: Marriott Hotels; MyFitnessPal; Google+; Ticketfly; Cathay Pacific; T-Mobile; Orbitz and British Airways. As a result, consumers’ trust of brands using their data changed, as did their willingness to provide personal information to brands.

Amid a year filled with data breaches, new legislation was rolled out to address the growing importance of data security. In May 2018,  the General Data Protection Regulation (GDPR) went into effect. GDPR applies to all companies processing the personal data of people residing in the European Economic Area (EEA), regardless of a company’s location. With GDPR, companies are accountable for their collecting and handling of people’s personal information, while individuals are granted more power to access and control information held about them. When it comes to email opt-in, GDPR requires that brands collect affirmative consent that is “freely given, specific, informed, and unambiguous” to be compliant.

Other countries around the world took notice and drafted their own versions of privacy legislation on the heels of GDPR, including the Australian Privacy Act Amendments; Chinese Draft Regulations on the Classified Protection of Cybersecurity; and Brazilian General Data Protection Law, scheduled to go into effect February 15, 2020.

In the U.S., bills and bill drafts related to consumer data privacy have been introduced or filed in at least 25 states and Puerto Rico within the past year. America’s first privacy law, the California Consumer Privacy Act (CCPA) is scheduled to go into effect January 1, 2020. CCPA will allow consumers to force companies to disclose what personal information they have collected and provide consumers with the right to force companies to delete that data and refuse its sharing with third parties. Companies will also need to provide up front disclosure about what data they collect. While CCPA is a state law, it covers out-of-state merchants who sell to Californians or display a website in the state.

Marketing in the Age of Consumer Privacy

For marketers, the rising tide of consumer privacy legislation has clearly changed the rules of the game. These changes come at a time when the availability and use of consumer data has already increased consumers’ expectations about their customer experiences. A survey by data company YouGov found that 47 percent of consumers had higher expectations about their customer experience as a direct result of sharing personal information with companies.

Consequently, consumer preferences and privacy have a significant financial impact on email program success; and therefore, play an increasing role in email program strategy.

According to email marketing platform provider Campaign Monitor:

  • Research shows average email open and click through rates are 10x higher when sending to people who granted permission to email them.
  • Permission-based email lists have a 40 percent higher ROI than purchased than purchased email lists.
  • Campaigns sent to subscribers who haven’t given permission see 10x the number of spam complaints.
  • When mailbox providers such as Gmail, Outlook and Yahoo notice subscribers are not opening or clicking your emails, or are marking them as spam, they will start delivering your messages to the spam folder.

If you haven’t already established a plan to be regulation-ready, now is the time. Here are three key features that every plan should include:

  • Data strategy. Consumer’s willingness to share information and tolerance for data collection hinges on the ability of brands to deliver on their personalization promises. Marketers need to carefully consider the value and use of any consumer data before asking for permission to capture and store that data. Any data captured should be used to create timely, relevant, individualized customer experiences.
  • Transparency and clarity. To build consumer trust you must provide clear, easy-to-understand privacy policies; communicate privacy policy changes; and respect consumers’ rights to access and control their information.
  • Legal review. Due to variances in laws by state and country, businesses may have to implement multiple layers of protection in privacy policies. This is especially applicable for consumers in different states, even when data practices are the same nationally.

In the new era of consumer privacy legislation, it is critical to gain subscribers’ trust by demonstrating your ability to protect their data. By planning ahead, marketers will be prepared to use that data to provide highly relevant, individualized experiences.

Disclaimer: Nothing in this post should be considered legal advice. Marketers should work closely with their company’s privacy and legal teams for insights and direction about legislation compliance.

This post originally appeared on MarTech Cube

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time