Data Privacy

Privacy, Please! A Look at 2023’s Developments in Email Privacy—and What’s Ahead in 2024


 Disclaimer: The information provided in this blog does not, and is not intended to, constitute legal advice. All content is for general informational purposes only. Readers should follow up with their own legal and privacy teams for the most up-to-date information. 

Just a few decades ago, legislation pertaining to sending commercial email and protecting consumer data privacy was scarce. Since the days of the email Wild West, governing bodies across the globe have enacted laws that may dictate various conditions for marketers to consider when sending email. 

Governments are cracking down on consumer privacy and major players in the email ecosystem are tightening their policies—motivated at least in part by growing consumer wariness about how their personal data is used and by whom.   

To keep subscribers loyal, marketers must keep up with the ever-evolving laws and consumer sentiments in the email ecosystem. Nowadays, the collaboration between marketers, privacy teams, and legal experts is more critical than ever. Given the vast number of laws, regulations, and policies email marketers must now adhere to—especially for global senders—this collaboration should be a top priority.

Let’s take a look at the state of the privacy landscape in 2023 and explore what’s ahead in 2024. 

What happened in 2023?

Governments and private companies alike made moves toward stricter data privacy policies throughout 2023. Twelve US states signed new privacy laws in 2023. The introduction of new stateside privacy laws such as the Colorado Privacy Act (CPA) and the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) shows that lawmakers are making a commitment to protect the privacy of their citizens.

 But although there are several federal-level privacy bills in the works, the United States doesn’t yet have a singular federal law that governs the privacy of all types of personal data.  

In the private sector, Apple has made yet another strong move toward enhancing consumer privacy with the release of iOS 17 and Link Tracking Protection (LTP).  

So, what lies behind the introduction of these privacy protections? The answer is layered.  

First, threats to consumer data are constantly evolving and increasing. Nefarious actors and scammers continue to find new ways to prey upon individuals and businesses through data hacks, phishing scams, increased unsolicited email messages, and the dubious sharing and selling of consumer data. New legislation is attempting to keep up with that and protect consumers. To do their part, email marketers need to continue to follow best practices and consult with their legal counsel to ensure they comply with the laws.  

Second, consumers are becoming increasingly aware of how their personal data is being used and shared. Especially after the introduction of the EU’s General Data Protection Regulation (GDPR), citizens around the globe want greater control over how companies leverage their data. This shift in attitudes may suggest that consumers are now demanding more transparency from the brands they interact with, and support from their governments in ensuring their privacy is respected.  

Governments and businesses are playing a game of catch-up as they actively try to close loopholes that leave consumer data vulnerable to all sorts of bad actors.  

What changes to email and privacy can email marketers expect in 2024?

1. Legislation on Artificial Intelligence (AI)  

Artificial Intelligence (AI) became an email marketing buzzword throughout 2023, and for good reason. The proliferation of countless AI algorithms and tools that assist in email marketing communications is ongoing. However, consumers need only look at everyday technologies like Siri and Google Maps to know that AI is already all around us. While AI might be a part of our everyday lives, legislation governing its use is not.  

While some countries and regions have already drafted a broad AI legislation framework, such as the EU’s Artificial Intelligence Act (AIA) and Canada’s Artificial Intelligence and Data Act (AIDA), there is very little governance on AI in the United States as of 2023.  

While government agencies like the Federal Trade Commission (FTC) have issued guidance on potentially deceptive claims of AI-powered services, and other agencies have developed a framework for using AI responsibly, the US awaits formal legislation definitively outlining the do’s and don’ts of AI.  

It may come sooner rather than later. Ten states have laws going into effect in 2023 which include AI regulations—and several states have proposed task forces to investigate AI. Several additional states have proposed bills in the current legislative session. 

Most recently, President Biden issued an Executive Order on safe, secure artificial intelligence.   

One objective of the new Executive Order is to protect Americans’ privacy by establishing new standards for AI safety and security. 

Among other sweeping changes, the Executive Order will: 

  • Protect Americans from AI-enabled fraud and deception by establishing standards and best practices for detecting AI-generated content and authenticating official content
  • Evaluate how agencies collect and use commercially available information—including information they procure from data brokers—and strengthen privacy guidance for federal agencies to account for AI risks
  • Strengthen privacy-preserving research and technologies, such as cryptographic tools that preserve individuals’ privacy, by funding a Research Coordination Network to advance rapid breakthroughs and development

2. Gmail and Yahoo’s new 2024 requirements 

Because the wheels of justice can move slowly, private companies began to introduce their own strict rules and regulations to protect their subscribers’ mailboxes in 2023. Recently, Google and Yahoo announced new requirements that will be enforced starting in February 2024.

According to Google’s Sender Guidelines and Yahoo’s Sender Best Practices, senders will be required to: 

  • Set up SPF and DKIM email authentication 
  • Implement DMARC email authentication for their sending domain 
  • Ensure DMARC alignment by ensuring the domain in the sender’s From: header is aligned with the SPF or DKIM domain 
  • Implement one-click unsubscribe and include a visible unsubscribe link in the message body. Unsubscribe requests must be processed within two days. 
  • Keep spam reports below a certain threshold (specifically 0.30 percent for Gmail) 
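As an added illustration (not code from this blog, Google, or Yahoo), the following Python sketch checks a test message received at a seed mailbox for two of the items above: DMARC alignment and one-click unsubscribe. It assumes the receiver recorded its results in an `Authentication-Results` header (RFC 8601) and that one-click unsubscribe uses the RFC 8058 headers; the sample message, its domains, and the function names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message as received at a test mailbox (all domains are examples).
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mail.example.com;
 dkim=pass header.d=esp-vendor.example;
 dmarc=pass header.from=example.com
From: Shop News <news@example.com>
List-Unsubscribe: <https://example.com/u/abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: Weekly deals

Hello
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Unfold and join every Authentication-Results header the receiver added.
    ar = " ".join(" ".join(v.split()) for v in msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", ar, re.I)
    dkim = re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", ar, re.I)
    # smtp.mailfrom may be a full address; keep only the domain part.
    spf_dom = spf.group(1).rpartition("@")[2] if spf else None
    aligned = lambda d: bool(d) and org_domain(d) == org_domain(from_dom)
    unsub = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "").replace(" ", "").lower()
    return {
        "from_domain": from_dom,
        "spf_aligned": aligned(spf_dom),
        "dkim_aligned": any(aligned(d) for d in dkim),
        "dmarc_aligned": aligned(spf_dom) or any(aligned(d) for d in dkim),
        # RFC 8058 one-click needs an HTTPS URI plus the List-Unsubscribe-Post header.
        "one_click_unsub": "<https://" in unsub.lower()
                           and post == "list-unsubscribe=one-click",
    }

if __name__ == "__main__":
    for name, ok in check_message(SAMPLE).items():
        print(f"{name}: {ok}")
```

In the sample, DKIM passes but is signed by the vendor's domain, so alignment is satisfied only through SPF; the check reports that distinction rather than a single pass/fail.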

Ultimately, these new requirements aim to keep their users safer as scammers and spammers find new and innovative ways to infiltrate mailboxes.

3. Google and third-party cookies in 2024 

Though this point may feel like déjà vu for many marketers, Google will begin phasing out third-party cookies for one percent of users starting in Q1 of 2024. Third-party cookies are set by a website other than the one currently being browsed.  

The move to phase out third-party cookies is undoubtedly a move toward more thorough privacy protections because it prevents data sharing between companies that consumers may not be aware of, and aligns more closely with evolving legislation.  

4. New and evolving privacy laws 

Next year promises to introduce many new state laws on data privacy. Montana’s Consumer Data Privacy Act (MTCDPA), Oregon’s Consumer Privacy Act (OCPA), and the Data Privacy and Security Act (TDPSA) in Texas have all been passed into law and will all come into effect in 2024.  

In Europe, the European Commission’s proposal for more regulation on e-privacy aims at reinforcing trust and security in the digital world. 

Undoubtedly, we’ll see additional global privacy amendments and laws come into play in 2024 and beyond. 

What should marketers do next?

Despite the vast number of data privacy and anti-spam laws across the globe, marketers must still work with their privacy and legal advisors to stay up to date on what’s changing, and how they must comply.  

As a best practice, marketers should also remember to: 

  • Keep in close contact with your legal and privacy teams for ongoing process reviews
  • Get familiar with GDPR, CAN-SPAM, and any other regionally relevant laws and regulations

In the United States specifically, marketers should, at least: 

  • Only send emails to permission-based lists (and reconfirm subscriber interest where necessary) 
  • Include clear information in your message headers—header information cannot be misleading
  • Include a valid postal address in your communications
  • Offer a functioning one-click unsubscribe mechanism in promotional emails (and honor unsubscribe requests quickly)
  • Make it clear that your email is an advertisement

(Note: This is not an exhaustive list.) 

For more information…

For an in-depth look at the new sender requirements from Gmail and Yahoo, check out our latest episode of State of Email Live, featuring Yahoo’s Marcel Becker. He’ll cover why Yahoo is making these changes and the impact for email marketers.


Content may not constitute the most up-to-date legal or other information. This blog contains links to other third-party websites. Such links are only for the convenience of the reader; Validity does not recommend or endorse the contents of the third-party sites. 

Readers of this blog should contact their attorney to obtain advice with respect to any particular legal matter. No reader of this blog should act or refrain from acting on the basis of information in this blog without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein—and your interpretation of it—is applicable or appropriate to your particular situation. Use of, and access to, this blog or any of the links or resources contained within the blog do not create an attorney-client relationship between the reader and blog authors or contributors.  

The views expressed through this blog are those of the individual author writing in their individual capacities only—not those of Validity. All liability with respect to actions taken or not taken based on the contents of this blog is hereby expressly disclaimed. The content in this blog is provided “as is;” no representations are made that the content is error-free.