US data privacy laws 101 - everything you need to know
Let’s explore the topic in marketer-friendly terms so you can be confident in your understanding of these laws.

Data privacy laws can be confusing. But the impact of getting them wrong can be huge. In this guide, we explore the current laws and highlight the changes that are soon to be in place. We’ve presented the essential information in marketer-friendly terms to add clarity around all the data privacy changes on the horizon and how best to prepare.
Now, we’re not lawyers, so this guide doesn’t constitute legal advice, but we have been in the business of getting emails successfully into customers’ inboxes for over 25 years, and we have a whole team of deliverability and messaging experts in-house helping us do that in the most responsible way. So we’re pretty confident in sharing these key points with you.
Data privacy laws can have a big impact on how you approach certain marketing initiatives, but that doesn’t mean there will be a negative impact on your results. In fact, these regulations can actually improve your email marketing success. The laws have been created to protect and please consumers, and will help your marketing do the same.
California was the first state to implement a data privacy act in 2020, and other states are now catching up. In the space of five years, 20 new data privacy laws have come into effect, with eight more introduced or in committee approval stages. That’s over half the states in the USA introducing their own variation of a data privacy law. This is a lot to follow, so we’re going to make it as simple as possible. Let’s start with a timeline that shows the status quo:
All of the US data privacy acts aim to give everyone control over their personal data, by introducing a requirement for transparency and accountability from organizations handling that data.
Under these laws, when a data subject (someone the business holds personal data on) requests access to their own personal data, the business needs to provide it. Having a clear and comprehensive customer data system makes it easier for you to prepare for these types of requests.
The types of data requests you might get from a customer include:
Customers having a right to their own data is something we can’t see going away. And rightly so. While it can sound like a huge task to manage such a wide range of specific data needs, if data privacy best practice is followed, these requests should be fairly simple and straightforward.
The new and existing laws can benefit your marketing. By adopting best practices and ensuring compliance, you increase trust with your most data-conscious customers.
Strong data privacy practices will result in more effective marketing and reduce the time you spend dealing with legal issues. Let’s look at some best practices that can be easily adopted right away.
Marketing best practice moves faster than the process of creating new data legislation, so keeping up with the expectations and comfort levels of your audience is a proactive way to stay ahead of regulations. The most basic requirements most customers have (and deserve) when it comes to looking after their data are captured here:
Obtain explicit consent: Always seek clear and explicit consent from customers before collecting their data. Even better, explain why you want those specific details and what they can expect back in return (e.g. location data to show them relevant in-store events). This builds trust and ensures compliance with regulations.
Limit data collection: Only gather data that is necessary for your marketing activities. This minimizes risk, simplifies data management, and shows your customers that you respect their data by only asking for what you really need, and what you can realistically use to benefit them.
Implement strong data security measures: Strengthen the data you collect by requiring a double opt-in (where a trigger email or communication is sent to the customer to confirm the data has been shared intentionally and accurately). This ensures complete consent within your marketing lists and protects your database from bots.
Use accredited and privacy-first tools: Choose marketing technology that supports you in meeting privacy laws and makes it easy to uphold high standards across your marketing activity.
Alongside the change in data privacy laws, there is increasing conversation around ‘dark patterns’. A dark pattern is any technique that tries to manipulate people into doing something that they wouldn’t otherwise do.
Examples of dark pattern marketing include:
Remember: Just because something is a common technique in your industry doesn’t make it okay – if it’s a dark pattern, you could be penalized.
This guide is here to help you navigate the implementation of data privacy laws, but as we’ve already said, we’re not lawyers, so before implementing or removing any complex data regulations it’s always worth chatting to your legal team.
Data privacy is an important issue, and it’s something marketers need to work with legal departments on. The rules vary from state to state, so take the time to get some advice from an expert on your local laws. They can guide you through the specifics for your business.
Data is a huge part of successful marketing, but the responsibility for ensuring overall data compliance needs to sit at an organizational level. Collaborate with all teams that handle data, whether that’s an actual data team, your developers, your sales teams, customer success, or even your vendors’ solutions architects, to understand exactly how the data is being handled at every stage. This is also a great way to identify any additional integrations, tools or solutions that could help you improve the customer journey and the level of care being applied to the personal data you’ve been trusted with.
Having supported our UK and European customers when GDPR was introduced, we’re in a great place to help our US customers adapt to the changing legal landscape. We’re ISO 27001 certified in Information Security Management Systems, so you can trust us to do our part when it comes to managing your data safely and securely. We’re really proud of that.