Why we care about compliance in marketing
Complying with marketing regulations is paramount, as consumers — and governments — have become more privacy-conscious.
Marketing compliance laws and regulations are nothing new. Until relatively recently, marketing regulations rarely went beyond the realms of trademark, truth in advertising and similar areas of consumer protection.
The 21st century changed much of that. Data got faster, cheaper and more voluminous. Search engines, social networks, tracking widgets and more have made it easy for even the most novice of two-bit marketing organizations to get the most direct form of customer insight — in the form of something akin to outright surveillance.
It’s not exactly a secret. One of the biggest developments to happen in the world of marketing is that the average consumer has become increasingly aware of the kind and volume of data that’s being collected, analyzed and used to market to them.
Martech bulls have clung to this realization as a justification for going further in their bids to move from buyer personas to buyer dossiers. They cite research purporting customers demand that marketers focus on personalization and seamless omnichannel experience. Marketers have entered an arms race of who can suck up and best use the most personal data.
But just as CX-focused consumers have noticed these trends, so too have the privacy-focused ones and their government representatives.
As never before, marketers need to be alert to consumer sensitivity about data and privacy issues — and need to recognize that trust is supremely important when consumers decide which brands they want to engage with.
The EU’s GDPR
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. This is in no small part the culmination of European sentiment toward data handling practices in the U.S. and general antipathy towards Big Tech. The law was notable for governing behavior that did not actually take place in the EU.
One of the fundamental premises of GDPR is that a company that controls or processes data belonging to an EU data subject is bound by GDPR and, if it violates the law, is liable for penalties, regardless of where in the world that company is located and where in the world its data collection, controlling or processing took place.
And those penalties can be steep. GDPR drastically elevated the maximum fines for which companies would be liable under prior European privacy laws. A GDPR violator may face a fine as high as €20 million (~$21.7 million) or 4% of total annual revenue globally.
GDPR was the broadest, most severe and most sweeping data protection law worldwide — at the time.
GDPR analogs
Although it’s been less than five years since GDPR was enacted, the world has become increasingly privacy-conscious. More laws and regulations, each with their own regional (and nationalist) quirks, have sprung up, including in Canada, Brazil, Indonesia and elsewhere. In the wake of Brexit, the UK ditched EU governance but kept its own version of GDPR (UK GDPR).
One of the most recent and, arguably, the most significant of major privacy laws is China’s Personal Information Protection Law (PIPL). PIPL is China’s analog of GDPR for that country’s own citizens, but stricter in some areas. For instance, the handling of “sensitive information” (i.e., categories of personal information receiving enhanced protection, including but not limited to data involving health, race, politics, religion and more) requires the data subject’s express consent — a high bar not even necessarily required in the EU under GDPR.
But what makes PIPL stand out even more from GDPR is the potential severity of the penalties. Under PIPL, grave violations may put a perpetrator in debt to the Chinese government to the tune of the greater of ¥50 million (equal to about $7.37 million) or 5% of their total global annual revenue, plus any and all “unlawful income.”
Additionally, employees and directors of the violating company may face personal liability up to ¥1 million (~$147,000), be suspended from the same kind of employment in China and/or have their social credit scores in China negatively impacted.
Meanwhile, the United States has gotten into the privacy act (so to speak). There are a few niche laws and regulations affecting privacy at the federal level in the U.S. For instance, the Children’s Online Privacy Protection Act (COPPA) impacts how companies can collect data involving or potentially involving minors, while a variety of other laws may incidentally overlap with data privacy concerns. But a U.S. version of GDPR at the federal level has yet to come into being.
Stateside, there has been more action. It all started with the California Consumer Privacy Act (CCPA), which came into effect about a month after GDPR did. The law was openly a GDPR-lite adaptation, applying not just within California but worldwide to certain businesses handling the data of California residents.
Since then, other states — Virginia, Colorado, Connecticut and Utah — have promulgated their own versions, all going into effect this year. (Virginia’s Consumer Data Protection Act (CDPA) has already gone into effect this year, as of January 1.)
Each state’s consumer privacy law is a bit different, not so much that you can’t glean the gist once you know the requirements of one of them, but more than enough if you’re a marketing, IT or compliance organization that has to stay abreast of these things.
California, too, has passed yet another privacy law, the California Privacy Rights Act (CPRA). Going into effect in July of this year, CPRA updates and amends CCPA. The amendments add and more clearly define new consumer data rights. They also establish a new state agency dedicated to handling the administrative enforcement powers of CCPA and CPRA.
And it’s all just the tip of the iceberg stateside. Other states are at various stages of developing their own respective privacy laws.
“State-level momentum for comprehensive privacy bills is at an all-time high,” reads a statement from the International Association of Privacy Professionals (IAPP). “Although many of the proposed bills will fail to become law, comparing the key provisions helps to understand how privacy is developing in the United States.”
Indeed, Virginia’s CDPA recognizes “sensitive information” and provides special protections for such information — but California’s CCPA in its original form does not. Now, California’s CPRA rectifies that, taking a cue from Virginia and providing enhanced rights for California residents related to sensitive categories of personal data.
Common privacy law provisions
Obviously, not all privacy laws and regulations are alike. Even laws and regulations that share similar provisions may differ in the bounds and mechanics of those provisions.
That said, here is a general overview of some of the rights and duties that may be found in some of these laws.
Consumer/data subject rights. An individual variously may be able to demand:
- Confirmation: …that a data handler confirm or deny whether or not it possesses/handles/processes their data.
- Access: …to their data such as a data controller may hold.
- Portability: …that a data handler disclose the data subject’s information in a common file format.
- Correction/rectification: …that a data handler correct their personal information if outdated or otherwise wrong.
- Deletion: …that a data handler delete their personal data.
- Opt-out: …that a data handler refrain from or stop processing their personal information in some way, such as selling the data subject’s data, constructing a personal profile of a data subject based on their information or making decisions about that data subject through automation (i.e., without human input).
Additionally, some data privacy laws grant a data subject or consumer a right of private action (i.e., the right to sue a data handler or other entity for violations of the given law). Notably, some data privacy laws, like Virginia’s CDPA, do not grant this right.
Other duties
Under various privacy laws, data handlers owe duties not only to individual consumers or data subjects but also to the government itself. These may include duties to:
- Give consumers/users/data subjects notice about the data handler’s data practices and related information.
- Conduct a privacy and/or security risk assessment.
- Refrain from processing certain kinds of data in certain ways.
- Disclose breaches, data exposures and similar events.
- Develop and abide by policies for collecting and/or handling minors’ personal data in an even more protected manner than other personal data.
Other laws
While data privacy laws across the world are perhaps the most nascent and complex to impact marketing practices, there’s more to marketing compliance than data privacy and data stewardship. Much older laws continue to place limits on what is considered acceptable marketing.
While this list is in no way exhaustive, it is common for various jurisdictions to have laws proscribing the following:
False advertising
In general, advertising must be truthful. Marketers constantly look for ways to stretch this (under English common law, the UK and the U.S. have long allowed for “mere puffery” — for instance, that a product is “the best”). But if you’re claiming that your product is, say, compatible with iOS devices, it had better be compatible with iOS devices.
Misleading, deceptive or unfair claims
General consumer protection laws are a heightened version of false advertising laws, banning what are called “unfair” and “deceptive trade practices.” This can include misleading claims, even if “technically true.” These laws are far broader than even that, affecting business practices in general. For instance, paying for online reviews may be prohibited by such laws.
Industry-specific laws and regulations
Other laws and agencies, as well, generally prohibit misleading claims. For instance, in the U.S., the FDA regulates advertising claims related to health and medicine, while the SEC regulates statements, disclosures and advertising about investments.
Companies in highly regulated industries like healthcare and finance are restricted not only in what they can say but the context of what they say and how they can say it.
Pharmaceutical advertising, even something as innocuous as a piece of conference swag featuring the brand name and logo of a drug, may need clearance from the FDA. An investment firm may face SEC action if it makes embellished claims or if it makes claims that violate disclosure regulations.
Trademark infringement
Trademark laws are often less about banning anyone in the world from ever using a word or phrase or logo (or sound or color or even smell) and more about:
- Avoiding customer confusion.
- Preventing businesses from trading on the goodwill of another business.
To that end, even advertising that is deceptively similar to a trademark currently in effect, even if not quite the same, can be infringing.
Sometimes (though not always), PPC and backend SEO practices that use a competitor’s trademark can be deemed an infringement (for instance, bidding on your competitor’s company name).
Influencer marketing disclosures
If you’re working with a social media influencer, generally that influencer should clearly and conspicuously disclose that they were compensated for posting about your company, product or service. Failures to do so may create liability for both the company and the individual influencer, as per FTC regulations.
Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney authorized to practice in your jurisdiction.
Opinions expressed in this article are those of the guest author and not necessarily MarTech.