Privacy Laws: What Marketers Need to Know - Rhea+Kaiser

Written by Hubspot user | Jun 27, 2023 11:48:21 PM

Staying compliant with state privacy laws: Essential insights for marketers

Last year, legislatures across the country were busy introducing privacy bills that give consumers more power over how companies collect, use and store their data. Initially, the introduction of these bills created a flurry of information about the impending changes and what that means for organizations.

Although the buzz around consumer privacy has died down a bit in recent months, that doesn’t mean marketers can afford to wait to put plans and processes into place to ensure they are compliant. As of this writing in 2023, five states have privacy laws that either have gone or are going into effect. These laws protect each state’s residents wherever they may be in the country. Organizations and marketing teams need to educate themselves to understand the obligations these new laws present.

WHAT DOES COMPLIANCE MEAN?

The challenge with these laws is that the components and coverage vary from state to state. For example, privacy laws in California, Virginia, Connecticut and Colorado give consumers the right to correct personal information. However, the laws in Utah and Nevada do not include the right of rectification.

Additionally, privacy laws take one of two distinct approaches to obtaining consent: opt-in and opt-out. Opt-in is more protective, as it requires users to actively agree to share their information. Opt-out, on the other hand, presumes users consent to data being collected until they take steps to prevent it. To further complicate the privacy landscape, the laws are all written in language that is relatively vague and open to interpretation by each state’s respective Attorneys General.

Fortunately, there are some commonalities across the various state privacy laws, such as consumer opt-out signals. Generally speaking, to be in compliance, businesses need to allow consumers to tell them to:

  • Stop tracking website activity
  • Stop emailing them
  • Remove their information from any kind of database, analytics or targeting pool

We recommend companies handle these opt-out signals themselves, in real time. As soon as a consumer clicks the button, the website analytics, pixels, email lists and CRM databases need to clear their data. This keeps the control and compliance for these laws within the business, as opposed to passing the buck down the line to executional marketing and analytics partners. This will require specific company website and email or CRM functionality. Many of the main tech providers in these spaces have built-in features to accommodate these actions.

Given that compliance guidelines vary from state to state, we also advise taking a blanket approach: treat all residents of the US the same, but manage to the strictest particulars among the states’ laws.

GET READY FOR THE NEW LAWS

To be compliant with new privacy laws, companies will need new processes to handle opt-out requests across the organization. If a visitor requests to opt out of website tracking, targeting pools, analytics, or receiving emails, the request needs to be pushed downstream to the systems that are processing that data. Generally, this information needs to be communicated to team members who manage web and digital tracking tools and martech platforms. How that is handled within each organization will vary, so leadership should gather team members from marketing, IT, compliance and legal to develop a protocol to handle and process the requests.

You may also need to change or add opt-out options on your website and in your email templates. As always, optimal user experience should be top of mind. As visitors navigate your site or receive marketing emails, make sure the opt-out process is quick and seamless. Options include:

  • Preference center options: Preference centers provide users a place to choose which data processes they want to opt out of.
  • Request-based rights selection forms: Forms allow users to enter their preferences for each right.
  • User-enabled privacy controls: These allow organizations to respond to users who have enabled opt-out signals at the browser level.

Varied state law requirements mean it is also a good idea to check your existing privacy program to ensure compliance. A review should include:

  • Policies and notices: Assess and update as needed, including your privacy policy and cookie consent mechanisms.
  • Data retention policy: Make sure your data retention policy specifies a reasonably necessary retention period for each type of data. Equally important is that all of your employees understand and follow the policy.
  • Data security safeguards and data breach preparedness: Review and update your written security program to ensure that it meets the legal requirements that are appropriate for the level of risk associated with your data.

Of course, these are suggestions, and you should consult your compliance and legal team or partners for specific advice.

The impacts of these laws are as yet unknown but will certainly be heavily felt in paid media around modeling, optimization, frequency capping, behavioral targeting, retargeting and various other areas.

Looking to get the most out of your digital marketing? We can help. Drop us a note to learn how we can help you meet your marketing goals.