Articles - Email Marketing - December 2, 2019

An Email Marketers’ Guide to Consumer Privacy Changes

The email industry largely represented a lawless Wild West for many years, with senders calling the shots. But an increase in both the availability and use of personal data, combined with a rising number of data breaches, has ushered in a new era of regulation driven by consumer privacy rights.

Between 2000 and 2017 there were two primary email regulations: Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) and Canada’s Anti-Spam Law (CASL). Details on each include:

  • CAN-SPAM. Went into effect in December 2003, creating the U.S.’s first national compliance standards for sending commercial email. CAN-SPAM established rules for unsubscribe, content and sending behaviors, and outlined penalties for violators of the law.
  • CASL. This became effective in July 2014 and applies to any commercial electronic message sent from or to computers and devices in Canada. It requires recipients’ express consent for all non-exempt emails with criminal and civil penalties for those not in compliance.

Then, in 2018, data breaches abruptly shifted consumer attention to the lack of transparency around how personal data might be captured, stored, and used. Not only did Facebook confirm hackers stole highly sensitive data from 29 million customers, several other brands were also hacked during the year, including Marriott Hotels, MyFitnessPal, Google+, Ticketfly, Cathay Pacific, T-Mobile, Orbitz and British Airways. As a result, consumers’ trust in brands using their data changed, as did their willingness to provide personal information to brands.

Amid a year filled with data breaches, new legislation was rolled out to address the growing importance of data security. In May 2018, the General Data Protection Regulation (GDPR) went into effect. GDPR applies to all companies processing the personal data of people residing in the European Economic Area (EEA), regardless of a company’s location. With GDPR, companies are accountable for their collecting and handling of people’s personal information, while individuals are granted more power to access and control information held about them. When it comes to email opt-in, GDPR requires that brands collect affirmative consent that is “freely given, specific, informed, and unambiguous” to be compliant.

Other countries around the world took notice and drafted their own versions of privacy legislation on the heels of GDPR, including the Australian Privacy Act Amendments; Chinese Draft Regulations on the Classified Protection of Cybersecurity; and Brazilian General Data Protection Law, scheduled to go into effect February 15, 2020.

In the U.S., bills and bill drafts related to consumer data privacy have been introduced or filed in at least 25 states and Puerto Rico within the past year. America’s first privacy law, the California Consumer Privacy Act (CCPA), is scheduled to go into effect January 1, 2020. CCPA will allow consumers to force companies to disclose what personal information they have collected, and will give consumers the right to force companies to delete that data and to refuse its sharing with third parties. Companies will also need to provide upfront disclosure about what data they collect. While CCPA is a state law, it covers out-of-state merchants who sell to Californians or display a website in the state.

Marketing in the Age of Consumer Privacy