Disclaimer: I’ve only visited a law school once, for a few minutes, to admire the library. This article isn’t legal advice. If you’re navigating compliance for your company, working with a legal professional will help ensure you’re on the right track.
In 2018, the General Data Privacy Regulation (GDPR) introduced us to terms like legal basis, data portability and right to be forgotten. Many companies were forced to rethink their data privacy practices, or lack thereof.
A couple years later, in January 2020, the California Consumer Privacy Act (CCPA) took effect. In March 2021, Virginia enacted the Virginia Consumer Data Protection Act, which will go into effect in January 2023. More states are discussing similar moves. The trend isn’t going away.
The good news? The shift toward greater transparency and stronger data privacy protections can actually help improve our work as marketers. There’s an opportunity to forge more trusting relationships with your audiences. There’s a greater drive to create compelling, engaging content. And marketing automation providers have risen to the challenge, developing features to address privacy and compliance.
But wait, let’s look a little closer at the CCPA and GDPR…
HubSpot provides some informative resources for understanding the key tenets of the GDPR as well as the CCPA in more detail. I’ll be drawing from their analysis here.
While the GDPR is more comprehensive than the CCPA, there is overlap between the two. Both require that companies provide a clear explanation of what data they collect and how it will be used. Both laws give individuals the right to view any of their own data being stored by a company, as well as the right to be forgotten. And that means really, permanently forgotten. Not like that ex from high school whose Facebook profile you “accidentally” stumble across every couple months.
Data must be permanently deleted if requested by the customer or lead. Both regulations limit the sale or transfer of data to third parties without consent. Lastly, each regulation extends its application beyond the limits of physical brick-and-mortar locations within its region.
All companies collecting data on citizens of California or the EU, regardless of their physical office location, may be required to comply. Yes, that means that even if you’re an East Coast company, if there’s any chance your website might gather data on someone from CA or Europe, you should just err on the side of caution here.
Within the GDPR, companies are required to demonstrate a “legal basis” to use their audiences’ data. HubSpot has broken this down into two: a legal basis to process data and a legal basis to communicate. Your audience should be given an explanation of the ways in which their data will be used and the ability to provide consent for each use.
Let’s say you have an ebook on your website, 5 Strategies to Stay Happy at Work. If someone downloads the ebook, you’d like to add them to your happiness tips email nurture campaign. Consent to receive marketing emails would need to be explicitly provided by your leads. That means you can’t assume an opt-in based on form submission.
On to the tech: Marketing automation features supporting data privacy
How are marketing automation platforms supporting data privacy? Let’s take a look at two in particular: HubSpot and Pardot. In both platforms, some features are automatically available while others need to be manually enabled in your settings.
Tracking opt-in
Both HubSpot and Pardot let you enable a banner on your site requesting that visitors opt in to web tracking (an important component of GDPR). HubSpot lets you choose between notifying visitors of the use of cookies (without requiring an opt-in) or requiring an explicit opt-in. (At this time, it seems Pardot does not offer the first option, only explicit opt-in.)
You’ve probably come across a banner like this in your travails around the web. In Pardot, the opt-in banner can be enabled under Admin > Overview. In HubSpot, this feature is located under Settings > Privacy and Consent.
Protip: HubSpot allows the banner to be displayed in a different language on various pages on your site. Que bueno!
Capturing email opt-ins
Often, we tend to focus on tracking opt-outs in HubSpot or Pardot. But data privacy regulations like GDPR are putting the onus on getting consent, meaning proactive opt-in (as opposed to the old-school method of just hoping that your recipient is too lazy to opt out). HubSpot modified their email subscriptions to make it easy to track and audit email opt-ins and lawful basis to communicate. You can add these subscriptions to forms to make it easy to collect opt-ins.
In Pardot, you can add a checkbox field to your forms to capture and store confirmed opt-ins.
Providing visibility into personal data
Both HubSpot and Pardot allow you to export individual records into a shareable file. This allows you to quickly respond to requests from your customers or leads to access or modify their personal data.
In Pardot, you can export a record by navigating to the Prospects tab and selecting an individual customer or lead. Within the quick actions dropdown at the top, you can click CSV export to generate a shareable file.
In HubSpot, you can export an individual Contact record by adding them to a list. Under Contacts > Lists, you can create a new list and add your Contact. Click on the More dropdown (hover over the list to make this appear). Export is listed there.
We really did mean delete this time
Spoiler alert. The standard delete option in Pardot and HubSpot doesn’t permanently remove records. The information is retained and can be restored in the future.
In HubSpot, if the GDPR toggle is activated, you’ll have two options when selecting the delete button on a Contact (a “soft” and a “hard” delete). You guessed it. The hard delete permanently removes all personal information.
In Pardot, you can permanently delete prospects by navigating to the recycle bin (under Admin). The option is found by clicking on the gear icon on individual Prospects. You can also select multiple records and click Permanently Delete from the dropdown at the bottom of the table. (Can someone help me think of some synonyms for permanently?)
With the growing awareness and increasing regulations surrounding data privacy, implementing these features can help build trust with your audience while ensuring your emails land in welcoming inboxes (and that you stay out of trouble). As marketers, we should work to build transparency and consent in all of our daily efforts.
The challenge is on us to develop better quality content in order to earn those opt-ins. With an engaged audience, you might even see that open rate climb over 30%…
Handy-dandy resources
- https://www.pardot.com/blog/how-pardot-helps-marketers-comply-with-todays-privacy-regulations/
- https://www.salesforce.com/eu/gdpr/pardot/
- https://www.gibsondunn.com/virginia-passes-comprehensive-privacy-law/
- https://knowledge.hubspot.com/settings/gdpr-resources
- https://knowledge.hubspot.com/account/how-do-i-turn-on-gdpr-functionality-in-my-hubspot-account
- https://blog.hubspot.com/marketing/ccpa-compliance
- https://www.hubspot.com/data-privacy/ccpa/ccpa-compliance
- https://blog.hubspot.com/marketing/third-party-cookie-phase-out
- https://blog.hubspot.com/marketing/what-is-the-gdpr
- https://www.hubspot.com/data-privacy/gdpr
- https://www.hubspot.com/data-privacy/gdpr/hubspot-product-playbook