In last month’s column, I wrote about how the digital communications legal landscape is like the weather in New England – constantly changing. And while change is a constant, there are a few best practices marketers can adhere to in order to stay above the law in almost any region of the world. They are: achieve a high degree of marketing relevance; obtain explicit permission; provide transparent disclosure when gathering customer data; and let consumers control how they provide their data and how you use it. In this month’s column, I will delve deeper into the changing legislation in the U.S., Canada, the European Union (EU), and Asia Pacific (APAC) – and how marketers can keep up with the constant changes.
The CAN-SPAM Act, which went into effect in January 2004, provided the foundation for digital communications legislation in the U.S. as it applies to email marketing communications between brands and consumers. CAN-SPAM applies to all email being sent to or from the United States. An opt-out mechanism is required, but permission is not. CAN-SPAM doesn’t apply to transactional messages. Spam remains a global problem, but most U.S. consumer brands and B2B marketers have complied above and beyond the law as required by CAN-SPAM, through self-regulation and automated compliance, as well as technology and counsel provided by their email service provider (ESP).
Nonetheless, a number of new legislative initiatives are in the works that focus on consumer privacy, data collection, and data use. The main thrust of all of these proposals is to give consumers more control over how their personal profile information is gathered, used, and shared by marketers. It’s still too early to tell what the final legislative outcome will be, but marketers should be prepared for the following changes:
- Simplified privacy policies
- Shorter and easier to read
- Specific notification of sharing consumer data with third-party partners
- Commercially-reasonable data retention periods
- Keep data only as long as it is needed, not indefinitely
- Expanded application of data collection regulation beyond email
- Social networking
One important distinction to remember is that U.S. standards follow an opt-out-of-tracking mechanism for behavioral targeting rather than the opt-in mechanism required by the European Union. Still, change is coming for U.S. marketers, and instead of a “wait and see” mentality, marketers should take the following steps to proactively prepare for tighter regulation of consumer data use:
- Get permission for everything relevant to your contact strategy (a basic email marketing best practice that should be applied across all of the marketing channels you’re using)
- Enhance preference centers to centralize your permissions and data collection processes
- Look at your database structure to accommodate new preference requirements and data gathered through channels other than email, including mobile and social networking
Similar to U.S. proposals, Canada’s Online Protection Legislation (COPL) expands regulation of marketing messages to and from Canada beyond email to include IM, SMS, social, and mobile marketing. Unlike the U.S., COPL also applies to all commercial content, including transactional messages. Other important distinctions for marketers to take note of:
- Explicit opt-in required
- Implicit opt-in valid for two years
- Unsubscribe applications must be live for 60 days (30 days in the U.S.)
- Private right of action available to anyone (state attorney generals and ISPs only in the U.S.)
Implications for marketers:
- Get permission for everything relevant to your contact strategy
- Implicit opt-in only valid for two years
- You must opt in or purge those names
- Know where your customers are located
- If you don’t have geographic information, you need to get it or assume that they are in Canada to avoid COPL non-compliance
European Union (EU)
The European Union has some of the strictest regulations in the world through the EU Data Privacy Directive. The directive requires opt-in prior to sending unsolicited email and compliance with eight data protection principles:
- Data must be fairly and lawfully processed
- Data must be processed for limited purposes
- Data must be adequate, relevant, and not excessive
- Data must be accurate
- Data must not be kept longer than necessary
- Data must be processed in accordance with individuals’ rights
- Data must be kept secure
- Data may not be transferred to non-EEA or -EU countries without adequate protection
The EU also provides for individual rights when it comes to personal profile data. Individuals have the right to gain access to their data and to seek compensation for non-compliance. Consumers also have the right to opt out of having their data used for direct marketing as well as an opt-out of fully automated decision-making about them. Permission is required for web tracking and there is a proposal in the works that will require explicit permission for the collection of cookies and other tracking technology.
The implications for marketers navigating this tightly regulated environment are as follows:
- Get permission for everything relevant to your contact strategy
- Document all permission paths
- Consumers have the right to ask for it
- Know where your customers are or you will have to assume they are in EU
Asia Pacific (APAC )
A quick snapshot of the Asia Pacific region reveals a wide range of regulatory environments from strict compliance laws to a near total lack of controls over marketing communications. Australia, for example, maps to the EU requirements, which are among the strictest in world, whereas India, Malaysia, Taiwan, and Thailand currently have no applicable requirements.
How Do I Keep Up With the Changes?
As you can see, keeping up with the U.S. regulatory environment alone can be a daunting task. Outside the U.S., the regulatory environment ranges from very strict in the European Union to virtually no regulation in some Asia Pacific countries. How can marketers navigate this constantly shifting regulatory landscape? The best approach and best practice is to always err on the side of caution. Adopt a full permission mentality by asking permission for everything relevant to your contact strategy and take the time to understand the nuances of the respective cultures where you’re marketing to consumers.
Keep in mind the following no matter where you’re marketing to consumers:
- Just because it’s legal, doesn’t mean that you should do it
- Permission doesn’t mean unconditional ability to market to people
- Respect their preferences
- Know when they become unresponsive
- Always strive to stimulate engagement with your audience
- Only keep consumer profile data as long as you need it
Finally, make sure that you have dedicated resources – whether in-house or in partnership with your email service provider – to monitor domestic and global regulatory environments and develop action plans for your marketing and communications teams.