Marketing is often where businesses first consider the privacy of personal data and its impact on their behaviour. 

Unfortunately, privacy is seen as a barrier to effective marketing and, therefore, resented, avoided or ignored. Since marketing tends to be publicly visible, it is the easiest entry point for a regulator to probe a businessʼ practices and creates the risk of being found to be non-compliant with regulations.

The question then is what does privacy actually mean for marketing? The answer is that it depends. On what, you may ask. It depends on what part of marketing youʼre considering, where you and your customers are in the world and how you go about doing your marketing, online and offline. A short article such as this can never give all of the answers. Here, instead, are merely some signposts for your journey.

Pragmatic approach

You need to think about the intersection of privacy and marketing in multiple dimensions. The first is to divide marketing into ‘understandingʼ and ‘doingʼ, and then to distinguish between mass audiences and targeted activity. Finally, you need to consider the nature of your prospects and your offer – essentially to distinguish between business-to-business B2B and business-to-consumer B2C. That sets the scene for a pragmatic approach to marketing compliance.

Why pragmatic? Because the strict letter of the law and the reality of regulatory enforcement are different. For example, named email addresses for individuals within a business are technically personal data. If your privacy law has strict consent rules for direct marketing, then, in theory, you should seek consent for B2B communication – but the reality is that almost no-one does and almost no-one cares. The truth is that, nowadays, most B2B contact is via named email; it is at least tacitly understood that you are trying to market to the business, which does not have privacy rights (except in South Africa), and not to the individual – and, therefore, the most that is expected is a functioning opt-out.

On the other hand, when selling something to consumers, you absolutely have to pay attention to your jurisdictionʼs consent rules, which can vary from a ‘soft opt-inʼ for marketing emails to existing customers to a three-page form that must be completed and returned by the consumer to enable any marketing at all. Regulators globally have shown a strong appetite for enforcing privacy rules in direct marketing. In fact, for some jurisdictions, that seems to be the only enforcement they do. So, you need proper consent tracking, including mechanisms to enable withdrawal of consent and evidence of the specific consent wording, along with – of course – a functioning opt-out. And if youʼre in the habit of buying lists, itʼs a habit youʼll probably have to stop. If your or your prospectʼs jurisdiction requires consent, and not all do, then do your reading or find an expert who really understands your specific space.

Privacy in mass marketing

The scenarios outlined above refer only to direct marketing, which might just mean email, text and telephone or could extend to any form of specifically addressed content through any channel. What about mass-marketing – broadcast, website banners and so on? Again, it depends. Straight broadcast has no privacy implications when it comes to ‘doingʼ, but the work you do to measure and understand your audience may well come into scope. Website banners might seem innocent, but are not if you are targeting them based on an online eyeball auction. Essentially, at any time, at any point, you can identify an individual – which does not necessarily mean that you can name them – you have to pay attention to privacy.

That leads us to ‘understandingʼ, starting with cookies and similar mechanisms that allow you to identify and track individuals around the internet, but also including enrichment, data purchasing, analysis of customer, prospect browsing, purchasing behaviour and all of the exciting world of ‘big dataʼ.

Here, I would provide two pragmatic watchwords: ‘transparencyʼ and ‘reasonable expectationʼ. Do the people whose data you are analysing know that you are doing it? And when they find out, will they think that what you are doing is reasonable? If the answer to either of those is a no, you have a problem. That does not mean that ticking both boxes automatically makes your analysis compliant, but itʼs a good starting point.

Why care about all of this? Well, you could be fined by a regulator, or told to change your behaviour, which isnʼt a good look for the organisation or the brand. But more importantly, consumers and business customers increasingly care about their privacy. If your marketing demonstrates that you donʼt, they wonʼt buy from you. Thatʼs a much more important consideration than any possible regulatory action.

Ben Rapp is a data protection expert and Group Chief Executive Officer of Securys Limited, a global data protection firm, with offices in the United Kingdom and Jamaica, serving clients in over 60 countries.