Koroberi is a B2B integrated marketing agency located in the North Carolina's booming Triangle. Koroberi specializes in branding, content creation, PR, advertising and digital strategy.

Digital marketing compliance

Overview

There have been several domestic and international laws passed in recent years to give consumers data privacy rights. The laws focus on how individuals’ data can be used and establish management requirements for companies that handle personal data. The intent is to prevent incidents of unauthorized disclosure of personal information and loss of consumer privacy from businesses that collect identifying information.

In the United States specifically, there are currently no nationwide data protection laws; however, a number of states have passed specific legislation covering their residents. California’s CCPA is perhaps the most influential piece of state-passed legislation, and other states have begun to model and build upon it with subsequent laws. Taken together, this patchwork of many very similar data protection and privacy laws enacted at both the federal and state level serves to protect the personal data and privacy of U.S. citizens while online.

Read below for a summary of major domestic and international regulations:

U.S. domestic data privacy and consumer protection laws

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

Businesses must ensure their email marketing efforts comply with CAN-SPAM. The law sets the rules for commercial email, curbing spam and allowing recipients to opt out of these types of communications. As outlined by the Federal Trade Commission (FTC), all businesses are required to do all of the following or risk being in violation of CAN-SPAM and potentially facing fines of over $42,530 per violation:
  1. Don’t use deceptive sender information. The “From,” “Reply-To,” originating domain name and email address must accurately identify the person or business sending the email.
  2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the email.
  3. Identify the email as an ad. This does not apply to email contact lists in which recipients have opted in to receiving your emails.
  4. Tell recipients where you’re located. A business’ postal address must be included in your email. This can be a business’ current street address, a registered post office box, or a commercially registered private mailbox.
  5. Tell recipients how to opt out of future emails. Emails must include some sort of unsubscribe notice. A landing page may be created to allow recipients to opt out of certain types of messages (e.g. “Update your preferences”) or opt down in terms of email frequency, but an unsubscribe option must be included that allows recipients to stop all future commercial messages from you.
  6. Honor opt-out requests promptly. Any opt-out mechanism offered must be able to process opt-out requests quickly and appropriately, in no more than 10 business days after receiving a recipient’s opt-out request. Businesses must also honor a recipient’s opt-out request without attaching any additional kind of quid pro quo to it.
  7. Know what your vendors and partners are doing on your behalf. Businesses can’t contract away their legal responsibility to comply with CAN-SPAM. In fact, both your company and any vendor you use to send violating emails may be held legally responsible.
Source: CAN-SPAM

California Consumer Privacy Act (CCPA)

As of Jan 1, 2020, the CCPA is law and affects any business interacting with California residents, specifically online and via email. More specifically, the law applies to for-profit companies that meet at least one of the following criteria:
  • Your business’ annual revenue is over $25 million.
  • Your business receives the personal information of over 50,000 consumers, households, or devices annually.
  • At least half of your business’ annual revenue comes from selling personal information.
The CCPA outlines five major rights now afforded to Californians. Each is listed below and summarized in layman’s terms:
  1. The right to know what personal information is being collected about them. Businesses must inform consumers what personal information is being collected from them either before or at the time of collection. This includes everything that could possibly link back to a customer from the most sensitive, obvious things (name, email addresses, biometric data) to the less obvious (browsing history, cookies and IP addresses).
  2. The right to access their personal information. Businesses must offer at least two ways for individuals to request a copy of all personal information collected about them. Under most domestic compliance laws consumers have the right to know:
  • Types of personal information collected
  • Where the information came from
  • Why the information was collected
  • The categories of any third parties the business has shared the information with
  • Specific pieces of information that have been collected

Once a personal information request has come in, businesses must provide all information via mail or electronically free of charge within 45 days. Consumers can make up to two of these personal information requests from a business within a 12-month period.

  3. The right to know whether their personal information is being sold or disclosed and to whom. If requested by an individual, businesses must disclose the types (but not the names) of third parties they share personal data with. These parties may include advertisers, campaign tracking and reporting platforms, data brokers, etc. Upon request, businesses must also specifically share what information was disclosed.
  4. The right to opt out of the sale of personal information. Businesses must offer at least two ways for individuals to opt out of having their personal information sold to or shared with any third parties (advertisers, data brokers, etc.), and once a request is received the business must honor it. At a minimum, the law requires that businesses provide the following:
  • A toll-free number that individuals can readily access
  • An opt-out (aka “Do Not Sell My Personal Information”) link in the site footer

NOTE: Businesses can still sell information if the data has been anonymized (meaning all personally identifiable details have been removed before doing so).

  5. The right to equal service and price, even if they choose to exercise their privacy rights. If a customer takes advantage of their privacy rights granted under the CCPA (e.g. opts out of the sale of their personal information or requests access to their personal information), businesses cannot discriminate against these customers for doing so by charging extra, reducing the quality of customer service or refusing to provide a service. Businesses can, however, offer bonuses or financial incentives in exchange for individuals disclosing their personal information.
Source: CCPA

Enforcement

Most domestic data privacy laws are enforceable by the state attorney general’s office; however, they are only enforceable if it can be proven that a business’ inadequate security measures specifically caused a data breach that allowed consumers’ Social Security numbers, credit cards or health information to be disclosed. Typically, if the breach does not involve highly sensitive information a suit is not likely to be pursued; however, legislators are considering amendments to allow enforcement for any violation, not just those that can potentially cause substantial harm. In the case of a successful suit, fines range from $2,500 to $7,500 per violation, and businesses are allowed up to 30 days to correct violations.

What’s next?

Domestically, the passing of the CCPA is widely seen as just the first step in establishing stronger consumer privacy protection laws in the United States. There are already several stricter amendments to the law currently up for legislative consideration. The belief is that the law will lead to more comprehensive legislation in the future.

A growing handful of other states have enacted data privacy protection laws as robust as those passed in California, however with some very important additions, including:

Major international data privacy and consumer protection laws

EU General Data Protection Regulation (GDPR)

GDPR provides a common data privacy law that affects all individuals, companies or businesses that have a presence in, or do any sort of business with, the EU. GDPR fines are scalable and designed to make non-compliance a costly mistake for large and small businesses alike. With two tiers of penalties, which max out at €20 million (approximately $26 million) or 4% of global revenue (whichever is higher), and the ability for individuals to seek compensation for damages, the cost of non-compliance is stiff. Unlike the CCPA in the U.S., GDPR’s generally accepted principles are as follows, with two additional rights also afforded:
  1. Right to access. Individuals can ask for a copy of their collected personal data along with an explanation of how this data is being used.
  2. Right to rectification. Individuals have the right to revise or remove any of their personal data at any point.
  3. Right to be forgotten. Individuals can request their personal data be deleted completely.
  4. Right to restrict processing. If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, they can request limited use of their personal data.
  5. Right of portability. Individuals have the right to receive and reuse their personal data in a structured, commonly used and machine-readable format (e.g. CSV, XML and JSON file formats) that can easily be transferred.
  6. Right to object/opt out. Individuals can opt out of their personal data being processed for a business’ reporting, email marketing or marketing efforts at any time.
Under GDPR, processing personal data is generally prohibited; this includes pseudonymized information. There are, however, a few explicit cases in which a business can process personal data. These include:
  • With express consent from the individual (e.g. opting in)
  • Due to contract or legal obligations
  • Necessary to save a life
  • To perform a task in the public interest or to carry out some official function
  • There’s a legitimate interest to process someone’s personal data. (This is the most flexible legal basis, although the rights of individuals will always override your interests, especially if it’s related to the data of a minor.)
If there has been a data breach, under GDPR it is mandatory that a business inform all individuals whose personal data they’ve collected within 72 hours of learning of the breach and reporting it to the ICO.
Source: GDPR

Germany’s Bundesdatenschutzgesetz (BDSG)

Germany is the first Member State in the EU to enact national privacy laws to supplement the GDPR. The BDSG lays out additional rules for data processing based on the environment (e.g. the context of employment, surveillance of public places). Also, a Data Protection Officer is required if at least 10 people are regularly engaged in the processing of personal data, whether manually or through automated means.

Source: BDSG

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is akin to both the U.S.’s CCPA and the EU’s GDPR, but with fewer teeth. Fines are much milder in comparison, maxing out at CAD$100,000 (approximately $76,000) for serious offenses. These specific offenses include acting against whistleblower employees, obstructing a federal Privacy Commissioner investigation or audit, and failing to retain personal data so that individuals have the opportunity to exercise their rights.

Source: PIPEDA

Enforcement

With GDPR enforcement now in full swing, the Information Commissioner’s Office (ICO) is charged with investigating, enforcing and issuing financial penalties to ensure compliance measures are being followed. All data breaches must be reported to the ICO and, beyond issuing financial penalties, the ICO can impose powerful business corrections that considerably impact the day-to-day operations of a business. Nothing is off limits, although the ICO has confirmed that they will reserve top end fines for only the most serious data breaches.

Within Germany, certain BDSG data protection infringements are also now considered criminal offences and can be punished with up to three years in prison or a fine. These cases are typically reserved for instances in which personal data is illegally transferred to third parties, is made accessible for commercial purposes on a large scale, or is obtained through intentional and harmful fraud.

What’s next?

The enactment of the GDPR prompted international interest in better understanding and complying with data privacy and protection laws aimed at consumers. Many companies are still working towards compliance, and some have been hit with major fines to further expedite the process. The belief is that the law will continue to lead to more comprehensive and transparent data processing legislation in the future. With Germany taking the first steps with its BDSG, other member states are also poised to pass supplementary national legislation alongside GDPR in their own countries.
