Thursday, July 4, 2024

Email Personalization and Data Privacy Laws


The privacy paradox (sometimes called the internet paradox) describes a disconnect between how people feel about data privacy and how they behave online. To be blunt… it means people say they want their personal data protected and privacy respected, but they’re still using Password123! to log in to most of their online accounts.

That’s a bit of an extreme example, but it’s not hard to imagine, is it?

Of course, it’s not just cyber-crime that concerns people. In recent years, many consumers were shocked to find out how their data is being used by legitimate brands. That’s thanks in part to big stories like Facebook’s data privacy scandal, which impacted more than 87 million people.

According to Cisco’s 2021 Consumer Privacy Survey, 89% of people say they care about data privacy and want more control. That sounds like a lot. But there’s a difference between talking the talk and walking the walk.

Cisco’s survey also found that 79% of consumers are willing to take action to protect sensitive personal data. However, only 32% of those surveyed are what Cisco calls “Privacy Actives” – or those who’ve actually acted on their data privacy concerns. 

One of the main ways people take action is to leave online platforms and providers because of inadequate data privacy policies and protections. Cisco found a third of Privacy Actives have ended relationships with social media brands while 17% have left email platforms over privacy concerns.

Consumers’ desire for highly personalized marketing experiences only adds to the privacy paradox. McKinsey & Company’s Next in Personalization 2021 Report found more than 70% of consumers expect personalization and 76% get frustrated when brands don’t provide personalized experiences.

Successful email marketers are pursuing personalization as an important trend. Our own Inbox Insights 2022 report revealed that 49% of best-in-class email marketers planned to use more personalization in the year ahead. That made it the top trend in our survey.

But enough statistics for today. Let’s explore the ways marketers can take advantage of email personalization while respecting the privacy and security of subscribers.

To get some answers, we talked with Darine Fayed, General Counsel and Data Protection Officer (DPO) at Sinch Mailjet. That’s right. Darine is a real-life lawyer who deals with the legalities of email and privacy all the time. Every week, she’s on calls answering our customers’ data privacy questions and addressing their concerns.

She believes respecting the privacy of your subscribers is an investment that will pay off.

Darine Fayed, General Counsel & DPO, Sinch Mailjet

This article takes a high-level look at the intersection of email personalization and data privacy protection. However, it’s always important for brands to get their own professional legal advice for in-depth guidance. Your organization’s personalization and privacy situations are unique.

When the European Union’s General Data Protection Regulation (GDPR) entered the scene back in 2018, a lot of marketers were freaking out. Then, most ethical email marketers breathed a sigh of relief after realizing they were already following many of the rules.

Since then, GDPR has been a model for new data privacy legislation and updates to existing laws around the world. One place where data privacy laws are still a bit murky is the United States. While there is the California Consumer Privacy Act (CCPA) and other state laws, Darine Fayed says some sort of national U.S. privacy law is needed, but it will likely take some time.


The reality of online commerce and a connected global market means even small businesses have to consider how data privacy laws impact email marketing. So, let’s review common practices connected to email personalization and how they relate to data privacy.

You can’t personalize emails for anyone until you get their email address and basic information. It should go without saying that buying a list of emails is a bad idea. So, most new contacts are acquired after they fill out online forms and willingly subscribe to your emails.

One thing you cannot do is include pre-ticked checkboxes on those online forms. The Court of Justice for the European Union ruled this tactic does not comply with GDPR. Let’s be honest, this was always a sneaky move based on the assumption that people wouldn’t notice the pre-ticked box.

There are cases in which brands may have implied consent to email someone. That would include certain transactional emails such as order confirmations and shipping updates as well as directly replying to someone who filled out a contact form to reach support. 

However, implied consent does not mean you’ve got permission to send contacts marketing emails. To do that, you’ll need express consent, which means they knowingly and willingly signed up to get those communications.

Make it very clear what people are signing up for when they fill out a form. If they’re downloading an ebook or subscribing to your newsletters, let them know you’re also going to send them marketing emails or product news (assuming that’s your plan).

To take things a step further, build a preference center where subscribers can choose the types of email communications they want to receive from your brand.

Another smart idea is implementing a double opt-in sign-up process, which ensures new subscribers truly want to be on your list. The confirmation email is also an opportunity to build trust with your customers around your data privacy commitments.

In the world of data privacy compliance, consent can be taken away as easily as it was given. Or at least, it should be.

Data privacy laws, like GDPR, indicate that people should be allowed to change their minds about opting in to your emails. That means marketers should make it simple and easy to unsubscribe. So what is simple and easy? Well, most of us know what it’s not.

For example, it’s still quite common to see a teeny-tiny unsubscribe link at the bottom of emails. Imagine how that might impact a subscriber with low vision. It’s definitely not supporting an accessible inbox experience.

On the other hand, we occasionally notice marketers who remind subscribers how they got on the list, why they’re getting the emails, and even offer a way to unsubscribe at the top of the message. That’s a great way to build trust.

You’re only hurting yourself if you make opting out difficult. It means subscribers are more likely to mark your emails as spam. As Darine reminds us, it hurts your sender reputation and brand reputation.


The right to opt out is one of five consumer rights outlined in the CCPA, although this specifically refers to giving consumers the power to restrict companies from selling their personal information.

We get it, unsubscribes can hurt an email marketer’s ego. And you certainly need to keep an eye on the unsubscribe rate to make sure there aren’t bigger problems.

However, it’s natural, normal, and even good to have people leave your list. Those subscribers are just dead weight that drags down your other metrics. You don’t need them anyway.

While list cleansing and email address verification aren’t regulatory requirements, Darine calls them smart proactive moves that support email deliverability. For one thing, they prevent spam complaints from inactive contacts who forgot they ever subscribed. Darine also suggests asking for consent again when you attempt to re-engage or reactivate dormant subscribers.

Now we’re getting down to the real, juicy data – the insights you need to personalize your emails and build those relevant inbox experiences for individual subscribers. 

One of the first places you’ll collect personal info about new contacts is on a sign-up form. Beyond a name and email, your forms may ask for phone numbers, employers, job titles, location, family and marital status, or other personally identifiable information (PII).

Make sure every form used to collect email addresses also provides a link to your privacy policy. That’s where people can find out exactly how their data might be used. Here’s Darine’s solid advice on the language in your brand’s privacy policy.


That includes data collected after the form is filled out. You may be personalizing email experiences based on how people engage with your emails – like what campaigns they open and what they click on. You can also use things like content consumption, purchase history, and the pages they visit on your site to support an email personalization strategy.

Just because you can collect certain personal data, it doesn’t mean you necessarily should. Responsible marketers only ask for the information they truly need to provide an ideal email experience. Collecting more than that could put you and your subscribers at risk in the event of a cybersecurity breach.

Darine points out that there are different levels of personal data. Certain information, like social security numbers, bank accounts, and health information is considered highly sensitive personal data. It requires special attention and extra protection.

Depending on your industry, you may have to follow specific privacy laws. For example, the US has the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of a patient’s health information. 

Earlier, we mentioned the right to opt-out. Data privacy laws also define other common consumer rights. They include the right to access and the right to be forgotten.

Laws like GDPR and CCPA give your subscribers the right to see all of the personally identifiable information (PII) you’ve collected about them… yes, all of it. That means you need a way to compile and deliver all of that information to them.

The right to be forgotten means more than just removing someone from your email list. It means deleting every piece of data you have on that individual. When complying with a request to delete a consumer’s data, it should be as if they never existed in your database (and in the databases of any third-party subprocessors you may use).

Just keep in mind, opting out or unsubscribing is not the same as exercising the right to be forgotten. To do that, contacts need a way to contact your organization and make a specific request. Data privacy laws like CCPA require at least one official way to request data deletion. It can be a phone number or a physical address, but it may be wise to set up a dedicated email address for this.

These requests are officially known as data subject access requests (DSARs). Your data needs to be stored in a way that protects it from bad actors. But you also need to be organized enough to comply with DSARs.

Darine says, in the early days of GDPR, Mailjet didn’t receive many access requests. The company was able to handle it manually. Over time, however, requests increased to thousands and we developed an automated internal process to handle DSARs.

That may not be feasible at your business, but there are other solutions.


Check out ratings and reviews of DSAR software on G2 to learn about some of these tools.

In addition to protecting private data stored in your infrastructure and marketing platforms, data privacy laws like GDPR and CCPA require that sensitive information is protected “in transit.” That would include when it’s sent via email. It also involves the process of transferring data from one email service provider (ESP) or marketing automation platform to another. So, it’s something to consider if you switch ESPs.

Darine calls data transfers a “hot topic” in the world of digital privacy. Much of the concern centers around the now-defunct EU-US Privacy Shield, which was a framework for exchanging data between the European Union (as well as Switzerland) and the United States.

After legal challenges from privacy groups, the European Court of Justice struck down the EU-US Privacy Shield, saying the framework didn’t do enough to protect EU citizens. As of early 2022, plans for “Privacy Shield 2.0” were underway, and the U.S. and the European Commission have recently committed to a new Trans-Atlantic Data Privacy Framework which will establish an important legal mechanism for transfers of EU personal data to the U.S.

However, Darine says all of this does not mean there is no secure way to transfer personal data across the Atlantic.


There are three players in the data privacy game: data subjects, data processors, and data controllers. Data subjects are your subscribers and customers. Data processors handle data and information on behalf of controllers. If you’re collecting PII for email personalization, you work for a data controller.

And, while Darine says everyone is responsible for handling PII with care, data controllers have a greater responsibility to protect their customers.


Part of that means identifying vendors and third-party solutions you can trust. Find out more about data privacy and working with third-party solutions providers while complying with important regulations.

The topic of data privacy and digital marketing is a touchy one. However, for any company that cares about the people they serve, it’s worth the consideration and effort. Plus, when people see you putting their privacy first, it will boost your brand’s reputation.


At Mailjet and Sinch Mailgun, we place an extremely high priority on security for our own customers as well as the privacy of the people and businesses that our customers serve.

Mailjet was founded in France and is the preferred email service provider for many companies in Europe. So, we’ve always placed a lot of value in closely following the rules of GDPR. You can find out more in our FAQ on Mailjet’s GDPR compliance and on Mailjet’s Security & Privacy page. And if you still have questions, email us at privacy@mailjet.com
