Ask the Compliance Experts: Why should I follow compliance laws if I don't live in the country that has them?


In 2021, Webbula launched a video series, 'Ask the Email Experts', in which we sat down with email industry experts to discuss various topics within the email marketing world.

Webbula would like to introduce our new series, 'Ask the Compliance Experts', which brings awareness to compliance and security within the email industry, drawing on top deliverability and compliance experts.

Subscribe to our newsletter to keep up with new posts each month.

Are you a compliance expert and want your voice to be heard in the series? Let us know! 


Ask the Compliance Experts: Why should I follow compliance laws if I don't live in the country that has them?


Chris Arrendale

Yanna-Torry Aspraki

Dennis Dayman

Kevin Huxham

Sergey Syerkin

Tom Wozniak


Chris Arrendale

CEO & Founder of CyberData Pros


First, I'm looking at this more from the perspective of a marketing company, a brand, or an Email Service Provider (ESP). Many of us are sitting here in the United States and are following compliance laws as they relate here, but if we have subjects that live in the EU, or if we have data that is coming over from the company that we work for as far as transfers, we need to understand data, access, and data privilege.

Some of those compliance laws relate to the country where those subjects live. You always need to follow those compliance laws. I mentioned a little bit earlier that you can be very strict and say, 'We, as a company, are going to follow GDPR around the world because it is the strictest right now.' That's one approach.

The second approach is, if you don't follow compliance laws in these other countries and get busted by a supervisory authority, or if an individual files a lawsuit, the fines are very hefty. Understand: if you don't follow those laws, there are repercussions that come with it.

Many organizations think, 'I only send emails to people in the United States,' but their website is available in the EU, Africa, and Brazil. If you're collecting data from these individuals around the world, you have a blind sense of who is in your database. For example, maybe you're collecting the country or the region, and you are aware of the name, but if you're marketing to those people, you need to understand the compliance laws based on where they are living. For example, if they are subject to the GDPR and you received explicit opt-in consent before you started to market to them, having that information is key.

Second, let's talk about over-collecting data. GDPR has what they call a data minimization principle, and you'll see this in some of the state laws here in the U.S. Over-collecting data is a problem in our society. Collecting too much information on a data subject can get you in trouble.

If you're over-collecting data, what are you using that data for? How are you storing it? Are you sharing it? Are you selling it? And why do you really need it?

Suppose you're collecting information on me to send me something such as marketing materials in PDF format or an event invite; you don't need to know my credit card number, my social security number, or whether I'm male, female or other. All of the data that we are over-collecting sits in a database that many people have access to. Many people might be sharing or selling it. If that information's breached, it's going to be a higher level of sensitivity because that information is really secure around the world.

It's not about getting explicit, opt-in consent, or having the ability to follow the right to be forgotten. It's other things that people forget about data breaches, data over collection or minimization principles, and selling and sharing that data.

So being up to speed on what's happening around the world, working with legal counsel, and reading and doing some research is key. That way, you are following compliance laws rather than saying, 'Oh, I only send to people in the U.S. and Canada,' or 'I only send to people that live in Florida.'

Final thoughts: look in your database as a marketer and see where these people are coming from. Are you collecting country or region? Are you doing the right thing and following those laws?


Yanna-Torry Aspraki

Deliverability Specialist and CRO of EmailConsul


I love this question. It is extremely important to understand quite a few things about email deliverability, sender reputation, and how it all connects together with compliance. When it comes to email, laws and regulations are put into place to protect people from certain business and sending practices. It is as simple as that. They don’t exist to annoy us senders; they are here to protect us from things we are constantly annoyed at, and even more things we don’t even see.

Being blocked by a spam filter or getting listed on a blocklist is extremely irritating. Don’t get me wrong, it annoys all of us sometimes, even deliverability specialists. But the ISPs and blocklists aren’t just creating random rules to control how you send emails and what you do in your business. They are trying to keep the subscribers’ and consumers’ inboxes a safe space. They will decide what rules and checks to create in order to make their own decisions on how to best protect their own customers. This can be based on security, current spam and phishing issues that happen without most of us even noticing, etc., but also on regulations and laws, what they want, and ensuring we the senders comply with them.

Just in the United States, different states have their own stipulations when it comes to email and data-related regulations. ISPs can’t maintain hundreds of different spam filters for each location that has different laws and regulations that are constantly evolving. It is just not humanly possible. This is why email geeks repeat again and again which best practices to follow. Because, yes, you may “legally” be allowed to do something, but it doesn’t mean that, because the government isn’t going to penalize you, the spam filters and blocklists won’t. Sending emails to people who want them with valuable content will always perform better than randomly sending emails about a company nobody knows about with zero tangible value.

Before pressing send, remember how you feel when you open your own inbox. If you aren’t too happy with what brands are doing, it is probably best not to copy the strategy. The law might not come out and get you, but the machine deciding where your emails land definitely will. Let’s not all wait until we are forced to do something to make changes to our sending practices.


Dennis Dayman

Resident Chief Information Security Officer of Proofpoint


Privacy compliance has become a prevalent business concern due to an increasing number of high-profile regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), designed to protect personally identifiable information (PII) from unauthorized access. Privacy compliance can be a business differentiator for modern companies. Many modern companies collect copious amounts of complex data as part of everyday operations and rely on analytics of this information to run the business. This type of data collection creates challenges for privacy compliance processes, starting with proper business data identification and classification to determine which regulations apply. Those accused of violating data privacy rights risk significant hits to the company's reputation and customers' trust.

Many data protection rules apply not only when responsible parties are established or operating within a country, but also when the controller used equipment located inside the country to process personal data. So, while you might think you are not required to adhere to compliance laws, the people whose data you collect and process might have rights under compliance laws where they live.

Organizations should develop information governance programs, data privacy policies and employee training programs to help achieve compliance with regulatory mandates. Detailed, documented information governance programs that include data privacy policies also help ensure a proper response in the event of a breach, as well as provide necessary documentation during regulatory audits and investigations. These information governance programs should include processes to inventory personal information and establish procedures to keep this data private, while also making it available should the customer request it. Companies should also keep detailed documentation of their compliance with any relevant rules, which will be necessary if a legal or regulatory incident occurs.


Kevin Huxham

Director of Deliverability and Privacy Operations at CakeMail


It seems like we’ve had a lot more on our plates in the last two years to distract us from our pre-Covid lives, but as the world opens up and policymakers get back to business, we are going to see a continuation of the progress they have made with regard to Data Privacy Protection & Anti-Spam regulations.


These rules are in place for a reason. Not only do they help curb abuse, prevent fraud and reduce Spam; they hold people accountable which makes the world a better place. Heaven knows, we could all use a little bit more of that right now.


When it comes to email, most Anti-Spam laws are a minimum set of rules you should already be following with your marketing strategy. Having proper consent before you email somebody just makes sense. The same goes for including an Opt-out mechanism, so make sure you facilitate the Unsubscribe process in the content of your emails, or your recipients will be more apt to complain (by marking your email as “Spam”), which will have a serious negative impact on your deliverability.


For many of these laws, it’s important to point out that it’s not the country you reside in that matters; it’s the country you are sending “To” (or collect personal data in) that you must comply with. A good example of this is the General Data Protection Regulation (GDPR), which protects the personal data of people in the European Union, and you only have to do business with someone in Europe for it to apply to you. The same goes for many Anti-Spam laws: it is the location of the recipients on your list that matters, not where you (the sender) are located.


Following Anti-Spam law is one thing, but ultimately it’s the ISP that determines if you reach the inbox or not. So unless you like wasting your time with low Inbox rates, finding your emails in the Junk folder or being blocked, the ISPs have their own rules you need to follow. In fact, you should follow best practices for sending to any receiver if you expect to reach the Inbox. Most ISPs (like Gmail) have Anti-Spam Legislation requirements built into their Spam detection, but it doesn’t end there.


Here is a small sample list from the Gmail Bulk sender guidelines:


  • Don’t send messages to people who didn't sign up to get messages from you
  • Never purchase email addresses from other companies
  • Confirm each recipient's email address before subscribing them
  • Avoid opt-in forms that are checked by default
  • Send email to engaged users
  • Consider periodically sending messages to confirm recipients want to stay subscribed
  • Avoid deceptive content and include information to properly identify the sender
  • Authenticate your domain
    • Publish an SPF record for your domain
    • Turn on DKIM signing
    • Publish a DMARC record for your domain
  • Properly remove rejected/bounced emails
  • Keep your lists up to date by removing people who complain or unsubscribe

Whether it’s the Canadian Anti-Spam Legislation (CASL), the EU General Data Protection Regulation (GDPR) or Apple’s latest Mail Privacy Protection, they have all had a direct impact on Marketing and Data Privacy world-wide. There is no doubt in my mind we are moving towards people having more control over their Personally Identifiable Information (PII), which is a good thing. Who knows... maybe even the FTC will vote to update CAN-SPAM one day!


The bottom line is Yes, you should be following these compliance laws because it’s the right thing to do.
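The "Authenticate your domain" items in the Gmail list above (SPF, DKIM, DMARC) are the one point in this answer a sender can check mechanically before a receiver does it for them. The Python below is an added example, not code from the Webbula page, the experts quoted here or Google's guidelines: it performs static checks on the SPF and DMARC TXT records a receiver would look up, flagging the mistakes that most often undo authentication (a `+all` or missing `all` term, more than ten DNS-lookup terms, the deprecated `ptr` mechanism, `p=none`, a partial `pct`, no `rua` reporting address). DKIM is not covered because verifying it needs a signed message, not just a DNS record. The sample records and the domains in them (the reserved documentation names example.com, example.net and example.org) are constructed for the example; in practice you would feed the function the strings returned by `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```python
"""Static checks for SPF and DMARC TXT records (the 'Authenticate your domain'
bullets). Added example, not code from the Webbula page or from Google's bulk
sender guidelines. The sample records are constructed; the domains are the
reserved documentation names example.com/.net/.org."""
import re

# Constructed sample records: what `dig +short TXT example.com` and
# `dig +short TXT _dmarc.example.com` would return for a well-configured
# domain and for a weak one. Not real DNS data.
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_SPF = ("v=spf1 "
            + " ".join(f"include:spf{i}.example.org" for i in range(11))
            + " ptr +all")
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10
# per evaluation, after which receivers return permerror and SPF stops helping.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means no concerns."""
    findings: list[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: the first term must be v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # the mechanism/modifier name is everything before ':', '/' or '='
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow (RFC 7208 section 5.5)")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: senders not listed get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use ~all while testing and -all in production")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record; an empty list means no concerns."""
    findings: list[str] = []
    tags = parse_dmarc(record)
    # RFC 7489: the v tag must come first and its value must be DMARC1
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return ["not a DMARC record: it must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail failing DMARC is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(f"note: {tag} is relaxed (the default), so any subdomain aligns")
    return findings


def audit(spf_record: str, dmarc_record: str) -> dict[str, list[str]]:
    """Run both checks and return the findings keyed by record type."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, audit(spf, dmarc))
```

Run it as-is to see the good records pass cleanly and the weak pair produce three SPF findings and five DMARC findings; to audit your own domain, replace the two constants with the TXT strings DNS returns. The lookup count is a static upper bound, since it does not recurse into the included domains, so a record that passes here can still exceed ten lookups once its includes are expanded.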


Sergey Syerkin

Founder & CPO of EmailConsul, Email Deliverability and Anti-Abuse Evangelist


When it comes to compliance, there is definitely an interesting trend for senders to notice. The trend is a pretty simple one. Even though the laws have some differences between them, the one thing that is clear is that every year a couple of new countries implement their own regulation. They are almost identical in nature, and if you aren’t following them it is better to start preparing now. There is nothing worse than having to make extreme changes and huge business pivots in a tiny amount of time because you don’t have a choice. They sometimes require you to force a re-confirmation email to be sent out, to change your email collection practices, update your templates and the way you store data, and so much more.

The other thing to keep in mind is that even if you don’t have any strict laws enforcing certain best practices, the ISPs are definitely looking at your email practices. In the long run, if it hasn’t happened in some measure already, you will be penalized if you aren’t following the laws, which are best practices at the end of the day, and your sender reputation and deliverability rate will take a hit. It is better to be aware of how they work and what is needed from you now, to ensure you aren’t surprised when changes arise and they don’t impact your inboxing.


Tom Wozniak

Executive of Marketing at Optizmo


One of the many advantages of digital marketing is its global nature. Marketers can easily reach an audience around the world, often without even trying to. However, once you start marketing to people in other countries, even unintentionally, your campaigns may be subject to local laws and regulations. While some marketing regulations may be written to focus on companies located within a given country, others are extra-territorial in scope. In these cases, the laws may be related more to individual rights than to business regulation. The General Data Protection Regulation (GDPR) in the EU is a good example of an extra-territorial law.

If you are actually focusing on growing your business in certain countries, it would be wise to familiarize yourself with the laws of each of those countries, especially as they relate to foreign companies marketing to their residents. You may find that many of them don’t pertain to your business, but when you do identify applicable laws, you should consider getting professional legal advice about your potential liability, should your business grow in a particular country. 

Complying with local laws can also be a logical best practice to optimize the consumer experience of local residents. They may expect that companies they purchase from will adhere to particular business practices (around collecting their data, etc.) and if you aren’t, it could be a detriment to your campaign performance and overall results when marketing to consumers in that country. 


If you enjoyed this post, be sure to look for future posts in this video series by signing up for our weekly newsletter!

Check back next month to listen to our next round of email experts' answers to, "What to do if someone threatens to sue you due to data compliance and processing issues."
