In 2021, Webbula launched a video series, 'Ask the Email Experts', in which we sat down with email industry experts to discuss various topics within the email marketing world.
Webbula would like to introduce our new series, 'Ask the Compliance Experts', which will spread compliance and security awareness within the email industry by drawing on top deliverability and compliance experts.
Subscribe to our newsletter to keep up with new episodes each month.
Are you a compliance expert and want your voice to be heard in the series? Let us know!
Ask the Compliance Experts: What can you do to ensure that you’re compliant in every country?
CEO & Founder of CyberData Pros
The first one is that a lot of brands and marketers that I work with take the approach of, "Let's just apply the strictest rule as it relates to compliance, which is GDPR, and let's apply that to every country around the world and our thought process and our marketing process."
So as opposed to thinking about Brazil’s Lei Geral de Proteção de Dados (LGPD) or what's happening in China or all of the laws in the United States, let's just take the GDPR philosophy and apply that to our entire program. So explicit opt-in consent, the right to be forgotten, data portability, everything that comes along with GDPR.
That's a very aggressive approach, and I applaud the marketers and brands that want to go down that path, but it's also very strict. There are quite a few resources that I use, such as the International Association of Privacy Professionals (IAPP). IAPP publishes updates daily related to regulations in Brazil, China, Japan, and everything worldwide.
There are also quite a few more like Thomson Reuters and a few other legal sites. One of them is the Information Security and Privacy Guide to International Law and Compliance, which regularly gets updated. The downfall of compliance and legal books is that they are hundreds of dollars to purchase. Typically your legal department or general counsel that you're working with is getting up to speed on those laws and regulations and can help you out too.
As I work with clients or as I talk to people, I always caveat it with, you know, "make sure you, you know, run things by your legal team or by your general counsel to make sure that he or she is up to date and up to speed on these approaches."
Lastly, I always like to say if you're confused and you're unsure after doing some research again, consult with your general counsel and your legal team. That would be an excellent place to go because, hopefully, they're up to speed on some of those compliance laws.
Deliverability Specialist and CRO, EmailConsul
Every country has its own laws and proceedings when it comes to compliance. To ensure you aren't making obvious mistakes, cross off this entire checklist!
First things first: Consent.
In order to store information or send emails you need to ensure you are transparent with your subscribers and have their consent. This helps lower spam complaints and helps with your sender reputation and deliverability, and helps you stay compliant.
When we ask subscribers for consent, we need to be clear with them. If they are giving you an email for a "Free smoothie recipe book," that is all you should be sending them. You cannot subscribe them to your daily email or to your other businesses unless you ask them and they accept. With just a checkbox, you can easily ask for permission and ensure new subscribers are aware they are being signed up for multiple emails.
You also need to ensure you are safely storing your subscribers' information, whether it is billing information or simply an email address.
It is essential.
This means we need to be careful when importing data into various tools and exporting it. Who knows how many copies of your subscriber lists you have on a computer or in your Google Drive or Dropbox accounts.
When sending emails you need to be cautious that the "From," "To," and "Reply-To" fields contain either the person's name or the business name people are expecting and who the email claims to be coming from. When it comes to content and remaining compliant, emails sent to your subscribers should fall within their expectations. You need to ensure you send content to people that they expect. It must come from the right company or person and fit people's expectations. For example, your subject lines should also be honest and should not be misleading. There should be no use of "RE:" or "FWD:". Emails should also contain your business address and an unsubscribe link to ensure a smooth removal process and reduce spam complaints or low engagement.
When it comes to inboxing and deliverability, being compliant is extremely important. Inboxes want to protect their clients from fraudulent or unwanted emails. They work on their spam filters using information from received emails, but they also implement specific rules as different laws are being put in place. If the laws want something from senders, trust us when we tell you that spam filters want the same things. So maybe you aren't worried about anyone sending you a fine, but it doesn't mean the inboxes and spam filters will allow certain practices anymore.
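The checklist above (honest From/Reply-To, no misleading "RE:"/"FWD:" subjects, a business address and an unsubscribe link) can be checked mechanically before a campaign leaves the building. The following is an added example, not code from this post or from EmailConsul; the sender domain, postal address and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical sender profile. In practice this comes from your sending configuration.
EXPECTED_FROM_DOMAIN = "example.com"
POSTAL_ADDRESS = "123 Example St, Springfield"

# Subject lines that pretend to be a reply or forward.
MISLEADING_SUBJECT = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)


def _domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Check an RFC 5322 message against the compliance checklist.

    Returns a list of findings; an empty list means nothing was flagged.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # From and Reply-To must point at the business the reader expects.
    from_domain = _domain(msg["From"])
    if from_domain != EXPECTED_FROM_DOMAIN:
        findings.append(f"From domain '{from_domain}' is not '{EXPECTED_FROM_DOMAIN}'")
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != EXPECTED_FROM_DOMAIN:
        findings.append(f"Reply-To domain '{reply_domain}' is not '{EXPECTED_FROM_DOMAIN}'")

    # "RE:"/"FWD:" is only honest when the message really is a reply.
    subject = str(msg["Subject"] or "")
    if MISLEADING_SUBJECT.match(subject) and not msg["In-Reply-To"]:
        findings.append("Subject uses RE:/FWD: but the message is not a reply")

    # Unsubscribe path and business address must be present.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if not msg["List-Unsubscribe"] and "unsubscribe" not in text:
        findings.append("No List-Unsubscribe header and no unsubscribe link in body")
    if POSTAL_ADDRESS.lower() not in text:
        findings.append("Business postal address not found in body")
    return findings


# Constructed sample messages (not real traffic).
GOOD_MESSAGE = """\
From: Example Newsletter <news@example.com>
To: subscriber@example.org
Reply-To: news@example.com
Subject: Your free smoothie recipe book
List-Unsubscribe: <https://example.com/unsubscribe?id=123>

Thanks for subscribing. Unsubscribe: https://example.com/unsubscribe?id=123
Example Newsletter, 123 Example St, Springfield
"""

BAD_MESSAGE = """\
From: Great Deals <promo@mailer-xyz.invalid>
To: subscriber@example.org
Reply-To: deals@another-domain.invalid
Subject: RE: Your account

Click here for a great deal.
"""

if __name__ == "__main__":
    for name, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, check_message(raw) or "no findings")
```

Run it as a pre-send gate: a non-empty findings list blocks the campaign until someone fixes the template, which is cheaper than learning about the problem from a spam-filter verdict.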
Resident Chief Information Security Officer, Proofpoint
This is a tough question, because what used to be the “bar”, the General Data Protection Regulation (GDPR), is now crowded with so many other countries' interpretations of what data privacy is, and here in the United States, many states now have their own version of privacy regulations.
You can’t simply even pick and choose from each different law and try to make a single compliance program that covers everything in one fell swoop. Businesses today do not operate within borders. Vendors, suppliers, customers, and business associates all work to stretch operations across state and international borders. Often, they also operate or rely on business in multiple industries. Having to navigate various federal, state, and industry-related regulations creates confusion and inefficiencies for entities, assessors, and regulatory bodies.
What I can tell you are a few simple things to start to do and possibly ensure that you are not outright breaching people’s trust when they give you their email address or other data points. This is NOT a comprehensive list, but something to consider.
- Only add an email address to your mailing list after having obtained explicit permission of the owner of the email address.
- Never share data or repurpose an email address without that person’s explicit permission or better yet, do NOT buy data from those you can’t verify they have consent to sell the data to you.
- Make sure you offer a full-service preference center that gives people a choice not only to remove themselves from a list, but from all lists that you possibly are using. You need the right processes in place to ensure that any individuals who want to be removed from your databases get removed.
Being compliant involves following the rules and regulations laid out by a governmental institution, identifying the areas which impact an organization, implementing policy change and monitoring. Organizations lose around $4 million in revenue due to non-compliance with a single law. In other words, having business objectives that follow set guidelines is essential to being compliant. There are a number of ways to become compliant, which vary depending on the country.
Each organization should develop a compliance program to ensure that they are compliant in every country. The elements of an effective compliance program that would work in every country can be described as the "Seven Pillars of Compliance".
The "Seven Pillars of Compliance" are:
1) Ethical values and corporate culture:
Ensure that ethical values are embedded in the corporate culture. The compliance function should be overseen by the board of directors and senior management should be held accountable for promoting a culture of compliance.
2) Compliance policies and procedures:
Compliance policies and procedures should be designed in such a way that they are applicable to the laws of different countries and help prevent, detect and remediate non-compliance with laws, regulations and ethical standards. They should be reviewed and updated on a regular basis to reflect changes in the legal and regulatory landscape.
3) Effective training and communication:
All employees should receive training on the compliance policies and procedures and be made aware of their individual responsibilities. There should be a mechanism for employees to report suspected wrongdoing without fear of retaliation.
4) Independent review and audit:
An independent review or audit should be conducted on a regular basis to assess the effectiveness of the compliance program. The findings should be reported to the board of directors and senior management.
5) Reporting channels:
Reporting channels should be established so that employees can report fraudulent activities and any non-compliance with policies. For instance, anti-money laundering (AML) compliance is usually standard in different countries across the world. A financial institution that finds suspicious activities and does not report them is fined for not following compliance laws. Therefore, if all reports are investigated promptly and appropriate action is taken, then a business can ensure compliance.
6) Disciplinary actions:
Disciplinary actions should be taken against employees who engage in misconduct. The disciplinary action should be proportionate to the seriousness of the offense and designed to deter future wrongdoing. The process is internal for the employees to ensure they follow regulations, especially when a company has its franchise or office in a foreign country.
7) Third-party due diligence:
Organizations should exercise due diligence when dealing with third parties. They should ensure that their business partners are complying with applicable laws and regulations and have adequate internal controls in place.
Implementing the seven pillars will ensure compliance; however, companies need to keep in mind that the compliance landscape is constantly changing and they need to stay up to date with the latest developments. Adhering to that will help ensure compliance with laws and regulations in every country.
Founder, Chief Product Officer, CPO, Email Deliverability and Anti-Abuse Evangelist, EmailConsul
Knowledge is essential when it comes to compliance. Reading up on various data privacy laws will help you understand what is required from you and what these laws are trying to protect people from.
Over the last decade, data privacy laws have been on most businesses' radars as news, posts, and webinars talked about CAN-SPAM, CASL, or GDPR. As time progresses these laws and policies will protect consumers by implementing stricter guidelines, and as you can see in the article linked above, many countries are aligning certain provisions closer to those of GDPR.
Unfortunately, ensuring you are compliant with every law on your own is almost impossible. Laws evolve all the time, so you need to ensure you are kept up to date with the data privacy laws that you fall under. Start by understanding what GDPR, CAN-SPAM, or CASL is looking for to understand what countries are trying to protect people from. This would also give you a good idea of what spam filters and inboxes are looking to protect their customers from as well!
For email, one crucial part of ensuring you are compliant is providing transparency to your subscribers. People want to know what they are signing up for when giving their personal data. Your checkboxes for new subscribers should be unchecked, and you shouldn't add email addresses to your campaign's list just because you have them. You need to ensure you are somehow recording and tracking your subscribers' consent: the date they subscribed and which online form or physical paper they shared their data and consent on. You should also keep a record of when someone unsubscribed. If you are using a form from an email marketing software provider, they manage storing the data for you.
All in all, you need to stay informed about changes, manage your subscribers' expectations during consent, store data securely and make it easy to opt out.
At the end of the day, every country is trying to protect consumers from the same thing, so you will see many similarities between them.
If you enjoyed this post, be sure to look for future posts in this video series by signing up for our weekly newsletter!
Check back next month to listen to our next round of email experts' answers to, "What is a DPA (Data Processing Agreement)? Who needs it? What happens if you don’t have a DPA? What are the different levels of DPA?"