Marketing Data Privacy: What Brands Need to Know

Will Rice
First published January 11th, 2024
Last updated May 15th, 2024
Explore marketing data privacy: Learn about privacy laws, cookie policies, myths, and best practices to build customer trust and compliance.
Marketing Data Privacy: What Brands Need to Know

Today, people are both more aware and concerned over how businesses use their data. Going forward, marketing and data privacy needs to be a top priority for businesses. Here’s how you can build a path to success.

This is a write-up of Jodi Daniels’s talk that she gave at GTM4ward. Here you can find her slides.


The roadmap to trust

Data privacy is all about building trust and connecting with our audience. This means answering questions like:

  • What type of data is being collected?
  • How is it being used?
  • Where is it being stored?
  • How is it being shared?’
  • What control does a user have?

Unfortunately, lots of consumers don’t trust the brands they interact with. Surveys show that as many as 72% of Americans are reluctant to share personal data with businesses. This can have major consequences, 73% of customers “would spend significantly less” for products or services
from a business that lost its trust.

Think about every time you’ve ever chosen to buy something and haven’t given specific credit card information to a site. Instead, you’ve chosen to use a different type of wallet such as PayPal, Amazon, or Apple Pay.

You’ve done this because you don’t trust a site with your credit card details. You’d rather store trust an intermediary with your credit card information. This is the case for how people view their data online.

Individuals are wary of how much data they’re giving to people online. They only want to share details with companies that they trust.

To put it simply, to stay on top of your marketing and data privacy requirements, you need to build a roadmap to trust. This begins with a privacy policy. Think of this as the outward-facing communication roadmap with all your customers and prospects.


Common myths

There are plenty of common myths relating to data privacy. Let’s tackle some of these head-on.


My organisation is TOO small

Globally, many of the privacy laws like GDPR have no minimum threshold. The scope of your business doesn’t matter, you still might fall into the jurisdiction of privacy laws.

In the United States, you might find some floors. A handful are revenue-based, but the majority look at the volume of customer data points. This means that each user that visits your website is classed as a data point.

The reality, of course, is that most customers don’t know data privacy laws. The average customer is probably unaware that certain areas have thresholds. This means when they see that website A offers certain privacy options, they think that website B should offer the same.


All websites need a cookie banner

It might be that all websites should have a cookie banner. In reality, though, this rule isn’t required everywhere in the US.


All marketing is opt-in

All marketing is not opt-in. Again, whilst globally, a user must generally ‘opt-in’ to marketing, this isn’t the case everywhere in the US.


No one cares about privacy

Does anyone really care about privacy? After all, most people want convenience above all. They’re going to expect that you track data–every online business does this.

Actually, people do care about privacy–as we illustrated with the stats we showed earlier. The more that companies mishandle data, the more data-aware people become. This means that consumers starts to care even more about their data.


All our data is in the cloud and we’re fine

If you use a service like Shopify, will they secure all your data and follow privacy laws? Unfortunately not; Shopify is responsible for Shopify, you are responsible for your E-commerce site. This includes all the data you collect, how it is used, shared, accessed, and much more.

Shopify will house your data. It’s up to you to oversee your data. The same goes for any other platform and any data you store in the cloud.


Data privacy is everyone’s responsibility

Sometimes, people think that data privacy is the job of the legal or compliance teams. Actually, though, everyone should care about data privacy. Every single person in your organization is likely processing data in some capacity.

It isn’t always just employees that are impacted either. If you’re processing applicant data, then you fall into the jurisdiction of many worldwide privacy laws.

If you are in a marketing role and have anything to do with an IP address or an email address, then you’re involved with data privacy.


What are the core requirements of a privacy program?

The image below shows all the pieces that make up a privacy program. Let’s tackle each piece individually.


Things that make up a privacy program.


Image Source: Red Clover Advisors

Establish governance – Someone is ultimately responsible for data privacy in your organization (although everyone has a role).

Policies & standards – There are internal and external privacy policies.

Data inventory – This is cataloging all the data that you have in your organization. Perhaps a team has asked you to help them understand the kind of data you have in your business processes.

Privacy impact assessments – This is a deeper dive into identifying all the privacy risks around how data is processed at a particular level. This is required for pretty much all retargeting in almost every privacy jurisdiction.

Individual rights – Has anyone ever opted out of cookies or asked for data to be deleted? These are some of the individual rights you will need to fulfil.

Vendor management – You’re responsible for knowing who the data is going to and what they are doing with it.

Marketing strategy and preference management – We’ll spend more time talking about this point below.

Security – How is data protected? This is a very important piece of a privacy program.

Training – Every employee needs to know about privacy and how it relates to their role.

Sustainable compliance – Compliance needs to be sustained. Once a privacy program is created, you need to maintain it. There will be new privacy laws introduced frequently. It’s your job to have processes for incorporating any new procedures.


Individual Rights Process

If you encounter a cookie banner and can accept or reject it, this is an individual right. You’ll want to think about the following stages:

  • Individual makes a request.
  • Company receives it.
  • How will the company honor the request?
  • How will the company communicate to the individual?
  • Working with a long list of consumer rights, access, opt-out, delete, etc.
  • Train anyone in the company who might interact with customers.


Individual Rights Process when someone encounter a cookiee banner


Privacy considerations before kicking off a new product, service, or marketing campaign

Think about the period before you launch any new marketing campaign. It’s important to understand the types of data that are being collected. Whenever you launch a new project, someone inevitably else asks ‘How much does it cost?’, ‘What’s the technology?’, ‘is there a legal requirement?’.

In the same way, we need to ask ourselves a list of privacy questions.

  • What type of data is being collected?
  • Is it sensitive?
  • Is it required?
  • Where will it be stored?
  • What will my customer/prospect think?
  • Is it covered in the privacy notice?
  • Are there any privacy laws in scope?
  • Are there additional security measures needed?

You don’t need to be a privacy expert here. Just think about these questions so that you can identify the right people in your organization.


Privacy 101

We’re on a big hockey stick of privacy laws. Every state highlighted in green in the image below has passed and signed privacy laws (not all are effective yet but will be coming into place).


US state privacy legislation tracker


This image illustrates the challenges of dealing with cross-state data laws. It’s important to note, each law has a very different scope.

Below is a timeline of how the ‘privacy trend’ started. As you can see, going forward there is a minefield of legislation to be aware of. Many of these new laws are mirrored on GDPR and will further impact how businesses deal with data.


How the privacy trend started with GDPR


Cookie requirements are NOT created equal

We mentioned at the top of this article that not all marketing is opt-in. You don’t always need a cookie banner.

Cookie requirements are not created equal. Users need to opt-in to cookies in the EU and UK but don’t in the US (at least, until Washington’s data law comes into effect and this may apply in select instances).


Typical Type of cookies

We have several different types of cookies. Let’s look at each.

Strictly necessary cookies are essential to site functionality. These are the cookies that keep items in a shopping cart or remember login credentials.

Preference cookies, also known as functionality cookies, allow a site to remember things like
language preferences, region. settings, etc.

Statistics cookies, sometimes called performance cookies, anonymously collect
information about how users interact with a site (Google Analytics, for example, are
statistics cookies).

Marketing cookies collect identifiable data about an individual user’s online
activity in order to deliver relevant advertising.

You can have strictly necessary cookies without needing consent. It’s the rest of the cookies that are the challenge. You’ll have to look by the jurisdiction in which your customers are based. This might involve opt-in or opt-out consent. You’ll need to understand all the different types of cookies that you use to accurately deal with consent.


How is ‘sale’ defined

The United States covers a concept called ‘sale of data’. A sale of data can include ad tech. This means that analytics cookies are considered a sale of data. As a result, you have to do a long list of things.

As you can see in the image below, California led the way and other states followed suit.


how california led the privacy legislation and other states follow


What do I need to know about “sale”?

As mentioned, you need to understand every cookie that you are using. You’ll likely need a link at the footer of your home page that says ‘opt-out’ of sale. Your privacy notice also cannot state that you do not sell data.

You must confirm that your organization–in particular, your sales and marketing teams– understands the new definitions and interpretations of what constitutes a ‘sale’.

Equally important is to ​​review and update your privacy notices to accurately and
completely reflect any ‘sales’.

Sephora found itself in trouble by not following this rule. The company used third-party analytics cookies on its site and did not disclose that they were a sale of data. By avoiding marketing data privacy laws, the company had to pay $1.2 million in fines, plus legal fees and navigate significant negative PR.


Opt-In/opt-out and links on websites

Rules for opting-in and opting-out are equally complicated. As you can see below, rules change dramatically from state to state and across the globe.


Opt-In/opt-out rules in various states and in the GDPR


What do I need to know?

To avoid being caught out, try to bear the following points in mind:

  • Implement consent mode tools to allow individuals to opt-in to the collection and processing of personal data and to opt-out of the sale or sharing of personal data for targeted advertising.
  • Include a “Do Not Sell or Share My Personal Information” (or alternate) link on your website’s homepage (or state in your Privacy Notice that personal data is not being sold).​
  • Recognize the Global Privacy Control Opt-Out Signal (“GPC”). GPC is a browser setting that notifies websites of a user’s privacy preferences, such as not sharing or selling personal data without their consent, by sending a signal to each website a user visits.


How do you handle all of this?

Not all cookie consent or banner options are considered equal. There is a lot of nuance to think about for each kind of cookie banner. Try to bear the following points in mind.

  • You need to have a banner that describes what you are doing. What are the kinds of cookies that you have in pixels? Do you have analytics, advertising, social media, or any other cookie types?
  • List if you use any session replay cookies. Session replay can raise all sorts of pixel litigation lawsuits. Make sure that all session replay cookies are opt-in.
  • Include a link that allows users to change their cookie settings. It’s also useful to link to your privacy policy.
  • Include symmetrical options. In other words, don’t just have an option to accept but also allow users to reject cookies.
  • Keep in mind that some cookie consent solutions have special nuanced configurations within GTM.
  • It isn’t acceptable just to say that you use cookies. You need to explain how cookies are being used.

Introducing dark patterns!

Dark patterns are becoming a big issue for marketers. If you don’t know, these are user interfaces that are designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

Avoid big font that influences the user to behave in a way that is best for the company. Always think about the customer first.


What do I need to do about dark patterns?

You avoid the issue of dark patterns, you can take the following steps.

  • Review your user interfaces to identify and eliminate any dark Patterns.
  • Consider engaging an independent party outside of your organization and/or conducting user testing facilitated by a market research firm to identify any potential dark patterns, particularly in any consent process.
  • Include input from individuals representing different populations (such as age, gender, race, and level of education) in any review or user testing so that different perspectives and experiences can be considered.
  • Add training on dark patterns for your teams that develop web interfaces and consent processes.


Regularly perform a cookie audit

It’s highly encouraged that you do regular cookie audits. Cookies are dynamic and they change. New cookies and pages are taken off and added daily.

So, regularly, review the cookie consent software solution for

  • Cookie banner language.
  • Cookie banner consent settings (notice only, opt-in or opt-out, or implied
  • Cookie categorization.
  • Cookie consent software implementation.
  • Create a cookie policy.
  • Cookie audit to review the tech works.


Privacy Notices

Privacy notices tell users what information is collected, used, stored, and shared. There are two key points to privacy notices. Firstly, they need to say what you do. Secondly, though, and more importantly, you must do what you say.

Remember, data privacy is everyone’s responsibility. Teams need to work together and communicate what’s happening with data.


What goes into a privacy notice?

  • What Data Collected
    • Ex. If children’s information is collected, state this here and explain in the use section how it is used.
  • How Data is Used
    • Ex. Used for sending tickets, for camps, medical emergencies, processing donations
  • Where Data is Shared
    • Ex. Third parties like email service providers, ticketing and donation platforms, third party nurses for camps.
  • Cookies & Trackers
    • Describe types of pixels and cookies used with an industry opt-out like
    • Link to Facebook, Google and all Social Media platforms direct opt-out pages.
  • Privacy Choices
    • How can people opt-out or request information?
  • Privacy Law Requirements
    • Depending on your organization’s size, you might have to add in specific privacy law sections.
  • Standard Other paragraphs
    • There are many other paragraphs like the effective date and the sites it applies to, children’s data (if you don’t collect), international, security, links to third-party sites, changes, and more.


Individual rights

The chart below shows how complex individual rights can be. Most of the diamonds don’t align completely. Each piece of legislation has drastically different rights.


How each piece of legislation has different rights.


What about people with no individual rights?

You need to decide what you will do for users that have no individual rights. Will you show them the cookie banner, or only use the banner in regions that are required? If a user asks you to delete their data, will you include them?

In short, you need a process for dealing with these issues. It’s the job of your organization to keep track of these procedures. Training is essential for providing employees with the know-how to deal with these situations.


Going forward

Hopefully, you understand that this is all about trust. If you want people to hit the ‘accept’ button on your cookies, you have to explain why doing so will benefit them. You need to know what you’re doing with the information and how users can build a relationship with you.


Privacy is here to stay

More laws are coming globally that will impact marketing data privacy. You must inform users about what is happening with their data. You should only collect what is needed and always have a business purpose for collection. When you do collect data, make sure that it is always protected.

How can you future-proof? Simply, by knowing your data. Make sure to review the privacy notice, maintain good security, and think about the customer first.

Remember, you can always invest in outside help if you need additional assistance. MeasureMinds offers a GDPR compliance service to help make sure everything is GDPR & cookie-compliant.


Tips for success

To finish off, let’s recap some of our top tips for success.

  • Someone needs to own privacy, if no one does, volunteer someone.
  • Privacy is not a set-and-forget activity, it is constantly ongoing.
  • Remember the basics:
    • Collect what you need to.
    • Disclose why you are collecting it.
    • Allow the individual choices (ex. Chance to
    • Protect the data
    • Know your vendors, if you use a third party pixel what are they doing with the data.
  • If you’re ever unsure, just ask!
  • When you’re gathering any data, always put the customer first.
  • Don’t just copy what others are doing. Your individual needs will probably be quite different.


Download Red Clover Advisor’s FREE checklist

Red Clover Advisors have created a free checklist that covers global data laws. Why not follow this link and download a copy?


Data privacy and Google Analytics

Are you using Google Analytics? we have a great article on GA4’s privacy features that you should activate. But if you need further help with your Google Analytics or Google Tag Manager setup, please get in touch.


About Jodi Daniels

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy, that simplifies data privacy compliance, helps companies build trust with customers, and serves as the outsourced privacy officer for organizations. Jodi is a national keynote speaker, co-host of the top ranked She Said Privacy / He Said Security Podcast, co-author of Wall Street Journal & USA Today best selling book Data Reimagined: Building Trust One Byte at a Time.

Profile picture of jodi daniels

Will Rice
Follow me
0 0 votes
Article Rating
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Articles from our Blog
Would love your thoughts, please comment.x