By Dennis Dayman, CIPP

If you hear "CAN-SPAM" and think of spiced ham or think "C-28" is a Chinese restaurant combo platter, you're either really hungry or--more likely--you're in need of a refresher on the rules for e-mail regulations.

Recently, there has been an increase in e-mail regulations. The CAN-SPAM Act, passed in 2003 and amended in 2008, was one of the earliest legislative efforts to rein in spam and ensure e-mail regulations. Just this past year, on December 15, 2010, Canada passed the C-28 Anti-Spam Act, making the sending of unsolicited commercial e-mails to or from Canada a prosecutable offense. Another bill--H.R. 5777, the Best Practices Act--is being discussed in the U.S. If passed, that bill will require transparency and disclosure when organizations collect personal data about online users' behavior and will only allow data recording from users who opt in.

As important as these laws are for e-mail marketers, the trend they represent is even more critical. With the increasing number of data breaches, for every attempt to bend the rules or profit at the expense of consumers, new legislation is created to prevent future offenses and punish the offenders. In this environment, noncompliance is not an option--marketers must understand and comply with privacy rules and regulations.

Knowing every letter of every law, however, is excessive. What marketers need to know are the guidelines common to most privacy laws. Here are five best practices:

  • Transparency: Telling people how you are collecting their data and what you're going to do with it are two things that marketers should have been doing all along. They are also major components of current and upcoming legislation--C-28 and H.R.5777. Informing people how their data will be used to cater to their specific interests is a much more successful and sustainable policy than withholding information from prospects.
  • Consensual activity: Marketers must realize if they are engaging in cross-border marketing, they now need approval from the recipient. The change isn't drastic; it requires little more than a Web page field that asks, "Can I send you something, yes or no?" For marketers, this is actually good news because e-mails won't be wasted on people who don't have a genuine interest.
  • Relevancy: Contacting only the people who want to be contacted and sending only the information they want is the heart of relevancy. It's also a major component of privacy. Avoiding the "I didn't want this" spam-button click reaction was once key to staying off blacklists; soon it may be part of staying out of the courtroom. The requirement for consent is a foundation for relevancy, but even after gaining a recipient's consent, the burden lies on marketers to send relevant content.
  • Adaptability of privacy policies: Laws can go only so far in defining acceptable privacy policies. To truly serve and protect people, organizations should be able to address privacy concerns at any point in a marketing process. The concept known as Privacy by Design asserts that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must become an organization's default mode of operation, ideally. Privacy by Design presents a set of "foundational principles" that can help companies innovate in ways that are consistent with Fair Information Practice Principles (FIPPs). With ever-changing privacy requirements, the ability to revise one's settings is not only an advantage but also a necessity.
  • Clarity: Small print and legalese should be a dead practice for marketers. The need for transparency, consent and relevancy can be undermined by unclear terms, confusing jargon or complicated clauses. People are much more apt to share data and continue receiving e-mails and other marketing messages when they understand what is going on. Already, draft bills and self-regulatory practices emphasize clarity, and, whether ratified or not, it makes sense to strive for clear messaging. A privacy policy just isn't enough anymore. This means that you will need to be "hyper transparent" when you're collecting, transferring and processing PII. You can NO LONGER think that posting in your privacy policy what you are doing with a person's information is sufficient. You need to become "hyper transparent."

These five points are compelling, but what else do marketers have to gain by complying with privacy laws and best practices? Efficiency.

A study conducted by Return Path found that more than four-fifths of e-mail delivery problems result from a sender having a poor reputation. A poor sender reputation stems from the regular bending or breaking of privacy rules and dissatisfied prospects reporting spam or noncompliant behavior. This means that noncompliant marketers attempting to reach a wider audience or build a bigger database--those valuing quantity over quality--are shooting themselves in the foot. Though an organization with a bad sender reputation may send out a greater volume of e-mails, the likelihood of those e-mails actually being effective or even being read is much lower than a reputable and compliant company.

Fear of sanctions and avoiding inefficiency shouldn't be the only motivators for organizations. As fundamental as it sounds, keeping prospects and consumers happy should always be top of mind for marketers.

According to Todd Defren, a principal of SHIFT Communications, "A happy customer tells three friends. An unhappy customer tells Google." What this translates to is for every one e-mail sent to a happy and well-informed recipient, there exists the possibility of additional word-of-mouth referrals. Or, in other words, it can literally pay to respect the privacy, consent and intelligence of a client or prospect.


Today, there is no reason not to comply with privacy rules and regulations. The laws and best practices are designed to satisfy and protect the people involved, while also affording organizations the potential to grow revenue and client base. If compliance is a question of capability as opposed to intent, third-party privacy monitoring and auditing services such as TRUSTe are available to ensure everything is as it should be. With all the information available, it makes sense for marketers to keep SPAM canned and have C-28 on the menu.

Compliance drives demand, leads and revenue.

Dennis Dayman, CIPP, is the chief privacy and security officer for Eloqua.


If you want to comment on this post, you need to login


Related Posts