GDPR, CASL, CAN-SPAM, Oh My!

Skill Level: Intermediate

Learning Track: Tech, Compliance

Setting up Pardot for all the different legal jurisdictions you may operate in can be a daunting task. Recognizing the common goals behind these laws lets us find common patterns and simplify how we use Pardot to achieve compliance. Join us for a broad survey of compliance laws you may or may not have thought about, and learn some practical ways to build out Pardot that still offer a great user experience (and keep your legal team happy!).

GDPR, CASL, CCPA and CAN-SPAM are the main compliance laws we need to understand and build for in Pardot so that our marketing automation stays compliant. The legal side of marketing isn't always the most exciting part of marketing automation, but it is really important. We will cover some local and regional laws, dive into GDPR, look at the compliance tools available in Pardot, and review how to get into compliance.

Do Pardot and Salesforce actually comply with GDPR? The short answer is yes: they give you the tools you need to get into compliance. The long answer is that there are a lot of moving parts involving people, processes, and the technology you use.

What are those laws, and how do we build these tools to work with them? None of us are lawyers; we simply know how to make the tools do what we need them to do to comply with the laws we have. Good advice can point you in the right direction, but always consult your legal team.

What really matters to us is the marketing lens on all of this: how we grow our lists in a compliant way, how we keep them warm, how we get the data we need to improve performance, and how we personalize without annoying anyone. There is also a distinction in terminology that is key to this conversation: data privacy laws (which govern how personal data is collected, stored and used) are separate from email and communication laws (which govern when you may send a commercial message).

Local and Regional Laws 

As marketers, we're always asking, "Is it okay to send this email?" But GDPR is primarily a data privacy law, and the email laws are separate and different. You're probably most familiar with the US CAN-SPAM Act. CAN-SPAM differs from GDPR in that no explicit opt-in consent is required; it works closer to a legitimate-interest model. You must provide an opt-out mechanism that keeps working for at least 30 days after the message is sent, and you have 10 business days to honor an unsubscribe request.

However, Pardot has a permission-based marketing policy, so it requires all of us to create and manage opt-in subscriber lists, and it is always best to try to get that explicit opt-in on your forms. That policy also prohibits purchased lists, even though CAN-SPAM permits them: do not upload a purchased list into Pardot, because sending to it violates the policy.

Additionally, California has its own version of these laws as of January 1, 2020: the California Consumer Privacy Act (CCPA). Companies must be transparent about the types of personal data they hold on you, consumers can opt out of the sale of their data, and they can request that their data be deleted. The California law could pull the rest of the US closer to the GDPR model we are familiar with.

Global Regulations

Looking at the rest of the world, Canada has CASL. There is again a distinction between email communication laws and privacy laws. Under CASL you will mostly need express consent unless the recipient is an active customer; implied consent also covers anybody who has enquired about your products in the last six months. CASL applies not only to email but also to text messages and some social media direct messages.

Then there are the data privacy laws, such as PIPEDA. You need consent to collect, use or disclose personal information, you need to take precautions when working with third parties (especially if you are buying lists), and you have the 10 Fair Information Principles, which are published online and are worth knowing if you market in Canada.

Brazil's LGPD likewise defines 10 legal bases for processing data, and sensitive information must be treated differently, which is another common thread. Australia has several relevant acts, and people marketing there have had a lot of questions recently. The Spam Act requires consent (express, or inferred from an existing relationship) before you send commercial messages, so you cannot send without it the way CAN-SPAM allows in the US. New Zealand is a little less stringent, but again it has a list of privacy principles, as many of these laws do, and consent is required, so there is no legitimate-interest route.

GDPR

Finally we get to GDPR, the one you are probably most familiar with, because everyone is talking about it. You need a legal basis for processing personal data. Opt-in must be explicit: you cannot pre-check a checkbox on a form, and you cannot grandfather in data you held before GDPR took effect in May 2018. There is a lot to take away here.

On the email side, the obligations sit alongside the data privacy rules. The ePrivacy Directive (with a proposed ePrivacy Regulation intended to replace it alongside the GDPR) requires prior consent to send marketing email, allowing only a narrow "soft opt-in" for existing customers being offered similar products, and it forbids disguising or concealing the sender's identity. You need to be transparent and considerate in your marketing.

Since 2018 there have been some big fines, but not as significant as many of us expected. The largest so far have been against Google, British Airways and Marriott, and all were about data privacy: Google failed to be transparent, and the other two were data breaches. None of the headline fines were for spam email, which is what we were all afraid of.

If you actually look at the legislation, how many times does the word "email" appear in the GDPR? Only once, and there it is simply an example of data that identifies a person. What GDPR is really about is establishing rights for individuals with regard to their data privacy.

Types of Data in GDPR 

What data is actually governed by GDPR? First, personal data: anything relating to an identified or identifiable data subject, down to your favorite color. Second, sensitive personal data, which GDPR calls special categories: race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation. A good example of where this creeps into Pardot is asking for meal preferences or T-shirt sizes ahead of an event, because religious or health information can be inferred from those answers. Gather that information on a separate form that does not cookie the prospect: we do not need to link somebody's T-shirt size to their email address, we just need the count of each size. Keep that data separate, apply the principle of data minimization, and delete anything you no longer need afterwards.

Next, pseudonymous data: data that cannot be connected back to someone without additional information stored elsewhere. For example, say you are reading Jenna Molby's book and Jenna has recorded your IP address and the pages you are viewing. You have been cookied, but you are pseudonymous, because without your name and email address Jenna does not know it is you.

This gets interesting when we look at cookieing prospects in Pardot: how much information do we actually have? What intelligent guesses can we make about who a person is when they are cookied but we do not have their name? It is easier to re-identify people than you might think, at which point that data becomes personally identifiable. So it is important to know what kind of data we have, and to hold only as much as we need to do the job we set out to do.

Then there is anonymous data. Let's be honest, we are in marketing: it barely exists. Unless you are literally putting a suggestion box in the middle of a forest, your data is probably not anonymous, for the reasons just described. GDPR provides six lawful bases for processing data, but only two really apply to us as email marketers: consent, where the person has explicitly opted in, and legitimate interest, the idea that we can process information where there is a valid reason that is not outweighed by the individual's own interests and rights. Legitimate interest is a big gray area; for marketers it is probably only going to apply to cases like somebody coming to speak to a salesperson at an event booth.

So what do we consider personal data when we look at what we have in Pardot? Firstly, cookies are personal data: we are tracking someone, and once they convert the cookie is linked to their email address, so it is absolutely a use of personal data.

Compliance Misconceptions

Here is a quick summary of what you should be doing to comply with GDPR. First, document your internal processes. Run data protection impact assessments (DPIAs) for any new technology you introduce into your tech stack, and work out how data moves between the different platforms. Certain types of business will need a data protection officer, depending on the vertical you work in and the regions you market in. Create privacy policies and make sure they are linked from the relevant places in Pardot, such as your email footers. Finally, understand your reporting obligations when a data breach occurs.

There are some common misconceptions about GDPR. A lot of people think that because they are US-based, GDPR "doesn't apply." If you hold data on prospects in the EU or UK, for example because somebody from the UK filled in one of your forms, it absolutely applies.

You think your data is grandfathered in: it is not. If you obtained it before May 2018, GDPR still applies to that data. You think you need to hire a data protection officer: only some organisations must. GDPR ties the requirement to the nature and scale of your processing, and some member states add their own thresholds, so that is a conversation to have with your legal team.

Another common misconception is that everybody needs a double opt-in process. In practice double opt-in is expected only for prospects in Germany, Austria or Switzerland; those are the three countries where it really matters. It is still worth considering elsewhere, because it is a great way not only to build trust with your prospects but also to validate data and keep junk sign-ups out of your system.

Compliance Tools with Pardot

What is Pardot doing about all this? There is the Pardot cookie banner, so visitors can opt in to tracking on a per-country basis. There is the right to be forgotten: in Pardot, that means moving the prospect to the recycle bin, but remember that although Pardot stops tracking prospects in the recycle bin, you still need to permanently delete them from it. You also need to delete them from Salesforce and from anywhere else in your marketing tech stack that holds that data, unless another legal basis (such as fulfilling a contract with a customer) requires you to keep it.

Finally, there are business units. Several GDPR articles cover data minimization and restricting access to data to only those who need it. Business units are a good way of doing this, because you give data only to the people in the business who need it for their job; breaking things out geographically is a good way of tackling that. Salesforce also has some great educational resources if you want to dig deeper.

Here are some common questions, and some things you can do in Pardot to tackle this yourself and become GDPR heroes. "Is an email address personal data?" Yes, because it can be traced to a person. "Will keeping limited data limit our exposure?" Yes; data minimization is central to GDPR. Don't keep data you no longer need, especially data connected to time-bound events or campaigns. If you don't need it anymore, get rid of it.

"If a prospect attends an event, is that legitimate interest?" This is a gray area, but technically yes, more so in the US than in the EU. If somebody has come up to your stand, spoken to a salesperson, or handed over a business card, it is tricky: they have not ticked a box to say they explicitly opt in. Again, that is a conversation to have with your legal team.

"Is opting out the same as the right to be forgotten?" No. Somebody who opts out is saying, "It's okay that you have my data, I just don't want to receive marketing." Somebody making a right-to-be-forgotten request is saying you need to delete their data from your systems completely. On that note, "Does the right to be forgotten change when a prospect becomes a customer?" Technically yes: once somebody is a customer, you can hold as much information as you need to fulfill the contract between you, such as billing details, but not for marketing purposes.

"When do you need a double opt-in strategy?" If your prospect is in Germany, Switzerland or Austria, you definitely need one. It is worth looking into outside those countries too, for the data validation benefit and for building a relationship with prospects who you know want to hear from you.

Design, Document, Decide

Here are some action items to take away. Design an affirmative opt-in process: update any custom fields and automation rules, update all of your conversion points, and make sure you have that explicit opt-in checkbox. Make sure Pardot is doing what it needs to do to be compliant with your local laws.

Document all of your marketing and lead-gen policies. This is really important: nobody wants to be audited by the ICO (the UK Information Commissioner's Office), and having that documentation ready is very useful. Review your privacy policy and make sure it is linked from your email footers and anywhere else prospects interact with you, such as your landing pages. Make sure you have a privacy manager, or at least a champion for GDPR compliance, in your business or your team.

Decide whether to regionalize this or adopt one policy across the board. Pardot automations can take different actions depending on the prospect's country; for example, dependent fields on Pardot forms can show different opt-in options depending on the country the prospect chooses.

Areas to review in Pardot: forms (do they state what information will be collected and how it will be used?); emails (do they link to the privacy notice, and does the footer carry your postal address?); email preferences (have you indicated that the subscription options on your preference page are used for marketing purposes?); custom fields (do you have any sensitive ones, is the data current and accurate, and can you remove anything you no longer use?); and access, which is the big one (are you using Salesforce User Sync, are all of your Pardot users current and necessary, and is every place and system that processes personally identifiable information well documented and within easy reach of all of your teams?).

Then there are a few things to look at in Salesforce as well: data deletion, consent management, controlling visibility using profiles and organization-wide sharing defaults, and setting up custom objects in Pardot. There is a lot you can do here, but you are probably wondering, "Who am I going to market to after I have removed all the data without consent?" There are plenty of ways to grow lists compliantly. Ask for consent at points of lead conversion. Automate adding clients and active prospects to mailable lists where legitimate interest applies, and removing them when it no longer does, so that data stays current and accurate. Make sure you have called out everything you do in your privacy notice. And make sure your email preference page is up to date and that the email footers used by sales and service teams also invite people to opt in. We are really taking this beyond marketing, to anybody who is customer-facing and working with our clients.

About the Author

Chloe Wilde, CRM & Marketing Automation Strategist, Sercante

Chloe Wilde is a 2x Pardot certified consultant with a background in sales, product marketing and digital strategy, with a focus on GDPR and compliance in marketing. In her free time she reads obsessively, plays video games competitively, and enjoys hiking in the Malvern Hills where she lives.
