Setting up Pardot for all the different legal jurisdictions you may operate in can be a daunting task. Recognizing the common goals behind these different laws lets us find common patterns and simplify how we use Pardot to achieve compliance. Join us for a broad survey of compliance laws you may or may not have thought about, and learn some practical ways to build out Pardot in a way that still offers a great user experience (and keeps your legal team happy!).
This session, led by Chloe Wilde, dives into the complexities of regional and local compliance laws, emphasizing that being compliant with marketing automation involves technology, people, and processes. The focus is on establishing the right controls within Pardot and Salesforce to manage data privacy and communication preferences.
It’s critical to distinguish between data privacy laws (which govern the collection and use of personal data) and email and communication laws (which govern messaging). GDPR is primarily a data privacy law. Always consult your legal team—this session provides technical implementation advice, not legal counsel.
CAN-SPAM (USA): Explicit opt-in is not technically required (legitimate interest applies). You must offer an opt-out mechanism for 30 days and have 10 days to process unsubscribes.
Pardot Policy: Pardot enforces a permission-based marketing policy, requiring opt-in subscriber lists and prohibiting the use of purchased lists.
CASL (Canada): Requires explicit permission unless the recipient is an active customer or has inquired about a product in the last six months. Applies to social DMs and text messages.
Australian Acts & New Zealand: Generally require opt-in (no implied consent).
GDPR establishes rights for individuals regarding their personal data, applying to any data held from EU prospects, regardless of where the company is headquartered.
Personal Data: Anything relating to an identified or identifiable data subject (e.g., a name, an email address, and cookies are all personal data).
Sensitive Personal Data: Information on race, health, religion, or sexual orientation.
Actionable Tip: If collecting sensitive data (like meal preferences for an event), gather it in a separate form that does not cookie the prospect and use the principle of data minimization (only keeping what is necessary).
Pseudonymous Data: Data (like an IP address or linked page views) that can be connected back to an individual with additional information stored elsewhere. This data becomes personally identifiable more easily than you might think.
GDPR defines six lawful bases for processing, but two apply most often to email marketers:
Consent: Explicit opt-in permission (e.g., the consent checkbox must be unticked by default and cannot be pre-checked).
Legitimate Interest: Processing information because there is a valid reason (e.g., someone spoke to a salesperson at an event booth). This is a gray area and should be used cautiously.
Grandfathering: Data obtained prior to May 2018 is not grandfathered in; GDPR applies to all data held.
US Based, Doesn’t Apply: If you hold data for any EU prospect, it absolutely applies.
Double Opt-in: Double opt-in is only legally required for prospects in Germany, Austria, or Switzerland. It is recommended globally for data validation and trust.
Salesforce and Pardot provide the tools to build a compliant infrastructure.
Design an Affirmative Opt-in Process: Update all conversion points with an explicit opt-in checkbox. Use automation rules to set statuses based on form submission behavior.
Document Policies: Document all marketing and lead generation policies. Appoint a privacy champion.
Decide on Regionalization: Choose to either adopt one policy globally (the strictest) or use Pardot features like dependent fields on forms to change opt-in options based on country.
Custom Consent Fields: Use a custom field (e.g., “Opt-In Status” with values like Confirmed, Opted Out, Unconfirmed) instead of the binary Pardot Opt-Out field. This allows you to set the “Unconfirmed” status for double opt-in processes.
The Right to Be Forgotten: If a prospect makes a deletion request, they must be permanently deleted from Pardot (including the Pardot recycle bin, not just the prospect record), from Salesforce, and from all other connected marketing systems.
Note: The right to be forgotten changes when a prospect becomes a customer; you can hold data necessary to fulfill the contract (e.g., billing) but not for marketing purposes.
Data Access Control: Use Business Units to control access to data, geographically separating data and ensuring only the employees who need certain data for their job can access it.
Forms: Clearly state what information is collected and how it will be used.
Emails: Ensure emails link to the privacy notice and include the company address in the footer.
Email Preferences: Clearly indicate that subscription options are used for marketing purposes.
Data Audit: Review custom fields to remove sensitive or unused data and ensure User Sync is used to maintain accurate access control.
List Growth: Ask for consent at all points of lead conversion.
Internal Alignment: Ensure sales and service teams are also asking customers to opt-in, making compliance a cross-departmental effort.
Marketing Automation: Automate the adding and removing of active customers and prospects to mailable lists where there is legitimate interest, ensuring data is current and accurate.
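To make the regionalization, custom consent field and legitimate-interest rules above concrete, here is an added example that is not part of the session or of Pardot itself: a small Python model of the decision logic an automation rule would encode. It assumes a hypothetical Prospect record with the session's "Opt-In Status" values (Confirmed, Opted Out, Unconfirmed), treats "legitimate interest" as an active customer relationship, models Australia/New Zealand as checkbox-only, and uses a constructed sample list; the country codes, field names and the 183-day reading of "six months" are assumptions, not Pardot identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class OptInStatus(str, Enum):
    """Values of the custom consent field described in the session."""
    CONFIRMED = "Confirmed"
    OPTED_OUT = "Opted Out"
    UNCONFIRMED = "Unconfirmed"


# Jurisdictions where the session says double opt-in is legally required (assumed ISO codes).
DOUBLE_OPT_IN_COUNTRIES = {"DE", "AT", "CH"}
# Jurisdictions the session describes as opt-in only, with no implied consent.
OPT_IN_ONLY_COUNTRIES = {"AU", "NZ"}
# CASL: implied consent after an inquiry lasts six months (modelled as 183 days, an assumption).
CASL_INQUIRY_WINDOW = timedelta(days=183)
# CAN-SPAM: unsubscribe requests must be processed within 10 days.
UNSUBSCRIBE_PROCESSING_WINDOW = timedelta(days=10)


@dataclass
class Prospect:
    """Hypothetical prospect record; field names are assumptions, not Pardot's."""
    email: str
    country: str                 # assumed ISO 3166 alpha-2 code from the form's country field
    consent_checkbox: bool       # explicit, non-pre-ticked opt-in box on the form
    double_opt_in_confirmed: bool = False   # clicked the confirmation email
    active_customer: bool = False           # basis for legitimate interest
    last_inquiry: Optional[date] = None     # CASL: product inquiry date
    opt_out_requested: Optional[date] = None
    opt_out_processed: bool = False


def resolve_opt_in_status(p: Prospect, today: date, strict_global: bool = False) -> OptInStatus:
    """Map form behaviour and region to the custom consent field value.

    strict_global=True applies the strictest policy everywhere (explicit
    consent only); False applies the per-country rules from the session.
    """
    # An opt-out always wins, regardless of any earlier consent.
    if p.opt_out_requested is not None:
        return OptInStatus.OPTED_OUT
    if p.consent_checkbox:
        # Germany, Austria and Switzerland require a confirmed double opt-in.
        if p.country in DOUBLE_OPT_IN_COUNTRIES and not p.double_opt_in_confirmed:
            return OptInStatus.UNCONFIRMED
        return OptInStatus.CONFIRMED
    # No explicit consent from here on.
    if strict_global or p.country in OPT_IN_ONLY_COUNTRIES:
        return OptInStatus.UNCONFIRMED
    if p.country == "CA":
        recently_inquired = (
            p.last_inquiry is not None and today - p.last_inquiry <= CASL_INQUIRY_WINDOW
        )
        if p.active_customer or recently_inquired:
            return OptInStatus.CONFIRMED
        return OptInStatus.UNCONFIRMED
    # Elsewhere (US under CAN-SPAM, EU under GDPR) only an active customer
    # relationship is treated as legitimate interest; anything weaker stays
    # Unconfirmed, because the session flags legitimate interest as a gray area.
    return OptInStatus.CONFIRMED if p.active_customer else OptInStatus.UNCONFIRMED


def overdue_unsubscribes(prospects: List[Prospect], today: date) -> List[str]:
    """Audit helper: emails whose opt-out is older than the 10-day CAN-SPAM window but unprocessed."""
    return [
        p.email
        for p in prospects
        if p.opt_out_requested is not None
        and not p.opt_out_processed
        and today - p.opt_out_requested > UNSUBSCRIBE_PROCESSING_WINDOW
    ]


# Constructed sample data (not real prospects).
TODAY = date(2024, 3, 1)
SAMPLE = [
    Prospect("a@example.com", "DE", consent_checkbox=True),
    Prospect("b@example.com", "DE", consent_checkbox=True, double_opt_in_confirmed=True),
    Prospect("c@example.com", "CA", consent_checkbox=False, last_inquiry=date(2024, 1, 15)),
    Prospect("d@example.com", "CA", consent_checkbox=False, last_inquiry=date(2023, 3, 1)),
    Prospect("e@example.com", "US", consent_checkbox=False, active_customer=True),
    Prospect("f@example.com", "AU", consent_checkbox=False, active_customer=True),
    Prospect("g@example.com", "FR", consent_checkbox=True, opt_out_requested=date(2024, 2, 10)),
]


def resolve_all(prospects: List[Prospect], today: date, strict_global: bool = False) -> dict:
    return {p.email: resolve_opt_in_status(p, today, strict_global).value for p in prospects}


if __name__ == "__main__":
    for email, status in resolve_all(SAMPLE, TODAY).items():
        print(f"{email}: {status}")
    print("overdue unsubscribes:", overdue_unsubscribes(SAMPLE, TODAY))
```

Run as a script to see each sample prospect's status and the one unsubscribe that has sat unprocessed past the 10-day window; flipping strict_global to True collapses every non-checkbox case to Unconfirmed, which is the "one policy globally" option from the regionalization step.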