
Privacy Compliance in 2025

  • Writer: Jeff Nolan
  • Apr 8
  • 8 min read


I’ve been meaning to write this article on privacy compliance for marketing professionals for a while now, but the topic is so vast it could easily fill an entire book—something I’m not keen on tackling.


This article is best described as an introduction to the topic, giving you a framework for evaluating your current privacy compliance posture and the areas to focus on building out. Let’s begin by acknowledging a critical gap: the difference between complying with the intent of privacy regulations versus strictly adhering to the letter of the law. This distinction matters because regulators may either grant leniency or take enforcement action depending on whether they believe you’re genuinely honoring the spirit of these laws. Intention goes a long way with regulatory authorities, and that goodwill becomes a reservoir you dip into when you are doing something new or pushing a boundary.


Navigating Multiple Jurisdictions


The first thing marketers need to understand is that privacy regulations vary across geographic regions, and you don’t need to be physically operating in a region for its rules to apply. For example, if someone in Germany visits your website and shares personal information, you’re immediately subject to the GDPR (General Data Protection Regulation).


Here’s a simplified breakdown of the global landscape:


  • GDPR (Europe and UK): The most established privacy framework, GDPR is well-understood by professionals but constantly evolving. Regulators are increasingly cracking down on violations, making compliance a moving target.

  • California Consumer Privacy Act (CCPA): While focused on California, the CCPA applies to any business collecting data from California residents. With a growing number of law firms specializing in privacy lawsuits, even businesses outside California can be targeted. If you operate in the U.S., following CCPA is a smart default, especially since it shares many principles with GDPR.

  • Rest of the World (RoW): Many countries have their own regulations, but tracking each one isn’t practical. Fortunately, adhering to GDPR and CCPA generally puts you in a strong position globally.

  • China: China’s privacy laws, like the Personal Information Protection Law (PIPL), are complex and often opaque. They cover personal information collection, cybersecurity, and data security, but regulatory expectations can be unclear, making compliance challenging.


Familiarizing yourself with these principles isn’t just recommended—it’s essential to mitigate legal risks and potential fines.


A unique aspect of the CCPA is that it allows private law firms to initiate lawsuits. In my experience, these firms often make exaggerated claims, betting that companies will settle rather than fight. However, if you thoroughly understand your obligations and how your website and data practices function, you can confidently push back against baseless claims.


The Age of Consent


Consent is a cornerstone of privacy law, a principle solidified since GDPR’s introduction in 2018. The key question is: Are you obtaining explicit consent every time you collect personal information for marketing? I’ve seen cases where companies obscure the consent process, using deceptive tactics to imply agreement.


This is where the intent and letter of the law diverge significantly. Practices that might have been overlooked in the past no longer pass muster. To keep things concise, here are the essential consent guidelines:


  • Don’t pre-check consent boxes: Users must actively opt in.

  • Provide links to privacy policies and terms: Transparency is non-negotiable.

  • Don’t assume submission equals consent: A separate checkbox is required for users to affirm their agreement.

  • Include a policy consent checkbox: Confirm that users “read, consent, and agree” to your privacy policy and user agreement. This builds a foundation for a deeper, long-term relationship.

  • Use clear, concise language: Design a user interface that makes data-sharing consent unambiguous.

  • Bonus: Offer separate checkboxes for different communication types (e.g., corporate news, promotions).


For countries requiring double opt-in—notably Germany, Austria, and Switzerland—you must confirm a user’s intent after their initial sign-up. This typically involves sending a follow-up email or SMS with a link for the user to verify their consent. In these jurisdictions, double opt-in is legally mandated, and non-compliance can lead to hefty penalties.


Managing Cookies


Cookies are the primary mechanism for tracking users on websites, making them a critical focus for privacy compliance. While we can discuss data management in abstract legal terms, cookie management is where theory meets practice. Here are three key guidelines:


  • Audit your cookies: Know every cookie on your site, keep the list updated, and understand each one’s purpose.

  • Use a consent management platform (CMP): Tools like Osano or OneTrust streamline cookie categorization, consent collection, and compliance.

  • Leverage Google Tag Manager (GTM): Use GTM to inject scripts dynamically, avoiding hardwired cookies unless necessary for specific functionality.


Start by auditing your website for all scripts and cookies, especially third-party ones. First-party cookies (those you create) often support site functionality rather than data collection. CMPs like Osano or OneTrust can simplify this process, forming a defensible framework for compliance.


A critical nuance: What happens before consent is granted? The answer is simple—in a well-designed system, nothing. Non-essential scripts must not fire until consent is given. Your consent banner should block website interaction until the user accepts, rejects, or customizes their choices. Enabling Google Consent Mode v2 ensures scripts don’t run prematurely, reducing your risk.
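As an added example (not code from the article or from Google), here is the gating logic in JavaScript: Consent Mode v2 defaults are pushed as denied before anything else runs, strictly necessary scripts load immediately, and analytics and marketing tags are queued until the banner's decision arrives. The category names, the tag list and the `inject` callback are assumptions; the consent signal names are Google's. One caveat worth keeping in mind: Consent Mode only changes how Google's own tags behave, so every other vendor's script still has to be held back by a gate like this (or by the CMP-driven triggers in GTM).

```javascript
// Added example (not the article's code): gating non-essential scripts behind a
// consent decision. Category names, the `inject` callback and the tag list are
// assumptions made here; the Consent Mode v2 signal names (ad_storage,
// analytics_storage, ad_user_data, ad_personalization) are Google's.
// The Consent Mode call only changes how Google tags behave; every other
// vendor script still has to be held back by the gate itself.

function createConsentGate({ inject, dataLayer = [] }) {
  // gtag() as Google documents it: it pushes its arguments onto the dataLayer.
  function gtag() { dataLayer.push(arguments); }

  // Consent Mode v2 default: everything denied until the banner is answered.
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
  });

  const pending = { analytics: [], marketing: [] }; // held until consent
  const loaded = [];
  let decision = null; // null = banner not answered yet

  function register(tag) {
    if (tag.category === 'necessary') {
      inject(tag); loaded.push(tag.id);   // strictly necessary: fires immediately
    } else if (decision && decision[tag.category]) {
      inject(tag); loaded.push(tag.id);   // consent already given for this category
    } else if (pending[tag.category]) {
      pending[tag.category].push(tag);    // wait for the user's choice
    } else {
      throw new Error(`unknown cookie category: ${tag.category}`);
    }
  }

  // Called by the banner's "Accept All" / "Reject All" / "Confirm My Choices".
  function decide(choice) {
    decision = { analytics: !!choice.analytics, marketing: !!choice.marketing };
    const g = (granted) => (granted ? 'granted' : 'denied');
    gtag('consent', 'update', {
      analytics_storage: g(decision.analytics),
      ad_storage: g(decision.marketing),
      ad_user_data: g(decision.marketing),
      ad_personalization: g(decision.marketing),
    });
    for (const category of Object.keys(pending)) {
      if (!decision[category]) continue; // rejected: stays queued, never loaded
      for (const tag of pending[category].splice(0)) { inject(tag); loaded.push(tag.id); }
    }
  }

  return {
    register,
    decide,
    loaded: () => loaded.slice(),
    pendingCount: () => pending.analytics.length + pending.marketing.length,
    dataLayer,
  };
}

// Usage: in a browser `inject` would create the <script> element; here it only
// records the tag's src so the example runs without a DOM. The tag ids and
// URLs are constructed placeholders.
function demo(choice) {
  const injected = [];
  const gate = createConsentGate({ inject: (tag) => injected.push(tag.src) });
  gate.register({ id: 'session', category: 'necessary', src: '/js/session.js' });
  gate.register({ id: 'ga4', category: 'analytics',
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' });
  gate.register({ id: 'ads', category: 'marketing', src: 'https://example.invalid/ads-pixel.js' });
  const before = injected.slice(); // only the necessary script so far
  gate.decide(choice);
  return { before, after: injected.slice(), gate };
}
```

The important property is visible in `demo`: before `decide` runs, the only thing injected is the session script, and a "Reject All" decision leaves the analytics and marketing tags queued forever. Rejected tags are deliberately kept in the queue rather than discarded, so a later change of mind through the preferences menu can still load them.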


The consent interface should be user-friendly, offering options like “Accept All,” “Reject All,” and “Confirm My Choices.” The latter should open a menu with all non-functional cookies enabled by default, alongside links to your privacy policy and terms. Following these steps positions you to withstand regulatory scrutiny or lawsuits.


A Word About YouTube


Many of us rely on embedded YouTube videos in our websites. These present a unique challenge because YouTube ignores the consent selections your website users select. This is not a malicious action on Google's part, but a quirk of the iframe method that YouTube embed codes rely upon. This can, however, pose a challenge when it comes to regulatory compliance. YouTube specifically captures analytics data from users, whether they are on your site or on the YouTube site.


There is a workaround to this that Google has provided. YouTube Privacy-Enhanced Mode prevents the collection of analytics and tracking data by YouTube. Turning it on, however, is not a simple act of flipping a switch. To enable this feature, you must replace all youtube.com URLs in your embed codes with "https://www.youtube-nocookie.com/".
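Doing that replacement by hand across a large site is error-prone, so here is an added example (not code from the article or from Google) that rewrites embed URLs and audits a page for any that were missed. The `www.youtube-nocookie.com` host is the one named above; the functions and regular expressions are assumptions made here. It only touches `/embed/` URLs on youtube.com hosts, so watch links and other providers' iframes pass through untouched.

```javascript
// Added example (not from the article): rewrite YouTube embed URLs to the
// privacy-enhanced host. The www.youtube-nocookie.com host is the one the
// article names; the regular expressions and helpers are assumptions here.

// Rewrite a single embed URL. Non-YouTube URLs and non-embed YouTube pages
// (watch links, channel pages) are returned unchanged, as are URLs that are
// already on the privacy-enhanced host.
function toPrivacyEnhancedUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return url; } // relative/malformed: leave alone
  const host = parsed.hostname.toLowerCase();
  const isYouTube = host === 'youtube.com' || host.endsWith('.youtube.com');
  if (!isYouTube || !parsed.pathname.startsWith('/embed/')) return url;
  parsed.hostname = 'www.youtube-nocookie.com'; // keeps path and query (e.g. ?rel=0)
  return parsed.toString();
}

// Rewrite every <iframe src="..."> in a block of HTML (e.g. a CMS page body).
function rewriteEmbeds(html) {
  return html.replace(/(<iframe\b[^>]*\bsrc=)(["'])([^"']*)\2/gi,
    (match, prefix, quote, src) => `${prefix}${quote}${toPrivacyEnhancedUrl(src)}${quote}`);
}

// Audit helper: list iframe sources that would still be rewritten, i.e. embeds
// that are still pointing at the tracking host. Useful as a check in a build
// step or content review so nothing slips through.
function findUnrewrittenEmbeds(html) {
  const found = [];
  for (const m of html.matchAll(/<iframe\b[^>]*\bsrc=["']([^"']*)["']/gi)) {
    if (toPrivacyEnhancedUrl(m[1]) !== m[1]) found.push(m[1]);
  }
  return found;
}

// Constructed sample page body (placeholder video id, not a real embed).
const SAMPLE_HTML =
  '<p>Intro</p>' +
  '<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID?rel=0" allowfullscreen></iframe>' +
  '<iframe src="https://player.vimeo.com/video/123456"></iframe>';
```

Running `findUnrewrittenEmbeds` over published pages after the migration is the check that matters; a single embed pasted in later by an editor is enough to reintroduce the tracking host.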


Chatbots & Privacy


This functionality is nearly ubiquitous in modern websites and chatbots will no doubt gain greater capabilities thanks to AI. What is important to know about chatbots is that they are often powered by third parties and exist as a superset of your website functionality that, from the perspective of regulators, is a separate data collection experience.


What this means is that within your chatbot scripts you must affirm consent for the collection of information and the retention of chat transcripts. Include links to your privacy policy and website terms, and work with your legal team to include a section on chatbots in your privacy policy document.


Chatbots are a unique challenge because not only are you collecting personal information, but you are also retaining the transcripts of the interaction with website visitors. This detail can be extensive and go far beyond basic identifying information, therefore it is essential that you establish the framework for what is collected and how it is used and retained.


Your CRM


It does not matter which CRM you use; they all provide the basic functionality necessary to serve as the master data system for consent management. What I mean by this are the data objects for checking/unchecking consent for:


  • Marketing opt-in

  • Double opt-in

  • Do not call

  • Do not contact


A CRM system is the one resource that sales, support, and marketing can rely on for the purposes of communicating with individuals. With that in mind it is essential to leverage this functionality in your privacy program in place of building standalone systems that may not enjoy the same degree of access.


Data Processing Agreements (DPAs)


Simply put, DPAs are agreements that dictate the terms by which data is shared between you and your vendors or partners. These are negotiated when you sign on with vendors, or passed through in the case of many monthly subscription SaaS applications. These agreements are essential, and without them you are highly exposed to legal action, so don't treat this as a checkbox in your procurement process.


When I negotiate vendor contracts there are three stages of development that I work through. The first two are finance and contract terms, while the third is the DPA, often utilizing a specialty legal resource. The fact is that almost all of these DPAs are going to be good to run with out of the box, but you absolutely must know what is in them and how data is being shared.


Handling "Delete My Data" Requests


Deletion requests are increasingly common, driven by consumer awareness and tools like Mine that automate the process. These requests typically go to a Chief Privacy Officer or a designated email, unless you’ve built a specific workflow to manage them.


Here’s the challenge: If you delete all traces of an individual, how do you prove compliance? The solution is to maintain a deletion log with metadata (e.g., request date, completion date, scope) and send the requester a confirmation email, archiving it with a timestamp for your records. This satisfies mandatory deletion requirements under GDPR and CCPA.


Crafting a Data Retention Policy


If you don’t have one, develop a data retention policy. It should detail:


  • What data you retain

  • Why you’re keeping it

  • How long you’ll keep it

  • Your process for purging it


Data hoarding is a real issue, and privacy laws aim to curb it. A clear policy ensures every piece of customer data has a defined purpose and lifecycle.


Exceptions Exist


Privacy regulations are extensive and have been developed over a period of years, with sufficient time for comment and adjustment post-implementation. As you might imagine, the evolving nature of these rules means you have an obligation to stay on top of the updates and understand the documented exceptions that permit legitimate use of personal data even when otherwise restricted.


Operational emails are notifications and updates considered crucial for utilizing services and products or for maintaining a commercial relationship. Examples include emails about product end-of-life and upgrades, notices of changes in corporate entities, banking and tax documents, and support emails. These fall under the category of "operational email," which bypasses the usual consent and privacy restrictions that typically regulate communication.


Data deletion requests do not include customer information necessary for warranty service, financial transactions, tax information, and export compliance information. Simply put, if laws and regulations stipulate the retention of information then the data deletion request carves this out as necessarily retained information.


Individual privacy regulations do take into account the burden placed on small businesses. While safeguarding personal information is an overriding obligation for all businesses, the specifics of individual privacy laws often kick in at revenue and customer count thresholds. The CCPA is applicable when you hit gross revenue of $25m per year OR have 100,000+ customer records OR derive 50% or more of your revenue from selling data.


Intent vs. Letter of the Law


As I mentioned at the outset, merely following the letter of the law isn’t enough anymore. You must align with the intent of privacy regulations, demonstrating a genuine commitment to protecting personal data across all touchpoints—customers, prospects, partners, candidates, and employees.


It’s tempting to think privacy rules hinder marketing, but I’ve found that high-performance marketing and strict compliance can coexist and even complement each other. If your strategy relies on spamming millions of random contacts, privacy laws will be a challenge. But if you focus on a targeted audience with compelling, relevant offerings, compliance becomes a natural part of the process—not a barrier.
