Marketing and privacy – there’s the law, there’s best practice and there’s reality

Ben Rapp, Group Chief Executive
June 2024

Marketing is often where businesses first consider privacy and its impact on their behaviour. While it’s arguable that there actually are other areas where privacy is of greater concern, the combination of direct impact on the bottom line and sheer scale means this is no surprise. The danger is that privacy is seen as a barrier to effective marketing and therefore resented, avoided or ignored. The risk here, of course, being that marketing is also the easiest entry point for a regulator, since most of what you do is publicly visible.

The question then is what does privacy actually mean for marketing? The answer, naturally, being “it depends”. It depends on what part of marketing you’re considering; it depends on where you are in the world, and where your customers are; and it depends on how you go about doing your marketing – online and offline. A short article such as this can never give all of the answers; here, instead, are merely some signposts for your journey.

You need to think about the intersection of privacy and marketing in multiple dimensions. The first is to divide marketing into understanding and doing, and then to distinguish between mass audiences and targeted activity. Finally, you need to consider the nature of your prospects and your offer – essentially to distinguish between business-to-business (B2B) and business-to-consumer (B2C). That sets the scene for a pragmatic approach to marketing compliance.

Why do I say pragmatic here? Because the strict letter of the law and the reality of regulatory enforcement are different. By way of example, named email addresses for individuals within a business are technically personal data; if your privacy law has strict consent rules for direct marketing then in theory you should seek consent for B2B communication – but the reality is that almost no-one does and almost no-one cares. The truth is that nowadays most B2B contact is via named email; it is at least tacitly understood that you are trying to market to the business, which does not have privacy rights[1], and not to the individual – and therefore the most that is expected is a functioning opt-out.

On the other hand, when selling something to consumers you absolutely have to pay attention to your jurisdiction’s consent rules – which can vary from a “soft opt-in” for marketing emails to existing customers to a three-page form that must be completed and returned by the consumer to enable any marketing at all. Regulators globally have shown strong appetite for enforcing privacy rules in direct marketing – in fact for some jurisdictions that seems to be the only enforcement they do. So you need proper consent tracking including mechanisms to enable withdrawal of consent and evidence of the specific consent wording, along with – of course – a functioning opt-out. And if you’re in the habit of buying lists, it’s a habit you’ll probably have to stop. If your or your prospect’s jurisdiction requires consent – not all do – then do your reading or find an expert who really understands your specific space.

But remember those dimensions: the last two paragraphs refer only to direct marketing. Which might just mean email, text and telephone or could extend to any form of specifically-addressed content through any channel. What about mass-marketing – broadcast, website banners and so on? Again, it depends. Straight broadcast has no privacy implications when it comes to “doing” but the work you do to measure and understand your audience may well come into scope. Website banners might seem innocuous but are not if you are targeting them based on an online eyeball auction. Essentially, at any point where you can identify an individual – which does not need to mean that you can name them – you have to pay attention to privacy.

Which leads us to “understanding”, starting with cookies and similar mechanisms that allow you to identify and track individuals around the internet, but also including enrichment, data purchasing, analysis of customer and prospect browsing and purchase behaviour and all of the exciting world of “big data”. Here we would counsel two pragmatic watchwords: “transparency” and “reasonable expectation”. Do the people whose data you are analysing know that you are doing it? And when they find out, will they think that what you are doing is reasonable? If the answer to either of those is a no, you have a problem. That does not mean that ticking both boxes automatically makes your analysis compliant, but it’s a good starting point.

Why care about all of this? Well, you could be fined by a regulator, or told to change your behaviour, which isn’t a good look for the organisation or the brand. But more importantly, consumers and business customers increasingly care about their privacy. If your marketing demonstrates that you don’t, they won’t buy from you. That’s a much more important consideration than any possible regulatory action.



[1] Except in South Africa.
