In an increasingly global world with shifting data practices, it’s important to ensure quality data for email marketing campaigns. Not only is it a legal imperative, it also gives prospective customers a better user experience. When considering a new business relationship, subpar communication practices are not a great way to start. Creating a best-in-class workflow automation for privacy compliance best practices will keep your marketing data clean and increase the performance of email marketing campaigns.
What is a privacy compliance processing program in Marketo Engage?
Privacy compliance, as a philosophy, is how organizations meet the regulatory and legal requirements for the collection, processing, and maintenance of information. Processes for managing privacy compliance are not an out-of-the-box feature in Marketo Engage and need to be built to suit an individual company’s needs. Compliance requirements are not one-size-fits-all and require input from a legal team to identify the company’s overall risk tolerance and which scenarios require additional consideration. Building an automated privacy compliance workflow in Marketo Engage will allow a company to address individual scenarios, countries, and time frames, and it is worth doing.
Etumos’ recommended workflow automation is designed to focus on the regulations which define requirements for data protection related to geography, like GDPR. Our process is designed to run when a person is created, or when information about the person’s country is changed. The process runs persons through a set of filters and flows that will indicate on the record how the person is going to be processed and whether or not they need further criteria.
What a privacy compliance processing program is *not*
Privacy compliance is its own operational program for complying with global laws around data privacy regulations. It is not a marketability manager, a data cleanup program, an assignment program, etc. For best practices, build the privacy compliance workflow automation to only manage compliance with global data privacy regulations as the company legal team recommends.
While other processes can certainly use the information once a record has been properly processed, the goal is to keep this process on its own as simple and specific as possible.
Why do companies need privacy compliance in Marketo Engage?
Data collection and handling have become increasingly complex, and a mistake in the collection, handling, or processing of data can cost you. Even if you’re only doing business in certain countries, it’s worth reviewing your data practices, and how to manage them, with legal professionals, just in case there’s a regulatory requirement of which you are not aware. It’s also beneficial to consider these regulations before you expand into geographies with compliance laws in place. A Marketo Engage workflow automation can make sure data is processed appropriately or removed from the system entirely if that is the wish of the legal team/company.
When should a company set up privacy compliance?
As soon as you can! It is never too early or late to protect data quality. If you’re ever going to market to prospects outside of the United States, you’ll need a whole Privacy Compliance Program to account for different privacy laws around the world. You need Privacy Compliance before you expand out into these different markets. (You should probably have a Marketing Privacy Compliance Policy decided upon before that, conversationally.)
How do you implement privacy compliance in Marketo?
Always start by working with the legal team to determine definitions for main concepts – for example, what countries or situations would be considered implied consent vs. requiring explicit consent (opt-in checkbox), double opt-in, etc., or what to do when records do not have a known country. Some legal teams will also want to process a record differently depending on whether the person filled out a form, attended an event, or was created by the sales team. This is critical to define for a successful implementation.
Once definitions are agreed upon, a program can be created in Marketo. Start by creating smart lists within the program to define the different processing groups. For Etumos, those look like:
- Opt-Out (no consent required)
- Opt-in with Implied Consent
- Double Opt-in
The program includes a smart campaign that will look at the smart lists and update a special privacy compliance field to indicate how Marketo Engage sorted the record (consistent with the naming conventions from the smart lists). This “sorter” should be triggered upon person creation or country value change.
The resulting data value change from the sorting campaign will trigger smart campaigns corresponding to the processing groups. This is where it gets a little more complex, but with proper definitions and documentation, it should be easy to build!
Etumos will build a folder for each processing group (Opt-Out, Opt-in, Double Opt-in, etc). Within each, there will be a “controller” campaign that listens for a data value change to the processing group field that corresponds with that specific campaign. From there, if there are additional requirements or considerations, the controller will look at smart lists to identify how to further process those records.
This can be difficult to imagine or explain so let’s walk through an example.
- A person is created via a form fill with a country of Spain with explicit consent captured.
- The sorting campaign is triggered and looks at all the processing group smart lists. This person, for this example, falls into the “Opt-In (Consent Required)” processing group smart list, so the sorting campaign updates their Processing Group field to “Opt-In (Consent Required)”.
- The corresponding controller for this processing group is triggered by the Data Value change of Processing Group = Opt-In (Consent Required).
- The flow step will use smart lists to determine if explicit consent was captured or not and then call the appropriate smart campaigns to properly process the data and ensure data quality.
- For this example, the person gave explicit consent via a form fill. This calls the smart campaign specific to a person who falls within the Processing Group of “Opt-In (Consent Required)”.
- Within this final campaign, another custom field “Consent Status” will be updated to indicate that Explicit Consent was captured.
- If the person did not provide explicit consent, the controller for this group would instead call a smart campaign that indicates the person did not provide consent. But again, this smart campaign would only be used for those who fall in the processing group of “Opt-In (Consent Required).”
Build out a controller for each processing group, and create smart campaigns to indicate if a person has explicit consent, implied consent (if applicable), or no consent.
Be sure to keep the smart campaigns specific, clear, and simple. While it may seem like there are a lot of smart campaigns, this makes scalability, adjustments, and troubleshooting incredibly clear.
Finally, if there are other scenarios that need to be accounted for, it may be helpful to have a folder for these as well. Some things that may be considered are consent history, consent expiration, request for stored data, request for data removal, etc.
Etumos uses the unsubscribe feature and updates unsubscribe reason to make sure email marketing campaigns cannot email people who could be a liability. For this reason, it is also beneficial to include a smart campaign for user unsubscribe to process opt-in and consent status.
- The Etumos best practice for setting up any program is to integrate it with an initial processing/person is created program. The goal is to only use the “person is created” trigger once, freeing processing time and allowing control of the order in which data is processed. This may look like making sure that a person syncs with SFDC or has their country data cleansed before privacy compliance runs, or it may be that privacy compliance should run before anything else. The choice is super easy when it is managed within one program.
- Keep naming conventions the same across smart list, field value, and smart campaigns! For example, a smart list for “Opt-In (Consent Required)” would match the processing group field picklist value of “Opt-In (Consent Required),” which would make the folder “Opt-In (Consent Required),” which would match the controller/corresponding campaigns “Opt-In (Consent Required) Controller.” This makes auditing, reporting, and searching easier.
- When using a sorter or controller smart campaign where a record should theoretically always find a match, use a default value to indicate when there is likely an error. For this program, if the Processing Group does not match any of the smart lists, their Processing Group field will be updated to “error” which will trigger an error alert. Each individual processing group controller also has a default “ERROR” smart campaign, specific to each, so that any gaps can be rectified quickly.
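The sorter and controller routing from the walkthrough, with the default error values described in the last point, modeled in Python as an added example (not Etumos’ or Marketo Engage’s own code; Marketo campaigns are built in the UI). The country lists, the dictionary keys other than Processing Group and Consent Status, and every status value except explicit consent are constructed assumptions, not legal guidance.

```python
ERROR = "error"  # default value the article uses when no smart list matches

# Smart lists per processing group. Country names are constructed placeholders;
# only Spain -> "Opt-In (Consent Required)" comes from the article's walkthrough.
SMART_LISTS = {
    "Opt-Out (no consent required)": {"Country A"},
    "Opt-In (Consent Required)": {"Spain", "Country B"},
    "Double Opt-in": {"Country C"},
}

def sort_person(person):
    """Sorter: set Processing Group, or "error" if the match is not unique."""
    country = (person.get("Country") or "").strip()
    hits = [g for g, countries in SMART_LISTS.items() if country in countries]
    # Zero matches -> error (per the article); several -> error (assumption).
    person["Processing Group"] = hits[0] if len(hits) == 1 else ERROR
    return person["Processing Group"]

def consent_required(person):
    explicit = person.get("Explicit Consent Captured")
    if explicit is None:  # controller-level default ERROR campaign
        return "ERROR"
    return "Explicit Consent" if explicit else "No Consent"

def double_opt_in(person):
    if person.get("Explicit Consent Captured") is None:
        return "ERROR"
    confirmed = person.get("Explicit Consent Captured") and person.get("Confirmed")
    return "Explicit Consent" if confirmed else "No Consent"

# Controllers keyed by the exact picklist value, per the naming convention.
CONTROLLERS = {
    "Opt-Out (no consent required)": lambda person: "Implied Consent",
    "Opt-In (Consent Required)": consent_required,
    "Double Opt-in": double_opt_in,
}

def process(person):
    """Run on person creation or country change; returns Consent Status."""
    group = sort_person(person)
    controller = CONTROLLERS.get(group)
    person["Consent Status"] = controller(person) if controller else "ERROR"
    return person["Consent Status"]

def unrouted_groups():
    """Audit: processing groups the sorter can emit that have no controller."""
    return set(SMART_LISTS) - set(CONTROLLERS)
```

Running `unrouted_groups()` after any rename catches a smart list whose name no longer matches its controller, which would otherwise send every record in that group to the error path.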
Who benefits from privacy compliance?
Everyone! It’s a win, win, win. Legal is happy that marketing is considering data privacy laws, customers and prospects trust you to respect their privacy and data, email marketing campaigns will have better data quality for sends, and the marketing operations team will sleep soundly knowing their marketing data is in good shape.
Privacy compliance should only be complicated for those interpreting the laws – for the marketing team, try to make it as simple and easy to follow as possible! Get your definitions and scenarios in check, and let Marketo Engage’s automation workflows do the heavy lifting.