What Does Privacy Compliance Really Mean? With Keith Nyberg On Ep.6 of Must Contain - Etumos Skip to main content
Newspaper illustration

What Does Privacy Compliance Really Mean? With Keith Nyberg On Ep.6 of Must Contain

January 6, 2022

Resident compliance expert, Keith Nyberg, starts off 2022 with a bang talking about all things compliance. Join Kristin and Kristin to learn what compliance means for MOPs, best practices for managing the various components, and how you can support your org.

If you’re short on time, start at 23:55 to get a quick rundown of the three things you need to know.

Listen and Subscribe

Transcript

Hosted by Kristin Crowe (OGK), and Kristin Anne Carideo (KAC)

Theme Song by Rusty Hall: (00:01)
Intro Theme Song

Kristin Crowe (OGK): (00:36)
Hi, I’m Kristin Crowe.

Kristin Carideo (KAC): (00:38)
And I’m Kristin Carideo.

Kristin Crowe (OGK): (00:40)
And this is Must Contain the podcast from Etumos where we help explain the how of marketing. Although we can’t always explain the why.

Kristin Carideo (KAC): (00:48)
join us every two weeks as we break down marketing and corporate topics and discuss what they really mean.

Kristin Crowe (OGK): (00:54)
And if you enjoy this podcast, please remember to like follow, or subscribe in all your favorite podcast.

Kristin Crowe (OGK): (01:00)
And we are back with episode six of Must Contain.

Kristin Carideo (KAC): (01:05)
Happy New Year.

Kristin Crowe (OGK): (01:07)
And to you as well, Kristin.

Kristin Carideo (KAC): (01:08)
New year, new episodes.

Kristin Crowe (OGK): (01:10)
That’s right. And this year, now that we’ve worked out all the kinks of recording and doing all the podcast things.

Kristin Carideo (KAC): (01:16)
Have we?

Kristin Crowe (OGK): (01:17)
I mean, I have, I’d say they’re pretty good, but anyway, okay. We are definitely podcasting experts and we’d love to open up our guest roster beyond just our friends and family and all the people that we know.

Kristin Crowe (OGK): (01:31)
So if you have a marketing or corporate buzzword that you can help break down and help our audience understand, we’d love to hear from you.

Kristin Carideo (KAC): (01:39)
Or a buzzword that you have no idea what it means, and you’re willing to admit it on a podcast and you want us to help you figure it out and figure out if it’s something you should spend your budget on in 2022 or skip, and just make fun of at happy hour with your coworkers.

Kristin Crowe (OGK): (01:53)
We have an open call for guests, pitch us the buzzword you wanna break down, we’ll link the form in our show notes and on etumos.com/must-contain and let us know what you think. We’ll hopefully have you on a future episode.

Kristin Carideo (KAC): (02:08)
And that’s also where you can find all of our previous episodes as well as transcripts of the episodes.

Kristin Crowe (OGK): (02:15)
All right, without further ado, we are here to actually talk to a guest with us. Today is our very own Keith Nyberg senior marketing technology consultant here at, Etumos. And he’s here to talk about compliance. That’s our buzzword for this week, compliance in the marketing GDPR, right-to-be-forgotten sense. We can’t help you with your taxes. Hello, Keith.

Keith Nyberg: (02:38)
Hi Kristin, Hi Kristin. It’s a pleasure to be here with both of you today. Just to give a quick introduction of myself as Kristin mentioned, I’m a Senior marketing technology consultant with Etumos, I’ve been at the company for three years now. Prior to that, I spent five years at Sugar CRM running all of our martech stack internally. But yeah, I’m also the co-leader of the San Diego Marketo user group. I’m Marketo certified solutions architect multiple time MCE certified and yeah, active in the communities as well. So really excited to be here and talk shop with you both today.

Kristin Carideo (KAC): (03:09)
Awesome. You’re also Etumos’ resident compliance expert. So that is great. So our first question and mean compliance, isn’t really a buzzword it’s something marketers kind of have to do, and it’s something that might scare them a little bit. So we’re cheating on our own concept here, but I do think we see some pretty interesting interpretations of the various privacy and compliance laws here in MOPs land. I’m sure most of our listeners can identify with that. And we’re hoping that, that we can spend this time together, Keith discussing what the right way is to start approaching, cleaning up your whole email marketing privacy legislation compliance situation. So I’m gonna start with a question that we usually start with, which is what does compliance mean?

Speaker 3: (03:55)
I think from a Marketing Operations perspective, most marketing teams will always view compliance or privacy compliance as, Well, how do we capture consent for marketing? Right? What, where, where, how do we capture that? Opt-in and then second to that, how do we enforce compliance within our instance meaning, if we have somebody located in a region where we need opt-in and we don’t capture that, what are we doing systematically to ensure that we’re not gonna be sending them commercial electronic messages, right. But compliance is a broader topic than just those two things MOPs typically own those. And that’s why we focus so much time on both of those interactions. But compliance is also the process of capturing and storing data, right? It’s what, what legal language do we have on our forms to ensure that we’re capturing the right consent to store data?

Keith Nyberg: (04:36)
In our instance, there’s also some legislation out in the world that gives prospects or any, any person, the right to understand what data we have stored on their behalf. There are also processes that require us to allow a user to request the deletion of any stored data that we have for them. And so, while compliance really is specific for marketing to email and how are we allowed to email it really touches the entire org of where are we capturing our data? What consent do we have for that data? What consent do we have to use that data, other places, and what things do we need to enable for users to ensure that we can actively manage compliance based on the location that they’re in.

Kristin Crowe (OGK): (05:14)
We talked a little bit about managing compliance and location. And I think a lot of people often immediately go to the legislation, the acronyms that are associated with compliance, GDPR, CASL can-spam. And often when you think about legislation, you think of legality, which doesn’t really have a lot to do with operations in that sense, but as mops professionals, we all know it does have a big impact on operations. So how does the various geographic legislation impact mops teams and just marketing professionals in general?

Keith Nyberg: (05:47)
Yeah, I think there’s tons of laws, right? There are 250 countries in the world and each of them start to define their own legislation. There’s some friendly groups of countries like the EU that define policies that span all of the countries within that region. But then there are still nuances to that. Like the United Kingdom has their own legislation a little bit separate from Germany. That’s part of the EU that has their own legislation. So in terms of MOPs and, and privacy compliance practices, we at Etumos abide by a process-based approach to legislation. Which means that while there’s tons of different laws and names for buzzwords, for laws, there are typically only four operational processes. Any company is going to enable to manage the multiple types of legislation that exist around the world. Those types of legislation where we call them GDPR CASL translate into operational processes that we define as double opt-in, which is we need to capture the initial explicit opt-in.

Keith Nyberg: (06:39)
And then after we need to send a secondary email to reconfirm that opt-in right, double opt-in, there is opt-in, which means we require an opt-in and we have to have that. Otherwise, we don’t have the ability to market to somebody there is opt-in with implied consent, which means we do need opt-in. We don’t have to send a double opt-in email, but there are some use cases where may not have captured that explicit consent, but still have the ability to market, to somebody based on an existing business relationship. So people like customers, we may have the implied consent to market to them because they’re using our product, right. People who request contact on our website, they may be located in a region where we need that explicit opt-in and we don’t have it, but we have the ability to follow up for a temporary period of time, to follow up. So again, we have double opt-in, opt-in, opt-in with implied consent, and finally, we have opt-out. Those located in the United States are very familiar with this law. It is essentially we don’t need to capture any opt-in. We don’t need to ask you for your consent. We assume the ability to market to you until you express the desire to not be contacted and you opt-out. And any records that fall into that process are falling into the opt-out process.

Kristin Carideo (KAC): (07:39)
All of those are related to kind of the unsubscribe and email process, but there’s a component to these legislations that are about how data’s captured and how we’re handling that data. How is MOPs typically involved in that? And you know, what processes do you see to help govern the components of, of compliance that relate to the data capture?

Keith Nyberg: (08:05)
Yeah. Almost every company in the world is gonna have two assets on their website that speak to compliance. The first one being their privacy policy, which is a user’s right, and their ability to remain private. And what implications are safeguards the company has in place to enable that for a user. There’s also the terms of use or terms of service, which says by submitting this form, you know, you’re agreeing to us using your data in these ways, right? Almost every org is gonna have both of those items. And while we, as MOPs don’t really own those documents and we don’t own the language that lives on the forms, we typically actually own those forms, which is why we need to work with legal to figure out what is a bare disclaimer, that is gonna go on every single form. In our instance, that’s gonna safeguard the capture of our data, regardless of whether people are opting in or not.

Keith Nyberg: (08:47)
Right. and again, that’s typically by submitting this form, I’m agreeing to the privacy policy in terms of use as defined by company ‘A’ right. So that’s just a blanket thing that I see used very commonly, and that’s gonna safeguard how we capture data and making sure that when we get it, we’re okay to use it in the ways that we’ve defined. Right. Separate to that, there’s the processes related to like data storage and data deletion. Those are things that we in MOPs typically get involved with because we’re gonna own the form on the front end, where people are requesting those activities, but we ourselves and MOPs are not gonna be able to actually action all of those items ourselves. And the reason being is that Marketo or most marketing automation platforms don’t have the ability to write or, or access other objects outside of leads and contacts.

Keith Nyberg: (09:30)
Right. so any account data that may have a user’s information listed in it, that’s stuff that we don’t have, the ability to delete any tasks associated contact. Those are things that we don’t have the ability to delete opportunity, data, things that we don’t have the ability to delete. And so that’s why we get involved. We can create the form, we can create an alert, or we can create a task in the system that says, “Hey, somebody on the revenue ops team, let’s go in and reconcile this data, or let’s pull this data for the user.” But we don’t have the ability to action that request all on our own which is why it’s really like we’re lighting a match for the process and initiating it, but we’re not gonna be able to finish the entire process ourselves. So yeah, MOPs gets involved with making sure that we’re consistent across our forms, making sure that we’re using that language everywhere, that it’s needed, making sure that we’re enabling the processes that need to be supported the capture of opt-in the unsubscribe behind the scenes. But at the end of the day, we don’t really own the documents that speak to those or the language. We just need to make sure that we’re doing what, what the legal team is asking of us.

Kristin Carideo (KAC): (10:27)
Oh, that’s all lawyer stuff. The language.

Keith Nyberg: (10:30)
Yeah. Yes, exactly.

Kristin Crowe (OGK): (10:31)
all right, Keith. So we’ve got a lot of legal speak. We’ve talked a lot about like the, the way compliance is managed and the different components of it. And you talked about the four processes that really impact MOPs. So how have you seen some of your clients manage those four processes in order to adhere to the legislative requirements in the various geographies?

Keith Nyberg: (10:54)
Yeah. I oftentimes see orgs define what the processes are they wanna support, you know, we mentioned four, your company may choose to only support three of those processes or two of those processes. So determine what processes you’re gonna support. And then from there I most commonly see companies go to the list of all countries in the globe and start to kind of categorize or sort those countries into the processes that they’re planning on supporting. I think that that’s a really critical first starting point for this project, because it’s gonna tell you what percentage of your database falls into process A versus process B versus process C. There are multiple ways that companies can manage how they’re sorting records into groups, right? We at Etumos typically like to have one smart list. In our instance, that’s gonna say, this is the criteria that qualifies somebody for this process.

Keith Nyberg: (11:38)
And then in the processing through the program, we actually set a field on the, the person itself that’s called processing group, where we actually hard stamp the processing group that they qualify for in compliance. That way, when we’re auditing, we can easily determine which groups that they were sorted into and how they were managed. I think there’s also nuances with how you define a region. A lot of companies are gonna have to pick fields that specify location, keep in mind, we have things like country. We have things like inferred country. We have things like account or billing country, right. And every country’s gonna, or every company’s gonna have to define what is the order of operations for which fields you want to acknowledge first or second or all? A good example of that is I commonly like to implement processes, to sort into groups using “country is,” “these countries,” or the “countries empty” in the inferred is these values, right?

Speaker 3: (12:25)
Cause then we’re prioritizing the country value. And only if the country at valued, are we gonna utilize inferred. Germany is a really great example where some GDPR nomenclature covers records that are located in Germany, even if they’re not residents of Germany, which means somebody could fill a form being located in Germany, even though they specify that they’re located in the United States and your company may choose to still wanna action them with a double opt-in. So for that specific processing group, oftentimes I see the country is Germany or the inferred country is Germany. Which means that you’re gonna safeguard both of those items. Even if somebody says they’re not in Germany, if we can tell I that they are, we may take that, that, but again, company’s gonna define kinda the fields they want to sort and the prioritization of those fields relative to each other as they make those decisions for how they are sorting records into those groups.

Kristin Crowe (OGK): (13:13)
Doing a good ‘ol CYA on, on all of those, right.

Keith Nyberg: (13:16)
Exactly.

Kristin Carideo (KAC): (13:17)
And I think the tough and the sometimes scary part about these legislations is we run into clients that for example, will say, well, I’m not marketing in Europe. And like the fact of the matter is that doesn’t matter if a European stumbles into your system, you know, your liable, and the same thing with somebody happens to be in Germany that day, you know, they’re accessing your stuff from Germany. And so you need to make sure that that you’re covered, you know, which I think kind of leads into, you know, a lot of, there’s a lot of nuance to a lot of the choices you’re making, which countries sort of these groups based on what legislation governs them where do legal teams typically get involved with this process and, and what decisions can the marketing ops team make themselves?

Keith Nyberg: (14:07)
Yeah. I always remind any Marketing Operations users that I’m working with, anytime, a compliance project kicks off from me with, with a client, or anytime I’m chatting about it just socially we are not a legal team. And I think that’s the most important thing to remember, in our MOPs role is that it is not up to us to define how the company wants to manage their risk related to compliance. Because at the end of the day, risk is really what we’re managing here. And some companies are gonna take a more risky approach to help drive their business. And some are gonna take a very conservative approach, right? I’ve had clients on either end of the spectrum that are very risk-averse or very risk happy, right? They, they don’t care about, about the risk at all. Where I see MOPs in helping with that process is every MOPs team member should have documentation on “this is our current compliance process,” right?

Keith Nyberg: (14:52)
These are how we are managing people based on the location that they are in. These are the fields that we’re using to sort people into those different processes. And being able to provide that to legal and say, this is where we’re doing. This is what we’re doing right now, just to get validation, doesn’t need to, doesn’t need to be right. Doesn’t need to mean that it’s wrong. It just means that we need to have the ability to present that information to legal so that they can review it and determine whether they’re comfortable with it or not. One of the things we were talking about processing groups earlier that we didn’t kind of cover is that there’s these four processing groups, and I mentioned country location. There could be a bunch of records that exist in your instance that you have no location information for.

Keith Nyberg: (15:27)
Right. And that’s typically a category when we’re sorting records into these processing groups, your legal team is gonna have to make a distinguishment of if we don’t know where people are, what of those four processes that we mentioned, do we wanna apply to records, right. Because maybe they don’t care about the risk and they say, we’re gonna treat everybody like opt-out. We don’t know where they are. We’re gonna treat ’em like they’re from the United States. Right. that would be a very risk-averse approach or, sorry. Yeah. A very risky approach. In my opinion. The other end of the spectrum would be we always want to safeguard our instance. And so if we don’t know where somebody’s located, we’re just gonna assume they’re located in Germany. Right. And you can kinda pick which tier of safeguarding you wanna apply. But that’s another audience that we need to have a discussion with legal about.

Kristin Crowe (OGK): (16:08)
Crazy as it sounds compliance is really a lot about how risky you wanna be and what are the, you know, what are the things you’re willing to test and, and what are the things you’re not and related to that, you know, what are the best practices to show consent for marketing has been captured? You know, what fields have you seen commonly used for this? You know, in, even though there are lots of ways people could be doing it, either sides of the risky spectrum and what are some of the commonalities across the management of that information?

Keith Nyberg: (16:38)
Yeah. That’s a that’s a really great question. And it definitely deviates a lot from my experience and what I’ve seen, I think starting at the very top of what’s most relevant in terms of managing these practices we have to have an opt-in type field, right. Most companies are serve that up as boolean, meaning it’s a true/false type field. And it’s either “yes, we have that opt-in,” or “no, we do not.” I have seen companies implement this as a string-type field where they have “yes,” they have “no,” and then they have “empty” for records that they’re unsure about. I typically don’t like that approach because you’re gonna always end up coming back to, well, do we have it or not? Right. and so really I, my preference is to serve the, in as a boolean, you can put it on your forms as a check box.

Keith Nyberg: (17:16)
You can put it on your forms as a select type field with yes or no that’s required there’s options there. But in terms of how it’s managed in the database, a single opt-in field that captures the user’s consent should be required, to enable any of the processes that we’re gonna manage in compliance. Speaking to that field though we wanna make sure that that field is reserved only for the end-user. So similar to how we try not to touch unsubscribe other than when a user wants to append it, opt-in should be the same. And if somebody’s created in our instance that hasn’t opted in, we operationally should never be setting that explicit opt-in to true, because it should be our source of truth field for whether that person has taken that action or not. You’re gonna remember that. We talked about opt-out as a category, and we talked about opt-in with implied consent, right? Castle in Canada, where we may have an existing customer that’s created in our instance we have an existing business relationship with them and we never captured opt-in. We aren’t gonna unsubscribe ’em because we have the ability to market to them. But that’s another perfect example where we are not going to set explicit opt-in based on an implied business consent use case. We’re just not gonna unsubscribe ’em. So that’s the unsubscribe or sorry, the opt-in field, which is gonna be critical in any privacy compliance program to counter that I was just talking about an unsubscribed field, right? Every marketing automation platform is gonna have some big variation of “do not email” or “unsubscribe” that we wanna manage in the system. Marketo’s great in the sense that we have the ability to set that field and operationally we can send emails, but everything else that’s not operational is gonna be restricted.

Keith Nyberg: (18:40)
Meaning only things that people request they’re gonna have fulfilled. So unsubscribed is critical and enforcing consent and enforcing our opt-in processes because there are gonna be situations where we don’t capture an explicit opt-in and the way we safeguard our records is by setting unsubscribe to “true.” Right. outside of that, I think there’s value in us knowing when we’re setting unsubscribe to “true” for our purposes, for compliance versus when the end-user has done it themselves. And so, again, unsubscribers a feel that should be reserved for the end-user. So when we set operationally, it’s important to have an unsubscribed reason field, in my opinion, where you’re setting privacy compliance as the reason you are unsubscribing the record, right? So you have an opt-in and then you have an unsubscribe field, and both of those should kind run, not in parallel. They’re not gonna be one to one.

Keith Nyberg: (19:23)
But really opt-in is where we’re capturing consent versus unsubscribed as, okay. We’re gonna enforce consent with a reason, right? Outside of that, some fields that I think are, are best in class or best practice to have, are like a processing group, which I mentioned earlier, right? We have a field for processing group where we stamp the group that the record qualified for in terms of processing. We also have a field that’s called consent status that we typically like to use, which is a friendly label for what form of consent do we have, right. And there’s explicit consent. Opt-In the explicit consent double opted in, maybe somebody’s pending double opt-in, right? Maybe somebody has no consent because they haven’t opted in maybe somebody has implied consent by their region or implied consent because they’re a customer. But these are all campaigns that you can manage in your program local to the category that you’re managing them in.

Keith Nyberg: (20:07)
Be it opt-in, be it double opt-in. And it’s important in my opinion, to set those as just that you can see at a friendly label, well, this is the type of consent I have, or I’ve captured initial consent. I’m waiting for the secondary consent and the status is pending double opt-in. Now, this next field is gonna be one that’s probably debated. And maybe some people are gonna yell at me when they hear this podcast, but I see all the time people capturing an explicit opt-in date, right? It’s like a date field, or a date time field. And whenever boolean get set to true on explicit opt-in, they want to go in and operationally set a static date/time field on the person record while this approach isn’t bad. I just wanna call out that there’s multiple journeys and lifetimes and conversations that we have with prospects, which means that having a single date field is never gonna be comprehensive of an entire journey.

Keith Nyberg: (20:50)
Right. I routinely see records that have unsubscribed in 2016, they’ve come and opted back in, in 2017. And then they unsubscribed again in 2018. And you can think about from a, a data management perspective, if you get an inquiry from a legal guidance that says this person’s suing us, we emailed them between these dates. Did we have opt-in or not? And we have processes in place that know that date of consent. You know, we start to lose visibility into that, right? And if we only had consent for a certain period of time, our single date field is never gonna be able to articulate that to us. It’s either gonna be empty or it’s gonna show the earliest date, which isn’t very valid. So it’s my preference to have a consent history field that’s a text field and every time a consent status changes, or every time we capture or gain or lose consent to, to contaminate and put a system date time in there with the form of consent that we have, and then details on where we captured it. And that’s gonna be a value that just keeps getting concatenated over time, which will be a running history of all the consent loss and gains that we’ve had for a record. So when legal comes to us and says, Hey, what went on? We can go to one source of truth field and say, well, on this date, we captured consent. We emailed them for six months and then they unsubscribed and we lost consent. Right. so I think that that’s a really helpful field to have.

Kristin Carideo (KAC): (21:58)
What you’re saying, kind of boils down to just making sure it’s, again, all of this is about CYA, right? Like just making sure in the event that we need to pull that data later, it’s there and it’s available. This is the kind of project you setting up. These processes is kind of one of those rare instances. I think where Marketing Operations may be sort of misaligned with what marketing wants, cuz Marketing Operations has to, has to enact what legal wants to do, right. So, you know, marketing’s not gonna like it. If legal wants to treat everybody like they live in Germany, if we don’t know where they live, but if that’s what legal says, you know, Marketing Operations, the onus is on us to do it.

Keith Nyberg: (22:39)
Do it, make it, you know, make it happen. Exactly. and I was just checking through some of my notes, but the only I feel that I forgot to mention is sometimes there is value in having a consent, expiration and date field. As I mentioned, there are some implied consent processes like customers or like partners or like inquiries that you may wanna set a timeframe to meaning CASL, as an example, will give us typically 12 months to market to customers. Once they’ve churned 12 months, we need to, to reconcile the record and unsubscribe ’em at that time. So having a consent expiration date is a really easy way to implement that where you can put the system data in there and future, future date stamp for when we’re gonna lose consent. You could also do that for inquiries like 30 days or something like that, where we’re gonna have the ability to market 30 days. And then in 30 days, we need to unsubscribe the record. So it’s the only other field that I was thinking of. We get back to the regular scheduled programming,

Kristin Crowe (OGK): (23:27)
So we don’t have any more regularly scheduled programming, Keith cuz I think we’ve given people more than enough information to chew on. And I wanna mention very quickly that we’ll have some additional resources in the show notes. So if you’re looking for more information around compliance, the implementation of compliance from a MOPs perspective, you can view those resources in the show notes.

Kristin Crowe (OGK): (23:51)
Thank you Keith, for that, and thank you for your time. And if you have ignored the last several minutes of content or you just saw what time to skip to, to get the three most important things, welcome here they are.

Here are the three things you really need to know about privacy compliance in marketing. If you have learned nothing else, know these things. One, compliance for marketing and Marketing Operations is a concept that includes consent to marketing, handling of data within marketing tools, safeguarding that data, and making it clear what happens to that data once it’s been captured. Two, there are four different processes that generally need to be handled across the different pieces of legislation from an email marketing perspective and grouping into these four processes can help you make sense of all the different legislation. First double opt-in second opt-in third opt-in with implied consent and fourth opt-out. Third, if you don’t know what’s happening from a compliance standpoint when you join a new organization, go find out. It seems scary because there are a lot of acronyms and it’s the law, but breaking it into process groups can help you understand how to meet the needs of the business, maintain your marketable audience and not incur a huge fine, and that’s Must Contain, compliance.

Kristin Carideo (KAC): (25:08)
Thanks for listening. We’ll be back in two weeks with another great MOPs topic and until then remember never ever assume your email looks good in outlook. Test it.

Kristin Crowe (OGK): (25:22)
This episode was produced by Kristin Crowe. Kristin Carideo, Ali Stoltzfus, and Lindsay Walter. It was edited by Kristin Crowe theme music by Rusty Hall. Special thanks to Keith Nyberg and that’s Must Contain I’m Kristin Crowe and we’ll see you in two weeks. Yay.

Want more? Check out Keith’s on-demand webinar on Managing Privacy Compliance in Marketo.

Get in Touch with Us

At Etumos, we love what we do and we love to share what we know. Call us, email us, or set up a meeting and let's chat!

Contact Us