5 Data Privacy Myths For Marketers, Busted

As the first state to pass data privacy laws in 2018, California is very much a data privacy pioneer. But these laws don’t just apply to Golden State companies or marketers based here — they reach farther and have a greater impact than some marketers may realize. What are some of the false perceptions about data privacy that many marketers have?

To learn more in recognition of 2024’s Data Privacy Day, AMA SF spoke with Jodi Daniels, CEO and privacy consultant of Red Clover Advisors, and Robin Andruss, Chief Privacy Officer with Palo Alto-based SkyFlow, to bust the most common data privacy myths in the marketing world.

Myth #1: Marketers aren’t responsible if their third-party vendors don’t comply

Third-party vendors cover nearly all of the tools marketers use every day, or “any third party you share customer data with,” according to Andruss. Email marketing platforms, search engine analytics, and loyalty program software are all examples of third-party vendors that have access to your customer data. 

Marketers may be lulled into a false sense of security, assuming that any risk to properly safeguard or use data falls on the vendor. However, Andruss and Daniels both press that your company is ultimately responsible for protecting customer privacy, both by law and from an ethical perspective.

“As a marketer, you should be understanding who you’re sharing your customers’ personal data with,” Andruss said. “If those third parties were to have a breach or other negative consequence, you’d also have to notify your customers, which would impact your own brand.”

Daniels emphasizes the importance of evaluating vendors for their privacy measures and how they utilize customer data before onboarding any new technology or partner.

“A vendor review is critical because you’re not absolved if a vendor did something wrong,” Daniels said. “It’s your job to evaluate that vendor.”

Notably, data privacy and data security issues such as a breach are two separate issues.

“Security is about protecting the information, and privacy is about how that information is collected, used, and processed — do your vendors access and use the data you’re giving them?” Daniels said.

How your company uses the software in question makes a difference in both data privacy and data security.

“Some vendors handle security features on their side, whileothers require you to take more action,” Daniels said. “There are settings you have to have in place to make sure the platforms are as secure as possible.”

Access control, which determines who can log into the software, and two-factor authentication are two methods Daniels recommends marketers employ as part of a data privacy best practices policy.

Myth #2: All data collection is opt-in by default

Marketers may assume that all forms of data collection are automatically opt-in — that someone consents to their data being used when they sign up for a certain offer or service. Andruss and Daniels emphasized that this is far from the case. Customers supplying an email address, phone number, or mailing address are not considered opting into all marketing communications and activities.

“Think about if you offer an internet-based ad with 25% off for every new text message subscriber — the subscriber first has to provide their email and phone number, with clear notice upon initial collection, but then you also get a text message saying to ‘Opt Into’ future texts from the brand before they send more marketing messages,” Andruss said. “You have to understand how you’re getting consent and the method through which you’re getting consent, whether that’s through email, text, a signup form, or something else.”

In fact, the first enforcement action under the California Consumer Privacy Act, the first data privacy law enacted in the United States, involved a lack of proper opt-out procedures for customers.

“Data you’re collecting and using from adtech is generally considered a sale of data under the California privacy law and a growing number of other states,” Daniels said. “The first infraction of this regulation was by Sephora in 2022; their website had multiple tags on their site but did not have the right disclosures and the right opt-outs for customers. This is just one state and one example, but as other states enact their own data privacy laws, more businesses will have similar obligations.”

Daniels recommends understanding which data privacy laws apply to your business first and foremost before determining which marketing activities require which kind of opt-in and opt-out policies.

“Do you have global customers, customers in the U.S., in certain places in the U.S.? You have to do a privacy law review to see what applies to you,” Daniels said. “You also need to understand the kind of data you’re processing — the data you’re collecting for each marketing activity, where the data is stored, who it’s shared with, and which additional rules you have to adhere to. Then, you match up your marketing activities to your policies and make sure everything is compliant.”

Myth #3: Small companies don’t need to worry about compliance

For small businesses and start-ups, it’s easy to think that your activities may fall under the radar. And while there is a grain of truth to regulators making a splash with bigger names and large penalties, Daniels warns that time is running out before smaller companies will fall under the radar of regulatory bodies.

Andruss notes that because marketing activities and your privacy notice are very visible, attracting attention is not hard. She said “it just takes one complaint” from a member of the general public that could turn regulators’ attention to your business.

“Anyone can complain to the Federal Trade Commission or the Better Business Bureau; anyone can post on social media,” Andruss said. “This means that even the smallest company could still come to the attention of regulatory bodies — and those bodies may investigate you if they get a complaint.”

Daniels recommends becoming compliant from the get-go before it’s too late — and the consequences are too expensive, both to your reputation and to your bank account.

“Some companies want to do the right thing right away and be above board, and other companies see data privacy compliance as a hindrance,” Daniels said. “Do you decide which laws you as a company are going to adhere to? The HR teams comply with laws; the finance team complies with tax laws. It’s the same thing. The only difference is that privacy is new.”

Myth #4: If you get in trouble, it won’t hurt your brand

Some marketers may think that consumers don’t care what’s done with their data or don’t think their information being used for other purposes isn’t a big deal. Andruss and Daniels say that the opposite is true.

“There are some consumers who have no clue, and there are also savvy consumers who really pay attention,” Daniels said. “For example, tech-oriented moms have in-depth conversations about different Internet of Things (IoT) devices and their privacy measures before they bring those items into their home.”

Brands that don’t prioritize data privacy might find that they develop a less-than-stellar reputation.

“Data privacy issues are an erosion of trust,” Andruss said. “If they aren’t taken seriously by marketing professionals, these issues can impact your entire company.”

Andruss and Daniels say that this is true of both B2B and B2C consumers. For B2B companies, data privacy issues could result in customers switching to a competitor. For B2C consumers, this could mean customers seeking out alternatives to products that prioritize data privacy. In short — underestimating consumers’ care or knowledge regarding data privacy can land your company in hot water.

This also applies to how you present the way you collect data from customers. If you use dark patterns, which are design choices that may falsely lead a customer to give up their information, that can leave both customers and the FTC with a bad impression.

“Dark patterns, as defined by the FTC, are design choices that are not in the consumer’s best interest,” Andruss said. “Things like pre-checked opt-in boxes and confusing cancellation procedures are dark patterns. The FTC has recently made it clear that they will take action against dark patterns if they saw these traps, and consumers will take note, too.”

Myth #5: You won’t get caught not complying

California was the first state to pass data privacy laws in 2018. Several states have followed suit since — four more states have enacted laws since 2018, and several more are rolling out their own versions within the next two years. 

“The reality is… the risks are that customers won’t buy from you and you’ll eventually be fined to some degree,” Daniels said. “Every state has fines, typically around a couple of thousand dollars per record… even if you’re a small company, you can end up under regulatory review, and they don’t like companies who aren’t truthful on privacy notices or on their actions. They will be happy to come after you and cause all kinds of issues.

Daniels added that many of the regulatory actions in 2023 were related to targeted advertising, targeted marketing, and privacy notices. 

“Who wants that negative PR?” Daniels said.

Andruss described the hope of not getting caught as “an old way of thinking.”

“With states passing their own laws, plus GDPR in Europe, regulators are much more in tune with the marketing world and what happens in it,” Andruss said.

Noting that marketing, data privacy, and the law are now closely intertwined, Andruss said that regulators are starting to scrutinize companies under the microscope.

“Various agencies, both federal, state, national, and international want to know how people make money,” Andruss said. “Our lives are so digital, and the law is catching up with putting protections in place.”

For Data Privacy Day, take stock of your best practices

As marketers, we are responsible for much more than just good creative or a good return on ad spend (ROAS). We have to comply with the law, including the rapidly evolving field of data privacy law. And while there’s a lot of ground to cover, this primer offers an overview of what you need to know as you plan future campaigns.

The AMA SF is here to help point you in the right direction. With content, programming, webinars, and more, we keep you up to date on the latest marketing best practices with the Bay Area’s leading experts. Connect, network, and learn with us — sign up for our newsletter or follow us on LinkedIn to stay in the loop.

About The Author

Stella is an award-winning former journalist with more than 15 years of editorial experience. Her specialties are in content creation for SEO, brand voice development, content marketing strategy, and editorial calendar creation and management. She is a newcomer to California by way of New Jersey and New York. As the Content Marketing Editor for AMA-SF, Stella works with the organization’s board to develop, create, and deploy editorial content. This content supports the organization’s mission to connect Bay Area marketers and encourage thought leadership from AMA-SF board members that elevates the chapter’s profile regionally and nationally. Stella is the owner of award-winning content marketing firm The Stellastra Effect and of cannabis digital marketing agency CannaContent. Prior to opening her agencies, Stella worked in the licensing industry, overseeing product lines, enforcing brand voice standards for international brands, and developing private-label brands in consumer electronics, home lighting, and kitchen products. When not at her desk, you’ll find Stella singing to her houseplants, searching for great sushi spots, and thrifting for vintage treasures and great bargains.