Marketing: Email Compliance – Part 2

with Pamela Muldoon

In Part 2 of our riveting Email Compliance series (it’s true, we promise), Anne and Pamela talk about the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). Learn how to store, collect, and handle data securely, while following these important laws and avoiding liability #LIKEABOSS


Quick Concepts from Today’s Episode:

  1. The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. 

  2. The GDPR sets out seven key principles:

  3. Data must be:“

  4. (a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

  5. (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

  6. (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

  7. (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

  8. (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

  9. (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

  10. The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including:

  11. The right to know about the personal information a business collects about them and how it is used and shared;

  12. The right to delete personal information collected from them (with some exceptions);

  13. The right to opt-out of the sale of their personal information; and

  14. The right to non-discrimination for exercising their CCPA rights.

  15. CCPA applies to you if your business:

  16. Has a gross annual revenue of over $25 million;

  17. Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or

  18. Derives 50% or more of their annual revenue from selling California residents’ personal information.

Referenced in this Episode

Direct links to things we brought up +

GDPR information
CCPA information
Pamela Muldoon’s Website
BadAss Editing by Carl Bahner
Recorded on ipDTL


>> It’s time to take your business to the next level, the BOSS level! These are the premier business owner strategies and successes being utilized by the industry’s top talent today. Rock your business like a BOSS, a VO BOSS. Now let’s welcome your host Anne Ganguzza.

Anne: Hey everyone. Welcome to the VO BOSS podcast. I’m your host, Anne Ganguzza, along with my CAN-SPAM Pam [laughs] special guest host Pamela Muldoon. Hey Pamela, how are you?

Pamela: Oh my goodness, Anne.

[both laugh]

Anne: CAN-SPAM Pam.

Pamela: Yes.

Anne: I say this, BOSSes, because if you did not listen to our previous episode, we talked all about compliance and the CAN-SPAM – I can say that three times fast – the CAN-SPAM Act, which was set forth to ensure that all emails are sent within a certain set of guidelines and rules to avoid spamming and all sorts of stuff like that.

Pamela: And I’m a rule follower, Anne, so I’ll take that as a title compliment today.

Anne: CAN-SPAM Pam.

[both laugh]

Pamela: That doesn’t mean you can spam me. Just so you know. [laughs]

Anne: That’s right, that’s right, you cannot spam Pam, but it’s CAN-SPAM Act Pam [laughs] Muldoon.

Pamela: Thank goodness we’re going to use different letters and different [laughs] acronyms.

Anne: I’m glad that you actually brought that up. So compliance is a huge issue. I remember a couple of years ago a whole bunch of stuff coming out about GDPR. So I think that we should probably discuss GDPR as well, Pam, and maybe a compliance part two to the series, because I think it’s something as BOSSes and entrepreneurs, we need to be aware of these things. So GDPR came out I believe in 2018, right, Pam?

Pamela: 2018, yeah, it did. Yep. And I think what we’re going to talk about today has more to do with data privacy. What was great about the CAN-SPAM Act is it gave you a specific set of guidelines that are very actionable and very doable. When we start talking about these other compliance laws that have gone into effect around the world, it really is a response to data breaches and the privacy concerns that have become even part of our culture and just hot topics over the past years as well.

Anne: I think in 2018, when GDPR, which by the way stands for General Data Protection Regulation, came out for the EU, other places started looking at those and adopting those policies as well.

Pamela: Yeah, they definitely took the lead, and it’s all designed for protection of information, and so we’ll touch on some probably key highlights and key points of GDPR. We’re not here again to [laughs] put the fear in anyone. It’s just, there’s a very specific subset or group of folks that are listening to VO BOSS that this will affect more than others.

Anne: I think here, number one, the most important thing that as BOSSes you have to understand, when being concerned about data and data privacy, is understand that when you have someone’s email address, that’s a piece of data. When you’ve built your buyer persona, and you understand, you have a first name, a last name, an email address, a location, could be all sorts of other things you have, you know, a record of what they’ve purchased, or if they’ve contacted you. All of that is personal data. So you have to ask a few questions I think in terms of understanding your data practices and where you may need to step it up in terms of compliance. So what personal data do you hold? This could be the data you have in your ESP. It could be the data you have in your CRM. It could be data you have in an Excel spreadsheet, right? And if you have that data, is it secure? Do you have that data on a Web server? Do you have it hosted somewhere, and wherever you have it, it has to be secure, probably encrypted would make me feel better about it, so that people can’t steal it. Like who has access to it besides yourself? And that includes people who might be hosting on the server, if they have admin privileges or data privileges to access the database there. And then who or where is it transferred, if you’re going to be downloading it, uploading it, if it’s going to be moved from server to server, and how long do you keep that data? All very, very important questions.

Pamela: And these are especially, I mean when we talk about GDPR, we’re talking about the members of the European Union, right? You could be listening from the EU, right, and you’re marketing to each other [laughs] within it, or you could be listening here in the United States, and you market to somebody in the EU, right? This is why this is so critical.

Anne: I’m glad – you reeled me in on that one. I do want to say it’s important you understand what it is that you have. If it’s not applying to you right now and maybe it’s just applying to – not in the United States yet, I guarantee you that if there were a data breach, possibly on a server, or people got information – I have websites where people have passwords, and they log in. If there’s a data breach, there’s a certain amount of responsibility that you have. Especially if you’re selling services on your website, you might potentially have people’s data. I know that I always make sure the data that I have is either hosted on another server that takes that responsibility, or if people are paying me and using a credit card, that sort of thing, it’s hosted by another server like PayPal or Stripe, or that sort of thing. But understand that if you have a Web server that maintains, even a WordPress server that maintains email information and/or credit card information, that’s important for you to know. If you don’t know, find out. [laughs]

Pamela: Right.

Anne: Make sure that you’re not going to be responsible for it if there’s a breach on that server.

Pamela: Just like you know last time, when we talked about CAN-SPAM, we talked about that opt-in. This has been a theme for us, I think, is the importance of the opt-in. But with something like GDPR, it becomes even more important that you can provide the consent record. So again, because it’s data, to your point, Anne, right, your email address for example is data. You know, people forget, [laughs] “did I, did I opt into this,” for whatever reason. Again you know, and you have touched on this, I think, how can an average VO BOSS, owner, entrepreneur stay on top of this? Be aware of what’s in your data. Just be aware of what’s in your database, who’s in it. I would encourage them to consider re-looking at their database a couple of times a year, just making sure they’re very aware of who is in it and how they opted in, and really understand, and of course the larger your database gets, the more complicated this can get, but if you are using a large database and really doing a lot around email marketing, more than likely you’re also working with a virtual assistant or somebody else who can help you kind of stay on top of these things as well.

Anne: Absolutely. And if you do have that data on, let’s say, a server, let’s say you’re using a CRM to keep a database of your potential clients and contacts, they should have a policy. You should make sure that you read that policy, understand where that data is being stored, and actually I would even question, if it’s not written somewhere in the fine print on the server, ask where’s that information being stored, is it on that server, and how is it being protected security wise? Is it encrypted? Are those servers safe from being, I don’t know, hacked? This is something that we have all been through like, Target’s servers were hacked what, not so long ago, and people’s data was compromised. I just had something the other day, a thing that you don’t want to see, that trusted source that all of a sudden had a data breach. You don’t want that to be you. And so I know what it feels like when, gosh, my Target account just got compromised or whatever it is, or your credit card account got compromised.

Pamela: When they mention a brand, you’re like oh that could oo – now I have to pay attention. [laughs]

Anne: Exactly. So pay attention to where your data – and don’t just blindly say, well, I purchased this package, and this is what I’m doing. Make sure you know how they’re handling the security of the data, and if they’re keeping it, how they’re keeping it, if it was encrypted. Back when I worked for the school, it was a policy I had to adhere to. I had to actually create a report every year about where was the data being held, and was it being encrypted, and where were they being stored, because we didn’t want to have people, you know, hacking into the server and getting passwords. Not that you’re likely to have password information so much, unless you have a service that you’re offering for your, you know, clients to log in, but if you do, make sure that that’s encrypted, and if that’s hosted on a Web server, make sure that that Web server is either, they don’t store those passwords on that same server, or that server is behind a firewall, or something like that. It’s just good to know.

Pamela: Well, and we have been talking mainly about, you know, your data being housed on say an ESP or something that holds your email address, but I think it’s a good opportunity to also remind folks of the importance of CRM in terms of this as well, which is that, you know, the relationship management software, right, your customer relationship management software. And so there’s a number of discussions on any [laughs] in any given moment out there on the inter-webs on these things. But again, doing this versus an Excel sheet, I want you as a VO BOSS to think about this, what’s more hackable, right? [laughs] Using something like a Nimble or a Voiceoverview, or these actual software services, that you can use, and those are for multiple reasons, but this alone could be one of those reasons you need to consider that. Right? Because again it’s not a third-party vendor that’s going through that, you know, compliance process as a company to ensure that the data is secure.

Anne: Yeah. It just makes me think, honestly, I just like brought up Tiktok, you know.

Pamela: Yeah.

Anne: Is that data being sold? Is the data being compromised? It’s really something that if you’ve not thought about it, I need you guys to think about it. We need to be BOSSes and understand where your data is, and make sure it’s protected.

Pamela: And yeah, if you’re taking data from other people, you now are part of that chain [laughs] of command, right?