Describe governance and compliance in relation to digital marketing.
Marketing Cloud implementations need to comply with the data protection and privacy regulations that apply to them, in order to keep personal customer data secure and private. In addition, all emails sent from Marketing Cloud must comply with the United States CAN-SPAM law.
A number of data protection and privacy regulations can apply to a company that handles personal customer data. Some of the most common ones are:
| Regulation | Abbreviation | Jurisdiction |
|---|---|---|
| General Data Protection Regulation | GDPR | European Union |
| California Consumer Privacy Act | CCPA | United States |
| Health Insurance Portability and Accountability Act | HIPAA | United States |
| Telephone Consumer Protection Act | TCPA | United States |
| Federal Rules of Civil Procedure | FRCP | United States |
| Personal Information Protection and Electronic Documents Act | PIPEDA | Canada |
| Canada’s Anti-Spam Law | CASL | Canada |
| Personal Information Protection Act | PIPA | Japan |
| Privacy Act | Privacy Act | Australia |
These regulations have different definitions of personal data and require different measures to keep such data secure. Some apply only to specific industries (e.g. HIPAA), while others apply to all businesses handling the personal data of residents of a specific jurisdiction, regardless of where the business itself is located (e.g. GDPR).
All of the regulations listed above share some common and overlapping principles that should be applied to protect personal data. The common principles, each described below, are: deletion of personal data, encryption of data in transit and at rest, consent to data collection and processing, restriction of processing, and data portability.
Businesses may be required by data protection and privacy regulations to delete personal customer data. The rules for when this data must be deleted vary depending on the applicable regulation.
Data protection and privacy regulations such as GDPR, PIPA, and the Privacy Act require personal customer data to be deleted when customers request it or when it is no longer necessary to keep the data.
In Marketing Cloud, customer data can be deleted in several ways, such as:
Some data protection and privacy regulations require encryption of personal data in transit, at rest, or both.
In Marketing Cloud, encryption in transit is achieved by enforcing HTTPS with the latest TLS version on Marketing Cloud itself and on landing pages. For API integrations, OAuth access token authentication can be enforced for REST and SOAP API calls; note that OAuth authenticates the caller but does not encrypt anything by itself, so API calls must also go over HTTPS.
Marketing Cloud also provides methods to encrypt data at rest. The available methods are field-level encryption, Transparent Data Encryption (TDE), and Tokenized Sending.
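The "enforce the latest TLS version" requirement is only as good as what the landing page domain actually negotiates, so it is worth checking from the outside. The script below is an added example, not Salesforce code or a Marketing Cloud feature: it reports the protocol a host negotiates with a verifying client, evaluates it against a minimum-version policy, and separately probes whether the host still completes a TLS 1.0/1.1 handshake. The domain `pages.example.com` is a hypothetical landing page host used only as a placeholder.

```python
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version(), oldest to newest.
VERSION_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def meets_policy(negotiated, minimum="TLSv1.2"):
    """True if the negotiated protocol is at or above the policy minimum.

    Unknown names and None (no TLS negotiated at all) fail closed.
    """
    if negotiated not in VERSION_ORDER or minimum not in VERSION_ORDER:
        return False
    return VERSION_ORDER[negotiated] >= VERSION_ORDER[minimum]


def negotiated_tls(host, port=443, timeout=5.0):
    """Connect the way a browser would (certificate and hostname verified)
    and return (protocol, cipher) as negotiated by the server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never offer anything older ourselves
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def legacy_tls_accepted(host, port=443, timeout=5.0):
    """Probe whether the server still completes a TLS 1.0/1.1 handshake.

    Returns True when it does (the misconfiguration to fix) and False when
    the server refuses. Certificate checks are disabled because only
    handshake success matters here. @SECLEVEL=0 is required with OpenSSL 3,
    which otherwise refuses to offer TLS 1.0/1.1 on the client side.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionError):
        return False


if __name__ == "__main__":
    import sys

    # Hypothetical landing page domain; pass a real one as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "pages.example.com"
    proto, cipher = negotiated_tls(host)
    print(f"{host}: negotiated {proto} with {cipher}; policy ok={meets_policy(proto)}")
    print(f"{host}: legacy TLS 1.0/1.1 still accepted={legacy_tls_accepted(host)}")
```

Run it against every custom domain used for landing pages and link tracking, not just the main Marketing Cloud login domain: a page that negotiates TLS 1.3 with a modern client can still accept TLS 1.0 from an old one, and only the second probe reveals that.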
Businesses may be required by data protection and privacy regulations to honor customer requests about how their data is collected and processed. This can affect the type of content delivered to customers and how customer data is processed for tracking and analytics.
Data protection and privacy regulations such as GDPR, CCPA, TCPA, CASL, and PIPA require businesses to collect customer consent for different types of data processing.
In Marketing Cloud, users can opt in to or out of marketing communication via the Email Studio profile and preference center, or via a custom consent solution.
Businesses may be required by data protection and privacy regulations to restrict the collection and processing of customer data.
Data protection and privacy regulations such as GDPR and FRCP can impose restrictions on certain forms of customer data processing.
In Marketing Cloud, processing of selected contacts can be restricted when managing contact information via the REST API, or by contacting Salesforce support.
Businesses may be required by data protection and privacy regulations, or by customer contracts, to allow customers to export all data collected about them.
Data protection and privacy regulations such as GDPR, as well as customer contracts, can require businesses to let customers take their data with them.
In Marketing Cloud, the data collected about a contact can be exported using the Contact Data Portability report. Additional data can be extracted using Data Extract activities in Automation Studio.
CAN-SPAM stands for "Controlling the Assault of Non-Solicited Pornography and Marketing Act" and is a United States federal law governing email message requirements.
All emails sent from Marketing Cloud must comply with CAN-SPAM, regardless of the sender's or recipient's country, because most emails sent with Marketing Cloud originate from infrastructure in the United States.
The CAN-SPAM regulation distinguishes between commercial and transactional emails. The compliance requirements for commercial emails (e.g. newsletters) are stricter than for transactional emails (e.g. order confirmations).
Commercial emails are email messages with the primary purpose of advertising or promoting a commercial product or service.
To comply with CAN-SPAM, commercial emails must fulfil the following requirements:
Marketing Cloud verifies that email sends classified as commercial emails contain an unsubscribe (i.e. profile center) link and a physical mailing address.
Transactional emails are email messages with the primary purpose of facilitating, completing, or confirming a transaction which was previously agreed upon between sender and recipient.
To comply with CAN-SPAM, transactional emails must fulfil the following requirements:
Marketing Cloud does not verify that email sends classified as transactional emails contain an unsubscribe (i.e. profile center) link and a physical mailing address.
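Because Marketing Cloud checks for the unsubscribe link and physical address only on sends classified as commercial, a promotional template that is (wrongly) sent under a transactional send classification goes out without the check. The linter below is an added example, not Salesforce code: it applies the same two checks to raw email HTML before the send, so it can be run in a template review step with the classification the content actually warrants. It recognizes the Marketing Cloud personalization strings for the profile/subscription center (`%%profile_center%%`, `%%unsub_center_url%%`, `%%subscription_center_url%%`) and the business unit address (`%%Member_Addr%%` and related strings); the regex fallbacks for hand-coded footers and the sample emails are constructed for this example and are an assumption, not the rule Marketing Cloud applies.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Marketing Cloud personalization strings that render an unsubscribe,
# profile center or subscription center link at send time.
UNSUB_STRINGS = ("%%profile_center%%", "%%unsub_center_url%%", "%%subscription_center_url%%")
# Personalization strings that render the business unit's physical address.
ADDRESS_STRINGS = ("%%Member_Addr%%", "%%Member_City%%", "%%Member_State%%", "%%Member_PostalCode%%")

# Heuristic fallbacks for hand-coded footers (assumption of this example).
UNSUB_HREF = re.compile(r'<a\b[^>]*href\s*=\s*["\'][^"\']*(?:unsubscribe|opt-?out|preference)', re.I)
STREET_ADDRESS = re.compile(
    r"\b\d{1,6}\s+[A-Za-z0-9.'\- ]{2,40}?\b(?:street|st|avenue|ave|road|rd|boulevard|blvd|lane|ln|drive|dr|way)\b",
    re.I,
)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


@dataclass
class LintResult:
    classification: str
    has_unsubscribe: bool
    has_address: bool
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def lint_email(html: str, classification: str) -> LintResult:
    """Apply the CAN-SPAM footer checks to one email's HTML.

    classification is "commercial" or "transactional". HTML comments are
    stripped first: a link or address that exists only inside a comment is
    never rendered for the recipient and must not satisfy the check.
    """
    if classification not in ("commercial", "transactional"):
        raise ValueError("classification must be 'commercial' or 'transactional'")
    body = HTML_COMMENT.sub("", html)
    lowered = body.lower()
    has_unsub = any(s.lower() in lowered for s in UNSUB_STRINGS) or UNSUB_HREF.search(body) is not None
    has_addr = any(s.lower() in lowered for s in ADDRESS_STRINGS) or STREET_ADDRESS.search(body) is not None
    result = LintResult(classification, has_unsub, has_addr)
    # Both elements are mandatory for commercial email; for transactional
    # email they are reported but not required.
    if classification == "commercial":
        if not has_unsub:
            result.problems.append("commercial email has no unsubscribe / profile center link")
        if not has_addr:
            result.problems.append("commercial email has no physical mailing address")
    return result


# Constructed sample templates for this example.
NEWSLETTER_OK = """<html><body><p>Our summer sale starts Monday.</p>
<p><a href="%%profile_center%%">Update your preferences or unsubscribe</a></p>
<p>%%Member_Busname%%, %%Member_Addr%%, %%Member_City%%, %%Member_State%% %%Member_PostalCode%%</p>
</body></html>"""

NEWSLETTER_COMMENTED = """<html><body><p>Our summer sale starts Monday.</p>
<!-- footer removed during testing: <a href="%%unsub_center_url%%">Unsubscribe</a> 500 Example Ave -->
</body></html>"""

HANDCODED_FOOTER = """<html><body><p>New arrivals this week.</p>
<p><a href="https://example.com/unsubscribe?id=42">Unsubscribe</a><br>Acme Corp, 123 Main St, Springfield, IL 62701</p>
</body></html>"""

RECEIPT = """<html><body><p>Thanks for your order #A1234.</p><p>Questions? Reply to this email.</p></body></html>"""

if __name__ == "__main__":
    for name, html, cls in (("newsletter", NEWSLETTER_OK, "commercial"),
                            ("commented footer", NEWSLETTER_COMMENTED, "commercial"),
                            ("hand-coded footer", HANDCODED_FOOTER, "commercial"),
                            ("receipt", RECEIPT, "transactional")):
        r = lint_email(html, cls)
        print(f"{name} ({cls}): ok={r.ok} unsubscribe={r.has_unsubscribe} address={r.has_address} {r.problems}")
```

The useful way to run this is with the classification the content deserves rather than the one configured on the send: lint every template as "commercial" unless it really only confirms a previously agreed transaction, and treat any failure on a template that is sent under a transactional send classification as a misclassification to fix, since Marketing Cloud itself will not catch it.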