According to the Cisco 2022 Consumer Privacy Survey, 37% of global customers have switched brands over data privacy concerns.
Several legal and government authorities have also established their own privacy standards for organizations that collect and use customer data. For example, Google failed to comply with state consumer protection laws by misleading users about its location tracking practices. As a result, it agreed to a $391.5 million settlement with 40 US states.
Salesforce Marketing Cloud can help organizations comply with these regulations and maintain customer trust.
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the two most prominent regulations that govern personal data collection, processing, and storage.
The General Data Protection Regulation (GDPR) governs how organizations, companies, governments, and other entities handle the personal data of individuals. The GDPR mandates compliance for all organizations processing the data of EU residents.
The GDPR establishes seven key principles for data processing.
Non-compliance with the GDPR can incur significant financial penalties. These fines are tiered based on the severity of the infringement.
The California Consumer Privacy Act (CCPA) empowers California residents with control over their personal data. CCPA regulates how businesses collect, use, and disclose personal data. Organizations that conduct business in California with annual gross revenue of over $25 million must comply with CCPA.
CCPA provides the following privacy protections to California residents.
Non-compliance with CCPA can result in the following penalties.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law. According to this law, organizations should create privacy standards for protecting customer health information from being disclosed without consent.
To comply with the HIPAA Security Rule, all covered entities must abide by the following.
Non-compliance with HIPAA results in Civil Monetary Penalties (CMPs) based on the level of culpability.
Organizations can make Salesforce HIPAA compliant by implementing practices like:
Read more to find out about Salesforce's comprehensive set of compliance certifications and attestations.
The following strategies will allow organizations to comply with relevant privacy regulations.
81% of US citizens feel they have very little to no control over the data organizations collect. This can result in loss of confidence or trust.
Organizations must get the explicit consent of consumers for all data collection and processing activities, including email communications, tracking website interactions, and personalized marketing.
Ducati, a multinational motorcycle manufacturer, uses Salesforce to clearly list the information it collects whenever customers fill out forms on the landing page. Ducati also has a transparent privacy policy that mentions data collection, storage, and usage.
Use consent management tools within Salesforce Marketing Cloud to obtain consent for all marketing activities and prevent tracking of contacts who request otherwise.
Consent can also be obtained by using the Salesforce Consent Data Model. It is a standard model for managing consent at multiple levels, from global preferences to granular controls. This data can be connected to Marketing Cloud to respect customers’ consent preferences.
Segment customers according to their preferences to receive marketing communications. This helps comply with regulations and reduces the risk of sending unsolicited messages. Sending messages to the right customers also increases delivery rates and eliminates the chances of being flagged as spam by Internet Service Providers (ISPs).
Spotify, one of the largest global streaming platforms, uses Salesforce Marketing Cloud to segment its users based on consent and preferences. This allows the brand to elevate its digital experiences by sending more customized communications to customers.
43% of US customers believe they are not able to protect their personal data collected by organizations. To avoid facing this issue with your customers, consider anonymizing or pseudonymizing data where possible to protect individual privacy while still being able to use the data.
Implement data retention policies to retain personal data only for a short time. Regularly delete data that is no longer needed. To uphold its customer-first approach, T-Mobile, one of the largest telecom service providers, uses Salesforce to ethically collect, retain, and use customer data. It also clearly states all this information on its official website.
63% of global customers believe most companies aren’t transparent about how their data is used.
Ensure privacy policies are clear, concise, and easily accessible to customers. Explain how the data is collected, stored, and used. The privacy policies should also state the customer's rights under data protection laws.
BMW Motorrad, a multinational luxury vehicle manufacturer, clearly states its privacy policy.
Be prepared to provide individuals with their data upon request, as regulations require. Ensure systems can export and transmit personal data in a standard format. Salesforce Marketing Cloud makes it easy for businesses to give customers their data on request. The following table shows how to extract customer data from various SFMC components.
| Application | Action |
| --- | --- |
| Automation Studio | Use data extracts to obtain the record based on the contact's ID value. |
| Personalization Builder | Contact the Marketing Cloud account representative for help. |
| Social Studio | Subject to specific limitations, it is possible to export managed account data from Social Studio either in the Analyze tab or by using cross-workplace reports. Individuals can also export their social media data directly from the relevant social network. |
Appoint a Data Protection Officer if the organization is subject to GDPR or similar regulations. The DPO can help ensure compliance and act as a point of contact for privacy-related issues.
Lindsey Finch, the Executive Vice President at Salesforce, is also the Data Protection Officer at Salesforce. She and her team collaborate throughout the company to promote a privacy-oriented culture.
They work on designing, implementing, and ensuring compliance with the global privacy program. This includes integrating privacy considerations into the product development process.
Conduct DPIAs to assess the potential risks and privacy implications of Salesforce Marketing Cloud activities. Address identified risks and implement safeguards accordingly.
To conduct a DPIA with Salesforce Marketing Cloud, organizations should follow eight steps.
Make it easy for individuals to opt out of marketing communications and ensure the process is transparent and straightforward.
For example, when running email campaigns with Email Studio, always include an “unsubscribe” link in each email. By clicking this link, the individual should be able to seamlessly opt out of all future communications.
81% of users believe the way a company treats their personal data is indicative of the way it views them as a customer. Develop a clear and effective plan for responding to data breaches, including notifying affected individuals and relevant authorities. Practices like these not only help secure the data but also help build trust and loyalty.
Educate the marketing and sales teams about privacy regulations and data protection laws. While implementing a Digital Experience Platform, ensure they understand the importance of privacy compliance and the potential consequences of non-compliance.