Tag Archives: GDPR

Email Marketers and California’s New Data Privacy Law

In June of 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA). Taking its inspiration from the European Union’s General Data Protection Regulation (GDPR), the CCPA was intended to protect online data privacy. Like the GDPR, it gives California residents the right to opt out of any sharing of their data and the right to have their data deleted. It was created by Alastair Mactaggart, a rich San Francisco real estate investor, and drafted by him with friends, including cybersecurity and data privacy expert Mary Stone Ross.

But Mactaggart wasn’t happy with the legislation and, two years later, introduced ballot measure Proposition 24, intended to correct what he saw as problems with the CCPA. In November 2020 the California voters passed a revision to the CCPA entitled the California Privacy Rights Act of 2020 (CPRA).[1] Not everyone was happy with the new resolution, including Mactaggart’s former associate Mary Stone Ross, who opposed it, as did the ACLU, among others. Nonetheless, the proposition passed and is now law in California.

Why It Matters

While California is just one of the fifty US states, it has one of the largest populations and an over-sized influence on the rest of the country. Legislation passed by California is often copied by other states. So what has been the impact of the CCPA on the email marketing community, and what should we expect from the CPRA?

So far, the CCPA doesn’t appear to have had a significant impact on many in the email marketing community. Will the CPRA change that? Will it have a more significant impact on businesses? Only time will tell for the true effects, but there are a number of changes in the law that seem likely to cause an impact. We have read the law and attempted to interpret how the changes will affect the email marketing community. Please note that this is not legal advice. For specific questions about the law, please consult an attorney.

One of the changes was intended to close loopholes around businesses sharing information. The new law changes the wording to include the sharing of information between companies in almost every way. Whereas before, with the 2018 version of the law, many people interpreted it to allow businesses to share information between companies with affiliate relations, that is now explicitly disallowed.

The California Privacy Protection Agency

The most dramatic change from CCPA is the creation of the California Privacy Protection Agency. Previously, the prosecution of privacy violations was left to the California attorney general’s office, which acknowledged they don’t have the resources to bring many cases to court. With a projected budget of $5 to $10 million a year and a law that says the proceeds from these cases will go to the new agency, the California Privacy Protection Agency actually benefits from prosecuting cases. With these kinds of resources, we expect that there will be significantly more prosecutions. Additionally, with CCPA, there were rules that allowed a company to “cure” violations to avoid punishment. With the new law, the ability to cure violations is reduced to a one-time opportunity.

It’s not all bad news, however. As with the CCPA, the CPRA has little effect on smaller businesses. It only applies to businesses that earn over $25 million a year. If anything, it’s more lenient than the CCPA since it increases the number of subscribers a business can have from 50,000 to 100,000.

The exceptions are businesses that earn 50% or more of their annual revenue from selling or sharing consumers’ personal information. The changes in this law make it clear that sharing data with another business, regardless of the creative words used to describe the arrangement or the annual earnings, is now illegal without strict contractual requirements to ensure that business maintains the same level of privacy protection. If you make money by selling your email leads, you will need to be very careful about this law. And the penalties for violations remain debilitatingly high. Fines could be millions of dollars for a single email blast!

The law continues or even strengthens the requirements of disclosure for the personal information you collect. This law goes so far as to give the exact words you need to provide as a link on the homepage of your website to explain to users the information you collect and requires you to make an option available to users to request that this data be deleted.

In GDPR and Email: Part 1, an Overview, we pointed out that much of this legislation requires businesses to forget all the information about a recipient, without addressing the inevitable problems this can cause. Our reading of this is that the law does allow for the storage of some key identifier to support a user’s request to be deleted (specifically, email address in our case). While we doubt that this was the intended purpose of this subsection, it certainly appears to let businesses off the hook in regards to keeping email addresses to prevent further data gathering and further email sending.

Don’t Add Data to Unsubscribes

The new law makes it explicitly clear that personal information cannot be added to records for recipients that have unsubscribed. Maintaining the email address to know the person has unsubscribed appears legal, but you cannot then augment the file of information about that user to include any personal information, even if you won’t be sending to them. Some software or business practice changes may be necessary for companies to comply with this.

One thing that is unequivocally banned by the CPRA is the practice of assuming that consent is provided by hovering over, muting, pausing, or closing a given piece of content. It also prohibits the practice of using “dark patterns” to add data about users, which it defines as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.” Hopefully few businesses were doing this, but should you be considering it, now it is explicitly illegal.

Another frustration we have experienced with GDPR that doesn’t appear resolved by these California laws is the question of what constitutes personal information. Some things are obvious, such as Social Security Numbers, addresses, dates of birth, etc. But how about information like clickthroughs or opens? Is it personal information to keep track of what content the person opened, or to store the links that they clicked on? Certainly, an argument could be made that this information is unworthy to be considered confidential or private information, but the laws are not clear. It would be nice if this could be resolved for the email marketing community but for now, each company and their lawyers will need to make their own decision.

The CCPA went into effect at the beginning of 2020 and will stay in effect until the 1st of January, 2023. At that point, the CPRA will go into action, but the law also applies to personal information collected by a business on or after January 1st, 2022. If you are an email marketer who doesn’t collect any personal information about your recipients and simply blasts untargeted advertisements at them you may not need to change business practices. You need to offer an explicit “delete” option, rather than just an unsubscribe, but no other changes may be required. However, if you target recipients based on the information you have collected about them no matter what the source, you may have to make changes to “dumb down” your program. Untargeted advertisements appear to be acceptable but targeted advertisements may get you in trouble. It’s a bit ironic that the “benefit” of privacy protection may neuter all marketing to be generic and unengaging to recipients.



1. The California Privacy Rights Act of 2020 in PDF form.

© Goolara, LLC, 2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Goolara, LLC and the Goolara Blog with appropriate and specific directions (i.e., links) to the original content.

The Year in Email

Here we are again. Another year has come and gone. As always, there was no shortage of email flubs this year and we’ve collected a few of our favorites. Interestingly, we saw fewer of the “Dear [customer name]” errors that used to plague email marketing. Either people have finally made sure that their name fields contain information, or they’re starting to use dynamic content more. Either way, it’s nice to see that one go away. We’ll start the list with the one thing that doesn’t appear to be going away: the inactive unsubscribe link and CAN-SPAM violations.

Don’t You Dare Unsubscribe

After receiving ten unsolicited emails in just a few days from a company pretending to be Dawgs—a purveyor of ugly sandals—I tried to unsubscribe. This is what I got. How much of this is the sender’s fault and how much is the fault of their ESP, I can’t say, but needless to say, all of their emails went straight to the spam folder.

Unsubscribe? Never heard of it!

How do I count all the things wrong with this email? From the needless word breaks to the disconnect between the offer (car rentals) and the company offering the deal (North Hills Clothing), this email cries “spam” at every level. How it ended up in my inbox is beyond me. I never would have clicked on the unsubscribe link on such a suspicious email, but this one doesn’t even have an unsub link!

See, We’ve Got an Unsub Link. I Think…

East Midlands Trains does a good job of providing their physical address, and it looks like they’ve provided an unsubscribe link, but click on that link and nothing happens. A look at the email’s source code shows where the problem lies:

<a href="<%unsubscribe_link_text%>" target="_blank" style="text-decoration:underline; color:#333333;">How to unsubscribe.</a>

There should be an actual URL listed in this href. Somewhere along the line, the unsub link got screwed up. Whether this was the email’s creator typing it in and accidentally using the wrong number of percentage signs, or HTML that was copied verbatim from a different ESP is hard to say.

Click Here. Go ahead. I dare you.

You can click on that unsubscribe link all day and nothing will happen. This is an odd one. If you look at the email’s source code, you’ll find an unsubscribe link that works and a physical address (Royal Caribbean Cruises), but you won’t find either in the email when it’s opened. There is an unsubscribe, but the one that’s displayed is missing its URL. It’s a sloppy piece of coding that has the body copy closing before the final content. Add to all of this that the email supposedly comes from Amazon but clearly does not. This is either badly designed spam, or phishing or both.

We’re Experts!

The above example is the bottom of the page on an email. Yes, that blank white area below the signup button is part of the email. At first it may look like the information required by CAN-SPAM is missing, but it’s there. The problem is that the sender decided to use a dark orange background image and set the overlaying type (the physical address and links) in white. This email looks fine as long as images are turned on, but not everyone turns the images on. When the images are off, you end up with a seemingly empty white space at the bottom of the email. This error is bad enough on its own, but this particular email came from another email marketing service provider. Out of professional courtesy, I won’t name them, but the “Friendly From” in their sender line refers to them as an “Email Markeitng” (sic) service. As if all this isn’t enough, the mailing is filled with buttons asking readers to “Read More” or “Check It Out!” but none of these buttons are linked.

We Prefer to Call It…

This runs dangerously close to violating CAN-SPAM, which specifies that mailings must have a clear unsubscribe link. Here they’re trying to be clever. It didn’t help that clicking on the link went to an unsubscribe page that requires one to enter their email address. Guess which email went into the Spam folder?

Readability is So Last Year

Gucci likes to stay fashionable, but sometimes fashion and readability collide. Pink and gold might be an interesting combination for apparel, but it makes a lousy combination in a text box.

Did You Say &⁠#38 or &⁠#48?

This one confuses us. The HTML clearly shows that special characters labeled “&#38” were inserted between each word in this headline. That’s the HTML code for an ampersand, but there’s no reason for ampersands to appear between each word in the headline. The most likely cause is the code was copied and pasted from one program to another, leading to the insertion of this character for no good reason.

Button, Button, Who’s Got the Button?

In the grand scheme of things, this is a pretty minor infraction, but if you are going to make a table cell in your email look like a button, it’s better to put the <a> tags around the cell instead of the type. In this example, you’ll only activate the links by clicking directly on the type. Clicking within the boxes has no effect.

We’re a Real Company, Honest!

We can’t tell whether or not the way the words “social media” run down the left side of the image is some misbegotten design idea (we think not), but the CanStock watermark on the image is unforgivable. If you plan to use an image, either pay for it, or create your own version (paying for it is usually cheaper). Sending out email like this makes a company look suspiciously like a fly-by-night affair. Marketing Knowledge Cloud isn’t such a company, but you couldn’t tell it from this email.

Even Alt Tags Can Be Wrong

This one nearly caused my brain to explode. You can see in the text I’ve highlighted in yellow that the HTML codes for the right and left curly quotes are displaying instead of the curly quotes. That might have been okay, except that below it on the right, another article on the same page is displaying curly quotes in the same content. If that weren’t enough, as soon as I choose “display images” the HTML code disappears. A closer examination of the code revealed that this text appears as part of a styled alt tag (for more on stylized alt tags see The Finer Points of Styled Alt Tags). The code for the right curly quote reads: “&amp;#8220;” which will display as “&#8220;” which is the correct code for that curly quote. Either somebody really wanted this to look exactly wrong, or they got confused. The right curly quote on the headline to the Page-Turner article has a value of x201C, which works, but it is hexadecimal code instead of the more common HTML code. If I had to guess, I’d say that the two articles were written and formatted by different people and then assembled in the newsletter. One of them knows more about HTML than most people, while the other needs to go back to class.

All Tests Are Not Created Equal

This looks pretty bad, doesn’t it? The code contains media queries to make sure the content adjusts its size across various devices. The problem is, it’s wrong. This screenshot was taken from an iPhone. The first table is behaving as it should, but then the rest of the email goes all cattywampus. We suspect the person that created this simply tested the responsive results by resizing the window on their browser—a kind of poor man’s test environment. If you do that, this email looks fine, proving that there’s no substitute for the real thing.

I Are An Expert!

Speaking of testing, here’s an email from a company that specializes in providing testing environments for all the various browsers and phones. Either they missed one, or they decided that the Mail program in Microsoft’s Windows 10 wasn’t worth worrying about. Either way, this isn’t something a company whose raison d’etre is testing email should ever be guilty of (to prevent further embarrassment, we’ve removed the company’s logo).

I Heard You the First Time

Amazon likes to send out notifications about newly available movies and TV shows. We’re not sure what happened here, but suspect that the API call that was supposed to register that the email had been sent wasn’t receiving the proper information and decided to keep sending until it was told to stop.

There’s Always One More Typo

Typos are the bane of every writer’s existence. So what’s worse than a typo in your content? How about a typo on the actual product you’re selling? This glass, offered by Bourbon & Boots, has what should have been a clever quote by Mark Twain, but we’re sure Mr. Clemens knew the difference between “then” and “than.” This error has gone uncorrected for over a year now.

Hey Everybody! We Value Your Privacy!

When the GDPR came into effect, lots of businesses scrambled to make sure they were compliant. Sometimes, these efforts were counterproductive to say the least. One of the worst came from Ghostery, who sent out an email explaining the steps they’d taken to ensure GDPR compliance. Too bad they included everyone’s email addresses in the “To” field.

Did I Say Mail Merge Errors Were Gone?

Perhaps I spoke too soon. Just when I thought I’d see a year without mail merge errors, this one landed in my inbox. It’s such an easy error to avoid with the careful use of dynamic content.

Our Next Speaker: Wyatt Earp

One of the more amusing apologies came from b8ta—a tech gadget store that sponsors meet-ups with inventors and start-up founders. We’re not sure how you’d confuse Ben Holt with Ben Einstein, but we guess it could be worse: They could have announced that Albert Einstein was going to appear at the b8ta store instead.

Don’t Do This. Not Ever.

Apology emails have a higher open rate than other emails, so one can see why a marketer might want to use this to their advantage. But apologies are a serious thing and pretending to apologize for the sake of sales puts you just one step away from being labeled a spammer. Don’t do it.

Okay, that’s it for this year. We hope you enjoyed that. In the end, the lesson to be learned is always the same: Test, test, test.
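
The unresolved <%unsubscribe_link_text%> href and the double-encoded alt text described above are both defects a pre-send check can catch. The following is an added example, not code from this blog or any ESP: a small Python linter run over a constructed sample email, in which the list of merge-tag syntaxes, the finding names, and the news.example URLs are assumptions.

```python
import re
from html.parser import HTMLParser

# Unresolved placeholders in common template syntaxes (assumed set; extend per ESP).
MERGE_TAG = re.compile(r"<%.*?%>|\{\{.*?\}\}|\[\[.*?\]\]|%%.*?%%")
# A character reference still present after one decoding pass was double-encoded.
LEFTOVER_CHARREF = re.compile(r"&#(?:\d+|[xX][0-9a-fA-F]+);?")
UNSUB_WORDS = re.compile(r"unsubscribe|opt[ -]?out", re.I)
URL_SCHEME = re.compile(r"(?:https?|mailto|tel):", re.I)

# Constructed sample: double-encoded curly quotes and an unresolved unsubscribe tag.
SAMPLE = """\
<html><body>
<h1>&amp;#8220;Page-Turner&amp;#8221; picks</h1>
<img src="https://news.example/hero.png" alt="&amp;#8220;Spring sale&amp;#8221;">
<p><a href="https://news.example/offers">See the offers</a></p>
<p><a href="<%unsubscribe_link_text%>" target="_blank">How to unsubscribe.</a></p>
</body></html>
"""


class EmailLinter(HTMLParser):
    """Collects (kind, where/link text, offending value) findings."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # text and attributes decoded once
        self.findings = []
        self.working_unsub = False
        self._link = None  # [href, text parts] of the <a> currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._link = [(attrs.get("href") or "").strip(), []]
        for name in ("alt", "title"):
            self._check_text(attrs.get(name) or "", f"{tag}@{name}")

    def handle_data(self, data):
        if self._link is not None:
            self._link[1].append(data)
        self._check_text(data, "text")

    def handle_endtag(self, tag):
        if tag != "a" or self._link is None:
            return
        href, parts = self._link
        self._link = None
        text = " ".join("".join(parts).split())
        problem = None
        if not href or href == "#":
            problem = "empty-href"
        elif MERGE_TAG.search(href):
            problem = "unresolved-merge-tag"
        elif not URL_SCHEME.match(href):
            problem = "non-url-href"
        if problem:
            self.findings.append((problem, text, href))
        elif UNSUB_WORDS.search(text) or UNSUB_WORDS.search(href):
            self.working_unsub = True  # a link that both names and reaches an unsub

    def _check_text(self, value, where):
        match = LEFTOVER_CHARREF.search(value)
        if match:
            self.findings.append(("double-encoded-entity", where, match.group(0)))


def lint_email(html):
    """Return a list of findings; an empty list means every check passed."""
    linter = EmailLinter()
    linter.feed(html)
    linter.close()
    findings = list(linter.findings)
    if not linter.working_unsub:
        findings.append(("no-working-unsubscribe", "", ""))
    return findings


if __name__ == "__main__":
    for finding in lint_email(SAMPLE):
        print(finding)
```

Run it against the fully rendered message from a test send, since that is where a failed substitution or a second round of encoding becomes visible.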


To IP or Not IP, That is the Question

Internet Protocol (IP) addresses are how the Internet keeps track of who is where. They aren’t necessarily attached to specific email addresses, but they do contain potentially valuable information about a person’s geographic location (although, as we’ll see, this is an imperfect science). It stands to reason that the more information you know about your subscribers, the easier it is to tailor your content to fit their interests, so there is some value in attaching IP information to each email address, but be careful: Where you and your customers reside can affect the legality of this practice.

Using the IP Address

Your computer’s IP address is like a landline telephone. If everyone in a household is using that telephone, then everyone will show up under the same number. Like a telephone number, an IP address can give you a good idea as to where someone is located without showing you the exact address. A search on our own IP, for instance, turns up different results, but they are all in the Bay Area, which is where our headquarters are located. Even with this limitation, an IP address will narrow down the possible location of the subscriber, which can, in turn, help greatly with certain types of marketing.

Dynamic vs. Static

There are two kinds of IP addresses—dynamic and static. Their names suggest exactly what they are. A static IP address is one that never changes. Companies, for instance, will often use a static IP address to help them send and receive data and allow others to easily log onto their servers. A static IP address is mandatory for certain activities such as VoIP and VPN to ensure stable connections. Individuals might also opt for static addresses if they plan to host a website on a server, or are highly active in the online gaming community.

Dynamic IP addresses are often used for home connections. They are considerably cheaper and the end user doesn’t have to worry about network configuration since this is handled automatically. As one might expect, geolocation is a little more reliable with a static address than a dynamic one, although both have some value here.

Linking IP addresses to the email addresses gives you the ability to provide information as to when and where a person opted to receive email from you, eliminating potential claims that your mailings were unsolicited. Some ISPs ask for this information when investigating spam complaints. But there is a big caveat to using this approach: It might be against the law.

IP Addresses and the Law

The legality of linking IP addresses to email addresses changes from country to country. In some countries, it is perfectly legal, while others see it as a violation of privacy, allowing it only after the subscriber has agreed to let the ESP use that information. In the US, for instance, there is no single, comprehensive federal law regulating the collection and use of personal data. Even if there were, the odds of it being enforced are slim considering that the FTC only brings a handful of cases against emailers to court every year, and most of those are because the products these companies are selling don’t work, rather than privacy breaches or CAN-SPAM violations.

In Canada, which has some of the strictest spam laws on the books, a record of an opt-in is required. Canada has strict rules about what information the government can gather about a person, but the laws concerning the private sector appear less well defined. If businesses aren’t allowed to attach IP information to email addresses, then the verification of subscription becomes a lot harder. This summer, a second aspect of CASL takes effect that lets individuals challenge a company’s email programs, meaning anyone can bring any company to court. This sounds like a recipe for disaster, but only time will tell.

In Great Britain, you can collect IP addresses, but you start treading into the danger zone once you connect those IP addresses to individual email accounts. An IP address by itself isn’t considered personal data, but when it’s combined with other information to build a profile of an individual, it suddenly becomes personal data—even if that individual’s name is unknown. You’ll need to get permission from the recipients to do so. This isn’t a big deal, although most British companies use these additional requests for more specific information, such as the location of the recipient’s preferred store.

In most of the rest of Europe, things get even trickier. In Europe, static IP addresses have been considered personal data for some time now, but on October 19, 2016, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses can also qualify as personal data under EU privacy law. Additionally, the Swedish Supreme Administrative Court has ruled that collecting and storing IP addresses is in violation of the Personal Data Act.

These laws have been further enforced with the approval of the EU General Data Protection Regulation (GDPR). The regulation was passed by the EU Parliament in April of 2016. Although not specific to email, the regulation does require businesses to keep tight controls on their private data and gives your subscribers the “right to be forgotten.” Any data you have on them needs their approval and they can nix it at any point. This includes their name, photos, email addresses, bank details, posts on social networking websites, medical information, and computer IP addresses. The regulation has a two year grace period before they start cracking down on violators, and applies to any business doing business in the European Union.

The irony here is that by not allowing the ESPs to use this information, it makes it harder to verify when someone not associated with that email address is pranking the actual addressee, making it far more likely for that person to receive spam than they otherwise would.

Over in China they have a completely different take on the matter. As far as they’re concerned, an IP address in isolation isn’t personal data because it’s focused on a computer and not an individual. This reasoning was applied by the Hong Kong Privacy Commissioner in a complaint about Yahoo!’s disclosure of information about a journalist to Chinese authorities.

Approach With Caution

So what is the best technique? If your company does no business outside of the United States, and never plans to expand past that country’s borders, IP collection isn’t an issue. If, on the other hand, your clientele is international and you need to stay compliant in several countries, you’re better off either forgetting about collecting IP information, or adding a check box to the sign-in process to verify that the recipient has approved your use of their IP address information. Given the constantly shifting landscape of laws on this subject, some type of verification from the users that it’s okay to note their IP addresses is the safest route.
