12 Tips For Ensuring Privacy Compliance In Salesforce Marketing Cloud

Introduction

According to the Cisco 2022 Consumer Privacy Survey, 37% of global customers have switched brands over data privacy concerns.

Several legal and government authorities have also established their privacy standards for organizations collecting and using customer data. Google failed to comply with state consumer protection laws by misleading users about its location tracking practices. As a result, they agreed to a $391.5 million settlement with 40 US states. 

Salesforce Marketing Cloud can help organizations comply with these regulations and maintain customer trust. 

Understanding Privacy Regulations

General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are two most prominent regulations that govern personal data collection, processing, and storage. 

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) governs how organizations, companies, governments, and other entities handle the personal data of individuals. The GDPR mandates compliance for all organizations processing the data of EU residents.

The GDPR establishes seven key principles for data processing.

• Lawfulness, Fairness, And Transparency: Organizations must have a legal basis for processing data. This should be done in a fair, transparent, and unbiased manner.

• Purpose Limitation: Data collection is restricted to legitimate purposes that are clearly communicated to individuals.

• Data Minimization: Organizations can only collect the minimum amount of personal data necessary to achieve their stated goals.

• Accuracy: Data must be accurate and kept up-to-date through rectification.
• Storage Limitation: Personal data can only be retained for as long as necessary for the intended purpose.
• Integrity and Confidentiality: Robust security measures, such as encryption, are required to safeguard data integrity and confidentiality.
• Accountability: The data controller is responsible for demonstrating compliance with all these principles.

Non-compliance with the GDPR can incur significant financial penalties. These fines are tiered based on the severity of the infringement.

• For less serious violations, organizations may face a fine of up to €10 million or 2% of their global annual revenue, whichever is greater.
• More serious infringements can result in fines of up to €20 million or 4% of their global annual revenue, whichever is higher.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) empowers California residents with control over their personal data. CCPA regulates how businesses collect, use, and disclose personal data. Organizations that conduct business in California with annual gross revenue of over $25 million must comply with CCPA.

CCPA provides the following privacy protections to California residents.

• Right to Know: Businesses must disclose the categories and specific details of personal information they have collected upon request.
• Transparency at Collection: Before collecting data, businesses must clearly inform consumers about the types of personal information they gather and how it will be used.
• Right to Access: Consumers have the right to request and receive, free of charge, their personal information held by a business. However, businesses are only obligated to fulfill such requests twice within a 12-month period.

Non-compliance with CCPA can result in the following penalties.

• Intentional Violations: Intentional violations of the California Consumer Privacy Act can bring civil penalties of up to $7500 for each violation.
• Unintentional Violations: The maximum penalty for unintentional violations is $2500 per violation. 

Health Insurance Portability And Accountability Act Of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law. According to this law, organizations should create privacy standards for protecting customer health information from being disclosed without consent. 

To comply with the HIPAA Security Rule, all covered entities must abide by the following.

• Ensure the confidentiality, integrity, and availability of all Electronic Protected Health Information (e-PHI).
• Detect and safeguard against anticipated threats to the security of the information.
• Protect against anticipated, impermissible uses or disclosures that are not allowed by the rule.
• Certify compliance by the organization’s workforce. 

Non-compliance with HIPAA results in Civil Monetary Penalties (CMPs) based on the level of culpability.

• Unknowing: Between $100 and $50,000 per violation and not exceeding $25,000 per year. 
• Reasonable Cause: Between $1,000 and $100,000 per year. 
• Willful Neglect: Between $10,000 and $250,000 per year. 
• Willful Neglect And No Fix: Between $50,000 and $1.5 million per year. 

Is Salesforce HIPAA Compliant?

Organizations can make Salesforce HIPAA compliant by implementing practices like:

• Prevent caching sensitive data including Patient Medical Information (PMI).
• Refrain from enabling autologin on websites storing sensitive health information.
• Implement a consent-based data collection methodology. 

Read more to find about Salesforce's comprehensive set of compliance certifications and attestations 

12 Strategies To Ensure Privacy Compliance With Salesforce Marketing Cloud

The following strategies will allow organizations to comply with relevant privacy regulations. 

1. Obtaining Explicit Consent

81% of US citizens feel they have very little to no control over the data organizations collect. This can result in loss of confidence or trust.

Organizations must get the explicit consent of consumers for all data collection and processing activities, including email communications, tracking website interactions, and personalized marketing. 

Ducati, a multinational motorcycle manufacturer, uses Salesforce to clearly list the information it collects whenever customers fill out forms on the landing page. Ducati also has a transparent privacy policy that mentions data collection, storage, and usage. 

2. Utilizing Consent Management Tools

Use consent management tools within Salesforce Marketing Cloud to obtain consent for all marketing activities and prevent tracking of contacts who request otherwise. 

Consent can also be obtained by using the Salesforce Consent Data Model. It is a standard model for managing consent at multiple levels, from global preferences to setting granular controls. This data can be connected to Marketing Cloud to respect customer’s consent preferences.

3. Segmenting Data

Segment customers according to their preferences to receive marketing communications. This helps comply with regulations and reduces the risk of sending unsolicited messages. Sending messages to the right customers also increases delivery rates and eliminates the chances of being flagged as spam by Internet Service Providers (ISPs). 

Spotify, one of the largest global streaming platforms, uses Salesforce Marketing Cloud to segment its users based on consent and preferences. This allows the brand to elevate its digital experiences by sending more customized communications to customers. 

4. Anonymizing Data

43% of US customers believe they are not able to protect their personal data collected by organizations. To avoid facing this issue with your customers, consider anonymizing or pseudonymizing data where possible to protect individual privacy while still being able to use the data. 

5. Implementing Data Retention Policies

Implement data retention policies to retain personal data only for a short time. Regularly delete data that is no longer needed. To uphold its customer-first approach, T-Mobile, one of the largest telecom service providers, uses Salesforce to ethically collect, retain, and use all the customer data. It also clearly states all this information on the official website. 

6. Implementing Transparent Privacy Policies

63% of global customers believe most companies aren’t transparent about how their data is used. 

Ensure privacy policies are clear, concise, and easily accessible to customers. Explain how the data is collected, stored, and used. The privacy policies should also state the customer's rights under data protection laws.

BMW Motorrad, a multinational luxury vehicle manufacturer, clearly states its privacy policy.

7. Maintaining Data Portability

Be prepared to provide individuals with their data upon request, as regulations require. Ensure systems can export and transmit personal data in a standard format. Salesforce Marketing Cloud makes it easy for businesses to give customers their data on request. The following table shows how to extract customer data from various SFMC components. 

8. Appointing Data Protection Officers (DPOs)

Appoint a Data Protection Officer if the organization is subject to GDPR or similar regulations. The DPO can help ensure compliance and act as a point of contact for privacy-related issues. 

Lindsey Finch, the Executive Vice President at Salesforce, is also the Data Protection Officer at Salesforce. She and her team collaborate throughout the company to promote a privacy-oriented culture.

They work on designing, implementing, and ensuring compliance with the global privacy program. This includes integrating privacy considerations into the product development process.

9. Conducting Data Protection Impact Assessments (DPIAs)

Conduct DPIAs to assess the potential risks and privacy implications of Salesforce Marketing Cloud activities. Address identified risks and implement safeguards accordingly. 

To Conduct a DPIA with Salesforce Marketing Cloud, organizations should follow eight steps.

• Step 1: Document how data will be processed throughout the project and the scope of the data.
• Step 2: Justify the data processing activities that occur by justifying the resources for the objectives and outcomes of the project. 
• Step 3: Consult several key parties, like the Data Protection Officer and project stakeholders,  throughout the course of the DPIA.
• Step 4: Create a prioritized list of the assets and identify potential vulnerabilities. 
• Step 5: Strategically formulate and implement appropriate risk mitigation measures.
• Step 6: Once all risks are identified and an appropriate security strategy is devised, obtain sign-off for implementation from relevant parties. 
• Step 7: Deploy the solutions and other measures to reduce risks.
• Step 8: Produce a final DPIA report with the project details, identified risks, and mitigation measures. 

10. Implementing Opt-Out Mechanisms

Make it easy for individuals to opt out of marketing communications and ensure the process is transparent and straightforward.

For example, while running email campaigns with the Email Studio, always add an “unsubscribe” link within it. By clicking on this link, the individual should be able to seamlessly opt out of all future communications. 

11. Developing A Data Breach Response Plan

81% of users believe the way a company treats their personal data is indicative of the way it views them as a customer. Develop a clear and effective plan for responding to data breaches, including notifying affected individuals and relevant authorities. Practices like these not only help secure the data but also help build trust and loyalty. 

12. Training And Awareness

Educate the marketing and sales teams about privacy regulations and data protection laws. While implementing a Digital Experience Platform, ensure they understand the importance of privacy compliance and the potential consequences of non-compliance. 

Ensuring Privacy Regulations in Your Organization

Want to learn more about how to remain compliant with data privacy regulations with Salesforce Marketing Cloud? Take this Trailhead course to learn more.

Or speak to Salesforce experts to get quick recommendations on how you can ensure compliance with relevant privacy and data protection regulations.