
In my last post, I went over why you need to pay attention to compliance regulations for email marketing, as well as the three core areas:

  • Data Privacy
  • Anti-Spam Policies
  • Email Authentication

This time, I’m going to take a dive into the maelstrom that is Data Privacy.

What is Data Privacy?

Marketing – especially email marketing – is driven by data: customer data, leads and sourcing, behavior analytics, and so much more. When it comes to customers, clients, and leads, we tend to collect a lot of information. Our CRMs have names, emails, phone numbers, addresses, purchases, billing information, etc., etc.

This is called Personally Identifiable Information (PII). NIST defines PII as “Information that can be used to distinguish or trace an individual’s identity… either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”

So, what does this have to do with marketing?

Everything. Because we collect so much information, we have to protect it: in the wrong hands it can do massive damage.

  • We don’t want competitors accessing any of our data
  • Mishandling data will annoy the heck out of your ESP (email service provider) and your audience
  • If attackers get hold of any database containing PII, they may ransom it back to your company – or worse, leak or sell it to other bad actors

That’s where Data Privacy Regulations come in

There are a ton of regulations that outline what PII to protect, how, and why. While a lot of them are cybersecurity-focused, their rules overlap with how we manage our databases and CRMs: what we tell people when we collect their information, how we communicate with them, and how (and how long) we store their data.

Of course, because there are so many regulations, navigating them all – and understanding which ones apply to you – can be a bit of a nightmare. So let’s get into the most relevant ones for marketers.

psst: don’t wanna read all this? skip to my best practices!

Global Privacy Control (GPC)

If you’re not already familiar with the Global Privacy Control (aka GPC or GPC signal), you’ve definitely encountered it. In a nutshell, GPC is a browser-level signal that lets a website visitor indicate that they do not want their information sold or shared with third parties. The browser sends it with every request as an HTTP header (Sec-GPC: 1) and also exposes it to page scripts (navigator.globalPrivacyControl), so both your website and anything downstream of it can see it.

I’m not going to explore it too much in this post as I want to focus more on email marketing. However, depending on how your company’s website and ESP are set up – and how they’re connected – you might need to apply the GPC signal within your ESP. There are also a few data privacy laws in the US that include GPC in their requirements (see below).
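Below is an added example of what “applying the GPC signal” looks like on the server side before a sign-up is pushed to an ESP or CRM. It is not code from the original post; the Contact fields and the sample request are constructed for illustration. It reads the Sec-GPC header from a raw HTTP request, treats only the exact value “1” as an opt-out, and sets a do-not-sell/share flag on the contact without ever letting a missing header clear an existing opt-out.

```python
"""Honouring the Global Privacy Control (GPC) signal before a contact reaches the ESP.

Constructed example, not code from the original post. The GPC spec exposes the
signal two ways: the HTTP request header ``Sec-GPC: 1`` and, in page scripts,
``navigator.globalPrivacyControl === true``. Only the exact header value "1"
is an opt-out; absent, "0" or anything else means "no signal", and no signal is
NOT the same as consent to sell or share.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional


def parse_request_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict.

    Keys are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the request line (method, path, version)
    headers: Dict[str, str] = {}
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True only when a valid GPC opt-out signal (Sec-GPC: 1) is present."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class Contact:
    """Minimal CRM/ESP contact record; field names are hypothetical."""
    email: str
    do_not_sell_or_share: bool = False
    opt_out_source: Optional[str] = None


def apply_gpc(contact: Contact, headers: Mapping[str, str]) -> Contact:
    """Set the contact's do-not-sell/share flag when the request carries GPC.

    A request without the signal leaves an existing opt-out untouched: the
    absence of Sec-GPC must never be read as the visitor opting back in.
    """
    if gpc_opt_out(headers):
        contact.do_not_sell_or_share = True
        contact.opt_out_source = "gpc-signal"
    return contact


# Constructed sample request from a browser with GPC enabled.
SAMPLE_REQUEST = (
    "POST /newsletter/signup HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Sec-GPC: 1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=alice%40example.com"
)


def signup_from_request(raw_request: str, email: str) -> Contact:
    """Build the contact record that would be pushed to the ESP/CRM."""
    return apply_gpc(Contact(email=email), parse_request_headers(raw_request))


if __name__ == "__main__":
    print(signup_from_request(SAMPLE_REQUEST, "alice@example.com"))
```

The point of the strict comparison is that a sloppy check such as “header present” or “value is truthy” would treat Sec-GPC: 0 as an opt-out and, worse, tempt someone to treat a missing header as consent; the flag should only ever move in the consumer’s favour from this code path.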

GDPR and other worldwide Data Privacy Laws

You’ve probably heard about the GDPR. This guy is an absolute unit of rules. Heck, I’ve been in cybersecurity marketing since it was rolled out and am still learning about all its nuances. So, what is it?

The General Data Protection Regulation (GDPR) was rolled out by the European Union in 2018. Its best-known provision is probably the “right to be forgotten” (the right to erasure), but that is only one of the rights it grants.

In short, the GDPR:

  • Gives individuals rights over their personal data, which is defined as any information that can identify a living person.
  • Establishes rules on how personal data is secured and processed – including guidance on how individuals can correct, access, and delete their information.
  • Defines how organizations use personal data, and establishes penalties and fines for violations.

How does it affect marketing?

For marketers, “personal data collected” is the same PII discussed above. Basically, the bread and butter of our jobs.

For email marketing, the GDPR mainly applies to how we collect, store, and use that data:

  • We have to keep our databases secure.
  • We need to be clear about how we use PII when someone enters our database (e.g., signs up for a newsletter or makes a purchase).
  • We need to make sure we honor unsubscribe and opt-out requests.

Although the GDPR is an EU law, it applies to any organization that offers goods or services to people in the EU or monitors their behavior – regardless of where the organization is located.

It’s also a good framework to follow. As I said above, there are a ton of data privacy laws around the world, and the GDPR sets the gold standard for many of them. So, even if you don’t do any business in the EU, there’s most likely a similar law in place in your region that you need to follow.

OK, so how do I know which Data Privacy laws I need to follow?

Here’s a snapshot of a few major regions and countries with data privacy laws, and the types of organizations they apply to – note that many of the core regulations for each are the same as the GDPR’s.

Regulation/Law | Status | Region | Businesses/Organizations
The General Data Protection Regulation (GDPR) | In effect (as of 2018) | European Union | Organizations that do business in the EU (even if they’re headquartered elsewhere)
United Kingdom General Data Protection Regulation (UK GDPR) | In effect (as of 2021) | United Kingdom | Organizations that do business in the UK (even if they’re headquartered elsewhere)
Personal Information Protection and Electronic Documents Act (PIPEDA) | In effect | Canada | All businesses that operate in Canada and handle personal information, regardless of where they’re based; federally regulated organizations that conduct business in Canada
Canadian provincial privacy statutes: Personal Information Protection Act (Alberta) (PIPA Alberta); Personal Information Protection Act (British Columbia) (PIPA BC); Act Respecting the Protection of Personal Information in the Private Sector (Quebec Private Sector Act) | In effect | Provinces of AB, BC, and QC | Same as PIPEDA, with additional province-specific requirements
Federal Law on the Protection of Personal Data Held by Private Parties (FLPPDPP) | In effect (as of March 21, 2025) | Mexico | Organizations based in Mexico; organizations that process Mexican personal data (the law relies primarily on consent)
Privacy Act (Australia), Australian Privacy Principles (APPs), Privacy and Other Legislation Amendment Act 2024 (Cth) (the Privacy Act Amendment Act) | In effect | Australia (additional legislation for ACT, NT, NSW, QLD, TAS, and VIC) | Private sector entities (including body corporates, partnerships, trusts, and unincorporated associations) with an annual turnover of at least AU$3 million; all Commonwealth Government and Australian Capital Territory Government agencies
Privacy Act 2020 and its Information Privacy Principles (IPPs) | In effect | New Zealand | Any organization doing business in NZ, regardless of where the information was collected or held
American Privacy Rights Act of 2024 (APRA), American Data Privacy and Protection Act (ADPPA) | Proposed; neither yet voted on (as of March 1, 2026) | United States | See below for individual state regulations

US Laws

Meanwhile, although the US doesn’t have one comprehensive federal law, many states have introduced (or are in the process of introducing) acts regulating data privacy. Again, these are either based on or overlap with the GDPR.

As of March 2026, four of the states in the table below also require businesses to honor the GPC signal.

The tl;dr is that all of these regulations affect citizens and residents of their respective region: i.e., EU citizens are covered by the GDPR, NJ residents are covered by NJDPL, etc.

Regulation/Law | Status | State | Businesses/Organizations
California Consumer Privacy Act of 2018 (CCPA) & California Privacy Rights Act of 2020 (CPRA) | In effect; includes GPC | California | Does business in CA and meets at least 1 of the following: annual gross revenue of $25m or more; buys, sells, or shares the personal information of at least 100,000 consumers or households; derives 50% or more of annual revenue from selling or sharing personal information
Connecticut Data Privacy Act (CTDPA) | In effect; includes GPC | Connecticut | Does business in CT and meets at least 1 of the following: controls or processes the personal data of at least 100,000 consumers; controls or processes the personal data of at least 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data
Colorado Privacy Act (CPA) | In effect; includes GPC | Colorado | Does business in CO and meets at least 1 of the following: controls or processes the personal data of at least 100,000 consumers; controls or processes the personal data of at least 25,000 consumers and derives revenue (or receives a discount) from the sale of personal data
The New Jersey Data Privacy Law, P.L. 2023, c. 266 (NJDPL) | In effect; includes GPC | New Jersey | Does business in NJ and meets at least 1 of the following: controls or processes the personal data of at least 100,000 consumers; controls or processes the personal data of at least 25,000 consumers and derives revenue (or receives a discount) from the sale of personal data
New York Privacy Act | Proposed; has not passed the state legislature as of March 1, 2026 | New York (state) | Does business in NY and meets at least 1 of the following: annual gross revenue of $25m or more; controls or processes the personal data of at least 10,000 consumers in NY; derives more than 50% of gross revenue from the personal data of at least 25,000 consumers
Texas Data Privacy and Security Act (TDPSA) | In effect | Texas | Does business in TX; exempts small businesses as defined by the United States Small Business Administration
Utah Consumer Privacy Act (UCPA) | In effect | Utah | Does business in UT, has annual gross revenue of $25m or more, and meets at least 1 of the following: controls or processes the personal data of at least 100,000 consumers; controls or processes the personal data of at least 25,000 consumers and derives more than 50% of gross revenue from selling personal data
Virginia Consumer Data Protection Act (VCDPA) | In effect (updated January 1, 2026) | Virginia | Does business in VA and meets at least 1 of the following: controls or processes the personal data of at least 100,000 VA residents; controls or processes the personal data of at least 25,000 VA residents and derives more than 50% of gross revenue from selling personal data

Best Practices for Data Privacy

I have another post coming up that will cover more best practices in-depth.

That said, here are my top recommendations you can follow now:

  • Carefully consider what information you actually need for your campaigns, and how you collect it. Data you never collect can’t leak.
  • Work with your InfoSec and Legal teams to ensure your sign-up forms and website cookies don’t violate anything, and that your CRM is secured and access to it is limited to the people who need it.
  • If someone opts out of your communications, make sure you have systems in place to remove them from your ESP and CRM immediately. Deadlines vary by regulation (some give you a matter of days, others up to 45 days to respond), so play it safe and process your opt-outs immediately.

Next up

Stay tuned for everything you didn’t know that you wanted to know about anti-spam and email authentication!

Want more direct guidance on Email Marketing Compliance? I’m available for consulting and auditing – drop me a line!

Further Reading

Want more? If you really want to get to know any of these regulations in-depth, here’s a list of resources that I used to double-check everything in this post.

GPC

Worldwide Data Privacy Regulations

GDPR – EU | https://www.gdprsummary.com/gdpr-summary/ | https://gdpr.eu/

PIPEDA – Canada | https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

FLPPDPP – Mexico | https://secureprivacy.ai/blog/mexico-privacy-law-lfpdppp-2025

United States Data Privacy Laws

CCPA | https://oag.ca.gov/privacy/ccpa

CPRA | https://thecpra.org/

Colorado Privacy Act (CPA) | https://coag.gov/resources/colorado-privacy-act/

Connecticut Data Privacy Act (CTDPA) | https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act

NJ Data Privacy Law (NJDPL) | https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx

Texas Data Privacy and Security Act (TDPSA) | https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act

Utah Consumer Privacy Act (UCPA) | https://iapp.org/news/a/utah-becomes-fourth-state-to-enact-comprehensive-consumer-privacy-legislation | https://le.utah.gov/~2022/bills/static/SB0227.html

Virginia Consumer Data Protection Act (VCDPA) | https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/

American Data Privacy and Protection Act (ADPPA) | https://www.consumerprivacyact.com/american-data-privacy-and-protection-act-adppa/ | https://usercentrics.com/us/knowledge-hub/american-data-privacy-and-protection-act-adppa/

If you want a more concise summary, DLA Piper has an amazing guide that covers data protection laws in more than 160 jurisdictions.

Note: I’m not currently affiliated with DLA Piper or any of the other organizations in this reference list.