How marketers and legal teams can navigate new privacy regulations

Marketers and legal teams must navigate an evolving patchwork of privacy regulations and complications.

As consumer privacy regulations have changed the way business is conducted, marketers must work closely with their legal teams to rethink how they track and communicate with consumers.

Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) expand protections for consumers with regard to the use of their personal information online. GDPR and CCPA have different requirements, but they both put the onus on businesses that fall under these laws to notify consumers of the information collected on them and to allow them to opt out of having that data tracked. Failure to do so can result in large fines and penalties.

Restricted use of consumer data is forcing B2C digital marketers to reevaluate loyalty programs, location-based data on apps and other personalization strategies, according to Chief Marketer. But it also means brands have the opportunity to build trust through transparency with their customers, and companies will become better stewards of personal data by building privacy protections into their marketing platforms.

As brands work with their legal teams to navigate these issues, striking the balance between customer experience and compliance is a delicate art that requires intentional effort on both sides of the table.

With 23 years in the business, Stu Ingis, chairman of Venable LLP and co-chair of the e-commerce, privacy and cybersecurity group at the firm, helps marketers navigate these challenges. Ingis also represents leading marketing and advertising trade associations in legal and policy matters, serving as counsel to the Association of National Advertisers (ANA), Interactive Advertising Bureau (IAB) and Digital Advertising Alliance (DAA).

Ingis shares recommendations about how marketers and legal teams can best work together to create campaigns, messaging and content that’s both compelling and compliant with privacy regulations.

When’s the ideal moment in the production process for the legal team to first review a brand’s marketing concept: far ahead in the planning phase or when the team is down to the final assets?

Stu Ingis (SI): It depends on the level of depth of the internal counsel. If they’re a sophisticated internal counsel, sometimes they can review not at all or at the end. But if it’s a one-off or if people are planning a big campaign, it’s better to seek guidance on the front end to set the parameters. Then, once the content is created, it’s always a good idea to get a second set of external eyes, even if it’s just a quick look at the content.

When marketers submit copy for legal review, it’s often returned with a lot of legalese, sometimes sparking disagreements between marketing and legal departments. How do you balance the need for building the best creative with the mission-critical imperative for a brand to comply with laws and regulations?

SI: We try to find solutions that make people happy with the content while complying with the law. That requires experience, sometimes creativity and also just being patient to find a workable approach. But I don’t think it’s an either/or. You can usually find a good common ground there.

On email solicitations, for example, we found ways where there’s a lot of specific compliance requirements to build in choices for consumers and appropriate disclosure while not interfering with the primary content of the message.

GDPR and CCPA have sparked a lot of debate about consumer privacy. How have those laws changed the way marketers operate?

SI: Well, the two laws take very different approaches to protecting information. I would argue that ultimately neither of them has been beneficial to consumers. While they may limit some types of data sharing, they’re also reducing all kinds of offerings and ways of paying for services that ultimately benefit the very consumers that they’re asserting they’re protecting. The CCPA is an abundance of ambiguity.

Other states are now considering their own data privacy and security laws. What challenge does that pose for marketers?

SI: Neither consumers nor businesses benefit by having a patchwork of unrelated laws. In law school, they teach a famous case: When the highway system was developed initially, states passed laws requiring different-sized mudflaps on trucks. And so when truckers arrived at a state border, they would have to pull over and change the mudflaps until the courts found that the state laws violated interstate commerce protections in the Constitution.

CORE insight 

Many marketers work with a network of colleagues, vendors and partners on external messaging, and all of those parties need to be aware of legal and compliance requirements. To get everyone on the same page, “having processes and well-understood checklists in place is really useful,” says Stu Ingis of Venable LLP. This helps ensure that everyone knows the process, gets accustomed to doing it and doesn’t miss any details.


At Venable, we’ve been working on behalf of a lot of companies on an effort called Privacy for America to pass a federal privacy law that gives strong protections for consumers and is workable for businesses.

The marketers and companies I work with, like Epsilon, take their obligations very seriously and are responsible and good custodians of consumer data. I think they already spend significant resources and do a good job of meeting their privacy obligations. Part of it is just being able to explain that to consumers.

What repercussions do marketers face for not being fully compliant with consumer privacy laws—or for just being poor stewards of consumer data?

SI: They certainly face reputational impacts and bad press about mishandling of data, breaches or misusing data, and that can really hurt individual companies or their service providers. There are financial implications of enforcement, including a very active class-action bar trying to go after reputable companies relating to the premises that can extort millions of dollars from companies.

There have also been a lot of recent settlements of companies in the tens of millions of dollars by the Federal Trade Commission and state attorneys general. They’ve gone after a lot of the big internet companies.

Given how rapidly the laws are changing and developing, it’s an improvement for people to be involved in the policy deliberations, drawing information from Privacy for America or other efforts that can inform them of what’s going on so they can stay current.

Would that also mean weighing in on new laws during public comment periods and contacting legislators to voice their opinions?

SI: Yes. It’s as important as ever for policymakers to understand marketers’ good uses of data.

Image credit: Vladimir Godnik/Getty Images