
A complete guide to B2B data compliance and cold outreach

Riya Uppal

If you handle any data from your customers, even if it is just an email address, you need rock-solid data security. And if you do outbound sales of any kind, you need to ensure that your cold outreach complies with the cold email laws of each market you sell into.

In this blog, I will discuss what data protection is and how to do it, as well as how to make your cold outreach compliant with local laws and regulations.

Table of contents
-Definition of B2B data compliance and the two types of data protection
-Demystifying common legal terms related to data compliance
-Is cold email legal?
-How is cold email different from spam?
-Benefits of adopting data compliance in your organisation
-How to achieve impeccable standards of data protection and privacy for your customers
-Guidelines for sending cold emails legally

What is B2B Data Compliance?

Data compliance is a term for the formal standards and practices that ensure your customer data is protected from loss, theft, corruption and misuse. It covers every regulation your organisation must follow in how it collects, organises, uses and stores customers’ data. In practice this means that, no matter who your customer is, you must keep their personally identifiable information (PII) and financial details confidential and prevent their sensitive data from falling into the wrong hands.

There are two kinds of data you need to pay attention to when it comes to data protection: personal data and business data.

Personal data: Personal data is any information that can directly or indirectly identify an individual, and it falls squarely within the scope of data protection legislation. It includes everything from names, identity numbers, locations and email addresses or usernames to cookies and IP addresses.

Business data: Business data is information about a business as such, for example its name, its generic public email address and its landline number. Data about a legal person is generally not personal data and so falls outside laws like the GDPR. The line is thin, however: information about a one-person company may be personal data where it allows an individual to be identified, and a business email address that contains an individual’s name is personal data too.

Let us break down some common legal terms related to B2B data compliance in the next section.

Common data related legal terms demystified

Digital Identity: A digital identity is an online or networked identity adopted or claimed in cyberspace by an individual, organization or electronic device. With each upload, each click and every second you spend online, you leave behind some traces of your identity in cyberspace which in totality forms your digital identity.

Personally Identifiable Information (PII): Personally identifiable information is any information connected to an individual that can be used to identify them or pinpoint their location. While PII has several formal definitions, generally speaking it is information that an organisation can use, on its own or combined with other information, to identify, contact or locate a single person, or to identify an individual in context.

Personally Protected Information (PPI): PPI refers to non-public information about a person that is protected by law, such as their social security number, home address, date of birth and home phone number.

Anonymization: Anonymization is a data processing technique that removes or modifies personally identifiable information to create data sets that inform but do not reveal the identities of the people represented.

Pseudonymisation: Pseudonymisation separates the data subject from their personal data: direct identifiers are replaced with tokens, and the person cannot be identified without additional information (the key or lookup table) that is stored separately under its own access controls. Laws like the GDPR explicitly name pseudonymisation and encryption as appropriate safeguards for personal data. Neither stops a malicious actor who steals the dataset from obtaining it, but without the separately held key the stolen records do not identify anyone, which makes a breach far less damaging.

Consent: A freely given indication of a person’s wishes, made by a statement or by a clear affirmative action, qualifies as consent to the processing of their personal data, provided that the person can withdraw it just as easily as they gave it (for instance via an ‘unsubscribe’ link at the bottom of marketing emails).

Explicit consent: Some data compliance laws require consent to be given in a written statement or an equivalent digital record. The key requirement is that it can be verified later, which is difficult with oral consent. This type of consent is called explicit consent.

Unambiguous consent: Unambiguous consent involves knowingly checking a box or agreeing to technical terms which clearly indicate in this context the data subject’s acceptance of the proposed processing of his or her personal data.

Opt-in consent: Under an opt-in regime, organisations must obtain consent from the user before collecting and processing their personal data, by asking for an affirmative action that indicates agreement to the processing. For example, a cookie banner that only sets non-essential cookies after you actively accept them is an opt-in mechanism.

Opt-out consent: Under an opt-out regime, the recipient is contacted first and must then withdraw consent if they do not want further communication. Opt-out options are offered to the consumer in two main ways:

a) A pre-selected checkbox that the user can untick or uncheck. Note that under the GDPR a pre-ticked box does not count as valid consent, so this pattern only works where consent is not the legal basis you rely on.

b) Consent withdrawal, where the recipient is given a clear option to withdraw their permission or change their preferences, such as an unsubscribe link in every email or newsletter.

Legitimate interest: Legitimate interest is the most flexible of the GDPR’s lawful bases for processing. It rests on a three-part test of purpose, necessity and balance: you must have a genuine interest in the processing, the processing must be necessary to achieve it, and that interest must not be overridden by the individual’s interests, rights or freedoms. Relying on it in practice means documenting that assessment (a legitimate interests assessment, or LIA) before you start processing, because a regulator will ask to see it.

First-party data: The data you collect directly from your audience or customers is called first-party data. It may include intent data from behaviours, actions or interests demonstrated across your website(s) or app(s), your CRM data, subscription data or data from your social media accounts.

Second-party data: This is another organisation’s first-party data that it shares with you. Second-party data is similar to first-party data, but it comes from a source other than your own audience.

Third-party data: Third-party data is data you buy from outside sources that have no direct relationship with the individuals concerned and typically do not hold a static database but source records on demand. A third-party data aggregator collects and organises this data for you and is responsible for sourcing it in compliance with data protection laws. A good example of this is hubsell’s data processing as a service (DPaaS). Buying data does not transfer your own obligations, though: once you hold it you are a controller, so you still need a lawful basis and must inform the individuals where the data came from (GDPR Article 14).

Walled gardens: A walled garden is a data approach where all information sought from customers is kept in a closed ecosystem with all operations managed by the ecosystem controller.

Dark patterns: Dark patterns are interface design choices that nudge users into making uninformed decisions about their personal data that they did not intend, typically to their own detriment and to the benefit of the organisation. They include tactics intended to trick people into purchasing, committing to or signing up for things without clearly understanding that they are doing so.

Now that we have gone through some common aspects of data compliance, we come to the differentiating factor: location. Data compliance is a worldwide concern, but the laws differ depending on where you are and who you sell to.

Before we go in detail into different region-specific B2B data compliance laws, let us look at the legalities of cold email.

Is cold email legal?

Cold email is the mainstay of outbound marketing, but there is still a lot of confusion around the subject. The biggest question is: is it legal to cold email a complete stranger for commercial purposes?

The answer is rather simple: cold emailing is legal, but spamming is not.

In the next section, let us explore the differences between cold email and spam, and find out exactly what will keep you in the safer spectrum.

How is cold email different from spam?

Governments in several countries have actually introduced legislation to regulate spam emails. That is why any sales professional who wants to stay on the right side of the law should know the difference between cold email and spam email.

There are three key differences between a cold email and spam.

1. Cold email is targeted and personalised

The first key point of distinction stems from where you get your contacts from. An email is usually considered spam if the sender sends mass unsolicited emails to a list of recipients without bothering to find out who those recipients are or whether the email is even applicable to them. Such lists are purchased or scraped from thousands of websites using low-quality prospecting software.

A cold email is targeted at a list of prospects who you believe can benefit from your product or service. The list of contacts is carefully curated, either after extensive research by your marketing team or with the help of B2B data providers like hubsell, which provide B2B contacts on demand. Additionally, hubsell lets you use multiple dynamic and static placeholders that make your message as personalised as can be.

2. Cold email is relevant to the buyer

Cold emails are intentional and personalised to the recipient’s needs. They aim to provide value to the recipient, helping them address a specific goal or challenge they may be facing.

In contrast, spam emails focus on promoting the product rather than focusing on the recipient.

While cold emails involve researching the potential customer and matching the product offering to the recipient, spam emails are usually just one generic mass email sent to hundreds or thousands of people without any tweaks.

3. Cold email is authentic, clear and concise

Cold emails are honest about their intent. The subject lines of cold sales emails indicate their purpose and do not leave the recipient guessing what the message is about.

In contrast, spam emails mostly use ambiguous subject lines and sometimes even deceptive or clickbait subject line ploys unrelated to the actual message. Their aim is just to get the recipient to open the email.

So is cold email always legal?
As long as it is done right, cold emailing is perfectly legal.

However, various countries have their own rules regarding what’s “right” for unsolicited commercial emails. It’s crucial you keep these in mind for your cold email outreach campaign.

What are the different B2B data compliance and cold outreach laws?

There is a myriad of industry-specific and location-specific regulations concerning cold outreach, data security and privacy for you to know about, depending on your business model.

I have collated some of the most well-known and broadly utilised regulations below.

Data protection and cold outreach in the European Union

In Europe, the GDPR and the ePrivacy Directive (Directive 2002/58/EC, often called the PECD; transposed in the UK as the Privacy and Electronic Communications Regulations, PECR) together give people control over their personal data and over the marketing they receive.

While the ePrivacy rules restrict specific unsolicited commercial messages, the GDPR governs how organisations obtain personal data and keep it secure.

Data laws

Europe’s GDPR is one of the best-known privacy laws in the world because of its clarity and breadth.

Under the GDPR (General Data Protection Regulation), in force since 25 May 2018, organisations must not only ensure that personal data is gathered lawfully and under strict conditions; those who collect and manage it are also obliged to protect it from misuse and exploitation and to respect the rights of data subjects, or face penalties for not doing so.

The GDPR requires a lawful basis for every processing activity, and it must be one of the following six:

  • The data subject has given consent to the processing for one or more specific purposes.
  • Processing is necessary to perform a contract to which the data subject is a party.
  • You need to process the data to comply with a legal obligation.
  • Processing is necessary to protect someone’s vital interests (for example, to save their life).
  • Processing is necessary to perform a task in the public interest or to carry out an official function.
  • You have a legitimate interest in processing the personal data. This is the most flexible lawful basis, but the “fundamental rights and freedoms of the data subject” always override your interests, especially where the data belongs to a child. For B2B cold outreach, consent and legitimate interest are the two bases that realistically apply.

The GDPR applies to any organisation established in the EU, as well as any organisation outside the EU that offers goods or services to people or businesses in the EU or monitors their behaviour. What this ultimately means is that almost every major corporation in the world needs a GDPR compliance strategy.

Penalties for not adhering to the GDPR are severe, with the maximum fine being €20 million or 4% of annual worldwide turnover for the preceding year – whichever is greater.

Cold outreach laws

If you are sending marketing emails to EU residents, you will need to comply with the ePrivacy Directive (2002/58/EC) as transposed in the relevant member state (in the UK, the Privacy and Electronic Communications Regulations, PECR), along with ensuring that your data is obtained and processed in accordance with the GDPR.

The ePrivacy Directive is the basis for the national laws governing this area. It gives effect to the right, set out in Article 7 of the EU Charter of Fundamental Rights, that “everyone has the right to respect for their private and family life, home and communications.”

A. Why should you comply?
The general aim of the ePrivacy Directive is to prohibit certain unsolicited commercial messages. As with all EU directives, it leaves it to the member states to transpose it into national law (the UK’s PECR is one such transposition).

On top of that, the GDPR dictates how organisations obtain recipient data and keep it secure.

As a result, anyone undertaking digital marketing or sending sales emails will need to comply with both the PECD (through its national transposition) and the GDPR.

The GDPR states that the fines will be “effective, proportionate and dissuasive” for each individual case based on their statutory catalogue of criteria. Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred, or lack of collaboration with authorities can increase the penalties.

For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.

In the UK, a violation of PECR can attract a fine of up to £500,000 from the ICO, which can be issued against the organisation or its directors.

B. How to comply?
When sending unsolicited B2B emails, it is possible to remain compliant with the ePrivacy rules (PECD/PECR) and the GDPR by directing them only to people whose role makes the message relevant to them, and by fulfilling other requirements such as:

  • The sender must identify themselves and the topic of the email, provide accurate sender details, and include a genuine physical address in the email.
  • There must be a straightforward, unambiguous way for recipients to opt out of future emails and to request the deletion of their personal data, and every opt-out must be honoured promptly and recorded so the address is never contacted again.

Apart from these general rules, each EU country has regulations that supplement the GDPR. So do not forget to be mindful of the national cold outreach laws that apply in your particular region and ensure compliance.

The GDPR came into force across the European Union on 25 May 2018 and applies in every member state. The rules for B2B email marketing, however, come from each state’s transposition of the ePrivacy Directive, and here the member states diverge: most run an opt-in regime, while some allow opt-out. The lists below also include Norway, which applies the same rules through the EEA agreement, and the United Kingdom, which retained them after leaving the EU; national rules change, so verify the current position before launching a campaign.

Countries with an opt-in regime, i.e. ones that require prior consent before sending B2B marketing emails, are:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Germany
  • Greece
  • Italy
  • Lithuania
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Romania
  • Slovakia
  • Slovenia
  • Spain

Countries with an opt-out regime, i.e. those that allow you to send B2B communications straight away provided every message carries an unsubscribe option to withdraw consent, are:

  • Estonia
  • Finland
  • France
  • Hungary
  • Ireland
  • Latvia
  • Luxembourg
  • Portugal
  • Sweden
  • The United Kingdom

CASL: The Canadian Anti-Spam Legislation

Canadian Anti-Spam Legislation (CASL) governs commercial electronic messages and applies to all emails sent to Canadian residents as part of commercial activity.

The primary feature of CASL is that recipients must give companies consent before they can be emailed. Implied consent can be relied on to send unsolicited B2B emails if the person’s email address is conspicuously published (e.g. on a company website), is not accompanied by a statement that they do not wish to receive unsolicited commercial messages, and the message is relevant to the person’s business, role or functions.

If the person’s email address isn’t publicly available, B2