Marketing Compliance. How to Sell Without Violating Privacy

Marketing and privacy are two key elements of modern business that frequently come into conflict. On one hand, marketing strives to know its client as thoroughly as possible — their behavior, interests, and habits. On the other hand, personal data protection laws limit how this data can be collected, analyzed, and used.

Regulators around the world are increasingly scrutinizing marketing practices. For example, the Italian regulator (Garante) recently fined Verisure Italy €400,000 for unlawful marketing communications without a proper legal basis and in violation of the obligation to inform data subjects. This case illustrates that problems arise not from isolated mistakes, but from systemic deficiencies in building marketing processes without taking into account the requirements of privacy legislation — which can cost a business hundreds of thousands of euros.

In this article we will examine how to sell effectively and lawfully at the same time, analyze the most common violations, the key requirements of the EU, USA, UK, and Ukraine, and show how to make marketing transparent without losing its effectiveness.

Email Marketing: It All Starts with Consent

Sending emails to customers remains one of the most effective marketing tools. At the same time, it is also the most frequent source of systemic violations in the field of personal data protection.

In the EU and the UK, the principle is: no marketing email without the recipient's prior consent. This is a direct requirement of the ePrivacy Directive (Article 13) and of its UK equivalent, PECR. The exception is the so-called soft opt-in, which allows marketing messages to be sent to existing customers without separate consent, but only within narrow limits: the contact details must have been obtained in the course of a sale (or negotiations for a sale), the messages may only concern your own similar products or services, and the recipient must have been offered a simple way to refuse both at the moment of collection and in every subsequent message.

Case study: A telling case from the Belgian regulator concerned email marketing by a fitness club that demonstrated how formally obtained consent may not cover the actual processing scenarios. When concluding a membership agreement, the client separately agreed to receive “news by email.” A few months later they received a marketing email inviting them to an event at a nightclub, sent from a name different from the fitness club’s brand.

Although the event was organized by the club’s owner and the data controller was the same legal entity, the regulator found that marketing for the nightclub was a separate activity with a different processing purpose that was not covered by the consent given. Accordingly, the data processing was carried out without a proper legal basis.

In the USA, the approach to email marketing differs somewhat.

The CAN-SPAM Act allows commercial messages to be sent to people who have not given prior consent, but requires that header and subject lines are not misleading, that the message identifies itself as an advertisement, that it carries the sender's postal address, and that the recipient is given a clear, working opt-out mechanism whose requests are honored within 10 business days. The liability for violations is significant: the Federal Trade Commission (FTC) can impose civil penalties of up to $53,088 per email. In addition, individual states add their own requirements. For example, California law (CCPA/CPRA) gives consumers the right to opt out of the "sale" or "sharing" of their personal information, which covers passing it to third parties for cross-context behavioral advertising.

The Law of Ukraine “On Personal Data Protection” also requires the existence of a legal basis for any marketing mailing, and in practice such a basis is most commonly the data subject’s consent. Despite the fact that the 2010 law is outdated and does not take all modern approaches into account, it is based on European principles and provides for a person’s right to object to the processing of their personal data. Given the process of updating Ukrainian legislation and its harmonization with the GDPR, it is advisable for businesses to now build email marketing according to the European model.

Email marketing is only possible when there is a proper legal basis. In the EU, the UK and Ukraine that basis is, as a rule, the data subject's consent (or the narrow soft opt-in); the US instead relies on an opt-out model, but the unsubscribe mechanism there is just as mandatory.

Cookies and Tracking

Without cookies, modern digital marketing is impossible, as these files allow tracking of user behavior and showing them relevant advertising.

As we mentioned earlier, in the EU the ePrivacy Directive is in force, which requires obtaining prior consent for all non-essential cookies — that is, those that are not technically necessary for the website to function. This applies to both analytics and advertising pixels. Consent must be voluntary and transparent: it must be just as easy for the user to refuse cookies as it is to accept them.

Case study: A striking example of a violation is the decision of the French regulator (CNIL) at the end of 2021: Google was fined €150 million and Facebook (Meta) €60 million for making it difficult to refuse trackers. The “Accept all” button was one click away, while refusing required several steps. CNIL explicitly stated: “Refusing cookies must be as simple as accepting them.”

Typical violations that regulators pay attention to:

  • Absence of a “Refuse” button alongside “Accept” (or its concealment in a submenu).
  • Pre-ticked “I agree” checkboxes (under the GDPR this is invalid consent — the user must make the choice themselves).
  • The banner does not explain what the data is collected for, who it is transferred to, and does not contain a link to a detailed cookie policy.
  • Ignoring the user’s choice — for example, some websites still set trackers even if the person clicked “refuse.”
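The violations in the list above (silence or a pre-ticked box treated as consent, refusal harder than acceptance, trackers firing regardless of the choice) all come down to how the banner's state drives tracker loading. The following is an added example, not code from the original article or from any vendor's consent tool: a small consent gate in JavaScript in which no decision means no non-essential tracker, accept and reject are each a single call so the UI can offer them as equal buttons, the stored choice is tied to the version of the banner text it was given for, and withdrawal is possible at any time. The tracker names, the storage key and the version string are assumptions for illustration.

```javascript
// Added example (not from the original article): a consent gate that decides
// which non-essential trackers may load. Tracker names, STORAGE_KEY and
// CONSENT_VERSION are assumptions for illustration.

const CONSENT_VERSION = "2024-06-banner-v3"; // assumed: bump whenever the banner text changes
const STORAGE_KEY = "consent_choice";        // assumed storage key

// Non-essential trackers grouped by purpose (names assumed). Strictly
// necessary cookies (session, CSRF token) are not listed: they need no consent.
const TRACKERS = {
  analytics: ["google-analytics"],
  advertising: ["meta-pixel", "google-ads"],
};

class ConsentGate {
  // `store` is any get/set/remove object (localStorage-like) so the same
  // logic runs in a browser or under Node for testing.
  // `loaders` maps a tracker name to the function that injects it.
  constructor(store, loaders) {
    this.store = store;
    this.loaders = loaders;
    this.loaded = new Set();
  }

  // The stored decision, or null if none exists for the current banner version.
  decision() {
    const raw = this.store.get(STORAGE_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (rec.version !== CONSENT_VERSION) return null; // stale consent: ask again
    return rec;
  }

  // Purposes currently allowed. Default is none: silence is not consent.
  allowedPurposes() {
    const d = this.decision();
    if (!d || !d.purposes) return [];
    return Object.keys(TRACKERS).filter((p) => d.purposes[p] === true);
  }

  // Tracker names that may fire now. Useful as a "before vs. after consent"
  // self-check: with no decision this must be empty.
  trackersAllowed() {
    return this.allowedPurposes().flatMap((p) => TRACKERS[p]);
  }

  record(purposes) {
    const rec = { version: CONSENT_VERSION, at: new Date().toISOString(), purposes };
    this.store.set(STORAGE_KEY, JSON.stringify(rec));
    this.apply();
    return rec;
  }

  // Accept and reject cost the same: one call each, one button each.
  acceptAll() { return this.record({ analytics: true, advertising: true }); }
  rejectAll() { return this.record({ analytics: false, advertising: false }); }

  // Granular choice, e.g. analytics yes, advertising no. Anything not
  // explicitly true is false: there is no pre-ticked default.
  choose(purposes) {
    const norm = {};
    for (const p of Object.keys(TRACKERS)) norm[p] = purposes[p] === true;
    return this.record(norm);
  }

  // Withdrawal removes the stored choice so nothing further fires. Scripts
  // already injected cannot be unloaded, so the next page load completes it.
  withdraw() {
    this.store.remove(STORAGE_KEY);
  }

  // Inject every allowed tracker exactly once; returns what has been loaded.
  apply() {
    for (const name of this.trackersAllowed()) {
      if (this.loaded.has(name)) continue;
      const load = this.loaders[name];
      if (load) { load(); this.loaded.add(name); }
    }
    return [...this.loaded];
  }
}

// Minimal in-memory store so the gate can run outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => m.set(k, v),
    remove: (k) => m.delete(k),
  };
}
```

In a real page the `loaders` would append the vendor's `<script>` tag and `store` would be `localStorage` (or a first-party cookie); the gate is created on every page load and `apply()` is called once, so a refused or missing choice never reaches the loaders. Re-opening the banner simply calls `withdraw()` and shows the choices again.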

Targeting vs. Privacy

By using data about customer behavior or characteristics, businesses can show more relevant advertisements. However, from a legal perspective, targeting is often profiling. The GDPR does not prohibit profiling as such, but sets strict conditions for its lawfulness:

  • a valid legal basis (for behavioral advertising, in practice, the data subject's consent);
  • compliance with the principles of proportionality and transparency;
  • the data subject's right to object at any time to profiling for direct marketing (Article 21(2) GDPR), which in practice means an opt-out from personalized marketing that actually stops it.

EU regulators are increasingly insisting on consent for personalized advertising. For example, the Irish regulator (DPC) fined Meta €390 million, finding in particular that Meta unlawfully processed user data for behavioral advertising, attempting to cover this with “performance of a contract” with the user. The company is now required to request opt-in from European users for personalized advertising. This is a precedent for other platforms too: if advertising is based on user data (their interactions and preferences), the best strategy is to obtain opt-in.

Steps for lawful targeting:

  • Obtain consent for personalized advertising at the moment of data collection. For example, when registering for a service, ask separately: “Do you agree to receive personalized offers and advertising based on your data?” (and explain that you can opt out at any time). If the user has not given consent, show only contextual advertising without using personal data.
  • If the user has opted out of marketing, exclude them from all targeting campaigns.
  • In every advertisement that is personalized, it is worth informing the user of the use of their data. For example, Meta shows “Why am I seeing this ad?” where it explains that the user’s data (email or behavior) was used for targeting.

Transferring Data to Marketing Platforms

Facebook Pixel, Google Ads tag, and other platforms allow tracking conversions, creating retargeting, and collecting statistics. However, from a privacy perspective these instruments transfer user data to third parties. Technically this may look like the transfer of an IP address, a cookie identifier, or information about actions on the site, but collectively such data often allows a specific individual to be identified. This is why for regulators this constitutes processing of personal data with transfer to third parties.

It is important to understand that large platforms generally do not position themselves as processors.

Meta, Google, and similar services often act as separate or joint controllers, since they also use the data received for their own purposes. For example, you and Meta are joint controllers at the stage of collecting and transferring data through the pixel. This means you must:

  • Inform the user in your Privacy Policy of the use of such pixels, name the relevant platforms (Meta, Google, etc.), explain that data is transferred and for what purpose. Also provide links to the policies of these third parties.
  • Obtain the user’s prior consent before activating the pixel (through a cookie banner or other mechanism).
  • Accept the relevant contractual terms. For example, Meta requires agreeing to the Joint Controller Addendum, which stipulates that the platform is responsible for the exercise of certain user rights, while the business is responsible for informing users and for the legal basis of processing.

If the platform acts as a processor — for example, if you use an email mailing service or a CRM system for marketing — then you need a Data Processing Agreement (DPA) with that provider. Article 28 of the GDPR obliges the conclusion of a written agreement specifying what data is processed, for what purposes, the security measures, the confidentiality obligations, and so on. The absence of such a DPA is itself a violation.

Documentation: The Foundation of Marketing Compliance

Marketing is usually associated with creativity, speed, and experimentation. At the same time, it is documentation that determines how lawful and manageable these activities are from a privacy perspective. Marketing teams can create dozens of commercial materials, but without a proper legal framework even the most successful campaign can become the cause of regulatory risks.

In the context of marketing compliance, the following documents are of key importance:

Privacy Policy and Cookie Policy

Public documents where you describe what personal data/cookies you collect and how exactly you use them. Many companies make the mistake of writing policies very abstractly. Instead, a good approach is to dedicate a separate section “Marketing and mailings,” “Cookies,” and explain in a clear form: “We may send you promotional emails, but only with your consent. You can unsubscribe at any time via the link at the bottom of the email or by writing to us.” Also indicate that you use third-party platforms (name which ones) and that data may be transferred to them.

Data Processing Agreement (DPA)

An agreement with each provider that processes data according to your instructions. Make sure that in the agreement with them or in a separate addendum there is a section on the processing of personal data in accordance with the requirements of the law. It must specify that the provider acts only according to your instructions, ensures confidentiality, applies appropriate security measures, and so on (the list of requirements is in Article 28 of the GDPR).

Regulators have repeatedly emphasized that the responsibility for having a DPA rests with both parties.

Standard Contractual Clauses (SCC)

Standard contractual clauses on transfer are required for the transfer of personal data to third countries. If, for example, your Ukrainian employees gain access to client data from the EU for marketing purposes, you are formally transferring data to Ukraine, which does not have an adequacy decision. In that case, SCC are required between your European entity and the Ukrainian one. A Transfer Impact Assessment must also be conducted, evaluating who the recipient is, what data is involved, what the risks are, and what technical and organizational measures you have implemented (encryption, security policy updates, etc.).

Records of Processing

An internal document where you describe all operations with personal data. For each marketing activity it is worth recording the purpose of processing, the categories of data, the categories of data subjects, recipients, retention periods, and the legal basis. This is not only an obligation under the GDPR, but also a tool that will help identify whether data is being used somewhere without a legal basis, whether it is being stored longer than necessary, and so on.

Data Protection Impact Assessment (DPIA)

For some marketing processes it may be mandatory (for example, if you carry out large-scale profiling of users). Even when a DPIA is not formally required, conducting one voluntarily demonstrates your responsibility. In the context of marketing, a DPIA makes it possible to weigh: are we excessively interfering with users’ privacy? Perhaps it is worth reducing the granularity of the data or providing additional guarantees.

Documentation of User Consent

Keep forms, log records, and technical journals. In the event of a dispute the burden of proof lies with the company, and the absence of evidence of consent frequently directly affects the amount of the fine. Make sure such records are reliably stored and can be presented upon the regulator’s request.

Team Training

It is equally important to train the marketing team on privacy requirements. No policy will work if the team does not understand it. Conduct training, explain what personal data is, why it is important to ask for consent, and how to process unsubscribe requests immediately.

A culture of privacy must be part of marketing culture.

What Can You Do Right Now?

1. Inventory of marketing channels

Compile a full list of all channels and instruments through which you interact with clients and leads: email mailings, SMS, messengers, targeted advertising, social networks, affiliate programs, website analytics, CRM, and so on. The goal is to get a complete picture of data processing.

2. Verification of legal bases

For each channel, determine the legal basis for processing personal data. Has consent been obtained? If relying on legitimate interest, conduct a Legitimate Interest Assessment (LIA). Make sure no marketing is taking place anywhere without a proper legal basis.

3. Audit of consents and opt-outs

Review the forms on the website, questionnaires, and checkboxes. Is the consent request clearly formulated? Are checkboxes pre-ticked? Test the unsubscribe process: how quickly and easily can one opt out of mailings or change cookie settings? Walk through the user journey yourself.

Read more: What is a Customer Journey Map and why is a transparent privacy policy important for marketing?

4. Currency of policies and notices

Update the Privacy Policy, Cookie Policy, and other notices (for example, short pop-up notices when collecting emails). Make sure the policies are accessible on every website where data is collected, and that users can easily find them (link in the footer under “Privacy,” etc.).

5. Agreements with counterparties

Go through the list of marketing contractors and services. Find the relevant agreements (contracts, annexes to them) and check for the presence of personal data protection provisions. If the contractor is foreign — make sure either that they fall under an adequacy decision or that SCCs have been signed. Compile a register of these agreements.

6. Cookies and trackers

Use specialized scanners (for example, services like Cookiebot) to scan your website for cookies before and after consent. Make sure only mandatory cookies are set without consent. Check whether the consent withdrawal mechanism works (for example, through re-opening the banner).

7. Data security

Pay attention to databases containing marketing information (email lists, CRM with customer profiles, exported files with leads, etc.). Who has access, and is it limited to the people who actually need it? Are exports encrypted and deleted after use, or do lead spreadsheets sit in shared drives and cloud storage without access controls? A leaked mailing list is a personal data breach in its own right.

8. Data retention periods

Personal data cannot be kept “forever, just in case.” Set clear periods: for example, if a contact has not responded to mailings for 2 years — delete or archive them (or better, ask whether they are still interested). This practice is a GDPR requirement (the principle of storage no longer than necessary) and reduces the risk of a breach (less data — less harm).

9. Readiness for user requests

Assess how prepared you are to respond to data subject requests. How long will it take to find all data about a specific person in your systems if they ask? Will you be able to fulfill a data deletion request? Assign responsible persons and define procedures.

10. Track legislative updates

Privacy regulation is constantly changing. Therefore, compliance is not a one-time project, but a process that requires regular review. Designate a responsible person or engage external advisors at least once a year.

Conclusions

Marketing compliance is not a brake on marketing — on the contrary, it is a way to build long-term relationships with clients. Effective marketing is possible without excessive interference in privacy through contextual advertising, aggregated analytics, and data that users provide consciously and voluntarily.

The specialists of Legal IT Group help businesses scale marketing and sales without violating privacy rules, incurring fines, or facing complaints from users and regulators. We have supported projects in the fields of ad-tech, CRM, and email marketing, have practical experience working with GDPR and ePrivacy requirements in the EU, UK PECR, as well as with US legislation, in particular CAN-SPAM, CCPA/CPRA, and individual state laws.

Need an audit of marketing processes, documentation, or a comprehensive solution? Contact us — we will help you build marketing compliance without harm to your business.
