General Data Protection Law: 5 Tips for Marketing Teams

We listed 5 measures for those who work in marketing to put into action as soon as possible

ATTENTION: The purpose of this post is for information only – we do not provide legal advice, nor are we responsible for measures that may be taken by third parties in relation to the General Data Protection Law (LGPD).

The LGPD entered into force in Brazil in September 2020, after many comings and goings in political proceedings. In addition to the insecurity caused by uncertainties in the regulatory scenario, there is also the absence of the institution of the National Data Protection Authority (ANDP), a body that will regulate activities related to the processing of personal data, both in the public sector. , how much private.

With the absence of ANPD in the adaptation process, most companies are following, as far as possible, European guidelines. For marketing it is no different: professionals have several initiatives and changes ahead.

These initiatives are very important: the adequacy of Landing Pages and forms for obtaining consent, Email Marketing, sponsored ads, and other Digital Marketing strategies that have already been the subject of this blog post.

In this post, we’ll give you five other tips that can help you adapt your company’s marketing strategies to the LGPD.

5 marketing tips to comply with the General Data Protection Law

1. Your lead base needs legal bases

Are you authorized to use the personal data of the Leads you have in your database? It is the responsibility of everyone within a Marketing team to understand the legal basis of the LGPD. That is, to know what are the hypotheses provided by law that allow data to be processed by a company or organization.

By processing, it is understood any operation performed with this data, such as:

  • Collect;
  • Access;
  • Use;
  • Storage;
  • Reproduction;
  • Communication, etc.

Of the ten legal bases that authorize the processing of data, two, in particular, stand out for Marketing purposes: consent and legitimate interest. One of the most recurrent questions is: which of these two legal bases should I use for my marketing actions? The answer is: “it depends”.

It is important to understand the difference between them and in which cases you can use them.

2. Rethink Outbound Marketing

Here the scenario is delicate, as some Outbound Marketing practices tend to fall into disuse or will require more care.

Outbound Marketing can be defined as a traditional strategy, in which the brand is active in the process of prospecting for customers. On the other hand, Inbound Marketing consists of a passive prospecting strategy. In other words, while in Inbound you create mechanisms to attract potential customers, in Outbound you identify the profile of potential customers and start approaching them.

A practice widely used by companies today is the purchase of contact lists from companies known as “ data brokers ”. They are entities that compile and sell consumer information on the internet.

Data brokers

Data brokers not only use raw data to reach online consumers but also so-called derived data, which are inferences made from the combination of raw data.

However, the lead acquisition model based on purchases of lists with “data brokers” presents incompatibilities with the LGPD. The practice does not obey the principle of the specific purpose of data processing, nor the need for the free, informed, and specific consent of the data subject.

Therefore, only work with vendors who legally guarantee that their lists contain contacts who have opted in for marketing communications. This seems like an obvious solution, but it requires some caution: with LGPD, if you buy a list without proper permission, it’s not just the vendor’s problem, you could also be held responsible.

3. Don’t forget about cookies

“Cookies” are identifiers that can be generated or collected from the browser or device you use, in order to provide a page for you to access or to identify your browsing profile.

In summary, cookies can be used for various purposes, such as measuring page audience, generating statistics, monitoring, etc.

Ok, but can cookies be considered personal data? Personal data is information related to a natural person that can make them identifiable or identified.

At this point, it is important to understand two things: both the LGPD and the GDPR followed an expansionist line of interpretation regarding the concept of personal data.

expansionist theory

According to the expansionist theory, personal data is a set of information that when gathered can individualize someone. For example, a cookie, which through navigation data allows inferring behavioral profiles (like trips), when associated with other data, such as a CPF, can make a person identifiable.

Therefore, the definition of personal data in the law uses the word “identifiable” and not just “identified”.

What are the legal bases for the use of cookies?

Both in the GDPR and in the LGPD, there is an indication that a legal basis for data processing is necessary. The ePrivacy Directive only associates cookies with the legal basis of consent – ​​and makes an exception to the use of this hypothesis for cookies strictly necessary for browsing or using the solution. All others need consent.

4. Make it easy to exit

How many times have you, as a consumer, had trouble canceling a subscription or unsubscribe from an email list, for example? Hidden and unintuitive buttons and ineffective processes are common practices to make it difficult for a Lead to exit. That shouldn’t happen anymore.

Tell people they have the right to withdraw their consent at any time and how to do this. As of the General Data Protection Act, withdrawing consent should be as easy as it was to provide it.

5. Organize your Leads and automation segmentations

Will the LGPD derail automated profiling and decision-making practices? The answer is no. However, creating segmentations according to Leads profile characteristics is a practice that will need to respect some limits, especially in cases of invasive and discriminatory practices.

In marketing actions, such practices can have a negative impact under the law, depending on factors such as:

  • Intrusiveness in profiling;
  • The expectations and desires of the individuals involved;
  • How marketing communication is provided;
  • The vulnerability of the data subject.

We can use as an example two cases about the price variation of a product or service:

  • In the first case, a company, when performing credit analysis, identified that the consumer was experiencing financial difficulties. And for this reason, it is often the target of loan offers at higher interest rates than usual, running the risk of accepting the loan and potentially incurring higher new debt than it could. In this case, the automated decision, which results in differentiated interest based on personal data, can have a significant effect and be considered a discriminatory practice.
  • In the second case, suppose a company offers discounts to its most valued customers. This practice, in principle, does not have a legal or significant effect, as it does not infringe the data subject’s rights.

In both cases, there is a variation in values ​​for the acquisition of products or services, but the classification of the decision as to its legal or significantly similar effects depends on a broad contextual and principled analysis of the processing practices, in the specific case.

Next Steps with LGPD

Last but not least: understand your scenario with the LGPD, it’s yours alone. Each company has specific realities and needs to comply with the law. Therefore, seeking professional advice is essential for a successful adaptation process.