Select Page
Share

By Rafael Viana *

I don't know if you heard about it, but Brazil has a data protection law that will take effect in a year, and if you don't make the necessary changes to conform to the new law, your company could be fined between R$ 50 million or 2% of annual sales. In addition to fining those who do not comply with it, the law also defines the rights (of people regarding their personal data) and duties for those who wish to make use of this data. Like any regulation, everything is well explained on the Planalto website, and I recommend reading it to understand it better.

An important point, everything I bring here as a recommendation or example should not be treated as legal advice. Your company should seek a specialized audit to have a legal basis for your data. Get informed!

LGPD, what changes?

The main change is the very definition of what is covered by the law, which begins like this:

Art. 1 This Law provides for the processing of personal data, including in digital media, by a natural person or by a legal person under public or private law, with the objective of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Every time I read this I shiver! This excerpt makes it clear that the most valuable asset of the 21st century is defined as a fundamental right of freedom and privacy for the individual and not just information in someone's database. It's a change of mind!

Other definitions are part of the law and below I have separated the three that I believe to be the main:

- Personal data is all information related to the identified or identifiable natural person;
- Data processing is any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction;
- Consent is the free, informed and unequivocal manifestation by which the holder agrees with the treatment of his personal data for a specific purpose.

In a simple way, this means that: every company that wants to make use of (see the definition of treatment) personal data will need the consent of the holder for that determined purpose, which can result in the reduction of the size of their lists of recipients of email marketing, especially in cases where these lists were created not in line with the new law, since it will be necessary to request consent again and not everyone will do so.

There was a desperation, right? I already know what you must be thinking - “Wow Rafael! These changes will reduce the number of people who receive my e-mails, resulting in a drop in sales ”. Look, I agree with that in part, but know that we saw the opposite effect in a very similar scenario a little over a year ago. Next I will bring a little of what we saw in Europe with the arrival of the GDPR (General Data Protection Regulation), which is the European Union's data protection law.

GDPR, an example for the LGPD

GDPR was the law that ushered in a new era, where personal data has become an individual's right. Regardless of which country the European Union citizen lives in, the law extends to him globally. For example, if an American company wishes to make use of a citizen of Spain's data for its email marketing campaigns, it needs his consent for this, otherwise it will be infringing the GDPR. With LGPD it will be exactly the same, that is, every company, Brazilian or foreign, will have to have the consent of the Brazilian citizen to make use of their data.

Just like here in Brazil, the European Union took time to adapt to the requirements of the law and we observed two different types of approaches, according to a survey conducted by Marketo. One group, which represents 45% of the interviewees, had as objective an approach more focused on the legal aspects, that is, all the modifications and adjustments were made to fit within the parameters of the law and thus not suffer a fine. The other 55% chose to treat these changes as an opportunity to improve their marketing strategies, allowing them to improve the relationship with their customers and prospects, in addition to complying with the law. Regardless of the approach adopted by the companies, we came to observe results one year after the GDPR came into effect, among the main ones being:

Better deliverability

When comparing Return Path's Deliverability Benchmark reports for 2017 and 2018, we can see an increase in the inbox delivery rate. We believe that this improvement is the result of lists composed of people who provided informed consent in a conscious and informed manner, as described in the law, in addition to reducing the amount of invalid addresses and spam traps (which were removed because they were unable to opt-in) again).


(Comparison of the numbers in the 2017 and 2018 Return Path Deliverability Benchmark reports)

List churn reduction

This is a benefit that is generally seen in the long term, as the email addresses used by your leads or customers leave your base, through unsubscribe, spam complaint or e- mail ceases to exist (bounce by nonexistent box, or also known as unknown users, very common when an employee leaves the company).

To get an idea of the benefit, the list churn rate in Europe post-GDPR is on average 0.57%, and in Latin America it is on average 0.79%, is what this study published by IBM says. This may seem like a low number, but put it in the following perspective, if you could get a reduction of just 0.1% for each shipment to a base with 1 million recipients, in one year this means the possibility of maintaining about 200 thousand contacts.

Only that benefit? Not really! But if I go into detail about everything that is being reported as a post-GDPR benefit, I would end up writing a book. More directly, the graph below shows the benefits that were observed and published in a UK Marketing Email Tracker 2019 study by the Direct Marketing Association of the United Kingdom.


Have you been able to convince yourself that these changes could be good for your company?

So, are you ready for the LGPD?

The first step is to raise awareness of the entire company and the people who work in the departments that make use of personal data. Involve the legal department and the department responsible for information security, they will help to define the rules of how data can be collected and used (remember the definition of what data processing is).

If you have to change anything, consider an approach that makes it all an opportunity to improve your marketing and growth strategy, such as:
- Be clearer about what will be sent and through which channels (email, sms, push);
- Have a clear opt-in, a suggestion is to offer two unmarked checkboxes, where the visitor has to choose one of the two options (instead of the classic standard of a single pre-marked accepted checkbox);
- Forget the current mindset that the data is from the company. Wrong! The data belongs to the people and the companies have or not an authorization for them to be used.

May August 2020

As we saw here, the LGPD is here to stay. It already has a date to go into effect, and it also already has a National Data Protection Authority that will be responsible for evaluating complaints and applying fines, that is, it is not time to “push with the belly”. You will have to adapt!

Do not let the amount of changes affect you, as it is not a seven-headed bug, it is just an adaptation and a collaborative effort to adapt, then just follow your company's security guidelines for using the data and that's it.

Remember: the sooner your email marketing program is adapted, the sooner the fruits will be harvested, and without surprises.
Success!

(*) Rafael Viana is Senior Email Strategist at Return Path 

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies

quick access

en_USEN