
2. Data protection

Data is the new gold. Data is the new oil. Whatever the metaphor, data is omnipresent in the digital world. As such, this precious resource comes with a significant responsibility: data protection.

As a marketer, you might have heard of GDPR. You might have had to deal with CPRA obligations. Maybe even the ePrivacy Directive rings a bell?

One thing you’ve most certainly faced is the numerous consent prompts that follow you across the web and your apps, asking for your permission for odd things like “sharing personal data with third parties” and “accessing information in device storage”.

The digital era brought in its wake huge, incomprehensibly complex machinery for collecting, handling, and sharing personal data of internet users. This machinery fuels the business of digital ads, of social media, of online news sites, of analytics vendors, and of many other endeavors that share a slice of this pie worth trillions of dollars.

As such, there’s always been an imbalance between the resources these huge companies have and the individual whose data is being exploited.

Human beings have a right to their personal data. They have a right to privacy. How those rights are respected and treated depends on the region and the legislation in place, but there’s certainly been a lot of movement in the legislative space to fix the imbalance in favor of the individual.

As a technical marketer, your job most likely revolves around handling personal data of your users. Consider yourself a steward of this information – tasked with safeguarding the privacy and integrity of the data. This is not just an ethical stance – it’s a legal obligation.

Data breaches and data leaks that come from inappropriate handling of user data can lead to severe brand damage, loss of customer trust, and substantial financial penalties.

For these reasons alone, understanding the basics of data protection measures and the related legislation is absolutely vital for anyone working in the digital world.

Don’t miss this fact!

Data protection is not solely a legal obligation. You are ethically bound to respect your visitors’, end users’, and customers’ right to privacy.

General Data Protection Regulation (GDPR)

GDPR is a pivotal piece of legislation in the world of data privacy and data protection. Originating from the European Union, it is considered a global benchmark for data protection standards.

At the heart of GDPR are several key principles that govern the collection and processing of personal data.

  1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently in relation to the data subject.
  2. Purpose limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is in conflict with those purposes.
  3. Data minimization: Personal data collection should be adequate, relevant, and limited to what is necessary for the agreed purposes.
  4. Accuracy: Personal data should be kept accurate and, where necessary, up to date.
  5. Storage limitation: Personal data should be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes it was collected for.
  6. Integrity and confidentiality: Personal data should be processed in a manner that ensures appropriate security.
  7. Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with the other principles.

Under GDPR, the data controller is the party that determines the purposes and means of processing personal data. As a technical marketer, your company would typically be a data controller if you collect personal data for marketing purposes, for example.

The tools and services you use to fulfill your data controller tasks would typically be data processors. However, if these services define additional purposes (such as linking user data to their own systems), they would be joint or independent controllers of this user data with you.

GDPR establishes six legal bases for validating the lawfulness of personal data processing. The most commonly used are legitimate interest and consent.

Legitimate interest is a flexible legal basis, but it is not a free pass. It’s predicated on the idea that the personal data processing happens in a way that the data subject would reasonably expect, and it requires you to weigh your interest against the data subject’s interests and rights – and to document that balancing test.


If a visitor to your site subscribes to your newsletter, you don’t need an additional consent prompt to ask the visitor if they’re ok with their email address being used for the newsletter. By voluntarily subscribing to the newsletter, it’s reasonable to expect the visitor understands their email address will be used for this purpose.

GDPR establishes multiple rights of the data subject, such as the right to be forgotten. These rights and GDPR’s provisions in general are protected by fairly hefty fines – up to 4% of annual global turnover or €20 million, whichever is higher.

Deep Dive

Privacy laws around the world

There are many privacy laws around the world – over 70% of the world’s countries have some type of legislation in place. The bulk of these laws have been inspired by the EU’s General Data Protection Regulation.


While you don’t need to know the bits and pieces of all these different legislations, the overarching point is that ignoring data protection principles is no longer a viable option in the global data market.

For technical marketers, navigating these international laws comes down to three things: understanding the local laws of the markets your business operates in; adopting universal best practices, so that your defaults align with the strictest privacy law you are subject to; and staying adaptable, since privacy laws are constantly evolving.

Here are some of the most significant privacy legislations around the world:

United States

Unlike the EU, the United States doesn’t have a single, comprehensive federal privacy law. Instead, it employs a sectoral approach with various laws targeting specific industries.

Some of the most important laws in the U.S. include:

  • The California Consumer Privacy Act (CCPA): This act grants California residents the right to know what personal data is being collected and to whom it is being sold or disclosed, along with the right to access, delete, or opt-out of the sale of their personal data.
  • The California Privacy Rights Act (CPRA): CPRA extends the scope of CCPA by including organizations that not only sell personal data but also share personal data. It introduces additional protections for consumers, for example with regard to their data being used for targeted advertising.
  • The Health Insurance Portability and Accountability Act (HIPAA): This act protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. It applies to healthcare providers, health plans, and clearinghouses, and to the business associates that handle health data on their behalf.
  • The Children’s Online Privacy Protection Act (COPPA): COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age. It mandates parental consent before collecting, using, or disclosing personal data from children.

Lack of federal legislation and the powerful lobby of the U.S. surveillance sector have made it difficult to establish cooperation and interoperability between the EU and the U.S. with regard to handling personal data.

In U.S. law, non-citizens are regarded as aliens and have greatly reduced protections when it comes to personal data. In the EU, in contrast, even those just visiting the region are entitled to the full protection of GDPR.

Asia-Pacific

  • China: The Personal Information Protection Law (PIPL), similar to GDPR, regulates data processing activities and mandates consent for data collection.
  • Japan: The Act on the Protection of Personal Information (APPI) requires businesses to respect individuals’ rights regarding their personal data.
  • Australia: The Australian Privacy Principles (APPs) under the Privacy Act 1988 govern standards, rights, and obligations around collecting, using, and disclosing personal data.

Canada and Latin America

  • Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules for the collection, use, and disclosure of personal data in the course of commercial activity.
  • Latin America: Brazil has the General Data Protection Law (LGPD) and Argentina has the Personal Data Protection Act. Both have established comprehensive frameworks inspired by GDPR.

Consent

Consent is shorthand for “notice and choice” in the digital world.

It means that users are prompted for a choice – do they grant consent to their data being used for specific purposes or not.

Consent is one of the six legal bases for lawful processing of personal data under GDPR. In other words, if you are in doubt whether you have the right to process certain user data, asking for explicit affirmation from the user is one way to ensure the legality of the data collection and processing.

However, consent is also ethically questionable and sometimes a downright dangerous basis to hang your proverbial data hat on. Considering the number of data processors and data sharing activities that modern sites and apps work with, what users actually consent to is likely to go over their heads.

A single decision based on a cursory look at the gobbledygook of a consent prompt can have downstream effects that haunt the user for years. Add to this the fact that many companies try to tweak the UX to secure affirmative consent any way they can.

GDPR, for example, requires consent to be freely given, specific, informed, and unambiguous, and to be as easy to withdraw as it was to give. Every one of these requirements is consistently toyed with in the world of UX patterns.

While you may be tempted to mess around with consent UX to secure as much data as you can, you should err on the side of maximum data protection. Remember that your visitors have a sacrosanct right to privacy – trying to game that with UX patterns will not be a durable strategy.

Deep Dive

ePrivacy Directive

The ePrivacy Directive, commonly known as the “EU Cookie Law”, is a legal framework that complements GDPR for the electronic communication sector.

The ePrivacy Directive is the main reason for the proliferation of cookie banners and cookie prompts on the web.

One of its key provisions is the requirement that storing information on, or accessing information already stored on, the visitor’s device (such as cookies) requires affirmative consent, unless it is strictly necessary for delivering a service the visitor explicitly requested.

In other words – if a browser cookie isn’t even being used for personal data collection and processing (in which case it wouldn’t fall under GDPR), it would still be covered by the ePrivacy Directive as it uses device storage.

Being a directive, ePrivacy is transposed in different ways in EU countries’ national laws. Thus, in some regions the interpretations are stricter, and in some regions they are more relaxed.

As a technical marketer, privacy audits might fall in your lap, too. For ePrivacy, you might need to inventory the different types of device storage (cookies, localStorage, IndexedDB, and so on) that your tools and services utilize, and evaluate each item for whether it is strictly necessary for the service to function or not. Most likely your marketing tools will require consent from your visitors before you can allow them to store anything on the visitor’s device.


Different flavors of risk

While much of data protection falls under legal obligations, there are other things to consider, too. If you choose to protect users’ right to privacy only because the law requires you to do so, your effort will most likely be underwhelming.

Legislation moves slowly. Companies are very good at finding ways to resume access to data blocked by legislation or technology, using legal loopholes and poorly scoped risk assessment exercises.

But consumers are aware. These days they understand much more about privacy and data protection than data-hungry companies like to think. As such, the risk of participating in questionable data harvesting practices goes beyond just legal risk.

There is the ethical risk of assuming that the user is OK with you collecting data from them even though they denied consent. The typical excuse is that the prompt only asked about device storage (ePrivacy) and personal data processing (GDPR), so anything that falls outside those two is fair game. It’s dangerous to make assumptions about the intent behind a refusal. Users who say “no” to cookies and personal data would likely say “no” to many more things – you just didn’t ask them explicitly.

There is the brand risk of negative public exposure, if it becomes known that you are collecting data from users with ethically questionable means. Many companies have been outed in public for their questionable activities regarding user data.

There is the data security risk of inadvertently collecting sensitive information just because you didn’t pause data collection when consent was not granted.
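The storage audit described in the ePrivacy section above and the “pause collection when consent was not granted” point here can be enforced with the same deny-by-default gate: every storage write goes through one function that checks the declared purpose of the key against the visitor’s current consent, refuses anything not covered, inventories what is already on the device, and purges it when consent is withdrawn. The following is an added example, not code from the Handbook or from any consent-management product; the storage keys, their purposes, and the in-memory Map standing in for the visitor’s device are constructed for illustration.

```javascript
"use strict";
// Added example (not Handbook code). A deny-by-default consent gate that
// (1) refuses device-storage writes that consent does not cover,
// (2) inventories what is already on the device against a registry, and
// (3) purges stored items once consent is withdrawn.
// Keys, purposes and the in-memory store below are hypothetical.

// Every storage key a tool on the site writes, with the purpose it serves.
// Only "necessary" storage is exempt from ePrivacy consent.
const STORAGE_REGISTRY = {
  session_id: { kind: "cookie", purpose: "necessary" },
  csrf_token: { kind: "cookie", purpose: "necessary" },
  _ga:        { kind: "cookie", purpose: "analytics" },
  _fbp:       { kind: "cookie", purpose: "marketing" },
  ab_variant: { kind: "localStorage", purpose: "personalization" },
};

function createConsentGate(registry) {
  const granted = new Set(["necessary"]); // nothing else until the visitor says yes
  const refused = [];                      // audit trail of blocked writes

  const purposeOf = (key) =>
    Object.prototype.hasOwnProperty.call(registry, key)
      ? registry[key].purpose
      : "unregistered";

  return {
    grant(purposes) {
      for (const p of purposes) granted.add(p);
    },
    // Withdrawal must be as easy as granting; "necessary" can never be withdrawn.
    withdraw(purposes) {
      for (const p of purposes) if (p !== "necessary") granted.delete(p);
    },
    // Unregistered keys are refused too: a cookie nobody documented is an audit finding.
    isAllowed(key) {
      const p = purposeOf(key);
      return p !== "unregistered" && granted.has(p);
    },
    write(store, key, value) {
      if (!this.isAllowed(key)) {
        refused.push({ key, purpose: purposeOf(key) });
        return false;
      }
      store.set(key, value);
      return true;
    },
    // Inventory the device: what is stored, for which purpose, and is it covered now?
    audit(store) {
      return [...store.keys()].map((key) => ({
        key,
        purpose: purposeOf(key),
        covered: this.isAllowed(key),
      }));
    },
    // Remove everything consent no longer covers; returns the keys removed.
    purge(store) {
      const removed = [];
      for (const key of [...store.keys()]) {
        if (!this.isAllowed(key)) {
          store.delete(key);
          removed.push(key);
        }
      }
      return removed;
    },
    refusedWrites() {
      return refused.slice();
    },
  };
}

// Constructed walkthrough; a Map stands in for document.cookie / localStorage.
function demo() {
  const device = new Map();
  const gate = createConsentGate(STORAGE_REGISTRY);

  gate.write(device, "session_id", "s1"); // allowed: strictly necessary
  gate.write(device, "_ga", "GA1.2.1");   // refused: no analytics consent yet

  gate.grant(["analytics", "marketing"]); // visitor accepts these two purposes
  gate.write(device, "_ga", "GA1.2.1");   // now allowed
  gate.write(device, "_fbp", "fb.1.1");   // now allowed

  // A tag that bypassed the gate drops an undocumented cookie; the audit flags it.
  device.set("tracker_xyz", "1");
  const audit = gate.audit(device);

  gate.withdraw(["marketing"]);           // visitor changes their mind
  const purged = gate.purge(device);      // _fbp and the rogue cookie are removed

  return { stored: [...device.keys()], audit, purged, refused: gate.refusedWrites() };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real site the `store` argument would be a thin wrapper over `document.cookie` or `localStorage`, and the consent state would come from your consent-management platform. The design point is that the gate, not each individual tag, decides whether a write happens, so a refused consent actually pauses collection instead of being quietly worked around, and the refused-writes log plus the audit output give you the evidence a privacy audit asks for.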

Laws like GDPR are really about risk assessment. There is no laundry list of items that you always must follow without exceptions. Your company (and your legal team) need to assess the level of risk involved with all your decisions as a data controller.

Deep Dive

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment is a process designed to help an organization identify and minimize the data protection risks of a specific processing activity, ideally before that processing begins.

DPIAs are particularly relevant under GDPR in the European Union, but they are a useful exercise to take under any data protection framework.

The purpose of a DPIA is to systematically analyze, identify, and minimize the data protection risks of a project or plan.

DPIAs help ensure compliance with data protection laws, by demonstrating that appropriate measures have been taken to protect personal data.

A DPIA is required (for example, under GDPR) when data processing is likely to result in a high risk to the rights and freedoms of individuals. Examples include:

  • Large-scale processing of sensitive data.
  • Systematic monitoring of public areas on a large scale.
  • Use of new technologies or novel applications of existing technologies.

Sometimes a DPIA is beneficial even beyond the legal requirement. It lets your organization anticipate, identify, and address issues at an early stage. DPIAs also demonstrate your organization’s commitment to data protection and help you achieve regulatory compliance proactively.

We (the Handbook authors) are not lawyers. We are not equipped to tell you how to run your company, how to act as a data controller, which laws to follow, and what risks are worth taking.

However, by reminding you about how serious the legislation is about data protection in almost all corners of the world, we hope to inspire you to think of Privacy by Design from the vantage point of your visitors – all who are entitled to data protection and privacy under the full protection of the law.

As a technical marketer, you will be cajoled, tempted, and even coerced by data companies to get more data at whatever cost. Data is incredibly valuable. But you must remember that the right to privacy is incredibly valuable to the individual, too.

Key takeaway #1: Right to personal data protection

Article 8 of the EU Charter of Fundamental Rights states that everyone has the right to the protection of personal data concerning him or her. While this is indeed only in the EU, it’s good to take it as a guiding principle regardless of where in the world you operate. This is the foundational principle behind GDPR, and GDPR has been the blueprint for many other privacy laws and regulations around the world.

Key takeaway #2: Consent needs to be informed

Consent is a legal basis that is often used as justification for processing personal data. Users are asked, typically in a consent prompt or a banner, whether they grant the data controller the right to collect and process the user’s personal data. However, most users don’t understand what they are actually consenting to. They are faced with overwhelming options or complex legal (or technical) terminology, so it’s difficult to argue the consent was informed and freely given. Often, sites try to manipulate users to grant consent by using complicated UX patterns to mislead them.

Key takeaway #3: Privacy risks are gradient, not binary

Privacy laws and regulations often leave a lot for interpretation. They can’t possibly cover all possible use cases without ambiguity, so they might be broadly worded to allow organizations to justify their actions in a variety of ways. It’s thus important to assess the risks and privacy impacts of operations that deal with personal data. Sometimes, even though there is a risk, it’s deemed acceptable enough to proceed with the chosen approach. What’s most important is that these assessments are documented and that data collection is done within the boundaries of what the assessment covers.

Quiz: Data Protection

Ready to test what you've learned? Dive into the quiz below!

1. Do companies always need to ask for consent if they want to process a user's personal data in the EU?

2. How is a data subject defined under the GDPR?

3. Which of the following are principles that govern the collection and processing of personal data under the GDPR?
