Our special guest for episode 334 of the award-winning EDGE of the Web podcast was Niklas Stephenson of Legal Monster. Host Erin Sparks spoke with Niklas about the legal challenges digital marketers can face if they’re not careful. Here’s what we learned:
Niklas Stephenson: His Background and Experience
Niklas is the founder and CEO of Legal Monster, and he started it as a way to help marketers not worry about if they’re breaking the local email marketing laws anywhere in the world. Before Legal Monster, he was a VP of Growth at Trustpilot.
Niklas is a serial entrepreneur. He started his first company when he was 16 years of age. He was terrible at video games, so instead of spending weekends losing to his friends, he taught himself to code and how to build websites. He became a major player in Denmark in the content system called Mambo and then Joomla, telling everyone he was 25 when really he was only 16. He launched his own website design and web solutions consultancy at that age. That eventually led to him building a SaaS company in Denmark that was just sold earlier this year. With so much entrepreneurship under his belt, it was a very different kind of experience to join a big global team like TrustPilot.
The Legal Pitfalls in Email Marketing
The internet is the first thing that is both totally global and without any means to govern it globally. The European Union now has the GDPR (general data protection regulation), but it only covers privacy. It doesn’t cover marketing. So even within Europe, there are different marketing laws in each country. In the US, there are even different states with different marketing laws. Any company with a presence on the internet, no matter where it is, if it is marketing towards a certain country, it must follow that local country’s laws. Running a Google AdWords campaign targeting the UK means following British laws. Running an English-worded language campaign on Facebook targeting Danish people means following Danish law.
How do you get a grip on what the local marketing laws are in each area to know if you’re compliant? This is why Niklas started Legal Monster, and the idea for it occurred to him while he was at TrustPilot. The company was active in 80 different countries, so it started by hiring a law firm in each and every one of those countries. They found out from the law firms how to be compliant marketers in each of those countries. Then it took that information to its marketing department and said, “Here are 80 different ways you need to do the marketing.” Finding a way to make that process easy for marketers was the idea behind Legal Monster. It would be silly for every company to go through such an extensive (and expensive) process in-house. Legal Monster shoulders most of that burden, such as easily helping companies ensure they have gotten consent from consumers in way that complies with that area’s marketing laws.
Financial Penalties for Noncompliant Email Marketing
Data authorities in Europe are pretty active in pursuing fines against people who violate marketing consent laws. A company can be fined $25 per email it sends without having received proper consent from the consumer. If a company is sending to a list of 5,000 Danish emails every month in a non-compliant way over 10 months, that adds up fast: 5k X 10 X $25 = $1,250,000 in fines (this is just an example scenario).
In the United States, the rules are much “lighter” and easier to comply with, but the fines are also much higher. Non-compliant email marketing in the US can cost a company $19,700 per email. One type of non-compliance would be when someone unsubscribes from your list and you keep emailing them anyway. That could cost you $19,700 per non-compliant email sent. A big Danish company actually had email compliance violations for marketing targeting US consumers, and did in fact end up paying a $1 billion fine. And it had to cease and desist all of its marketing efforts in the US for an entire quarter.
What’s interesting in all of this is that all the concerns about privacy feel like a new focus, but these email marketing laws have been around for a long time, and yet no one pays any attention to them – until they are notified of an action against them. The internet has been like the Wild West for so long, people just don’t think about laws and compliance. But that’s now changing. Governments have realized it all needs more regulation. In Europe, for example, the “data authorities” or agencies are getting 50 times the resources than they used to get five years ago, so they are using that to be very active around enforcement. It all has to be taken very seriously.
Real-World Noncompliance Scenarios
An example of how this can play out in horrible ways is a large company that was in the process of selling off a big chunk of its business. The due diligence process revealed they didn’t have the right email marketing consents, and a big part of their revenue channel was sending out emails. And suddenly the buyer, five months into the deal and just before closing, pulled out and said, “Sorry, we can’t buy. If 95% of your revenue is coming from email and you don’t have the right to email people, what is the value of your business?” You can understand why the buyer would want to pull out – they’d be buying a criminal enterprise! The seller ended up giving a 20% discount on the deal.
What many people fail to realize is how easy it is to find yourself on the wrong side of compliance when sending emails. If you can show documentation of how you got consent, and that it was the right consent for the particular area in which the consumer lives, you could get into trouble. Let’s say a person was on your website, and added a product to the shopping cart, but then didn’t make the purchase. It’s pretty common for a company to send out an “abandoned cart” email message to that person to try to get them to finalize the purchase. But if that consumer didn’t opt-in with the proper consent, that email is non-compliant even though it feels like the company should have a right to send it. If you want to send abandoned cart emails, you’ve got to build in a consent process before the consumer can get to the shopping cart.
In fact, you can’t even do a remarketing ad for that without consent, even though the ad is not email-based. You need a specific consent per channel. If you’re going to text message, you need specific consent. If you’re going to do specific remarketing towards an individual, either based on a cookie or based on an email address, that is communicating via a channel as well. You need specific consent. And it needs to be individual consent. You cannot bundle it all together and just say, “We’re allowed to email, text, and do remarketing.” That is not allowed.
What if the remarketing is being handled by an agency? How does agency involvement affect all this? Basically, agencies also need to be compliant. Agencies need to get up-to-speed on all of this immediately or could find themselves inadvertently getting their clients into trouble, which wouldn’t be good for business.
You also have to be careful about your business model and what relates to it and what doesn’t. If the core business involves a subscription of some kind, then the company is allowed to communicate with the consumer about the subscription and to deliver the content. But the company cannot communicate with those subscribers with offers that are related. For example, if Spotify wanted to also start selling musical instruments, it couldn’t communicate with all its subscribers about selling musical instruments, even though it’s the same company.
It’s not just enough to get the right consent for each market, you have to be able to prove you got it, with evidence. If you can’t prove your consent with evidence, you could still get into trouble.
How Consent Laws Vary by Location
Remember there are different laws when it comes to consumers (B2C) and other businesses (B2B), and all these laws vary by place. In the US, a B2B company collecting intake data can include the client company’s email address on its form as long as there is some language included about how use their email address to communicate with them and solicit their business. In the UK, if that data collection form is for consumers, then there has to be specific consent language with a checkbox, and that checkbox cannot already be pre-checked. In Germany, valid consent has to be a double opt-in, meaning the checkbox first and then a follow-up email the consumer has to click on to verify opt-in.
In many European countries, the marketing laws also require a certain amount of the company’s privacy policy be shown to consumers as part of the opt-in consent process, and even what specific parts of a privacy policy need to be shown, such as how the consumer can unsubscribe or opt out. The consumer has to have a very clearly stated way to unsubscribe and opt out.
Consent also has to be very specific as to the topic of the communication. If you only have the consent to email about a special offer or discount code or something, and then suddenly you send emails to invite to an event such as a webinar, you don’t have consent to email about that topic.
So many companies have built up a big email list in a non-compliant way. What can they do at this point to avoid contact with the data police? The company could email them with a message saying they want to confirm they want to keep receiving these emails, and have a link in there with the proper consent all drawn up for where they live. That email in and of itself is non-compliant, but at least they’re trying to get proper consent with it moving forward.
What this is really about at its core is trust. As a business you want your customers to trust you, and that includes how you use their email address. If you send them all these emails for other marketing purposes and they didn’t give you permission to send them those emails, you’re violating their trust. Unethical marketing is why all these laws exist today.
How Legal Monster Works
Legal Monster has gone out to each of 80 countries and consulted local law firms to come up with the right legal way to get consent in both English and the native language. It then created what it calls its “legal framework” with all of the information in it. Legal Monster’s service acts like a widget on a company’s website. When a consumer comes to the business website, Legal Monster determines location from their IP address or from the business if they already know it. It can then present the right legal consent language based on the consumer’s location and what type of communications the business wants to have with the consumer, whether it’s B2C or B2B, the company’s privacy policy, the purposes of the communication, and so on.
Some people assume that if a business tries to cover all the possible bases, the consent form will be overly long and complicated, which has been the case with some companies (HubSpot went that route). Not so! Legal Monster specifically achieves an optimal balance between legal compliance and marketing effectiveness. It aims to get the right legal consent while still maintaining good conversion rates.
Keeping in mind the importance of evidence to prove consent (in many places the standard timeframe of saving documentation of consent is five years), Legal Monster collects 21 data points proving the consent and what it was for, and stores it all in an audit trail so it can easily be assembled if needed. And it’s all been vetted through local law firms, so it will hold up in court.
Connect with Niklas Stephenson and Legal Monster for a FREE Compliance Check!
Twitter: @nikstep (https://twitter.com/nikstep)
LinkedIn: https://www.linkedin.com/in/niklasstephenson
LM Website: https://www.legalmonster.com
LM Twitter: @legalmonster (https://twitter.com/legalmonster)
LM LinkedIn: https://www.linkedin.com/company/legalmonster
LM Facebook: https://www.facebook.com/Legal-Monster-310844502852394
LM Instagram: @legalmonster_com (https://www.instagram.com/legalmonster_com)
Wish You Knew More About Your Digital Marketing ROI?
Find out what you need to know with a Site Strategics report examining your SEO, content, social media, and PPC. Visit https://edgeofthewebradio.com/roi to get 30% off a comprehensive review of your digital assets!
