If compliance isn’t at the top of your yellow legal notepad’s to-do list, it’s time to make a new list. In this session, Keith Nyberg, Marketing Technology Consultant at Etumos, guides you through best practices for managing your database as you move toward a more compliant model to ensure that your program is really doing what you think it is. Learn ways to effectively implement privacy compliance for your organization in Marketo.

1. Privacy Compliance
Managing your Legal Requirements in Marketo
KEITH NYBERG

2. About Me
Professionally
• Marketing Automation Manager at SugarCRM

3. About Me
Professionally
• Marketing Automation Manager at SugarCRM
• Traveled through Southeast Asia
• TH, LA, KH, MY, ID, SG, PH, VN & JP

4. About Me
Professionally
• Marketing Automation Manager at SugarCRM
• Traveled through Southeast Asia
• TH, LA, KH, MY, ID, SG, PH, VN & JP
• Marketing Technology Consultant at Etumos
• San Diego Marketo User Group

5. About Me
Professionally
• Marketing Automation Manager at SugarCRM
• Traveled through Southeast Asia
• TH, LA, KH, MY, ID, SG, PH, VN & JP
• Marketing Technology Consultant at Etumos
• San Diego Marketo User Group
Personally
• Enjoy surfing, stacking rocks, running BM camp
& taking my RV places
• Currently in Oceanside, CA

6. Agenda

7. Agenda
What is Privacy Compliance?

8. Agenda
What is Privacy Compliance?
Goal of Privacy Compliance Program

9. Agenda
What is Privacy Compliance?
Goal of Privacy Compliance Program
The Ideal Program State

10. Agenda
What is Privacy Compliance?
Goal of Privacy Compliance Program
The Ideal Program State
Steps to Implement

11. Agenda
What is Privacy Compliance?
Goal of Privacy Compliance Program
The Ideal Program State
Steps to Implement
This is NOT legal advice!
Topic discussed today are purely philosophical
and no guidance provided should be
considered as legal advice.
Privacy Compliance is tricky… it is your job to
work with your legal team to balance risk and
business success. Too much enforcement can
affect the business negatively, not enough
enforcement can lead your company to legal
consequences.
Let your legal team determine the right
balance!

12. What is Privacy Compliance?
Source:
https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

13. What is Privacy Compliance?
Source:
https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

14. What is Privacy Compliance?
LOTS OF LAWS!
Source:
https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

15. A company's accordance with established personal information
protection guidelines, specifications or legislation.
Privacy Compliance is..

16. A company's accordance with established personal information
protection guidelines, specifications or legislation.
A company with good privacy compliance processes adheres to
regional regulations and enforces these regulations in their
communication strategy.
Privacy Compliance is..

17. How Legal talks
EXPRESSED CONSENT - any freely given, specific, informed and unambiguous indication
of the data subject's wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or her.
(Article 4(11))1
Sources:
https://gdpr.eu/gdpr-consent-requirements/
https://crtc.gc.ca/eng/com500/guide.htm

18. How Legal talks
EXPRESSED CONSENT - any freely given, specific, informed and unambiguous indication
of the data subject's wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or her.
(Article 4(11))1
IMPLIED CONSENT- may include having an existing business relationship (EBR) based on a
previous commercial transaction with the recipient; or having an existing non-business
relationship based on, for example, membership in your club, or if the recipient
participated as a volunteer for your charitable organization; or where a person makes
their email address publicly available by publishing it on a website.
Sources:
https://gdpr.eu/gdpr-consent-requirements/
https://crtc.gc.ca/eng/com500/guide.htm

19. How Legal talks
EXPRESSED CONSENT - any freely given, specific, informed and unambiguous indication
of the data subject's wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or her.
(Article 4(11))1
IMPLIED CONSENT- may include having an existing business relationship (EBR) based on a
previous commercial transaction with the recipient; or having an existing non-business
relationship based on, for example, membership in your club, or if the recipient
participated as a volunteer for your charitable organization; or where a person makes
their email address publicly available by publishing it on a website.
Sources:
https://gdpr.eu/gdpr-consent-requirements/
https://crtc.gc.ca/eng/com500/guide.htm

20. How MOPs talks
EXPRESSED CONSENT
• Opt-In: asking for consent to marketing on your company’s form

21. How MOPs talks
EXPRESSED CONSENT
• Opt-In: asking for consent to marketing on your company’s form
• Double Opt-In: asking for consent to marketing on your company’s form, in addition
to asking them to reconfirm their request via email

22. How MOPs talks
EXPRESSED CONSENT
• Opt-In: asking for consent to marketing on your company’s form
• Double Opt-In: asking for consent to marketing on your company’s form, in addition
to asking them to reconfirm their request via email
IMPLIED CONSENT
• Opt-Out: consent to marketing assumed until Opt-Out occurs

23. How MOPs talks
EXPRESSED CONSENT
• Opt-In: asking for consent to marketing on your company’s form
• Double Opt-In: asking for consent to marketing on your company’s form, in addition
to asking them to reconfirm their request via email
IMPLIED CONSENT
• Opt-Out: consent to marketing assumed until Opt-Out occurs
OTHER IMPLIED CONSENT
• Customer/Ex-Customer: existing/previous business relationship
• Hand-Raises: contact requests, inbound emails, etc

24. Program Goals & Outcomes

25. Program Goals & Outcomes

26. Program Goals & Outcomes
This program WILL
1) safeguard your instance

27. Program Goals & Outcomes
This program WILL
1) safeguard your instance
2) capture consent details

28. Program Goals & Outcomes
This program WILL
1) safeguard your instance
2) capture consent details
3) follow S.C.R.I.M. best practices

29. Program Goals & Outcomes
This program WILL
1) safeguard your instance
2) capture consent details
3) follow S.C.R.I.M. best practices
Source:
https://www.freepngclipart.com
LEGAL

30. Program Goals & Outcomes
This program WILL
1) safeguard your instance
2) capture consent details
3) follow S.C.R.I.M. best practices
Source:
https://www.freepngclipart.com
I’m stoked!
LEGAL

31. Program Goals & Outcomes
This program WILL
1) safeguard your instance
2) capture consent details
3) follow S.C.R.I.M. best practices
This program will NOT
• manage communication preferences
• append Email Opt-In – EVER!
Source:
https://www.freepngclipart.com
I’m stoked!
LEGAL

32. The Ideal Program

33. The Ideal Program Components
1. Fields

34. The Ideal Program Components
1. Fields
Source:
https://sciencing.com/benefits-agriculture-farmers-6973506.html

35. The Ideal Program Components
1. Fields
Source:
https://sciencing.com/benefits-agriculture-farmers-6973506.html

36. Recommended Fields
Capturing Consent
• Email Opt-In (boolean)
• Email Opt-In Date/Time (dateTime)
• Email Opt-In Source (text)
• Email Opt-In Status (string)

37. Recommended Fields
Capturing Consent Enforcing Consent
• Email Opt-In (boolean)
• Email Opt-In Date/Time (dateTime)
• Email Opt-In Source (text)
• Email Opt-In Status (string)
• Unsubscribed (boolean)
• Unsubscribed Reason (string)
• Consent Expiration Date (date)

38. Unsubscribed
Privacy compliance is enforced using Unsubscribed.
This means that Unsubscribed will be set TRUE for any record that has not
provided consent based on their country’s requirements.
Anyone that should not receive direct marketing due to privacy compliance
will be automatically blocked from emails sent from Marketo and Salesforce.
This will occur on creation, or when the person’s location changes to a region
that requires consent.

39. Recommended Fields
Capturing Consent Enforcing Consent
• Email Opt-In (boolean)
• Email Opt-In Date/Time (dateTime)
• Email Opt-In Source (text)
• Email Opt-In Status (string)
• Unsubscribed (boolean)
• Unsubscribed Reason (string)
• Consent Expiration Date (date)

40. Recommended Fields
Capturing Consent Enforcing Consent
• Email Opt-In (boolean)
• Email Opt-In Date/Time (dateTime)
• Email Opt-In Source (text)
• Email Opt-In Status (string)
• Unsubscribed (boolean)
• Unsubscribed Reason (string)
• Consent Expiration Date (date)
Email Opt-In Source
• system.dateTime
• lead.utm_values
• lead.First/Last Source
• lead.First Last Source Detail

41. Recommended Fields
Capturing Consent Enforcing Consent
• Email Opt-In (boolean)
• Email Opt-In Date/Time (dateTime)
• Email Opt-In Source (text)
• Email Opt-In Status (string)
• Unsubscribed (boolean)
• Unsubscribed Reason (string)
• Consent Expiration Date (date)
Email Opt-In Source
• system.dateTime
• lead.utm_values
• lead.First/Last Source
• lead.First Last Source Detail
Unsubscribed Reason
• Privacy Compliance

42. Recommended Fields
Capturing Consent Enforcing Consent
• Email Opt-In (boolean)
• Email Opt-In Date/Time (dateTime)
• Email Opt-In Source (text)
• Email Opt-In Status (string)
• Unsubscribed (boolean)
• Unsubscribed Reason (string)
• Consent Expiration Date (date)
Email Opt-In Source
• system.dateTime
• lead.utm_values
• lead.First/Last Source
• lead.First Last Source Detail
Email Opt-In Statuses
Unsubscribe = FALSE
• Double Opt-In
• Expressed Consent: Opt-In
• Implied Consent: Customer
• Implied Consent: Ex-Customer (exp)
• Implied Consent: Hand-Raise (exp)
Unsubscribed = TRUE
• Pending Double Opt-In
• No Consent
Unsubscribed Reason
• Privacy Compliance

43. The Ideal Program Components
1. Fields

44. The Ideal Program Components
1. Fields
2. Segmentation

45. The Ideal Program Components
1. Fields
2. Segmentation
Source:
https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

46. The Ideal Program Components
1. Fields
2. Segmentation
Source:
https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
https://theeventscalendar.com/blog/event-management/how-to-market-your-event-with-email-audience-segmentation/

47. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default

48. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default
OPs Process Approach
1. Unsubscribe
2. Double Opt-In
3. Opt-In
4. Other
5. Unknown
6. Opt-Out
7. Default

49. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default
OPs Process Approach
1. Unsubscribe
2. Double Opt-In
3. Opt-In
4. Other
5. Unknown
6. Opt-Out
7. Default
1. One segment for each unique compliance process

50. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default
OPs Process Approach
1. Unsubscribe
2. Double Opt-In
3. Opt-In
4. Other
5. Unknown
6. Opt-Out
7. Default
1. One segment for each unique compliance process
2. Group consistent processes together

51. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default
OPs Process Approach
1. Unsubscribe
2. Double Opt-In
3. Opt-In
4. Other
5. Unknown
6. Opt-Out
7. Default
1. One segment for each unique compliance process
2. Group consistent processes together
3. Always have Other and Unknown

52. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default
OPs Process Approach
1. Unsubscribe
2. Double Opt-In
3. Opt-In
4. Other
5. Unknown
6. Opt-Out
7. Default
1. One segment for each unique compliance process
2. Group consistent processes together
3. Always have Other and Unknown
4. Know what process Other/Unknown/Default should fall into

53. The Segmentation
Legislative Approach
1. Embargoed
2. GDPR
3. CASL
4. Australian Spam Act
5. Other
6. Unknown
7. CAN-SPAM
8. Default
OPs Process Approach
1. Unsubscribe
2. Double Opt-In
3. Opt-In
4. Other
5. Unknown
6. Opt-Out
7. Default
1. One segment for each unique compliance process
2. Group consistent processes together
3. Always have Other and Unknown
4. Know what process Other/Unknown/Default should fall into
5. Sort by importance

54. Segmentation Fields
Safer fields to use
• Inferred Country (IP address)
• Country (form selection)

55. Segmentation Fields
Safer fields to use
• Inferred Country (IP address)
• Country (form selection)

56. Segmentation Fields
Safer fields to use
• Inferred Country (IP address)
• Country (form selection)
Riskier fields to use
• Account Billing Country (account)
• Account Shipping Country (account)

57. Segmentation Fields
Safer fields to use
• Inferred Country (IP address)
• Country (form selection)
Riskier fields to use
• Account Billing Country (account)
• Account Shipping Country (account)

58. Segmentation Fields
Safer fields to use
• Inferred Country (IP address)
• Country (form selection)
Riskier fields to use
• Account Billing Country (account)
• Account Shipping Country (account)
*Be mindful of enrichment!

59. Segmentation Field Priority
Prioritize One FieldPrioritize ANY Field

60. The Ideal Program Components
1. Fields
2. Segmentation

61. The Ideal Program Components
1. Fields
2. Segmentation
3. Program
Source:
https://media.giphy.com/media/H6KusZ8pzxtyymblnE/giphy.gif

62. SCRIM Methodology
Scalable - The solution will work equally well at 10x, 100x or 1000x the current volume.
Clear - The solution is clearly marked and what is happening can be easily understood by
anyone in the system.
Robust - The solution can be tweaked or modified in the future as needs change without
being entirely scrapped.
Intelligent - The solution reports on its own effectiveness with proactive exception reports
and comprehensive logic.
Modular - The solution is broken down into smaller components that interact together, to
future-proof the larger system and allow for reordering as needed.

63. Campaign is Requested

64. DEMO TIME!
To see full demo, please
refer to recorded session

65. Transitioning to Ideal Program

66. Steps to Migrate to New Program
• Build program skeleton
• Meet with legal/sales leadership
• Demo the program
• Discuss current process
• Ask if there are any needed changes to current process
• Build new fields
• Configure program
• Review configured program and all flows with legal/sales
• Migrate legacy data into new fields
• Discuss how missing data will be addressed
• Enable new program/disable existing
• Monitor records running through program

67. Thank you

68. What’s Next
• Follow-up email with recording
• Save the date, September 8, 2020 for MOPsCON
• Discount code for MOPsCON 2020 for all attendees
• Join the MOPsPROs Slack group
• Feel feel to contact us at Mopspros@etumos.com with any
other questions