Privacy & Compliance Archives - The Spot
https://thespotforpardot.com/category/pro-tips/privacy-compliance/
A home for marketers on Salesforce to shape the future together

How to Create Marketing Cloud Consent Records with a Record-Triggered Flow
https://thespotforpardot.com/2025/02/21/how-to-create-marketing-cloud-consent-records-with-a-record-triggered-flow/
Fri, 21 Feb 2025 14:09:40 +0000


Managing consent records in Marketing Cloud on Core (aka Marketing Cloud Growth or Advanced Edition) has raised many questions. While most agree with the concept of consent, generating individual consent records each time a sales team member adds a new lead in Salesforce can be tedious. I’ve been asked many times if I could just create a flow to add consent when new leads are created. The answer is “Yes” and here’s how you can do it too. 

Disclaimer

I’ve been called a marketer, consultant, and Salesforce Admin over my career, but I’ve never been called a lawyer. Privacy policies and opt-in requirements vary from country-to-country and even state-to-state. Before implementing this solution, consult with your legal team to ensure that you are in compliance with your organization’s legal requirements.

Consent Fields

Before creating consent records, we first need to understand the requirements. When doing a consent import, the following fields are captured in the wizard and through the import template. This process is very simple and the magic happens behind the scenes.

  • Channel – Communication delivery method (Email or SMS)
  • Communication Subscription – The individual subscription name (ex. Newsletter)
  • Consent Status – Indicates whether an individual has “Opted In” or “Opted Out” at the subscription level.
  • Email – Email address of the individual captured on the consent record.
  • Consent Date – The date/time that consent was captured.
Screenshot of the import consent data screen in Marketing Cloud

When digging in a bit more, I found a field named Communication Subscription Consent Id. This field combines the email address and the Communication Subscription Channel Type Id with “#” between them to create a new field. This field is the key to creating a consent record.

Example

Communication Subscription vs. Communication Subscription Chnl Type Id

It’s important to know the difference between these fields and where to find them. When creating your Communication Subscription Consent Id field in your flow, you’ll need to be sure to use the correct value.


The difference between these fields is that Communication Subscription Chnl Type Id references the email subscription and the channel. Communication Subscription is channel agnostic and only references the subscription.

Example

  • Communication Subscription – 0XlHs00000111ZZKAY
    • Refers to the Newsletter subscription
Screenshot in Marketing Cloud highlighting the Communication Subscription ID in the URL.
  • Communication Subscription Chnl Type Id – 0eBHs00000111n0MAA
    • Refers to the Newsletter subscription and email channel
Screenshot in Marketing Cloud highlighting the Communication Subscription Chnl Type ID in the URL.

You can find these values by creating a Salesforce report using the Communication Subscription Channel Type report type. You’ll see one record for each subscription and channel. In this example, I have four subscriptions on my preference page as I’m just using the email channel. If the SMS channel was in use, there would be 8 records.

A screenshot showing the New Report of the Communication Subscription Channel Type

Both of these values are going to be needed when creating your flow, so make a report in your org and be sure to save it. You can also view these values by accessing the records from the Communication Subscriptions and Communication Subscription Channel Types objects if you prefer.

Record-Triggered Flow Build

We’re finally to the fun part. But before we get started, consider a few questions.

  • Which object should trigger the flow?
  • When should the flow trigger?
  • What entry conditions should be used?
  • Are there any countries or states where double opt-in is required?

Start Element

I want my flow to only run when new leads are created. I also want to exclude leads that were created from a form submission. Marketing Cloud on Core forms require a consent element, so we don’t need to update these leads. Your start criteria will differ based on your needs.

A screenshot of the start element of the Flow.

Scheduled Path

Record-triggered flows can’t execute actions that make external callouts in a path that runs immediately. You can address this by adding a scheduled path with a slight delay. My path has a 1-minute delay from when the lead was created.

A screenshot of configuring the scheduled paths

Decision Element

I did not exclude countries that require double opt-in from my start element intentionally. I decided to let them enter the flow and use a decision element to route them down a second path. The idea is that I can later add an action to send a transactional email to these leads encouraging them to update their subscription preferences.

A screenshot of the decision element of the Flow.

Action Elements

Salesforce set us up for success by including the MessagingConsent.MessagingConsent action. All we need to do is configure it correctly and our consent records will be created. Like consent imports, you’ll need an action for each of your subscriptions by channel.

When configuring actions, you’ll need to set values for the inputs below.

  • CommunicationSubscriptionChannelType*
    • This is the id that relates to the communication subscription and channel.
  • ConsentCapturedDateTime
    • Date/time that consent was captured.
  • ConsentId
    • This is the concatenated field that we discussed earlier that includes the email address and the Communication Subscription Channel Type Id. 
  • ConsentStatus
    • Set value to OPT_IN or OPT_OUT.
  • ContactPointValue
    • The email address of the triggering record.
  • Name*
    • The communication subscription (id) from the report that we created earlier. This is the id that relates to the subscription only (does not include the channel).

*Note: You can create consent records without these values, but I prefer to include them to more closely resemble the records created from consent imports.

Formula Resources 

Next, we need to generate the consentid field that will be needed in the action elements. This can be done using a formula to generate the value using the email address (of the triggering record) and the Communication Subscription Chnl Type Id. You’ll need one resource per Communication Subscription Chnl Type Id.

Example Formula

  • {!$Record.Email} & "#" & "0eBHs00000111n0MAA"

A screenshot of a formula being set up to generate the consentid field that will be needed in the action elements

Configured Action Element

Here’s an example of an action element that has been fully configured.

A screenshot of the Configured Action Element of the Flow.

Final Flow

Here’s a look at the final flow. 

A screenshot of the end product of the Flow.

Testing

After activating your flow, create a new lead in Salesforce. Upon creation, the consent values will be set to Opt Out. After a few minutes (allowing time for the scheduled path to run), verify the consent record was created by viewing the Communication Subscription Consent DMO in Data Explorer in Data Cloud.

A screenshot of the Data Cloud Data Explorer Objects.


Once the data from Data Cloud syncs back to the lead record, the consent values will be updated to Opt In in the Privacy Consent Status component.

A screenshot of the privacy consent status component with the consent values updated to Opt In

Respect Consent & Be Responsible  

The best practice recommendation is to create consent records using the consent element on form-triggered flows or by completing consent imports. While these recommendations make sense, generating consent records for individual records created by users can present challenges.

Record-triggered flows offer a good solution for automating consent records, but organizations must ensure compliance with regional, state, and company legal requirements. When in doubt, err on the side of caution and prioritize transparency in consent management.


©2025 The Spot. All Rights Reserved.

Using Account Engagement (Pardot) in a Global Market
https://thespotforpardot.com/2023/03/22/using-account-engagement-pardot-in-a-global-market/
Wed, 22 Mar 2023 17:02:18 +0000


In today’s international and digital business landscape, modern marketers often coordinate messaging and strategy across multiple countries or regions. Luckily, Marketing Cloud Account Engagement (Pardot) is an ideal tool to support those types of global marketing strategies. That’s because it enables marketers to find a balance between global coordination and initiatives that reflect the challenges and regulations of local markets. 

Here are functions and customizations in Marketing Cloud Account Engagement that support an international marketing strategy.

Crossing Language Barriers

One of the most important considerations for an international marketing strategy is delivering high-quality, localized content in the local language, so that language is not a barrier to engagement.

Enable international users in a single Marketing Cloud Account Engagement instance

Administrators and individual users within Account Engagement can control the time zone, language and data formats in which the user interface (UI) is displayed. 

Languages and locales currently supported:

  • English
  • Japanese
  • German
  • Spanish
  • French

This can be configured by an Account Engagement admin upon creating a user record. Go to Account Engagement Settings > User Management > Users.

Individual users can control their language and locale settings under Account Engagement Settings > Account Engagement > My Profile.

Marketing Asset Creation

While the user interface is limited to languages supported by Salesforce, all marketing assets in Account Engagement can be developed and customized in any language. For the most part, this just involves typing/inserting content in the language desired, but the following points detail areas where advanced customization is necessary to change the display language.

Form error message

The native form error message for missing required fields in Account Engagement displays in English by default: “Please correct the errors below.” This cannot be customized within the form creation wizard; it must be customized within the layout template.

To update, navigate to the layout template used by the form (Content > Layout Templates). Navigate to the form tab and replace the message after %%form-if-error%% with the desired text. 

The structure may not exactly match the included screenshot if you are using a layout template that significantly differs from the default. Use this reference for Layout Template Form Code to determine what components may need to be updated.

Encoding special characters

You may encounter situations in which characters display incorrectly when importing data to Account Engagement. To ensure all characters display correctly, you have to use UTF-8 encoding.

Always confirm any exported data is edited and saved using UTF-8 encoding to ensure data is not improperly overwritten. To edit data with UTF-8 encoding in Excel, for example:

  1. Export CSV data from Account Engagement
  2. Navigate to Data > From Text (Get External Data) in Excel
  3. Select the CSV export, and choose “Delimited” and File Origin > “Unicode (UTF-8),” then “Comma” to open the data with correct formatting in Excel

Any custom layout templates developed for Account Engagement landing pages should also be sure to use UTF-8 encoding. Set the below meta tag in the <head> section of the layout template so any special characters render correctly.

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

Unsubscribe and Email Preference Center Pages

Account Engagement only allows for one global unsubscribe page, which can limit the feasibility of supporting multiple languages or unique messaging on the page. However, the suggested way to allow recipients to manage communication preferences is the email preference center (EPC) feature, which enables recipients to choose specific segments they would like to be included or excluded from, in addition to universally unsubscribing. 

Multiple EPCs can be set up under Account Engagement Email > Preferences Page, so customization to language and included distribution lists can be made per language. 

To ensure the correct email preference center is included in different language emails, insert a link, choose “Email Preference Page,” and choose from the list of available pages.

Learn about other customizations that can be made to Pardot unsubscribe and email preference pages.

“Not you?”/Form Reset Link

In the form creation wizard, under 3. Look and Feel > Advanced, is a handy setting to enable a link that allows viewers to reset Account Engagement pre-population and dynamic form functions, in case it is pre-populated with the wrong information (which may be the case due to shared devices, etc.) However, similar to the form required field error message discussed above, this only renders in English by default, in the format “Not Name? Click here.”

To resolve this, another layout template update is required. Insert the following script between the opening and closing <head> tags in the “layout” tab of the desired layout template.

<script type="text/javascript" src="/js/jquery/jquery.min.js"></script>
<script type="text/javascript">
// Replace the default English "Not ..." and "Click Here" strings
$(document).ready(function () {
  var span = $('span.description');
  // Only rewrite the text when the reset link is actually rendered on the page
  if (span.length) {
    span.html(span.html().replace("Not", "Desired Replacement for Not"));
    span.html(span.html().replace("Click Here", "Desired Replacement for Click Here"));
  }
});
</script>

International Privacy and Data Management

With growing international business also comes the need to manage compliance with the various data protection and privacy laws in place across your target markets. It’s important to consult with your company’s legal counsel to ensure understanding of the regulations across various jurisdictions. Fortunately, Account Engagement includes a variety of features to enable and enforce compliant data collection and protection.

Tracking Cookies

Account Engagement uses a combination of third and first party cookies to track visitor web behavior and build a profile of data on prospects in your database. To customize how cookies behave and allow visitors to opt-out of tracking, you can:

  • Enable first-party cookies and disable third-party cookies under Account Engagement Settings > Account Settings
  • Honor “Do Not Track (DNT)” headers by enabling the setting under Account Engagement Settings > Account Settings
  • Customize Account Engagement cookie duration via Account Engagement Settings > Account Settings
  • Display a banner requesting tracking opt-in in some or all countries via Account Engagement Settings > Domain Management > Edit Tracking Opt-in Preferences
  • Utilize the Tracking and Consent API to integrate with other systems and create custom solutions

Communication Preferences

Many regulations require that explicit and informed consent be collected before a recipient can be emailed marketing materials, as well as allow recipients to revoke that consent at any time. Some industries also require detailed records of communications sent. Account Engagement enables this via:

Additional permission-based marketing resources: 

Data Security

Data stored in Account Engagement is kept securely to meet international data processing regulations, along with strict user login requirements. 

Here is documentation from Salesforce on these practices:

Other Resources from The Spot on Managing Global Compliance

What’s Next 

Need help finding the right mix of Account Engagement solutions to meet your localization and compliance requirements? Reach out to the team at Sercante to get help customizing features and content in your org and enable your global team. And leave us a comment below to let us know any tips or tricks you’ve picked up for managing international teams with Account Engagement!

Pardot Marketing Data Sharing Rules: Prevent Duplicates in Salesforce
https://thespotforpardot.com/2022/11/30/pardot-marketing-data-sharing-rules-prevent-duplicates-in-salesforce/
Wed, 30 Nov 2022 19:28:33 +0000


You’re a responsible marketer and adhere to the Salesforce Marketing Cloud Account Engagement (Pardot) Permission-Based Marketing Policy. You’ve enabled Marketing Data Sharing (MDS) rules to ensure that prospects who have not opted-in are not syncing to Pardot. Now you get a call from your Salesforce Admin about Pardot creating duplicates in Salesforce.

In this post, we’ll discuss how you can remain compliant AND prevent unintentional dupes in Salesforce.

Let’s start at the beginning

Most sales organizations use tools like Clearbit, Lusha, or ZoomInfo to research companies, find new contacts, review intent data, or enhance data. 

These are perfectly valid use cases and can be very beneficial to organizations. However, the problems start when marketing begins emailing these records through Pardot.


What’s the problem? The email addresses are valid.

Salesforce has a Marketing Cloud Account Engagement Permission-Based Marketing Policy that strictly prohibits the sending of emails to customers or prospects who have not expressly opted-in to receive them. 

Our customers certify that they will not use rented, traded, or purchased lists, email append lists, or any list that contains email addresses captured in any method other than express, customer-specific opt-in when using our system to send emails.

Sending emails to acquired records is a clear violation of the permission-based marketing policy and can result in the suspension or termination of your account. I’d hate to be the person responsible for that!

What’s a marketer to do?

Verify your connector preferences

The first thing is to understand your connector settings in Pardot. Most accounts will be configured to automatically create prospects in Pardot if they are created as a Lead or Contact in Salesforce. This means that ANY lead or contact created in Salesforce from ANY source is going to end up in Pardot and could unknowingly be emailed by your marketing team. 

Limit record entry with Marketing Data Sharing Rules

MDS is the safest way to make sure that data does not enter Pardot (Here’s a great post on MDS if you have questions – Pardot Marketing Data Sharing: Tips, Gotchas, and Setup). You can restrict which leads, contacts, opportunities, or custom objects sync to Pardot. The intent of MDS is to control the data that can be seen by the Pardot connector. The issue is that MDS does this job a little too well and this can result in duplicate leads being created in Salesforce.

MDS and duplicate records

Hold up a minute! Are you telling me that by doing the right thing, I could actually create duplicates in my Salesforce org? Yep.

Here’s the rub. Before creating a lead or contact in Salesforce, Pardot undergoes a series of checks to see if the prospect is in Salesforce already. The intent is to identify matching records and not create duplicates. Since MDS limits the visibility of the connector, Pardot is not able to find prospects who might be in SFDC from a source deemed “not marketable” if they visit your site and complete a Pardot form (for example).

For reference here are the checks performed by Pardot before creating a lead or contact in Salesforce.

  • Is there a lead or contact with a matching CRM ID?
  • Is there a contact with the same email address?
  • Is there a lead with the same email address?
  • Is the prospect assigned to a user in Pardot?

Here’s how we addressed this issue for one of my clients

Don’t activate MDS

It’s important that MDS is not activated in this solution. We want the prospects to sync from Salesforce to Pardot. We’re going to use custom fields and automation rules to make sure that we remain compliant and don’t create duplicates in Salesforce.

Create custom fields

The first step involves creating several custom fields in Salesforce and Pardot. We created first touch and last touch fields to capture the needed information on leads and contacts. In this case, we used Lead Source Detail and Lead Source Detail Most Recent.

  • Lead Source Detail – This is a FIRST TOUCH field that identifies the specifics of where the lead originated (ex. ZoomInfo).
  • Lead Source Detail Most Recent – This is a LAST TOUCH field that identifies the specifics of the most recent source that drove the prospect to your site (ex. LinkedIn).

Map data to your custom fields

We’re going to stick with the ZoomInfo example here since I see this product used in a lot of organizations. When setting up your CRM Integration in ZoomInfo, you have the ability to map fields for your Account, Contact, and Lead Objects.

In this case, we mapped Lead Source (standard field) and the two custom fields that we created. We also set fixed values for each.

Based on this configuration, any new records added from ZoomInfo into Salesforce will have the fixed values specified. This is super important.

Automation Rules

Remember the Pardot prospect mailability upgrade that took place with the Winter ‘22 release? We’re going to take advantage of it to make sure that we comply with the Marketing Cloud Account Engagement Permission-Based Marketing Policy. Don’t remember the changes? No problem – check out this post “Are You Ready for the Pardot Prospect Mailability Upgrade?” from Erin Duncan.  

Automation Rule #1 – Set Do Not Email to TRUE 

This automation rule will look for prospects in Pardot where Lead Source Detail and Lead Source Detail Most Recent equal “zoominfo”. This lets us know that the prospect was added into Salesforce from ZoomInfo, synced to Pardot, and that the person did not opt-in. As a result, we’ll mark the record as “Do Not Email.”

Automation Rule #2 – Set Do Not Email to FALSE 

This automation rule will look for prospects in Pardot where Lead Source Detail is “zoominfo” and Lead Source Detail Most Recent is NOT “zoominfo.” This will show us that the person interacted with our marketing and is eligible to be emailed. It goes without saying that we only want to “activate” prospects who have given permission for us to email them. The Lead Source Detail Most Recent field can be updated using completion actions or UTM parameters from URLs (that’s another post).

The short and sweet summary

This solution allows records added into Salesforce (that have not opted-in) to sync to Pardot. Automation rules in Pardot update the “Do Not Email” field based on Pardot interactions and opt-in status. This ensures that prospects who did not previously opt-in are updated correctly when they do opt-in and that no duplicates are created in Salesforce.

Let’s play by the rules AND not create duplicate records 

Based on how your organization uses tools like Clearbit, Lusha, or ZoomInfo and the volume of records added to your Salesforce org, MDS might be the best solution for you. However, if a high volume of records is being added into Salesforce, I would recommend that you give this solution some consideration. The chances of duplicates being created in your system grow exponentially based on the number of records being added from external sources.


If you have any questions about this solution, MDS, or anything related to Marketing Cloud Account Engagement or Marketing Cloud Engagement, contact us with your questions.

7 Marketing Cloud Security Tips for a Hybrid Work Environment
https://thespotforpardot.com/2022/06/28/7-marketing-cloud-security-tips-for-a-hybrid-work-environment/
Tue, 28 Jun 2022 20:44:08 +0000


You can keep your free snacks and ping pong tables. If we’ve learned one thing from the pandemic, it would be that employees really want the ability to work remotely — at least part of the time. While organizations have become more accepting of this new reality, IT departments are facing security challenges.  

In this post, we’re looking at Salesforce Marketing Cloud security best practices for hybrid and remote work environments. We’ll review some of the security settings in Marketing Cloud that will allow your remote employees to work safely and take some of the stress off of your IT team.

Marketing Cloud security for remote and hybrid work models

Since the onset of the pandemic, the number of remote workers has grown exponentially and the hybrid work model is becoming the new norm. A 2021 McKinsey & Company survey found that 52% of workers prefer a more flexible working model moving forward. And listening to those wishes is helping many employers to avoid the effects of the Great Resignation at their companies.

Luckily, Marketing Cloud is built with security in mind and it can be configured to allow your employees to work securely — wherever they may be. 

Let’s take a look at some ways you can protect your data in addition to using multi-factor authentication (MFA).

Security Tip #1: Limit the Data in Salesforce Marketing Cloud

Salesforce Marketing Cloud is not a data warehouse. So don’t treat it like one. 

When bringing data into SFMC, ask yourself how it will be used for segmentation. If data will not be used for segmentation, don’t import or sync it over. Data like credit card numbers should NEVER be stored in Marketing Cloud.

Special attention also needs to be applied when handling Personally Identifiable Information (PII). The Department of Homeland Security defines PII as:

As any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.

Linked PII is information that can be used by itself to identify an individual (ex. Social Security number) and linkable PII is information that can be used in combination with other information to identify an individual. Depending on the type of data in your account and the industries you serve, additional security measures like data at rest encryption, field level encryption and tokenized sending might be necessary.

Security Tip #2: Control Access with Marketing Cloud Business Units

Even before creating users, I like to see how organizations are structured. If your organization operates in several regions, all users might not need access to all the data. The best way to secure data is to not grant access to it in the first place!

This is where business units come in. Business units in Marketing Cloud allow you to control access to information by creating a hierarchical structure. They also allow you to control branding elements including email display name, email reply address, and physical mailing address at the business unit level. You can even control the settings to allow unsubscribe at the business unit level or the enterprise.


Business units don’t have to be limited to geography. Your hierarchy can be built based on your unique needs. Building a hierarchy based on products is a great use case.

Note: Business Units are available in Enterprise and Enterprise 2.0 accounts.


Security Tip #3: Provide Users with the Correct Access Based on Need

Now that we’ve established our hierarchy and determined where users should be included, the next question is access level. Let’s start by talking about the differences between roles and permissions.

  • Permissions are micro-level security.
  • Roles are macro-level security.
    • They are a collection of permissions.

Permissions in Marketing Cloud are very granular. For this reason, the good folks at Salesforce have included default roles within Marketing Cloud based on common needs/scenarios (similar concept to the default user roles in Pardot). These are divided into Marketing Cloud and Email Studio Roles. I would highly recommend using these roles and limiting the creation of custom roles.

| Marketing Cloud Role | Description |
| --- | --- |
| Marketing Cloud Administrator | This role assigns Marketing Cloud roles to users and manages channels, apps, and tools. |
| Marketing Cloud Viewer | This role views cross-channel marketing activity results in Marketing Cloud. |
| Marketing Cloud Channel Manager | This role creates and executes cross-channel interactive marketing campaigns and administers specific channels like Email Studio. |
| Marketing Cloud Security Administrator | This role maintains security settings and manages user activity and alerts. |
| Marketing Cloud Content Editor/Publisher | This role creates and delivers messages through applicable channel apps. |

| Email Studio Role | Description |
| --- | --- |
| Administrator | Access to all Email Studio functions including Setup, email creating, and creating data extensions. |
| Content Creator | Access to all content, shared folders, and tracking in Email Studio, but no access to data or administrative features. |
| Data Manager | Access to everything in Email Studio except email content. |
| Analyst | Access to tracking features in Email Studio. |

Marketing Cloud Roles and Permissions

When assigning roles to users, you should always start with the lowest level that permits the individual to do their job. I’m always amazed when I log into an account for the first time and see all users have the Marketing Cloud Administrator and Administrator roles assigned. There’s simply no reason for this. I generally like to have two admins in an organization. It’s always good to have a backup in the event of an emergency!

It’s also worth noting that SFMC defaults to the most restrictive value when multiple roles are assigned to a user. For example, if a user was assigned the Content Creator, Marketing Cloud Channel Manager, and the Marketing Cloud Viewer roles, they would not be able to send an email. This is due to the fact that the Marketing Cloud Viewer is the most restrictive of the three roles and does not permit email sending.

It’s very possible that the same user will have access to multiple business units, but perform different functions in each. That’s perfectly fine and SFMC has you covered. Roles can be assigned at the business unit level so the same user could have admin access in one and view only in another. This is very handy and should be utilized if users don’t need full access to all the BUs that they are part of.

Security Tip #4: Follow Login and Password Best Practices

Marketing Cloud allows admins to set security policies very easily within the Security Setting under Setup. However, I’m really surprised by how often I see accounts where the standard Salesforce recommendations are not followed. Take a minute to audit your account to ensure that it complies with the recommended account settings from Salesforce listed below.

| Field | Recommended Setting |
| --- | --- |
| Session Timeout | 20 minutes |
| Login Expires After Inactivity | 90 days or less |
| Invalid Logins Before Lockout | 3 |
| Count Invalid Logins Across Sessions | Yes |
| Minimum Username Length | 8 characters |
| Minimum Password Length | 8 characters or more |
| Enforce Password History | 8 passwords remembered |
| User Passwords Expire In | 90 days |
| Send Password Change Confirmation Email | Enable |
| Enable Audit Logging Data Collection | Enable |

Security Tip #5: Limit Logins by IP Address

The Restrict Logins by IP Address (IP Allowlisting) setting allows you to define a list of IP addresses that can access your account.

This feature is optional and is set to Off by default, but can quickly be activated under Setup > Security Setting > Username and Logins. When activating, you’ll have the option to log non-allowed IP addresses and permit access or log non-allowed IP addresses and block access. Don’t forget to add IP addresses to your allowlist under Setup > Security > Login IP Allowlist if you choose to use this feature. 


Security Tip #6: Limit Exports

Ask yourself this simple question…

Does this user need to extract data from SFMC to do their job?

If the answer is “no,” then don’t allow them to export. It’s that easy!

Data extracts are a security risk that I see in most accounts. While data in the hands of a user can be risky, the real concern is data sitting on a computer that is not properly secured. Once the data leaves SFMC, all bets are off. This is a huge risk with remote workers. Let’s mitigate this risk by limiting exports.

Data can be exported from SFMC using Data Extract activities in Automation Studio, from tracking in Email Studio, and from reports in Analytics Studio. While some reports can be viewed onscreen or downloaded as PDFs, email and file transfer locations are the primary ways that data is exported. 

Email Export 

Your data is sent from SFMC via email. This is pretty scary, but can be controlled with Export Email Allowlists. The email allowlist includes individual email addresses or domains that are authorized to receive email exports from your account.

Export Email Allowlists must be activated in your SFMC account by first selecting the Enforce Export Allowlist in Security Setting. You will then need to specify the individual email addresses and domains that are authorized to receive email exports within your Export Email Allowlist (Setup > Security > Export Email Allowlist).

File Transfer Locations 

Marketing Cloud also makes use of file transfer locations to import and export data. The most common location is the Enhanced FTP Account, but you can also add additional locations under Setup > Administration > Data Management > File Locations.

To access data from the Enhanced FTP Site, users must log in. Access to the data can be controlled by limiting users and not sharing login credentials. Marketing Cloud allows up to 10 FTP users per MID, so allocate them wisely! Users can be granted Read Only or Full access.

Security Tip #7: Automate and Review Audit Trails

Audit Trails in Marketing Cloud can be used to track account access and activity. Reports can be automated through Automation Studio or through REST API extracts.

Before audit trails can be exported, the following actions must be taken to enable them in your account.

  • Enable Audit Trail Data Collection under Setup > Security > Security Settings
  • Assign the Marketing Cloud Security Administrator role to the user who will be extracting the data

Once these requirements are met, automations can be created in Automation Studio to extract the access and activity logs. Salesforce recommends that audit trail data be retrieved periodically based on a rolling window.

There are a couple of things to keep in mind when creating your automations.

  • You must create a Data Extract activity and select the desired extract type (Audit Trail Access Log or Audit Trail Activity Log).
  • Data is extracted to the Marketing Cloud Safehouse, so a File Transfer activity is needed to securely transfer files to the FTP location of your choice.

The automation is pretty simple and will look like this when complete.

The Basic Audit Trails are a great place to start. They are included in your account and have a 30-day retention period. Advanced Audit Trails, which can be purchased for an additional fee, extend the retention period to 60 days and include additional data related to Email Studio, CloudPages, MobileConnect, and more. Learn more about Basic and Advanced Audit Trails.
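One way to review an extracted access log against the Login IP Allowlist from Tip #5 and the lockout threshold from Tip #4. This is an added example, not code from the original post or from Salesforce. The CSV column names, usernames, and IP ranges are constructed for illustration and do not reflect the actual Audit Trail export schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed allowlist (RFC 5737 documentation ranges) standing in for the
# entries under Setup > Security > Login IP Allowlist.
ALLOWLIST = ["203.0.113.0/24", "198.51.100.17/32"]

# "Invalid Logins Before Lockout" value recommended in Tip #4.
LOCKOUT_THRESHOLD = 3

# Constructed sample rows. The column names are assumptions for this example
# and are not the real Audit Trail Access Log schema.
SAMPLE_ACCESS_LOG = """timestamp,username,ip_address,event,result
2022-06-20T08:01:12Z,avery.admin,203.0.113.25,login,success
2022-06-20T08:14:40Z,blake.editor,198.51.100.17,login,success
2022-06-20T09:02:03Z,casey.analyst,192.0.2.44,login,success
2022-06-20T22:10:01Z,blake.editor,192.0.2.200,login,failure
2022-06-20T22:10:09Z,blake.editor,192.0.2.200,login,failure
2022-06-20T22:10:15Z,blake.editor,192.0.2.200,login,failure
2022-06-21T07:55:30Z,avery.admin,203.0.113.25,login,failure
2022-06-21T07:55:48Z,avery.admin,203.0.113.25,login,success
2022-06-21T10:00:00Z,casey.analyst,not-an-ip,login,success
"""


def parse_networks(entries):
    """Turn allowlist strings (single IPs or CIDR ranges) into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(ip_text, networks):
    """Return True only if the address parses and falls inside an allowlisted range.

    Unparseable addresses fail closed: they are treated as not allowed so that
    a malformed log value is surfaced for review instead of silently passing.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def review_access_log(csv_text, allowlist, threshold=LOCKOUT_THRESHOLD):
    """Flag logins from outside the allowlist and users with repeated failures.

    Returns a dict with:
      off_allowlist      - (timestamp, username, ip, result) for each login
                           event whose source IP is not allowlisted
      lockout_candidates - {username: longest run of consecutive failures}
                           for users whose run reached the threshold
    """
    networks = parse_networks(allowlist)
    off_allowlist = []
    streak = defaultdict(int)   # current run of consecutive failures per user
    worst = defaultdict(int)    # longest run seen per user

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event"] != "login":
            continue
        user = row["username"]
        if not is_allowed(row["ip_address"], networks):
            off_allowlist.append(
                (row["timestamp"], user, row["ip_address"], row["result"])
            )
        if row["result"] == "failure":
            streak[user] += 1
            worst[user] = max(worst[user], streak[user])
        else:
            streak[user] = 0  # a successful login ends the run

    lockout_candidates = {u: n for u, n in worst.items() if n >= threshold}
    return {"off_allowlist": off_allowlist, "lockout_candidates": lockout_candidates}


if __name__ == "__main__":
    findings = review_access_log(SAMPLE_ACCESS_LOG, ALLOWLIST)
    print("Logins from non-allowlisted IPs:")
    for ts, user, ip, result in findings["off_allowlist"]:
        print(f"  {ts}  {user:<14} {ip:<15} {result}")
    print("Users at or over the lockout threshold:")
    for user, count in findings["lockout_candidates"].items():
        print(f"  {user}: {count} consecutive failures")
```

If the allowlist is running in the "log and permit" mode described in Tip #5, successful logins in the off-allowlist results are the rows to follow up on first.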

Take Action to Secure your Marketing Cloud account

This post includes some recommendations to help secure your Marketing Cloud account with the rise in remote workers. However, it is not inclusive of all the security capabilities of SFMC. 

For more information, check out the following Trailhead modules or post your questions in the comments section. We’re here to help you succeed with Marketing Cloud! You can contact us with any questions.

Original article: 7 Marketing Cloud Security Tips for a Hybrid Work Environment

©2025 The Spot. All Rights Reserved.

GDPR and Google Analytics Updates in 2022
https://thespotforpardot.com/2022/04/05/gdpr-and-google-analytics-updates/
Wed, 06 Apr 2022 02:09:00 +0000


We marketers have pivoted our strategies to comply with GDPR in the past, but a recent court ruling may have us scrambling to change the way we use Google Analytics with European website users.

In a groundbreaking court case, the Austrian Data Protection Authority decided that the use of Google Analytics is currently violating the GDPR. The primary reason Google Analytics is violating GDPR involves personal data privacy.

As a result, it’s time for marketers to wake up and pay closer attention to how they track and report on visitor data coming from European Union (EU) countries. 

What is GDPR?

The thing we’re talking about here is the General Data Protection Regulation (GDPR).  It’s a law passed by the EU in May 2017 that creates standards for organizations that market to, track, or handle personal data from EU residents.

GDPR applies to you if you’re doing business or marketing to people in the EU regardless of where your company is physically located.

Google Analytics is currently violating GDPR

The court case that led to the realization that Google Analytics violates GDPR stems from a complaint that landed on the doorstep of the Austrian Data Protection Authority (a.k.a. Datenschutzbehörde).

Here’s how it went down.

On August 14, 2020, a Google user accessed an Austrian website called NetDoktor, which has self-serve resources for learning about health issues. The website uses Google Analytics, which means data about the user is transmitted to Google. Website users have filed 100+ complaints since then with similar GDPR violations from Google Analytics. 

The issue at hand is that sensitive data about EU website users is traveling through Google’s servers and across the pond to the US and other non-EU countries. As a result, that data is not being subjected to the privacy standards established through GDPR. (official legal response from Google here🤓)

So, in December 2021, the Austrian Data Protection Authority determined that the NetDoktor website’s usage of Google Analytics does not comply with GDPR. Other cases have come forward since that first case, which means this is something that’s here to stay.

What marketers on Salesforce need to know about GDPR and Google Analytics

If you’re a marketer using Salesforce Marketing Cloud or Tableau and you’re importing website user data through integrations with Google Analytics, then you’ll want to listen up. This is especially important if a large portion of your website users are located in a European Union country.

How to take action to stay GDPR compliant

We knew you’re a good seed. Here’s what you need to know to stay on the GDPR compliant side.

You’re already ahead of the curve if you’ve made the switch to first-party web tracking cookies. However, you’ll need to take additional steps to avoid legal action from website users living in EU countries regardless of the type of web tracking cookies you use (and we think you should switch to first-party cookies).

Verify privacy policy is up-to-date and available

Google Analytics requires all website owners using the Google Analytics Advertising features to display the privacy policy link on websites that utilize the service. And if you’re using advanced features to track website user data, then it’s likely that you’re using Google Analytics Advertising features.

Here’s what to include in your privacy policy:
  • The Google Analytics Advertising Features you’ve implemented
  • How you and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together
  • How visitors can opt-out of the Google Analytics Advertising features you use. This includes features used through Ads Settings, Ad Settings for mobile apps, or any other available means (for example, the NAI’s consumer opt-out).

Enable cookie consent on your website

Letting your website users know you’re using tracking tools to gather data from them is a great way to stay compliant with GDPR while using analytics tools like Google Analytics.

You can use a cookie consent vendor, such as OneTrust, to collect informed consent prior to dropping the tracking cookies into the website user’s browser. Cookie consent vendors make it easy for you to deliver a banner to your website visitors that collects their consent for tracking website browsing data using tracking cookies before they are activated and set.

We recommend you enable IP anonymization on your Google Analytics account to ensure you use pseudonymous identifiers. In addition, you can set the time period before the data stored by Google Analytics is automatically deleted from servers. Then, include that time period in the Google Analytics cookie banner. 

The banner you use to collect cookie consent from website users should be a simple and clear message explaining:

  • How user data is collected
  • Purposes of data collection
  • Duration of the data collected
  • Vendors and technical details

If you’re using third-party cookies, the banner should also inform users that the website uses third-party cookies for profiling purposes to provide advertising insights.

What could happen if you take no action

So, maybe you missed the memo and you haven’t done anything to address your website’s usage of Google Analytics in EU countries. Or maybe you use some other analytics tracking tool, like Heap, Matomo, Statcounter, or Adobe Analytics, and didn’t realize this probably applies to you, too. 

Well, it’s a good thing you’re here. We advise you to do two things: 

  1. Notify your legal counsel that there is a potential risk.
  2. Get ahead of the regulations. 

Violating the regulations doesn’t necessarily mean the GDPR privacy police are going to show up on your doorstep tomorrow.  It means someone could complain about your collection of their web browsing data. That complaint could snowball into a lawsuit and all the expenses that go along with it.

That’s why it’s so important for you to collect informed consent before a cookie starts collecting data from a website user who’s visiting your site from an EU country. 

Still confused by all of this? Tell us about it in the comments section. 

Everything Pardot Admins Should Know About Apple Privacy Updates
https://thespotforpardot.com/2021/09/29/everything-pardot-admins-should-know-about-apple-privacy-updates/
Wed, 29 Sep 2021 15:02:23 +0000

Apple Mail Privacy Changes for Pardot Admins

In September 2021, Apple privacy changes will start having a big impact on Pardot email marketing reporting metrics. Are you ready to pivot your reporting strategy in response to the changes?

Apple announced some big, new privacy changes in June, and that’s what sparked the changes in email marketing reporting metrics. These changes are included with the Apple software update to iOS 15, iPadOS 15, macOS Monterey, and iCloud.com. 

One of these changes, Apple Mail Privacy Protection, is getting lots of attention in the marketing operations community. That’s because of the expected impact to the email open rate metric — a key performance indicator for most marketers. However, there are multiple new changes coming with the iOS update every Pardot professional should be aware of. 

In this article, we’ll cover all three: 

  • Apple Mail Privacy Protection
  • iCloud Private Relay
  • Hide My Email

For each of these changes, we’ll share key features to be aware of plus how to get your org, team, and stakeholders ready. We know how hard these changes can be for your already-swamped team, so we’re here to help you through this. 

Respecting Apple user privacy 

Before we get started, I want to point something out. These changes are a huge win from the perspective of Apple and their users. By using this new software version, users can decrease the amount of data companies are collecting about their behavior and interests. This gives them more control over what information they share and when. 

Our job as ethical marketing professionals is to do three things:

  1. Respect our users.
  2. Treat their data with integrity.
  3. Adapt to the ever-changing technology and regulatory landscape.

So, we’ll do our best to focus on the positive aspects of the changes by providing solutions to the challenges they present.

Apple Mail Privacy Protection

Marketers using Pardot set automations based on email opens because, typically, opening an email indicates that a prospect is interested in a product or service. But, the new Apple privacy changes will skew email open rates and make it more difficult to know when Apple users actually open an email.

Apple Mail Privacy Protection (MPP) has two key features: 

  1. Open tracking prevention
  2. IP protection

Essentially, Apple iOS 15 opens the email and downloads the content when an email hits a prospect’s inbox. This prevents accurate open tracking because all emails going to Apple devices will appear to be opened in reporting metrics. 

Apple also downloads the content through a series of proxy servers. This feature is obscuring the IP address of the email subscriber. As a result, Pardot can’t report on the user’s device and behavior accurately. 

How to adjust your marketing strategy

The first thing you need to do is answer the question, “What proportion of your database uses an Apple email client?” 

Here’s how to do that:

  • Review some of your recent email sends. 
    1. Go to Pardot Reports > List Emails > Email Clients (in Pardot Lightning)
  • Add up the percentages in the “Popularity” column. This will give you a ballpark estimate of the potential impact.

Is it 10%, 25%, or 50%+ of your audience? The greater the proportion of your audience using an Apple email client, the less reliable your email open rate metrics will be after the iOS 15 update.

Conversely, the non-Apple portion of your audience provides a reliable segment for email open stats and future testing (personalization, A/B, etc.).

Questions to ask

Now that you understand the severity with which your data could be impacted, consider the following questions: 

  • Do you have any reports that include email open rate? 
  • Who views these reports? 
  • How can you proactively adjust these reports to decrease the importance of this metric? 
  • How can you communicate with your stakeholders so that they know that the open rate is no longer reliable?

Next, do a thorough review of your Pardot automations. This includes automation rules, engagement studio programs, completion actions, dynamic lists, scoring, etc. Do any of these run based on open rate? If so, develop a plan to leverage an alternative trigger like email click* or form submission.  

*I put a big asterisk next to “email click,” as this metric has been endangered for a while. Email clicks can be caused by spam filters, so be cautious when using email click as a trigger on your automations or as a key metric in your reporting. 

Ultimately, this change is a step in the right direction for marketing teams. There’s never been a better time to shift your focus from vanity metrics like open rate and click through rate to more meaningful campaign performance metrics like conversions and return on investment (ROI).

Apple iCloud Private Relay

The new iCloud Private Relay feature will be baked into iCloud. Launching as a “public beta,” this feature functions similar to a VPN, encrypting all traffic leaving a user’s device when browsing with Safari. Private Relay leverages data encryption and anonymous IP addresses that hide a user’s location and web browsing activity. 

By hiding your specific IP address, Private Relay inhibits websites from building a profile based on your activity across multiple websites and selling your data to advertisers and data brokers. 

This feature is limited to paid iCloud account users who browse with Safari and turn on the Private Relay feature. (All paid iCloud accounts will be automatically upgraded to iCloud+ as part of the update.)

iCloud Private Relay disconnects your IP address from your DNS request (website that you’re visiting), which is great news to those seeking ultimate privacy and not wanting their activity information to be sold to advertisers. Unfortunately, it also disconnects website tracking that Pardot users have in place. With temporary IP addresses assigned, website activity will be difficult to associate to a known prospect. 

This capability does not hide the prospect’s geography. That means you can still track prospect regions, and IP addresses can be identified as proxy servers.

Apple Hide My Email

The last change to know about is Hide My Email. This update allows iCloud subscribers to log into a website using a randomized email address that ties back to their iCloud account. 

If your company allows public users to generate accounts or offers free trials, you could encounter a scenario in which a user takes advantage of Hide My Email to acquire multiple free trials.  

Hide My Email is also another challenging feature for Pardot users. That’s because it is once again disconnecting essential data (a prospect’s real email address) from website activity tracking. 

This functionality will impact open rate statistics. That means you will have to shift to other metrics such as click-through rate. It will also affect marketers who use email open rates for retargeting, and those who use email open rate as a varying factor for dynamic content. So you’ll have to pivot those strategies if you’re currently using email open rates for retargeting or dynamic content variations.

Focus on reporting metrics that matter most 

It’s normal to fear what we don’t understand. And these new privacy changes may seem scary without knowing why they’re actually good news. 

All of these privacy changes will impact marketing as a whole, making it harder and harder to track email activity and then associate it with activity in other channels. It is also an opportunity for marketers to take a fresh look at current strategies and craft new ways to put prospects in control.

Here are suggestions to address the changes and adjust your marketing strategy:

  • Update your Email Preference Center to offer subscribers greater insight into the topics they already interact with and other topics that are available.
  • Seek ways to connect email clicks with omnichannel metrics that demonstrate customer engagement. This includes:
    1. Offline purchases
    2. Account activity
    3. Website visits
    4. Mobile app activity
    5. SMS engagement
  • Explore using link clicks, external activity such as webinar registrations, and other engagement signals instead of email opens as more accurate interest indicators.
  • Find ways to understand the sentiment of an email message, perhaps with a thumbs up/down action or NPS-type of question within an email.
  • Look for opportunities to link your marketing channels (email, website, social, etc.), and get the cross-connection data flowing.

iCloud Private Relay and Hide My Email — on top of third-party/first-party tracking cookie changes already afoot — necessitate creative thinking to make prospect activity connections that were once seamless.

Prospect privacy is paramount

These three Apple privacy changes are going to affect the way you currently work in Pardot. But that’s a good thing. Your prospects have more autonomy when interacting with your company through email and your website. All you have to do is adjust your strategy so you can focus on metrics that matter most rather than vanity ones.

Now that you’re better equipped to prepare for the Apple iOS 15 updates, it’s time to  formulate your game plan and switch up your marketing strategy to evolve with the changes.

You can always reach out to the team at Sercante for support while navigating it all. 

Thank you to Pam Carey and Joy Alphanso for contributing to this post.

Pardot Operational Emails: 7 FAQs on How & When to Use Them
https://thespotforpardot.com/2019/06/03/pardot-operational-emails-7-faqs-on-how-when-to-use-them/
Mon, 03 Jun 2019 19:52:58 +0000


Are you trying to send something to opted out prospects in Pardot and wondering if operational emails could be a fit? This article breaks down everything you need to know.

1. What are Pardot operational emails?

Operational emails allow you to send critical information to a prospect even if they have previously unsubscribed.

This feature is great if you send legal notices, invoices, shipping confirmations, or internal company emails out of Pardot, but it can greatly impact your sending reputation if it is used for marketing emails.

2. What is considered operational email?

Operational emails fall into two categories:

Transactional, meaning the prospect has initiated the transaction.

A few examples would be things like:

  • Shipping notices
  • Event registration confirmations
  • Order confirmations
  • Invoices

Relational, meaning the email contains critical information on how you do business with the prospect.

Examples of relational emails include:

  • Critical system changes that require prospect action
  • Terms of Service notices
  • Legally required notices
  • System outage notifications

3. All of our information is mission critical, can we send everything as operational?

With great power comes great responsibility. Use operational emails in Pardot wisely.

Remember, sending Marketing emails to unsubscribed prospects violates most SPAM laws and goes against the Marketing Cloud Account Engagement Permission Based Marketing Policy.

If you’re going to send something out as an operational email, it should contain no — as in ZERO — marketing content.

4. What is NOT allowed in operational emails?

Any email containing promotional, non-critical, or non-transactional information is considered “Marketing” and should not be included in an operational email.

Examples of marketing content include:

  • Product announcements
  • Event and webinar invites
  • Permission Passes
  • Surveys
  • Company newsletters and announcements

5. Got it. How do I enable operational emails?

This feature has to be enabled by a Pardot Admin. Once it is, it will be available for use in list emails. To enable this feature:

Step 1: Within the Account Engagement Lightning app, select the “Account Engagement Settings” tab.

Step 2: Scroll to the bottom of the screen and select “Enable Operational Emails.”

Step 3: Review the Operational email restrictions notice and click Enable. It will look something like this:

6. Who can send operational emails?

Only Pardot Admins and custom user roles can send Operational emails.

If you have access to send Operational emails, you will see this option under Basic Info when setting up a List Email.

7. What if I’m not sending as a list email — Can it still be operational?

There are a few quirks to keep in mind about how this can be used in other areas of Pardot:

  • Autoresponders sent from a Form or Form Handler will send to unsubscribed prospects.
  • Autoresponders sent from an Automation Rule will not send to unsubscribed prospects.
  • Emails from Engagement Programs cannot be sent as Operational… but you can vote for this feature to be added in the Trailblazer Community.

How are you using operational emails?

What other questions do you have about operational emails in Pardot? Are you trying to evaluate whether a specific use case is operational?

Let’s hear it in the comments!

Note: This post was updated on March 24, 2023.

#Permissiongeddon Next Steps: What Happened & What to Do Now
https://thespotforpardot.com/2019/05/20/permissiongeddon-next-steps-what-happened-what-to-do-next/
Mon, 20 May 2019 11:29:02 +0000


A lot has gone down over the weekend — and I’m not just talking about Game of Thrones.

It’s been a little crazy in the world of Pardot and Salesforce admins for the last 72 hours. Starting Friday morning, customers started reporting widespread access, performance, and permissioning issues.

The internet promptly dubbed this #Permissiongeddon — and while it’s a cute and catchy name, it’s a pretty serious issue for many of our customers.

Happy Monday, guys! While you pour yourself a cup of joe, here’s a summary of what’s transpired and where you may have a little work to do this morning.

What Happened

Salesforce deployed a database script related to the Pardot integration user that resulted in granting users broader data access than intended.

For a short period of time, ALL users in affected orgs had Modify All permissions on all objects, meaning team members and customers could view and edit things that they weren’t supposed to.

This is massively problematic for obvious reasons — so as a stopgap measure, Salesforce blocked access to all users except admins in affected orgs. And in some cases for admins too. Users couldn’t log in, or if they could, they weren’t able to edit records normally.

Who Was Impacted

This was a pretty widespread issue, and particularly so among Pardot customers. Here’s who was hit:

  • Most Pardot-enabled orgs
  • Orgs that had Pardot in the past
  • Some non-Pardot orgs that share an instance with Pardot orgs

909 people clicked “this issue affects me” on the Known Issue pages, but I haven’t seen a definitive measure of how many environments or customers were impacted by this. But in short, it’s a lot of people.

How Salesforce Has Addressed it Thus Far

Salesforce has been providing frequent updates on their progress remedying the issues. Communication channels have included trust.salesforce.com, email updates, tweets, and customer webinars. This Reddit thread, while unofficial, has also been informative.

The initial guidance from Salesforce was to restore functionality by deploying profiles & permissions via change set from an unaffected Sandbox. If an unaffected Sandbox didn’t exist, the next best course of action was to manually rebuild profiles & permissions. This isn’t a great fix, as it’s a complex and time-consuming process for admins — but for orgs where users needed immediate access, it was a better option than sitting around waiting.

On Friday night, Salesforce began deploying a script to restore permissions to their “pre-incident state.” If you or another admin made manual changes in the interim, here’s what to expect:

  • If a Profile was deleted, it will not be resurrected.
  • If a Profile was created, it will not be deleted.
  • If a Profile was UPDATED, that edited profile will be overwritten to its “pre-incident state.”

As of Saturday, Salesforce thought 89% of customers were back in the game, but continued support tickets have indicated that there are more scenarios to address.

What to Do Now

Still with me? On that second cup of coffee yet? Let’s discuss what actions are needed:

1. Check if Your Org is (Still) Impacted

For starters, check if your org is still impacted. Can you log in? If you can log in, can you edit data? If you log in as a Standard User, can you edit data?

If the answer to all three of those is yes, you’re likely in the clear.

2. Option A to Fix Permissions: Wait for Salesforce

If you are still experiencing issues and have the ability to sit tight — give Salesforce a bit more time. They have all hands on deck working on a fix.

3. Option B to Fix Permissions: Update it Yourself

If you’re still experiencing issues and it’s mission critical to get users working in the system, consider updating your profiles and permissions with the instructions previously provided.

The risk of doing this is that Salesforce will eventually finish running its script and any edited profiles will be overwritten.

4. Expect Delays in the Sync Queue & Escalate if Needed

To prevent data loss while working on the fix, Salesforce paused the sync queue with Pardot for most orgs. This is now back up and running for MOST environments with the v1 connector.

The best way to see if you’re still impacted by this is to log into Pardot and go to Admin>Connectors and click the little gear icon by your Salesforce connector. If there’s a massive number next to “sync queue,” then you’re probably frozen and should avoid any massive data updates.

If you’re paused, support CAN get the sync back up and running if you put in a ticket. You may also want to give users a heads up to expect an extra flurry of email alerts when it kicks back into gear.

5. Hang Tight on Sandboxes

The priority is getting Production environments back in ship shape. Sandbox fixes are coming, but expect it to take a bit more time.

Don’t even bother to log a case if a Sandbox is impacted. Seriously, don’t. It will get put on the back burner’s back burner.

6. Make Sure You Have a Pardot-Only Admin User Handy

While admin access to Salesforce was disabled, we were still able to get into our Pardot orgs with non-user-sync, non-SSO logins. This is a good reminder to keep at least one Pardot-Only Admin account handy for desperate times. (You also need this for external integrations anyway.)

7. Stay Tuned for More Updates

I don’t envy the comms team at Salesforce right now — this is a communication challenge like no other.

On one hand, getting people information FAST is important. But at the same time, the guidance needs to be clear and correct. Also, communicating there’s an inadvertent exposure of data isn’t a great idea until there’s a fix.

Communication channels have included in-app banner messages, trust.salesforce.com, email updates, tweets, and customer webinars. Keep an eye on those for the latest and greatest, and I’ll post updates here as I get them.

Could communication have been a little smoother over the last few days? Sure. But to Salesforce’s credit, it’s clear that they have all engineering and product eyes on this situation and that the highest levels of leadership are engaged in the response. It’s a hard job, they’re human, and they’re doing the best they can.

Questions?

What questions do you have? What else are you hearing? Did I miss anything? Please share it in the comments!

What Marketers Need to Know About the California Consumer Privacy Act (CCPA)
https://thespotforpardot.com/2018/07/06/why-california-adopted-a-mini-gdpr-what-pardot-admins-should-do-next/ Fri, 06 Jul 2018 07:29:05 +0000


I’ve had an opportunity to speak at several user groups and regional community events about GDPR, and the one question that always comes up is:

“When is this coming to the dear old US of A?”

Honestly, the U.S. has been pretty lax compared to the rest of the world when it comes to online privacy regulations.

Heck, CAN-SPAM doesn’t even require opt-in consent (although most ESPs require it of their customers.)  My response to the above question has usually been something to the tune of:

“Yeah someday… but don’t hold your breath.”

Color me surprised, though.  Last week, a bill quickly made it through the California state legislature that suggests this tide might be changing. (Quickly meaning in less than a week — this thing was fast tracked, big time.)

Why California adopted a “mini GDPR” & what Pardot admins should do next

The California Consumer Privacy Act of 2018 (CCPA) has been touted as a “mini GDPR.” It doesn’t go into effect until 2020, and you can count on all kinds of stakeholders in the business community to push back… so it may evolve in the process of being implemented.

At a high level, the law states that consumers have rights to know and control how their personal data is used. Specifically, it lays out rights of individual consumers to:

  • know whether their personal information is sold or disclosed
  • require companies not to sell their personal data
  • request that a business delete their personal information (with some exceptions)
  • be treated equally and without discrimination if they choose to exercise their CCPA-protected rights (i.e. they can’t charge you more or deny service if you assert your right to privacy)

What info is covered under CCPA

GDPR’s definition of “personal data” is sweepingly broad.  The fact that my favorite color is green is protected under that legislation.

California’s definition of personal data is also pretty darn broad.  Of course, the basics like name, email, SSN, address, etc. are covered.  Additionally, things like:

  • Browsing history
  • Sales data
  • Property ownership
  • Buying preferences
  • Advertising engagement metrics
  • …and a lot more is covered.

Any information that is de-identified or publicly accessible is NOT covered under CCPA.  The definition of info falling in this category is that which is:

“Lawfully made available from federal, state or local government records or that is available to the general public.”

An interesting twist is that the Act explicitly allows companies to:

“offer financial incentives, including payments to consumers as compensation”

…in exchange for the ability to sell their information.  Curious to see how that one plays out.

Who needs to comply with the CCPA

The CCPA covers a much smaller subset of businesses than GDPR.  First, it only applies to companies who do business in California.  Additionally, a business must meet ONE of these three criteria:

  • Grosses $25M in annual revenue
  • Holds the data of 50K or more people/households/devices
  • Makes at least half of its revenue by selling personal data

There are a series of exemptions to this as well:

  • Healthcare data governed by HIPAA
  • Consumer data covered by the Fair Credit Reporting Act
  • Info collected under the Gramm-Leach-Bliley Act (yeah, I had to Google that one. It’s a federal regulation that applies to banks and insurance companies.)
  • Anything needed to complete transactions, detect security incidents, comply with state and federal laws, conduct research, etc.

There are also exceptions for “internal” uses of data that are:

“Reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”

Wait, why do I care about California?

California tends to lead the nation in consumer protection.  The fact that they’re taking this kind of action means other states are likely to follow suit at some point.

And of course, practically speaking, 36 million people (12% of the US population) reside in California, so many businesses nationwide will be impacted.

What happens if I just ignore CCPA?

Well… it’s up to the California AG to enforce the law for the most part, but there’s a private right of action clause for certain types of breaches.  This is reminiscent of the piece of CASL that was suspended last year that allowed individual citizens to press charges against companies violating the law.

For privacy breaches, only the AG can initiate enforcement, and fines are up to $7,500 per violation.  The business has 30 days as a “right to cure” to address the issue before fines set in.

For security breaches, the AG or private citizens can press charges, and the fines stipulated are:

“In an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”

Okay, what do I have to do next?

There are 18 months before this goes into effect.  So no need to make any rash, sudden movements.  But if you’ve been on the fence about actually complying with GDPR… well, there are 36 million more people on U.S. soil that will soon be asserting similar rights.

My near-term recommendations would be to:

  • Document your practices for capturing subscribers and managing lists
  • Set up an email preference center to ensure you’re sending people things they want
  • Evaluate a double opt-in process to ensure your subscriber list is truly engaged and interested in hearing from you
  • Implement an archiving strategy to “sunset” people that aren’t engaging with you
  • Clearly communicate privacy policies (in actual English, not legalese)
  • Consider getting an attorney involved to help you understand your risk/exposure in the geographic areas where you’re doing business

A lot of the CCPA is open to interpretation and will certainly be challenged in court.  But the trend here is clear — people want to have a better understanding of how their data is used and why, and have the ability to reclaim control of how it is used.

It’s an interesting time to be in the wonderful world of marketing automation, that’s for sure.

What’s your stance on these new and somewhat vaguely defined compliance requirements?  Any reactions or opinions on the new legislation in California?

Let me and your fellow readers know in the comments!

7 Huge Lessons GDPR Has Already Taught Us About Email Marketing
https://thespotforpardot.com/2018/05/31/6-huge-lessons-gdpr-has-already-taught-us-about-email/ Thu, 31 May 2018 07:51:49 +0000


It was the best of email marketing, it was the worst of email marketing.

If your inbox is anything like mine, it’s been absolutely crushed by all this GDPR hoopla.

It’s May 30th.  The compliance deadline was the 25th.  Will the opt in emails ever stop?  I’ve gotten at least 5 today.

I thought this was supposed to mean less spam, not more.

Anyway.

One can dream.

Nobody’s gone to jail yet, but still there have been some lessons learned.

The sheer volume of missives gracing my inbox has provided ample opportunity to reflect on what good and bad email marketing looks like.  A few key insights:

1. Fun wins, all day errday.

Does being jokey about GDPR make you a bad marketer?  I vote no.

The ones that were interesting are the ones that got read.  Like this gem:

[Image: IMG_8641-1.jpg]

My favorite part of this entire email is:

“Okay so %%whoever you are%%,”

That’s one heck of a default value for no first name.

And then, the lists when you click through….

[Image: IMG_8642 (1)]

Bahaha.

Takeaway: Be different or be gone.

2. We don’t BCC people on emails.

Bless the hearts of the people at Ghostery who accidentally exposed their customers’ email addresses in the CC line of their email about how much they care about our privacy.

[Image: IMG_8696.jpg]

Seriously though, some underfunded marketer had the worst day ever, and my heart really does go out to them.

Get that guy or gal a Pardot license, dammit.

3. Yes means yes.

It’s really easy for people to say no to you.  There are a million other things competing for their time and attention.

So make it easy for them to say yes.

[Image: Zoom GDPR.jpg]

People have kind of mocked this example, but honestly, I think it’s brilliant.

People already have a way to say no – by doing nothing.  It’s quite accessible.  In fact, it’s built into everything – our subscribers and site visitors have that opportunity for inaction every day.

So when possible, how might we guide them to take action and raise their hand to indicate interest?

4. List names matter if they’re exposed in an email preference center.

Ev-er-y-thing-client-fac-ing-needs-Q-A.

Or things like this happen, y’all:

[Image: IMG_8750.png]

Seriously, people forget that MailChimp list names are exposed to users.  At least in Pardot you can specify internal and external names.

Here’s a MUCH LESS funny example from the Oakland Police Department:

[Image: IMG_8749]

Yes, they have a list that includes “NO AF AM.”  I’ll let you draw your own conclusions on what those abbrevs mean.

Also “DEMS ONLY WOMEN ONLY”?

Mmmmmkay.

5. Print media matters.

I’m kind of digging print lately.  Mail is fun.  More blogs on that later.

In the meantime, shoutout to the analog marketers sending out notices like these:

[Image: IMG_8632.png]

I’m going to use “CUZ GDPR” as the excuse for why I can’t do things from now on.

Can’t do the dishes? GDPR.

Not making dinner? GDPR.

6. Privacy concerns aren’t limited to just one channel. 

Regardless of whether GDPR functions as intended (it won’t), it’s virtually impossible to make yourself a digital ghost.

So whenever, wherever you are, be sure to proclaim your consent or lack thereof…

[Image: IMG_8606.PNG]

7. Fines are the worst.

GDPR theoretically can fine companies up to 4% of their annual revenue for violating this legislation.

The optimist in me says:

“Yay privacy!”

The pessimist in me says that this is an impossible burden for small to mid-sized companies to comply with, and it unfairly hampers competition.

It will be fascinating to see how this legislation fares in front of a judge and jury and how this evolves as cases are tried and as legal precedent is established.

The Bottom Line

GDPR is going to usher in some important changes in the way we think about digital marketing, but there’s a lot that is still open to interpretation and that will continue to develop as people get dragged into a courtroom.

[Image: IMG_8640.JPG]

In all seriousness though… if you have a question or a “what if” scenario you need help with, let’s hear it in the comments!  What have you observed from companies scrambling to comply with the law? Examples to share?
