Expanding into international markets can ensure success and longevity for your business, yet many businesses are reluctant to reach out to international markets for various reasons. Fear of failure to comply with data privacy laws is just one. It is true that data privacy laws are growing increasingly stricter. The good news is there is still plenty of room to advance international marketing initiatives and remain compliant with data privacy laws across the globe.

The Need to Act Now

Now is the time to ensure your marketing is in line with new data privacy laws. The balance between commercial interests and rights to privacy and data protection for data subjects (the person whose information is being collected) is tipping in favor of the data subjects. Enforcement efforts are growing more vigorous as local governmental agencies are given more power to assess heavy fines and penalties. It’s also important to remember that as the laws change in favor of privacy, existing marketing opportunities may disappear or become less cost-effective, since compliance will require significant additional resources.

Creating a Data Privacy Policy

A data privacy policy must be a core fixture of any e-commerce website. The data privacy policy should follow these general guidelines: 

  • It should be easy to find.
  • It should be written in clear language.
  • It should avoid vague and broad phrases regarding how personal information collected by the site will be used.
  • It must describe how the data subject can opt-in (give consent to collection) and/or opt-out (not receive any further emails).

And, more recently, data protection regulations are requiring the data privacy policy to set out the notification process in the event of a breach.

Register Your Data Privacy Policy

Once the data privacy policy is available for review by current or potential customers, your marketing initiatives must be reviewed to ensure the activities will not conflict with data privacy laws in your target market. An agreement is in place between the U.S. and the EU and the U.S. and Switzerland called the Safe Harbor Agreement. Once companies have self-certified, they are deemed to be in compliance with EU data privacy laws. Registration that your data privacy policy complies with the Safe Harbor Agreement is all it takes to self-certify. This is an important step in avoiding the data privacy hurdles that can put an end to your marketing efforts.

Direct Email Marketing from In-House or Vendor Lists

Use of email marketing lists can be a great way to reach potential consumers in new international markets. There are currently no specific restrictions on the use of such lists, provided that there is a mechanism allowing the recipient to opt out of receiving further emails. Many jurisdictions, including the EU, require that direct mail list participants must have consented to the transfer of their personal information to other commercial businesses. Choosing a reputable direct mail list vendor is of primary importance. Ultimately you will be responsible for the use of the personal information taken from the list.

Direct Marketing from Public Sources

Personal information obtained from publicly available sources may also be used in marketing initiatives, including direct marketing campaigns. Anonymized information —information from which a specific individual cannot be identified (for example targeting an ad to all those people who live in greater London) — may also be integrated into your marketing programs provided it cannot be de-anonymized by combining with other unique identifiers that could then be used to identify a specific person. It is important to update direct mail lists regularly, remove consumers who have made an opt-out selection, and update remaining mail list participants with any new information.  Otherwise, local data privacy regulatory bodies may assess fines and penalties.


Another useful marketing tool is cookie-based ad-tracking. Cookies provide user profiling and website tracking data, which can include personal information entered by data subjects in forms and registration pages. The use of cookies, however, is becoming more strictly scrutinized than any other marketing tool. New regulations now require the data subjects be notified when cookies are being utilized. Some companies have gone so far as to notify users that cookies are being used on the site and that remaining on the site will be deemed consent by the data subject to collection of information. This practice is not strictly legal, and in many countries consent obtained in this manner will be invalid, increasing the risk of attracting fines and penalties.


Any marketing activities that collect protected personal information must include a notice that the information is being collected, the purpose for the collection and, of course, provide a mechanism to opt out of receiving further emails. Include this notice each time direct marketing emails are sent to ensure future compliance, and once again, maintain an updated list, removing those who have made the choice to opt out. When preparing the notice, use clear and easily understandable language to describe the use that will be made of personal information, and avoid broad and overly vague statements. Don’t hide the opt-out choice.

Sending direct marketing to recipients that have made an opt-out choice may cause harm to your brand and reputation. A recent survey indicated that 43% of respondents cite fear of reputational damages to their brand as the major reason for complying with data protection law.

Data Transfer and Privacy Across Borders

Be aware of data protection regulations regarding transfers of personal information across borders. In most cases, transfers of protected personal information are only allowed if a transfer is made to a country with data protection laws that meet minimum requirements set by the country in which the data subject resides and the data subject consents to the collection and the transfer. If you intend to use a cloud provider or other vendor to assist with your marketing efforts, beware that those vendors located in countries with lax data privacy laws will not likely meet the required minimum thresholds.

With a little thought and careful planning, international marketing initiatives can produce successful results regardless of the constraints and compliance measures dictated by data protection laws.

Rather than accept the risk of noncompliance, let us remove that dark cloud of noncompliance and help your team achieve compliance with international data privacy laws today.

Skip to content