Email Marketing Best Practices Flashcards

Question

What is best practice when you have old or inactive addresses in your mailing list?

Answer 1

Purge old and inactive addresses from your mailing lists. Don't keep names and emails that you haven't emailed in months. Don't spend money on sending emails that aren't even being opened.

Answer 2

- Deliver what you promise. Send emails at the frequency that you promised and your subscribers agreed to. - You want emails to be personal, relevant, and anticipated.

Answer 3

Most spam filters use content - or keyword - based logic.

Answer 4

- Incorporating email volume from any one sender, customer complaints into algorithms. - Function on a score basis and filter messages that rate high as spam after the characteristics of the message (content, volume, response, sender) have been reviewed using anti-spam filters.

Answer 5

- Website sign-ups - Mobile sign-ups - Single Opt-In vs Double Opt-In - Social Media - In-store promotions - Sales and Customer Service Calls

Answer 6

- Requires users to give an email address before they can create an account on your website. - Promote your online loyalty program by requiring an email address to register. - Offer users an incentive for subscribing, use a pop-up form for website visitors that reads, "Subscribe to our mailing list and get 10% off."

Answer 7

- If you have a mobile app, create an option to opt in to emails when users register for or use it. - Consider buying mobile app ads. You can use these types of ads to encourage customers to subscribers to your emails. Use with caution as this can annoy and turn off customers.

Answer 8

- Single opt-in requires a person to respond only once to opt-in for future sends - EX: Run a mobile campaign that asks users to text a keyword to a specific short code in order to opt in to a campaign. - Double opt-in requires a person to respond affirmatively and then confirm that affirmative response in order to opt in for future sends. - This is a good way to ensure that an email address is entered correctly and validated. It catches those that have typos when their email is entered originally. - EX: Ask users to send a keyword and their email address, and then open their email and confirm their choice to opt in.

Answer 9

- Promote content via any type of social media that requires an email to access. EX: Cloud Kicks advertises via Facebook. Their ad shows up in your newsfeed and you are interested in promoted product. You click the post, and it goes to their Facebook page. There, you see a link to subscribe to their monthly newsletter. This is a great way to acquire subscribers.

Answer 10

- Have sales associates ask customers for their email address during the checkout process. - Set up an in-store sign to ask customers to text a code to receive a coupon. This method combines the in-store and mobile methods for opt-in. When they text that code, ask them to send their email address along with that code.

Answer 11

Any call a customer makes to your company is a great way to collect email addresses. When customers call to speak to someone or seek help, ask for their email address. This helps service reps access the customer's account.

Answer 12

Inbound sales and service calls Sales = 71% Service = 63%

Answer 13

Website sign ups

Answer 14

- Don't force it. - Offer incentives. - Make a good first impression. - Set up a Welcome series. - Plan content carefully. - Personalize it.

Answer 15

Welcome programs can create some of the highest open and click rates of any email messaging.

Answer 16

- First, set customers' expectations on how frequent your emails are. Subscribers want to know what to expect. - Next, when crafting content, make sure to use text to convey your message appropriately when recipients' email programs block images. Ensures message is conveyed even if images are blocked. - Finally, keep in mind your content hierarchy. Place the most important and relevant information at the top of the emails so subscribers see it first. Keep important info above fold.

Answer 17

Any for-profit company that receives the Personal Information of a California resident AND meets any of the following: - Has an annual revenue of $25 million - Handles the data of 50,000 CA consumers or devices - Derives 50% or more of its revenue from selling PI

Answer 18

A business does not have to collect PI directly from Consumers for CCPA to apply. The CCPA will apply if a company meets the definition of Business even if it has no direct contact with Consumers, if it receives data from other Businesses or sources.

Answer 19

- Right to NOTICE - Right to ACCESS - Right to OPT OUT (or opt in) - Right to request DELETION - Right to EQUAL SERVIES & PRICING

Answer 20

- Consumers have the right to receive clear and transparent information about the categories and types of PI that Businesses are collecting about hem. - Businesses must inform consumers at or before the point of collection of the categories of PI that will be collected and the purposes for which these categories will be use. - Consumers are entitled to know the identify of the third parties their PI is being shared with.

Answer 21

Consumers have the right to request that a Business disclose any or all of the following: - The categories of PI collected about them. - The categories of sources from which PI is collected. - The purpose for which their PI was collected. - The third parties with which the Business shares PI - The specific pieces of PI (name, email, etc) the Business holds about a customer.

Answer 22

If a Business sells PI or discloses it for business purposes, Consumers have the right to request information about the categories of information being sold or disclosed.

Answer 23

- At any time, consumers have the right to tell Businesses to stop selling their PI

Answer 24

The CCPA allows the PI of children under 16 to be sold IF: - A child between the age of 13 and 16 affirmatively opts in, or - The parent or guardian of a child under 13 affirmatively authorizes the sale of their PI

Answer 25

Consumers have the right to request that Businesses delete their PI when such information was collected from the consumer.

Answer 26

Businesses do not have to comply with a deletion request if the business needs the consumer's PI to: - Perform a contract between the business and the consumer. - Detect security incidents. - Protect against malicious, deceptive, fraudulent, or illegal activity; or to prosecute those responsible for that activity. - Exercising free speech - Protecting or defending against legal claims - Retaining the data for internal uses reasonable aligned with the Consumer's expectations.

Answer 27

- This right does not restrict or prohibit a business from collecting PI, and it only applies after a consumer has exercised any or all other CCPA rights. - If a consumer exercises any of their rights under the CCPA, a business cannot then charge a different price or change the quality of services it provides that consumer based upon the consumer's exercising of rights under the CCPA.

Answer 28

- Honor Consumer Rights - Transparency - Disclosure - Consent - Train Employees & Staff - Ensure Vendors & subprocessors are subject to strict contracting terms

Answer 29

The CCPA requires businesses to create two or more designated methods for consumers to submit CCPA rights requests. Including, at a minimum, providing a toll-free telephone number. Additional acceptable methods for submitting requests include: - Providing a postal mailing address. - Providing an email address - Providing a link to an internet webpage or portal - Providing some other contact information whereby consumers may exercise their rights and submit a request under the CCPA

Answer 30

- Businesses have to disclose the categories of PI they collect and use before or at the time of collection. Disclosures must include the following: - The categories (types) of PI collected - The categories of sources from which PI is collected - The purpose for which the PI is collected - Any third parties that will have access to the PI - The CCPA requires that Businesses provide the above information in their public privacy or policy statement. If a business does not maintain a policy or privacy statement, they must provide the above disclosure on their website. These disclosures should be updated annually.

Answer 31

The disclosures a business provide a consumer are: - The categories (types) of PI collected - The categories of sources from which PI is collected - The purpose for which PI is collected - Any third parties that will have access to the PI

Answer 32

- The CCPA requires that Businesses engaged in activities that constitute a Sale under CCPA provide "a clear and conspicuous link on the Business' website, titled "DO NOT SELL MY PERSONAL INFORMATION", that leads to a page that allows a consumer to opt out of the sale for their PI.

Answer 33

Businesses CANNOT require consumers to create an account to opt out of selling. *** For consumers 16 years old or younger, this must be presented as an opt-in choice, not an opt-out

Answer 34

When businesses hire vendors to handle PI, the CCPA refers to these vendors as Service Providers. If a vendor qualifies as a Service Provider under the CCPA, then a written contract must be signed with the Service Provider that limits processing to the business purpose of the contract. The contract must also include, among other things, a certification from the Service Provider that it understands the restrictions and will comply with them.

Answer 35

- Businesses must make it easy for consumers to submit data access requests. - The identity of the requesting consumer must be verified to endure that sensitive information is not shared with the wrong person. After verification of identity and that the request is lawful, BUSINESSES MUST RESPOND TO RIGHTS REQUESTS WITHIN 45 DAYS and disclose and deliver the appropriate information and take the necessary action requested by the consumer.

Answer 36

One approach is to implement a RISK-BASED security program that identifies the security vulnerabilities of an organization and then takes measures to mitigate those risks.

Answer 37

- On 11/3/2020, the CPRA was approved by voters, which amends and builds upon the CCPA. - CPRA goes into effect 1/1/2023 - Creates better alignment with global privacy and data protection laws like the EU's GDPR - Businesses must comply when: - Annual revenue of $25 million dollars - Handles the data of 100,000 California consumers or devices - Derives 50% or more of its revenue from Selling or Sharing PI - Additional obligations. The CPRA adds specific provisions related , but not limited to: - Transparency (in the form of additional notice and disclosure requirements. - Audits and risk assessments. - Data retention - Contractual requirements between Businesses, Service Providers

Answer 38

- Fairness and transparency - Purpose Limitation - Data Minimization - Accuracy - Data Deletion - Security - Accountability

Answer 39

Organizations must always process personal data lawfully, fairly, and in a transparent manner

Answer 40

Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot process personal data in a manner that is incompatible with those purposes.

Answer 41

Organizations can collect only personal data that's adequate, relevant, and limited to what's necessary for the intended purpose.

Answer 42

Personal data must be accurate and, where necessary, up to date.

Answer 43

Personal data must be kept only for as long as it's needed to fulfill the original purpose of collection.

Answer 44

- Organizations must use appropriate technical and organization security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or altercation. - Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required, to help protect personal data.

Answer 45

- ENCRYPTION - The GDPR does not require organizations to encrypt personal data. However, depending on the circumstances, ***the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data***. In particular, ***the law suggests that encryption may be appropriate for sensitive personal data and specific types of data managed by highly regulated companies.*** - PSEUDONYMIZATION - The GDPR encourages organizations to use psuedonymization as a risk-based measure to protect data security and the rights of individuals. In certain scenarios, organizations can utilize pseudonymization as a measure to enable the use of data beyond the original purpose. However, pseudonymized data is still considered personal data under the GDPR. - ANONYMIZATION - If data is truly anonymized, then the data does not constitute personal data under the GDPR. However, the bar to be considered anonymous is high. It must be impossible for any individual to be identified from the data by any further processing or by combining it with other information.

Answer 46

A data controller is responsible for implementing measures to ensure that the personal data is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of "privacy by design" and "privacy by default". Additionally, a data controller must be able to demonstrate compliance, including keeping a record of processing activities by conducting privacy impact assessments.

Answer 47

PRIVACY BY DESIGN The idea that when organizations plan a new processing activity or develop or implement a new product, service, or feature, they must design such activities and products with the GDPR principles in mind, to ensure they put appropriate safeguards in place to protect privacy. PRIVACY BY DEFAULT The idea that organizations must always use the most "privacy friendly" default settings when collecting, processing, or storing data. DATA PROTECTION IMPACT ASSESSMENTS Analyses of new processing activities to identify and address privacy risks.

Answer 48

The GDPR grants data subjects a number of rights regarding how controllers handle their data. These rights require controllers to have systems in place to respond to and effectively address data subjects' requests. - Data Access - Right to Object - Data Rectification - Restriction of Processing - Data Portability - Right to Erasure

Answer 49

Under the GDPR, if an organization is processing their personal data, the controller must provide the data subject with information about processing, including the specific data processed, the purpose of the processing, and the other parties with whom such data has been shared.

Answer 50

If the processing is for direct marketing purposes.

Answer 51

Data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete.

Answer 52

Data subjects can request that a controller stop access to and modification of their personal data. EX: the controller can mark or use technological means to ensure that such data will not be further processed by any party.

Answer 53

In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (.csv file for example) so that they can transmit their own personal data to another country.

Answer 54

Also known as the "right to be forgotten", this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: - When the data is no longer needed for the original purpose - When the data subject withdraws consent - When the data subject objects to the processing and the controller has no overriding legitimate interest in the processing.

Answer 55

BINDING CORPORATE RULES - Also known as BCR's, they are company-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area (EEA) to countries outside the EEA. - BCRs are based on strict privacy principles established by European Union data protection authorities. STANDARD CONTRACTUAL CLAUSES - Also known as "model clauses", these are legal contracts between parties who are transferring personal data from Europe to countries outside the EEA. - The European Commission drafted and approved the standard contractual clauses, which contain detailed obligations related to the protection of personal data.

Answer 56

- Get Buy-in and Build your Team - Assess your Organization - Establish Controls and Processes - Document Compliance