What I’ve Learned About Privacy Law as a Marketer for a Privacy Company

I recently attended a privacy law event that Sourcepoint sponsored. I think I was the sole marketer in a room of about 100 attorneys, mostly in-house counsel. At some point the topic turned to the challenge of aligning marketing and legal teams on matters of privacy and data governance. 

“Rogue marketers,” someone groaned, “they’re always putting tracking technologies on the website without telling us!” 

Bridging the Marketing-Legal Divide

As a marketer who markets privacy software to legal counsel, it feels like I’m never not consulting with our own general counsel. I rely on her perspective for our product marketing, for her insight into regulatory updates and litigation trends and, of course, for her legal advice regarding our own data practices. 

The comments that followed in that room full of 100 attorneys, however, confirmed that ours is not a typical marketing-legal dynamic.

“My only wish is to make my marketing and product teams attend a privacy training session that won’t make their eyes glaze over,” one lawyer said to murmurs of agreement.

Over the last five years, even as the state laws have kept rolling out, I’ve observed a persistent gap between the privacy aspirations of the C-suite and what the marketing organization understands about privacy. Onstage at Cannes Lions, CMOs may do fireside chats about privacy and responsible marketing, but the rank-and-file have campaign goals to meet and behind the scenes, privacy and legal teams are still perceived as obstacles. 

Privacy Marketing Operations?

With privacy regulations having reduced our ability to measure, retarget, and leverage third-party data (which were arguably not that accurate to begin with), it’s tempting to view first-party data as something of a silver bullet. As marketers, we want to know everything we can about our customer. We want all. the. data. Maybe we won’t be able to do anything with it right now, but it might come in handy…someday. Unfortunately, that approach is not privacy friendly. Just ask your lawyer.

As we head into 2025, it’s time to shed the mindset that all first-party data is good data. There are many reasons to build privacy-by-design into your marketing organization: it builds brand equity, it prevents your company from breaking the law, it feels like the “right” thing to do. These are all commendable motivations.

But what if complying with privacy laws actually…makes us better at our jobs? Perhaps privacy compliance just needs a rebrand. 

Five Absolutely True Facts About Marketing Privacy 

1. Most companies have more data than they know what to do with.

The instinct to collect all possible consumer data “just in case” is understandable but increasingly risky. Beyond regulatory requirements for data minimization, storing excess data creates operational inefficiencies and potential liabilities.

A streamlined data strategy has practical benefits. It allows you to cut storage and processing costs. Websites and apps perform better without bloated data collection. Customer insights are easier to surface and action on.

The most valuable insights come from understanding why you’re collecting certain data. Who’s using that data? Where did it come from? Instead of asking “what data can we collect?”, start with “what data do we need to achieve our goals?”

2. If your technology partners aren’t buttoned up with regard to privacy, that’s your problem, too.

Recent enforcement actions make it clear: you can’t outsource accountability. When your marketing technology vendors mishandle your consumer data, regulators hold you responsible. We saw proof of this in 2023 and 2024 with several high-profile cases involving tracking pixels that shared sensitive data without proper consent or controls.

Fortunately, vetting your vendors has a business upside beyond compliance. Streamline your marketing stack and optimize your tech spend. Regular audits of tracking technologies often reveal redundant tools, unauthorized data collection, and opportunities to optimize performance. By maintaining a curated roster of vendors, you can actually reduce page load times and improve user experiences.

3. You are probably collecting and sharing sensitive data (according to someone’s definition).

The definition of sensitive data has expanded significantly. It’s not just health information or financial data anymore — the FTC and many state privacy laws now consider precise geolocation, browsing history, and even inferred characteristics as sensitive data requiring special handling.

For marketers, this means being thoughtful about data collection practices. Before implementing new tracking technologies or launching campaigns, consider whether the data could reveal sensitive information about individuals. Are we collecting more data than necessary for our marketing objectives? Do we have the appropriate consent mechanisms in place? 

Perhaps one day all personal information will be treated as sensitive by lawmakers. Until then, be thoughtful about potential privacy harms and when in doubt, return to fact #1: Most companies have more data than they know what to do with.

4. Your legal team actually wants to be your thought partner. 

Rather than viewing legal as the “department of no,” make them your strategic advisors. Go to them early. They’re smart and they’re there to help. It’s much easier to work together from the jump than to go through the painful exercise of untangling legacy third-party scripts from your products down the road. Work with them to craft easy-to-understand consumer privacy experiences that feel like an extension of your brand. Approaching privacy as a cross-functional project rather than a legal burden is always going to be more successful (and certainly more fun).

5. When it comes to regulatory scrutiny, you can get an A for effort (or at least partial credit).

Even if 100% perfect compliance is not an achievable goal (especially when each state’s requirements vary and are subject to ongoing interpretation), documented good-faith efforts matter. Show your work. Create processes that capture what terms & conditions consumers agreed to and when. Keep an inventory of your third-party technologies and involve legal in creating a due diligence process that will help make sure your website and apps aren’t bloated with unnecessary or unauthorized downstream tech.

These audit trails demonstrate your commitment to responsible data practices — something both regulators and consumers increasingly value. They can also deflate the impact of any trendy privacy class action litigation. More importantly, they help build a privacy-first culture that can actually help your marketing team operate in a more organized and efficient manner. 

Plot Twist

There you have it, privacy laws might be the tough love marketers needed all along. They’re forcing us to be more intentional, more efficient, and perhaps, better at our jobs. And who knows? Maybe one day you’ll find yourselves at a privacy law event surrounded by 100 marketers instead.

Looking for more practical insights on how to make your marketing more privacy compliant? Download our Guide to Bridging the Legal and Marketing Divide.