Back to main menu

Email Best Practices

Data compliance survey: How seriously are businesses taking data privacy laws?

We surveyed 1000 professionals worldwide and asked them how they've adjusted to comply with data regulations like GDPR, CAN-SPAM, or CCPA.

Hermes protecting the door



Ah, privacy. No matter who you are or where you live, you probably appreciate its benefits in many areas of life. However, when most people think of privacy, they may not immediately think of data privacy… or how important it has become.

Consumer data has quickly become a valuable resource for many companies, but most consumers want at least some regulation when it comes to the data they share. As a result, many governments have passed data privacy laws that regulate the collection and use of consumer data, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Virginia Consumer Data Protection Act (CDPA).

This year marked the third anniversary of GDPR, and we were curious to see how these regulations have affected companies worldwide – and what they have (or haven’t!) done to fit in. To measure the effects, we surveyed 1000 professionals worldwide and asked them how they’ve dealt with the recent surge in consumers’ data consciousness.

So, what did we find? Let’s jump in.

Data Compliance Survey: Main takeaways

Our Data Compliance Survey showed that a large number of businesses are still not compliant with local data protection laws and regulations, and also highlighted the role technology and third-party providers play in this process.

Here are the main takeaways we found from surveying 1000 professionals:

  • A full 62.4% of survey respondents said that their company isn’t “completely compliant” with the data regulations that apply to them, including GDPR, CCPA, and CDPA.

  • A quarter (24.4%) of respondents don’t even know which data regulations apply to them.

  • Nearly half (44.7%) of our respondents’ companies have had to add or change their marketing technology to comply with applicable data regulations.

  • Some respondent companies report spending $10,000 or more each year to remain compliant with data regulations.

Read on to discover what changes companies have implemented, and the different ways in which North American and EMEA organizations think about data protection.

Data laws around the world

Across the globe, different governments have passed different regulations regarding data privacy, which companies need to know about – and comply with – if they want to do business in certain areas.

Most of our survey respondents were based in EMEA (65.4%) and North America (21.7%), which means that almost all organizations represented in the study fell under GDPR, CCPA, and/or the CAN-SPAM Act.

But understanding what laws apply comes down to knowing not only where the business operates, but also where its customers are based. 61.6% of respondents said they handled data from the EU, which requires GDPR compliance. A smaller number of respondents handled data from the UK (21.9%), California (21.1%), and Virginia (17.2%).

However, while most companies know where their customers are based, not as many are aware of the data privacy regulations that apply to them. In fact, nearly 25% of respondents said they didn't know if they fell under any jurisdictions.

Businesses’ compliance with data laws

No matter their knowledge level, most respondents were not following their region’s data laws. Only 37.6% of respondents told us that they’re fully compliant with GDPR, CCPA, the new Virginia CDPA or other applicable regulations.

There is a small bright spot – EMEA businesses are closer to being fully compliant than North American companies. While the number of “completely” compliant organizations in EMEA and North America was pretty similar, there were more EMEA respondents that claimed their businesses were “mostly” compliant.

But, even though some compliance is better than none, it still isn’t enough. You may think that being “mostly” compliant is okay, but it has bigger consequences than you’d realize. Any kind of non-compliance with data privacy laws affects your customers’ data safety, your business success, and your reputation.

Businesses can’t afford to be “nearly compliant”. If your business processes personal data, regardless of where you’re based, compliance with data privacy laws is not a choice. Any form of non-compliance can obviously hurt your organization’s reputation, but it can also put you at risk of breaching contractual commitments - and you could face legal actions and penalties.

Maylis de Bazelaire Legal & Privacy at Pathwire

How businesses have adjusted to achieve data compliance

As we can see, complying with data privacy regulations helps you avoid negative outcomes in the future, and ensures the success of your business. Good, right?

But complete data regulation compliance doesn’t just happen with a wave of a hand. It often requires companies to change the ways they gather and use personal data. That includes revisiting existing data collection and retention processes and looking at technology stacks and third-party providers to see where they can be improved.

A large portion of our respondents honed in on technology stacks in particular – when asked, 44.7% of them said they’d had to make changes to them. And, while most businesses spent less than $1,000, some (5.9%) had to spend $10,000 or more.

Regardless of the money and time that is spent on these changes, they’re undeniably important – especially in the email space. ESPs and assorted validation tools handle huge amounts of customer data, and using an EU-compliant ESP or validations tool – like Mailgun’s verification service – is crucial to ensure data safety and avoid the (sometimes literal) costs of non-compliance.

For some businesses, this has required auditing and changing their data collection processes and third-party providers. The survey found that 40% of respondents have implemented double opt-in consent and 20% have changed their ESP to become compliant.

Being compliant means using providers that are compliant too. Companies are responsible for the way third-party providers use and protect customer data just as much as they are responsible for their own data compliance. To be fully compliant, companies must commit to only using subcontractors that comply with all the relevant data protection regulations and provide the highest level of privacy and security.

Maylis de Bazelaire Legal & Privacy at Pathwire

How EMEA and North America view data privacy

While we’ve reviewed some similar uncertainties and actions in our respondent groups, it’s interesting to see how each region treats data privacy. Overall, 76.7% of respondents said that the EU appears to be more privacy-conscious than North America. While even North Americans generally agreed with this sentiment, it was more widespread in EMEA.

And when we looked at the results for each region, the data agreed with the respondents’ hypothesis. More than 50% of NA respondents didn’t know what data protection laws applied to their businesses, while in EMEA that number dropped to only 12%. Go, EMEA!

As we have seen before, EMEA businesses are often more rigorous about compliance. They were also more likely to change their technology to be compliant with laws (49.5% compared to NA’s 35.4%), and they tended to spend more money doing so – 28.4% of EMEA respondents spent over $1,000 for compliance changes, compared to 25.3% of NA respondents.

So, it’s obvious that EMEA companies consider data privacy to be a bigger deal than North America. However, no matter what the local attitudes are, it’s important to note that data privacy affects everyone equally. No matter where you are, it needs to be one of your top priorities.

Non-compliant organizations face high penalties from data privacy regulators, regardless of where they’re based. Aside from the reputational and contractual implications of not following the appropriate data protection regulations, non-compliance could result in important financial sanctions - up to 20 million euros, or 4% of the annual turnover for GDPR!


Maylis de Bazelaire Legal & Privacy at Pathwire

What to remember about data privacy

All has been revealed – as it turns out, our survey showed that a minority of respondents comply with applicable data privacy laws. But compliance is a must-have if you want to avoid fines, angry customers, and other not-so-fun consequences.

Additionally, relying on compliant third-party providers – like Mailjet’s email marketing platform, Mailgun’s sending infrastructure, or Mailgun’s Verifications – will help you protect your consumer data, maintain your customers’ trust, and avoid the legal and financial consequences of non-compliance. So keep your private needs private, and do the public work that needs to be done. Trust us, it’s worth it.

Still not sure if your business is GDPR compliant? We’ve got a kit full of resources to help you audit your data collection processes and third-party providers.

GDPR kit

GDPR kit for marketers

Want to make sure you never miss another trendy-or-trending email marketing moment? Sign up for our newsletter and get the latest email news in your inbox!

Popular posts

Hermes rides a firework next to a Goddess in front of a night sky with more fireworks

Email best practices

6 min

Top email marketing trends for 2022

Read More

Hermes on a moped delivering mail to a mailbox

Email best practices

8 min

Reducing email’s carbon footprint

Read More

Mother's day gift for Hera


14 min

Marketing calendar 2024: Dates you shouldn’t miss this year

Read More

It's never been easier to build connected experiences. Start sending with Mailjet today.Get started on your path
CTA icon