Marketing Compliance

RPM Marketing Compliance

RPM works hard to run effective marketing compliant campaigns. Our successful marketing campaigns include quality leads, trusting consumers, more clicks to conversions, repeat customers, customer referrals, reputable brands and the FIPPS—transparency, choice, accountability, security, and information correction. RPM believes that by complying with consumer data protection laws, standards, principles, and regulations, we out-compete organizations that do not.

RPM’s focus on producing quality results requires us to establish careful and thorough marketing compliance processes that protect our partners from legal consequences. Each campaign is created within established processes that ensure compliance and is thoroughly vetted before going live. We are fully aware of the consequences of marketing compliance.

Why it matters that RPM complies and cares

Website accessibility lawsuits filed under the American with Disabilities Act (ADA) have increased 34% since 2017 and rose 75% from 2018 to 2021 (3). In fact, similar lawsuits may be filed under state human rights and civil rights laws. The ADA requires businesses, with or without a physical location, to ensure their websites are “accessible” for people with disabilities (4). Plaintiff’s firms are finding companies that do not comply and hitting them with costly lawsuits, and these lawsuits do not just affect large businesses (5) and are not isolated to a industry (6).

In 2020, over 10,982 ADA lawsuits were filed (9). Any business with a website that does not comply is potentially a target, and that includes small businesses. Some companies choose to ignore compliance hoping they will fly under the radar, but the consequences of being caught make this an unwise strategy.

The penalties of non-compliance can be financially, operationally, strategically, and even reputationally devastating for any small business.


4. 5.



Financial risk, fees, and penalties

The costs of non-compliance vary depending on what law or regulation is violated. Fines can range from thousands to millions of dollars. For example, GDPR infractions can lead to fines of up to $24.1 million or 4% of annual global turnover (whichever is higher). Since January 2020, GDPR fines have risen 40% (10). The civil penalty for a violation of the California Consumer Privacy Act (CCPA) is $2,500 per violation and $7,500 for intentional violations (11). Anyone who violates the Telemarketing Sales Rule (TSR) is subject to penalties up to $42,350 per violation (12), and the list goes on and on.

As we mentioned before, small businesses are not exempt from enforcement, but a small business may escape fines under the CCPA, if it does not meet the threshold which includes satisfying at least one of the following: annual gross revenues more than $25 million, possessing the personal information of 50,000 consumers, or deriving 50% or more of its annual revenue from selling consumers’ personal information (13). The TSR is quite different from the CCPA in that there is a history of small businesses being fined and, in some cases, banned for life from telemarketing services.



Marketing compliance issues that impact performance marketers

THE REGULATIONS: Performance marketing may be subject to the following regulations. The list is inexhaustive.

General Data Protection Regulation (GDPR)

A European Union law regulating data protection and privacy, which are more stringent than US laws. The GDPR applies to the processing of personal data in the EU by an established EU data controller or processor and the processing of personal data by a controller or processor outside the EU. Therefore, GDPR has an expansive application. The law went into effect in May 2018.

California Consumer Privacy Act (CCPA)

The first comprehensive US state consumer privacy law was enacted by the state of California. The CCPA provides extra protection for the personal information of California residents. The law broadly defines personal information and grants California residents several rights. The law went into effect in January 2020 and was enforced starting in July 2020.

California Privacy Rights Act (CPRA)

A state of California statute that revises and expands the CCPA. The CPRA imposes limits on data col- lection, retention, and use. The law goes into effect July 1, 2023, at which time the CPRA will effectively replace the CCPA. Businesses are expected to have the necessary changes for compliance by mid-2022 because it applies to information collected in the prior 12 months.

National Do-Not-Call (DNC) Registry

Since July 2003, consumers who do not want to receive unsolicited telemarketing calls to their residential landlines and wireless lines can register their numbers on the National DNC Registry: a national database administered by the FTC. Telemarketing companies must have procedures in place to avoid calling numbers on the DNC Registry.

Telephone Consumer Protection Act of 1991 (TCPA)

The TCPA primarily regulates the tools telemarketers use to make calls to consumers, such as: automatic telephone dialing system (ATDS); and artificial and prerecorded voice recordings, and the type of telephone line contacted. The TCPA covers wireless, fax, and landlines and requires businesses to obtain prior express written consent before dialing or texting a consumer using ATDS. The penalties for violations can be up to $500 per incident, with violations trebled up to $1,500 for knowing and willful violations.


Privacy and Electronic Communications Regulations (“Cookie Consent Law”)

The so-called “Cookie Consent Law” is an aspect of the European Union Data Privacy Framework requiring a cookie consent banner on every website that uses any kind of tracking that can be accessed by EU citizens.

The benefits of marketing compliance

Marketing compliance is not just about avoiding the legal consequences of non-compliance. There is also a significant upside to an organization’s compliance efforts. Marketing regulations and standards are instituted and enforced to protect consumers from false advertising and unfair and fraudulent practices in the marketplace. A strategic marketing compliance program can do just that while protecting brand integrity and increasing consumer trust. As we will see below, this can lead to additional benefits.

Higher quality leads and traffic

Leads and traffic that are generated with accurate claims and transparent processes are more likely to be higher-quality leads. They opted in to receive your marketing because they want exactly what is being offered rather than being tricked into opting in with deception. You want leads that are compliant because they are more likely to be leads that are interested in what your company is offering.

Gain a competitive advantage

A report from the Capgemini Research Institute found that GDPR compliance had a wide range of benefits for companies including a “positive impact on the organization’s revenues, customer trust, brand image, and improved cybersecurity practices.” They discovered that GDPR compliant companies were more likely to outperform non-compliant companies in terms of the quality of their lead quality, customer satisfaction, and revenue. According to the research, “92% of executives from compliant firms say their organization has gained a competitive advantage thanks to the GDPR (21) (22).”



How to get started with compliance

The goal of compliance with rules and regulations is to protect the consumer from deceitful and unfair marketing practices while also protecting their data. With that end goal in mind, it is useful to think like a consumer by putting yourself in their place and viewing your marketing practices from their perspective.

Is your marketing accurate? Would you feel misled if you made a purchase based on your marketing material?

Is your marketing so ambiguous it could be misleading? Would you get an accurate picture of your product or service from your marketing material?

Are you able to back up your claims? Would you be able to convincingly prove your claims?

Are you doing everything you can to protect consumer privacy and data? Would you feel safe giving information to your company knowing how it is handled, stored, and used?

Areas to consider:

• Brand guidelines
• Statements and representations
• Claims made without evidence
• Deceptive claims
• Claims about competition
• The terms of exclusive offers such as sales and promotions
• Contests and sweepstakes
• The handling of consumer data and how it is used
• The capture of data from minors
• Age-appropriate materials

• Offensive messaging or imagery

While this is not a complete list of all the areas of concern for your company, it can be a starting point for more in-depth analysis.

RPM makes compliance a priority

We make it clear to all our employees that marketing compliance is a top priority. This does not mean that every employee within our company is expected to understand all the nuances of the many laws, but everyone knows that compliance with these standards is an essential goal for our marketing team.

Within the marketing team, every piece of marketing material for every campaign is expected to be compliant. Every RPM marketer understands the relevant rules and guidelines and tools that make it possible to be confident the marketing they help produce is compliant.

Lead generation involves several regulations around deceptive advertising, consent, and data management, so auditing a lead generation process requires examination of the entire lead generation process including how the data is stored and processed. We try to avoid characterizing compliance as a nuisance or unimportant. Rather, we highlight its importance and value. Our team is also educated on the benefits of complying and being ethical and protecting our customers.

Create a compliance process for your organization

It is not enough to claim your company cares about compliance, you need to implement a system and processes that ensure it. This system should monitor compliance standards and changes, then ensure those expectations are communicated clearly to team members. It should also take compliance into your creative processes so that marketing materials are produced with compliance in mind. Potential violations or concerns should be flagged early so that they can be corrected as marketing is produced. This will help avoid delays and missed deadlines. Finally, there should be a final check that ensures marketing is compliant before it goes live.

A comprehensive compliance management process includes at least five components:

1. Industry insights and monitoring

Your company needs a way to stay current on legal developments such as enforcement actions and lawsuits that impact the interpretation of laws. The legal landscape around these regulations changes slightly over time as new case law decides gray areas.

2. Internal training

Your company should hold training for all employees and more specific guidance for each employee that gives them specific guidance on how these compliance laws are relevant to their role as well as how to help the company ensure compliance with regards to their specific duties and responsibilities. This training should be easy to digest and include reference guides that can be consulted day-to-day as needed. Ideally these guides should be web- based so that they are easy to update and out-of-date files floating around are less of a concern.

3. Complaint management procedure

Your company needs a defined process for how to respond to consumer complaints as well as complaints that are submitted to regulatory agencies such as the FTC. The ability to respond promptly and competently is an important signal that your company values compliance and is trying to comply.

4. Documented procedures and policies

Do not assume that employees will know how to handle legal issues as they arise. Instead, provide carefully considered step-by-step instructions on how to address legal issues. This documentation should include how to handle these events internally as well as with any external partners and service providers.

5. Regulatory technology solutions

Although not required, RegTech solutions can make compliance efficient and predictable by automating the monitoring of employees and partners to ensure they are following the established guidelines. It is time-consuming and even impossible to do this without technology, depending on the size of your organization.

Tools for marketing compliance

Jornaya offers solutions to help marketers create exceptional experiences for their customers and prospects, while respecting the consumer’s privacy, preference, and permission. Their TCPA Guardian solution helps companies manage TCPA risk by providing real-time data on consumers’ consent to be contacted, as well as a visual rendering of the consumer providing consent that can be easily accessed in the event of a complaint.

Jornaya helps you maintain TCPA compliance by:

• Letting you set criteria for the visibility of the disclosure based on your compliance standards.
• Verifying that the language in the disclosure presented to the consumer meets your requirements.

• Informing you—in real time—which leads you to meet your TCPA guidelines. • Providing a compliance report that you can quickly obtain in the event of a complaint.

Jornaya’s LeadiD technology allows TCPA Guardian to act as an independent witness to a consumer’s experience on a lead form and validate that each lead was generated in accordance with your compliance standards. It also provides persuasive proof that the consumer indeed saw the TCPA disclosure and consented to be contacted, which has been used to help clients successfully respond to TCPA lawsuits (23).

ActiveProspect is a company that offers a variety of useful tools for consent-based marketing. Their LeadsConduit tool allows you to personalize your leads process while remaining compliant.

Another tool, LeadsBridge, allows you to generate leads from social media in a compliant way. They are in partnership with all the major social media companies, including TikTok, Facebook, Instagram, and YouTube. LeadsBridge is especially useful for compliance since it can be difficult for companies to remain compliant and work successfully across a variety of platforms.

However, their most useful tool for compliance is TrustedForm. TrustedForm is a documenting service that allows you to record customer consent on a third-party database in case you need to verify consent in the future. TrustedForm also gives you insight into your leads, informing you if a lead seems suspicious.


Tools for marketing compliance

Consumer Consent is a slightly different tool for compliance. Consumer Consent is an organization with over 500 member companies, all of whom are committed to promoting consumer consent. The Consumer Consent Council is self-regulating, meaning that it is a group of individuals from the performance marketing industry who want to support ethical marketing.

RPM is proud to be a member of the Consumer Consent Council. It is a fantastic opportunity to help change the discussion about consent from a reactive discussion to a proactive discussion.

For more specific compliance services, we suggest turning toward Do Not Call Compliance. Do Not Call Compliance offer list purging services that help telemarketing companies ensure that their contact lists are DNC compliant. Do Not Call Compliance offer free seminars on compliance to help individuals and businesses remain compliant. They also help companies access state and national DNC lists so that they can keep them for their records.

Another unique service that Do Not Call Compliance offers is scrubbing records. Whenever you scrub your list, they will keep a record of that scrubbing, so that you can show that record if you inadvertently call someone on the DNC list.

OneTrust is a giant in the consent management world. They manage the most used consent management platform. Their popularity comes from their worldwide network of solutions for regulations from different countries. Like Do Not Call Compliance, they offer certification programs that allow individuals and companies to learn more about compliance.

Their most useful tool is their Convercent tool. Convercent is an ethics and compliance cloud platform that houses your ethics and compliance training so that you can keep your employees up to date.

Ensuring compliance from third parties

You are liable.

Your company can be held liable for the marketing of third parties you hire to help with your marketing. Your company is responsible for the marketing produced by third parties you hire. Your company cannot avoid legal consequences by claiming they were unaware of what a third party they hired was doing.

But checking campaigns produced by a marketing agency for compliance once they are produced is not a smart strategy. If you find a campaign is not compliant after it is produced, you have wasted the time and resources that went into creating it. This can eat away your campaign budget and set your timeline back by months. Even worse, if you do not catch the non-compliance before the campaign goes live, you may be subject to fees, penalties, and the ongoing consequences of a damaged reputation.

For this reason, it is important that you have confidence the third party you are working with can produce campaigns that comply.

Keep Your Organization Safe

When your marketing team complies with regulations, it ensures your business is honoring consumer privacy while creating trusted, valuable relationships with your customers.

In a time when almost half of consumers have stopped buying from a company over privacy concerns, your job is getting harder and harder.

Protect your brand reputation and limit legal expenses. Invest in solutions that confirm clear and conspicuous consent in real-time while ensuring compliance with evolving consumer privacy and protection regulations, including Telephone Consumer Protection Act (TCPA).

What RPM does to ensure compliance.

RPM works hard to be a leader in compliant marketing. This commitment to compliant performance marketing has earned us trust in an industry that often lacks trust. Building trust in our products and our clients is something we strive for. As we continue to grow and develop, we make sure to take the right steps to not only protect ourselves but those who we work with.

There are a few steps that we have taken to ensure compliance, including creating a compliance team, using industry tools to monitor compliance, being members of Consumer Consent, and maintaining proprietary blacklists. Let us break down each of these measures and talk about how they have made RPM a giant when it comes to compliance.

• Compliance Team

Our compliance team makes sure that a human monitors all compliant checks are valid meaning nothing is getting through our APIs without a pair of human eyes. Our team monitors calls, transcribing the calls and highlighting phrases that seem problematic using Observe AI. At the end of the day, they compile a report of any issues that they see in our team so that these issues can be resolved proactively.

• Consumer Consent

Being members of Consumer Consent means we are an organization that helps the performance of marketing businesses remain compliant even as regulations change. We proactively make sure to stay on top of industry changes that may affect lead generation transactions.

• Transparent Partnerships

At the end of the day, we are not here just to collect a check. RPM is here to be your strategic partner to work with your company goals. We tailor our campaigns to give you the best result. If you or anyone on your team notices an issue with compliance our team is here to help.

• Attending Compliance Focused Conferences

RPM is always looking to grow our knowledge of the industry. We invest in ourselves so we can better our performance campaigns. Our team works with industry experts to stay in front of any compliance issues that may arise.

• Maintaining Blacklists

Finally, we maintain blacklists that keep track of bad actors who we will not work with anymore. These blacklists have grown over the years

We have a strenuous vetting process for publishers that we will work with, and this vetting process helps us ensure that we are working with people who value compliance as much as we do. We make every effort to be transparent in our marketing process because we want our partners to feel comfortable working with us. In an industry where trust is everything, we pride ourselves on being honest and forthright in everything we do.

Vetting third parties
Protect your brand reputation and limit legal expenses. Invest in solutions that confirm clear and conspicuous consent in real-time while ensuring compliance with evolving consumer privacy and protection regulations, including Telephone Consumer Protection Act (TCPA).

• Conduct an interview with any outside agency with the goal of capturing their views on compliance.

• Are they educated in the relevant rules and regulations?
• Are they up to date on the latest compliance regulations?
• Do they have processes in place that ensure compliance?
• Will they let you check their work for compliance?
• Are they open to being transparent about all aspects of marketing campaigns and data handling?
• Are they willing to let your team review their marketing materials and plans early in the process, so you can raise concerns early?

If they view it as a nuisance or unnecessary, their values might not align with a company that seeks compliance as the right way to do business. They might be more prone to cutting corners or bending the rules.

This leads to the first excuse commonly given regarding active TCPA compliance monitoring. “We periodically review all of our websites for compliance.” This is not sufficient. Serial plaintiffs and TCPA plaintiff lawyers easily poke holes in that argument as you are unable to prove the consumer (or class of consumers) provided expressed written consent at the time they filled out the form. If you had to prove the lead you received four months ago, saw the TCPA disclosures and consented, could you?

Another popular organizational mindset is “My vendors will indemnify me for TCPA compliance.” This approach is not legally viable. If you respond to a lead that has not given you consent to call or text, regardless of where the lead was generated, you are liable. In 2015, Dish Network lost a bid to overturn a $61 million TCPA judgement against them by arguing that the company they were using to generate leads had indemnified them. The courts rejected that argument and forced Dish to pay.

It is important to note that not only do all levels of the industry need to mitigate TCPA compliance risk, but they also need to demonstrate persuasive proof of consent when challenged by a litigant. Having the vendor provide website screenshots and IP addresses is not enough. Being able to provide witnessed consent of the specific lead event by the complaining consumer (or class of consumers) from a neutral third party frequently defeats an attorney demand letter before litigation even begins.