
Does GDPR Apply To Non-EU Citizens?

The GDPR (General Data Protection Regulation) was a revolutionary law created to ensure that organizations do more than have check/uncheck privacy policy boxes on their websites. It forced enterprise-wide changes which ultimately led to the transformation of business operations. 

In addition, it made the cost of negligence very high. It ensured that non-compliance resulted in hefty fines of 20 million Euros or 4% of a firm’s yearly turnover, whichever is higher.  

Due to GDPR, organizations today need to ensure that they are on the right side of the privacy policy regulations. Businesses and individuals often ask: do I need a cookie policy for my site? The answer is yes for those planning to do business with the EU or its residents.

The following information is intended to help you understand the way GDPR works and discover if your business is compliant or not. Another privacy law you may need to be aware of is the California Consumer Privacy Act (CCPA). Check out this article for a look at CCPA vs. GDPR.

To learn more about consent management platform software and how it’ll help with GDPR compliance, connect with our team of privacy experts at Ketch. 

The Need For GDPR

Data protection has become a critical concern for everyone, from governments and businesses to individuals. With great advancements in the world of technology and the internet, this was always going to be necessary. 

The use and misuse of data has become increasingly prevalent, which has helped to highlight the gaping holes that exist when it comes to data protection laws. Companies and individuals are being affected, so governments worldwide have had to go back to the drawing board to come up with amendments for their data privacy laws to keep up with the changing times. 

This is why most experts in the data privacy policy field consider GDPR a great new protection standard. It has replaced the previous data protection laws in the European Union and in the UK, which had the 20-year-old DPA (Data Protection Act).

GDPR is considered a unified data protection law for all those residing within the European Union, and it also includes oversight of data transferred in and out of the region. If you are not yet familiar with GDPR, you must get acquainted with it to protect yourself, your business, and your customers.

Which Companies Come Under The Purview Of The GDPR?

One of the most significant impacts of the GDPR is the high number of companies doing business across the Atlantic that come under its purview. Even though all organizations that operate within the European Union have to comply with GDPR, US-based businesses also have to adhere to it if they want to transact business with EU residents.

Be it a for-profit company, a non-profit charity, or a public firm, any of these institutions collecting personal information on people residing in the EU will have to abide by GDPR rules. As you can see, the GDPR applies to anyone doing business within the EU or with its residents and engaged in collecting their data.


Firms that do not operate inside the EU but gather, store, or process the personal information of EU residents also come under the jurisdiction of the GDPR. Every third-party organization that works for or with companies providing goods and services to EU residents also comes under the purview of GDPR. 

This is why many businesses and industries, both in Europe and the US, are affected by the GDPR. This also applies to a site's first-party cookie policy. All in all, the GDPR has created so many ripples across the corporate world that no one can ignore its impact.

How Is CCPA Different Than GDPR?

The CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation) are both laws that emerged to provide individuals with greater power and control over their personal information. 

Both laws are responsible for regulating organizations that gather and use such data in a variety of ways.

A Brief Overview Of The CCPA

The CCPA offers California residents increased control and transparency over how companies collect and use their data. It predominantly applies to those businesses operating in California or those that handle or share the personal data of California residents.

A Brief Overview Of The GDPR

The GDPR was formulated to give European Union residents increased control and transparency over how firms collect and utilize their data. It also applies to organizations operating in and out of the EU that process the personal information of EU residents.

It is essential to say that there is a lot more to the story than the briefs provided above. As a result, it’s a good idea to know how both these regulations work so as to help keep your organization legally compliant and boost customer trust. 

It is also a good idea to familiarize yourself with some GDPR cookie consent examples, to see how various businesses are adhering to the recent privacy policy regulations. 


The CCPA increases data transparency for Californians about how their personal information is collected and transferred. On the other hand, the GDPR is responsible for the regulation of data privacy across the EU. It was formed to replace some of the previous data protection laws across Europe with a single framework.

It is important to note that even though GDPR is primarily intended for the EU, it still has implications on businesses operating in the United States. This is why some businesses who were asking if GDPR applies to non-EU citizens have gone to the trouble of finding out. 

The following information shows how the two sets of laws compare:

  • The CCPA is designed to provide data rights to consumers who live in California, whereas the GDPR offers such protections to EU residents.
  • The CCPA tends to deal with information that relates to, identifies, links to, or describes a consumer or household, with a few exceptions. On the other hand, the GDPR deals with any personal data associated with an individual. It does not include households, and only anonymous data is exempt.
  • The CCPA applies to profit-making businesses that operate in California, meet several monetary conditions, and have several service providers. In the case of GDPR, data controllers and processors who deal with the personal information of EU individuals are regulated.

Both of these regulations came about to protect people living in a world where there is increased global interconnectivity and where the international transfer of data has become more elaborate and frequent. 

Furthermore, forward strides made in the technology sector have also resulted in the misuse of data, causing many scandals and sophisticated cyber attacks. All this has led to the need for better privacy protection laws.


Both the CCPA and GDPR apply to individual organizations in various ways, and even though there may be some nuances in terms of scope that distinguish these two sets of legislation, their goals remain similar. 

By looking at how they complement each other, you will be able to create scalable data privacy and security regulations that will comply with both of them.

What Are Some GDPR Cookie Consent Examples?

Suppose your business happens to be headquartered in the EU or you conduct a significant amount of business with residents of the EU. In that case, you will have to comply with the EU Cookies Directive. This means that you will have to inform your site visitors that you are using cookies and get their consent to use them.

There are several ways you can go about showcasing a cookie consent notification on your site. You can make use of simple banner notifications such as a fixed footer notification or a header notification. You could also opt for a pop-up notice.  

In this piece, we will take a look at some examples of small business GDPR privacy policies and the kind of wording they use. However, before we get to that, it is vital that we first look at what a cookie policy is and why it’s necessary.

For more help with cookie policies and GDPR compliance with consent management software, connect with Ketch.

Defining A Cookie Policy

The primary goal of a cookie policy is to let visitors to your website or app know that you are using cookies.

At a bare minimum, a good cookie policy should provide the following information:

  • the kinds of cookies you are using
  • how you are using the cookies
  • how your visitor can manage the cookie settings on their devices

Your Cookies Policy is where people will find detailed information regarding your use of cookies and how they can manage the cookie settings on whatever device they might be using.

The Importance Of A Cookie Policy

It is also important that you understand CCPA vs. GDPR because, unless your company is situated in the EU or specifically targets EU residents, you are not required by law to put up a Cookies Policy on your website. You can have a simple clause that addresses your usage of cookies and place it in your Privacy Policy. This will be enough.

On the other hand, if your business happens to be in the EU or targets citizens living in the region, you will be required by the EU Cookies Directive to put up a separate Cookies Policy on your site.

GDPR Cookie Consent Examples

In The EU

According to the EU Cookie Directive, one must post an entirely separate Cookies Policy on their site and ensure that any cookie usage complies with EU Cookies Law. 

For instance, Amazon's UK site has a specific Cookies Notice that covers the lower half of the homepage. It explains why they use cookies and how the information is used. Amazon’s notice also asks visitors to either accept cookies or customize them. The latter option offers more specific choices to make.

The law also dictates that you inform your end-users and site visitors that you are using cookies. Let them know why you are doing so and get informed consent before placing any cookies on their devices.

In The United States

Businesses and companies headquartered in the US are not required to post a separate Cookies Policy on their site or adhere to the EU Cookies Directive unless they are transacting business with EU citizens.    

Most companies in the US opt to include a Cookies Clause in their Privacy Policy to let end-users know of their presence. Others add information regarding their cookie usage in a section titled "We Collect."

For example, ALDO's US Privacy Policy has a Cookies section that describes briefly what cookies are and how they are used.


Businesses have several options for how and where to display a cookie consent notice on their site. Wherever you place it, it needs to be prominent. Your notice should also inform users of why you are using cookies and what they are consenting to if they accept your use of cookies.

Understanding Small Business GDPR Privacy Policy

A privacy policy is an essential legal agreement that every business should have, especially a small one. It helps to ensure that owners avoid hefty fines and other kinds of liabilities regarding personal data violation issues. It also shows customers that your business is firmly committed to the protection of their personal information.

GDPR And EU Residents

As a small business owner, you have to make sure that your policy is user-friendly and covers all your data handling processes. You can adhere to such legal requirements by adding a privacy policy on your small business website as soon as possible.

When it comes to the GDPR, any small business owner or individual running an e-commerce store must comply with the EU’s data privacy regulations.

The GDPR also offers its EU citizens control over:

  • who has access to their personal information
  • what happens to their personal information
  • how their data is shared and stored

The GDPR sets strict compliance laws on business owners, even those with companies that have fewer than 250 employees.

The whole basis of GDPR is to ensure that private individuals have more control over their privacy. It is a notion that revolves around the concept of consent, whereby business owners now need unequivocal authorization to handle, share, store, or process a person’s information.  

If you are running a small business or an e-commerce site, then it is highly likely that GDPR will apply to you. As a result, you must understand your compliance obligations.

Understanding What Is Considered As Personal Data

One of the primary roles of the GDPR is to provide a clear and precise definition of personal data. This was done in Article 4. 

According to the statute, personal information is any data that can help identify a person, their family, or household. This means that if you collect information that others may use to identify an individual, such as their home address, name, email, or phone number, it will be considered protected data under GDPR.

Whether you decide to send an email newsletter or capture a customer’s details through a prize drawing, you will still have to take the necessary steps to safeguard that information and ensure it remains confidential. 

In addition, for you to be on the compliant side of the law, anytime you believe that you have collected personal data through your business in any way, treat it as such. Do not assume anything.

Law Requirements

When running a business that requires customers to give personally identifiable information whenever they purchase your product or service, you will have to provide a Privacy Policy on your website or somehow make it available at your storefront or office. 

In case you need more clarification, you can look at various GDPR cookie consent examples.

Personally identifiable information serves as the universal description of any data used to contact, identify, or locate a person. It includes but is not limited to the following:

  • date of birth
  • telephone number
  • full name
  • email address
  • credit card numbers
  • national identification number
  • screen names or handles
  • physical addresses
  • IP addresses (if tracked)


Enterprises in the EU also need to know whether GDPR applies to US customers. This is because the need for a Privacy Policy is worldwide.

Although the US doesn’t have federal privacy protection laws, various states have taken steps to rectify this situation. For instance, California passed its privacy law called the California Consumer Privacy Act (CCPA). 

Because the state is highly populated, it is safe to assume that you must adhere to the statutes of the CCPA if you transact business with residents of the state. In this way, the CCPA applies to a significant number of American companies across the country, and to EU companies as well.


Does GDPR Apply To US Customers?

Companies and individuals on either side of the Atlantic may feel that since the General Data Protection Regulation (GDPR) is a European Union mandate, it is only applicable to EU countries. However, this is not the case. Some of its laws also apply to US customers who purchase from EU-based companies.

The reality is that the GDPR's application is more about who you are targeting than where your business is headquartered. This means that if you are a US national seeking to buy goods from an EU based company, you will need to familiarize yourself with GDPR and how it applies to you. If you are an EU business, then you may wonder if GDPR applies to your US based customers. 

There is also a lot to learn about the small business GDPR privacy policy. However, most individuals in the US still require some convincing regarding this matter.

For a reliable and easy consent management solution, connect with Ketch to learn more. 

US Data Privacy Regulations

The GDPR applies to practically every individual or business that handles personal data within the EU or is responsible for transferring the personal data of people within the region. This means that if you intend to do business with an EU-based company, you will be protected by some of GDPR's regulations.

Furthermore, when dealing with EU based companies, it is essential that you remember the United States has no particular data privacy laws with such a broad application like the GDPR. Various federal and state regulations overlap to form some piecemeal data protection package, with specific sectors like healthcare being the main focus. 

At times, this type of setting can make compliance difficult since data protection laws can vary from state to state. It should also be mentioned that the level of data protection needed by GDPR is usually high enough to satisfy those required by the relevant US laws.

Understanding How GDPR Applies to US Customers

Transferring of Personal Data between The EU and The US

The GDPR uses the term Personal Data whereas the equivalent term in the United States is Personally Identifiable Information (PII), which is viewed differently from state to state. 

Still, there are some general differences between the definitions of Personal Data and PII. For instance, in the EU, financial data and national insurance numbers are not viewed as sensitive in the strict legal definition. On the other hand, the same elements are often considered highly sensitive under US privacy legislation. This means that US citizens are in some way covered by the GDPR privacy laws, but not in all aspects.

In addition, US based individuals who are in possession of EU residents’ personal data have to abide by the GDPR rules if they wish to conduct business in the region.

Individuals' Rights

The GDPR was formulated on the premise that the relevant authorities should protect personal data and that people needed to have control over how other parties used their information. Some of these rights include the right to data portability, erasure, rectifying inaccurate data, withdrawal of consent, objection, restriction, and access.

The rights of US-based customers or website visitors tend to be more limited, even though US laws stipulate that detailed information ought to be provided to them at the time personal data is being collected, even if the company is based in the EU. There are usually no other access rights offered to data subjects. The right to erase collected data may also not be available.

In the US, the laws extending the most data rights concern children. This means that parents are allowed to view the personal information gathered by a website about their child and to delete or correct it. All this is provided for under the Children's Online Privacy Protection Act. However, the GDPR does not have such considerations.

Cross-Continent Transfers

GDPR states that the transfer of personal data outside the European Economic Area (EEA) is restricted. The reason for this is to ensure that the data rights available to area residents are not undermined because an international provider has the data. As a result, the international transfer of personal information is subject to the EU-US Corporate Rules and the Model Contractual Clauses.

On the other hand, US law imposes few limits when it comes to transferring personal information outside the country. And even though US regulations continue to apply to data even after it has left the country, they usually focus on making sure that US entities remain liable for it.

This is to say that when dealing with companies in the EU, both GDPR and local privacy rules apply since you will be engaging in business with EU based customers.


The GDPR protects the personal data of individuals primarily in the EU, regardless of where it is collected, used, or stored. However, US clients doing business with EU companies can still enjoy some of its rights when it comes to the protection of their data.

If United States companies, universities, or non-profits offer goods or services to those residing in the EU or track their online activity, they may need to comply with GDPR laws.  

How Has GDPR Affected Marketing?

Most companies say that the GDPR (General Data Protection Regulation) is too demanding. The law has forced them to re-evaluate the way they collect and handle the personal data belonging to visitors to their website or app. 

The marketing departments in most companies have also been forced to make some changes, especially when it comes to the digital sector.

Whether your firm conducts data analysis regarding customers' online activities or uses an emailing list to send out electronic marketing materials, such procedures need to be framed within the confines imposed by the GDPR. 

It is also important to understand the new data protection rules for small businesses.

How The GDPR Regulations Have Affected The Marketing Sector

The new regulations for transparency and accountability highlighted in the GDPR concerning collecting and processing personal information have become a concern for many marketing experts today. 

However, this comes as no surprise. Looking at how businesses will operate moving forward, we can expect to see some problems complying with GDPR.

There may be some legal precedent that companies may look to when it comes to the processing of data related to direct marketing. However, as stipulated by Recital 47 of the GDPR, consent would still be required as a matter of principle because of the more detailed provisions set in the Privacy framework.

Following are some of the other concerns that marketers may have to address when it comes to GDPR:

  • There could be issues around consent if it wasn’t requested correctly and transparently.
  • Data subjects may not have received the correct information regarding the process of acquiring their personal information.
  • In some cases, data may be processed for purposes unrelated to those explained when obtaining consent from the subject.
  • Is privacy shield required for GDPR?

According to most marketing experts, going back and applying GDPR to existing data is the same as rendering a significant portion of it obsolete or unusable. And even in cases where consent is correctly requested before going forward, most data subjects will fail to opt in.

All this boils down to the simple fact that data for analysis is set to decrease with GDPR requirements.  

With the new e-privacy laws in place, most marketers' general rule of thumb has become to obtain opt-in consent from the subject before sending any marketing communications. 

However, there is an exemption for those situations where the contact details are obtained from customers in the context of a sale, provided they are used by the same organization to market similar products or services.

Whenever these kinds of cases occur, a soft opt-in must be presented with every message when the contact details of the data subject are first gathered.

What Measures Can The Marketing Team Take?

The issue is that marketing departments have to comply with GDPR both in principle and in spirit. There is simply no way around it. As a result, this typically involves:

  • Being transparent regarding how they use the personal data they collect. This may include utilizing a privacy notice or other method to proactively inform the data subject why you are collecting their personal information and how you intend to use it.
  • Requesting clear and explicit consent from any data subject they approach. Pre-checked boxes may be used for answering questions. The individual may then just uncheck a box if that's their choice.
  • Making sure you are open and approachable to the subject's requests when collecting data. Although fulfilling every request is not mandatory, there will be instances where you will need to observe the subject's rights.


Of course, just like with most other things, complying with GDPR is easier said than done. But following the right path and doing things the right way will help the marketing department today and in the future. 

The key is to adhere to GDPR guidelines and ensure that any data you collect is viable and can be used for the benefit of your business.

How To Respond To A GDPR Request

The “right to access” is one of the rights that the General Data Protection Regulation (GDPR) affords people in the European Union (EU). It gives consumers the power to obtain a copy of their personal data and other supplementary information that has been collected online by a business. It also gives them the right to ask the business how and why their data is collected and used—and whether that has been done legally. 

To ensure these rights are upheld, the GDPR requires businesses to know how to respond to a GDPR request (aka subject access request or SAR), which involves steps such as verifying requests, identifying data, and securely delivering copies of that information to the requester.

How Do People Make Subject Access Requests?

A person can make an SAR verbally or in writing or even through social media. There’s no need to use certain language, refer to any data privacy laws, or direct the request to specific contacts. As long as it’s clear that a person is asking for their own personal data, then it’s valid.

People can even make SARs through third parties such as relatives, friends, or solicitors, though businesses must ensure that the third party has the authority to request information on another’s behalf.

If children make SARs, businesses must determine whether the minor is sufficiently competent to understand their rights. If so, the business can respond to the child directly. Otherwise, a parent or guardian must exercise the rights of the child on their behalf.

How To Respond To A SAR

To effectively respond to a SAR, businesses (and under the new data protection rules for small businesses, these include all company sizes) must have a GDPR request response process. This procedure should act as the guideline for your company in responding, processing, and recording SARs, and it should be included in a GDPR-compliant, updated privacy policy. But how often should a privacy policy be updated? Read more here to find out.

The steps to respond to a SAR are:

Recognize The Request

Once you receive a SAR, you must comply “without undue delay”. At the latest, you should respond within one month after receiving the valid request, confirmation of the requestor’s identity, or a fee. You can extend the time to comply by up to two months if the request is complex or if the individual has sent in multiple SARs.

A request is considered complex based on the nature or volume of the SAR or the resources of a business to process it. Some examples include technical issues, confidentiality problems, or the requirement of specialist work.

Verify And Clarify The Request

Because of the nature of personal data, it’s important to ensure that it’s only accessible to the relevant individual (the data subject). Businesses must be responsible for the verification of a requestor’s identity, using whatever proof of identification that will confirm that the requestor is asking for their own personal data (e.g. an I.D.). The exception applies when a SAR is made through a third party, in which case, the business must seek reassurance that the third party is authorized to make the request on another’s behalf.

Additionally, businesses can clarify SARs with their requestors, particularly if the request deals with a particularly large amount of data. That said, clarification isn’t necessary if the business chooses to perform a reasonable search instead.

Identify The Personal Data Requested

Businesses must make reasonable and proportionate efforts to find and retrieve the requested information from their hard-copy or electronic files. This may include data in various forms, such as text, audio, or video.

Securely Disclose The Personal Data

Individuals are entitled to a copy of the personal data (and other supplementary information) requested. If someone requests a large amount of data, businesses can provide excerpts. Businesses may also exclude some data that is exempted from SARs or redact non-relevant information.

Before disclosing personal data, it’s important to know the preferred medium for the response. Usually, if someone submits their request by email, you can respond the same way to share the personal data. But they may also request a different form of response that is more accessible to them, such as via email or fax.

Keep A Record Of Requests Made

All SARs should be kept on record to keep track of the personal data disclosed and the steps taken to comply with each request. This can be helpful in case the requestor raises any issues with the enforcing authorities.


Responding to GDPR requests is the responsibility of businesses. So it’s imperative for all companies that do business with consumers in the European Union to comply with the regulations on consumers’ right to access.

What Are The Seven GDPR Principles?

General Data Protection Regulation, known as GDPR for short, is a collection of regulations enacted by the European Union (EU) to protect the data and privacy of EU residents and others outside the region. At its inception in 2018, GDPR had six fundamental principles; the seventh was added later.

Considering that it serves both companies and people in protecting their information, GDPR is essential. In any case, this regulation may appear complicated, as working out GDPR compliance can be intense for software or tech firms.

So, do you understand the GDPR principles? If not, how will you protect your data and people's right to confidentiality? Please continue reading to learn about them!

The Seven GDPR Principles

The seven data protection principles of GDPR are as follows:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Here, we'll take a look at each principle and tell you how they ought to work within your GDPR compliance methods.

Principle 1: Lawfulness, Fairness, And Transparency

The first principle requires businesses to guarantee that their information collection techniques comply with the law. 

In conjunction with that, they must not violate the law or conceal any relevant factor from data subjects.

To stay legal, you need to have a solid understanding of the regulation and its principles regarding information collection. In addition, you must tell visitors to your site or app the kind of information you gather and explain why you're collecting it. 

Principle 2: Purpose Limitation

This principle says that personal data must be collected for a specified, explicit purpose. Also, it is not permitted to use that data in any way other than for the purpose for which it was gathered.

Principle 3: Data Minimization

The third principle was intended to ensure that information gathered would be just enough to serve the intended purposes. 

It essentially implies that information which is not needed for a specific purpose can't be gathered at all.

Data minimization also requires that the collected data is accurate and updated. Outdated information must, by law, be deleted.

Principle 4: Accuracy

This principle refers to the accuracy of the data collected and stored. It requires that the information gathered be correct and kept up to date so that it remains accurate. The accuracy of personal data is essential to data protection.

As per GDPR, every reasonable step should be taken to amend incorrect or incomplete information. So, personal data that is inaccurate for its initial purpose should be erased or amended immediately.

Principle 5: Storage Limitation

The GDPR lays out storage limits with this principle. Storage limitation concerns the form in which personal data is stored and for how long it is kept.

In other words, personal data should be kept for as long as necessary, and no longer. The data may be held as long as it serves the underlying purpose.

When the information is considered superfluous, businesses need to erase individual information to make space for new information.

Principle 6: Integrity And Confidentiality

While the previous principles fundamentally dealt with the data and the collection process itself, this one deals explicitly with security.

Under the GDPR, personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Because technology changes constantly, the GDPR is deliberately technology-neutral about which controls to use. Article 32 asks for measures "appropriate to the risk" and lists examples rather than mandates: pseudonymisation and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. A business therefore has to justify its chosen controls against the risk to the individuals, not tick a fixed checklist.

Principle 7: Accountability

Just as the name of this final principle makes clear, the controller is responsible for compliance with the other six principles and, crucially, must be able to demonstrate that compliance. In practice that means keeping records of processing activities, documenting the lawful basis for each purpose, carrying out data protection impact assessments for high-risk processing, and maintaining policies and contracts that show the measures are actually in place.


Now that you have an idea of what the GDPR requires, you can see why compliance with these principles is a significant priority for any tech firm handling the personal data of individuals in the EU and the other regions the regulation reaches.

If you think data protection and governance are excessively complicated, you're not alone. Book a meeting with Ketch to get support with GDPR compliance and learn about data privacy management tools.

Ketch provides an adaptable data control platform for firms to meet all kinds of data protection and governance needs.

One final suggestion for further research is to look into the California Consumer Privacy Act (CCPA) and advertisers; find out how the law applies to them regardless of their location.

How Do You Know If You Are GDPR Compliant?

When the General Data Protection Regulation (GDPR) took effect in May 2018, many companies, including big names like Google and British Airways, were found to be in breach of the new European Union (EU) law.

The necessity of the GDPR is undeniable; it helps both individuals and organizations protect their data. But compliance with the GDPR, which spans 11 chapters containing 99 articles, can be difficult for tech businesses (both in the EU and outside it) to figure out on their own.

So, how do you know if you are GDPR compliant? This article will provide a basic answer to that question. Additional relevant information can be found using the links in this post.

Who Needs To Adhere To The GDPR?

In the event that you are found to be noncompliant with GDPR, claiming ignorance is not enough to get you out of trouble. Nor is compliance simply a matter of checking off some boxes.

Cultural and behavioral changes within your organization may also need to be put into effect in order to fully protect the rights of your customers.

If your company collects, processes, or shares personal data of individuals in the EU, whatever their citizenship, it must abide by GDPR rules when it offers them goods or services or monitors their behaviour, even if your company itself has no establishment there.

So, don't wait to be penalized. In order to confirm compliance, do your due diligence; you must determine whether or not your company meets the following criteria.

Just in case you’re wondering: “what happens if I break GDPR law?”, follow the link to find out.

GDPR Compliance Guidelines

First and foremost, you must have a lawful basis for every use or storage of your EU customers' data. Consent is the most familiar basis, but it is only one of six; where you rely on it, the consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Whatever the basis, your customers must be told why their data is collected or stored and what you will do with it.

You must also be able to honour the right of access: anyone who asks what personal data you hold about them must be given a copy, normally in a commonly used electronic form. Even if they never ask, at the time of collection they must be told who the controller is, the purposes and lawful basis, who the data will be shared with, how long it will be kept, their rights, and whether it will be transferred outside the EU.

Data protection must be built into every product and process from the very beginning (data protection by design) and the most privacy-protective settings must be the default (data protection by default).

Suppose your company is a public authority, carries out large-scale regular and systematic monitoring of individuals, or processes special categories of data (such as health or biometric data) on a large scale. In that case, both controllers and processors must designate a data protection officer (DPO).

Have you detected a personal data breach? Then you must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and you must inform the affected individuals without undue delay when the risk to them is high. Every breach, notified or not, has to be documented.

Separately, when a customer exercises the right to erasure, the controller must delete their personal data without undue delay and must inform every third party the data was disclosed to, so that they erase it too. Any ongoing sharing of that data with third parties must stop.

If your customers want to take their data to another controller of their choosing, you have to provide it in a structured, commonly used and machine-readable format and, where technically feasible, transmit it directly to the other controller.

You must audit the data you store in your company's database. Everyone involved must know whose data you are storing and where each record came from: directly from the customer, or from a third party?

If it's the latter, document the source and the basis on which that party was entitled to share the data with you (typically in a data sharing or processing agreement), and make sure the individuals were told where their data came from.

All client details available to you must be stored and listed in an organized and accessible manner. This includes names, bank details, IP addresses, phone numbers, etc. Discard any data that you don't directly need in order to operate.
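The principles of purpose limitation, data minimisation and storage limitation above, together with the access, portability, erasure and audit duties in this section, all come down to tracking a few facts about every record: what it was collected for, when, from where, and who it has since been shared with. The following is an added example, not code from the original page or from Ketch, showing how a small in-memory record store can enforce those rules. The purposes, allowed fields, retention periods and sample records are constructed assumptions for illustration; they are not values prescribed by the GDPR.

```python
"""Policy helpers over an in-memory record store (added example, constructed data).

Each record carries the purpose it was collected for, when it was collected,
where it came from and who it has been shared with, so the store can enforce
purpose limitation, data minimisation and storage limitation, and answer
access, portability and erasure requests. The purposes, field lists and
retention periods are assumed policy values, not requirements from the GDPR.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
import json

# Fields each purpose legitimately needs (assumed policy).
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "email", "shipping_address"},
    "newsletter": {"email"},
}
# How long records for each purpose may be kept (assumed policy).
RETENTION = {
    "order_fulfilment": timedelta(days=6 * 365),
    "newsletter": timedelta(days=2 * 365),
}
# Fixed "current time" so the demo is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    source: str                      # "direct" or the third party it came from
    data: dict
    shared_with: list = field(default_factory=list)   # recipients, for erasure follow-up


class PurposeViolation(Exception):
    """Raised when data is requested for a purpose it was not collected for."""


def minimise(record: Record) -> Record:
    """Data minimisation: keep only the fields the record's purpose needs."""
    allowed = PURPOSE_FIELDS[record.purpose]
    return replace(record, data={k: v for k, v in record.data.items() if k in allowed})


def fields_for(record: Record, purpose: str) -> dict:
    """Purpose limitation: refuse to hand out data for an unrelated purpose."""
    if purpose != record.purpose:
        raise PurposeViolation(
            f"{record.subject_id}: collected for {record.purpose}, requested for {purpose}")
    return dict(record.data)


def is_expired(record: Record, now: datetime) -> bool:
    """Storage limitation: a record outlives its purpose once retention has run out."""
    return now - record.collected_at > RETENTION[record.purpose]


def purge_expired(store: list, now: datetime) -> list:
    """Return the store with every expired record removed."""
    return [r for r in store if not is_expired(r, now)]


def export_subject(store: list, subject_id: str) -> str:
    """Access / portability: everything held on one person as JSON, with source and recipients."""
    payload = [
        {"purpose": r.purpose, "collected_at": r.collected_at.isoformat(),
         "source": r.source, "shared_with": r.shared_with, "data": r.data}
        for r in store if r.subject_id == subject_id
    ]
    return json.dumps(payload, indent=2, sort_keys=True)


def erase_subject(store: list, subject_id: str) -> tuple:
    """Erasure: drop the person's records; return the recipients who must be told to erase too."""
    recipients = sorted({p for r in store if r.subject_id == subject_id for p in r.shared_with})
    remaining = [r for r in store if r.subject_id != subject_id]
    return remaining, recipients


def demo_store(now: datetime) -> list:
    """Constructed sample records, minimised on the way in."""
    return [
        minimise(Record("u1", "order_fulfilment", now - timedelta(days=30), "direct",
                        {"name": "A. Example", "email": "a@example.test",
                         "shipping_address": "1 Example St", "date_of_birth": "1990-01-01"},
                        shared_with=["courier-co"])),
        minimise(Record("u1", "newsletter", now - timedelta(days=3 * 365), "direct",
                        {"email": "a@example.test", "ip_address": "198.51.100.7"})),
        minimise(Record("u2", "newsletter", now - timedelta(days=10), "list-broker-ltd",
                        {"email": "b@example.test"})),
    ]


if __name__ == "__main__":
    store = demo_store(NOW)
    print("fields kept after minimisation:", [sorted(r.data) for r in store])
    print("expired:", [(r.subject_id, r.purpose) for r in store if is_expired(r, NOW)])
    store = purge_expired(store, NOW)
    print(export_subject(store, "u1"))
    store, notify = erase_subject(store, "u1")
    print("recipients to notify:", notify, "| remaining subjects:", {r.subject_id for r in store})
```

Running the script shows the date of birth and IP address stripped at ingestion, the three-year-old newsletter record purged, an export for `u1` that names the courier it was shared with, and an erasure that returns that courier as a party to be notified. In a real system the same metadata (purpose, collection time, source, recipients) would live next to the data in the database schema so that the audit described above is a query rather than a manual exercise.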


If you're concerned about GDPR compliance, you're not alone. Many companies unknowingly skip some of the most essential steps in GDPR compliance and later receive a rude shock when they are faced with unhappy customers or a regulator's inquiry.

But the experts and professionals at Ketch are here to help. If you're unsure whether you've covered all the bases for GDPR compliance, contact us, and we'll help you figure it out. We are experts on GDPR, as well as privacy compliance tools.

The Road to GDPR & CCPA/CPRA Compliance: Not Exactly One and the Same

There’s no doubt that the EU General Data Protection Regulation (GDPR), which took effect in May of 2018, set into motion a growing awareness of how companies around the world handle consumer privacy data. GDPR set the stage for the introduction of global data privacy regulations, as evidenced by the California Consumer Privacy Act (CCPA), which was signed into law on the heels of GDPR and went into effect on January 1, 2020. And CCPA protections will soon be expanded when it is superseded on January 1, 2023 by the California Privacy Rights Act (CPRA), approved by California voters in November 2020.

The first law of its kind in the United States, CCPA/CPRA is often equated to GDPR. But while they both aim to give consumers control over how their personal information is collected, used, and shared, there are several differences between these two regulations that impact who is affected, what companies need to do to comply, and the risks associated with noncompliance. 

If your business is global and online, there’s a good chance that you’re subject to both CCPA/CPRA and GDPR, and just because you comply with one, doesn’t necessarily mean you comply with both. Let’s take a look at the top 5 areas where the two regulations differ.

Who and What Information is Protected?

CCPA/CPRA was established specifically to protect the rights of California residents, which the law defines as “a natural person who is a California resident” living in the state for any reason other than temporary or transitory purposes, as well as anyone living outside of the state who is considered a legal California resident. The law is aimed at consumers of household goods and services, employees and anyone involved in business-to-business transactions. In contrast, GDPR states that it protects ANY living identified or identifiable natural person, and that person does not need to be a citizen or resident of the EU. What matters is the processing: the GDPR applies to controllers and processors established in the EU, and to those outside it that offer goods or services to, or monitor the behaviour of, people in the EU. This is a much broader scope, tied to where the data subjects are and where the business is established rather than to citizenship.

CCPA/CPRA and GDPR both have broad definitions as to what constitutes personal data, which includes any information that can identify a consumer such as name, IP address, email, social security number, online cookie identifiers, etc. While similar in scope, CCPA/CPRA is more specific in clarifying the various categories of personal information and also clearly states that it includes anything that can be linked to a household as well as a consumer. GDPR does not specifically mention households, but in practice household-level data falls within it, since information that identifies a household can generally be linked to the identifiable individuals in it.

It was previously thought that the two regulations varied greatly when it came to sensitive information since CCPA did not originally fully address this category. However, CPRA now clearly addresses such information as geolocation, biometric data, health information, race or ethnic origin, sexual orientation and the likes. With that change, the only real significant difference in terms of what information is protected is that GDPR covers publicly available data while CCPA/CPRA does not. 

Who Has to Comply?

According to CCPA/CPRA, any for-profit entity doing business in California that meets any one of the following thresholds is required to comply:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA come 2023)
  • Earning more than half of your annual revenue from selling personal information

Under this definition, your business does not need to be physically located in California, or even in the U.S. for that matter. The revenue threshold of $25 million also applies to ALL revenue, not just revenue attributed to California residents. Additionally, the definition of “selling personal information” is not confined to the classic sense of the word but rather includes disseminating or disclosing information in any way (click here for more on what constitutes a sale under CCPA/CPRA).

Unlike CCPA/CPRA, GDPR does not define revenue or volume thresholds. It applies to any organization established in the EU, and to ALL companies that offer goods or services to people in the EU or that monitor their behaviour, irrespective of the company’s location. This essentially means that even if your company has minimal presence in the region with no established EU location, if you do business aimed at people in the EU, you need to comply. And don’t assume that you’re safe just because you aren’t selling into EU markets: if your website is accessible from the EU and you profile or track its visitors, you may be monitoring the behaviour of people in the EU, even if you never receive a single euro from them.

What Rights Do You Need to Provide?

Under the right to be informed, CCPA/CPRA and GDPR both require businesses to provide information in advance, via a privacy notice, about the personal data they collect and how it will be used. Both regulations also establish the right of access, allowing consumers to know what personal information an organization holds. The right of access also requires you to provide a means for consumers to submit requests, to disclose all categories of personal data, and to deliver the information to the consumer. There are some differences on timing: the right of access under CCPA/CPRA applies only to information collected in the 12 months prior to the request, with a deadline of 45 days to respond, while GDPR applies to all information held, with one month to respond. Both regulations allow extensions with notice (a further 45 days under CCPA/CPRA; up to two further months under GDPR for complex or numerous requests).

CCPA/CPRA and GDPR opt-out rights are similar in their overriding objective, but there is a substantial difference in how they are framed. CCPA/CPRA requires the right to opt out of the sale of personal information to third parties and requires a clear and conspicuous “Do Not Sell My Personal Information” link on a website’s homepage. GDPR has no sale-specific opt-out. Instead it provides an absolute right to object to processing for direct marketing, which the business must honour with no exceptions; a general right to object to processing based on legitimate interests or a public task, which the business may override only if it demonstrates compelling legitimate grounds that outweigh the individual's interests; and the right to withdraw consent at any time where consent was the lawful basis.

While both regulations also give consumers the right to have their personal information deleted, one key difference is that GDPR also gives consumers the right to request that an organization correct any inaccurate or incomplete personal information. CCPA did not include a right of rectification; CPRA adds a right to correct inaccurate personal information from January 1, 2023, so the gap narrows once CPRA is in force.

How Do You Ensure Security of Privacy Data?

CCPA/CPRA and GDPR are similar in that businesses need to ensure an appropriate level of security for personal information, but GDPR states this as a direct obligation, requiring technical and organisational measures appropriate to the risk (its examples include pseudonymisation and encryption, ensuring confidentiality, integrity, availability and resilience, and regular testing of those measures). CCPA/CPRA states the duty to implement reasonable security mainly through consumer rights: if nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to maintain reasonable security measures, consumers have a private right of action, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Encrypting stored personal data therefore matters under both regimes: GDPR names it as an expected measure, and under CCPA/CPRA it takes a breach outside the scope of the private right of action.

What Are the Risks of Noncompliance? 

Penalties for noncompliance with CCPA/CPRA and GDPR both aim to hit where it hurts: your bottom line. GDPR fines are tiered by severity: up to 2% of annual global revenue or 10 million euros, whichever is higher, for failures such as inadequate security or missing breach notifications, and up to 4% of annual global revenue or 20 million euros, whichever is higher, for breaches of the core principles, the lawful bases, or data subject rights. CCPA/CPRA places its penalty on individual violations: $2,500 per violation, and $7,500 per intentional violation or, under CPRA, per violation involving consumers under 16.

CCPA/CPRA has no ceiling on the number of violations, so depending on your annual revenue, penalties can add up beyond those of GDPR. An online retailer doing business with a million Californians could quickly find itself faced with $2.5 billion USD in fines if a violation hits the company’s entire data set of customers, before counting any statutory damages claimed by the consumers themselves after a breach.

Meeting your obligations under both GDPR and CCPA/CPRA can seem daunting—especially given the differences between the two and the seemingly ever-changing rules. Get in touch today to learn how Ketch can help make your company fully GDPR and CCPA/CPRA compliant.