talk to an expert
Data, Privacy

California Releases Draft Rules for CCPA

California’s Department of Justice has developed and released a draft of implementing regulations for the state’s upcoming data privacy law. The rules clarify how the state will enforce the California Consumer Privacy Act (CCPA) and explain what businesses have to do to ensure they are following the law.

The draft implementing regulations for CCPA groups the actions businesses have to take around five key components: how to notify consumers about what data is being collected; how to handle the consumer requests for information; how to verify the identity of consumers making the requests; how to handle requests for information for children younger than 16 years old; and what needs to be done to avoid discriminating against consumers who don’t want their data or sold. The comment period for the draft rules end Dec. 6.

Privacy is an “inalienable right” in California, and CCPA will reset “the power dynamic between [consumers] and businesses,” California Attorney General Xavier Becerra said at a press conference announcing the draft implementation. The CCPA “allows you to pull the curtain back and see what information companies have collected about you, so that if you want, you could have that data deleted.”

The implementation rules lay out the things businesses have to think about as CCPA becomes law. “We want businesses to understand consumers have rights,” Becerra said. “Everyone has an obligation to know their rights and responsibilities under CCPA.”

The CCPA isn’t just for businesses that collect data online. A business that “substantially interacts with consumers offline” also has to notify the consumer about the data being collected and provide an offline opt-out mechanism.

The new law also requires businesses to be “transparent” about the data’s value, so that “consumers know how their information is valuable to the business,” Becerra said. Towards that end, businesses have to clarify the “service difference” a business may offer in exchange of personal information, so that the consumer can make an informed decision.

California may be the first state to have such a far-reaching data privacy law, but it isn’t alone. However, most local laws have focused on one or two aspects of consumer privacy, such as opt-outs and collection. The breadth of California’s law means that companies have to make changes all across the data lifecycle. “We may be the first, but we won’t be the last.” Becerra said.

The law goes into effect on Jan. 1, but the rules implementing and enforcing the law won’t go into effect until July 1, said Stacey Schesser, California’s supervising deputy attorney general.

Data, Privacy

Device IDs: Driving the future of digital advertising

Mention a “cookie” and most people expect a chocolate chip treat to appear. However, when talking about digital marketing, cookies are references text files on a browser that associate bits of data to a specific user.

Cookies are created when a user visits a website to keep track of their movements within the site, helping the user remember their login, preferences, and other information. Many online retailers use cookies to keep track of the items in a user’s shopping cart as they explore the site. Without cookies, your shopping cart would reset to zero every time you clicked a new link on the site. That would make it impossible to buy anything online.

Types of Cookies
The two most common types of cookies are first-party and third-party. Both types of cookies contain browser information and can perform the same functions. However, the real difference between the types of cookies has to do with how they are created and used.

  • First-party: These cookies are originated from the primary domain visited by the user, used to personalize that users experience on that primary domain.
  • Third-party: These cookies don’t originate from the primary domain visited by the user. The most common use of third-party cookies is to track users who click on advertisements and associate them with the referring domain.

Cookies have become the most common method of identifying website users and allowing for a personalized browsing experience on a desktop (we discuss mobile below). However, with growing awareness of privacy issues, the introduction of laws like the General Data Protection Regulation (GDPR), CCPA, Apple’s ITP, Firefox’s ETP and now Chrome’s ITP, some are saying the end of cookies is near.

More on Third-Party Cookies
For the MarTech industry, ad targeting is a huge deal. Third-party cookies are used to gather the information on user behavior such as websites visited, time spend, clicks, location, and more. This information creates a unique profile of the user to show them only relevant and personalized ads.

The lifespan of third-party cookies has been threatened for a while. In 2017, Apple first released ITP aka Intelligent Tracking Prevention for the Safari browser. With ITP 1.0, Safari wanted to prevent third-party cookies from tracking users across different sites. And now, they have ITP 2.2 coming soon to strengthen that protection against user tracking.

Why You Should Care
Chrome is following in Apple’s footsteps and released a new set of controls that allow users to see all of the cookies currently stored by the browser and give them the option of blocking any trackers they don’t like. With Google Chrome accounting for nearly 70 percent of the global desktop internet browser market share, the MarTech industry is getting nervous.

The cookie also poses obstacles in the mobile space — if they even work at all. There is a new term called ‘the unreachables’, the mobile-only users, who don’t really engage on desktop computers and don’t interact with traditional media. No cookies for them.

Goodbye Cookie, Hello Device ID
The cookie isn’t dead yet, but as protection against user tracking, browser privacy and the growth of mobile users continues to grow, device IDs will be redefining the role and the usefulness of cookies.

Cookies don’t deliver the holistic view that device IDs do. Device IDs provide better and more reliable data. They present a clear view of a user based on deterministic data across longer, if not indefinite, stretches of time. Cookies only track a single session and the average “lifespan” of the cookie is no more than three weeks, creating discrepancies when measuring long term user journeys.

Device IDs are a more efficient way of targeting and reaching customers via connected devices more accurately. There is a science of how to properly collect and curate accurate device IDs to an individual and if done right, ad spend will be utilized wisely and profitably, if it’s done wrong, spending and ROI will be disastrous.

Device IDs will drive this future; cookies will not.

CCPA, Data, Privacy

How is CCPA Different from GDPR?

The California Consumer Privacy Act has been coined California’s GDPR, referring to the comprehensive data protection law that took effect in May 2018 in Europe, just one month before the CCPA was passed. The CCPA, which is set to take effect January 2020, creates new rights for Californians and other obligations for businesses handling their information. The CCPA is said to be a model of the GDPR, however, there are some clear differences between each legislation.

Both the CCPA and the GDPR give individuals certain rights to how their personal information is collected and used, but there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than that of the GDPR. Even though the CCPA does not go into effect until 2020, we are already seeing it influence federal legislation.

Understand the similarities and differences between the GDPR and CCPA.

Who It Protects
‘Consumers’ who are California residents ‘Data Subjects’ in the European Union
Personal Information
Defined as any information that ‘identifies, relates to, describes, is capable of being associated with, or could reasonability be linked directly or indirectly, with a particular consumer or household.” This includes not only identifies like name or address, but extends to browsing history, behavioral data and more. Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually mean data like address, license plate numbers, SSN, blood type, bank account information, and more.
Rights Granted
Grants consumers five rights:

1. The right to disclosure

2. The right to deletion

3. The right to access

4. The right to opt-out

5. The right to non-discrimination

Grants data subjects eight rights:

1 . The right to be informed

2. The right to access

3. The Right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated individual decision making, including profiling

Right to Deletion
CCPA right to deletion applies to data collected from and about the consumer GDPR right to deletion applies to all data collected about the consumer
Who Must Comply
“California businesses” of substantial size (with regards to revenue or number of consumers affected) that collect consumer personal data Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that holds personal data of EU citizens.
Basis for Consent
Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out. Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data.
Time allowed to respond to a request
Responsible parties have 30 days to respond to a request Responsible parties have 40 days to respond to a request
Financial Penalties
Organizations in breach can be fines up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations. Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million.


While in many ways the GDPR and the CCPA align, there are notable differences between the two regulations. The GDPR’s definitions are often broader, while the CCPA has taken a more specific approach to its scope. That does not mean however that companies that are GDPR compliant don’t need to worry about the CCPA.


Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification. Stay tuned…

CCPA, Data, Privacy

The California Consumer Privacy Act: CCPA 101

Just when you settled into a post GDPR routine, there is a new consumer privacy law looming. The California Consumer Privacy Act of 2018, also known as CCPA, goes into effect on January 1, 2020, and will have implications for marketing to consumers.

In a nutshell, CCPA will empower people to know the types of personal information businesses collect about them, and give them the right not to agree to the sale of their personal data to other parties. More specifically, CCPA introduces the following:

  • Right to know all data collected by a business on you
  • Right to say NO to the sale of your information
  • Right to DELETE your data
  • Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
  • Mandated opt-in before sale of children’s information (under the age of 16)
  • Right to know the categories of third parties with whom your data is shared
  • Right to know the categories of sources of information from whom your data was acquired
  • Right to know the business or commercial purpose of collecting your information
  • Enforcement by the Attorney General of the State of California
  • Private right of action when companies breach your data

What Businesses Will Be Affected by the CCPA?
While the CCPA could be influential in shaping additional consumer data regulations, for now the law’s scope is limited to mid-to large-sized businesses that do business in California. Companies are subject to the terms of the CCPA when they meet one of the following conditions:

  • Annual revenue exceeds $25 million
  • Company receives data from at least 50,000 people, households, or devices every year
  • Company earns at least 50 percent of its annual revenue from selling personal data

Are There Any Penalties?
Currently, penalties in the law can include up to $7,500 per incident. Meaning that a data breach involving 10,000 customers could end up costing a business as much as $75 million.

When Does the CCPA Go into Effect?
Technically, the CCPA went into effect when it was signed into law on June 28, 2018. However, the requirements will go into effect on January 1, 2020. That said, January 1 is not the end of the line. The California Attorney General has until July 2, 2020 to publish regulations. (Legislation is what the legislative body passes. Regulations are the standards for enforcing the law.) Also, the Attorney General cannot bring legal action against violators of the CCPA until either July 1, 2020 or six months after the final regulations are published, whichever comes first. More to come…


Data Quality And Protection With GDPR

Everyone is talking about the General Data Protection Regulation, also known as GDPR, but do you know exactly what it means? How it will impact individuals and companies? Or better yet, how to prepare for it?

What is GDPR?
GDPR is a set of regulations designed to give individuals in the European Union (EU) more control over their personal data. It enforces strict new rules on controlling and processing personally identifiable information (PII). These regulations also extend the protection of personal data and data protection rights by giving control back to the people of the EU.

What is considered personal data under the GDPR?
Personal data under the GDPR is defined to include personally identifiable data points like name and email address, as well as less precise data points like cookies, device IDs (MAIDs), and IP address.

When is GDPR happening?
Beginning May 25 2018, the EU’s General Data Protection Regulation will bring about the greatest change to European data security in 20 years.

What companies are impacted by GDPR?
GDPR applies to all companies and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even non-EU established companies will be subject to GDPR. If your company is collecting data on individuals in Europe, then it’s subject to GDPR.

Why does GDPR matter to a company?
There are penalties for those companies who don’t comply with GDPR. Those fines are defined as up to 4% of annual global revenue or 20 million Euros, whichever is greater.

Throtle and GDPR
GDPR validates what Throtle has said from day one: data is the most valuable asset in today’s digital world. And while GDPR does create certain challenges for companies, it also creates opportunity.

Domestic companies should use best practices to comply with the GDPR regulations, i.e. scrubbing all data and domains so they are free of any EU data, having data suppliers verify they are not collecting EU data and clearly posting privacy and GDPR policies on their sites.

Companies like Throtle, who show they value an individual’s privacy, are transparent about data usage and the management of customer data, build deeper trust with their clients.

For more information about the EU GDPR please visit

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound