1. What is GDPR

GDPR stands for General Data Protection Regulation.

It is a legal framework that protects the data privacy rights of anyone who lives in the European Union, as well as people in Iceland, Liechtenstein, and Norway - countries that are part of the European Economic Area (EEA) single market - and Switzerland.

Note - the UK’s Data Protection Act (DPA) was amended in 2021 to integrate EU GDPR requirements. So, while the country is not technically covered by the GDPR post-Brexit, its data privacy regulations are very similar.

A Brief History of GDPR

The European Commission started planning the bill in January 2012, as it looked to reform the Union’s data protection regulations. 

Agreement by the European Parliament and Council was reached in April 2016, and GDPR came into force in May 2018.

GDPR takes the place of the EU’s Data Protection Directive - an archaic, decades-old law whose minimal standards for processing data inadequately protected personal information in our modern digital age.

Today, GDPR is considered one of the strictest data privacy laws in the world, and its impact since 2018 has been striking - countries and sub-states have used it as a model for building their own data privacy laws, companies have been hit with multi-million-dollar non-compliance fines, and online marketing will never be the same again. 

GDPR opens consumer access to the personal data held by companies and restricts what companies can do with this information.

What are Consumer Rights under GDPR?

GDPR is built around the protection of the eight basic rights of data subjects, as laid out in Articles 12-23:

For a better grasp of all the lingo, you can refer to our Glossary of Terms.

What does GDPR Consider Personal Data?

The EU GDPR only applies to personal data, which it considers to be any information that relates to an identifiable person. Anything that can confirm your physical presence somewhere is also classified as personal data under GDPR - this includes things like CCTV footage and fingerprints.

What does GDPR Consider Sensitive Personal Data?

The GDPR places certain types of sensitive personal data into a “special category” that must be treated with extra security. This includes information related to:

  • Political opinions
  • Race or ethnicity
  • Religion or philosophical beliefs
  • Sexuality or a person’s sex life
  • Trade union membership
  • Genetic information
  • Biometric data - when processed to identify someone

What are the Penalties for Non-Compliance with GDPR?

GDPR requirements are enforced by the national data protection authorities of EU and EEA member states, and by private right of action - as with Max Schrems and his noyb advocacy group.

It has established a two-tier sanctions system, and companies found to have breached GDPR can be fined either:

  • Up to €10 million, or 2% of the worldwide annual revenue from the previous year - whichever is higher
  • Up to €20 million, or 4% of the worldwide annual revenue - whichever is higher.

Who does GDPR Apply To?

According to the European Commission, GDPR applies to:

  1. A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or,
  2. A company established outside the EU that offers goods/services (paid or free) to, or monitors the behavior of, individuals in the EU

Effectively, GDPR applies to companies that collect data from or market to the European Union, or are prepared to serve citizens and residents there. 

In practice, compliance is mandatory for any company that makes its website or services available to EU citizens. 

It's even mandatory for companies that hold the personal data of just one person living in the EU - even if there is no company office in the Union. 

Who does GDPR Not Apply To?

Since GDPR reaches outside the territorial scope of the European Union, the number of formal GDPR exemptions is very small:

  1. Companies that actively discourage the processing of EU citizen data
  2. Companies that process EU citizen data, without directly targeting subjects or monitoring their behavior 

The European Commission states that some GDPR obligations - such as the appointment of a Data Protection Officer - will not apply to companies for which processing personal data isn’t a core business activity.

Informal Exemptions to GDPR

There are a range of scenarios that free companies from the oversight of GDPR.

If you’re not operating in the EU, you may be exempt from GDPR if you don’t use an EU language or currency and don’t refer to EU consumers. This is tricky, given how widely some of these languages are used around the world, so your intent is important.

You’d need to also ensure that EU residents can’t register for an account or purchase anything.

If your company does collect data, you may be exempt if you don’t process personal data - i.e. anything that can be used by itself to identify someone. Anonymous data is also not covered by GDPR.

There remain some specific scenarios that fall outside the scope of GDPR - they don’t apply to many private companies and vary from EU country to EU country.

Overall, they relate to very specific parts of the GDPR. Particular companies might not need to provide people with the personal data on file, or they might not need to communicate certain information in their privacy notice. Here are some examples:

  • Law enforcement is exempt from GDPR in specific situations
  • Journalism is exempt from GDPR, if compliance means suppressing press freedoms
  • Universities are exempt from giving students access to exam papers in specific situations.

What are GDPR’s Key Principles?

Article 5 establishes seven principles that act as an overarching framework to guide the handling of personal data. Data controllers must comply with these principles, and be able to demonstrate adherence at any time.

1. Lawfulness, Fairness, and Transparency

Lawfulness means that you should have a good reason for collecting and processing data. 

Fairness means you should never purposely withhold your reason for collecting and processing data, and that you won’t mishandle or misuse it.

Transparency means being open, clear and honest with data subjects about who you are and what you’re going to do with personal data.

2. Purpose Limitation

GDPR states that personal data is “collected for specified, explicit and legitimate purposes”. 

You must clearly establish your purpose for collecting data, communicate this to users in a privacy notice and ensure that your activities stay within these set limits. If not, you must acquire further consent from users, unless there is a legal precedent for doing so.

3. Data Minimization

This means collecting the least amount of data required to deliver your objective.

4. Accuracy

This means that all the data you collect and store must be correct. It requires setting up systems and regular audits to ensure that incorrect data is corrected, updated, or deleted.

5. Storage Limitation

GDPR forces you to justify how long you store personal data for. This can be done by establishing a storage limitation policy and anonymizing data once the set time period is over.

6. Integrity and Confidentiality (Security) 

This means you are required to keep personal data secure from internal and external risks, and protect it from unauthorized processing as well as accidental loss or damage.

7. Accountability

Companies must have appropriate processes, procedures and documentation in place to prove compliance with data processing principles, and supervisory authorities have the power to demand evidence of this at any time.

Understanding GDPR compliance

GDPR has established a new standard for the data protection of EU citizens and residents, and presents a challenge to companies that risk huge fines for non-compliance.

GDPR outlines certain obligations organizations must follow, which limit how personal data can be used.

It also defines eight data subject rights that guarantee specific entitlements for an individual's personal data, ultimately giving individuals more autonomy over their personal information and how it is used.

But following GDPR requirements is not enough on its own, which raises the question: what is GDPR compliance?

Companies must also be able to demonstrate on demand that they have policies and procedures in place to ensure that the data flow is secure at every point of the customer journey.

Compliance requires a full database audit, introducing opt-in consent systems, and establishing your legal basis for the data you collect.

Companies will also need to look into cookie consent, standard privacy policy wording, privacy notices and third party activities. 

They’ll have to conduct risk assessments, secure data and prepare for breaches. 

Everything to do with data needs to be permanently and accurately documented - all to ensure that the data rights of EU users are respected at all times.

GDPR compliance should be seen as an opportunity. Privacy has long been a key concern for consumers, and adhering to stricter data regulations will build trust with consumers.

2. CCPA and other data privacy standards

As social and economic activities continue to migrate online, so too the importance of privacy and data protection continues to grow.

Countries around the world are taking steps to reform their legislation on the collection, use and sharing of personal data without the explicit consent of consumers - a resource now more valuable than gold (Economist).

What is the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law. Introduced in 2020, it regulates the handling of the personal information of California residents.

It only applies to commercial companies.

A Brief History of CCPA

The California Consumer Privacy Act started life as a ballot proposal by a privacy group called Californians for Consumer Privacy. The initiative’s official language was approved by the Department of Justice on December 18, 2017, enabling the privacy group to start collecting signatures.

The CCPA was passed in the state legislature and signed by State Governor Brown on June 28, 2018. Five amendments were then enacted and signed by State Governor Newsom on October 11, 2019. The CCPA came into force on January 1, 2020, and necessitated the withdrawal of initiative 17-0039 of the Consumer Right to Privacy Act.

It is the first law of its kind in the US, and other states will be paying close attention to the practical implications as they create privacy laws of their own.

It will be replaced by the more expansive California Privacy Rights Act (CPRA) in 2023.

While a federal data privacy law for the US remains out of reach, compliance with the California Consumer Privacy Act (CCPA) is still a challenge. Only 11% of companies fully meet the regulation's standards, according to research from Cytrio. The report is based on a six-month study of 5,175 US companies with revenues ranging from $25 million to over $5 billion.

The law begins by listing the five rights it has been designed to protect, so that’s a good jumping-off point:

  1. The right of Californians to know what personal information is being collected about them
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom
  3. The right of Californians to say no to the sale of personal information
  4. The right of Californians to access their personal information
  5. The right of Californians to equal service and price, even if they exercise their privacy rights

Sanctions for CCPA non-compliance

This law has introduced potentially crippling fines for the misuse of data. 

It has given the Californian Attorney General the power to fine companies up to $2,500 per violation - increasing to $7,500 if there was clear intent. 

Companies that suffer a data breach also risk a class-action lawsuit and payment of up to $750 to each affected consumer.

However, the law does give companies 30 days to rectify any misuse of data, if applicable.

CCPA has often been referred to as “America’s GDPR”.

It is considered one of the strictest laws of its kind in the US and mirrors GDPR in terms of the data protection it gives California residents.

Like GDPR, CCPA includes the right to transparency, requiring companies to inform consumers about what data is collected, and how it is shared. It also gives consumers the right to access, delete, and opt-out of any data activity on request.

The CCPA provides some of the eight GDPR rights of data subjects, but is built more around two additional rights - these are implicit in GDPR, but not recognized as rights in themselves:

  • The right of Californians to say no to the sale of personal information (or “opt-out”)
  • The right of Californians to equal service and price, even if they exercise their privacy rights (or right to no retaliation)

Below is a side-by-side comparison of the two laws, row by row (GDPR first, then CCPA).

Jurisdiction of law

GDPR: Any entity processing personal data with:

  • An establishment in the EU
  • Offering goods and services in the EU
  • Monitors user behavior in the EU

CCPA: Applies to any for-profit entity operating in California that does any of the following, annually:

  • Makes $25m+ in gross revenue
  • Handles personal data of 50,000+ consumers, households or devices
  • Brings in 50%+ of revenue from selling the personal information of consumers

Enforcement

GDPR:

  1. National data protection authorities
  2. Private right of action

CCPA:

  1. Californian Attorney General
  2. Private right of action for breaches reportable under CCPA

Extent of fines

GDPR: A two-tier sanctions system; national data protection authorities are empowered to fine companies either:

  • Up to €10 million, or 2% of the worldwide annual revenue from the previous year - whichever is higher
  • Up to €20 million, or 4% of the worldwide annual revenue - whichever is higher

CCPA: The Californian Attorney General is empowered to fine companies:

  • Up to $2,500 per violation - increasing to $7,500 when data misuse was clearly intended
  • Up to $750 per consumer affected by a data breach, through class-action lawsuits

Companies are given a 30-day rectification period, if applicable.

Data Protection Officer obligations

Scope of information concerned

GDPR: Personal data related to a person - including device-identifying data.

CCPA: Personal data “capable of being associated with” a consumer or household.

Covers employees

Discriminates between processors and controllers

GDPR: Yes, with clearly defined obligations for each of them.

CCPA: Distinguishes between businesses and service providers, but the differences in their obligations are poorly defined.

Additional restrictions on sensitive data

Respects right to access

Respects right to erasure

Respects right to rectification

Respects right to portability

CCPA: Yes, but only implied in relation to the consumer right of access to personal information.

Respects right to restrict processing

Respects right to be notified

CCPA: Requires that companies notify consumers “at or before the point of collection” of the type of personal information collected and what it will be used for.

Respects right to object

CCPA: Consumers have the right “to say no to the sale of personal information”.

Respects right to reject automated decision-making

No retaliation (right to not be discriminated against)

Interpretation of consent

GDPR: Consent must be freely given, specific, informed, unambiguous and withdrawable (usually through an opt-in).

CCPA: Consent required for the sale of personal information. Certain actions require explicit opt-in consent, such as the sale of children’s data.

Compels privacy policy disclosures

Requires new homepage link

CCPA: Requires a homepage link stating “Do Not Sell My Personal Information”

Data retention obligations

Restrictions to profiling

Restrictions to international data transfers

Provides special considerations for children

Data security obligations

Data breach reporting obligations

Contracts with Service Providers

CCPA: Not mandatory, but beneficial

‘Privacy by design’ obligations


What other privacy standards are there?


GDPR has inspired a wide range of national legislation that offers similar - though not identical - levels of data protection.

Below is a list of countries that the European Commission believes have laws adequate for data protection under GDPR:

Personal Data Protection Act No 25,326, constitutional protections 

Personal Data Protection Law 
Individuals risk a potential one-year prison sentence for unlawfully transferring personal data out of the country.

General Data Protection Law LGPD 

Personal Information Protection and Electronic Documents Act (PIPEDA) 

Data Security Regulations 

Act on the Protection of Personal Information (APPI) 

Data Protection Act 

Data Protection Act 

New Zealand
Privacy Act 

Data Protection Regulation 

Law No. 6534/20 on the Protection of Personal Credit Data

Law No. 13 

South Africa
Protection of Personal Information (POPI) Act 
Like a number of African data protection regulations, POPI distinguishes itself from GDPR in that it only applies to South African companies processing data within the country, and is less strict on consent for non “special category” data.

South Korea
Personal Information Protection Act (PIPA) 
2011, 2020
Considered one of the strictest data privacy laws in the world.

Personal Data Protection Act 

Law on Protection of Personal Data No. 6698 

United Kingdom
Data Protection Act (2018)
The law was amended from 2021 to integrate requirements from the EU GDPR.

Data Protection and Privacy Act 

Act on the Protection of Personal Data and Habeas Data Action 

If you want to find a law that hasn’t been mentioned here, find the full list on UNCTAD's data privacy information portal.

3. Latest GDPR News

GDPR is in the news constantly of late.

In this section, you will find the latest GDPR news today. It covers GDPR enforcement, data breaches, and updates on data protection policies - both in Europe and across the world:


GDPR Top Stories

France - the Latest DPA to Declare Google Analytics Illegal

February, 2022 - France’s data privacy authority has ruled that Google Analytics is in breach of GDPR Article 44, which prohibits the transfer of personal data outside of the EU/EEA unless the recipient country can provide adequate data protection.

This decision comes hot on the heels of the Austrian Data Protection Authority’s similar ruling on Google Analytics in the private action brought to court by Max Schrems.


IAB Europe Fined €250,000 by DPA for GDPR violations

February 2022 - Belgium's data protection authority has fined Europe’s digital marketing and advertising association €250,000 for GDPR violations relating to its Transparency and Consent Framework (TCF).

The decision to sanction IAB Europe and limit the use of TCF, along with the requirement to delete all current data, will impact publishers, advertisers, tech companies, and big tech companies like Google and Amazon. 


CJEU Strikes Down EU-US Privacy Shield

July 2020 - The Court of Justice of the European Union (CJEU) has this week ruled that companies cannot store EU citizen website traffic data in the US.

This landmark decision effectively terminated the bilateral agreement between the EU and US on data sharing, and has widespread implications for many companies - including the biggest players in the tech industry.


GDPR News Archive 

GDPR Enforcement News

Biggest Financial Penalties to Date

  1. July 2021 - Luxembourg - €746 million - Amazon - Inadequate cookie consent policy.
  2. September 2021 - Ireland - €225 million - WhatsApp - Data processing poorly explained in privacy notice.
  3. January 2022 - France - €90 million - Google Ireland - Inadequate cookie consent procedures on YouTube.
  4. December 2021 - France - €60 million - Facebook - Inadequate cookie consent procedures.
  5. January 2022 - France - €60 million - Google LLC - Inadequate cookie consent procedures on YouTube.
  6. June 2020 - France - €50 million - Google - Inadequate privacy notice.
  7. October 2020 - Germany - €35 million - H&M - Monitoring of employees without consent.
  8. February 2020 - Italy - €27.8 million - TIM - Variety of unlawful actions, mostly relating to unsolicited contact.
  9. October 2020 - UK - €22 million - British Airways - Data breach affecting 400,000 customers.
  10. October 2020 - UK - €20.4 million - Marriott - Data breach of guest reservation database.

Updates on Other Data Protection Policies

New Privacy Laws

February 2022 - Californian lawmakers are drafting a new bill to protect the personal online data of children. This follows on from the UK’s recently enacted Children’s Code regulations.

December 2021 - Zimbabwe brings into force its first privacy act - the Data Protection Act No. 05/2021.

December 2021 - Jordan’s Council of Ministers approved the 2021 Personal Data Protection Draft Law, submitting it to the kingdom’s House of Representatives.

October 2021 - Rwanda brought into law its first data protection legislation, Law No. 058/2021.

October 2021 - An amendment to Hong Kong’s data protection laws came into force, criminalizing doxxing.

September 2021 - Singapore’s Personal Data Protection Commission publishes its revised privacy guidelines.

August 2021 - Japan’s Personal Information Protection Commission issued guidelines for the 2020 amendments to its Act on the Protection of Personal Information (APPI), clarifying previously unclear aspects of the law.

September 2021 - China’s Data Security Law comes into force.

August 2021 - Cape Verde amends its 2001 Data Protection Act, bringing it closer to GDPR on a number of key privacy issues.

June 2021 - The European Commission launches talks aimed at adopting an “adequacy decision” for the transfer of personal data to South Korea. This means that it is happy that South Korean data privacy laws meet GDPR requirements.

April 2021 - Burkina Faso enacts its Data Protection Act, replacing outdated legislation from 2004.

March 2021 - Zambia enacted the Data Protection Act, becoming the 31st African country to pass data protection legislation.

Regulations and Guidance

December 2021 - Senegal’s data protection authority released regulations related to data retention periods for different classifications of data that range from six months to 10 years.

December 2021 - Kenya published its Data Protection Regulations, which flesh out its 2019 Data Protection Act. They tighten up national privacy laws on a range of issues that would be recognizable to anyone who has been following the GDPR.

June 2021 - South Africa issued POPIA guidance notes on the processing of special personal information and the personal information of children. This followed instructions in March and April on applications for prior authorization and exemptions for the unlawful processing of personal information respectively.

March 2021 - Uganda adopted its Data Protection and Privacy Regulations - this complements its Data Protection and Privacy Act and provides further details on issues that include its data protection authority, data management obligations, and data subject rights.

4. The Implications of GDPR on Digital Marketers

GDPR is a huge obligation for marketers.

Digital marketing is all about using websites, search engines, emails, and social media to drive consumer engagement with your company and boost revenue.

How does GDPR Affect Marketing?

GDPR and marketing go hand-in-hand, with the law introducing quite a few essential requirements for marketers.

Data Consent

Consent is a big component of GDPR requirements. In practice, this is about having opt-ins across your marketing ecosystem.

You need to actively seek explicit permission from users for the collection and use of their personal data. Pre-ticked opt-ins are yesterday’s news as, to comply with GDPR, consent needs to be a deliberate choice.

Data Access

GDPR has given EU residents more control over how their personal data is collected and used - including the ability to access, transfer or remove it. 

It is your responsibility as a marketer to ensure that you respect these wishes and have systems in place to act on these requests quickly.

Data Focus

GDPR requires that you have a legal justification for any personal data collected. 

All this means is that you only collect the data you need to provide your customer with a quality product or service.

Why Comply with GDPR?

Beyond the implications of GDPR fines, GDPR compliance brings with it a range of benefits for marketers:

  • Creates a sustainable marketing strategy
  • Increases trust with clients and customers
  • Optimizes data accuracy, organization, and security
  • Upgrades available martech options
  • Improves relationships with DPO, C-Suite, and other departments
  • Gives peace of mind from conducting business in an ethical fashion

How to Comply with GDPR? 

GDPR & Your Website

The information gleaned from website cookies has long been a useful tool for marketers in the digital age, enabling them to personalize outreach based on behavioral analysis that follows users around the internet.

However, GDPR requires consent for cookie collection - consent that is clear, specific, and unambiguous. 

Users must also be able to withdraw their consent at any time.

GDPR & Your CRM

Marketers need to consider how they collect, process, and handle data. With regards to the CRM, you need to look at:

  • Kind of data: companies can only collect and store data that they can legally justify to provide consumers with their product or service
  • Data storage and transfer: companies should encrypt personal data to secure it from the risk of unauthorized access or a data breach
  • Data processing: companies should process personal data in a way that prevents it from being used to identify data subjects
  • Data access: companies need to audit their systems and processes to see who has access to different types of data on file.
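A constructed example of how the storage limitation principle (section 1, principle 5) and the CRM checklist above can be put into practice in code. It is an added illustration, not code from the original article or from any product it mentions: the record fields, the stated purpose, the one-year retention period, the key and the sample records are all assumptions. It walks a few CRM rows through data minimization (dropping fields the stated purpose does not justify), pseudonymization with a keyed hash (so the working copy cannot identify a person without a separately held key) and anonymization once the retention period has passed.

```python
"""Constructed GDPR-minded CRM record pipeline (not code from the page).

Three of the controls the article names, applied to made-up records:
data minimization, pseudonymization and storage limitation.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed secret. In practice this lives in a separate key store, so
# the pseudonymized dataset alone cannot be reversed.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

# Fields justified by an assumed purpose ("send order status emails").
# Anything outside this set is dropped (data minimization).
PURPOSE_FIELDS = {"email", "country", "created_at", "order_count"}

# Assumed retention policy: one year after the record was created.
RETENTION = timedelta(days=365)

# Constructed sample CRM rows (not real people).
SAMPLE_RECORDS = [
    {"email": "Ana@Example.org", "country": "ES", "created_at": "2021-01-15",
     "order_count": 3, "date_of_birth": "1990-03-04", "notes": "VIP"},
    {"email": "bob@example.org", "country": "DE", "created_at": "2022-03-20",
     "order_count": 1, "date_of_birth": "1985-11-30"},
]

# Fixed "now" so the run is reproducible.
DEMO_NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)


def minimize(record: dict) -> dict:
    """Keep only the fields the documented purpose justifies."""
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS}


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a normalized identifier.

    HMAC rather than a bare hash: an unkeyed SHA-256 of an email address
    is reversible by anyone who can guess the address and hash it.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict) -> dict:
    """Replace the direct identifier with its pseudonym.

    The result is still personal data under GDPR (the key holder can
    reverse it), but the working copy no longer identifies anyone on its own.
    """
    out = dict(record)
    out["subject_id"] = pseudonym(out.pop("email"))
    return out


def is_expired(record: dict, now: datetime, retention: timedelta = RETENTION) -> bool:
    """True once the record is older than the retention period."""
    created = datetime.fromisoformat(record["created_at"]).replace(tzinfo=timezone.utc)
    return now - created > retention


def anonymize(record: dict) -> dict:
    """Irreversibly strip identifiers once retention is over; only coarse
    fields remain, which cannot be linked back to a person."""
    return {"country": record["country"],
            "created_month": record["created_at"][:7],
            "order_count": record["order_count"]}


def process(records, now: datetime):
    """Run minimization, pseudonymization and storage limitation.

    Returns (working_records, anonymized_records).
    """
    working, archived = [], []
    for rec in records:
        rec = pseudonymize(minimize(rec))
        if is_expired(rec, now):
            archived.append(anonymize(rec))
        else:
            working.append(rec)
    return working, archived


if __name__ == "__main__":
    live, archived = process(SAMPLE_RECORDS, DEMO_NOW)
    print("working records:", live)
    print("anonymized records:", archived)
```

The distinction between the last two steps matters for the "anonymous data is not covered by GDPR" exemption mentioned earlier: the pseudonymized working rows are still personal data, because whoever holds the key can reverse them, whereas the archived rows keep only coarse fields and are no longer linkable to anyone.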

GDPR & Your Email Marketing

GDPR compliance for email marketing means preventing unwelcome or spam communications - consumers need to have opted in before entering prolonged email campaigns.

Companies need to seek explicit consumer consent for how their personal data will be used before sending out any emails. This includes when companies acquire email lists from third parties.

GDPR & Your Software

Companies developing software need to ensure that the GDPR requirements of “privacy by default and design” are built in from the beginning.

What this means is that data privacy measures are included into the software from the earliest stages of development.

5. What are the Implications of GDPR on Your Marketing Tech Stack?

At its heart, GDPR is there to protect the personal data of EU citizens - and control who a company can share this information with.

Digital marketing, and the related technology, are fueled by this personal data. 

GDPR thus considers the providers of each of these platforms in your stack - as well as other third parties who can access the personal data you hold - to be “data processors”.

Since your company remains the “data controller” under GDPR terminology, this means that you are ultimately accountable for what these platforms do with your data. 

You need to be certain of the quality of this data, how it is collected, and how it flows through your martech ecosystem.

GDPR-Compliant Software Solutions

For marketers, software solutions refer to the tools that enable them to market in a smarter way - so as to better achieve their digital goals.

It’s a huge industry, with the global marketing technology market estimated to be worth $344.8 billion in 2021 (MarTech Alliance).

Martech’s growth has been striking, and the landscape has changed dramatically between 2011 and 2020. 

Figures from Martech Alliance show that the number of vendors has skyrocketed from 150 to 8,000 during this time - that’s a 5,233% increase, illustrating the importance of this technology to companies today.

Why is Martech Important?

It’s common for various departments within a company to operate in silos, with sub-optimal collaboration processes. 

When used properly, Martech can remove these silos and bring departments closer together - enabling them to work more effectively towards shared goals, while delivering a better customer experience.

Some other benefits of Martech include:

  • Better content creation: improve a marketer’s understanding of how effective their content delivery is, enabling them to understand performance, optimize experience, and deliver tailored content
  • Improved efficiency: automate repetitive and time-intensive tasks, enabling employees to focus on other things
  • Improved consumer targeting: create strategies tailored to each individual customer, resulting in stronger customer relationships, greater trust, and repeat business.

Issues with Adoption

While technology is constantly changing, organizations can remain somewhat inflexible. Martech can empower companies to keep up with increasing customer expectations, but they must utilize their solutions effectively.

What Categories of MarTech are there?

The range of martech options is wider than ever before.

While there is obviously some overlap, martech options largely fall into the following six categories:

1. Advertising

Integrate different advertising and promotion platforms used for paid ads and streamline the following areas:

2. Content Performance

Improve your content creation, automation, and other processes. Examples include:

  • Search engine optimization (SEO)
  • Content management systems (CMS)
  • Digital asset management (DAM)

3. Data and Analytics

Streamline data collection and analysis; optimize your website, improve product UX etc. Examples include:

  • Customer data platforms (CDP)
  • Data management platforms (DMPs)
  • Website analytics
  • Predictive analytics

4. Management

Used for improving managerial collaboration, communication, and project delivery. Examples include:

  • Budgeting and finance
  • Communication
  • Project management
  • Recruitment
  • Time tracking

5. Sales

Enable your marketing and sales teams to better collaborate, automate processes, and execute sales and customer management at scale. 

Such tools can in fact connect multiple departments - beyond marketing and sales, to customer support, success, and finance too. Examples include:

  • Customer relationship management (CRM)

6. Social Media

This category of marketing technology includes:

What is a Marketing Stack?

Simply put, your marketing stack is the collection of various technologies that your department is using. 

As individual tools, they will typically provide only limited benefit - but, if you are able to successfully marry the data (between tools and departments) and automate processes, they can be the foundations of a successful strategy.

By developing a marketing tech stack, marketing departments can visualize how their different platforms and systems are working together, with the goal of integrating everything for an enhanced internal and external user experience.

How can you ensure GDPR compliance with martech?


  • Hire a data protection officer
  • Compile a report of martech used by your company to identify any “data processors”
  • Demand that each martech platform provides documentation of their GDPR compliance
  • Decide which martech to keep and which to replace
  • Prioritize quality over quantity when it comes to customer personal data
  • Be open about what you do with personal data
  • Sign a data processing agreement with your data processors

In the modern world, it would be nigh on impossible for companies to grow at the desired pace without an integrated Martech stack.

When used correctly, these tools optimize what can be achieved with the personal data on file. But it’s absolutely essential to ensure that each platform and each process is GDPR compliant. 

6. The Future of GDPR

GDPR was carried into the world on a wave of optimism about the future of consumer data privacy protection. 

Yet, while it remains one of the strictest data privacy frameworks in the world, its full potential has yet to be realized.

This article covers consumer privacy, GDPR and its effects on the future of marketing. It looks at the law’s successes and difficulties, before running through what the future holds for privacy laws and the companies that are at their mercy.

The positives so far

GDPR has undoubtedly increased the seriousness with which companies handle personal data, and the speed at which companies have improved security practices has been quite surprising.

Even before the massive €746 million fine given to Amazon, company board executives must have been all too aware of the risk that GDPR posed to them; it spurred huge investment in privacy policies and systems, and has created a culture of data privacy by design and accountability.

It’s projected that $9 billion will need to be spent to make the global economy GDPR-compliant (Forbes) - that’s $9 billion that is being invested in protecting the personal information of people living in the European Union. 

So, while GDPR compliance has been an endless headache for companies, it’s great news for Europe’s internet users. 

And, with the average salaries of privacy professionals increasing by more than $6,000 in just two years, GDPR has been pretty great news for them too.

Success for Brussels 

The introduction of GDPR is also a real success for the EU, making Europe the world’s data police and standard setter for international data privacy legislation.

Multinational companies also welcome the practicality of relying on a single privacy framework for compliance across all EU member states - though this has worked better in theory than in practice.

Catalyzing global data privacy reform

A rising tide lifts all boats, and lawmakers in over 120 countries are taking inspiration from GDPR when drafting their own legislation for the technology sector. This global shift towards stronger consumer rights is a further testament to the ambition of GDPR.

North America

In the US, only three states currently have GDPR-like privacy laws - these being Colorado, Virginia, and Connecticut. But this number will soon soar, with more than 30 states in the process of drafting bills. 

Looking forward, this could be all the pressure the US government needs to intensify efforts to introduce a federal law of its own, and a replacement for the now defunct EU-US Privacy Shield agreement is long overdue.

The US can take inspiration from Canada’s national privacy legislation, with PIPEDA recognized by the European Commission as meeting many of the requirements of GDPR despite - chiefly - a different understanding of consent as the legal basis for data processing.

Africa

Africa is lagging behind Western pacesetters. There has been a drive from the African Union to catalyze GDPR-like legislation across the continent, and half of the continent’s 54 countries have introduced data privacy laws of their own. 

South Africa has finally passed its Protection of Personal Information Act (POPI) after five years of work.

But while many of these share key GDPR principles, the continent as a whole lacks enforcement mechanisms and wider disparities provide challenges for multinational organizations operating there. 

There is also insufficient funding for the training of civil servants on the subject of data privacy, while the continent’s reliance on cybercafes instead of personal devices makes controlling the misuse of personal data harder. 

Overall though, data privacy laws in Africa have developed substantially over the last 3 years and the general trend is positive.

South America

The continent’s data privacy legislation dates back further than that of the US, and the pace of reform in recent years has been striking.  

But, while Latin America has long modeled its privacy laws on European precedents to facilitate business, the lack of an overarching framework for the continent is a challenge for multinational organizations. 

Under a deal with MERCOSUR, data transfer to the EU is reliant on member Latin American nations introducing GDPR-like legislation, but only a handful of countries - Argentina, Paraguay, Uruguay and Brazil - have taken the necessary steps so far.


Asia

Asia has also been tightening up its data privacy laws, and several countries in the region have updated legislation to bring it more in line with the European model. 

China looms large over the region, and it has introduced its own Personal Information Protection Law (PIPL).

Japanese and South Korean regulations meet GDPR standards for data privacy, and the overall trend is positive. However, the next few years will be a testing time for the region’s data privacy framework as data breaches continue to increase and regulators struggle with enforcement.

Increasing the Power of Private Citizens

The law has also provided a platform for private citizens to challenge companies in court. 

Max Schrems is the most famous example here, but there are now many more people who are using private rights of action and class action lawsuits to take companies to court. 

Enforcement is growing

As with all new laws, GDPR had teething problems and trouble finding its feet. 

According to research from DLA Piper, at least a few of the EU member states are becoming more willing to confront big tech companies, and GDPR fines increased by 700% in 2021 - with this trend likely to continue in 2022 too. 

The number of data breach notifications received by data protection authorities has also been consistently growing year after year, since the GDPR arrived on the scene in 2018.

GDPR fines have also been the spark for positive changes. 

After being hit by a €35.3m fine in October 2020, H&M responded by introducing a swathe of new measures to protect consumer personal data. 

This included appointing a new Data Protection Coordinator, as well as creating a long-term data protection strategy. 

H&M is also working on paying back compensation to the employees that were affected.

The difficulties so far

Despite these successes, challenges still remain.

Lack of Intercountry Harmonization

While GDPR is almost fully rolled out across the EU, the depth of integration varies from country to country. 

Supervisory authorities also vary in how they interpret GDPR, and enforcement can conflict with different local laws in each state.

There is also a slow turnaround in cross-border investigations at the moment.

The resulting lack of data privacy harmonization among EU member states is a real frustration for privacy professionals. It also makes the development of standardized guidance difficult.

Confusing Nature of Compliance

The fact that uncertainty about compliance still hangs over the business community does not paint GDPR in a good light. 

The wording of the law is highly ambiguous and many companies are loath to spend huge amounts of money redesigning their data systems from the ground up, if they can’t be certain that they will escape fines for the misuse of data.

Companies have also been sent into a spin by the GDPR’s overly broad definition of what a personal data breach is. 

The 72-hour breach notification requirement has also created problems for companies, resulting in DPAs being swamped with unnecessary notifications as companies jumped the gun before fully understanding what was going on.

Resistance from Big Tech

Many tech multinationals are still sticking to business models built on data-harvesting revenue. 

GDPR faces resistance from a very powerful tech lobby, and GDPR violations remain a staple of the daily news. Conflict in this very public data war has included:

  • Amazon vs GDPR
  • Apple vs GDPR
  • Facebook vs GDPR
  • Google vs GDPR
  • Twitter vs GDPR

Enforcement efforts lagging behind requests

The initial optimism around this bill has been slowly replaced by frustration at the slow pace of enforcement.

The number of privacy violations exceeds what regulators can enforce, and a great many remain unaddressed. 

In 2021, GDPR regulators were notified about more than 130,000 personal data breaches (DLA Piper).

DPAs are overworked. Between May 2018 and March 2020, data protection authorities handed out only 231 fines and sanctions - a drop in the ocean next to the 144,376 complaints filed during this time.

They’re also underfunded. A study by the web browser Brave concluded that regulators have not been given the funding needed to effectively enforce GDPR. 

As a result, data protection authorities are reluctant to take big companies to task because of the huge legal budgets available to Facebook and Google, for instance.

Crucially, the number of data protection staff working across the EU has barely increased since 2019 - again because of funding shortages.

Ireland and the one-stop-shop rule

The Irish DPC office has been underfunded for over two decades now and the workload is high. It currently has investigations open on at least 17 huge multinational firms.

This is because GDPR has a “one-stop-shop” rule, which says that companies should be prosecuted in whichever member state they choose to situate their headquarters in.

Ireland is the number 1 destination for US tech companies - meaning that the Irish DPC is leading investigations into some of the richest and most powerful Silicon Valley firms, on behalf of the whole of Europe. 

Restricting business growth and innovation

Innovation conflicts with the protection of individual rights, and GDPR appears to be seriously hampering the EU’s capacity to develop new technology. 

Knowledge of many important technologies for the future was already widespread when GDPR was being drafted, but the regulations make it all but impossible to develop or even use them.

This comes at a time when the continent desperately needs digital solutions, and there is no practical guidance about how GDPR can accommodate new technologies moving forwards.

Artificial intelligence (AI)

This is straitjacketed by strict GDPR requirements to obtain consent when processing data, putting EU firms at a competitive disadvantage next to North American and Asian competitors.

Blockchain

Blockchain is a digital database of information (like financial transaction records) that can be used and shared across a decentralized, publicly accessible network. 

This technology is seen as a powerful tool for increasing data security and can be applied to everything from the secure sharing of medical data and voting mechanisms to NFT marketplaces and cross-border payments.

A key feature of blockchain technology is that the intrinsic personal data cannot be modified without the consent of everyone involved. 

So, despite blockchain having the potential to meet GDPR objectives - like the secure flow of data and information - the law requires that consumers can request the deletion of personal information, making the two incompatible at present.

GDPR requirements for data minimisation, purpose limitation and transfer of pseudonymised data outside of the EU make it difficult to share health data.

It has also acted as a powerful check on health management during the COVID pandemic, since it restricted use of tracking data and data exchange between local health authorities.

In the last decade, Electronic Government measures have had a profound impact on the quality of the delivery of public services to citizens, though issues of privacy and security - central to GDPR - are causing momentum to be lost.

How will GDPR change in the future?

Ease of compliance

The European Commission wants to make it easier for smaller companies to comply with GDPR regulations. 

This would mean providing them with extra guidance, support and tools - like Standard Contractual Clauses, which companies can simply paste into their own customer contracts.

Ease of exercising GDPR rights

This includes extending data portability beyond just banking and telecoms.

Private lawsuits

Private right of action and class action lawsuits are clear avenues for advancing how EU citizens can exercise their rights under GDPR. 

Such private lawsuits are anticipated to become more common, and these rulings will have a powerful impact on how GDPR will be interpreted in the coming years.

Proactive rather than reactive

Overall, the GDPR enforcement during the law’s first three years has been reactive - a result of either data breach notifications or data subject complaints. 

However, data protection authorities are now becoming much more proactive in targeting companies before any non-compliance issues have been filed. 

This sophistication in GDPR enforcement is only anticipated to grow in the years to come.

Data Protection Authority effectiveness

There is a push to improve how DPAs operate, particularly given how the case against WhatsApp illustrated the convoluted nature of GDPR’s enforcement mechanisms.

Improved effectiveness includes better collaboration between member state data protection authorities, with discussions continuing on how they can better work together to enforce GDPR. There is also support for a more centralized approach to enforcement.

This harmonization includes regional consistency and matching resources to the growing number of requests.

What does the future hold for companies?

Future legislation to look out for

EU ePrivacy Regulation

This will replace the ePrivacy Directive, introducing new rules on electronic communications. A draft proposal seen in April 2021 included regulations for artificial intelligence that were in line with GDPR.

Privacy shield replacement

Privacy Shield allowed US companies to process EU citizen data, as long as they adopted the GDPR’s higher privacy standards. However, US law meant that the US government could still monitor that data. 

After Max Schrems challenged this legal conflict, the Privacy Shield was struck down. It would be in everyone's interest to agree a replacement.

An Evolving Law

Given its seismic impact on global privacy laws, it is no wonder that GDPR is taking time to bed in. 

However, since its introduction in 2018, it has undoubtedly strengthened both security measures and consumer protection.

Much has also been learnt about where GDPR has succeeded and where improvements can be made in the future.

No doubt improvements made by other countries to data privacy legislation will also influence data privacy regulation and enforcement in Europe.

7. TWIPLA - privacy-first, GDPR compliant web data

What Makes TWIPLA Privacy-first?

For us, data privacy is an undebatable principle. 

We do not sell data or pass it on to any third parties. 

Data is aggregated and anonymized, and only used to provide the website owner with the stats and insights needed for improving site performance. These details cannot be traced back to any individual. 

What Data Protection and Privacy Laws are we Compliant With?

From the very first version of our app, our priority has always been the protection and privacy of the data that our customers trust us with. 

That is why we are focused on staying up to date with every data privacy law, and making sure that we are compliant with each one: BDSG, CCPA, CPA, DPA, ePrivacy, GDPR, LGPD, PECR, PIPEDA, PIPL, PDP, POPI, VCDPA, & TTDSG.

What Web Data do we Process?

The types and amounts of personal data we process are limited to those stated in the contract with the customer. We do not share it with third parties. We only process personal data as described in our Privacy Policy.

Why and How do we Process Web Data?

At TWIPLA, we are aware of the trust that our customers place in our product and team, and our responsibility to keep your data and privacy secure. 

Therefore, we are transparent regarding the information we collect when you use our products and services, why we collect it, and how we use it to improve the service for you!

Our Terms of Use & Data Processing Agreement describe how we treat personal data in connection with the use of our App and how we take care of it.

Who has Access to Web Data?

All the data we gather for our customers is confidential information. 

TWIPLA’s employee access controls protect customer data from unauthorized access, and we use a special script to access a website owner’s data (both account data and their visitors’ data) and conduct audits to ensure the controls are enforced.

What is ISO 27001?

We are proud to be ISO 27001 certified.

ISO 27001 is an internationally recognized standard that ensures that our app meets best practices for an information security management system.

These help our organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to us by third parties — such as websites and other customers or partners.

How do we Help Customers Manage the Privacy of their Web Data?

Using the innovative TWIPLA approach to consentless tracking, companies no longer need cookies or consent banners. 

The application does this with a Privacy Center, where users can choose from four different privacy modes:

  1. Default Privacy
  2. Basic Privacy
  3. Cookieless Tracking
  4. Complete Protection

What is Default Privacy Mode?

This is the default privacy setting when you first set up the app. Using this mode, nothing is anonymized. You will be able to access the following types of data: IP Address, Page History, Returning Visitors, Approximate Visitor Location, and Screen Resolution. No cookies are used, but we do use digital fingerprinting. A consent banner is required on the site.

What is Basic Privacy Mode?

Using this mode, IP addresses are anonymized. You will be able to access the following types of data: Page History, Returning Visitors, Approximate Visitor Location, and Screen Resolution. No cookies are used, but we do use digital fingerprinting. A consent banner is required on the site.

What is Cookieless Tracking Mode?

Using this mode, IP addresses are anonymized. You will no longer be able to access page history, but you can still access data on Returning Visitors, Approximate Visitor Location, and Screen Resolution. No cookies are used, but we do use digital fingerprinting. A consent banner is no longer required, as no data is being stored.

Starting with Cookieless Tracking mode, companies can start accessing more data, legally and ethically, without losing any data to cookie consent banner rejections. 

This approach uses digital fingerprints that can later be recognized.

Unlike cookies, fingerprints are not stored on a user’s device and, therefore, cannot provide data about what the visitor does outside of the sessions on that particular site. This makes cross-tracking impossible. 

Some anonymized data is stored, but only within the analytics environment and in an aggregated form, making it impossible to associate it with the habits and history of a particular individual.

What is Complete Protection Mode?

Using this mode, IP addresses are anonymized, page history is not displayed, returning visitors are only guessed, and screen resolutions are approximate. You will still be able to access approximate Visitor Location. This is our most secure mode as no cookies, fingerprinting, or other data is stored. This means a cookie banner is not required.

Using Complete Protection, no tracking data or cookies are generated or stored and the details of a user’s device are never accessed. 

There is no digital fingerprint at all. No personal data is stored. No cookies are used. Only a unique ID. 

So, there is no need for consent - one less thing to worry about when managing a website. 

This also means that 100% of ethical statistical and analytical data is available for users to rely on when making website improvement decisions.

Is session recording and heatmap data considered personal data?

This data is not considered personal information as long as it is not linked to a specific IP address. By using Cookieless Tracking Mode and Complete Protection Mode, IPs are anonymized.

How does digital fingerprinting work?

Unlike cookies (which are set by services in the user’s browser storage), the fingerprint is already set for each browser, as a kind of user agent identifier (browser name, version, screen resolution, etc.).

What is the difference between digital fingerprinting and unique ID?

The fingerprint does not change often, while the unique ID is a different identifier that we generate on the server, as a hash, for each session.

Where is the digital fingerprinting data stored? How long is it stored? What happens with that data?

The fingerprint is NOT stored anywhere on the browser. It usually does not change, unless there is a browser version update, or an uninstallation and reinstallation. It is always calculated on-the-fly.

How is collecting data without using cookies or consent banners legal?

GDPR and other privacy laws are very specific when it comes to data that can create an approximate individual profile. By not storing any data and by not using IP addresses, activity patterns like page history, or exact locations or device settings, there is no way an individual profile can be identified.
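As an added illustration (not TWIPLA's own code), the four privacy modes described above and the fingerprint versus unique-ID distinction from the FAQ, modelled as a data minimization step in Python. The mode names and the fields each mode exposes follow the page's descriptions; the IP truncation widths, the resolution bucket size, the fingerprint inputs and the per-session ID generation are assumptions, and the anonymized IP is kept in the output only to make the truncation visible.

```python
import hashlib
import ipaddress
import secrets

# Per-mode policy. Mode names and the fields each exposes follow the page's
# descriptions; the anonymization widths and bucket size below are assumptions.
MODES = {
    "Default Privacy":     {"anon_ip": False, "page_history": True,  "exact_res": True,  "fingerprint": True},
    "Basic Privacy":       {"anon_ip": True,  "page_history": True,  "exact_res": True,  "fingerprint": True},
    "Cookieless Tracking": {"anon_ip": True,  "page_history": False, "exact_res": True,  "fingerprint": True},
    "Complete Protection": {"anon_ip": True,  "page_history": False, "exact_res": False, "fingerprint": False},
}


def anonymize_ip(ip: str) -> str:
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6 (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def approximate_resolution(width: int, height: int, step: int = 200) -> str:
    """Round down to a coarse grid so the value no longer singles out one device."""
    return f"{width // step * step}x{height // step * step}"


def fingerprint(event: dict) -> str:
    """Stable per-browser key derived on the fly from the attributes the page lists
    (browser name, version, screen resolution); nothing is written to the client."""
    material = f"{event['browser']}|{event['version']}|{event['width']}x{event['height']}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def session_id() -> str:
    """Per-session random ID generated server-side; unrelated to the device (assumed)."""
    return secrets.token_hex(8)


def minimize(event: dict, mode: str) -> dict:
    """Return the record an analytics user would see under the given mode."""
    policy = MODES[mode]
    record = {
        "mode": mode,
        "country": event["country"],  # approximate location survives in every mode
        "ip": anonymize_ip(event["ip"]) if policy["anon_ip"] else event["ip"],
        "resolution": (f"{event['width']}x{event['height']}" if policy["exact_res"]
                       else approximate_resolution(event["width"], event["height"])),
        # returning visitors: stable fingerprint, or a fresh ID per session
        "visitor_key": fingerprint(event) if policy["fingerprint"] else session_id(),
    }
    if policy["page_history"]:
        record["pages"] = list(event["pages"])
    return record


# Constructed sample visit (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENT = {
    "ip": "203.0.113.77", "country": "DE", "browser": "Firefox", "version": "115.0",
    "width": 1366, "height": 768, "pages": ["/", "/pricing", "/signup"],
}

if __name__ == "__main__":
    for name in MODES:
        print(minimize(SAMPLE_EVENT, name))
```

Running the block twice for the same browser shows the point of the FAQ: the fingerprint-based key repeats across sessions, while the Complete Protection key does not.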