GDPR, CCPA and Accedo One’s integrated vendors

For businesses operating in today's digital marketplace, data privacy isn't just a legal checkbox; it's a critical component of brand reputation. The advent of comprehensive regulations - like the General Data Protection Regulation (GDPR) and the California Privacy Act (CCPA) - has set a new global benchmark for how personal information must be handled.

Ignoring these powerful mandates can lead to significant penalties and a loss of consumer confidence. Understanding these regulations and implementing proper compliance measures is essential for modern businesses.
‍

GDPR: Europe's Privacy Framework

The General Data Protection Regulation took effect in 2018. The GDPR represents one of the most comprehensive privacy laws globally, applying to any organization that processes personal data of EU residents - regardless of where the organization is located.   

GDPR establishes strict principles for data processing, requiring organizations to demonstrate lawful basis for collecting personal data and implement data minimization practices.

The most important data protection principles according to the GDPR: 

• Lawfulness, Fairness, and Transparency: Your data processing activities must have a clear legal basis, be conducted equitably, and be fully transparent to the data subject. This means communicating clearly how and why their data is being used.
  
  
• Purpose Limitation: Data collected for one legitimate, explicitly stated purpose cannot be subsequently used for another, unrelated purpose without further consent or a new legal basis. Define your purposes precisely and adhere to them.
  
  
• Data Minimization: Collect and process only the personal data that is strictly necessary and relevant to achieve your specified purposes. Avoid excessive data collection; leaner data sets reduce risk.
  
  
• Accuracy: Maintain the accuracy and up-to-dateness of all personal data. Implement processes for correcting or erasing inaccurate data promptly.
  
  
• Storage Limitation: Retain personal data only for the period absolutely necessary to fulfill the purpose for which it was collected. Establish clear data retention policies and mechanisms for secure deletion.
  
  
• Integrity and Confidentiality (Security): Process personal data in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This mandates robust technical and organizational measures, such as encryption and access controls.
  
  
• Accountability: As the data controller, you bear the responsibility for demonstrating compliance with all these principles. This requires maintaining comprehensive records of processing activities, implementing data protection policies, and having procedures in place to prove adherence.

GDPR grants EU residents extensive rights including the right to access their data, request corrections, demand erasure ("right to be forgotten"), restrict processing, and object to certain data uses. 

Organizations must implement appropriate security measures, conduct privacy impact assessments for high-risk activities, and report data breaches within 72 hours.

GDPR official sources:

• European Union. "Regulation (EU) 2016/679 of the European Parliament and of the Council." EUR-Lex. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
• GDPR.eu. "General Data Protection Regulation (GDPR) Compliance Guidelines." https://gdpr.eu/
• GDPR-info.eu. "General Data Protection Regulation (GDPR) – Legal Text." https://gdpr-info.eu/

CCPA: California's Consumer Privacy Act

The California Consumer Privacy Act, effective from 2020, applies to for-profit businesses meeting specific thresholds: annual revenues exceeding $25 million, processing data of 100,000+ California residents annually, or deriving 50%+ of revenue from selling California residents' data.

Under CCPA, California residents have several key rights: 

• Right to Know: Consumers can request to know what personal information a business has collected about them, including the categories of information, sources, and purposes of collection.
  
  
• Right to Delete: Consumers can request the deletion of their personal information.
  
  
• Right to Opt-Out: Consumers can opt-out of the sale of their personal information.
  

Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their CCPA rights.
‍

To meet this requirement, businesses are required to provide clear links on their websites titled  "Do Not Sell or Share My Personal Information" if they engage in such practices. Organizations must also implement reasonable security measures to protect personal information and provide clear privacy policies detailing their data practices.

CCPA official sources:

• California Department of Justice. "California Consumer Privacy Act (CCPA)." Office of the Attorney General. https://oag.ca.gov/privacy/ccpa
• Osano. "CCPA Full Text - AB 375, Title 1.81.5, The California Consumer Privacy Act of 2018." https://www.osano.com/ccpa
• International Association of Privacy Professionals (IAPP). "CCPA and CPRA Resources." https://iapp.org/resources/topics/ccpa-and-cpra/

Both regulations require comprehensive data mapping, robust consent management systems, processes for handling individual rights requests, and detailed record-keeping.
‍

How does Accedo One support GDPR and CCPA? 

Accedo One provides ready-made integrations with your choice of two privacy management vendors in case either GDPR or CCPA requirements apply to you. With both solutions, you will set up, manage and track consent management in specialized tools. 
‍

OneTrust: comprehensive consent management

OneTrust offers a broad scope for privacy, security and data governance compliance without specializing in a particular industry. Accedo One’s integration gives you access to: 

• Data transparency including privacy permissions, third-party trackers and cookies with advanced scanning capabilities. 
• Capture and store cookie consent receipts and track who consented, when, and what they were told. 
• Allow individual users to manage their consent preferences and privacy rights. 
• Create brand-aligned consent banners with built-in, multilingual templates. 

OneTrust
‍

Sourcepoint: specialized consent solutions

Sourcepoint focuses specifically on consent management for digital publishers and media companies, in particular with regards to digital advertising and user data. 

• Multi-regulation consent management including geo-targeting different consent experiences globally. 
• Integrated marketing preference center moving from opt-out to opt-down. 
• Granular vendor insights and consent rate optimization. 

Sourcepoint
‍

In addition to these, Accedo One optionally provides a “Terms and Conditions” popup, requiring a first time user to read and accept the service’s terms and conditions prior to accessing the application. 

Should you choose OneTrust or Sourcepoint? There is no easy answer to this - both platforms offer thorough consent management options and a user management interface where you configure your choices. OneTrust is aimed at a wider variety of industries, while Sourcepoint is specifically focused on media. If you are interested in exploring a CMP (consent management platform), a good approach is to evaluate both platforms and choose the one that is a better fit for your needs. 
‍

How to get started

If either GDPR or CCPA apply to you and you would like to explore adding one of our integrations to your portfolio, speak to your Customer Success Manager to make them aware of the upcoming requirement. You will need to form a commercial relationship with the CMP vendor you end up choosing.