What is the General Data Protection Regulation or GDPR?
GDPR stands for the General Data Protection Regulation. The GDPR is a new European Union (“EU”) law that regulates the personal data of individuals in the EU. The GDPR harmonizes data privacy and security rules across Europe and introduces changes that require companies to update their privacy and security policies and practices.
Does the GDPR cover Jebbit’s data?
Jebbit has evaluated its services, and some of them are likely subject to the GDPR. The GDPR applies to the personal data of individuals in the EU. Personal data is defined as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (e.g., name, address, phone number, email), this definition can also include information such as online identifiers and any data tied to those identifiers.
What efforts has Jebbit taken to prepare for the GDPR?
We have made preparing for the GDPR a priority, and have reviewed and adjusted specific practices in ways intended to meet relevant GDPR requirements. For much of the data we process, we serve as a service provider (known as a “processor” under the GDPR) and we abide by the contractual commitments we have with our customers in this capacity.
What are Jebbit’s customers’ responsibilities under the GDPR?
Our brand, publisher, and agency customers with EU end users who offer goods or services in the EU may be required to comply with the regulation. If they fall under the Regulation, these customers must have a lawful basis for processing data, have in place measures to carry out EU data subjects’ rights requests, and provide adequate data security, among other requirements. Unfortunately, we cannot advise you as to whether you need to comply with the GDPR.
Will Jebbit’s services change for the GDPR?
Our services will not fundamentally change due to the GDPR. However, we continuously look to improve our services and, as we make updates to our services as offered in the EU, we will do so with GDPR in mind.
What is The California Consumer Privacy Act or “CCPA”?
The California Consumer Privacy Act (“CCPA”) of 2018 has fundamentally changed the way brands are approaching consumer consent and its importance to doing business seamlessly across the USA. Like the EU’s General Data Protection Regulation (GDPR), CCPA necessitates changes to how brands treat consumers’ data privacy. The CCPA’s requirements will go into effect on July 1st, 2020.
In simplest terms, CCPA requires brands to enable three critical functions:
- The right to knowledge – Consumers have the right to know:
  - What information a company is collecting about them
  - How that information will be used
  - If and with whom that information will be shared
- The right to be forgotten – With some exceptions, companies must delete all the information they have about a consumer at the consumer’s request
- The right to control who has access to their information – Consumers must be able to opt out of the sale of their information to third parties.
How personal information is defined
The CCPA interprets personal information broadly to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Crucially for marketers, this includes behavioral data from digital interactions between consumers and the brand, as well as any inferences the company draws from that data, such as a consumer’s preferences or buyer persona.
It’s also important to note that personal information does not need to be matched up with a person’s name—as long as that information can be identified as belonging to a unique individual, it doesn’t matter if the company can identify that individual by name or by another unique identifier, such as an IP address.
GDPR, CCPA and Jebbit’s compliance
Below is a summary table for the key requirements in GDPR and CCPA and the measures that Jebbit has taken to comply with both.
| Requirement | GDPR | CCPA | Jebbit’s measures |
|---|---|---|---|
| Scope | EU Personal Data processed | California residents’ personal data collected (Narrower) | |
| Right to Portability | Must export and import certain EU personal data in user-friendly format | All access requests must be exported in user-friendly format, but there are no import requirements (Narrower) | See Right to access. |
| Right to stop processing | Right to withdraw consent or otherwise stop processing of EU personal data | Right to opt out of selling personal data only; must include opt-out link on website (Narrower) | Under CCPA, Jebbit has service-provider relationships with its customers and as such any transfer of personal data from Jebbit to its customers and/or their partners isn’t considered sale to a third party – more here. In addition, Jebbit does not sell consumer personal data. Lastly, data collection via Jebbit includes an opt-in. |
| Right to stop automated decision making | Right to require a human to make decisions that have legal effect | Not included in CCPA (Absent) | N/A |
| Right to stop 3rd party transfer | Right to withdraw consent for data transfer involving second purposes of special categories of data | Right to opt-out of selling personal data to 3rd parties (Narrower) | See answer above for right to stop processing |