Data Privacy, GPC | Shayne Adler

Don't Get Tripped Up: Global Privacy Control (GPC) and Your Business

In today's data-driven world, respecting user privacy isn't just good manners – it's increasingly a legal requirement and a cornerstone of customer trust. One of the important developments you need on your radar is the Global Privacy Control (GPC).

If you're a startup or a small to medium-sized business (SMB), you might be wondering, "Another acronym? What does this one mean for me?" Let's break it down.

What Exactly IS Global Privacy Control?

Think of GPC as a universal remote for online privacy preferences. It's a signal sent from a user's browser or device that automatically communicates their desire to opt out of the sale or sharing of their personal information online. The official GPC website explains it as a way for users to "notify businesses of their privacy preferences" (Global Privacy Control). Instead of users having to manually click "Do Not Sell My Information" on every website they visit, GPC allows them to set this preference once at the browser or extension level, as detailed by privacy-focused organizations like Termly.

Why Should Your Business Care About GPC? (Especially if you're a Startup or SMB!)

  1. It's Becoming Legally Mandatory: This is a big one. Several U.S. states with active privacy laws now require businesses to recognize and honor GPC signals as a valid opt-out request.

    • California: The California Attorney General's website explicitly states that under the CCPA (as amended by CPRA), GPC must be honored as a valid consumer request to opt-out of sale/sharing (State of California - Department of Justice).

    • Colorado: The Colorado Attorney General has confirmed that GPC is a recognized Universal Opt-Out Mechanism (UOOM) under the Colorado Privacy Act (CPA) that businesses must honor (Universal Opt-Out and the Colorado Privacy Act).

    • Connecticut: The Connecticut Data Privacy Act (CTDPA) also requires businesses to recognize opt-out preference signals like GPC, with these provisions effective as of January 1, 2025 (Understanding Connecticut's Enhanced Data Privacy Measures).

    • Ignoring these requirements could lead to non-compliance and potential penalties. For instance, CCPA violations carry administrative fines of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of minors, and both amounts are adjusted upward for inflation (from January 1, 2025 they stand at $2,663 and $7,988) (CCPA Fines & Penalties).

  2. Builds Customer Trust: In an era of heightened privacy awareness, consumers are looking for businesses that respect their choices. Honoring GPC signals demonstrates that you take privacy seriously. Statistics show a high level of consumer concern about data privacy; for example, Usercentrics reports that 86% of Americans say data privacy is a growing concern for them, and 84% of users are more loyal to companies with strong security controls (Usercentrics). This transparency can be a powerful differentiator and foster loyalty.

  3. Reduces Friction for Users (and You!): By automatically recognizing opt-out requests via GPC, you streamline the process for your users. This can lead to a better user experience compared to navigating complex cookie banners or privacy settings on every site. For you, it can simplify one aspect of managing user consent.

  4. Stay Ahead of the Curve: The privacy landscape is constantly evolving. GPC is part of a broader movement towards giving users more control over their data. Adopting it early shows foresight and positions your business as a responsible data steward.

What Do You Need to Do About GPC?

  • Understand Your Obligations: First, determine if the privacy laws requiring GPC recognition apply to your business. This usually depends on factors like your revenue, the amount of personal data you process, and where your users/customers are located.

  • Technical Implementation: Your website needs to detect the GPC signal from the browsers and extensions that send it. In practice, a browser with GPC enabled adds the request header Sec-GPC: 1 to every request it makes and exposes the same preference to page scripts as navigator.globalPrivacyControl, so the check can live on your server, in your tag manager, or in client-side code. The GPC website itself offers guidance for developers, and resources like TrustCloud provide overviews of technical integration (TrustCloud Community). Once detected, your systems must treat the signal as a valid opt-out of sale and sharing (and, in Colorado and Connecticut, of targeted advertising) and must suppress the tags and data flows that would otherwise do those things.

  • Update Your Privacy Policy: Your privacy policy should clearly explain how you respond to GPC signals, informing users that you recognize this method of opting out.

  • Test and Verify: Ensure your GPC detection and response mechanisms actually work. Send yourself a request with the signal set (from a browser or extension that supports GPC, or from a command-line client with the header added) and confirm that the opt-out is recorded and that the scripts and network calls responsible for selling or sharing data do not fire. Re-test whenever you add a new marketing or analytics tag, since a single new tag can silently undo your compliance.
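As an added example (not code from the original post, and not the GPC project's own reference code), here is a framework-free Node.js handler that performs the detection described above and turns the signal into an opt-out decision. It relies on two facts from the GPC specification: a browser with GPC enabled sends the request header Sec-GPC: 1, and a site can announce its support at /.well-known/gpc.json with a body of {"gpc": true, "lastUpdate": "YYYY-MM-DD"}. The cookie name privacy_optout, the tag script path and the response shape are assumptions made for this example.

```javascript
// Added example: GPC detection and opt-out handling (not the original post's
// or the GPC project's code). Facts used: browsers with GPC enabled send the
// request header "Sec-GPC: 1"; support can be announced at
// /.well-known/gpc.json. Cookie name, tag path and response shape are assumed.

// True only for the exact value "1". Absence, "0", "true" or "yes" are not a
// signal. Header lookup is case-insensitive because sources differ in casing.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Minimal Cookie-header parser ("a=1; b=2" -> { a: '1', b: '2' }).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Combine the browser signal with a site-specific choice stored in the assumed
// cookie "privacy_optout=1". Design choice: the signal is authoritative, so a
// stored "allow" never overrides it, and a stored opt-out stays in force even
// if the user later switches GPC off.
function resolveOptOut(headers) {
  const h = headers || {};
  const viaGpc = hasGpcSignal(h);
  const viaCookie = parseCookies(h.cookie || h.Cookie).privacy_optout === '1';
  const optedOut = viaGpc || viaCookie;
  return {
    optedOut,
    source: viaGpc ? 'gpc' : viaCookie ? 'cookie' : 'none',
    allowSaleOrSharing: !optedOut, // gate ad / analytics tag loading on this
  };
}

// Body for /.well-known/gpc.json announcing that the site honours the signal.
function wellKnownGpcDocument(lastUpdate) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(lastUpdate)) {
    throw new Error('lastUpdate must be YYYY-MM-DD');
  }
  return JSON.stringify({ gpc: true, lastUpdate });
}

// (path, requestHeaders) -> { status, headers, body }; plug into any server.
function handleRequest(path, headers) {
  const h = headers || {};
  if (path === '/.well-known/gpc.json') {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: wellKnownGpcDocument('2025-01-01'),
    };
  }
  const decision = resolveOptOut(h);
  const resHeaders = { 'Content-Type': 'text/html; charset=utf-8' };
  if (decision.source === 'gpc') {
    // Persist the opt-out so it is honoured on later visits as well.
    resHeaders['Set-Cookie'] =
      'privacy_optout=1; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax';
  }
  const body = decision.allowSaleOrSharing
    ? '<script src="/vendor/ads-and-analytics.js"></script>' // assumed tag path
    : `<!-- sale/sharing tags suppressed: opt-out via ${decision.source} -->`;
  return { status: 200, headers: resHeaders, body };
}
```

The request and response are plain values, so handleRequest drops into http.createServer or any framework. To verify, issue a request with the header set (for instance curl -H 'Sec-GPC: 1' against your site) and check that the ad and analytics tags are absent from the response and that the opt-out cookie is set. The client-side counterpart is navigator.globalPrivacyControl, which a tag-manager rule can read before loading any tag that sells or shares data.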

Navigating Compliance Doesn't Have to Be a Headache

We get it. As a startup or SMB, you're juggling a million things. Adding another compliance requirement to the pile can feel overwhelming. The good news is you don't have to figure it all out on your own.

At Aetos Data Consulting, we specialize in helping businesses like yours understand and implement data privacy and compliance measures in an affordable and manageable way. Whether it's assessing your GPC obligations, updating your policies, or building a broader compliance framework, we're here to provide expert guidance.

Respecting user privacy through tools like Global Privacy Control isn't just about avoiding fines; it's about building a sustainable, trustworthy business.

Data Privacy, Data Privacy Regulation | Shayne Adler

Data Processing: The Heartbeat of Data Privacy (And Why You Should Care)

Ever wonder what really goes on behind the scenes when you hand over your email address to that online store? Or when you share your location with a ride-hailing app? It's all about data processing, the unsung hero (or sometimes villain) of the data privacy world.

In the realm of data privacy, "data processing" isn't just about number crunching or complex algorithms. It's a broad term that encompasses virtually any action performed on personal data, including just storing the data. Think of it as the lifecycle of your information from the moment it's collected to the day it's deleted (and every step in between).

Data Processing: A Definition That Goes Beyond "Computing"

The GDPR and other data privacy laws cast a wide net. GDPR Article 4(2) defines processing as any operation or set of operations performed on personal data, whether or not by automated means, and its examples run from collection, recording, organisation, structuring and storage through adaptation, retrieval, consultation, use, disclosure, alignment or combination, to restriction, erasure and destruction. Manual processing is covered too, whenever the data forms part of, or is intended to form part of, a filing system.

This means that even activities like:

  • Collecting customer information on a paper form.

  • Storing employee records in a filing cabinet.

  • Sharing data with a partner organization via fax (yes, some people still use those!)

... all fall under the umbrella of data processing.

Why Data Processing is the Heart of Data Privacy

Data privacy regulations like the GDPR place strict obligations on organizations when it comes to processing personal data. This is because data processing activities can have a significant impact on individuals' privacy rights.

Here's why data processing is at the core of data privacy:

  • It's where the risks lie. Data breaches, unauthorized access and misuse of personal data happen during processing activities, whether that is collection, storage, transfer or disposal.

  • It's where control matters. Individuals have rights regarding how their personal data is processed, including the right to access, correct, and delete their information.

  • It's where transparency is key. Organizations need to be transparent about how they process personal data throughout its life cycle, inform data subjects about their rights with respect to that data (such as the right to object to processing), and rely on a valid lawful basis for each processing activity, which in some cases means obtaining the data subject's explicit consent before processing begins.

Examples of Data Processing in Action 

Data processing is happening all around us, every day. Here are a few examples:

  • Online shopping: When you enter your credit card details to buy that new gadget, the online store is processing your data, including personal data, to complete the transaction.

  • Social media: Every time you like a post, share a photo, or send a message, the social media platform is processing your personal data to provide its services and also to monetize your personal data, typically for advertising purposes.

  • Healthcare: When you visit a doctor, your medical records and personal data are processed to provide you with appropriate care.

  • Marketing: When you receive a personalized email promoting a product you might be interested in, your personal data has been processed for marketing purposes.

The Legal Implications: Why You Need to Get it Right

Data privacy regulations impose specific requirements on organizations that process personal data. These requirements often include:

  • Obtaining consent: Getting explicit permission from individuals before collecting and processing personal data where the law requires consent as the lawful basis (other lawful bases, such as performance of a contract or a legitimate interest, apply in other situations).

  • Ensuring data security: Implementing appropriate technical and organizational measures to protect personal data.

  • Adhering to specific processing purposes: Only processing personal data for the purposes it was collected for, being transparent about those purposes to the data subjects, and not using it for any incompatible purposes.

  • Providing transparency: Informing individuals about how their personal data is being processed and informing them of their rights.

  • Data minimization: Limiting personal data collection and retention to the bare minimum necessary to accomplish the intended purpose.

Failure to comply with these requirements can lead to hefty fines, reputational damage, loss of customer trust, and legal challenges.

Aetos: Data Privacy Principles by Design

Navigating the complexities of data processing can be tricky, but you don't have to do it alone. Aetos Data Consulting is here to help you understand your obligations, implement best practices in a practical, business-friendly way, and ensure your data processing activities are compliant and ethical.

Contact us today to learn more about how we can help you protect your customers' personal data and earn their trust.

Data Privacy, Data Privacy Regulation | Michael Adler

What is personal data? And what is Personally Identifiable Information?

A primer on personal data and personally identifiable information, and why it matters to you and your business.

Demystifying "Personal Data" under the GDPR

The General Data Protection Regulation (GDPR) is all about protecting personal data, but what exactly falls under that umbrella? Let's break it down in a way that's easy to understand.

Personal data, in the eyes of the GDPR (Article 4(1)), is any information relating to an identified or identifiable living individual. Identification can happen:

  • Directly: The information itself clearly identifies the person (e.g., their name, ID number).

  • Indirectly: Combining the information with other data points reveals the person's identity (e.g., their location data combined with their job title).

Here are a few important points to keep in mind:

  • Pseudonymized data is still personal data. Even if you replace identifying information with pseudonyms, it can still be considered personal data if it can be linked back to an individual.

  • Truly anonymized data is NOT personal data. Anonymization means the data is irreversibly de-identified, making it impossible to re-identify any individual. This is a high bar to clear!

  • Information about a deceased person is not personal data under the GDPR, which protects living individuals only (Recital 27 leaves member states free to regulate deceased persons' data under national law).

  • Information about companies or public authorities is not personal data. However, information about individuals within those entities (like sole traders or employees) can be personal data if it relates to them as individuals.

Identifiers and the Context Conundrum

An identifier is anything that helps distinguish one individual from another. While a name might seem like an obvious identifier, whether it actually identifies someone depends on the context.

For example, the name "John Smith" alone might not be enough to identify a specific person. But if you combine it with other information, like their address or date of birth, it becomes much easier to pinpoint who they are.

The GDPR provides a list of potential identifiers, including:

  • Name

  • Identification number

  • Location data

  • Online identifiers (like IP addresses and cookie identifiers)

But remember, context is key! Even seemingly innocuous information can become an identifier when combined with other data points.

Personally Identifiable Information vs. Personal Data: What's the Difference?

In the world of data privacy, you'll often encounter the terms "Personally Identifiable Information" (or PII) and "Personal Data." While they might seem interchangeable, there are key distinctions, especially when considering different legal frameworks and geographical contexts. Let's break down the nuances:

PII

  • Origin: Primarily used in the United States.

  • Definition: Information that can uniquely identify an individual or be linked to a specific person.

  • Scope: Generally focuses on specific types of data that directly identify someone.

  • Examples: Name, Social Security Number, passport number, email address.

  • Emphasis: On data used for direct identification.

Personal Data

  • Origin: Commonly used in the European Union and other countries, particularly in privacy laws like the GDPR (General Data Protection Regulation).

  • Definition: Any information relating to an identified or identifiable natural person (referred to as a "data subject").

  • Scope: Broader than PII, encompassing data that might not directly identify a person but can do so when combined with other information.

  • Examples: Name, IP address, cookie identifiers, location data, and even pseudonymized data if it can be re-linked to an individual.

  • Emphasis: On how data relates to individuals, even if identification requires additional steps or combining data points.

Key Differences at a Glance

                PII (US usage)                                Personal Data (GDPR)

Origin          Primarily the United States                   The EU and other jurisdictions; defined in the GDPR

Definition      Information that uniquely identifies, or      Any information relating to an identified or
                can be linked to, a specific individual       identifiable natural person (the "data subject")

Scope           Narrower: specific data types that            Broader: also data that identifies someone only
                directly identify someone                     when combined with other information

Examples        Name, Social Security number, passport        Name, IP address, cookie identifiers, location
                number, email address                         data, pseudonymised data that can be re-linked

Emphasis        Data used for direct identification           How data relates to a person, even when
                                                              identification needs extra steps or data points

Why It Matters

Understanding the difference between PII and Personal Data is crucial for businesses operating in different regions or handling data from diverse sources. The GDPR's broader definition of Personal Data means that companies must be more vigilant in protecting a wider range of information.

In summary, Personal Data is a more comprehensive term under the GDPR, while PII focuses on specific identifiable details, often in the US context.

Is it Personal Data? Unpacking Identifiability Under the GDPR

So, the GDPR is built on the concept of personal data. But what exactly is personal data? It's not always as straightforward as you might think. Let's break down the key elements of identifiability under the GDPR:

Direct Identifiability

Can you identify an individual directly from the information you have? If you can distinguish an individual from others solely by looking at the information you're processing, that individual is considered identified or identifiable.

It's important to remember that direct identifiability goes beyond just knowing someone's name. A combination of other identifiers, such as location data, online identifiers, or physical characteristics, may be enough to pinpoint an individual. If this is the case, the information may constitute personal data under the GDPR.

Indirect Identifiability

Even if you can't identify an individual directly from the information you hold, it might still be considered personal data if it can indirectly identify them. This means that by combining the information you have with other readily available information, an individual could be identified.

Consider these factors when assessing indirect identifiability:

  • The information you already hold: Could it be combined with other data you possess to identify an individual?

  • External information sources: Could someone use publicly available information or data from other sources to identify an individual based on the information you hold?

  • Technological advancements: Could new technologies or data analysis techniques make it easier to identify individuals in the future?

While the GDPR considers the possibility of someone reconstructing data to identify an individual, a remote hypothetical possibility isn't enough. Recital 26 directs you to account for all the means reasonably likely to be used, by you or by another person, to identify the individual directly or indirectly, taking into account the cost and time identification would require and the technology available now and during the period for which you will hold the data.
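The three factors above can be turned into a concrete check. The following added example (not code from the original post) takes a "de-identified" extract, groups its rows on the fields an outsider could also obtain (the quasi-identifiers), reports how many people can be singled out, and then links the extract against a constructed external list to show what re-identification looks like before and after a simple generalisation step. Every row is constructed; no real people or addresses are involved.

```javascript
// Added example (not the original post's code): a uniqueness check over
// quasi-identifiers as a practical test of indirect identifiability.
// All rows below are constructed for the example.
const QI = ['zip', 'dob', 'sex'];   // fields an outsider can also obtain
const SENSITIVE = 'diagnosis';       // attribute we are trying to protect

// A "de-identified" extract: names removed, everything else kept.
const HEALTH_ROWS = [
  { zip: '02138', dob: '1965-07-21', sex: 'F', diagnosis: 'asthma' },
  { zip: '02138', dob: '1965-07-21', sex: 'F', diagnosis: 'flu' },
  { zip: '02139', dob: '1982-03-05', sex: 'M', diagnosis: 'diabetes' },
  { zip: '02139', dob: '1982-11-30', sex: 'M', diagnosis: 'hypertension' },
  { zip: '02140', dob: '1990-01-15', sex: 'F', diagnosis: 'migraine' },
  { zip: '02140', dob: '1990-06-02', sex: 'F', diagnosis: 'asthma' },
];

// An external source an outsider could plausibly hold (voter roll, directory).
const PUBLIC_LIST = [
  { name: 'Carl Ng',   zip: '02139', dob: '1982-03-05', sex: 'M' },
  { name: 'Dana Ruiz', zip: '02140', dob: '1990-01-15', sex: 'F' },
  { name: 'Eve Park',  zip: '02141', dob: '1977-09-09', sex: 'F' },
];

const keyOf = (row, fields) => fields.map((f) => String(row[f])).join('|');

function groupBy(rows, fields) {
  const groups = new Map();
  for (const row of rows) {
    const k = keyOf(row, fields);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(row);
  }
  return groups;
}

// k is the smallest group on the quasi-identifiers: k = 1 means someone can
// be singled out. minDistinctSensitive is the smallest number of different
// sensitive values within a group: if a whole group shares one diagnosis,
// k-anonymity alone still leaks it (attribute disclosure).
function assessIdentifiability(rows, fields, sensitive) {
  const groups = [...groupBy(rows, fields).values()];
  const sizes = groups.map((g) => g.length);
  const diversity = groups.map((g) => new Set(g.map((r) => r[sensitive])).size);
  return {
    groups: groups.length,
    k: Math.min(...sizes),
    uniqueRows: sizes.filter((n) => n === 1).length,
    minDistinctSensitive: Math.min(...diversity),
  };
}

// Linkage: for each named person, find rows matching on the quasi-identifiers;
// exactly one match re-identifies that person's sensitive attribute.
function linkToNames(rows, publicList, fields, sensitive) {
  const byKey = groupBy(rows, fields);
  const hits = [];
  for (const person of publicList) {
    const matches = byKey.get(keyOf(person, fields)) || [];
    if (matches.length === 1) hits.push({ name: person.name, [sensitive]: matches[0][sensitive] });
  }
  return hits;
}

// One generalisation step: 3-digit ZIP prefix and birth year only. Apply the
// same step to the external list when re-running the linkage.
function generalise(rows) {
  return rows.map((r) => ({ ...r, zip: r.zip.slice(0, 3), dob: r.dob.slice(0, 4) }));
}
```

On the raw extract four of the six rows are unique on (zip, dob, sex), and the external list names two patients together with their diagnoses, so the extract is personal data even though it contains no names. After generalisation no row is unique and the same linkage returns nothing. The generalised extract is not automatically anonymous either: the technology factor from the list above means a richer external dataset or a new linkage technique could change the answer, which is why the assessment has to be repeated over the data's lifetime.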

The "Relates To" Requirement

For information to be considered personal data, it must also "relate to" the identifiable individual. This means the information must concern the individual in some way, not just identify them.

To determine if data "relates to" an individual, consider:

  • Content: Is the data directly about the individual or their activities?

  • Purpose: Why are you processing the data?

  • Effects: What are the results or effects of processing the data on the individual?

Data can reference an identifiable individual without being personal data if it doesn't relate to them. For example, a dataset listing company names might include the name of a person who owns a business, but if the data is used for market analysis and not in a way that concerns the individual, it might not be considered their personal data.

When in Doubt, Proceed with Caution

In cases where it's difficult to determine if data is personal data, it's best to err on the side of caution. Treat the information with care, ensure you have a lawful basis for processing it, and implement appropriate security measures for its storage and disposal.

Remember, even inaccurate information can be personal data if it relates to an identifiable individual.

When Does Data Become Personal?

The GDPR has a broad definition of "personal data," encompassing any information relating to an identified or identifiable natural person. But what happens when the same data is processed by different organizations for different purposes? Can data be considered non-personal in one context and personal in another?

The answer is yes. The GDPR recognizes that data's relationship to an individual can change depending on the controller and their purpose for processing it.

For example, a dataset that is effectively anonymous for one controller, because that controller has no realistic means of re-identifying anyone in it, may be personal data in the hands of another controller who holds the additional information (a key, a lookup table, a richer dataset) that makes identification possible.

Therefore, it's crucial to carefully consider the purpose for which data is being used to determine whether it falls under the GDPR's definition of personal data. A thorough analysis is essential to ensure compliance and avoid inadvertently processing personal data without a lawful basis.

Special Categories of Personal Data Under the GDPR: Extra Protection for Sensitive Information

The GDPR provides heightened protection for what it calls "special categories of personal data" (Article 9), often described as sensitive personal data: categories of information that could be particularly harmful or discriminatory if misused. These categories are:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data (when processed to uniquely identify a person)

  • Health data

  • Data concerning sex life or sexual orientation

Processing these categories is prohibited unless one of the Article 9(2) exceptions applies, the most familiar being the individual's explicit consent; others cover, for example, employment law obligations, vital interests and the provision of healthcare. Processing that does go ahead calls for additional safeguards and, where the risk to individuals is high, a data protection impact assessment (DPIA).

"Personal Information" Under the CCPA

A Broad Definition

Similarly, and yet a world apart, the California Consumer Privacy Act (CCPA) also has a broad definition of "personal information." It includes any information that identifies, relates to, or could reasonably be linked to a California resident or their household, directly or indirectly. This encompasses a wide range of data, including:

  • Identifiers: Name, email address, IP address, online identifiers

  • Commercial Information: Purchase history, browsing history

  • Geolocation Data: Precise location data

  • Professional or Employment-Related Information: Employment history, education information

  • Profiles: Profiles created about consumers by businesses, including pseudonymous profiles

  • Sensitive Personal Information: A subset of personal information with heightened protection (see below)

"Sensitive Personal Information" Under the CCPA: A Closer Look

The CCPA defines "sensitive personal information" as a specific category of personal information that requires even greater protection. California residents have the right to limit the use and disclosure of their sensitive personal information to only certain permitted purposes. This category includes:

  • Government identifiers: Social Security number, driver's license, state identification card, passport number

  • Financial account information: Account log-in, financial account, debit card or credit card number, in combination with any required security or access code, password or credentials allowing access to the account

  • Precise geolocation: A consumer's precise location

  • Contents of mail, email, and text messages: Unless the business is the intended recipient

  • Genetic data

  • Biometric information: Processed for identification purposes

  • Health, sex life, or sexual orientation information

  • Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership

Understanding the nuances of "personal data" and "special category data" under the GDPR, and of "personal information" and "sensitive personal information" under the CCPA, is crucial for businesses operating in today's data-driven world. By recognizing the distinct definitions and requirements of these privacy laws, organizations can ensure they are handling consumer data responsibly and ethically.

While the concepts of PII and personal data may seem complex, remember that the core principle is the same: protecting individuals' privacy. By prioritizing data protection and implementing robust compliance measures, businesses can foster trust with their customers, enhance their brand reputation, and contribute to a more responsible and ethical digital ecosystem.

If navigating these complexities feels overwhelming, Aetos Data Consulting is here to help. We offer expert guidance and tailored solutions to ensure your business complies with global data privacy regulations and handles personal data with the utmost care and respect. Contact us today to learn more about how we can support your journey towards data privacy compliance.

Data Privacy Regulation, Data Privacy, News | Michael Adler

CCPA Compliance in 2025: Updates to Fines & Penalties

CCPA fines increased January 1, 2025 - here’s what you need to know.

As of January 1st, 2025, businesses subject to the California Consumer Privacy Act (CCPA) must be aware of significant updates to the potential fines and penalties for non-compliance. These adjustments, mandated by California law and tied to the Consumer Price Index (CPI), reflect the state's ongoing commitment to protecting consumer data privacy.

Key Changes:

  • Increased Administrative Fines: The fine for a violation has increased from $2,500 to $2,663 per violation.

  • Higher Penalties for Intentional Violations: Intentional violations, and violations involving the personal information of consumers under 16, now carry a penalty of $7,988 per violation, up from $7,500.

Implications for Businesses:

These increased penalties underscore the importance of prioritizing CCPA compliance. Businesses that handle the personal information of California consumers should review their data privacy practices and ensure they have the necessary safeguards in place to protect consumer data.

What Businesses Should Do:

  • Perform compliance audits

  • Review policies, and how they are being implemented

  • Educate your employees on CCPA requirements and best practices

  • Engage in incident response planning
