
The era of the free Internet is over. Actually, it’s been over for some time, it’s just that now everyone is noticing – and taking action.

Back in the old days, you had to offer valid, meaningful information, in the form of a white paper, eBook, infographic or other Lead Magnet in exchange for people’s emails. But about 10 years ago, something shifted. Emails became much easier to proliferate and manage.

From the 90’s to around 2006, the majority of Internet users had, at most, two emails – one for personal and one for business. But in 2004 Gmail was introduced. MySpace had launched the year before, but when Facebook opened its virtual doors to the public in September of 2006, social media began to explode.

While some of us had multiple emails for years, the rise of social media and Gmail made it more likely that lots of people would have multiple emails. Especially since they were now virtually free. For example, I pay $1 a year for 100GB of email storage. I use only about 40% of that for well over 1 million saved emails.

Kooky New Technology

Along the line, as emails exploded, the Internet demigods sought ways of still capturing pertinent data on the people who used them every day – even if they used different ID cards (emails). But they already had at least one powerful tool to exploit.

Back in 1994, Lou Montulli had “invented” a little packet of text for the Netscape Internet browser that saved a few essential preferences. This text packet was stored in a behind-the-scenes folder and accessed by the browser and many of the sites on the Internet. He called the packet a cookie, after the Unix packets known as “magic cookies.” In Unix, the magic is the encoding that governs how the info is seen and interpreted.

But over time, Netscape engineers realized that they could store more and more info in these cookies. Instead of just holding a user ID, they were first tasked with retailer retention: tracking purchases loaded into online shopping carts, including after you’ve left the site, recording how many times a user has seen a certain banner advertisement, and things like that.

But once the, um, cookie jar was opened, the genie was out of the bottle, if you’ll excuse my mixed metaphors. Cookies now became a treasure trove of data – and not just for the site you’re visiting. I recently ran across a dedicated job site that had over 200 cookies, not for the job site, but for third-party outside retailers to place advertising.

Of course, that info was also no longer restricted to Netscape. Google, Twitter, Bing, Facebook, Amazon, eBay, Target, the US Postal Service – just about anyone with a website now tracks and collects mountains of data about you via cookies. That’s why the things you search for seem to follow you to other sites days and weeks after you’ve finished your research.

How the Cookie Crumbles

Of course, once it became public knowledge that this was happening, people started pointing to 1984 and similar story frameworks, demanding their privacy be defended. Right before they invested in always-listening speaker assistants. Alexa, play Alanis Morissette.

Government functionaries, not to be outdone when there’s a crisis they can profit from, rushed in, and in the past couple of years two laws were put into effect designed to limit the harvesting and use of users’ data (not counting medical data protected by HIPAA).

At the time of this writing, there were two major legislative actions defining use of user privacy. One is technically only for European residents, although when it went into effect, websites and email servers across the globe took steps to comply. The other is for residents of the state of California, but similarly affects all of the United States and beyond.

What Unites Them

The two laws have their differences, but let’s look at the similarities first.

Both require compliance. Businesses that store information on consumers in either California or the EU, regardless of where in the world that business is physically located, must observe the restrictions and rights of the customers under the appropriate law, or face stiff fines.

Both laws also require any affected companies to give consumers access to the data that has been collected about them. The consumer also has the right to request that the collected data be erased. Bear in mind that Facebook recently was forced by the courts to pay a $5 billion fine for not informing their customers about the existence of tracking data on their users and its security.

One thing that neither law defines well is the saving and use of pseudonymous or deidentified data: information collated, typically for research, but not specific to a particular user or household. Technically, this data is not personal because it’s not explicitly tied to a user.

Now let’s detail the significant differences between the laws:


The General Data Protection Regulation (GDPR) was created by the European Union and implemented on May 25, 2018 (the original EU Cookie Law was enacted 7 years earlier). The language of the GDPR is broad and applies to all organizations that might interact with data from EU residents.

The GDPR defines two categories of customers’ personal data – standard, such as names, mailing addresses, and IP addresses; and special categories, including religious views, sexual orientation, political opinions and the like. Basically, any information relating to an identified or identifiable data subject is covered.

Consumers under the GDPR can also correct or complete the information gathered by companies.


California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law shortly after GDPR went into effect. It became the law of the state on January 1, 2020. It has some interesting specifics – it only applies to for-profit companies that meet any of the following requirements:

  1. Has over $25 million in annual gross revenue.
  2. Holds over 50,000 consumers’ personal information for commercial purposes.
  3. Earns over 50% of annual revenue from the sale of consumers’ personal information.

The law also applies to a business that controls or is controlled by a business meeting the above three requirements, and/or shares common branding with a covered business, such as a shared name, service mark, or trademark.

The CCPA is also only applicable to personal data that is not available from governmental records.

Consumers under CCPA have the right to opt-out of the collection of anything outside the bare minimum needed to maintain customer experience on a site.

Be a Smart Cookie

Of course, there are more intricacies than can be easily covered by this summary. If you’d like a more explicit breakdown to check against, I recommend either this one from the Center for Democracy and Technology or this high-level comparison chart from Practical Law.

CCPA & GDPR are likely only the beginning. As awareness of the value of personal data grows, expect more states and countries to enact laws to protect their affected consumers.

Because even in the midst of these laws growing in effectiveness, the United States decennial Census, the 23rd since 1790, is being delayed. All thanks to concerns over privacy of electronic data. This issue isn’t going away anytime soon, and being compliant now – even if you have no customers in the affected areas – will be to your advantage in the future.

If you’d like more info on how to connect with and find your customers organically, without harvesting their data, please reach out. Grow the Dream has been helping small businesses take a strategic approach to their marketing for over 10 years.