Regulatory Changes

New data privacy laws and regulations—such as the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Privacy and Electronic Communications Regulations (PECR)—are designed to help consumers have more visibility and control over the data that companies are collecting. As a personalization vendor which, by default, collects anonymized user data and, with the enablement and use of certain features, can identify specific customers, Monetate is responsible for helping clients comply with these regulations. This documentation contains details about Monetate's stance on data privacy laws and what tools it provides to aid in compliance.


The European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act share many of the same concepts. Both laws only apply to their respective constituents. However, companies have begun to incorporate these concepts into their operations in anticipation of broader adoption.

In general, these laws apply to Monetate in two ways. In each case, consumers submit a request to you. Those requests are then passed to Monetate in the form of customer IDs via an API endpoint.

  1. Right to Be Forgotten
    • What is it? Consumers can request that a company erases their personal data so that they are no longer being tracked and to ensure the consumer's data is deleted across their full ecosystem.
    • Monetate's actions After receiving the request through the API, the user for each customer ID is erased from Monetate's database and will be removed if identified in any future sessions.
    • Consumer Data Privacy API
  2. Right to Access
    • What is it? Consumers have the right to access their personal data and can submit a request to companies to view what data they've collected.
    • Monetate's actions After receiving the request through the API, Monetate then outputs all the data it has collected for each customer ID to a CSV, which you can receive via SFTP and then aggregate into a customer profile.
    • Consumer Data Access API


In the UK, The Privacy and Electronic Communications (Amendment) Regulations 2018 (ePrivacy Regs), or PECR, came into force on 17 December 2018.

The PECR covers several areas, including marketing by electronic means, the use of cookies and similar technologies, security of public electronic communication services, and the privacy of customers using such communication networks and services. The GDPR does not replace the PECR but sits alongside them. They give people specific privacy rights in relation to electronic communications. All applicable companies that use cookies, or similar technology in interacting with UK customers, must now comply with the PECR.

The PECR prohibits companies from transmitting or instigating the transmission of unsolicited electronic communications to consumers for the purposes of direct marketing, unless that individual has given their prior consent to receive such communications or if the sender can demonstrate an existing commercial relationship with the recipient.

If a site uses cookies to interact with UK customers, then it must do the following:

  • State what cookies will be set
  • Explain what the cookies will do
  • Obtain consent to store cookies on devices, and consent must be actively and clearly given

Cookies don't require consent if they are classified as essential and meet one of the two criteria:

  • They are used solely for the purpose of carrying out or facilitating the transmission of a communication over an electronic communications network
  • The storage or access is strictly necessary for the provision of an information society service requested by the user

Monetate recommends that clients classify Monetate cookies as essential because the platform is used to carry out and facilitate communication related to customers' experiences on the website. This includes but is not limited to the visual display of imagery, text, and UX/UI layout. Some of the experiences hide images and content on the landing page that the client doesn't want the customer to see. If the Monetate ID (the mt.v cookie) isn't classified as essential, then the information that needs to be hidden isn't hidden. While Monetate believes that consent is not required, it does recommend explaining to visitors that cookies are being used to track engagement and to refine user experience as a means of enhancing their future site experience.

Additional Documentation

Refer to these resources for more information about the regulations discussed in this documentation: