All Collections
FAQs & Troubleshooting
Data Protection and CCPA & GDPR Compliance
Data Protection and CCPA & GDPR Compliance

Mutiny is fully compliant with CCPA/GDPR and SOC2, and will keep your data protected. Learn how to implement Mutiny with cookie consent.

Updated over a week ago

This article highlights:

  • What the GDPR & CCPA are and how they’re applicable to Mutiny

  • Mutiny's role in complying with these regulations as a data processor 

  • Your role in protecting sensitive personal information as a data controller 

What's it all about?

The GDPR and CCPA are legal frameworks for how businesses process and handle personal data of individuals. Both frameworks determine the responsibilities for organizations to ensure the protection and privacy of personal data, develops certain rights for individuals regarding their personal data, gives power to regulatory bodies to enforce these rules and even impose fines to rule-breaking organizations.

Mutiny is considered a service provider, or a processor of data, under the CCPA and GDPR whereas your business is considered the controller of your data. 

This means, that Mutiny simply processes any data that customers request. We never sell, share, or distribute your personal data. As the data controller, you maintain full ownership of your data.

Mutiny is fully compliant with the GDPR and CCPA, and is SOC2 Type 2 compliant. 

Mutiny is GDPR & CCPA compliant

Mutiny's compliance with both the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) directly reflects our dedication to protecting your data.

In order to give your customers the best experience possible, Mutiny processes publicly available company data and first party personal data that allows you to deliver customized experiences to your website's visitors. The information that you provide us with and the data that we gather about your visitors on your behalf are used only for the purpose of helping you deliver personalized experiences to your visitors. 

What data does Mutiny process?

  • Mutiny uses publicly available business IP-based data, such as firmographic and geographic context

  • Mutiny collects data based on customers’ behaviors with your website

  • Optionally, customers can choose to integrate first party/CRM data for use in personalization strategies

If you’re using cookies on your website, you'll be responsible for requesting user consent in compliance with the CCPA and GDPR before setting any cookies other than those deemed strictly necessary for site operation.

There are two ways to collect customer consent - opt in or opt out. The preferred method for personalization is opt out so that visitors can receive personalized experiences on their first page view, without seeing the page content visibly change or refresh, and to maximize the number of visitors seeing personalized experiences.

How to implement Mutiny for opt out **preferred**

Add the Mutiny client code in the <head> tag of your HTML template (instructions here). If the user opts out of cookie tracking, calling the following function will prevent Mutiny from tracking them:


This function should only be called after a user opts out of cookie tracking.

How to implement Mutiny for opt in

Mutiny has an SDK that can be fired when the user consents to cookie tracking. The Mutiny client code should still be installed in the <head> tag of your HTML template so personalization can be applied to the page without a flicker. Mutiny will only start storing cookies/tracking when the user explicitly opts in to tracking. No personalization will be applied until the user's next page load.

To implement the SDK, simply paste the following directly between the <script> tags of the Mutiny client code (you can get your unique client code snippet here):


When the visitor consents to cookie tracking, call the following function to enable tracking in Mutiny:


A closer look at GDPR, CCPA, and Mutiny’s compliance

Detailed information for both frameworks are listed below. 


The EU issued the GDPR as a way of bringing the outdated Data Protection Directive up to speed with the current state of technology. It outlines a list of regulations governing the processing of personal data from European consumers, regardless of business location. 

The law both brings up new responsibilities for data processors and plainly states the accountability of the data owners. 

Who does the GDPR impact?

Any company that stores or processes personal information (data) about EU citizens within EU states, regardless if they have a business presence within the EU. Specific criteria for companies include: 

  • No presence in the EU, but it processes personal data of European residents.

  • More than 250 employees.

  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

For clarity, Mutiny would fall into the first category, and would be required to adhere to the GDPR framework, as we may process personal data of European residents. 

What is the definition of data?

Any information that can directly or indirectly identify a data subject. For the scope of Mutiny, the most important aspects of data are: online identifiers such as IP addresses, cookies, geolocation, or radio frequency tags; device identifiers such as MAC addresses;

personal identifying information (PII) such as name, employee number, email address emails, instant messages, photos, economic, or social data. 

How is Mutiny GDPR compliant?

There are 99 articles that determine data protection, compliance, and enforcement rules. The most relevant aspects of GDPR compliance for website personalization are below:

  • Ask visitors if they want to opt-in or opt-out and systematically respect that decision

  • Only use the provided data for the specific purpose (of personalization)

  • Do not sell, market, or share individual’s personal data 

  • Allow individuals to be able to delete their personal data 

  • Notify our customers, appropriate supervisory authority, and users of a data breach within 72 hours

  • Implement technical and organizational measures to anonymize and encrypt personal data, maintain ongoing maintenance and validation of processing systems and services, and the ability to restore personal data in the event of a physical or technical security breach

  • Designated Security Officer

In addition, for our Enterprise customers we are able to execute a Data Protection Addendum along with the Mutiny Order Form to specify the rights, responsibilities, and processes for both parties.


The CCPA was enacted into California law with the goal of strengthening consumer privacy rights by limiting access to sensitive consumer data. It applies to most for-profit companies that collect, share, or sell the personal data of California consumers, regardless of business location. You can think of the CCPA as California’s corollary to the European GDPR. 

Similar to the GDPR, the act mandates that businesses must disclose what information is being collected from consumers and also gives them the right to forbid the sale of their personal data.

Who does the CCPA impact?

Businesses are subject to the CCPA if one of more of the following are true:

  • Has gross annual revenues in excess of $25 million

  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices (within California)

  • Derives 50 percent or more annual revenues from selling consumers’ personal information 

For clarity, Mutiny would fall into the second category, and would be required to adhere to the CCPA framework, as we may receive personal data of 50,000 or more California residents. 

What is the definition of data?

CCPA defines personal data as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This law differs from others by including household information in the scope of the definition of personal data.

Personal information may include but is not limited to name, email address, biometric data, IP address, Internet of Things information, geolocation data, professional or employment information, and other information. You can see that there is a lot of overlap between the GDPR and CCPA definitions of data and personal information. 

How is Mutiny CCPA compliant?

As with the GDPR, there are many aspects of the CCPA that are relevant for website personalization. Mutiny is compliant through these processes:

  • Updating the Mutiny Privacy Policy with respect to the CCPA 

  • Ask visitors if they want to opt-in or opt-out and systematically respect that decision 

  • Only use the provided data for the specific purpose (of personalization)

  • Do not sell, market, or share California resident’s personal data 

  • Allow individuals to be able to delete their personal data upon verification of the individual

  • Maintain records of data information requests 

  • Implement and maintain a data inventory

  • Implement reasonable security measures to ensure the confidentiality, integrity, and availability of personal data. 

Data Deletion

There are two ways to leverage data deletion:

  1. European and California residents can exercise their data deletion requests by sending Mutiny Visitor IDs (mutinyVisitorId) User IDs (userId) from your Segment pipeline to:

  2. To programmatically remove requested data, you can leverage Mutiny's data deletion API. Read more about how to gain access and how it works here.

Final Notes

All customers and individuals can access the full Mutiny Privacy Policy here.

All customers and individuals can access the full Mutiny Terms of Service here. 

Enterprise customers can request to add a Data Protection Addendum to your Order Form by contacting your Mutiny point of contact. 

Don't be a stranger

If you have any questions, we’re here to help! Please feel free to contact us at any time, either through intercom chat or via 

Did this answer your question?