GDPR / CCPA Compliance
EU and California privacy regulations governing personal-data processing in advertising. Foundational for any global ad-tech operation.
GDPR (the EU's General Data Protection Regulation, in force since 2018) and CCPA / CPRA (California's Consumer Privacy Act and its 2020 amendment) are the two foundational privacy regulations governing personal-data processing in advertising. GDPR applies to any processing of EU residents' data regardless of where the processor is located; CCPA applies to processing of California residents' data above a revenue threshold.
Key concepts: GDPR classifies biometric data (face features, gait, voice) as "special category" requiring explicit affirmative consent for processing. CCPA classifies the same data as "sensitive personal information" with opt-out rights. Both define a "data controller" (decides what to do with data) and "data processor" (acts on the controller's behalf) relationship with different liability profiles.
For DOOH (digital out-of-home) screens with on-screen cameras, the relevant provision is GDPR Article 9, and the compliance pattern is edge inference: processing that never moves raw biometric data off the device sidesteps the explicit-consent requirement because the data never leaves the device boundary. The Trillboards sensing SDK is designed around this: face vectors live and die on-device; only aggregate counts get uploaded.
Other adjacent regulations include the EU's AI Act (in force 2024, applies to high-risk AI systems — DOOH attention-measurement is borderline), the EU ePrivacy Directive (cookie-consent rules), and emerging US state-level laws (Colorado, Virginia, Texas) that broadly mirror GDPR's structure.
Authoritative reference
GDPR — Official Reference (gdpr.eu)