

In 2018, the protection of Internet users' personal data was strengthened considerably. Fines for companies making improper use of personal data have multiplied (up to 130-fold). This legal revolution has been brought about by the General Data Protection Regulation (GDPR).

The GDPR was adopted by the European Parliament in 2016 and became effective on May 25, 2018. The regulation affects all companies that process the personal data of European users, wherever the company itself is based.

Disclaimer: Kameleoon does not provide legal advice regarding GDPR. This page only aims to inform readers about the major challenges GDPR brings and how Kameleoon's personalization tool complies with this regulation.

Any organization breaking the new rules risks fines of up to 4% of their overall turnover, or €20 million, according to the severity of the infraction.


Under GDPR, you no longer have the right to collect personal data if the user hasn't explicitly authorized you to do so. Your data management policy needs to be perfectly clear. You do not have the right to process a visitor's personal data unless they have explicitly agreed to this.


With GDPR, transferring a customer's personal data outside the European Union becomes illegal. A company operating on several continents and using tools that centralize customer data outside the EU breaches the new regulation. The same is true for any company operating in Europe and centralizing user data outside the EU.


Yahoo, MySpace, eBay, Sony, Ashley Madison, Dropbox, Tumblr, LinkedIn, Adobe, etc.: Data theft happens all the time. In the past, companies tried to hide these glitches as long as they could. With the GDPR, corporations have 72 hours from the moment the breach is known to inform the relevant authorities. Users also have to be informed, although the GDPR doesn’t set a timeframe for this. However, it’s a matter of common sense and of keeping trust to inform users as soon as possible.


Under GDPR, you must be able to provide all of a visitor’s data at their request, in a structured, unencrypted format.


A person who has given you his or her data has the right to ask you to erase it entirely. If they do, you have to comply.


The nomination of a Data Protection Officer (or DPO) is mandatory for all corporations processing user data on a large scale or regularly tracking data subjects or sensitive information. This also applies to the public sector, independently of the purpose or type of processing.


  • Data Collection

In its standard setup, Kameleoon's platform doesn't collect or process any personal data as defined by the GDPR. The only data collected is anonymized browsing data which doesn't allow a visitor to be identified. However, our customers are able to inject existing personal data from their technology ecosystem (such as CRM or DMP solutions) into Kameleoon, to improve analysis and results. In this case, the Customer has total control over the information they use and should only select authorized data. Kameleoon processes this personal data in a totally GDPR-compliant way and follows the Customer's written instructions and data processing procedures.

  • IP Anonymization

As the IP address is considered personal data, Kameleoon doesn’t process or save it but replaces it with a randomly generated ID. This guarantees complete anonymization and a higher level of data protection.

  • Encryption

Kameleoon complies with security standards and offers the encryption of information under certain conditions. Kameleoon’s JavaScript communicates over HTTPS if the original (customer's) page is also served over HTTPS.

  • Portability

Kameleoon enables the Customer to deliver the entirety of a given visitor's collected data at their demand.

  • Right to be forgotten

Kameleoon can erase any personal data within 72 hours. Moreover, visitors have the possibility to opt out of the personalized experiences they are offered. To prevent their data from being used for personalization, visitors have access to a link offering to deactivate tracking and any type of data processing. The Customer only needs to add a link to the website’s privacy policy page. Our Disable Legal Consent method should be called once you know that the visitor declines the use of Kameleoon. It disables Kameleoon's normal operation mode. For more information, please refer to this article.



  • Nomination of a DPO

Our security and GDPR compliance program is supervised by a Data Protection Officer named in January 2018.

  • Response in case of an incident

Our incident management program enables us to react to security breaches on a 24/7 basis. If visitor or customer data is impacted, the Customer is informed without delay, as stipulated in the contract.

  • Security insurance plan

Kameleoon's security measures take into account state-of-the-art technology and GDPR requirements. Kameleoon guarantees confidentiality, integrity, availability and traceability of the Customer's data and keeps up-to-date written documentation detailing the technical and organizational security measures implemented.

  • EU-based servers

Kameleoon’s servers are situated in Europe. No personal data whatsoever circulates outside the EU, so our customers are sure to comply with GDPR’s data circulation restrictions.

  • Product development and new features

All new features we develop will be GDPR compliant. We follow strict guidelines to guarantee compliance with personal data protection rules.