Privacy Fundamentals
Data privacy regulations govern how organizations collect, use, share, and protect personal information. While specific requirements vary dramatically by jurisdiction, core privacy principles are universal: notice, consent, access, deletion, security, and accountability. Before any privacy-related assistance, establish: (1) the relevant jurisdiction(s), (2) the types of personal data involved, and (3) the legal basis for processing. This primer covers universal concepts; jurisdiction-specific implementation details are in the jurisdiction primers linked at the end.
Core Concepts
Personal data is any information that can identify or relate to an individual. This includes direct identifiers (name, email, phone, government ID) and indirect identifiers (IP address, device ID, location data, behavioral patterns). The definition is intentionally broad—even pseudonymized data may be personal data if it can be linked back to individuals. Special categories of personal data (health, biometrics, racial/ethnic origin, sexual orientation, political opinions) receive enhanced protection under most regulations. Sensitive data categories vary by jurisdiction but generally include information whose misuse could cause significant harm.
Legal basis for processing determines when personal data collection and use is lawful. Most privacy regulations require a valid legal basis—typically consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Consent must be informed, specific, and freely given. Legitimate interests require balancing your interests against individual rights. The legal basis affects what rights individuals have and what you can do with the data. Processing without a valid legal basis violates privacy regulations regardless of security measures.
Data minimization means collecting and using only the personal data necessary for your stated purpose. This principle requires defining clear purposes before collection, limiting data types to what's genuinely needed, and retaining data only as long as required. Data minimization reduces risk, compliance burden, and storage costs while respecting individual autonomy. Organizations often collect "just in case" data that violates this principle—collect only what you actively need.
Purpose limitation restricts use of personal data to the purposes communicated at collection (or compatible purposes). Using data for materially different purposes requires new notice and potentially new consent. This prevents function creep where data collected for one purpose gradually expands to other uses without user awareness. Purpose limitation requires documenting why you collect each data type and restricting downstream uses accordingly.
Storage limitation means keeping personal data only as long as necessary to fulfill the purpose or meet legal obligations. Many organizations default to indefinite retention, but privacy regulations require defined retention periods and deletion procedures. Retention periods should be documented in privacy policies, records retention schedules, and data inventories. Automated deletion after retention periods reduces risk and compliance burden.
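The storage limitation paragraph above describes automated deletion after documented retention periods. The following is an added example, not code from the original page: it applies a retention schedule keyed by declared purpose to a small data inventory, refuses to guess a period for any purpose that was never documented, and reports records that are past due but under a legal hold instead of silently keeping them. The purposes, periods, record layout and sample records are constructed assumptions for illustration, not legal advice.

```python
"""Added example, not from the original page: enforce a documented retention
schedule over a data inventory so deletion is scheduled rather than indefinite.
Purposes, periods and records below are constructed for illustration and are
assumptions, not legal advice; real periods come from your retention schedule."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention schedule, keyed by the purpose declared at collection.
# Each period runs from the event that starts the clock (closure, collection).
RETENTION_SCHEDULE = {
    "account_service": timedelta(days=30),      # after account closure
    "tax_records": timedelta(days=7 * 365),     # assumed statutory period
    "marketing_consent": timedelta(days=365),   # after last consent refresh
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    retention_start: datetime   # when the retention clock started (UTC)
    legal_hold: bool = False    # litigation/regulatory hold overrides deletion


def deletion_due(rec: Record) -> datetime:
    """Date after which the record must be deleted.

    Fails closed: a record whose purpose has no documented retention period is
    itself a storage-limitation and purpose-limitation gap, so refuse to guess."""
    try:
        period = RETENTION_SCHEDULE[rec.purpose]
    except KeyError:
        raise ValueError(f"no documented retention period for purpose {rec.purpose!r}")
    return rec.retention_start + period


def sweep(records, now: datetime):
    """Split records into those due for deletion and those past due but held.

    Returns (to_delete, held) as lists of record ids. Held records are reported
    rather than silently kept so the hold itself gets reviewed and documented."""
    to_delete, held = [], []
    for rec in records:
        if deletion_due(rec) > now:
            continue
        (held if rec.legal_hold else to_delete).append(rec.record_id)
    return to_delete, held


# Constructed sample inventory and a fixed "now" so the run is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "account_service", datetime(2024, 11, 1, tzinfo=timezone.utc)),
    Record("r2", "account_service", datetime(2024, 12, 20, tzinfo=timezone.utc)),
    Record("r3", "tax_records", datetime(2020, 1, 1, tzinfo=timezone.utc)),
    Record("r4", "marketing_consent", datetime(2023, 6, 1, tzinfo=timezone.utc),
           legal_hold=True),
]

if __name__ == "__main__":
    to_delete, held = sweep(SAMPLE_RECORDS, NOW)
    print("delete:", to_delete)   # ['r1']
    print("held:  ", held)        # ['r4']
```

In a real deployment the sweep output feeds the deletion job and the held list feeds the legal team; backups are not touched by this logic and need their own documented rotation period so that deleted data also ages out of them.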
Privacy Principles
Notice and transparency require communicating how you collect, use, and share personal data. Privacy notices must be clear, accessible, and comprehensible—not legal jargon buried in fine print. Effective notices explain what data is collected, why it's collected, who it's shared with, how long it's kept, and what rights individuals have. Notice must occur before or at collection, not retroactively. Some jurisdictions require just-in-time notices for sensitive data or new purposes.
Consent is agreement to specific processing of personal data. Valid consent must be informed (individual understands what they're agreeing to), specific (granular, not bundled with terms of service), freely given (not coerced or as condition for service), and revocable. Pre-checked boxes, implied consent, and consent buried in terms of service typically don't qualify. Withdrawing consent must be as easy as giving it. Consent obtained before a regulation takes effect may need refreshing if it wasn't informed and specific.
Individual rights enable people to control their personal data. Core rights include access (know what data you have), rectification (correct inaccurate data), erasure/deletion (remove data upon request), portability (receive data in usable format), objection (opt out of processing), and restriction (limit how data is used). Not all rights apply in all circumstances: legal obligations, contractual necessity, and legitimate interests may limit certain rights. Rights requests must be handled promptly; GDPR allows one month (extendable for complex or numerous requests), CCPA allows 45 days, and some jurisdictions require faster responses.
Security protects personal data from unauthorized access, loss, alteration, or destruction. Security measures must be appropriate to the risk—more sensitive data requires stronger safeguards. Technical measures include encryption (at rest and in transit), access controls, pseudonymization, and regular security testing. Organizational measures include staff training, confidentiality agreements, and incident response procedures. Security is an ongoing obligation, not a one-time implementation.
Accountability requires demonstrating compliance with privacy principles. Organizations must document what data they collect, why, how it's used, who it's shared with, and how rights are honored. Data inventories, processing records, privacy impact assessments, and audit trails provide accountability. When violations occur, accountability includes notifying regulators and affected individuals, cooperating with investigations, and implementing corrective measures.
Major Privacy Regulations
GDPR (General Data Protection Regulation) applies to processing of personal data of individuals in the EU/EEA, regardless of where the organization is located. GDPR has broad territorial scope: if you offer goods or services to people in the EU/EEA or monitor their behavior, GDPR applies. Maximum penalties are €20 million or 4% of worldwide annual turnover, whichever is higher. GDPR requires data protection officers for certain organizations, data protection impact assessments for high-risk processing, and parental consent for online services offered to children under 16 (member states may lower the threshold to 13). For detailed GDPR requirements, see GDPR Primer.
CCPA and CPRA (California Consumer Privacy Act and California Privacy Rights Act) apply to businesses that collect California residents' personal information and meet revenue, data volume, or data sale thresholds. Covered businesses must honor consumer rights to know, delete, correct, and opt out of sale or sharing. CPRA added rights to limit use of sensitive personal information and opt out of automated decision-making. Penalties are $2,500 per violation or $7,500 per intentional violation, plus a private right of action for certain data breaches. For detailed CCPA and CPRA requirements, see CCPA/CPRA Primer.
HIPAA (Health Insurance Portability and Accountability Act) governs protected health information (PHI) in the United States. HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and business associates who handle PHI. HIPAA requires reasonable safeguards, patient authorization for most uses beyond treatment/payment/operations, and breach notification within 60 days of discovery. HIPAA is domain-specific (healthcare) rather than jurisdiction-specific, though it is US federal law. For detailed HIPAA requirements, see US Healthcare Primer.
GLBA (Gramm-Leach-Bliley Act) requires financial institutions to protect customer financial information and provide privacy notices explaining sharing practices. GLBA applies to banks, credit unions, insurers, and other financial services companies. It requires annual privacy notices and opt-out rights for certain information sharing.
COPPA (Children's Online Privacy Protection Act) restricts collection of personal information from children under 13 without verifiable parental consent. COPPA applies to websites and online services directed to children or that knowingly collect children's data. Violations carry civil penalties per violation that the FTC adjusts annually for inflation (the 2022 figure was $46,517).
Jurisdiction matters enormously—privacy requirements vary significantly by country, state, and even city. Multi-jurisdictional situations require compliance with all applicable regulations, which may conflict. Always establish jurisdiction before providing specific privacy guidance.
Data Subject Rights
Right of access entitles individuals to know what personal data you hold about them, where it came from, why you're processing it, and who you're sharing it with. Access requests must be fulfilled promptly (one month under GDPR, extendable for complex requests; 45 days under CCPA; some jurisdictions require faster) and without excessive delay. Responses should be in a clear, structured format. You can charge a reasonable fee only in limited circumstances and cannot use fees to discourage requests.
Right to rectification allows individuals to correct inaccurate or incomplete personal data. Organizations must correct errors promptly upon request and verify accuracy of contested information. Rectification requests may also involve completing incomplete records. If data was shared with third parties, you must notify them of corrections unless this is impossible or involves disproportionate effort.
Right to erasure (also called "right to be forgotten") requires deleting personal data in specific circumstances: when it's no longer necessary for the original purpose, consent is withdrawn, objection is successful, data was unlawfully processed, or legal obligations require deletion. Erasure isn't absolute—legal obligations, contractual necessity, and legitimate interests may justify retention. Deletion must be comprehensive (including backups, archives, and third-party copies) unless technical impossibility prevents it.
Right to data portability enables individuals to receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. Portability applies only to data provided by the individual (not inferred data) and data processed by consent or contract. This right facilitates switching services and reduces lock-in effects.
Right to object allows individuals to opt out of processing based on legitimate interests or direct marketing. Objection to legitimate interests processing requires you to stop unless you can demonstrate compelling legitimate grounds that override individual interests. Objection to direct marketing requires immediate cessation with no justification needed.
Right to restriction limits how personal data is processed while accuracy is contested, processing is unlawful, or you no longer need the data but the individual requires it for legal claims. During restriction, you can store data but process it only with consent, for legal claims, to protect rights of others, or for important public interest.
Cross-Border Data Transfers
Transfer restrictions limit moving personal data from one jurisdiction to another. Most privacy regulations restrict transfers unless the destination provides "adequate" protection or appropriate safeguards are in place. Transfer restrictions prevent jurisdiction shopping where data is moved to places with weaker privacy protections.
Adequacy decisions recognize that certain jurisdictions provide equivalent protection, allowing free flow of data without additional safeguards. The EU has granted adequacy to countries including Canada, Japan, UK, and others. Adequacy decisions are subject to review and can be withdrawn if conditions change.
Standard contractual clauses (SCCs) are pre-approved contracts that provide legal safeguards for data transfers when adequacy doesn't apply. SCCs impose obligations on data importers to protect personal data. Organizations must implement SCCs correctly—signing them without ensuring importer compliance violates transfer restrictions.
Binding corporate rules (BCRs) allow multinational organizations to transfer data internally under approved policies that meet regulatory requirements. BCRs require significant documentation and regulatory approval but provide flexible intra-organizational transfers.
Derogations provide limited exceptions for transfers without adequacy or safeguards: explicit consent, contractual necessity, important public interest, legal claims, vital interests. Derogations are narrow and typically require case-by-case assessment.
Transfer mechanisms under GDPR are detailed in GDPR Primer.
Breach Notification
Personal data breaches are security incidents that lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data. Not every security incident is a personal data breach: only those affecting personal data qualify. Whether a breach must be notified depends on the risk it poses to individuals, but it is a breach, and must be recorded, regardless of that risk.
Notification to regulators must occur within specific timeframes when breaches pose risks to individuals. GDPR requires notification to the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals; late notifications must explain the delay. Other regimes differ: HIPAA allows 60 days from discovery; California's breach notification statute (separate from the CCPA) requires notice in the most expedient time possible and without unreasonable delay, with a copy to the Attorney General when more than 500 California residents are affected. Notification must describe the breach, the categories and approximate numbers of individuals and records affected, likely consequences, and measures taken.
Notification to individuals is required when breaches pose high risks to rights and freedoms. GDPR requires direct notification "without undue delay" for high-risk breaches. Notification must be clear, describe the breach, explain risks, and advise protective measures. You can avoid individual notification if you've implemented measures that render the data unintelligible to anyone not authorized to access it (e.g., encryption). That exemption only holds if the keys were not also compromised and the encryption and key management were sound; an attacker who took both the ciphertext and the key has the data.
Breach documentation must record all personal data breaches regardless of whether notification is required. Documentation enables accountability, demonstrates compliance, and supports incident response improvements.
Privacy Programs
Privacy programs systematically manage privacy compliance across an organization. Effective programs include policies (what you'll do), procedures (how you'll do it), training (ensuring people know), and monitoring (verifying it's happening). Privacy programs must be tailored to your organization's size, data processing activities, and regulatory obligations.
Data inventories document what personal data you collect, where it comes from, why you collect it, who you share it with, and how long you keep it. Inventories are foundational—you can't protect what you don't know you have. Inventories should be maintained and updated as processing activities change.
Privacy impact assessments (PIAs) evaluate privacy risks before implementing new processing activities. PIAs identify what data is collected, why, risks to individuals, and measures to mitigate risks. High-risk processing (systematic monitoring, sensitive data, large-scale processing) typically requires PIAs. PIAs are living documents that should be reviewed and updated as circumstances change.
Vendor management ensures third parties who process personal data on your behalf (processors, service providers) meet privacy obligations. Vendor agreements must define roles, responsibilities, and security requirements. Organizations remain responsible for their vendors' compliance—vendor violations can trigger your obligations.
Training and awareness ensure employees understand privacy obligations and how to handle personal data appropriately. Training should be role-specific, regular, and updated as regulations change. Privacy awareness creates a culture where employees recognize and respect privacy obligations.
Terminology
Data controller determines the purposes and means of processing personal data. The controller is the entity legally responsible for compliance. Organizations are controllers when they decide what data to collect and how to use it.
Data processor processes personal data on behalf of a controller. Processors act only on controller instructions and must provide appropriate security. Processors can be controllers for their own processing activities (employee data, marketing) while acting as processors for controller data.
Personal data breach is a security incident affecting personal data, not just any security event. All personal data breaches must be recorded; whether they must be notified depends on the risk to individuals.
Consent is agreement to specific processing. Not the same as accepting terms of service, implied agreement, or silence. Must be informed, specific, freely given, and revocable.
Legitimate interests is a legal basis allowing processing when necessary for your interests unless overridden by individual rights. Requires balancing test and can be objected to.
Pseudonymization replaces identifiers with pseudonyms, reducing identifiability while allowing analysis. Pseudonymized data remains personal data if it can be linked back to individuals.
Anonymization irreversibly removes identifiability, rendering data non-personal. True anonymization is difficult—most "anonymized" data is actually pseudonymized.
Key Numbers
GDPR breach notification: 72 hours to the supervisory authority. California breach notification (state breach statute, separate from the CCPA): without unreasonable delay, with a copy to the Attorney General when more than 500 California residents are affected. HIPAA breach notification: 60 days from discovery to affected individuals. GDPR penalty maximum: €20 million or 4% of worldwide annual turnover, whichever is higher. CCPA penalty: $2,500 per violation, $7,500 per intentional violation. GDPR access request response: one month (extendable by two further months for complex or numerous requests). CCPA request response: 45 days (extendable by 45 days). GDPR DPO required when: the organization is a public authority, its core activities involve large-scale regular and systematic monitoring, or its core activities involve large-scale processing of special category or criminal conviction data.
Common Misconceptions
"Privacy policy equals compliance." Privacy policies describe what you do, but compliance requires actually doing what you say. Policy violations create legal risk and erode trust.
"Consent is always required." Many legal bases exist beyond consent—contractual necessity, legal obligations, legitimate interests. Consent isn't always appropriate or required.
"Encryption makes data anonymous." Encryption protects data but doesn't make it anonymous. Encrypted personal data remains personal data and subject to privacy regulations.
"HIPAA covers all health data." HIPAA applies only to covered entities and business associates handling PHI. Health data from apps, wearables, or non-covered entities may fall under general privacy regulations instead.
"Deletion means secure deletion." Merely deleting files doesn't remove data from backups, archives, third-party systems, or logs. Secure deletion requires comprehensive removal across all systems.
"Small businesses are exempt." While some regulations have thresholds (CCPA revenue/data volume, GDPR size criteria), many privacy obligations apply regardless of organization size. Small businesses often process significant amounts of personal data.
"GDPR only applies in Europe." GDPR applies to any organization processing EU/EEA residents' data, regardless of location. Territorial scope is broad—offering services to EU residents or monitoring their behavior triggers GDPR.
Jurisdiction Matters
Privacy requirements vary enormously by jurisdiction. GDPR requirements differ from CCPA, which differs from PIPEDA, LGPD, and state laws. Multi-jurisdictional situations require compliance with all applicable regulations, which may conflict. Always establish jurisdiction before providing specific privacy guidance.
For jurisdiction-specific requirements:
- GDPR (EU/EEA): See GDPR Primer
- CCPA/CPRA (California): See CCPA/CPRA Primer
- HIPAA (US healthcare): See US Healthcare Primer