Data Protection Fundamentals: Core Privacy Principles

Primary Focus

Individual rights regarding personal information

Protection of information assets from unauthorized access

Both protect personal data

Core Question

"Should we collect/use this data?"

"How do we protect the data we have?"

"How do we protect what we're allowed to have?"

Regulatory Frameworks

GDPR, CCPA, HIPAA Privacy Rule, PIPEDA

ISO 27001, NIST CSF, SOC 2, HIPAA Security Rule

Data breach notification laws

Key Controls

Consent management, purpose limitation, data minimization

Access controls, encryption, monitoring

Pseudonymization, access logging

Success Metric

Individual control over personal information

Confidentiality, integrity, availability of information

Personal data remains protected and properly used

Failure Impact

Privacy violation, regulatory penalty, trust erosion

Data breach, system compromise, business disruption

Unauthorized disclosure of personal information

Organizational Owner

Chief Privacy Officer, Data Protection Officer

Chief Information Security Officer, CISO

Joint accountability

Direct Identifiers

Name, SSN, driver's license number, passport number

Yes

Yes

Yes (if health-related)

Highest protection priority

Indirect Identifiers

IP address, device ID, cookie identifier, email address

Yes (identifiable individual)

Yes

Yes (if linked to health data)

Context-dependent identification

Demographic Data

Age, gender, race, ethnicity, marital status

Yes

Yes

Yes (when combined with health info)

May be sensitive data under GDPR

Financial Data

Credit card numbers, bank accounts, income, credit score

Yes

Yes

No (unless health-related)

Payment card data also subject to PCI DSS

Health Information

Medical records, diagnoses, prescriptions, genetic data

Yes (sensitive category)

Yes

Yes (core definition)

Highest regulatory scrutiny

Biometric Data

Fingerprints, facial recognition, retinal scans, voice prints

Yes (sensitive category)

Yes (when used for identification)

Yes (if in medical record)

Increasingly regulated separately

Location Data

GPS coordinates, address, geofencing data

Yes (when linked to individual)

Yes

Yes (if in medical record)

Real-time location particularly sensitive

Behavioral Data

Browsing history, purchase history, app usage

Yes (creates profile)

Yes

Possibly (if reveals health condition)

Aggregation can still be personal data

Professional Data

Job title, employer, work email, professional licenses

Yes

Yes

No (unless patient data)

B2B context doesn't eliminate privacy obligations

Communications

Emails, messages, call logs, video recordings

Yes

Yes

Yes (if patient communications)

Content and metadata both protected

Dignitary Harm

Violation of individual autonomy and right to control personal information

Unauthorized disclosure of medical condition, sexual orientation, religious beliefs

Individual

High (damage to dignity can't be "undone")

Economic Harm

Financial loss or economic disadvantage

Identity theft, employment discrimination, credit denial based on sensitive data

Individual

Medium (financial restoration possible but time-intensive)

Physical Harm

Risk to personal safety

Stalking via location data, domestic violence victim address disclosure

Individual

High (safety risk may persist even after data removal)

Reputational Harm

Damage to personal or professional reputation

Public disclosure of embarrassing information, career-damaging revelations

Individual

High (reputation damage spreads beyond control)

Emotional Distress

Psychological impact of privacy violation

Anxiety from data breach, distress from unauthorized surveillance

Individual

Medium (counseling can help, but impact varies)

Discrimination

Unfair treatment based on protected characteristics

Hiring bias from inferred race/age, insurance denial from health predictions

Individual

High (proving and remedying discrimination is complex)

Chilling Effect

Self-censorship due to surveillance concerns

Avoiding legitimate health research, political expression, or association

Society

Very high (societal harm difficult to measure/address)

Power Imbalance

Asymmetric control over personal information

Platform terms changes, data uses beyond individual control

Individual + Society

Very high (structural issue requiring regulatory intervention)

Legal Basis

Processing must have legitimate legal ground

Identify and document lawful basis (consent, contract, legal obligation, legitimate interest)

Processing without identifying legal basis, relying on invalid consent

Compliance

Processing must comply with applicable laws

Map data flows to legal requirements, ensure cross-border transfers comply with adequacy decisions

Unauthorized international transfers, violation of sector-specific laws

Legitimate Processing

Processing must serve lawful purpose

Document business/legal justification for each processing activity

Processing for purposes incompatible with original collection

Reasonable Expectations

Processing shouldn't violate reasonable privacy expectations

Don't use health app data for insurance underwriting unless explicitly disclosed and consented

No Deception

Processing methods must be honest

Don't hide data collection in buried terms, don't misrepresent data uses

Balanced Interests

Processing shouldn't create unjustified harm

Weigh organizational benefit against privacy impact; reject practices with disproportionate risk

Identity

Who is collecting data

At collection

Clear, prominent

Purpose

Why data is being collected

At collection

Specific, not vague

Categories

What data is being collected

At collection

Detailed list

Recipients

Who will receive the data

Before sharing

Named or categorized

Retention

How long data will be kept

At collection

Specific periods or criteria

Rights

What rights individuals have

At collection

Actionable instructions

Consequences

What happens if data isn't provided

When relevant

Clear explanation of impact

Collection

Define specific purpose before collection

Written purpose statement in privacy notice and internal documentation

Can you state the purpose in one clear sentence?

Processing

Use data only for specified purpose

Processing activities mapped to stated purposes

Does each use align with disclosed purpose?

Secondary Use

Assess compatibility before new uses

Compatibility assessment documenting relationship to original purpose

Is the new use reasonably expected by individuals?

Retention

Keep data only while purpose remains valid

Retention schedules tied to purpose completion

Does retention period match purpose duration?

Process payment transaction

Fraud detection on same transaction

Marketing to customer

Fraud detection directly serves transaction; marketing is unrelated benefit to company

Deliver healthcare service

Clinical research (de-identified)

Selling patient lists to pharmaceutical companies

Research advances care (compatible); selling lists serves commercial interest unrelated to care

Provide email service

Spam filtering

Reading emails to target advertising

Spam filtering serves email functionality; ad targeting serves separate business model

Employment application

Background check for same role

Marketing database for recruiters

Background check serves hiring decision; marketing database serves unrelated commercial purpose

Customer support request

Product improvement based on aggregated trends

Individual customer profiling for upselling

Aggregate improvement serves better support; individual profiling serves sales goals

Is this data element necessary for the stated purpose?

Can we accomplish the purpose without it?

Remove from collection

Reduced data = reduced risk

Is this granularity necessary?

Do we need precise data or would approximate suffice?

Collect less precise version

Birth year instead of birthdate; ZIP code instead of address

Is collection from this population necessary?

Do we need this data from everyone or just subset?

Limit collection to necessary users

Collect payment data only from paying customers, not free trial users

Is this frequency of collection necessary?

Do we need continuous updates or periodic snapshots?

Reduce collection frequency

Weekly aggregates instead of real-time tracking

Location

Continuous precise GPS

Route line generalized to 100m precision, deleted after workout summary generated

85% reduction in location data retained

Name

Full legal name required

Display name (user choice) for social features; full name only if purchasing

Reduced identification risk for free users

Birthdate

Full date required

Birth year only (age verification)

Eliminated specific birthdate exposure

Contact

Email and phone both required

Email required; phone optional for 2FA

60% reduction in phone number collection

Health Metrics

All metrics for all users

Only metrics relevant to user's chosen activities

Menstrual cycle data only collected if user activates period tracking

Social Graph

Automatic contact syncing

Opt-in manual connection

Eliminated contact list harvesting

Photos

Full resolution stored indefinitely

Compressed, retained only while shared, deleted with post

92% reduction in photo storage

Payment

Card stored for all users

Tokenized card data only for paying subscribers

Eliminated card data for 78% of users (free tier)

Initial Verification

Validate data at collection point

Every collection

Validation rules, error handling

Periodic Verification

Confirm data remains accurate

Risk-based (high-risk: quarterly; low-risk: annually)

Verification procedures, audit logs

User Updates

Provide mechanism for individuals to correct data

Continuous availability

Self-service tools, correction request processes

Systematic Correction

Identify and correct systematic inaccuracies

When discovered

Root cause analysis, correction plans

Deletion

Remove data that cannot be corrected

When correction not possible

Deletion logs, retention policy exceptions

Credit Reporting

Wrong credit score calculation

Loan denial, higher interest rates, employment rejection

Fair Credit Reported Act violations ($100-$1,000 per violation)

Healthcare

Incorrect medication allergy

Adverse drug reaction, patient harm

HIPAA violation, medical malpractice

Background Check

Wrong criminal record attributed

Employment denial, housing rejection, reputational damage

Fair Credit Reporting Act, defamation

Facial Recognition

Misidentification

False arrest, wrongful detention

Civil rights violations, false imprisonment

Algorithmic Decision

Training data bias

Discriminatory outcomes

Fair Housing Act, Equal Credit Opportunity Act violations

Transaction Processing

Duration of transaction + dispute period

Legal/contractual obligation

90-180 days post-transaction

Accounting Records

7 years (US tax law)

Legal requirement

7 years post-transaction

Employee Records

7 years post-employment

EEOC record retention

7 years after separation

Medical Records

Varies by state (typically 7-10 years)

Legal requirement, care continuity

State-specific period

Marketing Consent

Until withdrawn or 3 years inactivity

Consent validity

Withdrawal or 3 years no engagement

Customer Account

Active relationship + 90 days

Business necessity

Account closure + 90 days

Security Logs

90 days (standard), 1-2 years (high-risk)

Security investigation, compliance

End of retention period

Video Surveillance

30-90 days

Security investigation

End of retention period unless incident flagged

1. Data Inventory

Catalog all personal data holdings

Complete data map

Data Protection Officer

2. Legal Analysis

Identify retention requirements by jurisdiction and law

Legal retention matrix

Legal Counsel

3. Business Justification

Document business need for retention beyond legal minimum

Business case documentation

Business Unit Owners

4. Risk Assessment

Evaluate privacy risk of extended retention

Risk scoring

Privacy Team

5. Policy Development

Create retention schedules balancing legal, business, and risk factors

Retention policy by data category

DPO + Legal

6. Technical Implementation

Configure automated deletion

Deletion jobs, logs

Engineering

7. Monitoring

Verify deletion occurs as scheduled

Deletion audit reports

Compliance Team

Highly Sensitive

SSN, financial account numbers, health diagnoses, genetic data, biometric identifiers

Encryption at rest and in transit, MFA, extensive logging, DLP, regular audits

AES-256 at rest, TLS 1.3 in transit

Role-based + attribute-based, least privilege, regular recertification

Sensitive

Full name + DOB, email + demographics, location history, purchase history

Encryption in transit, logical access controls, monitoring

TLS 1.2+ in transit, encryption at rest recommended

Role-based access, annual access reviews

Standard

Aggregated analytics, anonymized data, public information

Basic access controls, standard monitoring

TLS in transit

Standard authentication, periodic access reviews

Access Management

Role-based access control (RBAC), multi-factor authentication (MFA), privileged access management (PAM), regular access reviews

Critical

$20K-$150K initially

Encryption

Data at rest encryption, data in transit encryption (TLS), database encryption, encrypted backups

Critical

$15K-$100K initially

Network Security

Firewalls, network segmentation, intrusion detection/prevention, DDoS protection

Critical

$50K-$200K annually

Endpoint Protection

Endpoint detection and response (EDR), antivirus, device encryption, mobile device management (MDM)

High

$30K-$120K annually

Data Loss Prevention

DLP tools, email filtering, USB/device control, cloud access security broker (CASB)

High

$40K-$180K annually

Monitoring & Logging

SIEM, log aggregation, security analytics, audit trails

High

$60K-$250K annually

Vulnerability Management

Vulnerability scanning, patch management, penetration testing

High

$25K-$100K annually

Incident Response

IR plan, IR team, forensics capability, breach notification procedures

Critical

$30K-$200K (preparation + retainer)

Backup & Recovery

Encrypted backups, offsite storage, recovery testing, business continuity planning

Critical

$20K-$100K annually

Security Awareness

Training programs, phishing simulation, security champions, policy acknowledgment

High

$15K-$60K annually

Data Inventory / Data Map

Catalog what personal data is processed, where, why, and how

Quarterly or upon significant change

Data Protection Officer

GDPR Art. 30, CCPA implied

Privacy Impact Assessment (PIA) / DPIA

Assess privacy risks of new processing activities

Before new processing begins

Privacy Team + Project Owner

GDPR Art. 35 (high-risk processing)

Records of Processing Activities (RoPA)

Document processing purposes, categories, recipients, transfers

Annually or upon change

Data Protection Officer

GDPR Art. 30

Data Protection Policies

Define how organization implements privacy principles

Annually or upon regulatory change

Legal + Privacy

All frameworks

Privacy Notices

Inform individuals about data processing

Upon material change

Legal + Privacy

GDPR Art. 13-14, CCPA § 1798.100

Consent Records

Document when and how consent obtained

Ongoing (per interaction)

Marketing + Product

GDPR Art. 7, CCPA § 1798.135

Data Processing Agreements (DPAs)

Contractually bind processors to privacy obligations

Upon vendor engagement or renewal

Procurement + Legal

GDPR Art. 28

Breach Response Plan

Define procedures for security incident response

Annually

Security + Privacy + Legal

GDPR Art. 33-34, State breach laws

Training Records

Document privacy training completion

Annually

HR + Compliance

SOC 2, ISO 27001, implied by all

Audit Logs

Record access to and processing of personal data

Continuous

IT + Security

HIPAA § 164.312(b), GDPR implied

Level 1: Reactive

Compliance activities only when forced by incident or audit

Minimal, created after-the-fact

Startups, organizations without privacy program

Level 2: Policy-Based

Written policies exist but implementation inconsistent

Policies documented but not operationalized

Small businesses, early-stage privacy programs

Level 3: Process-Based

Defined processes, regular execution, some automation

Comprehensive documentation, some gaps

Mid-size companies, maturing privacy programs

Level 4: Integrated

Privacy embedded in business processes, proactive risk management

Complete, current, accessible documentation

Large enterprises, privacy-forward organizations

Level 5: Optimizing

Continuous improvement, privacy as competitive advantage, metrics-driven

Real-time dashboards, automated evidence generation

Privacy leaders, heavily regulated industries

Right to be Informed

Know what data is collected and how it's used

Art. 13-14

§ 1798.100

§ 164.520 (Notice of Privacy Practices)

Low (privacy notice)

Right of Access

Obtain copy of personal data held

Art. 15

§ 1798.100

§ 164.524 (Access to PHI)

Medium (data retrieval and formatting)

Right to Rectification

Correct inaccurate personal data

Art. 16

Implied

§ 164.526 (Amendment)

Medium (validation and update processes)

Right to Erasure ("Right to be Forgotten")

Delete personal data under certain conditions

Art. 17

§ 1798.105

Limited

High (dependencies, backups, legal holds)

Right to Restrict Processing

Limit how data is used

Art. 18

N/A

N/A

High (flagging and enforcement)

Right to Data Portability

Receive data in machine-readable format and transfer to another controller

Art. 20

N/A

N/A

Medium to High (export format, interoperability)

Right to Object

Object to processing based on legitimate interests or for direct marketing

Art. 21

§ 1798.120 (Opt-out of sale)

N/A

Medium (suppression lists, preference management)

Rights Related to Automated Decision-Making

Not be subject to purely automated decisions with legal/significant effect

Art. 22

N/A

N/A

High (algorithm transparency, human review)

Request Intake

Receive and validate rights requests

Web form, email, API, customer portal

Identity verification system, ticketing system

Identity Verification

Confirm requestor is the data subject

Multi-factor authentication, KBA (knowledge-based authentication), manual verification

Identity management, customer database

Data Discovery

Locate all personal data for the individual

Data mapping, API queries, database searches

All systems containing personal data

Processing Logic

Apply business rules and legal requirements

Workflow engine, case management

Legal hold system, retention policies

Data Assembly

Compile data for delivery

ETL processes, export functions

Multiple source systems

Delivery

Provide data to requestor or execute deletion

Secure portal, encrypted email, API

Communication systems

Audit Trail

Log all actions for compliance demonstration

Audit logging, case history

SIEM, compliance reporting

Data Spread

Customer data in CRM, e-commerce, loyalty program, email marketing, customer service, analytics, etc.

Created unified customer ID mapping across systems; built API integrations to query each system

Identity Verification

High fraud risk (competitors requesting data, bad actors seeking information)

Implemented multi-step verification: email confirmation + last purchase verification + partial credit card match

Deletion Dependencies

Cannot delete from financial records (7-year legal retention), cannot delete from fraud prevention (ongoing investigations)

Built exception handling: delete from marketing/analytics, retain in financial/fraud systems with access restrictions

Format Requirements

GDPR requires "structured, commonly used, machine-readable format"

Standardized on JSON export with human-readable PDF summary

Response Timeline

GDPR: 30 days (extendable to 60); CCPA: 45 days (extendable to 90)

Implemented automated workflows for 80% of requests; manual queue for complex cases

Volume

Received 340 requests in first month post-implementation

Built self-service portal reducing manual processing from 2 hours per request to 15 minutes

Access Request

180

75%

25%

22 minutes

$18

Deletion Request

85

60%

40%

45 minutes

$37

Correction Request

42

90%

10%

12 minutes

$10

Opt-Out (Marketing)

520

95%

5%

3 minutes

$2

Do Not Sell

28

100%

0%

Automated

$0.50

Deletion Request with Active Fraud Investigation

Subject requests deletion while fraud investigation ongoing

Legal obligation to retain evidence vs. right to erasure

Deny deletion, cite legal obligation exception, restrict access to investigative team only

Access Request from Minor (Age 14)

Minor requests data, parent objects

Whose rights prevail?

Age-dependent: <13 parent controls; 13-17 assess maturity and jurisdiction; 18+ individual controls

Deceased Individual's Data

Family member requests deceased person's data

No privacy rights after death in most jurisdictions

Follow estate law and terms of service; generally deny unless authorized by estate

Deletion Request for Shared Data

Person requests deletion of photo containing other individuals

One person's right to erasure vs. others' rights

Partial compliance: blur/remove requestor, retain photo with others if lawful

Access Request from Employee Terminated for Cause

Former employee requests all data including performance reviews, investigation records

Employment records retention vs. access right

Provide personal data; may redact third-party information; consult employment counsel

Portability Request for Proprietary Algorithm Outputs

Individual requests data generated by company's AI analysis

Is derived/inferred data "personal data" subject to portability?

Jurisdiction-dependent; EU: yes; US: less clear. Provide input data definitely, derived data possibly

New Technology Deployment

Art. 35: High risk processing

Not explicitly required

Recommended for any new system processing personal data

Systematic Monitoring

Art. 35: Large-scale systematic monitoring

Not explicitly required

Required for surveillance, tracking, behavioral analysis

Sensitive Data Processing

Art. 35: Large-scale processing of special categories

Not explicitly required

Required for health, financial, children's data

Automated Decision-Making

Art. 35: Decisions with legal/significant effect

Not explicitly required

Required for AI/ML making consequential decisions

Data Sharing/Transfer

Art. 35: If novel or high risk

Not explicitly required

Recommended for third-party sharing, international transfers

Large-Scale Processing

Art. 35: Large scale (>10,000 individuals)

Not explicitly required

Recommended threshold: >5,000 individuals

1. Project Description

What is being built, why, and how

What personal data will be processed? What is the business justification?

N/A (context setting)

2. Data Flow Mapping

Visual representation of data movement

Where does data come from? Who has access? Where does it go?

Identifies exposure points

3. Legal Basis Analysis

Lawful basis for processing

What is our legal ground for processing? Is consent appropriate?

Identifies compliance gaps

4. Necessity Assessment

Data minimization evaluation

Do we need all this data? Can we achieve purpose with less?

Reduces attack surface

5. Risk Identification

Privacy harms that could occur

What could go wrong? Who could be harmed? How severe?

Catalogues threats

6. Risk Analysis

Likelihood and impact assessment

How likely is each risk? What would the impact be?

Prioritizes mitigation

7. Mitigation Measures

Controls to reduce risk

What safeguards will we implement? What residual risk remains?

Demonstrates due diligence

8. Approval and Sign-Off

Accountability documentation

Who approved this? When? Under what conditions?

Creates audit trail

Catastrophic (Massive harm, regulatory action, major reputation damage)

Medium Risk

High Risk

High Risk

Critical Risk

Critical Risk

Major (Significant harm, regulatory investigation, reputation damage)

Low Risk

Medium Risk

High Risk

High Risk

Critical Risk

Moderate (Harm to individuals, potential regulatory inquiry)

Low Risk

Medium Risk

Medium Risk

High Risk

High Risk

Minor (Limited harm, manageable impact)

Low Risk

Low Risk

Medium Risk

Medium Risk

High Risk

Negligible (Minimal or no harm)

Low Risk

Low Risk

Low Risk

Medium Risk

Medium Risk

Critical

Do not proceed without fundamental redesign or executive acceptance of risk

Cancel project, major architectural changes, C-level sign-off required

High

Implement extensive controls, reduce to Medium or Low before proceeding

Add encryption, restrict access, implement DLP, independent security review

Medium

Implement standard controls, monitor closely

Standard security measures, periodic reviews, user training

Low

Accept risk with standard controls, document decision

Routine processing with baseline security

Training data re-identification

Possible

Major

High

De-identify training data, implement differential privacy, access controls

Algorithmic bias leading to disparate care

Likely

Catastrophic

Critical

Bias testing across protected classes, fairness metrics, human override capability

Unauthorized access to risk scores

Unlikely

Major

Medium

Encryption, role-based access, audit logging

Indefinite data retention

Almost Certain

Moderate

High

5-year retention limit, periodic model retraining with fresh data, deletion schedules

Score sharing with payers affecting coverage

Possible

Catastrophic

Critical

Prohibit payer sharing in contracts, technical controls preventing external access

Adequacy Decision

GDPR recognizes recipient country as providing adequate protection

None beyond standard GDPR compliance

Low

Very Low

Standard Contractual Clauses (SCCs)

GDPR-approved contracts between data exporter and importer

Execute SCCs, assess recipient country laws, implement supplementary measures if needed

Medium

Low to Medium

Binding Corporate Rules (BCRs)

GDPR approval of intra-group privacy framework

Develop comprehensive privacy program, obtain regulatory approval (6-18 months)

Very High

Low

Consent

Explicit consent to international transfer

Informed, freely given, specific consent for each transfer destination

Low to Medium

Medium to High (consent may be withdrawn)

Contractual Necessity

Transfer necessary to perform contract with individual

Document necessity, limited to essential transfers

Medium

Medium

Derogations

Transfer necessary for legal claims, vital interests, public interest

Limited circumstances, document necessity

Low

Medium to High (narrow applicability)

Andorra

Adequate

None

2024

Argentina

Adequate

None

2024

Canada (commercial organizations)

Adequate

None

2025

Faroe Islands

Adequate

None

2024

Guernsey

Adequate

None

2024

Israel

Adequate

None

2024

Isle of Man

Adequate

None

2024

Japan

Adequate

Mutual arrangement with conditions

2024

Jersey

Adequate

None

2024

New Zealand

Adequate

None

2024

South Korea

Adequate

None

2025

Switzerland

Adequate

None

2024

United Kingdom

Adequate

Post-Brexit arrangement

Ongoing monitoring

United States (partial)

EU-U.S. Data Privacy Framework participants only

Organization must self-certify

Annual renewal required

Uruguay

Adequate

None

2024

Privacy Policy

Public privacy policy consistent with DPF principles

Self-attestation

Included

Data Processing Agreement

Agreement with service providers handling EU data

Template provided

Included

Dispute Resolution

Independent dispute resolution mechanism

Engage approved provider

$2,000-$8,000

Enforcement

Subject to FTC enforcement jurisdiction

Verify FTC jurisdiction applies

Included

Verification

Annual re-certification

Self-attestation and payment

$0 (but must maintain certification)

Supplementary Measures

Implement safeguards for government access concerns

Risk assessment, technical controls

$5,000-$50,000 (implementation)

1. Select Module

Choose appropriate SCC module (Controller-Controller, Controller-Processor, Processor-Processor, Processor-Controller)

Module selection rationale

Legal

2. Complete Annexes

Document data categories, processing purposes, technical/organizational measures

Completed Annex I and Annex II

Privacy + IT

3. Assess Transfer Impact

Evaluate recipient country laws, government access risks

Transfer Impact Assessment (TIA)

Legal + Privacy

4. Identify Supplementary Measures

Determine additional safeguards needed

Supplementary measures documentation

Privacy + Security

5. Execute Agreement

Obtain signatures from both parties

Fully executed SCCs

Legal

6. Implement Controls

Deploy technical and organizational measures

Implementation evidence

IT + Security

7. Monitor Compliance

Periodic review of effectiveness

Monitoring reports

Privacy

Low Risk (Adequacy decision country, limited data)

Standard security measures

Encryption in transit, access controls

Medium Risk (No adequacy, non-sensitive data, limited government access risk)

Enhanced security + organizational measures

Encryption at rest, data minimization, audit rights, contractual restrictions on government disclosure

High Risk (Sensitive data, significant government access concerns)

Strong technical measures + strict organizational controls

End-to-end encryption, multi-party computation, tokenization, data residency, legal challenges to government requests

Critical Risk (Special category data, hostile jurisdiction)

Maximum protection or avoid transfer

Fully homomorphic encryption, secure multi-party computation, or do not transfer

United States (COPPA)

Under 13 years

N/A (parental consent always required)

Verifiable parental consent, notice to parents, data minimization, deletion rights

European Union (GDPR)

Under 16 years (Member States may lower to 13)

13-16 (varies by country)

Parental consent below digital consent age, enhanced protections for profiling

United Kingdom (Age Appropriate Design Code)

Under 18 years

13

15 standards including default high privacy settings, no nudging, appropriate data sharing

California (CCPA, COPPA, AB 2273)

Under 13 (COPPA), Under 18 (CCPA), Under 18 (AB 2273)

13

Opt-in consent for selling data of minors, age-appropriate design, restricted profiling

Website directed to children under 13

Yes

Primary audience is children

General audience website with children's section

Yes (for children's section)

Actual knowledge of child users in that section

Website with age gate that effectively prevents children

Depends

If age gate is effective and enforced, possibly no; if not, yes

General audience website with actual knowledge of child users

Yes

Actual knowledge triggers COPPA

Teen-focused website (ages 13-17)

No (COPPA), Yes (other laws)

COPPA doesn't apply, but state laws and GDPR may

Credit Card Verification

$0.30-$1.50 (card processing fee)

15-35%

Yes

Poor (friction, privacy concern)

Parental Email + Follow-Up

$0.05

40-60%

Yes (if reasonable follow-up)

Moderate

Video Conference

$15-$40 (staff time)

5-15%

Yes

Very poor (high friction)

Government ID Upload

$2-$8 (verification service)

10-25%

Yes

Poor (privacy concern)

Digital Signature

$1-$3

20-40%

Yes

Moderate

Knowledge-Based Questions

$1.50-$4

25-45%

Yes (if robust)

Moderate

Age Verification

Cannot reliably verify child's age self-declaration

Implemented neutral age gate with clear explanation of COPPA to parents

$12,000 (development)

Parental Consent

72% consent request abandonment with credit card method

Switched to email-based consent with follow-up confirmation link

Reduced friction

Data Minimization

Collected extensive gameplay data for personalization

Reduced data collection for under-13 users to essential only (username, grade level, scores)

Redesign: $45,000

Third-Party Services

Used analytics and advertising partners that collected data

Eliminated behavioral advertising for under-13 users, switched to contextual ads only

Revenue impact: -18% for child segment

Consent Withdrawal

No process for parents to review/delete child's data

Built parent dashboard for data access and deletion

$28,000

1. Best Interests

Consider child's best interests in design decisions

Privacy-by-design for child users

2. Data Protection Impact Assessment

Conduct DPIA before launching service

Formal risk assessment required

3. Age Appropriate Application

Consider child's age/development in applying standards

Age-differentiated features and protections

4. Transparency

Provide concise, prominent, age-appropriate privacy information

Simplified privacy notices, possibly video/visual

5. Detrimental Use

Don't use data in ways detrimental to child's wellbeing

Restrict profiling, manipulative design

6. Policies and Community Standards

Publish and enforce child-appropriate policies

Content moderation, reporting mechanisms

7. Default Settings

High privacy settings by default unless compelling reason

Privacy-protective defaults

8. Data Minimization

Collect minimum data necessary

Reduced data collection for child users

9. Data Sharing

Don't disclose children's data unless justification

Strict limits on third-party sharing

10. Geolocation

Turn off geolocation by default

Location services opt-in only

11. Parental Controls

Provide age-appropriate parental controls if offered

Transparent parental oversight tools

12. Profiling

Turn off profiling by default

No behavioral advertising by default

13. Nudge Techniques

Don't use nudge techniques to encourage data disclosure or weaken privacy

Ethical design patterns

14. Connected Toys

Additional protections for internet-connected toys and devices

Enhanced security, clear privacy information

15. Online Tools

Provide accessible tools for children to exercise rights

Child-friendly privacy controls

Leadership

No designated privacy leader

Privacy Officer/DPO with defined authority

CPO reporting to CEO, board-level oversight

Policies

No formal privacy policies

Comprehensive policies, reviewed annually

Dynamic policies, continuous improvement, metrics-driven

Training

No privacy training

Annual training for all employees, role-specific content

Continuous training, privacy champions network, culture of privacy

Risk Management

No privacy risk assessment

Privacy Impact Assessments for high-risk projects

Proactive privacy risk identification, integrated into enterprise risk management

Data Governance

No data inventory

Comprehensive data inventory, updated quarterly

Real-time data mapping, automated discovery, governance by design

Vendor Management

No vendor privacy assessment

Vendor assessments, DPAs required

Continuous vendor monitoring, automated compliance verification

Rights Management

Ad hoc response to requests

Defined process, 30-day SLA

Self-service portal, automated processing, <7 day average

Incident Response

No breach response plan

Documented IR plan, defined roles

Automated breach detection, playbook-driven response, continuous improvement

Metrics & Reporting

No privacy metrics

Basic metrics (request volume, time to respond)

Comprehensive dashboard, predictive analytics, board reporting

1

Executive buy-in, budget approval, designate Privacy Officer

Executive sponsor identified, budget allocated, PO appointed

CEO, CFO

2

Initial data inventory (top 10 systems), regulatory applicability assessment

High-level data map, applicable regulations identified

Privacy Officer

3

Privacy policy development or update, cookie policy, website compliance

Published privacy notice, cookie banner deployed

Privacy + Legal

4

Rights request process design, intake form creation, response templates

Rights request procedure documented

Privacy Officer

5

Vendor inventory, DPA template development

Vendor list, DPA template ready

Privacy + Procurement

6

Privacy training content development

Training modules created

Privacy + HR

7

Privacy impact assessment template, pilot PIA on current project

PIA template, one completed PIA

Privacy Officer

8

Incident response plan development, breach notification templates

IR plan, notification templates

Privacy + Security + Legal

Consent Management Platform (CMP)

Website cookie consent, preference management

OneTrust, TrustArc, Cookiebot, Osano

$15,000-$80,000

Privacy Management Software

Centralized privacy program management, assessments, rights requests, vendor management

OneTrust, TrustArc, BigID, WireWheel

$50,000-$300,000

Data Discovery and Classification

Automated data discovery, sensitive data identification

BigID, Spirion, Varonis, Ground Labs

$30,000-$150,000

Data Subject Rights Automation

Automated rights request processing

OneTrust, DataGrail, Securiti, Mine

$20,000-$100,000

Vendor Risk Management

Third-party privacy assessment, continuous monitoring

OneTrust, Prevalent, SecurityScorecard, Whistic

$25,000-$120,000

Privacy Impact Assessment

Structured PIA workflow, collaboration, documentation

OneTrust, TrustArc, Nymity

$15,000-$60,000

Training and Awareness

Privacy training delivery, tracking, assessment

KnowBe4, NAVEX Global, SAI360

$10,000-$40,000

Amazon

Behavioral advertising without proper consent

€746M

2021

Consent must be freely given, specific, informed; cookie walls prohibited

Meta (WhatsApp)

Transparency failures, consent issues

€225M

2021

Privacy notices must be clear; consent mechanism must be compliant

Google Ireland

Transparency and legal basis failures for ad personalization

€90M

2022

Clear information about data processing required; legitimate interest claims scrutinized

H&M

Excessive employee monitoring

€35M

2020

Employee data subject to same protections; surveillance must be justified and proportionate

British Airways

Security failure leading to data breach

€22M

2020

Adequate security measures required; breach notification within 72 hours

Marriott

Security failure, third-party data breach

€20M

2020

Organizations responsible for acquired/inherited data; due diligence in M&A critical

Right to Know

What personal information is collected, used, shared, sold

Disclose categories and specific pieces upon request

45 days (extendable to 90)

Right to Delete

Delete personal information

Delete from systems and direct service providers to delete

45 days (extendable to 90)

Right to Opt-Out

Stop sale or sharing of personal information

Honor opt-out request, display "Do Not Sell or Share My Personal Information" link

Immediate

Right to Limit Use

Limit use of sensitive personal information

Honor limitation request for sensitive data

Immediate

Right to Correct

Correct inaccurate personal information

Make corrections upon request

45 days (extendable to 90)

Right to Non-Discrimination

Not be discriminated against for exercising rights

Cannot deny goods/services, charge different prices, or provide different quality (with limited exceptions)

N/A

Tier 1: Unknowing

Didn't know and couldn't reasonably know

$100-$50,000

$1,500,000

Tier 2: Reasonable Cause

Knew or should have known, but not willful neglect

$1,000-$50,000

$1,500,000

Tier 3: Willful Neglect (Corrected)

Willful neglect that was corrected within 30 days

$10,000-$50,000

$1,500,000

Tier 4: Willful Neglect (Not Corrected)

Willful neglect not corrected within 30 days

$50,000

$1,500,000

Premera Blue Cross

Data breach affecting 10.4M individuals

$6.85M

2020

Inadequate risk analysis, lack of security measures

Anthem

Data breach affecting 79M individuals

$16M

2018

Inadequate risk analysis, failed to implement security measures

Memorial Healthcare System

Multiple breaches, unencrypted laptops stolen

$5.5M

2017

Failure to implement encryption, inadequate risk management

Advocate Health Care

Unencrypted PHI on electronic devices

$5.55M

2016

Four breaches, failure to encrypt, inadequate risk analysis

Virginia

VCDPA

January 2023

>100,000 VA residents OR >25,000 VA residents + >50% revenue from personal data sales

No private right of action, 30-day cure period

Colorado

CPA

July 2023

Similar to Virginia

Universal opt-out mechanism required

Connecticut

CTDPA

July 2023

Similar to Virginia

Data protection assessments for certain processing

Utah

UCPA

December 2023

Similar to Virginia

More business-friendly, fewer consumer rights

Texas

TDPSA

July 2024

Similar to Virginia

Biometric data specific provisions

Oregon

OCPA

July 2024

Similar to Virginia

Strong consumer rights

Montana

MCDPA

October 2024

Similar to Virginia

Standard framework