Privacy regulation has exploded globally: 137+ countries now have data protection laws. Rather than a unified global standard, organizations face a patchwork of overlapping, sometimes contradictory requirements. GDPR has become the de facto global benchmark, and many laws are modeled on its core principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
| Regulation | Jurisdiction | Enacted | Max Penalty | Key Requirements |
|---|---|---|---|---|
| GDPR | EU / EEA | May 2018 | €20M or 4% global revenue | Lawful basis, data subject rights, 72h breach notification, DPO, DPIA |
| CCPA/CPRA | California, USA | Jan 2020 / Jan 2023 | $7,500 per intentional violation | Right to know, delete, opt-out of sale, sensitive PI protections |
| HIPAA | USA (healthcare) | 1996 / ongoing updates | Up to $2M per violation category/year | PHI safeguards, BAA, breach notification, minimum necessary |
| LGPD | Brazil | Sep 2020 | 2% Brazil revenue, max R$50M | Closely mirrors GDPR; 10 lawful bases; data subject rights |
| PIPL | China | Nov 2021 | ¥50M or 5% China revenue | Consent requirements; cross-border transfer restrictions; localization |
| PDPA | Thailand | Jun 2022 | THB 5M criminal fine | Consent-based; DPO requirement; breach notification within 72h |
| Australia Privacy Act | Australia | 1988 / 2023 amendments | AUD 50M | Australian Privacy Principles; proposed right to erasure (pending) |
Privacy by Design
Ann Cavoukian's Privacy by Design framework (embedded in GDPR Article 25) requires that privacy protections be built into systems and processes from the outset, not bolted on. The seven foundational principles: proactive not reactive; privacy as the default; embedded into design; full functionality (positive-sum); end-to-end security; visibility and transparency; respect for user privacy.
Lawful Basis for Processing
Every processing activity must have one of six lawful bases under Article 6. Consent is only one option, and often not the most appropriate one.
- Consent: freely given, specific, informed, unambiguous; can be withdrawn; not suitable for employment contexts
- Contract: processing necessary to perform a contract with the data subject
- Legal obligation: processing required by EU or member state law
- Vital interests: to protect someone's life; a narrow, last-resort basis
- Public task: public authorities carrying out official functions
- Legitimate interests: must pass a balancing test; the most flexible but most scrutinized basis
Data Subject Rights
GDPR grants individuals eight rights over their personal data, six of which are listed below. Organizations must have processes to fulfill these requests within one month.
- Right of access (Art. 15): copy of the data and information about the processing
- Right to erasure (Art. 17): the "right to be forgotten"; six grounds, including withdrawal of consent
- Right to portability (Art. 20): receive data in a machine-readable format; transmit it to another controller
- Right to object (Art. 21): object to processing based on legitimate interests or to direct marketing
- Right to restriction (Art. 18): pause processing in certain circumstances
- Right to rectification (Art. 16): correct inaccurate personal data
GDPR Enforcement & Fines
DPAs (Data Protection Authorities) across the EU have levied record fines, establishing that GDPR enforcement is real and severe.
- Meta: €1.2 billion (2023), Irish DPC; unlawful transfers of EU user data to the US via SCCs
- Amazon: €746 million (2021), Luxembourg CNPD; cookie consent violations
- Google Ireland: €90 million (2022), French CNIL; users could not refuse cookies as easily as accepting them
- 72-hour breach notification: to the supervisory authority, counted from awareness of the breach; to data subjects without undue delay if the breach poses a high risk
DPIA (Data Protection Impact Assessment)
Required under GDPR Article 35 when processing is "likely to result in a high risk" to individuals, particularly for systematic profiling, processing special categories of data at scale, or systematic monitoring of public areas. The DPIA must describe the processing, assess necessity and proportionality, identify and assess risks, and identify measures to address those risks. Consult your DPA if residual risk remains high after mitigation.
California Privacy Rights Act (CPRA)
The CPRA (effective Jan 2023) upgraded and expanded CCPA, creating a more GDPR-aligned framework for California residents.
- Applies to businesses above thresholds: $25M revenue, OR 100K+ consumers' data, OR 50%+ of revenue from selling PI
- Opt-out of sale and sharing: includes cross-context behavioral advertising (not just literal sale)
- Sensitive PI categories: SSN, financial, health, biometric, geolocation, sexual orientation; additional opt-out rights
- Right to correct: new right added by CPRA, not in the original CCPA
- GPC signal (Global Privacy Control): browsers that send the GPC header must be treated as having opted out of sale
- California Privacy Protection Agency (CPPA): dedicated enforcement agency created by CPRA
US State Privacy Laws
In the absence of federal privacy legislation, a growing number of US states have enacted comprehensive privacy laws, all broadly modeled on GDPR/CCPA.
- Virginia VCDPA: effective Jan 2023; controller/processor model; no private right of action
- Colorado CPA: effective Jul 2023; opt-out of targeted advertising and profiling; universal opt-out mechanism required
- Connecticut CTDPA: effective Jul 2023; closely mirrors Virginia; dark pattern prohibition
- Texas TDPSA, Oregon OCPA, Montana MCDPA: 2024 additions; 20+ states now have enacted laws
- Key difference from GDPR: most US laws use an opt-out model (process by default, allow opt-out) versus GDPR's opt-in consent model
Federal Privacy Developments
The US Congress has repeatedly attempted and failed to pass a federal privacy law. The American Privacy Rights Act (APRA) is the most recent significant attempt.
- APRA would preempt most state laws (except Illinois BIPA and California for certain provisions)
- Would include a private right of action, the most controversial element
- Sector-specific federal laws remain in force regardless: HIPAA, GLBA, COPPA, FERPA, FCRA
- FTC continues to use Section 5 unfair/deceptive acts authority to enforce privacy commitments
PHI & Covered Entities
HIPAA protects Protected Health Information (PHI): any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate.
- PHI includes: 18 identifiers including name, address, dates, SSN, device IDs, photos, IP addresses when associated with health data
- Covered entities: health plans, healthcare clearinghouses, healthcare providers who transmit PHI electronically
- Business associates: vendors who create, receive, maintain, or transmit PHI on behalf of covered entities
- BAA (Business Associate Agreement): contractual requirement before sharing PHI with a BA; cloud providers (AWS, Azure, GCP) will sign BAAs
HIPAA Rules
HIPAA is implemented through several rules, each addressing different aspects of PHI protection.
- Privacy Rule: governs use and disclosure of PHI; establishes patient rights; minimum necessary principle
- Security Rule: technical, administrative, and physical safeguards for electronic PHI (ePHI); risk analysis required
- Breach Notification Rule: notify affected individuals within 60 days; notify HHS; notify the media if 500+ individuals in a state are affected
- Omnibus Rule (2013): extended HIPAA to BAs directly; increased penalties; changed the breach definition
HIPAA Penalties
OCR (Office for Civil Rights) at HHS enforces HIPAA. Penalties are tiered based on culpability.
- Tier 1: $100 to $50K per violation; did not know and could not have known
- Tier 2: $1K to $50K per violation; reasonable cause, not willful neglect
- Tier 3: $10K to $50K per violation; willful neglect, corrected
- Tier 4: $50K per violation, up to $2M per year; willful neglect, not corrected
- Largest fine: Advocate Health, $5.55M (2016) for laptop theft affecting 4M patients
Privacy Impact Assessment & Data Mapping
The foundation of any privacy program is knowing what personal data you collect, where it goes, who can access it, and why you have it.
- Record of Processing Activities (RoPA): GDPR Article 30 requirement; inventory of all processing activities
- Data flow mapping: trace PI from collection through processing, storage, sharing, and deletion
- Privacy impact assessments: evaluate the privacy risks of new projects before launch (Privacy by Design)
- Vendor inventory with a data sharing inventory: know which vendors receive PI and under what legal basis
Consent Management
Consent Management Platforms (CMPs) help organizations capture, record, and honor user privacy preferences, as required for GDPR cookie consent and opt-out mechanisms.
- CMPs: OneTrust, TrustArc, Cookiebot, Usercentrics
- IAB TCF (Transparency and Consent Framework): ad tech standard for consent signals
- Consent must be specific, granular, and as easy to withdraw as to give
- Consent records must be retained as evidence; capture timestamp, version, and mechanism
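Worked example, added here and not taken from the page or from any CMP vendor: an append-only consent ledger that captures timestamp, notice version and mechanism for each decision, treats a `Sec-GPC: 1` request header as an opt-out of sale/sharing as the CPRA section above requires, and makes the GDPR opt-in versus US opt-out default explicit. Class, function and purpose names are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class ConsentEvent:
    # Evidence record: what was decided, when, under which notice version, via which mechanism
    user_id: str
    purpose: str          # e.g. "sale_or_sharing", "analytics"
    granted: bool
    timestamp: datetime
    notice_version: str   # version of the privacy notice / banner text that was shown
    mechanism: str        # "banner", "preference_center", "gpc_header", ...

class ConsentLedger:
    """Append-only: a withdrawal is a new event, never an edit of the earlier one."""
    def __init__(self):
        self.events: List[ConsentEvent] = []

    def record(self, user_id, purpose, granted, notice_version, mechanism):
        ev = ConsentEvent(user_id, purpose, granted, datetime.now(timezone.utc), notice_version, mechanism)
        self.events.append(ev)
        return ev

    def latest(self, user_id, purpose) -> Optional[ConsentEvent]:
        # The most recently appended decision for this user and purpose is the effective one
        for ev in reversed(self.events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev
        return None

def may_sell_or_share(headers: dict, ledger: ConsentLedger, user_id: str, regime: str) -> bool:
    """regime: "opt_out" (CPRA and most US state laws: allowed until the user objects)
    or "opt_in" (GDPR: not allowed until the user consents)."""
    lower = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    # CPRA: a Sec-GPC: 1 header is a valid opt-out of sale/sharing and overrides any earlier
    # banner choice; log it once so the opt-out is evidenced like any other decision.
    if lower.get("sec-gpc", "").strip() == "1":
        last = ledger.latest(user_id, "sale_or_sharing")
        if last is None or last.granted:
            ledger.record(user_id, "sale_or_sharing", False, "n/a", "gpc_header")
        return False
    last = ledger.latest(user_id, "sale_or_sharing")
    if last is not None:
        return last.granted
    return regime == "opt_out"
```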
Privacy Engineering Techniques
Technical controls that reduce privacy risk by limiting exposure of personal data.
- Data minimization: collect only what you need for the stated purpose; purge it when the purpose ends
- Pseudonymization: replace identifiers with pseudonyms; data remains useful; re-identification requires additional information
- Anonymization: irreversible removal of identifiers; no longer PI under GDPR if truly anonymous (k-anonymity, l-diversity)
- Differential privacy: add calibrated noise to analytics outputs so that individual records cannot be inferred
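As an added illustration (not code from the page), the following Python measures k-anonymity and l-diversity over a constructed patient table, shows how generalizing a quasi-identifier raises both, pseudonymizes identifiers with a keyed HMAC so that re-identification needs the separately held key, and answers a count query under the Laplace mechanism of differential privacy. The sample records and field names are constructed.

```python
import hmac
import hashlib
import random

# Constructed sample: two quasi-identifiers (zip, age_band) and one sensitive attribute.
RECORDS = [
    {"patient_id": "P001", "zip": "02139", "age_band": "30-39", "diagnosis": "flu"},
    {"patient_id": "P002", "zip": "02139", "age_band": "30-39", "diagnosis": "flu"},
    {"patient_id": "P003", "zip": "02139", "age_band": "30-39", "diagnosis": "asthma"},
    {"patient_id": "P004", "zip": "02142", "age_band": "30-39", "diagnosis": "flu"},
    {"patient_id": "P005", "zip": "02142", "age_band": "30-39", "diagnosis": "flu"},
]
QUASI_IDS = ("zip", "age_band")

def pseudonymize(record, key: bytes):
    # Keyed HMAC gives a stable pseudonym; reversing it needs the key, which is held apart from
    # the data. An unkeyed hash of a low-entropy ID could simply be brute-forced.
    tag = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
    return {**record, "patient_id": tag}

def equivalence_classes(records, quasi_ids=QUASI_IDS):
    # Group records that are indistinguishable on the quasi-identifiers
    classes = {}
    for r in records:
        classes.setdefault(tuple(r[q] for q in quasi_ids), []).append(r)
    return classes

def k_anonymity(records):
    # k = size of the smallest equivalence class: each record hides among at least k-1 others
    return min(len(c) for c in equivalence_classes(records).values())

def l_diversity(records, sensitive="diagnosis"):
    # l = fewest distinct sensitive values in any class; l == 1 means a class leaks its diagnosis
    return min(len({r[sensitive] for r in c}) for c in equivalence_classes(records).values())

def generalize_zip(records, keep=3):
    # Coarsen zip codes (02139 -> 021**) so more records fall into each class
    return [{**r, "zip": r["zip"][:keep] + "*" * (len(r["zip"]) - keep)} for r in records]

def dp_count(records, predicate, epsilon, rng=None):
    # Laplace mechanism for a counting query: sensitivity 1, so noise scale b = 1/epsilon.
    # Laplace(0, b) noise is the difference of two independent Exp(rate=1/b) draws.
    rng = rng or random.SystemRandom()
    true_count = sum(1 for r in records if predicate(r))
    return true_count + rng.expovariate(epsilon) - rng.expovariate(epsilon)
```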
Privacy Compliance Is a Continuous Program
Privacy compliance is not a one-time checklist exercise. Laws change (new state laws, GDPR amendments, NIST Privacy Framework updates), business processes evolve (new data flows, new vendors, new products), and enforcement guidance shifts based on DPA decisions. Build a program with annual reviews, a privacy-by-design gate in your SDLC, regular vendor reassessments, and a designated privacy owner (DPO where required, or CPO/Privacy Counsel otherwise).