Data Privacy
What is data privacy?
Data privacy refers to the right of individuals to control how their personal information is collected, used, stored, and shared. It encompasses both the legal frameworks that regulate how organizations handle personal data and the principles that guide responsible data stewardship, including transparency, purpose limitation, and data minimization.
Why is data privacy important?
For individuals, data privacy protects against identity theft, discrimination, unwanted surveillance, and the misuse of personal information. For businesses, it is both a legal obligation and a competitive concern. Regulatory enforcement is accelerating: in early 2025 alone, CalPrivacy fined Honda $632,500 for CCPA violations and took enforcement action against Todd Snyder for excessive verification on opt-out requests. Consumers are also exercising their rights at increasing rates. DataGrail's 2025 Privacy Trends Report found that Do Not Sell requests rose 37% year over year and data deletion requests climbed 82%.
What types of data are considered personal or sensitive?
These definitions vary by jurisdiction:
Under the GDPR, personal data means any information relating to an identified or identifiable natural person. Special categories of data (Article 9) include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
Under the CCPA as amended by the CPRA, personal information is broadly defined as information that identifies, relates to, or could reasonably be linked with a consumer or household. Sensitive personal information (SPI) includes social security numbers, financial account details, precise geolocation, racial or ethnic origin, the contents of mail or text messages, genetic data, biometric data, health information, and data concerning sex life or sexual orientation.
The distinction matters because sensitive/special category data triggers additional protections, stricter consent requirements, and higher penalties for violations.
How does data privacy differ from data security?
Data privacy governs the rights individuals have over their personal information and the rules organizations must follow when collecting, using, and sharing that data. Data security refers to the technical and organizational measures used to protect data from unauthorized access, breaches, or loss, including encryption, access controls, and incident response.
The two are related but distinct. An organization can have strong security (encrypted databases, firewalls, access controls) while still violating privacy laws by, for example, collecting data without a lawful basis or failing to honor opt-out requests. Conversely, a privacy-compliant organization that neglects security may still suffer a breach that exposes the data it was handling properly. Effective data management requires both.
What laws govern data privacy?
Major frameworks include:
- The General Data Protection Regulation (GDPR) in the EU and EEA, which regulates any organization that processes the personal data of individuals in those regions regardless of where the organization is based.
- The California Consumer Privacy Act (CCPA), as amended by the CPRA, which applies to for-profit businesses meeting certain thresholds and grants California residents rights to access, delete, correct, and opt out of the sale or sharing of their personal data.
- Over 1/3 of U.S. states have now enacted comprehensive privacy laws, including Colorado, Connecticut, Virginia, Texas, Oregon, and Montana, among others. Most follow a similar structure of consumer rights and business obligations, though specifics vary.
- Sector-specific U.S. regulations include HIPAA (health data), COPPA (children's data), and GLBA (financial data).
- Internationally, Brazil's LGPD, Canada's PIPEDA (currently being replaced by proposed legislation), South Korea's PIPA, and others regulate data privacy in their respective jurisdictions.
What are common data privacy practices for businesses?
Core practices include:
- Transparency: clearly disclose what data is collected, why, and with whom it is shared, through privacy policies and notices at the point of collection.
- Consent and lawful basis: obtain valid consent where required (such as for cookies under the ePrivacy Directive, or for processing special category data under the GDPR) and identify an appropriate lawful basis for all processing.
- Consumer rights fulfillment: provide mechanisms for individuals to access, correct, delete, and port their data, and to opt out of the sale or sharing of personal information.
- Data minimization: collect only the data necessary for a stated purpose and retain it only as long as needed.
- Vendor management: establish written contracts with service providers and third parties that include data handling obligations, as required by both the GDPR (Article 28) and the CPRA.
- Privacy by design: integrate privacy considerations into the development of products, systems, and processes from the outset, rather than retrofitting compliance after launch. The GDPR codifies this in Article 25.
What rights do individuals have under data privacy laws?
Rights vary by jurisdiction, but the most common include:
- The right to know/access what personal data an organization holds about you and how it is used.
- The right to delete (or "right to be forgotten" under the GDPR) personal data, subject to certain exceptions.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal data (CCPA/CPRA) or to object to processing based on legitimate interest (GDPR).
- The right to data portability, allowing individuals to receive their data in a structured, machine-readable format.
- The right to limit the use and disclosure of sensitive personal information (CPRA).
- The right to non-discrimination for exercising privacy rights.
- The right to restrict processing and the right not to be subject to decisions based solely on automated processing, including profiling.
What is the future of data privacy?
The trajectory is toward more regulation, more enforcement, and more consumer awareness. Over 20 U.S. states have enacted privacy laws since 2018, and CalPrivacy's September 2025 regulation updates introduce new requirements around automated decision-making technology, risk assessments, and cybersecurity audits. At the federal level, the U.S. still lacks a comprehensive privacy law, though sector-specific rules continue to expand.
Enforcement is also becoming more granular. Regulators are no longer focused only on large-scale breaches. CalPrivacy’s enforcement actions in 2025 targeted specific UX failures (asymmetric consent banners, broken opt-out mechanisms) and operational gaps (missing vendor contracts, excessive verification). This signals that compliance is moving from "having a privacy policy" to "demonstrating that your systems actually do what the policy says."
For businesses, the practical implication is that privacy needs to be operational, not just aspirational. That means automated data discovery, real-time consent management, and documented governance processes that can withstand regulatory scrutiny.
Resources
- GDPR Full Text
- CA AG – CCPA
- CalPrivacy FAQ
- IAPP U.S. State Privacy Legislation Tracker
- DataGrail Platform