Privacy Laws & Compliance
For most of computing history, "what data we keep and why" was a legal-team problem you could ignore as an engineer. That era is over. In 2018 the European Union's GDPR created one strict privacy law; by 2025 there were roughly 157 active data-protection regulations worldwide (up from 128 in 2022). This wave changes how you do your job directly: it dictates how you design database schemas, what you're allowed to write into logs, whether you must build a "delete my account" pipeline, and even which country your servers can live in. This section is deliberately practical. The goal is to teach you what you must build, not to turn you into a lawyer.
First, two words you'll use constantly. PII means "personally identifiable information" — any data that points to a specific human (name, email, IP address, device ID, location, purchase history). Personal data is the broader term GDPR uses for the same idea. Privacy law is fundamentally about how you treat PII.
11.1 Privacy vs. Security — they overlap but are not the same
Engineers often conflate these. They are different questions.
- Security: protecting data from unauthorized access. Measured by the CIA triad: Confidentiality (only allowed people see it), Integrity (it isn't tampered with), Availability (it's there when needed).
- Privacy: whether you should have or use the data at all, and respecting people's rights over their own data — collecting only what's justified, using it only for stated reasons, deleting it when asked.
11.2 GDPR — the template everyone copies
The General Data Protection Regulation (EU/EEA, in force since 25 May 2018) is the model the rest of the world imitates — the so-called "Brussels Effect." Learn its core concepts and most other laws will feel familiar.
Controller vs. Processor
A controller decides why and how personal data is processed — usually the company collecting it. The controller carries most of the legal responsibility. A processor only acts on the controller's instructions — your cloud host, your email-sending vendor, your analytics tool.
Lawful basis (Art. 6)
You cannot collect data "just because." For every processing activity you need exactly one of six justifications: consent, contract (needed to deliver the service), legal obligation, vital interests, public task, or legitimate interests.
Data subject rights and the DSAR
A DSAR (Data Subject Access Request) is when a person asks you to act on their rights: tell them what you hold (access), fix it (rectification), delete it (the "right to be forgotten," Art. 17), export it in a portable format (portability), or stop processing it. You must respond, for free, within about one month.
72-hour breach notice (Art. 33/34)
When a controller becomes "aware" of a breach likely to risk people's rights, it must notify the supervisory authority within 72 hours, and notify affected individuals too if the risk is high. A processor must tell its controller "without undue delay." 72 hours is brutal — you can only hit it if detection, logging, on-call, and a rehearsed incident runbook already exist before the breach.
DPIA, data minimization, and privacy by design
A DPIA (Data Protection Impact Assessment, Art. 35) is a documented risk assessment required before high-risk processing (large-scale sensitive data, systematic monitoring, profiling, new tech). It's privacy's version of a design review. Data minimization and privacy by design (Art. 25) mean: collect only what you need, keep it only as long as needed, and make privacy the default — don't bolt it on later.
Fines and real cases
GDPR fines reach up to €20M or 4% of global annual revenue, whichever is higher. Total fines now exceed €7.1B since 2018. Memorable ones:
- Meta — €1.2B (2023): illegal EU→US data transfers (the record fine).
- TikTok — €530M (May 2025): transferring EEA user data to China without adequate safeguards; plus €345M earlier for children's data.
- LinkedIn — €310M (2024): behavioral-advertising processing without a valid lawful basis.
- Uber — €290M (2024): transferring driver data to the US without safeguards.
- Meta — €251M (Dec 2024): the 2018 "View As" breach exposing ~29M accounts.
The pattern to remember: the biggest fines are about (a) cross-border transfers and (b) ad-tech/profiling without a lawful basis.
11.3 The US — a patchwork, not one law
The US has no single federal privacy law. As of 2025–26, about 20 states have comprehensive consumer-privacy laws, all sharing a baseline: privacy notice, opt-out of "sale or sharing," extra rules for sensitive data, and access/delete rights.
California leads. The CCPA (2020), amended by the CPRA (fully effective 2023), gives rights to know, delete, correct, opt out of "sale or sharing," and limit use of sensitive personal info. It's enforced by a dedicated agency, the CPPA, as well as the state Attorney General. 2025 enforcement sharpened:
- Honda — $632,500 (Mar 2025): made opt-out too hard, used asymmetric cookie-banner choices, weak vendor contracts.
- Healthline — $1.55M (Jul 2025): largest CCPA settlement — leaked article titles revealing readers' health conditions to ad partners, plus non-compliant vendor contracts.
- Tractor Supply — $1.35M (Oct 2025): largest CPPA administrative fine to date.
The lessons: regulators target dark patterns (deceptive UI that nudges you away from privacy choices), broken "Do Not Sell" links, ignoring the Global Privacy Control (an automatic browser opt-out signal), and missing data-processing terms in vendor contracts. California also finalized ADMT (Automated Decision-Making Technology) and risk-assessment rules in 2025, effective 1 Jan 2026 — an early sign the US is converging toward AI-governance and DPIA-style duties.
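The "consent plumbing" the regulators are fining for has a small, testable core: granular per-purpose grants, withdrawal as easy as granting, and the Global Privacy Control treated as a real opt-out. The following is an added example, not code from this chapter or from any regulator; the purpose names, the request shape, and the `honour_gpc` persistence step are assumptions about a hypothetical app. The one thing it relies on that is real is the GPC mechanism itself, which browsers send as the request header `Sec-GPC: 1`.

```python
"""Added example, not from the chapter: a consent ledger with granular,
withdrawable grants and a decision function that honours the Global Privacy
Control (GPC) opt-out signal. Purpose names, the request shape and the
persistence step are assumptions about a hypothetical app."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Granular purposes: a single "accept all" flag is not valid consent.
PURPOSES = ("necessary", "analytics", "sale_or_sharing")


@dataclass
class ConsentLedger:
    """Append-only consent events; the most recent event per purpose wins."""
    events: list = field(default_factory=list)  # (user, purpose, granted, when)

    def record(self, user: str, purpose: str, granted: bool, when: datetime) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.events.append((user, purpose, granted, when))

    def current(self, user: str, purpose: str) -> bool:
        """Strictly-necessary processing needs no consent; anything else is
        opt-in, so 'no record' means 'no consent'."""
        if purpose == "necessary":
            return True
        state = False
        for u, p, granted, _ in self.events:
            if u == user and p == purpose:
                state = granted          # later events override earlier ones
        return state


def gpc_signalled(headers: dict) -> bool:
    """GPC arrives from the browser as the request header 'Sec-GPC: 1'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def honour_gpc(ledger: ConsentLedger, user: str, headers: dict, when: datetime) -> bool:
    """Treat a GPC signal as a valid opt-out request and persist it, so the
    opt-out holds on later requests even if the header is absent."""
    if gpc_signalled(headers):
        ledger.record(user, "sale_or_sharing", False, when)
        return True
    return False


def may_process(ledger: ConsentLedger, user: str, purpose: str, headers: dict) -> bool:
    """Runtime decision: stored consent, with GPC overriding sale/sharing."""
    if purpose == "sale_or_sharing" and gpc_signalled(headers):
        return False
    return ledger.current(user, purpose)


def demo() -> dict:
    """Walk one user through grant, GPC signal and withdrawal (constructed data)."""
    t = datetime(2026, 1, 15, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("u1", "analytics", True, t)
    ledger.record("u1", "sale_or_sharing", True, t)
    plain = {"User-Agent": "demo"}
    with_gpc = {"User-Agent": "demo", "Sec-GPC": "1"}
    out = {
        "analytics": may_process(ledger, "u1", "analytics", plain),
        "sale_before_gpc": may_process(ledger, "u1", "sale_or_sharing", plain),
        "sale_with_gpc_header": may_process(ledger, "u1", "sale_or_sharing", with_gpc),
        "stranger_analytics": may_process(ledger, "u9", "analytics", plain),
    }
    honour_gpc(ledger, "u1", with_gpc, t)            # persist the opt-out
    out["sale_after_gpc_persisted"] = may_process(ledger, "u1", "sale_or_sharing", plain)
    ledger.record("u1", "analytics", False, t)       # withdrawal is one event
    out["analytics_withdrawn"] = may_process(ledger, "u1", "analytics", plain)
    return out
```

The design choice worth noting is that the ledger is append-only: an audit trail of who consented to what and when is exactly what a regulator asks for after a complaint, and a withdrawal is just one more event rather than a destructive update.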
11.4 Sector-specific and special-category laws
| Law | Covers | What an engineer must know (2025–26) |
|---|---|---|
| HIPAA (US) | Health info (PHI) | Biggest Security Rule overhaul since 2013 proposed Jan 2025: would make all safeguards mandatory (no more "addressable" loophole), require encryption of ePHI at rest and in transit, MFA, annual pen testing, biannual vulnerability scans, network segmentation, 72-hour system restoration. Applies to vendors ("business associates"), not just hospitals. Final rule still pending in early 2026 — treat as imminent and tightening. |
| PCI DSS | Payment-card data | An industry standard, not a law, but mandatory if you touch cards. Current version v4.0.1 (fully in effect since 31 Mar 2025). New web rules: 6.4.3 (inventory and integrity-check every script on payment pages — anti-skimming) and 11.6.1 (detect tampering on payment pages). Core rule unchanged: never store the CVV; encrypt the PAN (card number). |
| COPPA (US) | Children under 13 | FTC finalized major amendments Jan 2025 (effective 23 Jun 2025, full compliance 22 Apr 2026): "personal information" now includes biometrics (face/voice/fingerprint templates); separate opt-in parental consent required for third-party/ad disclosures; new retention limits. |
11.5 The GDPR-likes spreading globally
Because of the Brussels Effect, GDPR-shaped laws are now everywhere. If you have users abroad, assume a privacy law applies to you.
- Brazil — LGPD: very GDPR-like; the EU published a draft "adequacy" decision for Brazil in Sep 2025.
- China — PIPL (since Nov 2021): GDPR-like consent plus strict data-localization and tight export rules; no adequacy-style import path, so getting data out of China is genuinely hard.
- UK — UK GDPR: post-Brexit clone; EU–UK adequacy renewed Dec 2025, valid to 2031.
- India — DPDP Act 2023: the DPDP Rules were notified 13 Nov 2025, creating the Data Protection Board of India. Phased rollout — procedural rules live now, consent-manager and breach powers ~Nov 2026, full obligations ~May 2027. Penalties up to ₹250 crore (~$30M).
- Canada — PIPEDA, and dozens more worldwide.
11.6 Cross-border transfers — a genuinely hard engineering topic
GDPR restricts sending personal data outside the EEA unless the destination offers "adequate" protection. There are three legal paths:
- Adequacy decisions — the EU declares a whole country (or scheme) safe, e.g. the UK, or US firms certified under the Data Privacy Framework.
- SCCs (Standard Contractual Clauses) — EU-approved contract templates between the data exporter and importer. The most common tool.
- BCRs (Binding Corporate Rules) — internal rules approved for transfers within one corporate group.
The EU–US Data Privacy Framework (DPF, adopted 2023) is today's bridge for US transfers — but it's under live legal threat. Privacy activist Max Schrems is pushing a "Schrems III" challenge that could reach the EU's top court and strike it down, just as its predecessors Safe Harbor and Privacy Shield were struck down. Treat transatlantic transfers as perpetually fragile.
- Data residency: data is stored/processed in a given region, but transfers are allowed with safeguards.
- Data localization: stricter — data may never leave the country, including backups and even support access.
```text
EU user data leaving the EEA -- pick a legal path:

+-----------+---- Adequacy? --> country on EU "safe" list     --> OK
|  EU/EEA   |
| personal  |---- SCCs?     --> signed EU contract templates  --> OK
|   data    |
+-----------+---- BCRs?     --> approved intra-group rules    --> OK
      |
      +---- none of these  --> transfer is ILLEGAL
                               (this is what fined Meta €1.2B)
```
11.7 The EU AI Act — the next wave
The EU AI Act (in force since 1 Aug 2024) is the first big risk-tiered AI law. It sorts AI systems into four tiers:
| Tier | Examples | Obligations |
|---|---|---|
| Unacceptable (banned) | Social scoring, manipulative AI, most real-time public biometric ID | Prohibited; ban effective 2 Feb 2025 |
| High-risk | Recruitment, credit scoring, education, law enforcement | Risk management, data governance, human oversight, logging, conformity assessment |
| Limited-risk | Chatbots, deepfakes/AI-generated content | Transparency — tell users it's a bot, label AI-generated content |
| Minimal | Most other AI | None |
Timeline (note recent changes): rules for general-purpose AI (foundation models) have applied since 2 Aug 2025. A 2026 "Digital Omnibus" simplification package (provisional agreement ~May 2026) deferred the main high-risk deadlines — Annex III high-risk systems now due ~2 Dec 2027, Annex I products ~2 Aug 2028, and Article 50 transparency rules ~2 Dec 2026. Fines reach €35M or 7% of global turnover — even higher than GDPR. The takeaway: AI governance is becoming a formal compliance discipline (model documentation, dataset governance, "fundamental rights impact assessments"), and the US (California's ADMT) is heading the same way.
11.8 What engineers must actually do — the practical checklist
This is the heart of the section. Compliance becomes concrete engineering work:
- Data map / RoPA (Records of Processing Activities, Art. 30): document what PII you collect, why, where it lives, who you share it with, and how long you keep it. You can't comply with anything without this.
- DSAR machinery: a reliable way to find, export, and delete one person's data everywhere — including backups, caches, logs, analytics, and third-party processors.
- Minimization + retention: don't collect or keep what you don't need; automate deletion on a schedule.
- Consent plumbing: real, granular, withdrawable consent capture; honor opt-out signals like the Global Privacy Control.
- Security controls the laws now mandate: encryption at rest and in transit, access controls, MFA.
- DPIAs / risk assessments before high-risk or AI features.
- Breach response: detection, logging, on-call, and a rehearsed 72-hour runbook naming who notifies whom.
- Vendor management: a signed DPA/SCC with every processor — missing terms fueled the Honda and Healthline fines.
- Region/residency-aware architecture: region-pinned databases and care that logs/analytics don't ship PII abroad.
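The first three items of the checklist (data map, DSAR machinery, minimization and retention) and the last one (residency-aware architecture) are one piece of engineering: a registry of every store that holds PII, used to drive export, erasure, re-purging after a backup restore, scheduled retention, and a residency check. The following is an added example, not code from this chapter; the stores, regions, lawful-basis labels and records are constructed in-memory stand-ins for real databases, caches and vendor APIs.

```python
"""Added example, not from the chapter: a tiny data map (RoPA-style) that drives
DSAR export and erasure across every store, re-purges after a backup restore,
runs scheduled retention, and flags stores outside the expected region. The
stores, regions, purposes and records are constructed in-memory stand-ins for
real databases, caches and vendor APIs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Store:
    """One row of the data map: where PII lives, why, how long, and in which region."""
    name: str                      # e.g. "orders_db", "analytics", "mail_vendor"
    lawful_basis: str              # Art. 6 justification for this store's processing
    retention: timedelta           # maximum age after last use
    region: str                    # where the store physically runs
    records: dict = field(default_factory=dict)   # user_id -> {"data": ..., "last_used": ...}


class DataMap:
    def __init__(self) -> None:
        self.stores: list = []
        self.deletion_log: list = []   # (user_id, store_name, when) tombstones

    def register(self, store: Store) -> None:
        self.stores.append(store)

    def export(self, user_id: str) -> dict:
        """Access / portability: everything held about one person, per store."""
        return {s.name: s.records[user_id]["data"] for s in self.stores if user_id in s.records}

    def erase(self, user_id: str, now: datetime) -> list:
        """Right to be forgotten: delete from every store and write a tombstone
        so a later backup restore cannot silently resurrect the data."""
        touched = []
        for s in self.stores:
            if s.records.pop(user_id, None) is not None:
                touched.append(s.name)
                self.deletion_log.append((user_id, s.name, now))
        return touched

    def reapply_tombstones(self) -> list:
        """Run after restoring a backup: re-delete whatever the log says is gone."""
        repurged = []
        for user_id, store_name, _ in self.deletion_log:
            for s in self.stores:
                if s.name == store_name and s.records.pop(user_id, None) is not None:
                    repurged.append(f"{store_name}:{user_id}")
        return repurged

    def retention_sweep(self, now: datetime) -> list:
        """Scheduled minimization: drop records older than the store's retention."""
        expired = []
        for s in self.stores:
            for user_id, rec in list(s.records.items()):
                if now - rec["last_used"] > s.retention:
                    del s.records[user_id]
                    expired.append(f"{s.name}:{user_id}")
        return expired

    def stores_outside(self, region: str) -> list:
        """Residency check: stores holding PII outside the expected region."""
        return [s.name for s in self.stores if s.region != region and s.records]


def build_sample_map() -> DataMap:
    """Constructed sample: two users spread over three stores in two regions."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    orders = Store("orders_db", "contract", timedelta(days=7 * 365), "eu-west")
    analytics = Store("analytics", "legitimate_interests", timedelta(days=90), "eu-west")
    mail = Store("mail_vendor", "consent", timedelta(days=30), "us-east")
    orders.records["u1"] = {"data": {"email": "a@example.com", "orders": 3}, "last_used": t0}
    analytics.records["u1"] = {"data": {"ip": "203.0.113.7"}, "last_used": t0 - timedelta(days=200)}
    mail.records["u1"] = {"data": {"email": "a@example.com"}, "last_used": t0}
    orders.records["u2"] = {"data": {"email": "b@example.com", "orders": 1}, "last_used": t0}
    dm = DataMap()
    for s in (orders, analytics, mail):
        dm.register(s)
    return dm


def demo() -> dict:
    """Walk one DSAR through the map and return the observable results."""
    dm = build_sample_map()
    now = datetime(2026, 1, 2, tzinfo=timezone.utc)
    out = {"export_stores": sorted(dm.export("u1")),
           "outside_eu": dm.stores_outside("eu-west"),
           "expired": dm.retention_sweep(now),      # analytics row is 201 days old
           "erased": sorted(dm.erase("u1", now))}
    out["after_erase"] = dm.export("u1")
    # A restored backup brings the order row back; the tombstone catches it.
    dm.stores[0].records["u1"] = {"data": {"email": "a@example.com"}, "last_used": now}
    out["repurged"] = dm.reapply_tombstones()
    out["u2_untouched"] = sorted(dm.export("u2"))
    return out
```

Two things the paragraph alone does not show: erasure has to be recorded somewhere that survives the erasure (the tombstone log), or the next backup restore undoes your compliance; and the residency check is only possible because every store carries its region in the map, which is the argument for keeping the RoPA as machine-readable data rather than a spreadsheet.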
11.9 Why this is a growing field (and the cost of getting it wrong)
The regulatory pile-up created a brand-new discipline: privacy engineering — engineers who build privacy in, rather than lawyers reviewing it after the fact. Membership of the IAPP (the field's professional body) has doubled to 120,000+. There are thousands of open "privacy engineer" roles, with senior US compensation around $300K+ (some AI-privacy roles $400K+). Relevant certifications: CIPP, CIPT, CIPM (IAPP) and CDPSE (ISACA).
Common mistakes
- Scattering PII into logs, caches, and analytics — which makes deletion impossible.
- Treating consent as the catch-all lawful basis when contract or legitimate interests fit better.
- Having no data map / RoPA, so you can't answer "where is this person's data?"
- Fake or hard-to-find "Do Not Sell" links and asymmetric cookie banners (dark patterns — actively fined).
- Forgetting backups when you delete a user's data.
- Missing DPA/SCC terms with vendors.
- Assuming "we're US-only, GDPR doesn't apply" — it does if you serve EU residents.
- Storing CVV or unencrypted card numbers.
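The first mistake on the list, PII scattered into logs, is cheapest to prevent at the point where a log record is created. The following is an added example, not code from this chapter: a `logging.Filter` that rewrites e-mail addresses and IPv4 addresses to placeholders and replaces a hypothetical `user_id=` field with a keyed pseudonym, so the same user still correlates across lines for debugging without the log holding an identifier. The log lines, the `user_id=` field name and the salt are constructed assumptions.

```python
"""Added example, not from the chapter: a logging.Filter that redacts e-mail
addresses, IPv4 addresses and a hypothetical 'user_id=' field before any
handler writes the record, so PII never reaches log storage or analytics."""
import hashlib
import logging
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_ID_RE = re.compile(r"\buser_id=([A-Za-z0-9-]+)")   # assumed field name in our logs

# Placeholder salt: in production this comes from a secret store and is rotated.
DEFAULT_SALT = "rotate-me"


def pseudonymize(value: str, salt: str) -> str:
    """Keyed hash: the same user maps to the same token, but the token alone
    does not identify anyone who lacks the salt."""
    return hashlib.sha256((salt + value).encode()).hexdigest()[:12]


def redact(text: str, salt: str = DEFAULT_SALT) -> str:
    """E-mails first (so the host part is not later mangled as an IP),
    then IPs, then user ids."""
    text = EMAIL_RE.sub("<email>", text)
    text = IPV4_RE.sub("<ip>", text)
    text = USER_ID_RE.sub(lambda m: "user_id=" + pseudonymize(m.group(1), salt), text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Rewrites the fully formatted message in place; returning True keeps the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()              # message is already formatted; nothing left to interpolate
        return True


# Constructed sample lines of the kind an app emits before anyone thinks about privacy.
SAMPLE_LINES = [
    "login ok user_id=u-1042 from 203.0.113.7",
    "password reset requested for alice@example.com",
    "checkout user_id=u-1042 total=42.00",
]


def demo(lines: list) -> list:
    """Push lines through a logger fitted with the filter and return what a
    handler would actually write."""
    captured: list = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    logger = logging.getLogger("pii-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(PIIRedactingFilter())      # logger-level filter runs before every handler
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    return captured


if __name__ == "__main__":
    for out in demo(SAMPLE_LINES):
        print(out)
```

Attaching the filter to the logger rather than to a handler matters: a handler-level filter only protects that one sink, while a logger-level filter rewrites the record before any handler, including ones a library adds later, can see it. Pseudonymizing with a rotating salt also puts a retention clock on the correlation itself, which is the point of the "minimization + retention" item above.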
Best practices
- Privacy by design and by default — bake it into schemas and defaults, don't bolt it on.
- Data minimization — collect and keep the least you can.
- Encryption everywhere (at rest and in transit) plus MFA and least-privilege access.
- Automate retention and deletion on a schedule.
- Maintain a living RoPA / data map.
- Rehearse breach response so 72 hours is achievable.
- Honor the Global Privacy Control and other opt-out signals.
- Run a DPIA before any risky or AI-driven feature.