Privacy Regulations

Photo by [AbsoluteVision](https://unsplash.com/@freegraphictoday?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText) on [Unsplash](https://unsplash.com/photos/bSlHKWxxXak)
Tags: Privacy GDPR CCPA CPRA 
Published: 2023-01-08

Avg. read time: 11 mins.


On November 3rd of 2022, I gave a 30-minute presentation on Privacy Regulations within the United States and around the world. In this post, I'm going to go over the slides I presented; they are also attached at the bottom of this page!

What is Privacy?

There is no one correct definition of privacy. In 1983, Parent described privacy as "[T]he control over personal information about oneself." [1] Others describe it as the value that provides us the ability to control the access others have to our data. [2][3][4] Finally, I'd like to include my own definition, the one I give when presenting to my local school district: the ability to have complete control over your information. When I say "complete control," what do I mean? I am referring to the "[r]ights of the data subject" and six of the seven guiding principles of the European Union General Data Protection Regulation (GDPR).

Privacy Regulations

United States Regulation

There are hundreds of privacy regulations around the world, all of which are handled differently. Within the United States, a majority of our regulations are designed around a sector or industry. Some examples include the Family Educational Rights and Privacy Act of 1974 (FERPA), geared towards the Department of Education, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which deals with the healthcare industry. More recently, many states such as California, Virginia, and Colorado have passed state-wide privacy regulations. The United States is also known to enact regulations that, although legally binding, could be considered “soft law”: laws that need to be enforced by the company or organization itself. In other words, these groups need to do their ‘due diligence,’ ensuring the regulations are being upheld. This way of enforcing regulations is very different from other countries, which will be discussed shortly.

Worldwide Regulation

In contrast, countries like Canada, the Philippines, Brazil, and New Zealand, and regions such as the European Union have regulations that span a much wider area and they have enacting agencies that ensure the regulations are being met. For instance, to enforce the GDPR, there are data protection authorities in each of the 27 member states, separate from the government, that enforce the regulation.

There are also international agreements between countries. In 2016, the EU–U.S. Privacy Shield was created and deemed to address the GDPR adequately. It was created to replace the former U.S.–EU Safe Harbor agreement, which allowed for the transfer of personal data from the European Union to the United States. Companies, classified as participants in the legal text, need to opt into the framework in order to transfer the data and need to abide by its principles. In 2017, the Swiss–U.S. Privacy Shield was created under similar agreement terms. Recently, in 2020, the EU Justice Court invalidated the European Commission’s adequacy determination for the Privacy Shield; in other words, the EU–U.S. Privacy Shield is no longer deemed to adequately comply with the GDPR. Although the Privacy Shield is no longer valid, companies still need to fulfill their obligations under the framework.

Maine Regulation

Locally, in Maine, we have been perceived to have two of the strictest privacy regulations in the United States. I’m going to apologize now for any legalese that may not make sense during this section. 😬

The title of the first bill is quite long: “Privacy of broadband Internet access service customer personal information.” [5] It states that Internet Service Providers (ISPs) may not “use, disclose, sell or permit access” [5:1] to customers’ personal information without the customer's consent. If a customer has given their consent, they have the right to revoke it at any time with no penalty, and ISPs cannot change their rates or deny/give discounts based on whether or not a customer gives consent. Make sure you read what you’re signing, Mainers!

The second bill is titled “Facial surveillance.” This bill is quite interesting; it is “An Act To Increase Privacy and Security by Regulating the Use of Facial Surveillance Systems by Departments, Public Employees and Public Officials.” [6] Within the text, it states that a public employee or official, including law enforcement, may not “obtain, retain, possess, access, [n]or use” any facial surveillance system (FSS). They may not enter into an agreement with a third party for said purposes, nor can they “[i]ssue a permit or enter into any other agreement that authorizes a [third] party” to facilitate stated purposes. There are some exceptions to this, such as “[u]sing evidence relating to an investigation of a specific crime that may have been generated from a facial surveillance system.” This specific exception is a bit confusing to me, but by reading the rest of the exceptions, I presume that this covers the incidental use of FSS-generated data.

General Data Protection Regulation

All quotes in this section reference footnote seven [7] unless otherwise cited.

Introduced in 2016, and effective in 2018, the European Union General Data Protection Regulation, also commonly referred to as the GDPR, is one of the strictest and most effective privacy regulations to date.

"Rights of the data subject"

Chapter three (3) of the GDPR is titled “Rights of the data subject” which describes in detail what rights consumers have over what and how their data is collected and processed. There are five (5) sections; I will briefly go over sections two (2) and three (3) which are titled “Information and access to personal data” and “Rectification and erasure,” respectively.

Article 15 is the “[r]ight of access by the data subject.” It allows users of a product to access their personal data that’s been collected as well as information such as the purposes of processing their data, what categories of information are being collected, and much more. This article closely relates to article 12, “[t]ransparent information, communication and modalities for the exercise of the rights of the data subject.”

Article 16, the “[r]ight to rectification,” is also commonly referred to as the right to correct. This article is quite short and to the point; it states that the user shall have the right to correct any information relating to themselves that is inaccurate.

Article 17, the “[r]ight to erasure,” also known as the right to delete and the right to be forgotten, states that the user can have their data deleted by the controller without undue delay as long as one of the following applies:

  1. The information gathered is no longer necessary for the purpose of processing.
  2. The user withdraws their consent for processing their data, and “where there is no other legal ground for the processing.”
  3. The user objects to the processing of their data.
  4. Their data has been unlawfully processed.
  5. The data needs to be deleted for a legal obligation by the EU or a Member State.
  6. The data subject is a child, under the age of 16, and has been collected by an online service.

There is much more to this article, but the main points have been addressed.

Article 18 is the “[r]ight to restriction of processing.” The user has the right to restrict a company from processing their data where the accuracy of the data is contested and pending verification, the processing is unlawful, the data is no longer needed by the company for the purposes of processing, or the user objects to the processing of their data and the company has no grounds to override the request. Essentially, the user can request to stop the processing of their data as long as there is a valid reason. This article relates closely to article 21, the “[r]ight to object.”

Article 20 is the “[r]ight to data portability.” Finally, this article allows the user to request at any time all of their data that has been collected and processed, in a machine-readable format. This is so that if the user wants to give their data to a different company, they can. This data must also be processed automatically; no human interaction on the company's side is permitted.

I cherry-picked these articles specifically because they encompass most of the foundational basis of the GDPR and because they are the most important articles concerning how an end user interacts with a company.

Privacy by Design

Article 25, “[d]ata protection by design and by default,” addresses “[p]rivacy by [d]esign,” a key issue identified by the GDPR. This is the act of implementing “appropriate technical and [organizational] measures” from recital 78 and “implement data-protection principles,” which will be discussed next.

This article is closely related to an emerging field called privacy engineering, which aims to provide methodology and tools to ensure that privacy is being protected. One book that discusses privacy engineering is “Information Privacy Engineering and Privacy by Design” by William Stallings, which introduces best practices from the early stages of the software development life cycle (defining privacy requirements) through managing privacy after implementation.

Guiding Principles

The GDPR has laid out seven guiding principles in article 5. These principles help set up how personal data should be protected throughout the rest of the regulation.

Lawfulness, fairness, and transparency. All data processed by the controller must be done lawfully, fairly, and done so in a transparent manner, meaning that the end user must be informed about all processing.

Purpose limitation. When collecting data, the organization must identify and limit the purposes of collecting and processing data and not collect data for unnecessary purposes, or process data for other reasons in the future.

Data minimization. Closely related to purpose limitation, data minimization can be considered as data collection limitation. An organization can only collect necessary data for the purposes previously identified.

Data accuracy. All data collected must be accurate and kept up-to-date. The organization must take whatever steps are necessary to ensure that data is accurate. This is why many companies such as Google ask if the information they have collected about you is accurate.

Storage limitation. Data collected cannot be stored longer than necessary for the purposes of processing, unless it is to be archived and used later in accordance with article 89, “Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Data integrity and confidentiality. All data collected by the processor must have security measures in place to protect against unauthorized usage of the user’s personal data.

Accountability. Finally, the organization collecting the data is responsible for complying with the previous six principles.
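Purpose limitation, data minimization and storage limitation are the three principles that translate most directly into code, so here is an added example (mine, not the post's or any regulator's) of a small purpose-bound data store that enforces them. Every field is tied to a declared purpose, a read must name the purpose it is for and only ever sees that purpose's fields, and each purpose carries a retention period after which its data is purged. The purpose names, field names and retention periods are constructed for illustration.

```python
"""Purpose-bound personal data store (added example, not from the post).

Enforces three Article 5 principles: purpose limitation (a read must name a
purpose the subject was informed of), data minimisation (a purpose only sees
the fields declared for it, and undeclared fields are dropped at collection)
and storage limitation (each purpose has a retention period; expired data is
purged). Purpose names, fields and periods below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class PurposeViolation(Exception):
    """Raised when data is used outside the purposes it was collected for."""


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset      # the only fields this purpose may see
    retention: timedelta   # how long data may be kept for this purpose


# Constructed purpose register: illustrative names and periods only.
PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment",
                                frozenset({"name", "shipping_address"}),
                                timedelta(days=90)),
    "newsletter": Purpose("newsletter", frozenset({"email"}),
                          timedelta(days=365)),
}


@dataclass
class Record:
    subject_id: str
    data: dict
    purposes: set          # purposes the subject was informed of
    collected_at: datetime


class PersonalDataStore:
    def __init__(self, purposes=PURPOSES):
        self._purposes = purposes
        self._records = {}

    def _needed_fields(self, purposes):
        return set().union(*(self._purposes[p].fields for p in purposes))

    def collect(self, subject_id, data, purposes, now):
        """Store only the fields some declared purpose needs (minimisation).
        Returns the field names that were dropped, for the audit log."""
        unknown = set(purposes) - self._purposes.keys()
        if unknown:
            raise PurposeViolation(f"undeclared purposes: {sorted(unknown)}")
        allowed = self._needed_fields(purposes)
        minimised = {k: v for k, v in data.items() if k in allowed}
        self._records[subject_id] = Record(subject_id, minimised,
                                           set(purposes), now)
        return sorted(set(data) - allowed)

    def read(self, subject_id, purpose, now):
        """Return the view of a record permitted for one named purpose."""
        rec = self._records.get(subject_id)
        if rec is None:
            return None
        if purpose not in rec.purposes:
            raise PurposeViolation(f"{purpose!r} was not declared to {subject_id}")
        p = self._purposes[purpose]
        if now - rec.collected_at > p.retention:
            raise PurposeViolation(f"retention for {purpose!r} has expired")
        return {k: v for k, v in rec.data.items() if k in p.fields}

    def purge_expired(self, now):
        """Storage limitation: drop lapsed purposes and any field no remaining
        purpose needs; delete the record entirely once nothing is left."""
        purged = []
        for sid, rec in list(self._records.items()):
            rec.purposes = {p for p in rec.purposes
                            if now - rec.collected_at <= self._purposes[p].retention}
            still_needed = self._needed_fields(rec.purposes) if rec.purposes else set()
            rec.data = {k: v for k, v in rec.data.items() if k in still_needed}
            if not rec.purposes:
                del self._records[sid]
                purged.append(sid)
        return purged


if __name__ == "__main__":
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    # Constructed sample subject; "phone" has no declared purpose and is dropped.
    dropped = store.collect("u1", {"name": "A", "shipping_address": "1 Main St",
                                   "email": "a@example.com", "phone": "555"},
                            {"order_fulfilment", "newsletter"}, t0)
    print("dropped at collection:", dropped)
    print("newsletter view:", store.read("u1", "newsletter", t0))
    print("purged after 100 days:", store.purge_expired(t0 + timedelta(days=100)))
    print("newsletter view, day 100:", store.read("u1", "newsletter", t0 + timedelta(days=100)))
```

The point of keying everything on the purpose rather than on the caller is that a new use of existing data (say, an analytics job reading shipping addresses) fails closed with a `PurposeViolation` instead of silently widening the purpose, and retention is enforced per purpose rather than per record, so a lapsed order-fulfilment period does not keep an e-mail address alive past its own period.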

California Consumer Protection Act

I want to preface this by saying that reading the official legislation for the CCPA after California’s Proposition 24 was passed makes it quite hard to distinguish the rights before and after the amendments. I did my best to separate the information by reading Prop 24 itself, but some information might still be mixed with the CPRA.

The California Consumer Protection Act (CCPA) was published on June 28th, 2018, and made effective January 1st of 2020. At the time of writing this post, it is the current governing privacy regulation in California and protects the people residing in the state.

Similar to the GDPR, the CCPA grants rights to the individual. Some of these are the right to access, the right to delete, the right to restrict processing, and the right to data portability.

The CCPA does not explicitly define a child, but specific rights have been defined for an individual between the ages of 13 and 16. This is the right to opt in: children in this age range cannot be opted in by default to the sale or sharing of their data with third parties; the individual must provide consent through the act of opting in. And of course, if the individual has opted in, either on purpose or by accident, they have the right to opt out.

Through discussion, we have found the CCPA is not effective enough to protect individuals' privacy. One important aspect to point out is that there is no right to rectify/right to correct. Although not mentioned here or on my slides, there is also no principle to ensure data minimization or any sort of privacy by design measures.

California Privacy Rights Act

The California Privacy Rights Act (CPRA) was introduced on November 13th, 2019, and passed via Proposition 24 in November 2020. It is planned to become effective January 1st of 2023, with a look-back to January 1st of 2022. Proposition 24 is an amendment to the CCPA and it introduces a new agency, the California Privacy Protection Agency (CPPA). This agency consists of a five-member board and works as a third party to implement and enforce privacy regulations in California, very similar to how the EU has third-party data protection authorities across all 27 member states.

Some of the notable modifications made include the right to correct and the addition of data minimization. There is also a new category for Sensitive Personal Information (SPI) with additional rights including the right to restrict the use of SPI and collection notification of SPI as well as the right to access information about automated decision-making and the right to opt-out of automated decision-making technology.

Delving deeper, SPI is classified as information that reveals an individual’s:

  • SSN, driver's license, state ID, or passport number.
  • Account login credentials including financial (bank) account, debit card, or credit card accompanied by a password or access code.
  • Precise geolocation.
  • Racial or ethnic origin.
  • Contents of mail, email, or text messages.
  • Genetic data.

I have had people ask me about the difference between geolocation and precise geolocation. When dealing with location in mobile applications, for instance, you can get a general location based on IP address and WiFi data, such as knowing an individual is on campus because they are accessing a website through the university’s internet. Precise geolocation, on the other hand, is the exact or near-exact location you are at, such as the longitude and latitude where you are currently sitting or standing.

With the CPRA, individual rights now extend to third parties. For instance, when you request to have your information deleted, the company needs to inform the third parties they sold or shared information with, to also have your information deleted. A business must also inform the user of their data retention practices.
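The erasure and portability rights described under the GDPR above (Articles 17 and 20) and the CPRA's requirement to pass a deletion on to third parties fit naturally into one request handler, so here is an added example of mine (not code from the post or from any regulator) that does both: it produces a machine-readable JSON export for a portability request, refuses an erasure that does not cite one of the Article 17 grounds the post lists, and on erasure calls a notifier for every third party the data was sold or shared with. The in-memory records, the third-party names and the notifier callback are constructed for illustration.

```python
"""Data subject request handler (added example, not from the post).

Implements a JSON export for the right to data portability (Article 20),
erasure gated on one of the Article 17(1) grounds the post lists, and the
CPRA rule that a deletion is passed on to every third party the data was
sold or shared with. Records, party names and the notifier are constructed.
"""
import json
from enum import Enum


class ErasureGround(Enum):
    """The six Article 17(1) grounds as the post summarises them."""
    NO_LONGER_NECESSARY = "no longer necessary for the purpose of processing"
    CONSENT_WITHDRAWN = "consent withdrawn and no other legal ground"
    OBJECTION = "data subject objects to the processing"
    UNLAWFUL = "data has been unlawfully processed"
    LEGAL_OBLIGATION = "erasure required by EU or Member State law"
    CHILD_ONLINE_SERVICE = "collected from a child under 16 by an online service"


class DataSubjectRequests:
    def __init__(self, records, notify_third_party):
        # records: subject_id -> {"data": {...}, "shared_with": [party, ...]}
        self._records = records
        self._notify = notify_third_party   # callable(party, subject_id)
        self.audit = []                     # what was done, for accountability

    def export(self, subject_id):
        """Article 20: everything held on the subject, as machine-readable JSON."""
        rec = self._records.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        payload = {"subject_id": subject_id, "data": rec["data"],
                   "shared_with": sorted(rec["shared_with"])}
        self.audit.append(("export", subject_id))
        return json.dumps(payload, sort_keys=True)

    def erase(self, subject_id, ground):
        """Article 17 erasure with CPRA-style downstream notification.
        Returns the third parties that were told to delete as well."""
        if not isinstance(ground, ErasureGround):
            raise ValueError("erasure must cite one of the Article 17 grounds")
        rec = self._records.pop(subject_id, None)
        if rec is None:
            return []            # nothing held: idempotent, nothing to notify
        notified = []
        for party in sorted(rec["shared_with"]):
            self._notify(party, subject_id)
            notified.append(party)
        self.audit.append(("erase", subject_id, ground.name, tuple(notified)))
        return notified


def make_demo_records():
    """Constructed sample records for the demonstration below."""
    return {
        "u1": {"data": {"name": "A", "email": "a@example.com"},
               "shared_with": ["ad-network-b", "ad-network-a"]},
        "u2": {"data": {"name": "B"}, "shared_with": []},
    }


if __name__ == "__main__":
    sent = []                                   # stands in for outbound requests
    handler = DataSubjectRequests(make_demo_records(),
                                  lambda party, sid: sent.append((party, sid)))
    print(handler.export("u1"))
    print("notified:", handler.erase("u1", ErasureGround.CONSENT_WITHDRAWN))
    print("downstream deletions sent:", sent)
    print("audit:", handler.audit)
```

Two design points worth noting: the erasure path records which ground was cited and which parties were notified, which is the evidence the accountability principle asks a controller to be able to produce, and a repeated erasure for an already-deleted subject returns an empty list rather than failing, so a retried request cannot leave a partially processed state.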

The final changes I want to mention include children's privacy. In addition to the existing rights, companies can no longer ask a child between 13 and 16 years of age to opt-in after they declined previously for 12 months or until they turn 16, whichever comes first. There is also a violation fee of $7,500 per child affected under the age of 16.


  1. Parent, W. A. (1983). Privacy, Morality, and the Law. Philosophy & Public Affairs, 12(4), 272–273. Available at: http://www.jstor.org/stable/2265374 (accessed 28 October 2022).

  2. Gavison, R. (1980). Privacy and the Limits of Law. The Yale Law Journal, 89(3), 421–471. Available at: https://doi.org/10.2307/795891 (accessed 28 October 2022).

  3. Allen, A. (1988). Uneasy Access: Privacy for Women in a Free Society.

  4. Moore, A. D. (2003). Privacy: Its Meaning and Value. American Philosophical Quarterly, 40, 215–227. Available at: https://ssrn.com/abstract=1980880 (accessed 28 October 2022).

  5. 129th Maine Legislature. (2019). Broadband Internet Access Service Customer Privacy [PDF]. Available at: https://mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&item=1&snum=129 (accessed 19 October 2022).

  6. 130th Maine Legislature. (2021). Facial Surveillance [PDF]. Available at: https://legislature.maine.gov/legis/bills/getPDF.asp?paper=HP1174&item=1&snum=130 (accessed 19 October 2022).

  7. GDPR. (2018). General Data Protection Regulation (GDPR). Available at: https://gdpr-info.eu/ (accessed 26 October 2022).