Technology
Definition
Data privacy law governs how organizations collect, store, use, and share personal information — with GDPR (Europe) and CCPA (California) setting the most influential global standards that any business handling personal data must understand.
The EU's General Data Protection Regulation (GDPR), effective May 2018, applies to any organization worldwide that processes the personal data of EU residents — regardless of where the organization is located. GDPR establishes core principles: data minimization (collect only what you need), purpose limitation (use data only for the purpose it was collected), storage limitation (don't keep data longer than necessary), accuracy, security, and accountability. It grants individuals specific rights: the right to access their data, the right to correction, the right to erasure ('right to be forgotten'), the right to data portability, and the right to object to processing. GDPR fines can reach €20 million or 4% of global annual turnover — whichever is higher.
The California Consumer Privacy Act (CCPA, effective 2020, strengthened by CPRA in 2023) creates similar rights for California residents: the right to know what data is collected, the right to delete, the right to opt out of the sale of personal data, and the right to non-discrimination for exercising privacy rights. CCPA applies to businesses above certain thresholds (annual revenue over $25M, or data on 100,000+ consumers, or deriving 50%+ of revenue from selling data). Similar laws are now in effect or pending in over a dozen US states, creating a patchwork compliance environment.
Practical GDPR/CCPA compliance involves a privacy audit (what data do you collect, where does it come from, where does it go?), a privacy policy that accurately reflects your data practices (written in plain language), cookie consent management (especially for analytics and advertising cookies), data processing agreements with vendors who handle your data, data subject request procedures (how you respond when someone invokes their rights), and a breach notification process.
Ignorance of data privacy law is not a defense — and regulators have demonstrated willingness to pursue companies of all sizes for non-compliance, not just Fortune 500 enterprises. More immediately, enterprise customers increasingly require data processing agreements and evidence of compliance before signing contracts. A business that cannot demonstrate GDPR compliance may simply be disqualified from selling to European companies or regulated industries.
A technology attorney or privacy consultant can conduct a gap assessment against applicable regulations, help you implement the required notices and consent mechanisms, draft compliant privacy policies and data processing agreements, and advise on the organizational policies and controls that regulators look for. Getting privacy right early — especially before significant growth in your user base — is far less costly than remediating non-compliance under regulatory pressure.