Chapter 8. Navigating the Legal Side of Privacy

You’ve learned so much about privacy definitions and technologies in this book so far. As you apply them in the context of your work, you’ll inevitably find this requires understanding the legal aspects of privacy.

Legal factors are not the only reason to apply privacy—nor do I see them as the driver of privacy-first data science. For some, however, they are the primary impetus for implementing privacy-enhancing technologies (PETs). In many large organizations, privacy is first understood as a compliance problem and then later implemented in technology. Even if you consider yourself a privacy champion and want to lead initiatives based on the technology and social aspects of privacy, teaming with the legal or privacy team makes sense. You can use their knowledge and guidance to convince the business of the value of privacy initiatives.

This chapter explores two very different pieces of privacy legislation: the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). This review will help you understand how to translate regulations into technological decisions and how to review and audit those decisions for compliance.

You’ll then take a look at contracts, privacy policies, internal guidelines, and policies to understand how regulatory needs are translated into the organization. Sometimes these are written by internal counsel, other times with external legal assistance, which means you ...
