Privacy & Compliance (GDPR, CCPA, HIPAA)
The main data privacy regulations, what rights they grant to individuals, and what technical obligations they create for your systems.
Privacy regulations give individuals rights over their data: you can ask a company what they have on you, correct it, delete it, take it elsewhere. Companies must deliver these rights on demand — usually within 30 days.
The big three: **GDPR** (EU, strict, penalties up to 4% of global revenue), **CCPA/CPRA** (California, similar spirit, more permissive), **HIPAA** (US, health-specific — any org handling US medical data). Others to know: **LGPD** (Brazil, GDPR-inspired), **PIPEDA** (Canada), **APPI** (Japan), **PDPA** (Singapore).
Key GDPR concepts: **Personal data** (anything identifying a person — name, email, IP, cookie, location, device ID), **Lawful basis** (you need a legal reason to process: consent, contract, legal obligation, vital interests, public interest, legitimate interests), **Data subject rights** (access, rectification, erasure, portability, objection, restriction), **DPIA** (Data Protection Impact Assessment — required for high-risk processing), **DPO** (Data Protection Officer — mandatory role for some orgs).
Practical consequences for systems: (a) **map personal data** — you must know every place it lives; (b) **delete on request** — including backups and ML models where feasible; (c) **log consent** — prove when/how/for what; (d) **notify breaches** within 72h; (e) **cross-border transfers** — EU data can only leave the EU under specific conditions (SCCs, adequacy decisions).
Penalties are real. GDPR fines have hit €746M (Amazon), €405M (Instagram/Meta). For small companies, the risk is less the fine and more reputational: losing customer trust after a public breach is very expensive.
Grounded on https://gdpr.eu/