Privacy

by John Bandler

Privacy is important for every individual and every organization. Privacy threats include data breaches and companies who overshare, violating their privacy promises regarding customer information. Privacy is the subject of rapidly growing laws and regulations and is worth attention from every organization. For organizations, sound privacy practices can be good for business and avoid a legal problem. For individuals, privacy awareness is important for each of us and our families.

Privacy's origins and types

Personal privacy is a concept that has existed for hundreds, even thousands of years. In 1890 Louis Brandeis, who would go on to be a Supreme Court Justice, co-authored a law review article on the subject and suggested an individual right to privacy which included a right to be left alone.

We can think of four main areas of privacy:

  • Information privacy (data privacy)
  • Communications privacy
  • Territorial privacy
  • Bodily privacy.

Data privacy is typically about the information (data) about consumers (including you and me) that is collected, stored, used, and shared.

Now consider how all four privacy types are wrapped up in data privacy. Most things you communicate are stored as data, much information about your body and health is stored as data, and everywhere you go and linger is stored as data.

Privacy law introduced

[Figure: Four types of data law, by John Bandler, 2025-11-21]

Privacy law is a part of data law, and I cover data law in a separate article (see link at bottom).

Data law can be thought of as having four parts:

  • Secure data disposal
  • Data breach notification
  • Cybersecurity
  • Privacy.

For the most part, privacy law includes cybersecurity, breach notification, and data disposal requirements.

Data privacy vs. cybersecurity (for an organization)

[Figure: Privacy v. Cybersecurity, organization, 2023-9-9]

From an organization's perspective, cybersecurity and privacy overlap to a degree, but with a large area of uniqueness, as depicted in this Venn diagram.

Thus, data privacy includes security, but also many other elements. And cybersecurity involves securing many types of data and information systems, including individual (consumer) personal information, but also others. So they intersect, but each also has distinct components.

(The intersection is not to scale and is subject to debate. For simplicity we combined cybersecurity and information security into a single oval, and we are calling "data privacy" simply "privacy".)

Organization privacy practices address consumer individual rights and organization decisions about how personal information about the individual is collected, stored, secured, shared, and used.

Privacy vs. cybersecurity (for an individual)

[Figure: Privacy v. Cybersecurity, individual, 2023-9-9]

Individuals can look at privacy and cybersecurity from a different perspective, because they are protecting their own cybersecurity and privacy, and often that can be done together.

There is a high degree of overlap, and both can be worked on together. As you review settings on a device or platform, you can review your privacy and cybersecurity settings at the same time.

Privacy frameworks

Privacy frameworks are voluntary best practices for managing privacy. I summarize them in my book on cyberlaw, and cover them before privacy laws, since in many ways they preceded the laws and influenced them.

Privacy laws and regulations

Today, consumers have varying statutory privacy rights depending upon applicable jurisdictions and sectors.

Here are a few thoughts to keep in mind:

[Figure: Cybersecurity and privacy law, 2023-7]

  • "Privacy laws" and "cybersecurity laws" overlap. Indeed, almost every privacy law has a cybersecurity and data breach reporting component. I depict this in my diagram on cybersecurity and privacy law.
  • The U.S. legal framework for privacy laws and regulations is a patchwork.
  • A patchwork of laws and regulations, state vs. federal, and overlapping regulators and laws.

The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 and applies to many U.S. organizations who collect personal information of EU citizens.

In the U.S., the Federal Trade Commission Act carries some privacy protections for consumers with requirements for business. Individual sectors such as finance and health have their own privacy requirements.

In the absence of an overarching federal privacy law, states have started to enact their own privacy statutes, starting with California and then followed by others. The reach of these state laws extends beyond their borders.

Typical privacy legal requirements

Privacy laws generally create rights for consumers regarding information about them held by a business. These consumer rights mean legal obligations for the business. Privacy rights include:

  • Notice about privacy practices: how the company collects, stores, uses, and shares information about the consumer.
  • Ability to access data about the consumer, correct it, ask that it be deleted or that processing be limited, or transfer data to another service provider.

A business privacy program should generally follow these principles:

  • Be lawful, fair, and transparent
  • Limit collection, use, and processing of personal data
  • Keep personal data only as long as needed (then purge)
  • Keep personal data accurate
  • Keep personal data secure with good cybersecurity
  • Be accountable for the above.

For organizations, privacy is a component of information governance

Organizations need to manage their information systems and assets, a process known as information governance.

They should address cybersecurity, privacy, and business needs comprehensively, as a component of overall management.

This starts with having written policies for privacy, cybersecurity, and incident response. I have a number of resources on policy work, including my policies book, policies online course, and policy resources on this website.

This management can start with Bandler's Five Components for Policy Work and Management.

For individuals, privacy is important too

We should make conscious choices for our privacy, about the information we share, and we should teach the younger generations about this as well (and learn from them).

Conclusion

Knowledge of privacy is important for individuals and organizations. Individuals should strive to improve their awareness of the privacy threats and choices they face. Organizations should develop privacy policies, comply with applicable legal requirements, and protect consumer privacy.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

Additional resources

This article is hosted at https://johnbandler.com/privacy, copyright John Bandler, all rights reserved.

This article is also available on https://johnbandler.medium.com/privacy-7804466a1f4a (though not kept as up to date).

Originally posted 7/16/2022, updated 12/23/2025.