Data Privacy Compliance
Comprehensive guidance for implementing data privacy compliance across GDPR, CCPA, HIPAA, and other global data protection regulations.
When to Use This Skill
Use this skill when:
- Implementing GDPR, CCPA, or HIPAA compliance
- Conducting Data Protection Impact Assessments (DPIA)
- Managing data subject rights (access, deletion, portability)
- Implementing consent management systems
- Drafting privacy policies and notices
- Handling data breaches and incident response
- Designing privacy-by-design systems
- Conducting privacy audits and assessments
Key Regulations Overview
GDPR (General Data Protection Regulation)
Scope: EU residents' data, regardless of where company is located Key Requirements:
- Lawful basis for processing (consent, contract, legitimate interest, etc.)
- Data subject rights (access, deletion, portability, objection)
- Data Protection Impact Assessments for high-risk processing
- 72-hour breach notification requirement
- Records of processing activities
- Privacy by design and by default
Penalties: Up to €20M or 4% of global annual revenue
CCPA/CPRA (California Consumer Privacy Act)
Scope: California residents' data Key Requirements:
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of sale/sharing
- Right to correct inaccurate information
- Right to limit use of sensitive personal information
Penalties: Up to $7,500 per intentional violation
HIPAA (Health Insurance Portability and Accountability Act)
Scope: Protected Health Information (PHI) in the US Key Requirements:
- Privacy Rule (patient rights and information uses)
- Security Rule (safeguards for ePHI)
- Breach Notification Rule (60-day notification)
- Business Associate Agreements (BAAs)
Penalties: Up to $1.5M per violation category per year
Data Subject Rights Implementation
1. Right to Access (GDPR Art. 15 / CCPA § 1798.100)
Request Handler:
async function handleAccessRequest(userId, email) {
// Verify identity
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
// Collect all personal data
const userData = await collectUserData(userId);
// Format for readability
const report = {
personalInfo: userData.profile,
activityLogs: userData.activities,
preferences: userData.settings,
thirdPartySharing: userData.dataSharing,
retentionPeriod: '2 years from last activity',
dataProtectionOfficer: 'dpo@company.com'
};
// Generate downloadable report
const pdf = await generatePDFReport(report);
// Log request for compliance
await logAccessRequest(userId, 'completed');
return pdf;
}
Response Timeline:
- GDPR: 1 month (extendable to 3 months)
- CCPA: 45 days (extendable to 90 days)
2. Right to Deletion (GDPR Art. 17 / CCPA § 1798.105)
Deletion Handler:
async function handleDeletionRequest(userId, email) {
// Verify identity
const verified = await verifyIdentity(email);
if (!verified) throw new Error('Identity verification failed');
// Check for legal obligations to retain
const mustRetain = await checkRetentionRequirements(userId);
if (mustRetain.required) {
return {
status: 'partial_deletion',
retained: mustRetain.data,
reason: mustRetain.legalBasis,
retentionPeriod: mustRetain.period
};
}
// Delete from all systems
await Promise.all([
deleteFromDatabase(userId),
deleteFromBackups(userId), // Mark for deletion in next backup cycle
deleteFromAnalytics(userId),
deleteFromThirdPartyServices(userId),
revokeAPIKeys(userId),
anonymizeHistoricalRecords(userId)
]);
// Confirm deletion
await sendDeletionConfirmation(email);
await logDeletionRequest(userId, 'completed');
return { status: 'deleted', timestamp: new Date() };
}
Exceptions (when deletion can be refused):
- Legal obligations (tax records, contracts)
- Public interest/scientific research
- Defense of legal claims
- Exercise of freedom of expression
3. Right to Data Portability (GDPR Art. 20)
Export Handler:
async function handlePortabilityRequest(userId, format = 'json') {
const userData = await collectUserData(userId);
// Structure in machine-readable format
const portableData = {
exportDate: new Date().toISOString(),
userId: userId,
data: {
profile: userData.profile,
content: userData.userGeneratedContent,
settings: userData.preferences,
history: userData.activityHistory
}
};
// Support multiple formats
if (format === 'csv') {
return convertToCSV(portableData);
} else if (format === 'xml') {
return convertToXML(portableData);
}
return portableData; // JSON by default
}
Requirements:
- Structured, commonly used, machine-readable format
- Ability to transmit directly to another controller
- Only applies to data provided by data subject
- Only for automated processing based on consent or contract
4. Right to Object (GDPR Art. 21)
Objection Handler:
async function handleObjectionRequest(userId, processingType) {
switch (processingType) {
case 'direct_marketing':
// Must stop immediately
await disableMarketing(userId);
await updateConsent(userId, 'marketing', false);
break;
case 'legitimate_interest':
// Assess if we have compelling grounds
const assessment = await assessLegitimateInterest(userId);
if (!assessment.compelling) {
await stopProcessing(userId, processingType);
}
return assessment;
case 'profiling':
await disableProfiling(userId);
await updateConsent(userId, 'profiling', false);
break;
default:
throw new Error('Invalid processing type');
}
await logObjectionRequest(userId, processingType, 'granted');
}
Consent Management
Consent Requirements (GDPR)
Valid Consent Must Be:
- Freely given (no coercion)
- Specific (for each purpose)
- Informed (clear language)
- Unambiguous (clear affirmative action)
- Withdrawable (as easy to withdraw as to give)
Consent Implementation:
<!-- Good: Granular consent -->
<form>
<h3>Privacy Preferences</h3>
<label>
<input type="checkbox" name="essential" checked disabled>
<strong>Essential cookies (Required)</strong>
<p>Necessary for website functionality</p>
</label>
<label>
<input type="checkbox" name="analytics" value="analytics">
<strong>Analytics cookies</strong>
<p>Help us improve our website by collecting usage data</p>
</label>
<label>
<input type="checkbox" name="marketing" value="marketing">
<strong>Marketing cookies</strong>
<p>Show you personalized ads based on your interests</p>
</label>
<button type="submit">Save Preferences</button>
<a href="/privacy-policy">Learn More</a>
</form>
Consent Record Storage:
const consentRecord = {
userId: 'user123',
timestamp: new Date().toISOString(),
consentVersion: '2.0',
purposes: {
essential: { granted: true, required: true },
analytics: { granted: true, purpose: 'Website improvement' },
marketing: { granted: false, purpose: 'Personalized advertising' }
},
ipAddress: '192.168.1.1', // For proof
userAgent: 'Mozilla/5.0...', // For context
method: 'explicit_opt_in' // or 'implicit', 'presumed'
};
await saveConsentRecord(consentRecord);
Cookie Banner (GDPR Compliant)
<div id="cookie-banner" role="dialog" aria-labelledby="cookie-title">
<h2 id="cookie-title">Cookie Preferences</h2>
<p>
We use cookies to enhance your experience. Choose which cookies you
allow us to use. You can change your preferences at any time.
</p>
<button onclick="acceptAll()">Accept All</button>
<button onclick="rejectNonEssential()">Reject Non-Essential</button>