Privacy Grid

Categorizing Privacy: 

When privacy professionals talk about privacy laws, we say here’s a law, it has some features. What we have not done often or with much robustness, is to categorize our privacy laws, to put them into discrete buckets that allow us to think about them comparatively.

I’ve used existing and newly created ontologies to categorize laws relevant to US-centric privacy practices and the CIPP/US certification offered by IAPP. This is not meant as a study guide, though I originally started building it for my own study. I see it now as a reference guide that can be used to gain insight into the privacy landscape.

We knew privacy law was a complex patchwork. I’ve highlighted that complexity by categorizing laws in new ways:

Scope: The initial categorization I’ve made is on Scope. This is a characterization of each law based on its breadth. It’s an expansion of the Comprehensive vs Sectoral identification often made about privacy laws. I’ve expanded this classification to include the following:

• Comprehensive: privacy laws that cover the widest range of organizations and activities
• Broad: privacy laws that cover many organizations and activities but can’t be considered comprehensive
• Sectoral: privacy laws that apply to a specific industry or business sector
• Topical: privacy laws that apply to a specific topic or technology 
• Criminal Statute: extremely specific privacy laws with criminal penalties 
• Privacy Benefit: explicitly created for another purpose, where privacy rights are a fringe benefit

Silo: I’ve created a Silo classification based on the 1996 Simon Davies ontology from “Big Brother: Britain’s Web Of Surveillance And The New Technological Order.” This is a common classification, but I’ve never seen it applied to legislation in a systematic way. Here are the four types, with the definitions I utilized:

• Information Privacy: Establishment of rules governing collection and handling of PII (private data) e.g. Financial, Medical, Educational, Gov, Internet, Consumer Privacy
• Bodily Privacy: Protection of the physical self from invasive processes (private parts) e.g. Genetic Testing, Drug Testing, Body Cavity, Birth Control, Abortion, Adoption
• Territorial Privacy: Limits on an intrusion in domestic, work, public space (private places) e.g. Video surveillance, Identity checks, Home searches, Vehicle searches, Laptop searches, GPS
• Comm Privacy: Security and privacy of communications (private messages) e.g. Postal privacy, Phone Conversations, Email, Wiretaps, Social media, Mass Surveillance

Type: Privacy laws are further bucketed into Types. There are 3 major types: Rights, Rules, & Policing, with sub-types of each:

• Privacy Rights: laws directly regulating data privacy rights
• Free Speech Rights: laws impacting 1A / Freedom of Speech
• Anti-Discrim Rights: laws limiting the business use of sensitive data
• Surveillance Law Policing: laws allowing or limiting spying
• Anti-Crime Policing: laws primarily designed to fight crime
• Transparency Rules: laws requiring orgs & governments to expose info
• InfoSec Rules: laws focused on data security & data protection
• Self-Regulation Rules: self-imposed rulesets for building consumer trust, warding off regulation

Sector: Each law is assigned a primary Sector.  I’ve created an ontology consisting of 13 sectors. Legislation in the International Privacy category might have been broken out differently, but I choose to do it this way as my initial focus was on the CIPP/US corpus:

Protected Info: What information is protected by the law? I’ve summarized the legislation, creating 23 discrete buckets to describe the protected data:

Who’s Protected?: What audience is the law trying to protect? At times this can be messy. I have created 9 categories to describe who is being protected. In many cases is some form of consumer or citizen (see the list on the left). But there are other laws that are harder to box. I’ve also created a bucket for “Security” for legislation that focuses on protecting the State or the public good rather than any individual or organization:

Who’s Regulated?: What organizations is the law trying to protect? Sixteen categories are used here to describe the regulated organization, industry, or area. The All Controllers classification covers not just GDPR but laws that attempt to cover all entities, regardless of who they are (business, government, individual, other) or their Sector. Illegal Acts is a bucket that covers Criminal Scope laws like CFAA, ITADA, and the Video Voyeurism Prevention Act.