Privacy Grid

◈ Last edit: Nov 12, 2021
◈ 222 Privacy Laws Covered
◈ Ontology, Links, Research

Unique data. Hand-curated.

A Wikipedia for Privacy Laws

Privacy Grid lives on the Cinchy Platform. This gives us great control in a zero-copy environment and it lets us share data in what is effectively a Wikipedia for Privacy Laws!

  • Collaborative dataset for privacy, data protection, and compliance pros.
  • Granular detail on international privacy legislation
  • Anyone can contribute new laws, data points, and commentary
  • Curate! Become a Custodian for a law or a country. Show off your acumen!
  • CIN: Privacy Grid is part of the Collaborative Intelligence Network

An Introduction to Privacy Grid

PIPL Sample: Detailed Record

Form View for PIPL

Access Privacy Grid via CIN

Join the Collaborative Intelligence Network for free to gain access.
Join CIN and then ping Jeff Jockisch for details.

Categorization in the Privacy Grid

Categorizing Privacy

When privacy professionals talk about privacy laws, we say: here is a law, and it has some features. What we have not done often, or with much robustness, is categorize our privacy laws, putting them into discrete buckets that allow us to think about them comparatively.

I’ve used existing and newly created ontologies to categorize laws relevant to US-centric privacy practices and the CIPP/US certification offered by IAPP. This is not meant as a study guide, though I originally started building it for my own study. I see it now as a reference guide that can be used to gain insight into the privacy landscape.

We knew privacy law was a complex patchwork. I’ve highlighted that complexity by categorizing laws in new ways:

  • Scope :: Comprehensive, Sectoral, Topical, more
  • Silo :: Info, Bodily, Territorial, Communication
  • Type :: Rights, Rules, Policing (+ sub-levels)
  • Sector :: Consumer, Financial, Medical, Employ, 9 more
  • Protected Info :: 23 categories
  • Protected Entity :: 9 cats – Consumer to Business
  • Regulated Entity :: 16 cats – All Controllers to Specific

Scope: The initial categorization I’ve made is on Scope. This is a characterization of each law based on its breadth. It’s an expansion of the Comprehensive vs Sectoral identification often made about privacy laws. I’ve expanded this classification to include the following:

  • Comprehensive: privacy laws that cover the widest range of organizations and activities
  • Broad: privacy laws that cover many organizations and activities but can’t be considered comprehensive
  • Sectoral: privacy laws that apply to a specific industry or business sector
  • Topical: privacy laws that apply to a specific topic or technology
  • Criminal Statute: extremely specific privacy laws with criminal penalties
  • Privacy Benefit: explicitly created for another purpose, where privacy rights are a fringe benefit

Silo: I’ve created a Silo classification based on the 1996 Simon Davies ontology from “Big Brother: Britain’s Web Of Surveillance And The New Technological Order.” This is a common classification, but I’ve never seen it applied to legislation in a systematic way. Here are the four types, with the definitions I utilized:

  • Information Privacy: establishment of rules governing collection and handling of PII (private data), e.g. Financial, Medical, Educational, Gov, Internet, Consumer Privacy
  • Bodily Privacy: protection of the physical self from invasive processes (private parts), e.g. Genetic Testing, Drug Testing, Body Cavity, Birth Control, Abortion, Adoption
  • Territorial Privacy: limits on intrusion into domestic, work, and public space (private places), e.g. Video surveillance, Identity checks, Home searches, Vehicle searches, Laptop searches, GPS
  • Comm Privacy: security and privacy of communications (private messages), e.g. Postal privacy, Phone Conversations, Email, Wiretaps, Social media, Mass Surveillance

Type: Privacy laws are further bucketed into Types. There are 3 major types: Rights, Rules, & Policing, with sub-types of each:

  • Privacy Rights: laws directly regulating data privacy rights
  • Free Speech Rights: laws impacting 1A / Freedom of Speech
  • Anti-Discrim Rights: laws limiting the business use of sensitive data
  • Surveillance Law Policing: laws allowing or limiting spying
  • Anti-Crime Policing: laws primarily designed to fight crime
  • Transparency Rules: laws requiring orgs & governments to expose info
  • InfoSec Rules: laws focused on data security & data protection
  • Self-Regulation Rules: self-imposed rulesets for building consumer trust, warding off regulation

Sector: Each law is assigned a primary Sector. I’ve created an ontology consisting of 13 sectors. Legislation in the International Privacy category might have been broken out differently, but I chose to do it this way because my initial focus was on the CIPP/US corpus:

  • Consumer Privacy
  • Financial Privacy
  • Medical Privacy
  • Employment Privacy
  • Education Privacy
  • InfoSec / Breaches
  • Telecomm / Marketing
  • Media & Privacy
  • Government Records
  • Public Safety
  • Law Enforcement
  • National Security
  • International Privacy

Protected Info: What information is protected by the law? I’ve summarized the legislation, creating 23 discrete buckets to describe the protected data:

  • Contact Info
  • PII – Personally Identifiable Info
  • SPI – Sensitive Personal Info
  • NPI – Non-Public Info
  • ⚕️ PBI – Protected Biometric Info
  • ⚕️ PGI – Protected Genetic Info
  • ⚕️ PHI – Protected Health Info
  • Employment Info
  • Education Records
  • $ Financial Marketing
  • $ Financial Records
  • $ Credit Cards
  • $ Consumer Reports
  • Personal Comms
  • CPNI – Customer Proprietary Network Info
  • Protected Speech
  • Journalism
  • Census Data
  • Gov Data
  • FII – Foreign Intelligence Info
  • Images
  • Incident Records
  • Info from a “protected computer”

Who’s Protected?: What audience is the law trying to protect? At times this can be messy. I have created 9 categories to describe who is being protected. In many cases it is some form of consumer or citizen (see the list below). But there are other laws that are harder to box. I’ve also created a “Security” bucket for legislation that focuses on protecting the State or the public good rather than any individual or organization:

  • Consumers
  • Citizens
  • Students/Parents
  • Employees
  • Research subjects
  • Journalists
  • Businesses
  • Platforms
  • Security

Who’s Regulated?: What organizations is the law trying to regulate? Sixteen categories are used here to describe the regulated organization, industry, or area. The All Controllers classification covers not just GDPR but laws that attempt to cover all entities, regardless of who they are (business, government, individual, other) or their Sector. Illegal Acts is a bucket that covers Criminal Scope laws like CFAA, ITADA, and the Video Voyeurism Prevention Act.

  • All Controllers
  • Businesses
  • Employers
  • Online businesses
  • Online publishers
  • Marketers
  • Telemarketers
  • Financial orgs
  • Healthcare orgs
  • Video businesses
  • Educators
  • Researchers
  • Government
  • Law Enforcement
  • Communications
  • Illegal Acts