Privacy Legislation Grid

◈ Last edit: June 5, 2021
◈ 84 Privacy Laws Covered
◈ New Ontology, Links, Research

Unique data. Hand-curated.

Applying Ontology to Privacy Legislation

When privacy professionals talk about privacy laws, we say here’s a law, it has some features. What we have not done often or with much robustness, is to categorize our privacy laws, to put them into discrete buckets that allow us to think about them comparatively.

I’ve used existing and newly created ontologies to categorize laws relevant to US-centric privacy practices and the CIPP/US certification offered by IAPP. This is not meant as a study guide, though I originally started building it for my own study. I see it now as a reference guide that can be used to gain insight into the privacy landscape.

We knew privacy law was a complex patchwork. I’ve highlighted that complexity by categorizing laws in new ways:

  • Scope :: Comprehensive, Sectoral, Topical, more
  • Silo :: Info, Bodily, Territorial, Communication
  • Type :: Rights, Rules, Policing (+ sub-levels)
  • Sector :: Consumer, Financial, Medical, Employ, 9 more
  • Protected Info :: 23 categories
  • Protected Entity :: 9 cats – Consumer to Business
  • Regulated Entity :: 16 cats – All Controllers to Specific
Visit the Privacy Legislation Grid Infographic. An easy-to-reference PDF of the primary data from this research.
Submit suggestions for laws to be added, new features, or suggested fixes. If accepted, we will give you attribution.
Privacy Grid

A Searchable Grid of Privacy Legislation

Privacy LegislationYrJurisScopeSiloSectorType of LawTargeted InfoProtects Who?Regulates Who?Fed EnforceSt EnforcePrivate Right?Criminal Pen?Preempt?DSAR?Data Security?Loc Data?URL1URL2URL3URL4URL5Quick SumFull Legal

New Categorization Schemes for Privacy Laws

Categorizing Privacy: 

Scope: The initial categorization I’ve made is on Scope. This is a characterization of each law based on its breadth. It’s an expansion of the Comprehensive vs Sectoral identification often made about privacy laws. I’ve expanded this classification to include the following:

  • Comprehensive: privacy laws that cover the widest range of organizations and activities
  • Broad: privacy laws that cover many organizations and activities but can’t be considered comprehensive
  • Sectoral: privacy laws that apply to a specific industry or business sector
  • Topical: privacy laws that apply to a specific topic or technology 
  • Criminal Statute: extremely specific privacy laws with criminal penalties 
  • Privacy Benefit: explicitly created for another purpose, where privacy rights are a fringe benefit

Silo: I’ve created a Silo classification based on the 1996 Simon Davies ontology from “Big Brother: Britain’s Web Of Surveillance And The New Technological Order.” This is a common classification, but I’ve never seen it applied to legislation in a systematic way. Here are the four types, with the definitions I utilized:

  • Information Privacy: Establishment of rules governing collection and handling of PII (private data) e.g. Financial, Medical, Educational, Gov, Internet, Consumer Privacy
  • Bodily Privacy: Protection of the physical self from invasive processes (private parts) e.g. Genetic Testing, Drug Testing, Body Cavity, Birth Control, Abortion, Adoption
  • Territorial Privacy: Limits on an intrusion in domestic, work, public space (private places) e.g. Video surveillance, Identity checks, Home searches, Vehicle searches, Laptop searches, GPS
  • Comm Privacy: Security and privacy of communications (private messages) e.g. Postal privacy, Phone Conversations, Email, Wiretaps, Social media, Mass Surveillance

Type: Privacy laws are further bucketed into Types. There are 3 major types: Rights, Rules, & Policing, with sub-types of each:

  • Privacy Rights: laws directly regulating data privacy rights
  • Free Speech Rights: laws impacting 1A / Freedom of Speech
  • Anti-Discrim Rights: laws limiting the business use of sensitive data
  • Surveillance Law Policing: laws allowing or limiting spying
  • Anti-Crime Policing: laws primarily designed to fight crime
  • Transparency Rules: laws requiring orgs & governments to expose info
  • InfoSec Rules: laws focused on data security & data protection
  • Self-Regulation Rules: self-imposed rulesets for building consumer trust, warding off regulation

Sector: Each law is assigned a primary Sector.  I’ve created an ontology consisting of 13 sectors. Legislation in the International Privacy category might have been broken out differently, but I choose to do it this way as my initial focus was on the CIPP/US corpus:

  • Consumer Privacy
  • Financial Privacy
  • Medical Privacy
  • Employment Privacy
  • Education Privacy
  • InfoSec / Breaches
  • Telecomm / Marketing
  • Media & Privacy
  • Government Records
  • Public Safety
  • Law Enforcement
  • National Security
  • International Privacy

Protected Info: What information is protected by the law? I’ve summarized the legislation, creating 23 discrete buckets to describe the protected data:

  • ? Contact Info
  • ? PII – Personally Identifiable Info
  • ? SPI – Sensitive Personal Info
  • ? NPI – Non-Public Info
  • ⚕️ PBI – Protected Biometric Info
  • ⚕️ PGI – Protected Genetic Info
  • ⚕️ PHI – Protected Health Info
  • ? Employment info
  • ? Education Records
  • $ Financial Marketing
  • $ Financial Records
  • $ Credit Cards
  • $ Consumer Reports
  • ? Personal Comms
  • ? CPNI – Customer Proprietary Network Info
  • ? Protected Speech
  • ? Journalism
  • ?? Census Data
  • ?? Gov Data
  • ?? FII – Foreign Intelligence Info
  • ?️ Images
  • ? Incident Records
  • ?️ Info from a “protected computer”

Who’s Protected?
: What audience is the law trying to protect? At times this can be messy. I have created 9 categories to describe who is being protected. In many cases is some form of consumer or citizen (see the list on the left). But there are other laws that are harder to box. I’ve also created a bucket for “Security” for legislation that focuses on protecting the State or the public good rather than any individual or organization:

  • Consumers
  • Citizens
  • Students/Parents
  • Employees
  • Research subjects
  • Journalists
  • Businesses
  • Platforms
  • Security


Who’s Regulated?: What organizations is the law trying to protect? Sixteen categories are used here to describe the regulated organization, industry, or area. The All Controllers classification covers not just GDPR but laws that attempt to cover all entities, regardless of who they are (business, government, individual, other) or their Sector. Illegal Acts is a bucket that covers Criminal Scope laws like CFAA, ITADA, and the Video Voyeurism Prevention Act.

  • All Controllers
  • Businesses
  • Employers
  • Online businesses
  • Online publishers
  • Marketers
  • Telemarketers
  • Financial orgs
  • Healthcare orgs
  • Video businesses
  • Educators
  • Researchers
  • Government
  • Law Enforcement
  • Communications
  • Illegal Acts

Other Features of this Data Set:

In addition to the categorization, this CIPP/US Legislation Grid pack many other features:

  • Link to the Full Text of the Legislation
    — Click on the name of the law
  • Enforcement Information:
    — Federal / State Agencies involved, Private Right of Action, Criminal Penalties, Preemption
  • External Links to additional data for your research

  • DSAR provision?
  • Data Security coverage?
  • Location Data rules?

Since this is a live dataset, you can search it and sort it on any of the columns.