Data Security & Privacy
FAQs
Frequently Asked Questions (FAQs) on Data Privacy and Protection Laws
GDPR, U.S. Federal Privacy Law, California Privacy Law, and Maryland MODPA
These FAQs are provided for general educational purposes only and do not constitute legal advice. Data privacy and data protection obligations vary based on applicable law and the specific facts and circumstances.
General Privacy Law FAQs
What are data privacy laws and data protection laws?
Data privacy laws generally govern how personal information may be collected, used, shared, and disclosed, focusing on individuals’ rights and organizational transparency.
Data protection laws generally focus more broadly on safeguarding personal data through security, confidentiality, integrity, and breach prevention measures, although the terms are often used interchangeably in practice.
See GDPR Articles 5, 24, and 32; Cal. Civ. Code §§1798.100 and 1798.150; Md. Commercial Law §14-4607; GDPR Official Text; California CCPA Resources; Maryland Privacy Resources
What is personal data or personal information?
Personal data or personal information generally refers to information that identifies or can reasonably identify an individual, including names, email addresses, IP addresses, or biometric data.
See GDPR Article 4(1); Cal. Civ. Code §1798.140(v); GDPR Article 4 Definitions; California Privacy Definitions
What is sensitive personal data?
Sensitive personal data includes health information, biometric data, precise geolocation, racial or ethnic origin, and financial account information.
See GDPR Article 9; Cal. Civ. Code §1798.140(ae); GDPR Article 9 Special Categories of Data; California Sensitive Personal Information Rules
What rights do consumers have under privacy laws?
Most comprehensive privacy laws provide rights to access, correct, delete, and obtain copies of personal data and to opt out of certain processing activities, although such rights vary by jurisdiction and sector.
See GDPR Articles 15–22; Cal. Civ. Code §§1798.100–1798.121; Md. Commercial Law §14-4603.
GDPR FAQs
What is the GDPR?
The GDPR is the European Union’s comprehensive law regulating the processing of personal data.
See Regulation (EU) 2016/679; Official GDPR Portal
Who must comply with GDPR?
GDPR generally applies to organizations operating in the EU or processing data of individuals located in the EU.
See GDPR Article 3; GDPR Territorial Scope
What lawful basis is required under GDPR?
Organizations must have a lawful basis such as consent, contract necessity, legal obligation, or legitimate interests before processing personal data.
See GDPR Article 6; GDPR Article 6 Lawfulness of Processing
What are GDPR consent requirements?
Consent must be freely given, informed, specific, unambiguous and capable of being withdrawn.
See GDPR Article 7; GDPR Consent Requirements
What is the “right to be forgotten”?
Individuals may request deletion of personal data when it is no longer necessary or consent is withdrawn.
See GDPR Article 17; GDPR Right to Erasure
What is privacy by design?
Organizations must incorporate privacy protections into systems and processes from the outset.
See GDPR Article 25.
What are GDPR data breach notification requirements?
Controllers generally must notify the appropriate supervisory authority within 72 hours after becoming aware of qualifying breaches.
See GDPR Article 33.
What penalties exist under GDPR?
GDPR fines can reach €20 million or 4% of annual global revenue, whichever is greater.
See GDPR Article 83.
What are international data transfer restrictions under GDPR?
Transfers of EU personal data outside the EU require approved safeguards such as Standard Contractual Clauses.
See GDPR Article 46.
U.S. Federal Privacy Law FAQs
Does the United States have a single federal privacy law?
No. The United States uses a sector-specific privacy framework with separate laws for healthcare, finance, children’s privacy, and consumer protection.
What is HIPAA?
HIPAA establishes privacy and security requirements for protected health information handled by healthcare providers, insurers, and their business associates.
See 45 CFR Parts 160 and 164; HIPAA Overview
What is COPPA?
COPPA regulates online collection of personal information from children under age 13.
See 15 U.S.C. §§6501–6506; COPPA Rule Information
What is GLBA?
The Gramm-Leach-Bliley Act requires financial institutions to safeguard customer financial information.
See 15 U.S.C. §§6801–6809; FTC GLBA Guidance
What role does the FTC play in privacy enforcement?
The FTC enforces federal consumer protection laws, including prosecuting unfair or deceptive business practices involving privacy and cybersecurity obligations.
See Section 5 of the FTC Act; FTC Privacy and Security Enforcement
California Privacy Law FAQs
What are the CCPA and CPRA?
The CCPA and CPRA provide California residents with privacy rights and impose obligations on covered businesses.
See Cal. Civ. Code §1798.100 et seq.; California Privacy Rights Information
What rights do California consumers have?
California consumers may access, correct, delete, and opt out of the sale or sharing of personal information.
See Cal. Civ. Code §§1798.100–1798.121.
What is a “sale” or “sharing” of personal information under California law?
A sale includes exchanging personal information for valuable consideration, while sharing generally relates to targeted advertising.
See Cal. Civ. Code §§1798.140(ad) and (ah).
What is sensitive personal information under CPRA?
Sensitive information includes Social Security numbers, precise geolocation, racial or ethnic origin, and financial account credentials.
See Cal. Civ. Code §1798.140(ae).
What is the California Privacy Protection Agency?
The California Privacy Protection Agency is California’s dedicated privacy regulator.
See California Privacy Protection Agency
Does California require privacy notices?
Yes. Businesses must provide notices describing data collection, use, disclosure, and consumer rights.
See Cal. Civ. Code §1798.130.
Maryland MODPA FAQs
What is MODPA?
The Maryland Online Data Privacy Act (“MODPA”) is Maryland’s comprehensive consumer privacy law regulating how businesses collect, use, share, and protect personal data. For more information see “Is your business ready for MODPA”.
See Md. Commercial Law §14-4601 et seq.; Maryland MODPA Resources
Does MODPA apply only to large companies?
No. Many small and medium-sized businesses may fall within MODPA because of websites, digital marketing, analytics tools, customer databases, or e-commerce operations.
Does a business need to be physically located in Maryland for MODPA to apply?
No. MODPA may apply to businesses located outside Maryland if they target Maryland residents or process their personal data.
What types of information are considered “personal data” under MODPA?
Personal data includes information linked or reasonably linkable to an identifiable individual, including names, email addresses, IP addresses, browsing activity, and geolocation data.
What is “sensitive data” under MODPA?
Sensitive data includes biometric information, precise geolocation, health information, racial or ethnic origin, and children’s personal data.
What rights do Maryland consumers have under MODPA?
Maryland consumers may access, correct, delete, and obtain copies of personal data and opt out of targeted advertising and data sales.
See Md. Commercial Law §14-4603.
Why should businesses review vendor agreements for MODPA compliance?
MODPA requires contracts between controllers and processors addressing confidentiality, security safeguards, processing instructions, and compliance obligations.
Does MODPA require data minimization?
Yes. Businesses may collect and process only data reasonably necessary and proportionate to disclosed purposes.
See Md. Commercial Law §14-4607; Maryland MODPA Summary
How does MODPA affect digital marketing and website tracking?
Businesses using targeted advertising, cookies, analytics platforms, or online behavioral tracking may have additional compliance obligations under MODPA.
What cybersecurity obligations does MODPA impose?
MODPA requires businesses to implement reasonable administrative, technical, and physical security safeguards appropriate to the nature of the data processed.
What practical steps should businesses take to prepare for MODPA?
Businesses should review privacy policies, conduct data mapping exercises, update vendor contracts, assess cybersecurity safeguards, and establish procedures for responding to consumer requests.
What are the risks of noncompliance with MODPA?
Businesses may face regulatory enforcement, reputational harm, operational disruption, contractual disputes, and potential liability under the Maryland Consumer Protection Act.
Why should business owners treat MODPA as more than a legal issue?
MODPA affects customer trust, cybersecurity readiness, vendor management, operational governance, and long-term business risk management.
Who enforces MODPA?
The Maryland Attorney General enforces MODPA.
See Maryland Attorney General Privacy Resources
Data Controller and Processor FAQs
What is a data controller under GDPR?
A data controller determines why and how personal data is processed.
See GDPR Article 4(7); GDPR Controller Definition
What is a data processor under GDPR?
A data processor processes personal data on behalf of a controller.
See GDPR Article 4(8); GDPR Processor Definition
What is the difference between a controller and a processor?
The controller decides the purpose and means of processing, while the processor follows the controller’s instructions.
See GDPR Articles 4(7)–(8).
What responsibilities do data controllers have?
Controllers must ensure lawful processing, provide privacy notices, honor consumer rights, maintain security safeguards, and report breaches.
See GDPR Articles 5, 6, 24, 32, and 33.
What responsibilities do data processors have?
Processors must follow documented instructions, maintain security, protect confidentiality, and assist controllers with compliance obligations.
See GDPR Article 28; GDPR Processor Obligations
What is a Data Processing Agreement (DPA)?
A DPA is a written contract governing how a processor handles personal data for a controller.
See GDPR Article 28(3).
What is a “service provider” under California privacy law?
A service provider processes personal information on behalf of a business pursuant to a written contract.
See Cal. Civ. Code §1798.140(ag).
What is a “contractor” under California privacy law?
A contractor is a person or entity receiving personal information from a business under contractual restrictions limiting data use.
See Cal. Civ. Code §1798.140(j).
What are the California equivalents of controllers and processors?
California generally uses the terms “business,” “service provider,” and “contractor” instead of controller and processor.
See Cal. Civ. Code §1798.140.
Does MODPA recognize controllers and processors?
Yes. MODPA expressly distinguishes between controllers and processors and imposes obligations on both.
See Md. Commercial Law §§14-4601 and 14-4605.
What obligations do processors have under MODPA?
Processors must follow controller instructions, maintain confidentiality, implement security safeguards, and assist with compliance obligations.
See Md. Commercial Law §14-4605.
GDPR vs. CCPA vs. MODPA FAQs
What is the biggest difference between GDPR and U.S. privacy laws?
GDPR is a comprehensive national framework applicable to the EU, while U.S. privacy law is a combination of federal and state laws.
Which law is stricter: GDPR, CCPA, or MODPA?
GDPR is generally considered the most comprehensive, while MODPA is considered among the strictest U.S. state privacy laws.
Which laws require a lawful basis for processing?
GDPR requires a lawful basis for all processing activities, while CCPA and MODPA focus more heavily on consumer rights and opt-out mechanisms.
See GDPR Article 6.
Which laws provide opt-out rights for targeted advertising?
CCPA/CPRA and MODPA expressly provide opt-out rights for targeted advertising and certain data-sharing activities.
See Cal. Civ. Code §1798.120; Md. Commercial Law §14-4603.
Do GDPR, CCPA, and MODPA all provide deletion rights?
Yes. All three laws provide consumers the right to request deletion of personal data in certain circumstances.
See GDPR Article 17; Cal. Civ. Code §1798.105; Md. Commercial Law §14-4603.