Data privacy refers to the right of users to have control over how their information is collected, used, and shared. When most people think about data privacy, they generally think about data privacy laws or regulation. But there are actually several sources of data privacy. In addition to laws, one primary source of data privacy is market forces or the power that we as consumers have to influence companies around what information they'll collect from us and how they'll be able to use that information. For companies that are collecting information from their users, even though they might use that information in a way that's legal, if consumers don't like how they're using that information, they'll simply choose not to share that information with the company or not to be customers of that company anymore. Therefore, as consumers, we have a great deal of control to influence companies in the direction of protecting our privacy. Technology is another important driver of data privacy. As technologies such as cyber security or new approaches to modeling which ensure privacy of the underlying data. As these technologies mature, they can increase data privacy and ensure that data that's used in various ways is protected and secured. Several industries also have active self-regulation around how companies which are in that industry are able to use the data that they collect from their users. Industry such as education have certain agreements in place between companies who operate in the industry around what information they're collecting and how they're able to use that information. What is generally protected under data privacy law? Typically, data privacy regulations cover what's called Personally Identifiable Information or PII. PII refers to non-public information that can be tied back to an identified or an identifiable person. For example, someone's address or someone's phone number or email account would be considered non-public information that can be directly tied back to a certain individual person. There is a subset of personal information called sensitive information, which may have some additional and more strict data privacy rules. Sensitive information will include things such as identification numbers or social security numbers, financial information, or someone's medical records. PII may be either directly identifiable or indirectly identifiable. Examples of directly identifiable information would be somebody's name, someone's phone number, or their street address. Indirectly identifiable information refers to a collection of attributes that can allow for re-identification of the person to whom that data belongs. For example, suppose we are a company and we collect information from our users. We glance into the database of information that we have. We pick out an individual user. We can see that this user is a Polish citizen who's living in Munich Germany, who works in the insurance industry, who is between 50 and 54 years old, who drives a BMW, and he lives within a certain region of the city. Even though this collection of attributes may not be directly identifiable to that certain individual, it's highly likely that we could use all of these attributes in combination together to re-identify that specific user. PII generally excludes data that's fully anonymized or de-identified such that it's impossible to re-identify the name of any individual person within the data set. It also generally excludes aggregated data, especially if it's done in a way that it's impossible to identify which users or which members are part of the sample that's been aggregated. One of the challenging things to figure out in data privacy is which laws can apply to your company's operations. Generally, if your organization offers online services, even if they happen to be free to users in a certain country or it analyses or processes the data from users within that country, then you're required to follow the privacy laws of that specific country, regardless of physical location of your company. Whether your company happens to have offices within that country or not, whether your company is storing or processing the data within that country. If you're providing the services into citizens of that country or you're processing data from users within the country, you're required to follow that country's privacy laws. In many countries, such as the US, you're required to follow both federal or national laws which may apply, as well as laws of individual States or regions. For example, in the US, increasing number of States have their own statewide privacy laws. Companies which do business within the US and serve citizens across the country are required to follow the privacy laws of each individual State in which they have users.
