Privacy requirements

Area 2: Security, Confidentiality, and Privacy (35-45%)

Your Progress

0 of 95 questions attempted

Does the organization process personal data of EU/EEA residents?

Yes

GDPR applies — consent or legal basis required, data subject rights, 72-hour breach notification, DPO may be required

Does the organization collect personal information of California residents and meet revenue/data thresholds?

Yes

CCPA/CPRA applies — right to know, delete, opt-out of sale; no private right of action except for breaches

Does the organization handle protected health information (PHI) as a covered entity or business associate?

Yes

HIPAA applies — Privacy Rule, Security Rule, Breach Notification Rule; BAAs required with business associates

General data protection best practices apply — monitor for state-specific privacy laws and industry regulations

Feature	GDPR	CCPA/CPRA	HIPAA
Jurisdiction	EU/EEA residents	California residents	US healthcare (covered entities and BAs)
Data covered	All personal data	Personal information linked to consumer/household	Protected health information (PHI)
Legal basis required	Yes (consent, contract, legitimate interest, etc.)	No (opt-out model)	Treatment, payment, operations (no consent for TPO)
Right to delete	Yes (right to erasure)	Yes	Limited (amendment, not deletion)
Breach notification	72 hours to supervisory authority	Without unreasonable delay	60 days to individuals, HHS, and media if >500
Penalties	Up to 4% of global annual revenue or EUR 20M	$2,500 per violation; $7,500 if intentional	$100-$50,000 per violation; $1.5M annual cap per category