Lilly Tech Systems
Data Privacy Law
Master data privacy law worldwide. 50 deep dives across 300 lessons covering foundations (theory, fundamental right, torts, PbD, comparative systems), GDPR end-to-end (architecture, lawful bases, data subject rights, DPO, transfers, enforcement, ePrivacy, UK GDPR), US federal (HIPAA, GLBA, FERPA, COPPA, FTC), US state (CCPA/CPRA, CO, VA, CT, UT, TX, WA MHMDA, NY SHIELD), sectoral privacy, biometric privacy (BIPA, CUBI, WA), international (Canada, Brazil, China, India, Japan, Australia), and operations (PIAs/DPIAs, notices, breach response, transfers, PETs, emerging issues).
Privacy Law is one of our largest tracks because privacy regulation has become the single most important legal constraint on AI. The EU's GDPR, the US state privacy laws (CCPA/CPRA, Colorado, Virginia, Connecticut, and the growing list that follows the Washington MHMDA model), China's PIPL, India's DPDPA, Brazil's LGPD, and the sectoral rules (HIPAA, GLBA, FERPA, COPPA, BIPA) together form a compliance surface that almost every AI product has to navigate.
We wrote this track to be useful to three audiences simultaneously: the engineer building the system, the privacy professional reviewing it, and the operator making deployment decisions across jurisdictions. The lessons cover the statutes in detail but also the practical engineering patterns (data subject access request handling, consent flows, DPIAs for AI, cross-border transfers, retention, and the PETs that reduce legal risk). A system designed with these patterns in mind is much easier to defend under any of the regimes covered here.
All Topics
50 privacy law topics organized into 8 categories. Each has 6 detailed lessons with statutory frameworks, templates, and case briefs.
Foundations of Data Privacy Law
Privacy Law Foundations & Theory
Master the foundations of privacy law. Learn the major privacy theories (Warren & Brandeis, Solove's taxonomy, contextual integrity), the four privacy torts, and the conceptual architecture.
6 LessonsPrivacy as a Fundamental Right
Master privacy as a constitutional/human right. Learn the US constitutional privacy framework (4A, penumbra), EU Charter (Articles 7 & 8), ECHR Article 8, and international human rights law.
6 LessonsPrivacy Tort Doctrine (US)
Master the four US privacy torts. Learn intrusion upon seclusion, public disclosure of private facts, false light, and appropriation/right of publicity, with leading cases for each.
6 LessonsPrivacy by Design Legal Framework
Master Privacy by Design as a legal requirement. Learn Cavoukian's 7 principles, GDPR Article 25 obligations, FTC Section 5 application, and operationalizing PbD.
6 LessonsComparative Privacy Systems
Compare global privacy systems. Learn EU comprehensive vs US sectoral vs APAC mixed approaches, the convergence trends, and practical implications for global compliance.
6 LessonsData Subject Rights Framework
Master data subject rights across regimes. Learn access, rectification, deletion, portability, restriction, objection, and automated decision rights, with operational implementation patterns.
6 LessonsGDPR Deep Dive
GDPR Architecture & Scope
Master GDPR architecture and scope. Learn material/territorial scope, the controller/processor/joint controller framework, definitions of personal/sensitive data, and key exclusions.
6 LessonsGDPR Lawful Bases for Processing
Master the six GDPR lawful bases. Learn consent (Article 7 strict standards), contract, legal obligation, vital interests, public task, legitimate interests (LIA), and selecting the right basis.
6 LessonsData Subject Rights Under GDPR
Master GDPR data subject rights in operational depth. Learn DSAR handling, identity verification, response timelines, fees, exemptions, and the right-to-be-forgotten case law (Google Spain).
6 LessonsDPO Role & Independence
Master the DPO role under GDPR. Learn when DPO is required (Article 37), independence requirements, conflicts of interest, reporting line, qualifications, and DPO board guidance.
6 LessonsInternational Data Transfers (Schrems II)
Master international data transfers post-Schrems II. Learn adequacy decisions, EU-US Data Privacy Framework, SCCs, BCRs, derogations, transfer impact assessments (TIAs), and supplementary measures.
6 LessonsGDPR Enforcement & DPAs
Master GDPR enforcement. Learn the major DPAs (CNIL, ICO, DPC, Garante, BfDI), one-stop-shop mechanism, EDPB role, major fines (Meta €1.2B, Amazon €746M), and litigation.
6 LessonsePrivacy Regulation/Directive
Master ePrivacy. Learn the current Directive (2002/58/EC) cookie/tracking rules, the long-stalled ePrivacy Regulation, electronic communications confidentiality, and PECR (UK).
6 LessonsUK GDPR Post-Brexit
Master UK GDPR post-Brexit. Learn the UK GDPR architecture, Data Protection Act 2018, ICO enforcement, UK adequacy, the Data Protection and Digital Information Bill, and divergence from EU.
6 LessonsUS Federal Privacy
US Privacy Law Landscape
Map the US privacy landscape. Learn why the US lacks a comprehensive federal privacy law, the sectoral approach, FTC's central role, federal preemption debates, and APRA proposal.
6 LessonsHIPAA Deep Dive
Master HIPAA in depth. Learn the Privacy Rule, Security Rule, Breach Notification Rule, BAA requirements, Safe Harbor de-identification, OCR enforcement, and the HITECH Act.
6 LessonsGLBA & Financial Privacy
Master GLBA financial privacy. Learn the Privacy Rule, Safeguards Rule, Pretexting Rules, scope (financial institutions), CFPB rule on data rights (1033), and FCRA interaction.
6 LessonsFERPA & Education Privacy
Master FERPA. Learn the educational records definition, parental/student consent, directory information, school official exception, third-party vendor agreements, and Department of Education guidance.
6 LessonsCOPPA & Children's Privacy
Master COPPA. Learn scope (under 13), verifiable parental consent, notice requirements, retention limits, FTC's COPPA enforcement, the 2013 amendments, and proposed 2024 updates.
6 LessonsFTC Section 5 & Privacy Enforcement
Master FTC Section 5 privacy enforcement. Learn unfair vs deceptive standards, consent decrees, privacy program orders, the Cambridge Analytica/Facebook order, and recent enforcement priorities.
6 LessonsUS State Privacy Laws
CCPA/CPRA Deep Dive
Master CCPA/CPRA in depth. Learn scope, consumer rights (know, delete, correct, opt-out, limit sensitive PI), CPPA regulations, ADM rules, risk assessments, and enforcement.
6 LessonsColorado Privacy Act
Master Colorado Privacy Act. Learn scope, consumer rights, sensitive data rules, profiling/targeted advertising opt-out, universal opt-out (Global Privacy Control), DPIA requirements.
6 LessonsVirginia CDPA
Master Virginia CDPA. Learn scope, consumer rights, opt-in for sensitive data, controller/processor obligations, AG enforcement (no private right of action), and 30-day cure period.
6 LessonsConnecticut & Utah Privacy Laws
Master CT CTDPA and UT UCPA. Learn the differences from CCPA/VA, Connecticut's universal opt-out and youth-related provisions, Utah's narrower scope, and dual-state compliance.
6 LessonsTexas TDPSA
Master Texas TDPSA (effective July 2024). Learn scope, consumer rights, sensitive data opt-in, sale of sensitive data restrictions, AG enforcement, and the 30-day cure period.
6 LessonsWashington My Health My Data Act
Master WA MHMDA. Learn the broad health data definition (including consumer health data outside HIPAA), opt-in consent requirements, geofencing prohibitions, and private right of action.
6 LessonsNY SHIELD Act
Master NY SHIELD Act. Learn the breach notification expansion, data security requirements (administrative, technical, physical safeguards), and AG enforcement under New York law.
6 LessonsState Privacy Compliance Strategy
Master multi-state privacy strategy. Learn the strictest-state baseline approach, common framework patterns, scope thresholds, universal opt-out implementation, and ongoing monitoring.
6 LessonsSectoral Privacy
Health Privacy Beyond HIPAA
Master health privacy beyond HIPAA. Learn the gaps HIPAA leaves (mobile health, fitness apps, consumer wearables), state health privacy laws (CMIA, MHMDA), and FTC enforcement.
6 LessonsFinancial Privacy Beyond GLBA
Master financial privacy beyond GLBA. Learn FCRA & ECOA privacy provisions, CFPB rules, FTC Red Flags Rule, state financial privacy (NY DFS), and credit card data rules (PCI DSS).
6 LessonsEducation Privacy Beyond FERPA
Master education privacy beyond FERPA. Learn PPRA (surveys/marketing), state student privacy laws (CA SOPIPA, NY Ed Law 2-D), and ed-tech vendor data agreements.
6 LessonsTelecom Privacy (CPNI)
Master telecom privacy (CPNI). Learn the FCC CPNI rules, opt-in/opt-out for marketing, breach notification, location-based services, and the 2024 FCC privacy actions.
6 LessonsDriver Privacy Protection (DPPA)
Master Driver's Privacy Protection Act (DPPA). Learn the DMV records protection scheme, permitted uses, civil cause of action, and intersection with state DMV privacy.
6 LessonsVideo Privacy (VPPA)
Master Video Privacy Protection Act (VPPA). Learn 'video tape service provider' definitions, the rise of VPPA tracking-pixel litigation, statutory damages, and current cases.
6 LessonsBiometric Privacy
BIPA (Illinois) Deep Dive
Master BIPA in operational depth. Learn the Cothron v White Castle decision, statutory damages math, 'biometric identifier/information' definitions, written consent requirements, and major settlements.
6 LessonsTexas CUBI
Master Texas CUBI. Learn the consent and destruction requirements, $25K per violation civil penalty, AG-only enforcement, and how CUBI compares to BIPA.
6 LessonsWashington HB 1493
Master Washington HB 1493. Learn the consumer notice and consent requirements, scope (commercial purpose), AG-only enforcement, and Washington's biometric privacy approach.
6 LessonsEU Biometric Rules (GDPR)
Master EU biometric privacy. Learn GDPR Article 9 special category rules, Article 9(2) lawful bases, EU AI Act biometric prohibitions, and EDPB guidance on biometrics.
6 LessonsInternational Privacy
Canada PIPEDA & CPPA
Master Canadian privacy law. Learn PIPEDA structure, the 10 fair information principles, OPC enforcement, the Consumer Privacy Protection Act (CPPA proposal), and provincial laws (Quebec Law 25, BC, Alberta).
6 LessonsBrazil LGPD
Master Brazil LGPD. Learn the 10 lawful bases (more than GDPR's 6), data subject rights, ANPD enforcement, sensitive data rules, international transfers, and major fines.
6 LessonsChina PIPL
Master China PIPL. Learn the seven lawful bases, data classification (general/sensitive/important), consent requirements, cross-border transfer rules (CAC review/SCC/certification), CAC enforcement.
6 LessonsIndia DPDPA
Master India's Digital Personal Data Protection Act (DPDPA 2023). Learn scope, data fiduciary obligations, data principal rights, consent requirements, DPB enforcement, and the (still pending) Rules.
6 LessonsJapan APPI
Master Japan's Act on the Protection of Personal Information (APPI). Learn the 2022 amendments, anonymized vs pseudonymized info, data subject rights, PPC enforcement, and EU adequacy.
6 LessonsAustralia Privacy Act
Master Australia Privacy Act. Learn the 13 Australian Privacy Principles (APPs), notifiable data breach scheme, OAIC enforcement, the 2024 reform tranches, and AI-specific provisions.
6 LessonsPrivacy Operations & Specialized
Privacy Impact Assessments (PIAs/DPIAs)
Master PIAs and DPIAs. Learn when each is required, the standard PIA/DPIA template, stakeholder consultation, mitigations documentation, and integration into the SDLC.
6 LessonsPrivacy Notice Drafting
Master privacy notice drafting. Learn the multi-jurisdictional notice requirements, layered notice approach, just-in-time notices, and the dark patterns prohibitions to avoid.
6 LessonsData Breach Response
Master data breach response. Learn incident response runbooks, multi-jurisdictional notification timelines, regulator notification (GDPR 72-hour, state laws), and class action defense.
6 LessonsCross-Border Transfer Mechanisms
Master cross-border transfer mechanisms. Compare GDPR (adequacy/SCCs/BCRs), UK IDTA, Brazil LGPD transfers, China CAC review, and the practical multi-mechanism approach for global data flows.
6 LessonsPrivacy Engineering & PETs
Master privacy engineering. Learn privacy-enhancing technologies (DP, federated learning, secure multi-party computation, homomorphic encryption, ZKPs, anonymization) and operational deployment.
6 LessonsEmerging Privacy Issues
Engage with emerging privacy issues. Learn AI training data privacy, neurotech privacy (brain data), Web3/blockchain privacy, IoT privacy, location data, and privacy in the metaverse.
6 LessonsWhy a Data Privacy Law Track?
Privacy law is the most fragmented and fastest-evolving practice area globally. This track gives you a single comprehensive map.
Foundations + GDPR
14 deep dives: privacy theory (Warren & Brandeis, Solove, Nissenbaum), fundamental right, privacy torts, PbD, comparative systems, data subject rights; GDPR end-to-end (architecture, lawful bases, DSR, DPO, transfers, enforcement, ePrivacy, UK GDPR).
US Federal + State
14 deep dives: US sectoral landscape (HIPAA, GLBA, FERPA, COPPA, FTC Section 5); US state laws (CCPA/CPRA, CO, VA, CT, UT, TX, WA MHMDA, NY SHIELD, multi-state strategy).
Sectoral + Biometric + International
16 deep dives: sectoral privacy (health, financial, education, telecom, driver, video); biometric (BIPA, CUBI, WA, EU); international (Canada, Brazil LGPD, China PIPL, India DPDPA, Japan APPI, Australia).
Privacy Operations
6 deep dives: PIAs/DPIAs, privacy notice drafting, data breach response, cross-border transfer mechanisms, privacy engineering & PETs, emerging issues (AI training data, neurotech, Web3, IoT, metaverse).