The GDPR imposes a number of technical requirements on software (including ML/AI) all of which we review: privacy by design and default; DPIA technical accuracy; legal basis mapping and compliance including consent demonstrability, consent fidelity, denied consent degradation robustness; by column and by row data classification; controller / processor nomination including accidental controller processing, security reasonableness; data sovereignty and region management including HA/DR implications; data location inventories; dataset ageing and pseudonymization.

Global Clients/Targets For global clients subject to the GDPR, we evaluate only the additional regulatory factors the CCPA brings above GDPR, specifically the addition of “household” to personal information, the password encryption safe harbor standard, and the extremely broad definition of “sale” and mandatory home page opt-out.

US-only Clients/TargetsFor US-only projects, in addition to the above we assess the full CCPA, including identification of all data collected and how stored and tagged, notice tracking, consent tracking, reasonable and proportionate business purpose validation, consumer rights compliance and propagation, non-discrimination compliance, and value provided by data for financial incentive data usage.

HIPAA’s Privacy and Security rules impose a number of administrative, physical and technical safeguards on software. We assess HIPAA compliance of “Business Associates” – the HIPAA term for SaaS and other technology providers – across a range of relevant technical areas: understanding of PHI and which data and dataset qualify as PHI, deidentification under either safe harbor or expert determination standards, risk analysis and risk management technical accuracy and implementation history, compliance with HIPAA itself and HIPAA require Business Associate Agreements including data usage allowances, covered entity compliance support and/or impairment, emergency mode procedures and breach notification preparedness.

We also evaluate Children's Online Privacy Protection Rule (COPPA) Family Educational Rights and Privacy Act (FERPA) FERPA SOX Indiana's Biometric Information Privacy Act (BIPA)