privacy laws.


By Starr Drum

A quick guide to spotting issues with privacy laws.

Privacy law is growing and evolving at a rapid pace. It can be overwhelming even for practitioners specializing in privacy to keep up with the changing requirements and even more challenging for law students or attorneys specializing in other areas of law. To help you identify which privacy laws apply, I ’ve come up with an alliterative privacy issue-spotting mechanism: “the four Ps of privacy.”

The “four Ps” also serve as a useful tool for practitioners and organizations to ensure they are conducting a complete evaluation of relevant privacy issues to learn whether privacy laws are implicated and determine the scope that privacy counsel should consider and apply. Evaluating the four Ps of privacy is also a process I recommend my law students to follow when attacking their final in my privacy law class.

The four Ps of privacy are people, places, platforms, and purposes. Each one is covered in more detail below.


With very limited exceptions, privacy laws only apply where human people—natural persons—are involved. Typically, these people must be identified or identifiable by some means on an individual level to implicate privacy laws. If people are not involved, privacy laws are not in play.

If it turns out people are involved, there is a two-pronged assessment within this “P.” The first assessment involves what type of people are within scope, both on their own and in relation to the entity collecting their personal information. Employees? Customers? Prospective employees or customers? Patients? Website visitors? Adults? Children?

Second, what categories of personal information are being collected from or about these people? Names? Social security numbers? Fingerprints? IP addresses? Different privacy obligations apply to different types of people and the categories of personal information processed. Those requirements change further depending on how the remaining Ps come into play.


Geography, or “place,” plays a crucial role in the application of privacy laws. Privacy laws typically apply to residents of the jurisdiction where the privacy law has been passed. Still, some privacy laws cast a wider net and reach beyond their territorial borders. Much attention has been paid to privacy laws coming from places like California, Brazil, and Europe because of their broad potential geographic scope. Knowing the locations where the people involved live, work, and, potentially, travel will identify the geography-specific privacy laws that should be evaluated.


The mechanisms that are used to collect, store, or share information can alter privacy obligations. There are several privacy laws that only govern certain platforms, such as websites, phones, cameras, Internet of Things devices, and vehicles. Additionally, the owners of certain platforms such as mobile app stores and social media networks have imposed specific privacy requirements on their users.


Finally, the purposes for which information is being processed will round out the privacy identification process. Is the collected information being used for advertising? For treatment? For security purposes, such as to verify someone’s identity? The purposes of any personal information collection, use, and sharing, can trigger additional legal obligations.

Four Ps in Practice

The four Ps can help companies gauge overall privacy compliance or assess compliance obligations when they undertake new initiatives that implicate one or more of the four Ps. So, how does this work in practice? Say, for example, a brick-and-mortar retailer in Buffalo, New York, wants to set up a website to sell its merchandise and wants to start sending marketing emails to its customers. The company is based in New York, but its brick-and-mortar customers may be from other places, like Canada or Pennsylvania since the company is setting up a website that may sell merchandise to other jurisdictions. The people newly within the scope of this company’s potential privacy obligations are website visitors and customers. The platforms being added are a website and emails. Finally, the purposes of the website and emails are to facilitate e-commerce transactions and potentially to track individuals who access the website or open the emails and to market to them.

Going through the process of assessing the four Ps will set the company on the right path to identifying and evaluating the specific privacy laws it needs to consider as it undertakes new initiatives.

By Starr Drum

Starr Drum is a shareholder with Maynard Cooper & Gale in Birmingham, Alabama.

Sourced from ABA American Bar Association