Know Thy Principles
Law & Order
Spot the Violation
Lock it Down
Protect the Kids
100

This principle states you should only collect data that is strictly necessary for a specific purpose.

Data Minimization

100

This European regulation gives users the right to data portability.

What is the General Data Protection Regulation (GDPR)?

100

A product team logs user IPs and search history without notifying users.

What is a transparency or notice violation?

100

This three-letter acronym refers to an audit framework that ensures service providers securely manage data.

What is SOC 2?

100

This U.S. law protects the online privacy of children under 13.

What is COPPA (Children’s Online Privacy Protection Act)?

200

Under GDPR, this is the amount of time a company has to report a data breach once discovered.

What is 72 hours?

200

This California law gives consumers the right to request deletion of their personal data.

What is the California Consumer Privacy Act (CCPA)?

200

This federal agency takes enforcement action against privacy violations in the U.S.

What is the FTC?

200

This type of testing helps discover vulnerabilities in your product.

What is penetration testing or pen testing?

200

This education law limits the sharing of student educational records.

What is FERPA (Family Educational Rights and Privacy Act)?

300

This principle means being open with users about how you handle their data.

What is transparency?

300

The GDPR gives users this right to move their data between services.

What is the right to data portability?

300

A vendor requests full user analytics data, and you approve it without legal review.

What is unauthorized third-party sharing?

300

This internal document outlines how the company handles personal data breaches.

What is an Incident Response Plan?

300

Under COPPA, you need this before collecting personal information from a child.

What is verifiable parental consent?

400

When designing features with high privacy risk, product managers should conduct this privacy evaluation.

What is a Data Protection Impact Assessment (DPIA)?

400

This type of agreement is needed when working with service providers or clients to govern the use of data.

What is a data processing agreement (DPA)?

400

A mobile game collects voice recordings from users without verifying their age or seeking parental permission.

What is a COPPA consent violation?

400

Your product must block access from this group of countries subject to comprehensive U.S. sanctions.

What are embargoed countries (e.g., Cuba, Iran, North Korea, Syria, Crimea region)?

400

This principle ensures children’s data is collected in a way that aligns with developmental needs.

What is age-appropriate design?

500

Before launching a new data-collecting feature, PMs should complete this internal step.

What is a privacy by design review?

500

This regulation requires extra safeguards when transferring EU data to the U.S.

What are Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework?

500

You build a UI that makes it hard for users to opt out.

What is a "dark pattern" violation?

500

This U.S. agency enforces and oversees economic and trade sanctions.

What is OFAC (Office of Foreign Assets Control)?

500

This “plus” method is acceptable for internal use of data with no third-party sharing.

What is Email Plus?