Privacy by Design Is Now an International Standard

April 12, 2023

In February, the International Organization for Standardization (ISO) adopted a new standard to protect privacy throughout the lifecycle of a consumer product. The new standard is based on the Privacy by Design principles and sets out 30 requirements for embedding data privacy into consumer products and services. And, while US companies aren’t required to comply with it, the new standard can serve as a compliance benchmark or set of best practices.

What are the ISO standards?

The ISO is an independent, non-government organization that develops consensus-based standards for technology, management, and manufacturing.  

What do the ISO standards mean for California Companies? 

There is no obligation or requirement for California companies to comply with or implement the ISO Standards. They simply offer guidance about good privacy practices. They may indicate the direction of future privacy laws, however. So, working towards them can help to ‘future-proof’ your privacy program.  

What do the ISO standards for Privacy by Design cover?  

Some of the new ISO standards include guidance and examples of:  

  • How designers and engineers can make choices that empower consumers to enforce their privacy rights.  
  • Procedures for responding to consumer complaints.  
  • Better documentation procedures.  
  • Guidance to measure efficiency and effectiveness.  
  • Relevant organizational roles and accountabilities.  
  • Conducting (better) privacy risk assessments.  
  • Operationalizing privacy controls and data management throughout the data lifecycle.  
  • Preparing for (and recovering from) data breaches.  

Key Takeaways for California Companies 

OneTrust outlined these seven key takeaways:  

  1. Ensure your designers implement measures for the different life cycles of consumer personally identifiable information and the product/service life cycles.  
  2. Reference the ISO/IEC 27701 and the NIST Privacy Framework in developing a privacy information management system.  
  3. Empower consumers to exercise their privacy rights through control and choice.  
  4. Ensure someone is accountable for privacy by design implementation and management.  
  5. Communicate transparently with consumers about privacy.  
  6. Conduct (thorough) Privacy Impact Assessments as needed.  
  7. Ensure your privacy controls are implemented (and being followed) at the operational and product life levels.  

What’s Next?  

Your company can purchase the high-level standards (with examples) and the use-case documents here.

Alternatively, if you’d like assistance improving your company’s privacy, reach out. Our privacy attorneys would love to help.

