Page 155 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
There are many legislative and regulatory compliance issues in regard
to privacy. Many US laws—such as the Health Insurance Portability and
Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the
Family Educational Rights and Privacy Act (FERPA), and the
Gramm-Leach-Bliley Act (GLBA)—as well as the EU's Directive 95/46/EC
(aka the Data Protection Directive) and its successor, the General Data
Protection Regulation (GDPR) (Regulation (EU) 2016/679), include privacy
requirements. So does the Payment Card Industry Data Security Standard
(PCI DSS), which is a contractual obligation rather than a law. It is
important to identify every regulation and contractual standard that
your organization is required to adhere to and to verify ongoing
compliance, especially in the area of privacy protection.
Whatever your personal or organizational stance is on the issue of
online privacy, it must be addressed in an organizational security
policy. Privacy is an issue not just for external visitors to your online
offerings but also for your customers, employees, suppliers, and
contractors. If you gather any type of information about any person or
company, you must address privacy.
In most cases, especially when personal privacy is being restricted or
personal information is being collected or monitored, the affected
individuals and companies must be informed; otherwise, you may face
legal consequences. Privacy issues must also be addressed when allowing
or restricting personal use of email, retaining email, recording phone
conversations, gathering information about browsing or spending habits,
and so on.