User-facing privacy rights — consent capture, lawful basis, data-subject requests, tracking opt-outs, and disclosure obligations to the individual.
The user-rights layer: does the individual user retain the rights the law grants them over their data?
In scope. Consent capture, storage, and revocation; lawful basis for processing; data-subject access / deletion / portability / objection requests; privacy disclosures in user-facing surfaces; cookie classification and consent gating of non-essential tracking; parental consent for children's data; opt-out mechanisms; purpose-limitation enforcement.
Not in scope. Industry-mandated organizational controls without a direct user-rights dimension (PCI-DSS, SOC2, FISMA) — those are regulatory-conformance. Raw storage correctness of the data being processed — that's data-integrity. Encryption-at-rest choice — that's cryptography-and-secrets.
Distinct because. The beneficiary of a fix here is the individual user, whereas regulatory-conformance's beneficiary is the regulator or auditor. HIPAA overlaps both (patient rights plus covered-entity obligations) and carries both taxons; GDPR is privacy-consent primary, with regulatory-conformance secondary when the specific defect is compliance-reporting-shaped.
Conceptual sub-structure. Consent (capture / storage / enforcement), data-subject rights, disclosures, tracking opt-outs, children's data.