Know Your Terms Before You Fill Out a Single Field

Charlyn Ho
CEO Rikka Law Group | Co-Founder Enzio.ai
June 17, 2026 · Insights

This is the second part of a four-part series on how to build and maintain a data map. The first part explained what a data map is, what it captures, and when privacy law requires one.


Data maps are practical tools, but they are built on legal concepts — and using those concepts loosely leads to a map that looks complete while leaving real compliance gaps. Before your team sits down to fill out a data map, there are a handful of defined terms that come up in every row, every column, and every conversation with your privacy attorney. Getting them right from the start saves significant rework later.

Personal Data Is Broader Than You Think

Privacy laws protect information that can be linked to a specific individual. This is typically called “personal data” or “personal information” depending on the law — the terms are functionally equivalent for most purposes. The scope is wider than most people expect.

Personal information clearly includes names, email addresses, phone numbers, and Social Security numbers. It also includes IP addresses, cookie identifiers, device IDs, and location data. The governing question is not whether the information directly names someone, but whether it could reasonably be used to identify them.

One important nuance: masking or replacing a person’s name with a code does not automatically make the data non-personal. If your business holds other information that could be used to trace that code back to a real individual, the data is still considered personal under most privacy laws. When in doubt, treat it as personal and document it accordingly.

Sensitive Data Triggers Additional Obligations

Some categories of personal data receive heightened protection because their exposure creates particular risks. The GDPR calls this “special category data.” Many U.S. state laws use the term “sensitive data.” The categories vary somewhat by law but generally include:

  • Government identifiers (Social Security numbers, driver’s license numbers)
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data used to identify a person
  • Health or medical information
  • Data about a person’s sex life or sexual orientation

If your business collects or uses any of these, additional compliance obligations almost certainly apply. Rikka’s data map template includes a dedicated field specifically to flag sensitive data — a flag that should go directly to your legal team for analysis.

Processors and Third Parties Are Not the Same Thing

This distinction is among the most consequential in privacy law, and it is frequently misunderstood.

A processor — called a “service provider” under most U.S. state laws — is a vendor that handles personal data on your behalf, under your instructions, to perform a specific service. Your payroll provider, your email marketing platform, your cloud storage vendor: these are processors. They use the data to serve you, not for independent purposes of their own.

A third party is an entity that receives personal data and uses it for its own purposes. Sharing customer data with an advertising network or a data broker is an example of third-party sharing. Privacy laws treat this category of sharing with considerably more scrutiny — in some cases requiring disclosure to consumers or granting consumers the right to opt out entirely.

Your data map has separate columns for processors and third parties because your legal obligations for each are different. When assessing which category a vendor falls into, the central question is: is this company using the data solely to provide a service to us, or for purposes of its own?

Data Subjects Are More Than Your Customers

A data subject is any individual whose personal information your business collects, stores, or uses. Your customer list is the obvious starting point, but data subjects also include employees, job applicants, contractors, vendors, and website visitors. If your business serves other businesses, the individual contacts at those companies are data subjects too.

Identifying data subjects accurately matters because some privacy laws grant different rights to different categories of individuals, and your obligations may vary accordingly.

What This Means Going Forward

These definitions are not abstract. They determine how you categorize each row of your data map, what legal obligations attach to each processing activity, and what your privacy policy ultimately needs to say. The next part in this series covers the mechanics of gathering the information you need — specifically, who in your organization to talk to and where the answers are already hiding.

Rikka helps businesses translate privacy law’s defined terms into practical compliance programs. Contact us to discuss how these definitions apply to your specific data practices.

This content is for informational purposes only and does not constitute legal advice.