Industry Insights · 7 min read · Dec 30, 2024

Why Privacy Regulations Are Reshaping Threat Intel

How GDPR, CCPA, and US state privacy regulations shape what threat intelligence vendors can collect, store, and lawfully disclose.

Product Team

Revealer.US

Privacy regulations used to feel like someone else's problem for threat intelligence teams. Breach data was "already public," dark web scraping was defensible, and the job was to warn victims as fast as possible. That era is over. Modern privacy regulations, led by GDPR but rapidly joined by CCPA and a wave of US state laws, now shape every decision a threat intel vendor makes about collection, storage, enrichment, and disclosure. This is not a compliance footnote. It is reshaping what good threat intelligence even looks like.

The New Legal Baseline

Threat intelligence operates at the uncomfortable intersection of two legitimate goals: protecting organizations from attack, and protecting individuals from having their data processed without a lawful basis. Regulators are increasingly unwilling to let the first goal swallow the second.

GDPR Is the Gravitational Center

Even if your organization is not headquartered in the EU, GDPR probably applies to some fraction of your data. Its extraterritorial reach (Article 3) pulls in any processor offering services to EU data subjects or monitoring their behavior. For threat intelligence vendors that scrape global infostealer logs, the question is not whether GDPR applies, but to which records.

The core obligations that matter most for threat intel:

  • Lawful basis (Article 6): Every processing activity must map to one of six lawful bases. For threat intel, the realistic options are legitimate interest, legal obligation, or consent. Consent is almost never practical at scale, so legitimate interest does most of the work.
  • Special categories (Article 9): Data revealing health, sexual orientation, political opinions, trade union membership, religious beliefs, or biometric identifiers receives heightened protection. Breach dumps routinely contain this data, and your lawful basis has to meet a higher bar.
  • Breach notification (Article 33): Controllers must notify supervisory authorities within 72 hours of becoming aware of a personal data breach. If your ingestion pipeline mishandles a dataset, you can trigger your own Article 33 obligations.
  • Data subject rights: Access, erasure, and objection requests apply to threat intel just as they apply to marketing databases.

Legitimate Interest Is Not a Free Pass

Legitimate interest under Article 6(1)(f) is the most flexible lawful basis and the one most commonly relied on by threat intelligence providers. But it is conditional. You must demonstrate three things, usually through a legitimate interest assessment:

  1. The interest being pursued is genuine and specific (preventing fraud, detecting compromise)
  2. Processing is necessary to achieve that interest and no less intrusive option exists
  3. The individual's rights and expectations do not override the interest

"We found your data on the dark web so we can do whatever we want with it" is not a legitimate interest assessment. Regulators have been explicit that the public availability of data does not erase its status as personal data. If anything, the harm caused by further propagation can be a reason against processing.

CCPA and the US Patchwork

The United States does not have a federal privacy law, but the state-level patchwork has grown teeth. Threat intel teams that once assumed they were safely outside GDPR's orbit now face a domestic compliance problem of their own.

California

CCPA's definition of "personal information" in California Civil Code section 1798.140 is famously broad. It covers identifiers, internet activity, geolocation, professional information, and inferences drawn from any of the above. Breach data obviously qualifies. CCPA grants consumers rights to know, delete, correct, and opt out of the sale or sharing of personal information.

CPRA (the 2023 amendment) adds the concept of sensitive personal information and gives consumers explicit control over that category. Credentials, financial account numbers, precise geolocation, and health data all fall inside the sensitive bucket.

Texas, Virginia, Colorado, and Beyond

The second wave of state laws is broadly consistent in structure but varies in detail. A short tour:

  • Texas HB 4 (Texas Data Privacy and Security Act, effective 2024) applies to organizations conducting business in Texas that process the data of Texas residents, with narrower small-business exemptions than some peers.
  • Virginia VCDPA introduced the first post-CCPA comprehensive state law and established the opt-out plus data protection assessment model most states have copied.
  • Colorado CPA is notable for its rulemaking detail, especially around universal opt-out mechanisms and required privacy impact assessments.
  • Additional states: Connecticut, Utah, Oregon, Montana, Delaware, Iowa, Tennessee, and others have passed laws in the same family, with staggered effective dates through 2026.

For a threat intel vendor, the practical consequence is that a single ingestion pipeline needs to honor an overlapping set of obligations, and "we only serve US customers" no longer means "we are unregulated."

Running a DPIA on Threat Intel Ingestion

A Data Protection Impact Assessment is mandatory under GDPR Article 35 for high-risk processing, and threat intel ingestion almost always qualifies because of the volume, sensitivity, and sourcing of the data.

What a Good DPIA Covers

  • Processing description: Sources, data categories, retention periods, recipients, and transfer destinations.
  • Necessity and proportionality: Why this processing, why these fields, why this long.
  • Risk to data subjects: Re-identification risk, propagation risk, incorrect attribution, discrimination, and secondary harm to already-breached individuals.
  • Mitigations: Minimization, pseudonymization, access controls, retention caps, and objection handling.
  • Residual risk rating: An honest assessment of what remains after mitigations.

Treat DPIAs as living documents. Each time you onboard a new data source or launch a new enrichment, revisit the relevant section. Our own approach is summarized in the privacy section of our documentation.

Data Minimization and Anonymization Techniques

Data minimization is required by GDPR Article 5(1)(c) and echoed in every modern state law. For threat intelligence, that means collecting only what you need to warn victims and detect threats.

Practical Techniques

  • Field-level minimization: Drop data fields that do not serve a warning or detection purpose. Many raw stealer logs contain browser history, screen resolution, and timezone data that no customer ever queries.
  • Hashing for search: Store one-way hashes of identifiers for matching, and reveal the underlying value only when the data subject's organization requests a disclosure.
  • Pseudonymization: Replace direct identifiers with tokens mapped in a separate, access-controlled table. This limits linkability within your platform.
  • Anonymization: True anonymization is a high bar. If a data set can be re-identified with reasonable effort, regulators will still treat it as personal data. Be honest about which of your data is truly anonymized and which is merely pseudonymized.
  • Retention limits: Define and enforce maximum retention windows per data category. Indefinite retention is rarely defensible.
  • Access logging: Every query against sensitive data should leave an audit trail that can be surfaced in a subject access request.
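As an added example (not Revealer.US's code, and not the approach the post's documentation describes), the following Python applies the techniques in the list above to a few constructed stealer-log records: an allow-list drops fields no customer queries, a keyed hash serves as the search index, direct identifiers are swapped for random tokens held in a separate mapping table, records past a per-category retention cap are discarded at ingestion, and every reveal of a token is written to an audit trail that can be returned for a subject access request. The field allow-list, retention caps, HMAC key and sample records are all assumptions. One caveat worth making explicit: a plain SHA-256 of an e-mail address is reversible by hashing a list of known addresses, so the search index here uses HMAC with a key that is meant to live in a secrets store, not beside the index.

```python
"""Privacy-preserving ingestion of constructed infostealer-log records.

Added example for this post, not Revealer.US's code: the field allow-list,
retention caps, HMAC key and sample records are all assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed allow-list: the fields a warning or a detection actually needs.
KEEP_FIELDS = {"email", "domain", "captured_at", "source", "category"}

# Assumed retention caps per data category, in days.
RETENTION_DAYS = {"credential_exposure": 365, "session_cookie": 30}

# Placeholder key for the search index. A plain SHA-256 of an e-mail address
# is reversible by hashing known addresses; a keyed hash is not, as long as
# the key is kept in a secrets store rather than next to the index.
MATCH_KEY = b"PLACEHOLDER-matching-key-replace-in-production"

# Constructed sample records in the shape a raw stealer log might have.
RAW_RECORDS = [
    {"email": "Alice@Example.com", "password": "hunter2", "domain": "example.com",
     "browser_history": ["https://intranet.example.com/"], "screen_resolution": "1920x1080",
     "timezone": "Europe/Berlin", "category": "credential_exposure",
     "captured_at": "2024-11-01T10:00:00+00:00", "source": "stealer-family-A"},
    {"email": "bob@example.org", "password": "pass123", "domain": "example.org",
     "browser_history": [], "screen_resolution": "1366x768", "timezone": "America/Chicago",
     "category": "session_cookie", "captured_at": "2024-10-01T08:00:00+00:00",
     "source": "stealer-family-B"},
]
DEMO_NOW = datetime(2024, 12, 30, tzinfo=timezone.utc)  # fixed "now" for the demo


def minimize(record):
    """Field-level minimization: keep only allow-listed fields."""
    return {k: v for k, v in record.items() if k in KEEP_FIELDS}


def match_hash(identifier):
    """Keyed one-way hash for search; normalised so case and whitespace differences still match."""
    canonical = identifier.strip().lower().encode()
    return hmac.new(MATCH_KEY, canonical, hashlib.sha256).hexdigest()


class PseudonymVault:
    """Separate mapping table token <-> direct identifier. In a real deployment this
    sits behind its own access controls; every reveal is audit-logged so it can be
    surfaced in a subject access request."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}
        self.audit_log = []

    def tokenize(self, value):
        key = value.strip().lower()
        if key not in self._by_value:
            token = "sub_" + secrets.token_hex(8)  # random, not derived from the value
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def reveal(self, token, actor, purpose, at):
        """Return the direct identifier and record who asked, why and when."""
        self.audit_log.append({"token": token, "actor": actor,
                               "purpose": purpose, "at": at.isoformat()})
        return self._by_token[token]

    def trail_for(self, value):
        """Audit entries for one data subject, e.g. to answer an access request."""
        token = self._by_value.get(value.strip().lower())
        return [e for e in self.audit_log if e["token"] == token]


def pseudonymize(record, vault):
    """Swap the direct identifier for a token plus a keyed search hash."""
    out = dict(record)
    email = out.pop("email")
    out["match_hash"] = match_hash(email)
    out["subject_token"] = vault.tokenize(email)
    return out


def within_retention(record, now):
    """Retention cap check against the record's own category."""
    captured = datetime.fromisoformat(record["captured_at"])
    return now - captured <= timedelta(days=RETENTION_DAYS[record["category"]])


def ingest(raw_records, vault, now):
    """Minimize, drop anything already past its retention cap, then pseudonymize."""
    minimized = (minimize(r) for r in raw_records)
    return [pseudonymize(r, vault) for r in minimized if within_retention(r, now)]


def find_exposures(stored, identifier):
    """Match on the keyed hash; the caller never handles raw e-mail addresses."""
    h = match_hash(identifier)
    return [r for r in stored if r["match_hash"] == h]


if __name__ == "__main__":
    vault = PseudonymVault()
    stored = ingest(RAW_RECORDS, vault, DEMO_NOW)
    hits = find_exposures(stored, "alice@example.com")
    token = hits[0]["subject_token"]
    print(vault.reveal(token, "analyst-1", "customer disclosure", DEMO_NOW))
    print(vault.trail_for("Alice@Example.com"))
```

Run as written, the second (30-day session-cookie) record never reaches the store because it is already past its cap at `DEMO_NOW`, the first record is stored without its password, browser history or screen data, and the one reveal of Alice's token shows up in her audit trail. Expiry is enforced at ingestion here; a real pipeline would also run the same `within_retention` check as a scheduled purge over existing storage.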

Disclosure and the "We Found Your Data" Problem

The assumption that finding data on the dark web gives you a free hand to disclose it is legally dangerous and ethically sloppy.

Rules of Engagement

  • Controller-to-controller disclosure: Warning a customer that their employees' credentials have been exposed is typically defensible under legitimate interest. Publishing the same data to a wider audience is not.
  • Victim notification: Notifying an identified individual directly requires care. Some jurisdictions expect that notifications come from the original controller, not a third-party platform.
  • Redaction in reports: Public threat reports should redact personal data that is not strictly necessary for the technical narrative.
  • Law enforcement requests: Respond through formal channels with documented legal process. Informal cooperation can expose you to liability.

Conclusion

Privacy regulations are not killing threat intelligence. They are forcing it to grow up. The vendors that thrive in the next five years will be the ones that treat lawful basis, minimization, and disclosure discipline as core engineering requirements, not afterthoughts. Your customers will increasingly ask about your DPIAs, your retention policies, and your approach to special category data before they sign a contract. Having credible answers is now part of the product.

The good news is that privacy-respecting threat intelligence is also better threat intelligence. Tighter scoping produces cleaner data. Honest retention policies reduce liability. Documented lawful bases make cross-border deals easier. Compliance and quality point in the same direction.


Want a threat intelligence partner that takes data protection compliance seriously? Start a free trial of Revealer.US and see how privacy-respecting collection can still deliver the signal you need.
