Privacy & Fairness in ML: Regulatory Compliance (GDPR, CCPA)

What is Regulatory Compliance for ML Systems?

Regulatory compliance for ML systems means designing every stage of the machine learning pipeline so it satisfies legal obligations about personal data. The General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in California are the most impactful regimes for global consumer products, and both have extraterritorial scope. GDPR applies whenever you process personal data about EU residents, while CCPA applies to for-profit entities meeting defined thresholds that process data about California residents.

In ML systems, personal data extends far beyond raw identifiers like names or emails. Features, embeddings, event logs, and even model outputs count as personal data when they can identify or relate to a person or household. This means your training datasets, feature stores, and model artifacts all fall under regulatory scope.

The stakes are significant. GDPR can fine up to 20 million euros or 4 percent of global turnover, whichever is higher, and requires breach notification within 72 hours. CCPA penalties run 2,500 dollars per unintentional violation and 7,500 dollars per intentional violation, with statutory damages of 100 to 750 dollars per consumer per incident. At scale, these add up quickly: a company processing data about 10 million California residents that suffers a data breach could face hundreds of millions in statutory damages alone.
💡 Key Takeaways
Personal data in ML includes features, embeddings, event logs, and model outputs, not just raw identifiers like names or email addresses
GDPR requires opt-in consent and restricts automated decision-making with legal effects, while CCPA uses an opt-out model for data sale or sharing
GDPR fines reach up to 20 million euros or 4 percent of global revenue, with a 72-hour breach reporting deadline
CCPA penalties are 2,500 dollars per unintentional violation and 7,500 dollars per intentional violation, plus 100 to 750 dollars in statutory damages per consumer per incident
Both regulations have extraterritorial scope: GDPR applies to EU residents regardless of company location, and CCPA applies to California residents when its thresholds are met
📌 Examples
A recommendation model trained on user clickstream data must comply with GDPR if it serves EU users, even if the company is based in the US
User embeddings in a feature store that can identify individuals are personal data, requiring consent management and deletion capabilities
Google applies differential privacy to telemetry; Apple uses on-device processing to avoid centralizing personal data; Microsoft operates centralized data subject access request (DSAR) systems spanning hundreds of data systems