Comprehensive privacy legislation must create strong obligations for all companies that handle consumer data. These obligations will only be strong enough to protect consumer privacy and instill trust, though, if they reflect how a company interacts with consumer data. Privacy laws worldwide distinguish between two types of companies: (1) businesses that decide how and why to collect consumer data, which act as controllers of that data and (2) businesses that process the data on behalf of another company, which act as processors of that data.