A tool for enforcing limited disclosure rules in a software application,
typically an unmodified database. The invention enables individual
queries to respect data subjects' preferences and choices by storing
privacy semantics, classifying data items into categories, rewriting
incoming queries to reflect stored privacy semantics, and masking
prohibited values. Privacy semantics include individual data subject
choices; privacy policies comprise rules describing authorized data
recipients and authorized data access purposes. Privacy policies may
require specific consent from data subjects. The invention assigns each
(purpose, recipient) pair a view over each database table, so entire
tuples and individual cells can have particular privacy semantics.
Purposes and recipients are inferred based on the application issuing the
query. Masking is performed at the individual cell level, and may employ
NULL or other predetermined indicia for prohibited values. The invention
is cost-efficient and scalable to large databases.
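The mechanism the abstract describes (one view per (purpose, recipient) pair, queries rewritten to hit that view, prohibited cells masked with NULL, and the pair inferred from the issuing application) can be shown end to end against an unmodified SQLite database. The following is an added illustration, not code from the patent or any product; the `patients` and `consent` tables, the `POLICY` and `APP_CONTEXT` mappings, the application names and all sample rows are constructed for this example.

```python
import re
import sqlite3

# Constructed sample schema (not from the patent): a base table the application
# already queries, plus a table recording each data subject's opt-in choices.
SCHEMA = """
CREATE TABLE patients (
    id INTEGER PRIMARY KEY,
    name TEXT, phone TEXT, diagnosis TEXT
);
-- one row per (subject, purpose, recipient) the subject has consented to
CREATE TABLE consent (
    patient_id INTEGER, purpose TEXT, recipient TEXT
);
"""
ROWS = [(1, "Alice", "555-0100", "flu"),
        (2, "Bob", "555-0101", "asthma"),
        (3, "Carol", "555-0102", "migraine")]
CONSENT = [(1, "research", "analyst")]   # only Alice opted into research use

# Privacy policy (constructed): per (purpose, recipient) pair, how each column
# may be disclosed. "allow" = visible, "consent" = visible only with the
# subject's opt-in, "deny" = always masked.
POLICY = {
    ("treatment", "doctor"):  {"name": "allow",   "phone": "allow",   "diagnosis": "allow"},
    ("research",  "analyst"): {"name": "deny",    "phone": "deny",    "diagnosis": "consent"},
    ("marketing", "partner"): {"name": "consent", "phone": "consent", "diagnosis": "deny"},
}

# The (purpose, recipient) pair is inferred from the application issuing the query.
APP_CONTEXT = {"ehr": ("treatment", "doctor"),
               "stats": ("research", "analyst"),
               "crm": ("marketing", "partner")}

MASK = "NULL"   # the predetermined indicium substituted for prohibited cells


def view_name(purpose, recipient, table="patients"):
    return f"v_{table}_{purpose}_{recipient}"


def build_view_sql(purpose, recipient):
    """CREATE VIEW giving one (purpose, recipient) pair its own projection of the
    base table. Whole tuples stay visible; individual cells are masked with NULL,
    either unconditionally ("deny") or when the subject has not consented.
    purpose/recipient come from the trusted POLICY keys, never from user input."""
    cols = ["p.id AS id"]
    for col, rule in POLICY[(purpose, recipient)].items():
        if rule == "allow":
            cols.append(f"p.{col} AS {col}")
        elif rule == "consent":
            cols.append(
                f"CASE WHEN EXISTS (SELECT 1 FROM consent c WHERE c.patient_id = p.id "
                f"AND c.purpose = '{purpose}' AND c.recipient = '{recipient}') "
                f"THEN p.{col} ELSE {MASK} END AS {col}")
        else:
            cols.append(f"{MASK} AS {col}")
    return (f"CREATE VIEW {view_name(purpose, recipient)} AS "
            f"SELECT {', '.join(cols)} FROM patients p")


def open_db():
    """In-memory database with sample data and one view per policy pair."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO patients VALUES (?,?,?,?)", ROWS)
    db.executemany("INSERT INTO consent VALUES (?,?,?)", CONSENT)
    for purpose, recipient in POLICY:
        db.execute(build_view_sql(purpose, recipient))
    return db


def rewrite_query(sql, purpose, recipient):
    """Redirect every reference to the base table at the pair's view. The
    application's SQL is otherwise unchanged, so the database needs no modification."""
    return re.sub(r"\bpatients\b", view_name(purpose, recipient), sql)


def run_as_app(db, app, sql):
    """Infer (purpose, recipient) from the issuing application, rewrite, execute."""
    purpose, recipient = APP_CONTEXT[app]
    return db.execute(rewrite_query(sql, purpose, recipient)).fetchall()


if __name__ == "__main__":
    db = open_db()
    q = "SELECT name, phone, diagnosis FROM patients ORDER BY id"
    for app in APP_CONTEXT:
        print(app, run_as_app(db, app, q))
```

Because masking happens at the cell level inside the view, a masked column also evaluates to NULL in WHERE clauses, so a query such as `SELECT name FROM patients WHERE diagnosis = 'flu'` issued by the marketing application matches no rows rather than leaking the diagnosis through a predicate; row counts, by contrast, are unaffected, since entire tuples remain visible.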