Data Privacy and Compliance Glossary
From the CCPA and GDPR to web beacons, understanding the jargon, terms, and definitions of the data privacy world is the first step towards compliance.
Accuracy
Data Accuracy is the principle that businesses must take every reasonable step to ensure that data is accurate, and where necessary, up-to-date.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is the encryption standard for security-sensitive non-classified material in the United States.
Algorithm
An Algorithm is a mathematical process or set of rules for equations applied to a block of data.
Americans with Disabilities Act (ADA)
The Americans with Disabilities Act (ADA) is a U.S law that aims to protect individuals with disabilities against discrimination.
Anonymization
Data Anonymization is the process by which personally identifiable information (PII) is altered to render it anonymous so that it cannot be traced back to an individual. There are three primary techniques for achieving data anonymization: suppression, generalization, and noise addition.
Article 29 Working Party
The Article 29 Working Party (WP29) was a European Union organization made up of the data protection authorities of EU member states that acted as an independent advisory body on data protection and privacy. It was replaced by the European Data Protection Board (EDPB) when the General Data Protection Regulation (GDPR) went into effect.
Audit
A compliance audit is an audit performed to discover an organization's level of compliance with regulatory guidelines. The compliance audit evaluates the strength and completeness of security and privacy policies and risk management processes.
Availability
Data availability is the process of making data "available" when needed by an organization or by the data subject. The General Data Protection Regulation, and several other privacy regulations, require a business to ensure the availability of personal data upon request from a data subject.
Behavioral Advertising
Advertising that is targeted at individuals based on the tracking and observation of their behavior.
Big Data
Large sets of data collected at high velocity and volume, which can be analyzed to reveal consumer or human behavior insights.
Biometrics
Data concerning the physical characteristics of an individual, such as DNA, iris patterns, face patterns, or fingerprints. Article 9 of the General Data Protection Regulation as a special category of data for which processing is not allowed except in specific circumstances.
Breach Disclosure
The process of notifying officials, regulators, and/or the victims of data breaches that affect personal data. Data breach disclosure rules vary by jurisdiction. Under the GDPR, a data controller must notify regulators and/or victims of the data breach within 72 hours of discovery.
Brexit
Brexit was the withdrawal of the United Kingdom from the European Union on January 31st, 2020. The UK is the only country to withdraw from the EU since its creation in 1993. Following Brexit, the GDPR was brought into UK law as the ‘UK GDPR’ and was retained as domestic law through a transition period in 2020. In 2021, UK lawmakers announced their intention to distance UK privacy law from the GDPR. However, any changes will need to be deemed adequate by the EU, to preserve data transfers between the EU and UK.
Caching
Caching is the process of saving local copies of content to reduce the need to repeatedly download content.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, or CCPA, is a state-level data privacy law that regulates how businesses are allowed to gather, store and handle the personally identifiable information (PII) of California citizens. The CCPA went into effect on January 1st, 2020, and was the first state-level consumer privacy law passed in the United States. Key provisions of the CCPA include the consumer’s right to opt-out of the sale of their data, typically via a “Do not sell my data” button and the “private right of action” which gives private citizens the right to legal action against businesses that mishandle their PII. On January 1st, 2023, the CCPA will be replaced by the California Privacy Rights Act (CPRA), which will take its place as California’s presiding privacy legislation.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) is a state-level privacy rights law in California, which significantly expands upon the CCPA by strengthening the data privacy rights of California citizens, increasing regulation of the use of PII, establishing a government enforcement agency, and more. The CPRA takes effect on January 1st, 2023.
Chief Privacy Officer
A c-level position in an organization or business that is responsible for managing privacy practices and compliance with privacy laws.
Children's Online Privacy Protection Act (COPPA) of 1998
A U.S. federal law aimed at protecting the online privacy and rights of children under the age of 13. COPPA applies to the operators of any commercial websites or online services directed at children under the age of 13 as well as any websites that have knowledge that they are collecting PII from children under the age of 13. Under COPPA, operators of such websites must post a privacy notice on their homepage, provide notice about data collection processes to children's parents, and must obtain parental consent before collecting personal information. Operators must also give parents a choice on whether or not their child's personal information will be disclosed to third parties, must provide an opt-out for data collection, and must provide the opportunity to have personal information deleted.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) is a data privacy law with jurisdiction in the US State of Colorado. It is the third state-level comprehensive privacy law to pass in the United States. The CPA goes into effect on January 1st, 2023, and outlines new data privacy rights for Colorado citizens including the right to opt-out, the right to access, the right to deletion, the right to correction, and the right to data portability.
Consent Banner
A consent banner is a notice on a website that informs visitors of the use of reaching technologies like cookies and web beacons and may ask them to take action by opting in or out of tracking. Consent banners are required by most data privacy regulations.
Consent Management
Consent management is a system or process by which an organization informal users of its data privacy and tracking practices, obtains their consent for tracking, and manages and enforces their privacy preferences. Consent management is a crucial factor in demonstrating compliance with privacy laws and regulations.
Consent Management Platform (CMP)
A consent management platform (CMP) is a tool or set of tools that helps organizations automate the consent management process. A robust CMP helps brands obtain user consent, manages user privacy preferences, and enforces those preferences in compliance with privacy regulations. CMPs help brands protect user and customer data privacy and stay compliant with regulations like the GDPR, CCPA, PIPL, and more.
Consumer Data Protection Act (CDPA)
The Consumer Data Protection Act (CDPA) is a state-level consumer privacy law in the US State of Virginia. The CDPA provides citizens of the Commonwealth of Virginia with six data privacy rights: the right to access, the right to collect, the right to deletion, the right to data portability, the right to opt-out, and the right to appeal. The CDPA was the second state-level privacy law to pass in the United States and took a less strict approach than its predecessor, the CCPA.
Cookie
Cookies are small text files that carry information used to identify users as they browse the web. Cookies are typically used to improve the user's web browsing experience by helping websites remember things like logins, preferences, and shopping carts, but they can also be a privacy risk. For example, third party cookies can be used to track a user's web activity across domains without their consent. Because of these privacy implications, cookies are increasingly regulated by privacy legislation like the EU's GDPR and California's CCPA.
Cookie Compliance
Cookie compliance is the process of adhering a website's cookie and tracking practices to the standards set forth by privacy laws and directives like the GDPR and CCPA. Depending on the jurisdiction, this could be as simple as notifying users that they are being tracked (notice only consent), or as complex as asking users for their permission to track their activity, storing, and enforcing those preferences, and offering them the option to change those preferences at any given time. Penalties for noncompliance vary but can reach as high as 4% of annual turnover, under the GDPR. For most organizations, a consent management platform is the easiest, most cost-effective approach to cookie compliance.
Cookie Consent
Cookie consent is the process of obtaining a user's consent to track their browsing activity with cookies.
Cookie Directive
The Cookie Directive is an amendment to the ePrivacy Directive that requires user consent before the placing of tracking cookies.
Cookie Wall
A Cookie Wall, or a tracking wall, is very similar to notice-only consent but requires the users of a website to ‘agree’ or ‘accept’ cookies, tracking, and/or data processing in order to use the website. A cookie wall does not give the user an opportunity to reject tracking and data processing and is considered illegitimate consent under many regulations, such as the GDPR, under which cookie walls are a non-compliant approach to consent management.
Cross-Border Data Transfer
The transfer of personal information from one legal jurisdiction to another.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a client-side attack in which an attacker inserts malicious scripts into a legitimate application, which then piggybacks onto the altered script within the user’s web browser. These attacks are common in web applications written in JavaScript, CSS, VBScript, ActiveX and Flash.
Cure Period
A cure period is an allotted time period following a notice of noncompliance during which an organization is given an opportunity to remediate, or "cure," non-compliant data practices to avoid penalties. For example, the CPA grants a 30-day cure period for violators
Dark Pattern
A dark pattern is a user experience that is intentionally designed to frustrate, trick, or guide users towards actions and outcomes that may not be in their best interest such as signing up for recurring subscriptions or consenting to give away personal information.
Data Adequacy
Data Adequacy is a status granted by the European Commission to nations outside of Europe that it deems as providing a level of personal data protection comparable to that provided by the GDPR. Data adequacy is required to permit cross-border data transfers outside of the EU.
Data Breach
A data breach is any unauthorized access to or acquisition of data that compromises the security or confidentiality of personal information.
Data Controller
Under the GDPR, a Data Controller is defined as the person or entity that determines how and why data is collected and used by an organization. A data controller can be an individual person, a private company, or any other legal entity. Controllers are accountable to the strictest levels of GDPR compliance and are responsible for the GDPR compliance of any Data Processors they use to process data.
Data Loss Prevention (DLP)
Data loss prevention (DLP) is a set of processes or tools that are used to prevent the loss, misuse, or unauthorized access to sensitive data.
Data Minimization
Data minimization is the principle that a data controller should only collect and process personal data that is strictly necessary.
Data Portability
Data portability is the ability to move data easily between programs, files, computing environments, and applications. In many jurisdictions, data subjects have the right to request their personal data from a data controller, which they must receive in a structured, common, and machine-readable format.
Data Processor
Under the GDPR, a data processor is defined as a legal entity or individual that processes personal data on behalf of a data controller, according to the controller's instructions.
Data Protection Authority (DPA)
Data Protection Authorities (DPAs) are the public authorities responsible for the application of data protection laws in EU member states. DPAs have extensive enforcement powers and can impose fines of up to 4% of a company’s global annual revenue.
Data Protection Policy
A policy that outlines the privacy and security measures a business or organization takes in the processing of personal data.
Data Protection Principles
The guiding principles of the GDPR, outlined under article 5 of the law. The data protection principles of the GDPR are lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality.
Data Security Law (DSL) of the People's Republic of China
The Data Security Law (DSL) of the Peoples Republic of China is a Chinese law passed in 2021 for the purpose of protecting critical data for national security and public interest. The law introduced a "data classification system" by which the Chinese government can classify data based on importance and publish standards of data protection for each class.
ePrivacy Directive
The Privacy and Electronic Communications Directive 2008/58/EC on Privacy and Electronic Communications, or ePrivacy Directive, is an EU law, passed in 2002, that is focused on protecting privacy and personal data in electronic communication. The ePrivacy Directive focused primarily on telecom companies, cell carriers, and ISPs. The ePrivacy Directive is widely regarded as the predecessor to the GDPR and the nascent ePrivacy Regulation.
ePrivacy Regulation
The ePrivacy Regulation (ePR) is a proposed EU regulation that would repeal and expand upon the ePrivacy Directive, and would act in conjunction with the GDPR to strengthen privacy rights and enforcement in the EU.
Erasure
The erasure of personal data. Under Article 17(1) of the GDPR, data subjects have the right to request the erasure of their personal data if the data is no longer needed for its original purpose and no new lawful purpose exists, if the lawful basis for the processing is the data subject’s consent and the consent is withdrawn, or if the data has been processed unlawfully.
EU-US Privacy Shield
The EU-US Privacy Shield is a data transfer agreement negotiated in 2016 by U.S. and EU authorities.
European Data Protection Board (EDPB)
The European Data Protection Board (EDPB) is the body responsible for ensuring consistent application of the GDPR. The EDPB is made up of the heads of the supervisory authorities of the EU member states, as well as the European Data Protection Supervisor and a delegate from the European Commission.
Fair and Accurate Credit Transactions Act (FACTA) of 2003
The Fair and Accurate Credit Transactions Act (FACTA) is a 2003 expansion on the FCRA focused on identity theft prevention. The act allows consumers to obtain a free credit report once a year and lets consumers request alerts for suspected identity theft. FACTA also gave the Federal Trade Commission authority to promote rules regarding identity theft.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) is a U.S. federal law enacted in 1970 that governs data collection, consumer access, and correction, and permissible purposes of credit reporting.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that establishes standards for the privacy protection of student educational records. FERPA applies to all academic institutions that receive funds from U.S. Department of Education programs.
Fingerprinting
Fingerprinting, or browser fingerprinting, is the process of differentiating between users based on the instance of the web browser they are using. Log files may also be used to identify visitors to a network or website.
First-Party Cookies
First-party cookies are cookies that are directly set and stored by the website a user visits. First-party cookies are only available to the domain that created them, as opposed to third-party cookies, which are available to any domain that loads the third-party server's code.
Functional Cookies
Functional cookies are cookies that perform tasks related to the function of a website, such as remembering a user's login details or location. Without these cookies, the user would have to log in upon each visit to the website and would not receive personalized information.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation in EU law that provides a single set of data privacy and protection rules for every member state in the European Union. Made up of 173 recitals and 99 articles, the GDPR is widely regarded as the toughest privacy and security law in the world. The GDPR applies to any organization that processes or collects the personal data of EU citizens, regardless of whether or not the organization is based in the EU. The GDPR created several new rights for EU citizens including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, and the right to data portability. Under the GDPR, businesses must obtain a data subject's valid consent before tracking them or processing their information, and must give subjects the opportunity to withdraw consent at any given time. Penalties for violating the GDPR are very high. There are two tiers of penalties, which top out at €20 million or 4% of global revenue (whichever is higher). Data subjects also have the right to seek compensation for damages.
Governance
Data Governance is the process of managing the integrity and security of the data in an organization's systems. Governance practices are based on internal standards and policies as well as regional regulations.
Health Information Technology for Economic and Clinical Health (HITECH)
The Health Information Technology for Economic and Clinical Health Act, or HITECH is a U.S. federal law aimed at addressing privacy and security issues involving PHI.
Health Insurance Accountability and Portability Act (HIPAA)
The Health Insurance Accountability and Portability Act, commonly known as HIPAA is a federal law that regulates the flow of healthcare information and how medical PII is protected from fraud and theft.
Implied Consent
Implied consent or implicit consent is consent that is assumed without the explicit permission of the user. For example, a website that forces the user to accept tracking cookies to access content, or which opts a user in when the user navigates away from the consent banner without accepting or denying cookies.
Interactive Advertising Bureau (IAB)
The Interactive Advertising Bureau is a trade association that represents advertising businesses. The IAB develops industry standards such as the Transparency and Consent Framework.
ISO 27701
The ISO (International Organization for Standardization) 27001 standard is a standard of practice and certification for implementing an information security management system.
Lawfulness
One of the requirements established by the GDPR for processing personal data, along with fairness and transparency. For data processing to be considered lawful, data subjects must be aware of the processing, storage, and use of the data, and must give informed consent to said processing. The GDPR outlines six bases for the lawful processing of personal data: consent, necessity, contract requirement, legal obligation, protection of data subject, public interest, or legitimate interest of the controller.
Notice-Only Consent
Notice-only consent banners inform users that your website uses cookies, and may or may not inform them of the purpose of the cookies in use, but does not offer the user the ability to opt-out. By continuing to use your website, users are submitting their implicit consent to tracking. This approach is popular in the United States but is not compliant with the consent requirements set forth in the GDPR and similar regulations like the PIPL.
Opt-In Consent
An opt-in consent banner informs your visitors of the tracking technologies in use by your website and gives them distinct options to either reject all non-essential cookies or accept all cookies. The user is opted-out by default and must take explicit action to consent to tracking or data processing. This consent model is compliant with the GDPR.
Opt-Out Consent
An opt-out consent banner informs visitors of the cookies and tracking technologies your website uses and gives them an option to opt-out of either all or some tracking and data processing. Typically, the user is opted in by default and has to take manual action to opt-out. For example, they may need to uncheck several boxes to opt-out of different cookies and trackers. Opt-out consent banners are not compliant with the GDPR but are allowed under the CCPA and LGPD.
Performance Cookies
Performance cookies, or statistics cookies, are cookies that are used to monitor the performance of a website as a user interacts with it. For example, performance cookies may track the pages most frequently visited by users, the path a user takes through a website, or which links result in errors. Performance cookies do not collect any identifiable information on users and exist for the sole purpose of performance cookies is to improve website functionality.
Persistent Cookies
Persistent cookies are cookies that are stored on a user's device and persist until they are deleted by the user or by their browser. Persistent cookies help websites remember user's settings, preferences, and information like sign-on credentials. All persistent cookies have an expiration date and will be destroyed when they reach that date. The ePrivacy Directive dictates that persistent cookies should not last more than 12 months.
Personal Data
The synonym for PII used in the EU's privacy legislation. Under the GDPR, personal data is defined as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Personal Data Protection Act (Thailand)
The Personal Data Protection Act B.E. 2562 (2019) (PDPA) is a Thai law that governs the digital rights of Thai citizens, and the data protection standards that businesses operating in Thailand must uphold. The PDPA affects not only Thai businesses, but also businesses based outside of Thailand that offer products and services to Thai citizens, or monitor their behavior online. The PDPA is largely based on the GDPR and appropriates several concepts and definitions from the EU law, such as data “controllers” and “processors." Under the PDPA, organizations must prove a legal basis for the collection and use of personal information, and consent is required in certain situations.
Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada is a federal privacy law that applies to private-sector organizations in Canada. The law is intended to "govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Personal Information Protection Law (PIPL) of China
The Personal Information Privacy Law (PIPL) is China’s first comprehensive data privacy law, The PIPL was passed on August 20th, 2021, and went into effect on November 1st, 2021. Similar in size and scope to the EU’s General Data Protection Regulation (GDPR), the PIPL Imposes serious restrictions on how personal data can be collected, used, and managed. Along with China’s Data Security Law, the PIPL will form a framework that will give China’s government broad enforcement capabilities and create a strict compliance environment for the nation’s Big Tech companies—and international businesses operating in China—for years to come. According to the language of the law, the goals of the PIPL are to “protect the rights and interests of individuals” and facilitate the “reasonable use” of personal information through the regulation of personal information processing activities.
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is any information from which the identity of a person can be inferred, directly or indirectly. Social security numbers, phone numbers, addresses, and biometric data are all commonly considered PII, and IP address, geolocation, and behavioral data may also be considered PII.
Prior Consent
Prior Consent consent granted by a user prior to placing any cookies on their device except for strictly necessary cookies. Prior consent is required by the GDPR.
Privacy by Design
Privacy by Design is the philosophy that application and web design should promote privacy proactively by embedding privacy best practices in the design and development processes.
Real-time Bidding
Real-time bidding is the process of buying and selling online ad impressions in real-time auctions that occur in the time it takes a webpage to load. When a bid is won, the buyer's ad is instantly displayed on the publisher's site.
Remarketing
Remarketing is a marketing strategy that uses information learned from prior interactions to market to the same consumer multiple times in a digital environment.
Roach Motel
A roach motel is a dark pattern that provides an easy or straightforward user experience to sign up for or consent to something, but a much more difficult user experience path to cancel a service or revoke consent. One example is a subscription that can be started with the click of a button but must be canceled via a phone call or chat-bot
Session Cookies
A session cookie, also known as a temporary cookie or a non-persistent cookie, is a cookie that is stored temporarily on the browser and is destroyed as soon as the user logs off of the browser.
Soft Opt-In
A soft opt-in is a consent management practice in which consent is assumed when a user navigates away from a consent banner without rejecting or denying consent. A soft opt-in is not considered valid consent under the GDPR.
Strictly Necessary Cookies
Strictly necessary cookies are cookies that are necessary for the function and navigation of a website. Cookies that remember what items are in a user's shopping cart, or allow a user access to certain sections of a website are considered strictly necessary cookies. Under the GDPR, strictly necessary cookies are the only cookies that are exempt from requiring user consent.
Tag
Tags are short pieces of code written in JavaScript that perform a specific task on a website. In marketing and advertising, tags are used to collect information about users and how they behave on a website.
Targeting Cookies
Targeting cookies are cookies that are designed to gather information about the user and track their online activity to help marketers and advertisers display relevant advertisements and build visitor profiles and statistics for insights into advertising performance. Targeting cookies are almost always third-party, persistent cookies.
Third-Party Cookies
Third-party cookies are cookies that are created not by the domain you are visiting, but by third parties such as advertisers or analytics systems. Third-party cookies are usually added to a website via tags or scripts and are accessible to any website that loads the third-party server's code.
Transparency and Consent Framework (TCF)
The Transparency and Consent Framework (TCF) is an open-source framework developed by the Interactive Advertising Bureau (IAB) Europe and the IAB Tech Lab to standardize the process of obtaining user consent and communicating consent information to parties on the advertising supply chain.
The current iteration of the framework, TCF 2.0, was introduced in August 2019.
US-CERT
US-CERT is partnership between the Department of Homeland Security and the public and private sectors that aims to coordinate responses to internet security threats.
Valid Consent
Valid consent is consent that is informed, unambiguous, and given freely. In other words, the user must be informed exactly what they are consenting to and must be presented with a clear choice to opt-in or out of tracking and data processing, without coercion. Equally important, a user who had previously consented must be allowed to withdraw consent at a later time without penalty.