This glossary includes:
- The most common privacy terms broken down into simple, straightforward language.
- Relevant examples to help you understand how the terms practically apply to your business.
Whether you jump up and down at the thought of privacy practices (there are a few of us!), or want to run for the hills, this guide is going to help you navigate the ever-changing world of privacy laws.
The bottom line is that privacy is not going anywhere. To stay ahead of the game, you will need to familiarize yourself with some of the data privacy jargon so you know what to do and when to do it. Customers are demanding transparency now—and if they suspect that you are being less than forthcoming with them, one of your competitors will snap them up faster than you can summon an apology.
Privacy is innovation. Let it become your competitive advantage.
Welcome to a new age of doing business.
Glossary of Privacy Terms
A
One of the fundamental privacy principles that stresses the importance of ownership of the privacy program, training, record-keeping and responsible processing of personal information.
Under GDPR, personal data collected must be accurate and kept up to date, and the data subject must be able to have it deleted or corrected if it is inaccurate.
Providing advertisements to a specific audience based on attributes such as location, browsing behavior, purchase history, and demographics.
A decision made by the European Commission that a non-EU country offers an adequate level of data protection through its own domestic privacy laws or international commitments it has made. An adequacy decision allows for personal information to be transferred from the EU to the country deemed adequate without additional safeguards.
A term used to describe when a system uses technology without human involvement to create a profile or make a decision.
A decision or action by a business that adversely affects a consumer.
An Attorney General is an official with legal responsibility for enforcing laws in the United States. There is a federal Attorney General as well as an Attorney General of each state responsible for enforcement in their respective state.
An advanced form of artificial intelligence that focuses on autonomous decision-making and performing tasks with limited or no human involvement.
Computer systems that can perform complex tasks normally done by human decision-making and reasoning.
The process of altering personal data so that it is no longer identifiable. This process is irreversible.
Software standards that allow machine-to-machine communication and specify how software components should interact with one another.
This is a term used in GDPR in several different contexts, such as (1) transferring personal data to countries outside of the European Union, (2) the processing of special categories of data, and (3) the processing of personal data in a law enforcement context. It usually refers to the application of the general data protection principles.
A system, database, application, website, physical storage, or any other form that can store or process personal data.
The process of verifying whether an entity is who it claims to be.
The process of determining whether a user is permitted to have access rights to a specific resource.
When an individual can behave as they wish (including online behavior) without the concern of being observed or tracked.
B
This abbreviation is used to describe sales and services that occur directly from one business to another.
This abbreviation is used to describe sales and services that occur directly from a business to a customer.
BCRs are a data transfer mechanism that allows multinational corporations, international organizations, and groups of companies to share personal data outside of the EU while still being in compliance with EU data protection laws.
When a business tracks an individual’s online behavior and then targets that individual with specific ads based on their tracked behavior.
Large data sets that grow exponentially and are so complex and massive that they require special processing applications.
Principles for processors to follow to protect an individual’s personal data. If a business’s processor is approved as a “safe processor” then that business can conduct international transfers (under GDPR).
Data generated by automated means that can identify or confirm the identity of a person such as behavioral or physical characteristics. Examples include fingerprints, retina scans, voice prints, facial characteristics, and identifying DNA information. In most privacy laws biometric data is considered sensitive personal information.
An Illinois law protecting the biometric data of state residents. The law requires companies to obtain consent for processing biometric data and includes a private right of action.
The act of notifying regulators and victims of data incidents that may affect the confidentiality, integrity, or availability of their personal information.
Refers to the operational reasons for which a business collects, uses, or shares personal information.
C
Signed into law on 9/15/22, will take effect on 7/1/24. This law imposes a number of obligations on businesses that control or process the personal data of California children, as well as granting them expanded rights and protections against a variety of harm.
This act requires all websites interacting with California residents to provide a privacy statement to users.
Passed in 2003, the US’s CAN SPAM Act established rules for commercial emails and expanded to text messaging. It requires marketers to be truthful and provide recipients the ability to opt out of future marketing communications.
Passed in 2013, CASL regulates the sending of commercial electronic messages (CEMs) to Canadian residents. It requires consent for sending CEMs in most cases.
The first comprehensive consumer privacy law in the US, CCPA introduced new privacy rights for California residents, created the sole privacy-specific regulator in the country with its CPRA amendments, and began a wave of state privacy legislation that continues to grow.
A CDP helps companies create a single point of view of their customers by storing web page views, email clicks, payment transactions, and other similar information.
Personal information that is linked or reasonably linkable to a consumer and identifies a consumer’s past, present, or future physical or mental health. A very broad term used by the Maryland and Connecticut privacy laws, as well as Washington’s My Health, My Data Act.
An executive-level employee in a corporation responsible for all privacy-related matters.
An executive-level employee in a corporation responsible for all product-related matters, such as supply management, negotiating prices and contracts, and sourcing for the company.
An executive-level employee in a corporation usually responsible for leading product organization.
An executive-level employee responsible for identifying and managing risks as they arise and for developing a security strategy to protect the organization’s data and assets from breaches.
Software that is used by companies to document and manage a user’s consent choices prior to collecting, sharing, or selling user data from online sources such as websites and apps that use cookies, embedded videos, and other tracking technologies.
The principle of limiting the collection of personal information to only the quantity and the type of information that is necessary.
This type of privacy protects communications such as postal mail, telephone activity, email, and other types of communication.
The state of being protected from intentional or accidental unauthorized access or use. A fundamental principle of privacy and security, companies should work to protect the confidentiality of personal information as a best practice and to meet their legal obligations.
Consent is the act of a data subject agreeing to specific data processing and for consent to be valid it must be freely given, specific, informed, and unambiguous. The data subject must be able to easily withdraw their consent after it is given.
Also referred to as a “daisybit”, a series of numbers added to an ad bid request that identifies the consent status of an ad tech vendor.
An individual who purchases goods and/or services.
An entity that makes decisions about the processing of personal information. It often has a direct relationship with the individual.
A series of steps on your website that, if followed by a prospect, will facilitate a lead capture (see lead capture).
A small text file that a website may drop on a user’s device for the sake of tracking certain categories of information.
A classification of cookies based on their purpose and the type of data collected.
Cookies placed by the website the user is visiting.
Cookies placed by a company different than the one the user is browsing. For example, advertising, analytics, or social media cookies.
Cookies that are stored on the user’s device until the user deletes the cookie or it expires. These cookies are often used to save language preferences, store login credentials, and personalize advertising.
Cookies that are active only for the period of time that the user is browsing the website.
Imposes requirements on the operators of websites directed towards children under 13 years of age.
Signed into law on 7/8/2021, takes effect 7/1/2024. This law provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Data controllers will need to honor user-selected universal opt-outs for targeted advertising and sales.
This abbreviation can mean Chief Procurement Officer, Chief Privacy Officer, or Chief Product Officer.
Amendments to the CCPA that went into effect in 2023 that expanded companies’ obligations and Californians’ privacy rights and created a privacy-specific regulator.
California’s dedicated privacy regulator, created under the CPRA amendments, the agency works with the state attorney general to enforce and provide guidance on the CCPA.
A company that provides support to the pharma, biotech, and medical device industries through contracted research services.
The transportation of personal data from one jurisdiction (usually country) to another. For the GDPR, this refers to any transportation of personal data from the European Economic Area to a third country (only allowed if the European Commission has determined that they have adequate protection measures).
A statement that invites an individual to take a certain action, such as “Click here to continue reading”.
Signed into law on 5/10/2022, took effect on 7/1/2023. This law places several obligations on businesses that control or process the personal data of Connecticut consumers and grants a set of rights to Connecticut consumers.
The percentage of your audience that follows through with clicking from your homepage to another part of your website as directed by a marketing or sales campaign.
D
The unauthorized loss, exposure, or disclosure of personal or confidential information that compromises the confidentiality, integrity, or availability of the information. The legal definition of a data breach may vary based on jurisdiction.
The segmentation of data based on characteristics such as sensitivity and risk that allow organizations to apply appropriate privacy and security protections to each class.
Unique pieces of information such as name, address, IP address, date of birth, etc.
Also known as the Right to Deletion under CCPA, it allows the data subject to request that the data controller or company delete and stop sharing their personal data. There are a few exceptions to this under each privacy law.
The exercise of authority and control over the management of data assets. It is the planning, supervision, and control of data management and use.
A record of the personal information an organization processes, including means and method of collection, where it is stored, with whom it is shared, sensitivity, and more.
A process of protecting data by replacing it with fictitious data. This ensures that unauthorized users cannot access the original data and allows authorized users to work with the data for testing, development, or analysis.
A foundational privacy principle that means organizations should only collect personal information necessary for identified purposes, only use it for those purposes, and only retain it for as long as necessary for the purposes identified.
A privacy right under GDPR and other laws that requires organizations to provide individuals with a copy of their personal information upon request. It also includes the right for individuals to request that a Controller transfer their personal information to another similar Controller in some circumstances.
See Supervisory Authority
An agreement between the EU and the US that enables organizations to transfer personal information from the European Economic Area to the US in compliance with the GDPR. US organizations that self-certify to the EU-US Data Privacy Framework (EU-U.S. DPF) are deemed adequate by the European Commission. Switzerland and the UK have separate but similar DPF agreements with the US.
As required under GDPR, organizations engaging in high-risk processing activity must complete an assessment that evaluates the activity’s risk to the rights of individuals and outlines potential measures to mitigate those risks. Each EU member state has a non-exhaustive list of processing activities that require a DPIA.
Under the GDPR, a data protection role that monitors compliance with the GDPR and has specific responsibilities with regard to DPIAs and communicating with supervisory authorities. The DPO must be knowledgeable, appropriately resourced, independent, and must report directly to company leadership.
An organized compilation of data.
A natural person who is the subject of the data held by a Controller or Processor.
One of the fundamental privacy principles, companies should maintain personal information so that it is accurate, complete, and up-to-date.
A digital repository for storing data (typically large amounts of data).
A broad term for removing identifiable characteristics from personal data, effectively anonymizing the data. Many US state laws have specific rules for maintaining and sharing de-identified data.
Signed into law on September 11, 2023, took effect on January 1, 2025. DPDPA closely follows the Connecticut model; however, Delaware has lowered the scoping threshold. This law places several obligations on businesses that control or process the personal data of Delaware consumers. It does not exempt non-profits, except those exclusively dedicated to preventing insurance crime, and it has a unique definition of sensitive personal information that includes genetic information and transgender or non-binary status.
A DSP is a system that allows digital advertising inventory buyers to manage multiple ad exchanges in one central place. It often uses information from a DMP. It is designed to find the best website for the advertisement.
An exemption from or relaxation of a law.
An industry association that establishes and enforces responsible privacy practices across the industry for relevant digital advertising, providing consumers with enhanced transparency and control through multifaceted principles that apply to multi-site data and cross-app data gathered in either desktop, mobile web or mobile app environments.
Digital fingerprints are log files pulled from original content that represent the content’s defining characteristics and are used by content owners to identify website visitors. A log file can be the visitor’s IP address, a time stamp, or even the visitor’s browser preferences (think type of font, color scheme, etc.).
This type of signature is used to authenticate an electronic document (often used in emails).
Advertising and marketing information specifically directed towards targeted individuals.
Most commonly refers to a browser setting that gives individuals the ability to request that applications disable tracking of their online behavior and activities.
E
The act of monitoring an individual through behavioral tracking technologies, email and text scanning, geolocation tracking, and other electronic means. This type of surveillance is typically unknown to the individual.
The process of converting plaintext (any type of data) into an encoded version that can only be decoded by the individual with the proper decryption key. Encryption is a security measure that protects personal information to ensure that the data is only accessible/readable by those with authorization.
A commonly used social media metric that reports the amount and type of interaction a particular piece of content receives.
A natural or legal person or entity performing economic actions.
This EU directive passed in 2002 and was later amended in 2009. It works with the GDPR to create data protection rules for electronic communications, marketing, and cookies. The European Commission has considered many updates to the ePD to better align it with GDPR, however none have yet passed.
Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different prices and rates for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.
The acronym for the European Union which is a political and economic union comprised of 27 member states located primarily in Europe.
An individual appointed by an organization to represent it in the EU for data protection purposes. The GDPR requires this position for certain organizations that operate in the EU but are not established there.
An agreement between the US and EU to allow personal information to be transferred to the US from the EU. Organizations that self-certified to Privacy Shield were deemed to have adequate protections similar to GDPR. Privacy Shield was invalidated and the EU-US Data Privacy Framework replaced it.
The executive branch of the European Union.
The EDPB is an EU body responsible for the application of GDPR ensuring consistency across the EU. It is comprised of representatives from Supervisory Authorities in each EU member state and the European Commission. The EDPB replaced the Article 29 Working Party.
The EDPS is responsible for ensuring EU institutions are upholding their privacy and data protection obligations when processing personal information.
F
This US federal law requires accurate data collection, gives the right to consumers to correct their information, and limits the use of consumer reports and data collection.
This US federal law, amending the Fair Credit Reporting Act (FCRA), adds provisions designed to improve the accuracy of consumers’ credit-related records.
This US federal law protects the privacy of students and their records.
This US institution protects consumers and collects and acts on complaints about organizations. It also prohibits unfair and deceptive trade practices per Section 5.
A new way that browsers could enable interest-based advertising on the web, in which the companies who today observe the browsing behavior of individuals instead observe the behavior of a cohort of similar people.
The process of collecting personal information directly from individuals such as customers, website visitors, or social media followers.
An outsourced privacy professional who provides their time and guidance to a company on an ongoing basis, generally part-time and remotely.
When a data subject voluntarily consents to the processing of data and where there is no risk of significant consequences if they do not choose to provide consent. The GDPR requires that a data subject’s consent is freely given.
G
A US federal law that requires financial institutions to be transparent with customers about their processing of non-public personal information and provides customers with opt-out rights for certain sharing of their information.
The EU data protection regulation that sets the rules for private-sector processing of personal information of individuals within the European Economic Area. It became effective May 25, 2018.
Personal data relating to inherited or acquired genetic data that is unique to the individual. An example could be an individual’s gene sequence.
This US federal law prohibits discrimination based on genetic information by health insurance companies and employers.
The use of a mobile device’s GPS or other technology to create a virtual geographic boundary, which allows software to track and trigger a response (such as serving an advertisement). Increasingly there are rules restricting Geofencing and tracking.
A common implementation of a Universal Opt-Out Mechanism (UOOM) that allows individuals to set permissions for electronic tracking at the browser level. Many US state consumer privacy laws require online companies to honor opt-out requests sent via UOOMs.
H
A U.S. federal law that includes privacy and security rules for the healthcare industry. HIPAA applies only to healthcare providers, health plans, healthcare clearinghouses, and business associates. The HIPAA Privacy Rule includes privacy rights for patients and data minimization obligations for covered entities, among other protections.
Part of the American Recovery and Reinvestment Act of 2009, it amends and strengthens HIPAA.
I
Advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry.
Signed into law on March 28, 2023, took effect on January 1, 2025. This law is considered very business friendly, placing several obligations on businesses that control or process the personal data of Iowa consumers. ICDPA contains a 90-day right to cure period that doesn’t sunset, a 90-day allowance for responding to privacy rights requests, and an opt-out right that only covers sale, among other business-friendly provisions.
Refers to data that can be linked to a specific person, thus identifying that person.
A consent model in which the user is presumed to have given consent due to their relationship with the organization or their prior actions. This term is being phased out of privacy parlance with changes to consent obligations that specify it must include an action indicating agreement.
Signed into law on 5/1/2023, will take effect on 1/1/2026. This law imposes a number of obligations on businesses that control or process the personal data of Indiana consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
A natural person whose personal data is collected, held or processed by a controller or processor. Also referred to as data subject and consumer.
This is the process of collecting, using, disclosing, storing, and deleting data.
The use of technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of information.
When an individual has been provided with all of the necessary information to make a decision about data processing. Under GDPR, the data subject must be informed when providing consent.
In regards to data, integrity refers to the accuracy, consistency, and trustworthiness of the data.
A numerical identifier assigned to each device that interacts with a computer network, most commonly a TCP/IP network. The GDPR categorizes IP addresses as personal information.
J
The authority granted to a body to govern or legislate. It can also refer to the geographical region in which authority applies.
K
Signed into law on April 4, 2024, takes effect on January 1, 2026. This law follows the Washington Privacy Act model (with some less common provisions), placing several obligations on businesses that control or process the personal data of Kentucky consumers. KCDPA gives consumers opt-out rights for de-identified data and does not require consent to sell the personal information of minors 13 years or older.
L
The web page that an individual is led to after clicking on a banner, CTA, or paid search ad.
To collect personal information in the EU one of the following six circumstances must apply: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, and (6) legitimate interests. You must also only process data in a way that does not negatively affect the individual from whom you are collecting data. Lastly, you must be transparent about the way that the data is collected and used.
An individual who is a potential customer.
Many privacy and data protection laws require organizations to establish a legal basis prior to collecting personal information. These legal bases vary by jurisdiction, but generally include consent, performance of a contract, vital interests, significant public interests, legal obligations, and legitimate interests.
A federal law in Brazil designed to unify 40 existing laws regulating the processing of the personal data of individuals. It was passed on September 18, 2020, and was backdated, coming into effect on August 16, 2020.
Services that are provided based on geographic location.
M
A location, chosen by the data controller, for its central administration in the EU where it will be bound to applicable local laws and regulations.
Data that provides information to describe or provide context for other data but does not include the content of the data itself.
During login, this requires both a password and a second form of authentication such as a code sent to a phone, confirming a phone call, or entering an ever-changing password provided through an application.
Signed into law on 5/19/2023, will take effect on 10/01/2024. This law imposes a number of obligations on businesses that control or process the personal data of Montana consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
Signed into law on April 6, 2024, took effect on October 1, 2025. MODPA follows the Washington Privacy Act model but contains significant differences. Maryland’s scoping threshold represents just 0.56% of the state’s population, and the law has few entity-level exemptions, putting most non-profits in scope. Additionally, the law has unique sensitive data rules and requires data protection assessments for the use of algorithms.
Signed into law on May 19, 2024, took effect on October 1, 2024. The MTDPA is a middle-of-the-road privacy law, with few surprises, placing several obligations on businesses that control or process the personal data of Montana consumers. Its low scoping threshold of 50,000 consumers means that MTDPA will cover a significant number of businesses that operate in the state, which has a relatively low population.
N
An organization is responsible for damages if it fails to meet the legal obligations to protect personal information.
Per GLBA, it is defined as identifiable financial information provided by a customer.
Signed into law on April 17, 2024, took effect on January 1, 2025. The law follows the Washington Privacy Act model, and it tracks closest with Texas in scope, eliminating the number of records processed as a qualifier and instead using a federal definition of a small business. Additionally, it has no obligation for consent to sell the personal information of minors 13 years and older and a unique provision around universal opt-out mechanisms.
NJDPA became effective on January 16, 2025. This law places several obligations on businesses that control or process the personal data of New Jersey consumers and follows the Washington Privacy Act model. NJDPA provides for the creation of supporting regulations, and includes unique aspects within its definitions and consent obligations for children, as well as limited exemptions.
NHDPA became effective on January 1, 2025. The law follows the Washington Privacy Act model, closely aligning with the Connecticut Data Privacy Act. While New Hampshire’s law follows common principles, it tasks the Secretary of State with providing standards for privacy notices and submission methods for privacy rights requests.
O
A version of data masking that makes personal data difficult to understand in order to hide the actual data.
Signed into law on 6/18/2023, will take effect on 7/1/2024; it is effective for non-profits on 7/1/25. This law imposes a number of obligations on businesses that control or process the personal data of Oregon consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
An individual makes an affirmative choice (e.g., checking a box) to allow an organization to process their personal information for the purpose identified.
An individual takes an action (e.g., unchecking a box) to ensure their personal information is not processed for the purpose identified.
P
Information that relates to an identified or identifiable person (also referred to as ‘Data Subject’ or ‘Individual’). Personal information includes Personally Identifiable Information and Sensitive Personal Information, and is also commonly referred to as Personal Data.
This refers to any information regarding an individual’s physical or mental health.
Canada’s version of the GDPR, which requires businesses to obtain an individual’s consent when they collect, use, or disclose that individual’s personal information.
A tiny and often invisible image embedded into the code of a website, online advertisement, marketing email, or video. When an individual loads the site, email, video, or ad, the pixel is loaded, which transmits information to the web server hosting the pixel. Information about the individual’s behavior on the site and about the visitor is sent back and forth from the pixel. Pixels, also referred to as tags or web beacons are commonly used in online advertising.
The cost accrued each time a digital advertisement is clicked through.
A set of principles that focus on embedding privacy from the beginning of the development process to ensure products and services consider privacy throughout their entire lifecycle.
A process where organizations identify and assess the privacy risk of a product or system. In general, PIAs gather information about how a product or system impacts personal information so that an organization can determine whether the risk is acceptable and/or what safeguards can be used to mitigate unacceptable risk.
A disclaimer that is located on an organization’s website that lays out how the website uses and collects personal information.
Data Subject Access Requests are often referred to as Privacy Rights. These rights generally include: the right to be informed, the right of access, the right to rectification, the right to erasure/to be forgotten, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling, and the right to opt-out of the sale of data.
This provides individuals the right to file a lawsuit (against the violator) if harmed by a violation of the law.
Any activity performed on personal information, whether or not by automated means, including collection, use, recording, etc.
An entity that processes personal information on behalf of a Controller and within the confines of a contract that prohibits the Processor’s ability to use or share the personal information for its own purposes. Also called Data Processor.
The use of personal data to evaluate, analyze, or predict data subject behavior and to make decisions based on that outcome. Profiling is generally performed automatically by systems.
The process of converting personal information into a form that can no longer be attributed to an individual without the use of additional information, such as a key or a lookup table. Unlike anonymization, the process is reversible, so the additional information must be kept separately and protected; pseudonymized data is still personal information.
Q
A type of matrix barcode (or two-dimensional code) that can be scanned by smartphones or specific QR barcode readers to transmit encoded data.
R
Real-time bidding is an automated auction in which advertising impressions on a website are bought and sold individually, in the milliseconds while the page loads.
The natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether or not it is a Third Party.
The right of an individual to request that a Controller correct their personal information. Many privacy and data protection laws provide individuals the right to rectification, sometimes referred to as the right to correct.
The process of removing or obscuring information from documents before they are shared. Effective redaction removes the underlying data, not just its visible rendering; a black box drawn over text in a PDF or an image can leave the text recoverable.
This occurs when de-identified or pseudonymized data is linked back to an individual, typically by combining it with other available data, making it personal information again.
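As an added example (not code from the original page), the following Python covers both the pseudonymization entry under P and re-identification above: it replaces an email address with a keyed HMAC-SHA256 token, keeps the token-to-identifier table as the separately held "additional information", reverses the process with that table, and then shows the re-identification failure mode of using a plain, unkeyed hash, which anyone can recompute from a guessed address. The records, key, and candidate list are constructed for illustration.

```python
"""Pseudonymization with a keyed token and a separately held re-identification table.

Added example, not code from the original page. The records, the key and the
candidate list are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample records (no real people). The third row is the same person as
# the first, typed with different capitalization.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "spend": 120},
    {"email": "bob@example.com", "plan": "free", "spend": 0},
    {"email": "Alice@Example.com", "plan": "pro", "spend": 80},
]

# The secret that makes tokens unguessable. In practice it lives in a key store,
# held apart from the pseudonymized data set and from the analysts who use it.
KEY = secrets.token_bytes(32)


def _normalize(identifier):
    return identifier.strip().lower()


def make_token(identifier, key):
    """Deterministic keyed token (HMAC-SHA256): the same identifier under the same key
    always yields the same token, so records for one person can still be joined and
    counted without anyone seeing the identifier."""
    return hmac.new(key, _normalize(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Replace the direct identifier with a token.

    Returns the pseudonymized records and the lookup table (token -> identifier).
    The table is the 'additional information' the definition refers to: store it
    separately from the data set and restrict who can read it."""
    table = {}
    out = []
    for r in records:
        token = make_token(r["email"], key)
        table[token] = _normalize(r["email"])
        out.append({**r, "email": token})
    return out, table


def reidentify(pseudo_records, table):
    """Reverse the process. Only possible for whoever holds the table (or the key plus
    a list of candidate identifiers); this is what makes pseudonymization reversible."""
    return [{**r, "email": table[r["email"]]} for r in pseudo_records]


def unkeyed_hash(identifier):
    """What not to do: a plain hash of an email address. It looks like a pseudonym but
    anyone can recompute it from a guess, so it is re-identifiable without any table."""
    return hashlib.sha256(_normalize(identifier).encode()).hexdigest()


def guess_identity(token, candidates, token_fn):
    """Re-identification by guessing: compute the token for each candidate identifier
    and compare. token_fn is whatever function the attacker believes produced the token."""
    for c in candidates:
        if token_fn(c) == token:
            return c
    return None


def demo():
    """Run the full round trip and both re-identification attempts; returns the results."""
    pseudo, table = pseudonymize(RECORDS, KEY)
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    attacker_key = secrets.token_bytes(32)  # the attacker does not have KEY
    return {
        "same_person_same_token": pseudo[0]["email"] == pseudo[2]["email"],
        "identifier_removed": all("@" not in r["email"] for r in pseudo),
        "round_trip_ok": reidentify(pseudo, table)
        == [{**r, "email": _normalize(r["email"])} for r in RECORDS],
        "unkeyed_hash_guessed": guess_identity(
            unkeyed_hash("alice@example.com"), candidates, unkeyed_hash
        ),
        "keyed_token_guessed": guess_identity(
            pseudo[0]["email"], candidates, lambda c: make_token(c, attacker_key)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the point: the unkeyed hash is reversed with nothing more than a list of plausible addresses, while the keyed token is not. Whoever holds `KEY` or the table can still re-identify, which is why the data remains personal information and why those two artifacts, not the tokens, are what need access control.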
The right of a data subject to limit the processing of their personal information in certain circumstances for a finite period of time.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) takes effect January 1, 2026, and likely won't have much impact on organizations already complying with other US state laws. However, the law has some confusing elements, especially around how it applies to personal information versus personally identifiable information, a term it uses throughout but never defines.
The right of an individual to obtain access to the personal information a Controller holds about them. Often this right includes the right to receive a copy of their personal information as well.
The right of an individual to request that a Controller delete their personal data from its systems. Also referred to as the right to be forgotten or the right to erasure.
A performance measure of how profitable an investment is expected to be relative to its cost.
A detailed record of the processing activities an organization conducts on personal information, required by the GDPR. ROPAs must include details such as the purposes of processing, the categories of data subjects and personal data, the categories of recipients to whom the personal data has been or will be disclosed, cross-border transfers and their safeguards, envisaged retention periods, and a general description of security measures; many organizations also record the lawful basis relied upon for each activity.
S
A public authority established by an EU member state to monitor and enforce the application of the GDPR. Also referred to as a Data Protection Authority (DPA).
Software hosted and operated by another company and accessed over the internet; the information you enter is stored in that company's cloud environment, which generally makes the vendor a Processor of your data.
A category of personal information that requires higher levels of protection due to its sensitivity and potential to harm individuals. This is defined jurisdictionally, but often includes race, ethnicity, marital status, religion, health records, sexuality, biometrics, genetic information, and government identifiers.
An agreement set up between the sales and marketing teams in a company to outline the responsibilities and expectations for each team.
Companies with roughly 10 to 500 employees. The Small Business Administration's definitions are industry-specific and based on annual receipts or average employment.
Unsolicited information that is sent to an individual typically via electronic communication.
An SSP is a technology platform that allows publishers to automate the selling of their online advertising inventory. They are designed to allow publishers or website owners to maximize the price of their advertising inventory.
T
A US federal law that restricts the use of automated dialing systems and pre-recorded messages for marketing and debt collection calls. It covers calls and text messages to cell phones, calls to landlines, and unsolicited faxes, and it restricts calls to numbers listed on the National Do Not Call Registry.
Signed into law on 6/18/2023 and effective 7/1/2024. This law imposes a number of obligations on businesses that control or process the personal data of Texas consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
This type of privacy limits intruding into an individual’s territorial environment such as their home or workplace.
In general, an entity other than one of the two parties involved in the business relationship (individual/data subject and Controller). Privacy laws have slightly different definitions of Third Party, but it generally includes an exception for entities acting as a Processor.
An analysis, carried out before transferring personal data to a country outside the EEA that has not received an adequacy decision, of whether the laws and practices of the destination country undermine the protection the transfer mechanism (such as Standard Contractual Clauses) is meant to provide, and what supplementary measures, such as encryption with keys held inside the EEA, are needed to close the gap.
Signed into law on 5/11/2023 and effective 7/1/2025. This law imposes a number of obligations on businesses that control or process the personal data of Tennessee consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
A foundational privacy principle that underscores the importance of notifying individuals of your privacy and data handling practices.
U
Signed into law on 3/24/2022 and effective 12/31/2023. This law imposes a number of obligations on businesses that control or process the personal data of Utah consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
The United Kingdom General Data Protection Regulation is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK. The UK GDPR was drafted as a result of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.
The obligation to obtain consent only after the organization has clearly articulated the full scope of what the individual is consenting to.
A mechanism that lets web users opt out of online tracking and the sale or sharing of their data, usually via a browser setting or extension, so the preference applies to every site they visit without a separate request to each. Many privacy laws require websites to honor UOOMs. The most common UOOM is the Global Privacy Control, and it, or its acronym GPC, is often used interchangeably with UOOM. Technically, a browser with GPC enabled sends a Sec-GPC: 1 request header with each request and exposes navigator.globalPrivacyControl to scripts on the page.
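As an added example (not code from the original page), the following Python shows what honoring the signal looks like on the server: detect Sec-GPC: 1 in the request headers, combine it with any preference the user set on the site, and turn the result into flags for the page's advertising and analytics tags. The header name and the /.well-known/gpc.json resource come from the GPC specification; the sample requests, the conflict-handling policy, and the flag names are constructed for this example.

```python
"""Honor the Global Privacy Control (GPC) signal server-side.

Added example, not code from the original page. The header name Sec-GPC and the
/.well-known/gpc.json resource come from the GPC specification; the request
headers, stored preferences and the tag-configuration field names below are
constructed for this example."""
import json

# Constructed request headers, as a web framework would hand them to a view.
SAMPLE_REQUESTS = {
    "with_gpc": {"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"},
    "without_gpc": {"User-Agent": "Mozilla/5.0"},
    "malformed": {"User-Agent": "Mozilla/5.0", "sec-gpc": "true"},
}


def gpc_signal_present(headers):
    """True when the browser sent `Sec-GPC: 1`.

    Header names are case-insensitive, so normalize them first. The specification
    defines only the value 1; anything else is treated as no signal rather than
    guessed at."""
    normalized = {k.lower(): (v or "").strip() for k, v in headers.items()}
    return normalized.get("sec-gpc") == "1"


def effective_opt_out(headers, stored_preference):
    """Decide whether this visitor is opted out of sale/sharing, and why.

    stored_preference is the choice the user made on this site: None (never asked),
    True (opted out), False (consented to sale/sharing).

    Policy assumed for this example: the GPC signal is treated as a valid opt-out
    request and is honored even when it conflicts with an earlier opt-in; the conflict
    is reported so the site can tell the user and let them re-confirm if they want."""
    if gpc_signal_present(headers):
        if stored_preference is False:
            return True, "gpc_overrides_prior_consent"
        return True, "gpc"
    if stored_preference is True:
        return True, "site_preference"
    return False, "no_signal"


def tag_config(headers, stored_preference):
    """Flags to pass to the page's advertising and analytics tags (field names are
    this example's own, not any vendor's API)."""
    opted_out, reason = effective_opt_out(headers, stored_preference)
    return {
        "allow_sale_or_sharing": not opted_out,
        "restricted_data_processing": opted_out,
        "reason": reason,
    }


def gpc_well_known(last_update="2024-01-01"):
    """Body of /.well-known/gpc.json, which tells browsers and auditors that this
    origin honors GPC. The date is a placeholder for when the policy last changed."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        print(name, tag_config(headers, None))
    print(gpc_well_known())
```

The decision has to be made before any tag fires, which is why it belongs in the request path rather than in a consent banner that loads afterward; client-side tags can additionally check `navigator.globalPrivacyControl === true` for requests the server never sees.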
V
Signed into law on 3/2/2021 and effective 1/1/2023 in the state of Virginia. This law gives specific privacy rights to consumers and allows them to opt out of the sale of their personal data.
Prevents video tape service providers from disclosing video tape rental or sale records. The interpretation and application of VPPA are being tested and broadened to include modern technologies and avenues for consuming content (including online).
W
Wiretap laws exist in federal law (the Electronic Communications Privacy Act of 1986) and in many state laws, and they prohibit intercepting communications without the required consent. These laws, particularly the state laws that require all parties to a communication to consent, have become an increasingly common basis for class action litigation over digital content, analytics, and other web services.
Signed into law on 4/27/2023 and effective 3/31/2024 (6/30/2024 for small businesses); the geofencing ban took effect earlier. This law imposes a number of obligations on businesses that collect or process the consumer health data (a defined term) of Washington consumers and grants these consumers a range of new rights over that data.
GDPR Privacy Principle Terms:
Under GDPR, personal data collected must be correct, maintained, and must have the ability to be deleted or corrected if inaccurate.
An organization must collect and use only the personal data that is adequate, relevant, and necessary for the purposes for which it is collected.
If your organization is collecting and processing personal data, then you must ensure that you are implementing the appropriate security measures for protecting personal data.
To process personal data under the GDPR, at least one of six lawful bases must apply: (1) consent, (2) performance of a contract, (3) legal obligation, (4) vital interests, (5) public task, or (6) legitimate interests. You must also process data fairly, in a way that does not unjustifiably harm or mislead the individuals whose data you collect. Lastly, you must be transparent about how the data is collected and used.
Personal data may be collected only for specified, explicit, and legitimate purposes and must not be further used in a way that is incompatible with those purposes.
Per the GDPR, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
CCPA Privacy Principle Terms:
As an organization, you must disclose, if requested, the categories of personal information you collect, the sources you collect it from, what you use it for, whether you sell it, and the categories of third parties you share it with.
As an organization, you must provide the choice to your consumer to opt out of having their data sold. You must include a “Do Not Sell My Personal Information” link on your homepage. You are also required to include a phone number in your policy to allow consumers to communicate with your organization. (At the date of this publication (8/6/2019), an amendment is pending to allow for an email or a phone number).
Your organization must be prepared to delete a consumer’s personal information if requested. There are exceptions in which you can deny a request where the information is: (1) needed to complete a transaction for the reason it was collected, (2) used for a business relationship with the consumer, (3) used for a contract, (4) used to detect security incidents, (5) needed to participate in scientific, historical, or statistical research in the interest of the public, (6) used for internal uses that align with the consumer’s expectations, and (7) required to comply with legal obligation and the law.
Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different prices and rates for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.