Glossary of Terms
Welcome to the only privacy cheat sheet you'll ever need.
Whether you jump up and down at the thought of privacy practices (there are a few of us!), or want to run for the hills, this guide is going to help you navigate the ever-changing world of privacy laws.
The bottom line is that privacy is not going anywhere. To stay ahead of the game, you will need to familiarize yourself with some of the data privacy jargon so you know what to do and when to do it. Customers are demanding transparency now—and if they suspect that you are being less than forthcoming with them, one of your competitors will snap them up faster than you can summon an apology.
Privacy is innovation. Let it become your competitive advantage.
Welcome to a new age of doing business.
Glossary of Privacy Terms:
Accountability – A data controller should always obtain consent of an individual or implement reasonable organizational measures to ensure that an individual’s personal information is properly protected before sharing the data.
Accuracy – Under GDPR, personal data collected must be correct, maintained, and must have the ability to be deleted or corrected if inaccurate.
Ad Targeting – Providing advertisements to a specific audience based on attributes such as location, browsing behavior, purchase history, and demographics.
Adequacy Decision – A decision made by the European Commission that a non-EU country offers an adequate level of protection of personal data through its own domestic privacy laws or international commitments it has made. When the European Commission has determined that a country meets the requirements for an adequacy decision it allows for that country to conduct cross-border data transfers.
Adverse Action – Any decision or action by a business that adversely affects their consumer.
Anonymization – The process of altering personal data so that it is no longer identifiable. This process is irreversible.
Appropriate Safeguards – This is a term used in GDPR in several different contexts such as, (1) transferring personal data to countries outside of the European Union, (2) the processing of special categories of data, and (3) the processing of personal data in a law enforcement context. It usually refers to the application of the general data protection principles [1].
API (Application Programming Interface) – Software standards that allow machine to machine communication and specify how software components should interact with one another.
Asset – A system, database, application, website, physical storage, or any other form that can store or process personal data.
Attorney General (AG) – Abbreviation for Attorney General, the chief legal officer of a U.S. state or of the U.S. federal government.
Authentication – The process of verifying whether an entity is who they claim to be.
Authorization – The process of determining whether a user is permitted to have access rights to a specific resource.
Automated Decision Making – A term from GDPR used to describe when a system uses technology without human involvement to create a profile or make a decision.
Autonomy Privacy – When an individual can behave as they wish (including online behavior) without the concern of being observed or tracked.
B2B – Business to Business – This abbreviation is used to describe sales that occur directly from one business to another.
B2C – Business to Customer – This abbreviation is used to describe sales that occur directly from a business to a customer.
Behavior Advertising – When a business tracks an individual’s online behavior then targets that individual with specific ads based off of their tracked behavior.
Big Data – Refers to large data sets that grow exponentially and are so complex and massive that they require special processing applications.
Binding Corporate Rules – Also referred to as BCRs; developed by the EU Article 29 Working Party. BCRs are internal rules, approved by the data protection authority in the applicable EU member state, which allow multinational corporations, international organizations, and groups of companies to share personal data outside of the EU while still being in compliance with EU data protection laws.
Binding Safe Processor Rules – Principles for processors to follow to protect an individual’s personal data. If a business’s processor is approved as a “safe processor” then that business can conduct international transfers (under GDPR).
Biometric Data – It refers to data generated by automated means that can identify or confirm the identity of a person such as behavioral or physical characteristics. Examples include fingerprint, retina scan, voice print, facial characteristics, identifying DNA information. In many global laws biometric data is deemed a “special category.”
Breach Disclosure – The act of notifying regulators and victims of incidents that affect their confidentiality, anonymity, and the security of their personal information.
California Consumer Privacy Act (CCPA) – Signed into law in 2018, and taking effect in January 2020, this act introduces new privacy rights for individuals living within the state of California. It is the first sweeping privacy law in the United States.
California Investigative Consumer Reporting Agencies Act – A California state law that requires employers to notify individuals before obtaining and using an investigative consumer report about them.
California Online Privacy Protection Act (CalOPPA) – This act requires all websites interacting with California residents to provide a privacy statement to users.
CAN-SPAM – Controlling the Assault of Non-Solicited Pornography And Marketing – Passed in 2003, a U.S. law that sets the rules for commercial emails and messages.
CASL – Canadian Anti-Spam Legislation – Passed in 2013, this Canadian law protects all emails, texts, instant messages, and automated mobile phone messages sent commercially to computers and phones, or accessed by them, in Canada.
CDP – (Customer Data Platform) – A CDP helps companies create a single point of view of their customers by storing web page views, email clicks, payment transactions, and other similar information.
Chief Privacy Officer – A leadership position in an organization that is responsible for managing privacy risks, laws, and policies.
Children’s Online Privacy Protection Act of 1998 (COPPA) – Imposes requirements on the operators of websites directed towards children under 13 years of age.
Child's Age – The age of a child varies by country and privacy law. Generally, it is between 13 and 16 years old.
Choice – Giving an individual the power to determine if, how, and what personal information is collected about them.
CISO – Chief Information Security Officer – An executive level employee who is responsible for identifying and managing risks as they arise and for developing a security strategy to protect the organization's data and assets from breaches.
CMP (Consent Management Platform) – software that is used by companies to legally document and manage a user's consent choices prior to collecting, sharing, or selling user data from online sources such as websites and apps that use cookies, embedded videos, and other tracking technologies.
Collection Limitation – the principle of limiting the collection of personal information to only the quantity and the type of information that is necessary.
Communications Privacy – This type of privacy protects communications such as, postal mail, telephone activity, email, and other types of communication.
Confidentiality – The act of protecting data against unauthorized or unlawful processing. The GDPR states that organizations must be able to maintain confidentiality.
Consent String – also referred to as a “daisybit,” is a series of numbers added to an ad bid request, which identifies the consent status of an ad tech vendor.
Consent – According to GDPR, consent is the act of a data subject agreeing to specific data processing and for consent to be valid it must be freely given, specific, informed, and unambiguous. The data subject must be able to easily withdraw their consent after it is given.
Controller – Per the GDPR, the controller is “the natural or legal person, public authority, agency or other body which determines the purposes and means of processing data.”
Conversion Path – A series of steps on your website that, if followed by a prospect, will facilitate a lead capture(see lead capture).
Cookie Category – a classification of cookies based on their purpose and the type of data collected.
Cookie – A small text file that a website may drop on a user's device for the sake of tracking certain categories of information.
Cookies (1st party) – Cookies placed by the website the user is browsing.
Cookies (3rd party) – Cookies placed by a company different from the one whose website the user is browsing. For example, advertising, analytics, or social media cookies.
Cookies (Persistent) – Cookies that are stored on the user's device until the user deletes the cookie or it expires. Online shopping carts often use this type of cookie.
Cookies (Session) – Cookies that are active only for the period of time that the user is browsing the website.
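To make the four cookie categories above concrete, here is an added example (not code from the glossary) that classifies each Set-Cookie header seen during a page load as first- or third-party and as session or persistent. The page URL, response URLs and headers are constructed; the "site" of a host is approximated by its last two DNS labels, which is an assumption that a real audit would replace with a Public Suffix List lookup.

```python
"""Classify cookies as first/third party and session/persistent.

Added example, not code from the glossary. Inputs: the URL of the page the
user is browsing, the URL of the response that carried the Set-Cookie
header, and the header value itself. The sample hosts and headers below are
constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val}).

    Attribute names are lowercased; flags such as Secure map to ''.
    Only ';' separates parts, so an Expires date containing a comma is safe.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def site_of(host: str) -> str:
    """Approximate a host's 'site' as its last two DNS labels.

    Assumption: no multi-label public suffixes (co.uk, com.au) occur in the
    input; a production audit would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookie(page_url: str, response_url: str, header: str) -> dict:
    """Return the cookie's name, party (first/third), lifetime and flags."""
    name, _value, attrs = parse_set_cookie(header)

    # Party: the cookie belongs to the Domain attribute if present, otherwise
    # to the host that sent the response. It is first-party when that site is
    # the same as the site of the page the user is browsing.
    setter_host = attrs.get("domain", "").lstrip(".") or urlsplit(response_url).hostname
    page_host = urlsplit(page_url).hostname
    party = "first" if site_of(setter_host) == site_of(page_host) else "third"

    # Lifetime: Expires or Max-Age makes the cookie persistent; without either
    # the browser discards it when the browsing session ends.
    persistent = bool(attrs.get("expires") or attrs.get("max-age"))
    return {
        "name": name,
        "party": party,
        "lifetime": "persistent" if persistent else "session",
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit(page_url: str, responses: list[tuple[str, str]]) -> dict:
    """Summarise every cookie set while loading a page as (party, lifetime) counts."""
    summary: dict = {}
    for response_url, header in responses:
        c = classify_cookie(page_url, response_url, header)
        key = f"{c['party']}-party {c['lifetime']}"
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample: one page load that sets four cookies, the last one
# dropped by a tracking pixel served from an ad network's host.
PAGE = "https://shop.example.com/cart"
SAMPLE_RESPONSES = [
    ("https://shop.example.com/cart",
     "cart_id=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly"),
    ("https://shop.example.com/login",
     "sessionid=xyz; Path=/; Secure; HttpOnly"),
    ("https://cdn.example.com/app.js",
     "pref=dark; Domain=example.com; Path=/"),
    ("https://pixel.adnetwork-sample.test/p.gif",
     "uid=42; Domain=.adnetwork-sample.test; Max-Age=31536000; Secure"),
]

if __name__ == "__main__":
    for url, hdr in SAMPLE_RESPONSES:
        print(classify_cookie(PAGE, url, hdr))
    print(audit(PAGE, SAMPLE_RESPONSES))
```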
CPA (Colorado Privacy Act) – Signed into law on 7/8/2021, takes effect 7/1/2024. This law provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data and certain types of profiling. Data controllers will need to honor user-selected universal opt-outs for targeted advertising and sales.
CPO – Chief Procurement Officer – An executive level employee in a corporation responsible for all procurement-related matters, such as supply management, negotiating prices and contracts, and sourcing for the company.
CPRA (California Privacy Rights Act) – a ballot initiative that amends the CCPA and includes additional privacy protections for consumers. The Majority of CPRA's provisions go into effect Jan. 1, 2023.
CRO (Contract Research Organization) – a company that provides support to the pharma, biotech, and medical device industries through contracted research services.
Cross-Border Data Transfers – The transportation of personal data from one jurisdiction (usually country) to another. For the GDPR, this refers to any transportation of personal data from the European Union to a third country (only allowed if the European Commission has determined that they have adequate protection measures).
CTA (Call to Action) – A statement that invites an individual to conduct a certain action such as, “Click here to continue reading”.
CTDPA (Connecticut Data Privacy Act) – Signed into law on 5/10/2022, set to take effect on 7/1/2023. This law places several obligations on businesses that control or process the personal data of Connecticut consumers and grants a set of rights to Connecticut consumers.
CTR – Click Through Rate – The percentage of your audience that follows through with clicking from your homepage to another part of your website as directed by a marketing or sales campaign.
Customer Access – Giving the customer access to the personal information an organization is collecting as well as giving them the ability to review, delete, and edit their personal information.
D
DAA (Digital Advertising Alliance) – establishes and enforces responsible privacy practices across the industry for relevant digital advertising, providing consumers with enhanced transparency and control through multifaceted principles that apply to multi-site data and cross-app data gathered in either desktop, mobile web, or mobile app environments.
Data Breach – The unauthorized access and procurement of data that compromises the security of personal identifiable information maintained by a collector.
Data Classification – When an organization gives different levels of authorization to individuals to access a data inventory in order to protect the data.
Data Concerning Health – This refers to any information regarding an individual’s physical or mental health.
Data Element – Unique pieces of collected information such as name, address, IP address, date of birth, etc.
Data Erasure – Also known as the Right to be Forgotten under GDPR or Right to Deletion under CCPA, it allows the data subject to request that the data controller or company delete and stop sharing their personal data. There are a few exceptions to this under each privacy law.
Data Governance – The exercise of authority and control over the management of data assets. It is the planning, supervision and control over data management and use.
Data Inventory – The location, including how it is shared and organized, of personal data. Data inventory allows for the identification of inconsistent data versions.
Data Masking – The process of de-identifying data through anonymization, pseudonymization, or some other method of obscuring the identifiable data.
Data minimization – An organization must only use the personal data that is necessary to fulfill their primary reason for collecting the data.
Data Portability – The right for the data subject to receive a copy of the data the data subject provided to the controller. The data should be presented in a structured, machine readable format that is commonly used. It should be provided directly to the data subject or upon request by the data subject. The data subject also has the right to share that information directly to another controller.
Data Protection Authority – See Supervisory Authority
Data Protection Impact Assessment (DPIA) – As required under GDPR, companies engaging in high risk processing activity must complete an assessment that identifies, assesses, and mitigates risks of a business' data processing activity. A DPIA should be performed for each different type of high risk processing activity.
Data Protection Officer (DPO) – A data privacy expert who ensures compliance with GDPR policies and procedures and generally reports directly to company management or, in some situations, to the company board.
Data Quality – The practice of using personal data solely for the purpose, and only to the extent, for which it was collected. Personal data should be maintained, meaning that it should be accurate and up-to-date at all times.
Data Subject (Individual) – A natural person whose personal data is collected, held or processed by a controller or processor.
Data Warehouse – A digital repository for storing data (typically large amounts of data).
Dataset – An organized compilation of data.
De-Identification – The method of removing identifiable characteristics from personal data effectively anonymizing the data.
Deletion – Your organization must be prepared to delete a consumer's personal information, if requested. There are exceptions in which you can deny a request where the information is: (1) needed to complete a transaction for the reason it was collected, (2) used for a business relationship with the consumer, (3) used for a contract, (4) used to detect security incidents, (5) needed to participate in scientific, historical, or statistical research in the interest of the public, (6) used for internal uses that align with the consumer’s expectations, and (7) required to comply with legal obligation and the law.
Derogation – An exemption from or relaxation of a law.
Digital Fingerprinting – Digital fingerprints are log files pulled from original content that represents the content’s defining characteristics and are used by content owners to identify website visitors. A log file can be the visitor’s IP address, a time stamp, or even the visitor’s browser preferences (think the type of font, color scheme, etc).
Digital Signature – This type of signature is used to authenticate an electronic document (often used in emails).
Direct Marketing – Advertising and marketing information specifically directed towards targeted individuals.
DMP – (Data Management Platform) – A DMP is used to collect, store, analyze and manage data for digital marketing purposes. A DMP allows segmentation by audiences.
Do Not Track (DNT) – A browser setting, sent to websites as an HTTP request header, that gives individuals the ability to request that websites and applications disable tracking of their online behavior and activities.
DSP – (Demand Side Platform) – A DSP is a system that allows digital advertising inventory buyers to manage multiple ad exchanges in one central place. It often uses information from a DMP. It is designed to find the best website for the advertisement.
E
Electronic Surveillance – The act of monitoring an individual (typically unknown by the individual) through video, reading their communications, location services, and other electronic means.
Encrypted Data – Data produced by encryption, the process of converting plaintext (any type of data) into an encoded form that can only be decoded by someone holding the proper decryption key. Encryption is a security measure that protects sensitive personal data to ensure that the data is only accessible/readable by those with authorization.
Engagement Rate – Commonly used social media metric that reports the amount and type of interaction a particular piece of content receives.
Enterprise – A natural or legal person or entity performing economic actions.
ePrivacy Directive/Regulation – An EU directive passed in 2002 and later amended in 2009. It addresses privacy regarding digital communication, digital marketing, and cookies. An updated regulation is expected to be finalized in 2019.
Equal service and pricing – Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different price and rate for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.
EU – The acronym for the European Union which is a political and economic union comprised of 28 member states located primarily in Europe.
European Commission – The executive branch of the European Union.
European Data Protection Board (EDPB) – EDPB is an EU body responsible for the application of GDPR ensuring consistency across the EU. It is comprised of a representative from the DPA in each EU member state and the European Commission. It was formerly known as Article 29 Working Party (A29WP).
European Data Protection Supervisor (EDPS) – The EDPS has the responsibility to ensure that EU institutions and bodies are providing individuals with the right to privacy when processing personal information.
F
Fair Credit Reporting Act – This act requires accurate data collection, gives the right to consumers to correct their information, and limits the use of consumer reports and data collection.
Family Educational Rights and Privacy Act (FERPA) – The FERPA protects the privacy of students and their records.
Federal Trade Commission (FTC) – This agency protects consumers and collects and acts on complaints about organizations. It also prohibits unfair and deceptive trade practices per Section 5.
First-Party Collection – The data subject gives permission directly to the controller to collect their information.
FLoC (Federated Learning of Cohorts) – a new way that browsers could enable interest-based advertising on the web, in which the companies who today observe the browsing behavior of individuals instead observe the behavior of a cohort of similar people.
Fractional Privacy Officer – An outsourced privacy professional who provides their time and guidance to a company on an ongoing basis, generally part-time and remotely.
Freely Given – When a data subject voluntarily consents to the processing of data and where there is no risk of significant consequences if they do not choose to provide consent. The GDPR requires that a data subject’s consent is freely given.
G
General Data Protection Regulation (GDPR) – A privacy regulation and legal framework that sets guidelines for the collection and processing of personal data of individuals within the EU. It became effective May 25, 2018.
Genetic Data – Personal data relating to inherited or acquired genetic data that is unique to the individual. An example could be an individual's gene sequence.
GLBA – Gramm-Leach-Bliley Act – A US federal law that requires financial institutions to explain to customers how private information is protected, how personal information is shared, and how a customer can opt-out of information shared with third parties.
H
HIPAA – Health Insurance Portability and Accountability Act. It is a US federal law that provides privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. An important distinction is that not all health information is automatically covered under HIPAA.
I
IAB (Interactive Advertising Bureau) – Advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry.
Identifiable Data – Refers to data that can be linked to a specific person, thus identifying that person.
Implied Consent – A consent model in which the user is given prior notice about cookies and tracking technologies, and by continuing further into the site, it is implied that they have given consent. Cookies and other trackers are not active initially until they continue onto the site.
Individual Rights – Data Subject Access Requests are often referred to as Individual Rights. These rights generally include: the right to be informed, the right of access, the right to rectification, the right to erasure/to be forgotten, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling, and the right to opt-out of the sale of data.
Individual – A natural person whose personal data is collected, held or processed by a controller or processor. Also referred to as data subject.
Information Lifecycle – This is the process of collecting, processing, using, disclosing, storing, and deleting data.
Information Security – The act of securing information in order to prevent unauthorized access or misuse of information.
Informed – When an individual has been provided all the necessary information to make a decision about data processing. Under GDPR, the data subject must be informed when providing consent.
Integrity and confidentiality – If your organization is collecting and processing personal data, then you must ensure that you are implementing the appropriate security measures for protecting personal data.
Integrity – In regards to data, integrity refers to the accuracy, consistency, and trustworthiness of the data. The GDPR requires organizations to uphold the integrity of the data that they are collecting.
Internet Protocol Address (IP Address) – A numerical identifier assigned to each device that interacts with a computer network, most commonly, the TCP/IP network. The GDPR categorizes IP addresses as personal information.
J
Jurisdiction – The authority granted to a body to govern or legislate. It can also refer to the geographical region in which authority applies.
L
Landing Page – The web page that an individual is led to after clicking on a banner, CTA, or paid search ad.
Lawfulness, fairness, and transparency – To collect personal information in the EU one of the following six circumstances must apply: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, and (6) legitimate interests. You must also only process data in a way that does not negatively affect the individual from whom you are collecting data. Lastly, you must be transparent about the way that the data is collected and used.
Lead capture – The process of acquiring the name and email of a potential customer so that you can contact that lead in the future.
Lead – An individual who is a potential customer.
Legal Basis – The GDPR requires that a controller must meet one of six legal circumstances in order to collect personal information. The six legal bases include: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, or (6) legitimate interests.
LGPD (Brazilian General Data Protection Law) – is a federal law in Brazil designed to unify 40 existing laws to regulate processing of the personal data of individuals. It was passed on September 18, 2020 and was backdated, coming into effect on August 16, 2020.
Limitation of processing to legitimate purposes – If personal data is being collected then it must only be used for the primary reason stated.
Limitation on time period of storage – Per the GDPR, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
Location-Based Service – Services that are provided based on geographic location.
M
Main Establishment – A location, chosen by the data controller, for its central administration in the EU where it will be bound to applicable local laws and regulations.
Metadata – Data that gives additional information to describe or provide context for other data.
Multi-Factor Authentication – During login, this requires both a password and a second form of authentication such as a code sent to a phone, confirming a phone call, or entering an ever-changing password provided through an application.
N
Negligence – An organization is responsible for damages if it fails to meet the legal obligations to protect personal information.
Non-Public Personal Information – Per GLBA, it is defined as identifiable financial information provided by a customer.
O
Obfuscation – A version of data masking that makes personal data difficult to understand in order to hide the actual data.
Opt-In – An individual makes an affirmative choice to share his or her personal information with a third party.
Opt-Out – An individual makes an affirmative choice (such as clicking a button or checking a box) that disallows the sharing of their personal information with third parties.
P
Personal Data (also referred to as ‘Personal Information’) – Information that relates to an identified or identifiable person (also referred to as ‘Data Subject’ or ‘Individual’).
PIPEDA – Personal Information Protection and Electronic Documents Act – Canada's version of the GDPR, which requires businesses to obtain an individual's consent when they collect, use or disclose that individual's personal information.
Pixel or Tag – a 1×1 tracking pixel (also called a pixel tag or just tag) is a pixel that is embedded into the HTML code of a website, online advertisement, marketing email, or video. Each time an individual loads the site, email, video, or ad, the pixel tag is loaded. This sends a request to the web server that is hosting the pixel. Information about the behavior on the site and about the visitor is sent back and forth from the pixel. Often when a pixel fires, a cookie is dropped. See above for definitions of the different types of cookies. Pixels are commonly used in online advertising such as Facebook and in analytics like Google Analytics.
PPC – Pay Per Click – The cost accrued each time a digital advertisement is clicked through.
Privacy by Design (PbD) – Incorporating privacy at the beginning and throughout the entire design and engineering process of product and service development.
Privacy Impact Assessment (PIA) – A process, often a questionnaire, used by a company to identify and assess privacy risks throughout a product or system lifecycle. It helps identify data collected, used, shared, and stored and allows the company to determine what should be done to mitigate risks when processing personal data.
Privacy Policy – A disclaimer that is located on an organization’s website that lays out how the website uses and collects personal information.
Privacy Rule – Per HIPAA, this rule requires institutions and organizations to protect an individual’s medical records and information.
Privacy Shield Certification – Framework designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration. It allows a company to self-certify to a set of data protection requirements that will enable it to transfer personal data from the EU or Switzerland to the US.
Private Right of Action – This provides individuals the right to file a lawsuit (against the violator) if harmed by a violation of the law.
Processing – Any activity performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Processor – Per the GDPR, “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
Profiling – The use of personal data that is used to evaluate, analyze, or to predict data subject behavior and to make decisions based on that outcome. Profiling is generally performed automatically by systems.
Pseudonymization – A procedure in which personal data fields within a data record are replaced by one or more artificial identifiers so that the personal data cannot be attributed to a single individual without additional information. This process is reversible by an authorized individual, therefore it is not permanent like anonymization.
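The difference between Pseudonymization (reversible with held-back information), Anonymization, De-Identification and Data Masking as defined in this glossary, shown as an added example that is not code from the glossary. The records, the key and the field names are constructed; tokens are keyed HMAC-SHA256 values because an unkeyed hash of an email address could be matched by hashing candidate addresses.

```python
"""Pseudonymization (reversible with a key and a lookup table) versus
anonymization (irreversible). Added example, not code from the glossary;
the records, key and field names below are constructed.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records: one direct identifier (email) plus
# quasi-identifiers (birth_year, zip) that could re-identify in combination.
RECORDS: List[dict] = [
    {"email": "ana@example.com", "birth_year": 1987, "zip": "94110", "purchase": 42.50},
    {"email": "ben@example.com", "birth_year": 1992, "zip": "10003", "purchase": 13.00},
    {"email": "Ana@Example.com", "birth_year": 1987, "zip": "94110", "purchase": 7.25},
]
DIRECT_IDENTIFIERS = ("email",)


class Pseudonymizer:
    """Replace direct identifiers with artificial tokens.

    Tokens are keyed HMAC-SHA256 values rather than plain hashes: an unkeyed
    hash of an email can be matched by hashing candidate addresses, so it
    would not be a safeguard. The key and the token->value lookup table are
    the 'additional information' that must be held separately, under access
    control, from the pseudonymized data set.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}

    def token(self, value: str) -> str:
        normalized = value.strip().lower()  # same person -> same token
        mac = hmac.new(self._key, normalized.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            tok = self.token(out[field])
            self._lookup[tok] = out[field].strip().lower()
            out[field] = tok
        return out

    def reidentify(self, record: dict) -> dict:
        """Reverse the mapping; only possible with this object's lookup table."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            out[field] = self._lookup[out[field]]
        return out


def anonymize(record: dict, reference_year: int = 2024) -> dict:
    """Irreversibly strip direct identifiers and generalize quasi-identifiers.

    Nothing is retained that would let anyone map the output back to a
    person, so there is no reidentify() counterpart.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = reference_year - out.pop("birth_year")
    low = (age // 10) * 10
    out["age_band"] = f"{low}-{low + 9}"   # 37 -> "30-39"
    out["zip3"] = out.pop("zip")[:3]       # "94110" -> "941"
    return out


if __name__ == "__main__":
    p = Pseudonymizer(key=b"constructed-demo-key-keep-secret")
    pseudo = [p.pseudonymize(r) for r in RECORDS]
    print("pseudonymized:", pseudo)
    print("re-identified:", p.reidentify(pseudo[0]))
    print("anonymized:", [anonymize(r) for r in RECORDS])
```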
QR Code – is a type of matrix barcode (or two-dimensional code) that can be scanned by smartphones or specific QR barcode readers to transmit encoded data.
R
Real Time Bidding (RTB) – Real time bidding is an automated auction process for the purchase of online advertising inventory impressions on websites.
Recipient – The natural person, public authority, agency, another body or company to which personal data is disclosed.
Records of Processing Activities (RoPA) – Often referred to as the Article 30 report. This is a required set of records that documents in detail the data processing activities that the company is responsible for. There are specific items to be included in the Article 30 report, such as: (1) the purpose of processing, (2) the description of the categories of data subjects and personal data, (3) the categories of recipients to whom the personal data has been or will be disclosed, (4) cross border transfers, (5) the lawful basis relied upon, and more.
Rectification (Also referred to as the “Right to Correct”) – The right of an individual to request that an organization or third party correct their personal information. Under the GDPR, individuals have the right to rectification and controllers must fix inaccurate personal data if requested.
Redaction – The process of removing or obscuring information from documents.
Regulation – A binding set of rules that details what a company must do to comply. This could be an industry-imposed, self-regulatory framework like the Digital Advertising Alliance's Self-Regulatory Framework, or it could be imposed by lawmakers, such as the ePrivacy Directive.
Re-identification – This occurs when de-identified data is matched back to an individual, therefore, making the individual identifiable.
Representative – A person or entity established in the EU, appointed by a data controller or processor that is not itself established in the EU, to act on its behalf towards supervisory authorities and data subjects.
Restriction of Processing – The right of a data subject to limit the future processing of their own stored personal data.
Retention – The notion that organizations should only retain personal information for as long as it is needed to fulfill the original statement of purpose.
Right to Access – Also known as the Data Subject Access Right (DSAR). This right allows the data subject to request in writing to be provided a copy of the personal data being processed by the controller. The controller should also provide an explanation for the purpose of processing the data subject's personal data. Privacy laws differ in how long a controller has to respond to a DSAR.
Right to be Forgotten or Right to Deletion – Also referred to as Data Erasure, it entitles the data subject to request that the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
ROI – Return on Investment – A performance measure that compares the gain from an investment with its cost, usually expressed as a percentage of that cost.
S
SaaS (Software as a Service) – Software hosted and operated by a vendor and accessed over the internet, so the information you enter is stored on the vendor's cloud infrastructure. For privacy purposes the SaaS vendor typically acts as a processor of your data and should be covered by a data processing agreement.
Sensitive Personal Information – Information regarding an individual’s race, ethnicity, marital status, religion, health records, sexuality, social security number, license, etc. The GDPR treats many of these as “special categories” of data and restricts their processing.
SLA – Service Level Agreement – An agreement between a service provider and its customer (or between internal teams, such as sales and marketing) that defines the level of service to be delivered, for example availability, response times for support or data subject requests, and the remedies if those targets are missed.
SMB – Small to Medium Business – Companies with approximately 10-500 employees.
Spam – Unsolicited information that is sent to an individual typically via electronic communication.
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for specific and clearly spelled out uses and must be consulted if the use changes.
SSP – (Supply (or sell) Side Platform) – A SSP is a technology platform that allows publishers to automate the selling of their online advertising inventory. They are designed to allow publishers or website owners to maximize the price of their advertising inventory.
Super Cookie – A tracking mechanism that, unlike a normal cookie, survives the user clearing their cookies. Examples include identifiers stored in other browser storage (local storage, cache entries such as ETags, HSTS flags) or injected by a network operator into HTTP headers, all of which persist after ordinary cookies have been deleted.
Supervisory Authority (SA) – A public authority that is established by a member state of the EU that oversees the execution of GDPR regulations.
T
TCPA – Telephone Consumer Protection Act. A US federal law that restricts marketing and debt collection automated dialing and pre-recorded messages. It covers cell phones, landlines, text messages, and unsolicited faxes. It also covers phone numbers listed in the Do Not Call Registry.
Territorial Privacy – This type of privacy limits intruding into an individual’s territorial environment such as their home or workplace.
Third-Party – Under the GDPR, any natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons who are authorized to process personal data under the direct authority of the controller or processor.
Transfer Impact Assessment (TIA) – an analysis of the impact and security implications of a transfer to a country outside the EEA that has not received an adequacy decision.
Transparency – As an organization, you must share, if requested, the type of personal information you are collecting, where you are collecting personal data from, what you are using the data for, whether or not you are selling it, and to whom you are sharing the data with.
U
UCPA (Utah Consumer Privacy Act) – Signed into law on 3/24/2022, will take effect on 12/31/2023. This law imposes a number of obligations on businesses that control or process the personal data of Utah consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.
UK-GDPR – The United Kingdom General Data Protection Regulation is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK. The UK-GDPR was drafted as a result of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.
Unambiguous Consent – Consent given through a clear affirmative act by an individual who understands what they are agreeing to. Silence, pre-ticked boxes, or inactivity do not count; the organization must present the consequences of the decision clearly enough that the individual fully understands them.
V
VCDPA (Virginia Consumer Data Protection Act) – Signed into law on 3/2/2021 and effective 1/1/2023 in the state of Virginia. This law gives specific privacy rights to consumers and allows them to opt out of the sale of their personal data and of targeted advertising.
Laws/Enforcement Bodies/Roles Section:
Attorney General (AG) – The chief legal officer of a US state (or, at the federal level, the head of the Department of Justice). State attorneys general enforce state privacy laws such as the CCPA and VCDPA.
California Consumer Privacy Act (CCPA) – Signed into law in 2018 and in effect since January 1, 2020, this act introduces new privacy rights for residents of the state of California. It was the first comprehensive consumer privacy law in the United States.
California Investigative Consumer Reporting Agencies Act (ICRAA) – A California state law that regulates investigative consumer reports (background checks) and requires employers to notify the individual, and obtain their written authorization, before obtaining and using such a report.
CAN-SPAM – Controlling the Assault of Non-Solicited Pornography And Marketing- Passed in 2003, a U.S. law that sets the rules for commercial emails and messages.
CASL – Canadian Anti-Spam Legislation – Passed in 2010 and in force since July 1, 2014, this Canadian law regulates commercial electronic messages (emails, texts, instant messages, and automated mobile phone messages) sent to or accessed from computers and phones in Canada, generally requiring the recipient's consent.
Children’s Online Privacy Protection Act of 1998 (COPPA) – Imposes requirements on the operators of websites directed towards children under 13 years of age.
CISO – Chief Information Security Officer – An executive-level employee who develops and runs the security strategy that protects the organization's data and assets from breaches, and who identifies and manages security risks as they arise.
CPO – Chief Procurement Officer – An executive-level employee responsible for all procurement-related matters, such as supply management, negotiating prices and contracts, and sourcing for the company. (In privacy programs the same abbreviation more often means Chief Privacy Officer, the executive who owns the organization's privacy program.)
DAA (Digital Advertising Alliance) – establishes and enforces responsible privacy practices across the industry for relevant digital advertising, providing consumers with enhanced transparency and control through multifaceted principles that apply to multi-site data and cross-app data gathered in either desktop, mobile web, or mobile app environments.
ePrivacy Directive/Regulation – An EU directive passed in 2002 and amended in 2009. It addresses privacy in electronic communications, digital marketing, and cookies, and is the source of the cookie-consent requirement. A replacement ePrivacy Regulation has been proposed but, at the time of writing, has not been adopted.
European Commission – The executive branch of the European Union.
European Data Protection Board (EDPB) – An EU body responsible for the consistent application of the GDPR across the EU. It is composed of the head of the supervisory authority of each EU member state and the European Data Protection Supervisor; the European Commission takes part without voting rights. It replaced the Article 29 Working Party (A29WP).
European Data Protection Supervisor (EDPS) – The EDPS has the responsibility to ensure that EU institutions and bodies are providing individuals with the right to privacy when processing personal information.
Fair Credit Reporting Act – This act requires accurate data collection, gives the right to consumers to correct their information, and limits the use of consumer reports and data collection.
Family Educational Rights and Privacy Act (FERPA) – The FERPA protects the privacy of students and their records.
Federal Trade Commission (FTC) – The US agency that protects consumers and collects and acts on complaints about organizations. Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, is the basis for most of its privacy and data security enforcement.
GLBA Gramm-Leach Bliley Act – A US federal law that requires financial institutions to explain to customers how private information is protected, how personal information is shared, and how a customer can opt out of information being shared with third parties.
HIPAA – Health Insurance Portability and Accountability Act. It is a US federal law that provides privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. An important distinction is that not all health information is automatically covered under HIPAA.
IAB (Interactive Advertising Bureau) – Advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry.
PIPEDA – Personal Information Protection and Electronic Documents Act – Canada's federal privacy law for the private sector, often compared to the GDPR. It requires businesses to obtain an individual's consent when they collect, use, or disclose that individual's personal information.
Privacy Shield Certification – A framework designed by the U.S. Department of Commerce with the European Commission and the Swiss Administration. A company self-certified to a set of data protection requirements, which then allowed it to receive personal data transferred from the EU or Switzerland to the US. The EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II decision) and can no longer be relied on for transfers.
Supervisory Authority (SA) – A public authority which is established by a member state of the EU that oversees the execution of GDPR regulations.
TCPA – Telephone Consumer Protection Act. A US federal law that restricts marketing and debt collection automated dialing and pre-recorded messages. It covers cell phones, landlines, text messages, and unsolicited faxes. It also covers phone numbers listed in the Do Not Call Registry.
VCDPA (Virginia Consumer Data Protection Act) – Signed into law on 3/2/2021 and effective 1/1/2023 in the state of Virginia. This law gives specific privacy rights to consumers and allows them to opt out of the sale of their personal data and of targeted advertising.
Advertising Definitions:
Ad Targeting – Providing advertisements to a specific audience based on attributes such as location, browsing behavior, purchase history, and demographics.
Behavioral Advertising – When a business tracks an individual’s online behavior and then targets that individual with specific ads based on the tracked behavior.
B2B – Business to Business – This abbreviation is used to describe sales that occur directly from one business to another.
B2C – Business to Consumer – This abbreviation is used to describe sales that occur directly from a business to an individual consumer.
CDP – (Customer Data Platform)-A CDP helps companies create a single point of view of their customers by storing web page views, email clicks, payment transactions, and other similar information.
Conversion Path – A series of steps on your website that, if followed by a prospect, will facilitate a lead capture(see lead capture).
Cookies – A small text file that a website may place on a user's device (via the Set-Cookie response header) and that the browser sends back on later requests to that site, used to keep state and to track certain categories of information.
Cookies (1st party) – Cookies placed by the website the user is browsing.
Cookies (3rd party) – Cookies placed by a company different from the one the user is browsing. For example, advertising, analytics, or social media cookies.
Cookies (Persistent) – Cookies that carry an Expires or Max-Age attribute and are stored on the user's device until the user deletes the cookie or it expires. Online shopping carts often use this type of cookie.
Cookies (Session) – Cookies with no Expires or Max-Age attribute; they are active only for the period of time that the user is browsing the website and are discarded when the browser session ends.
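As an added example (not code from the original glossary), a small audit that sorts Set-Cookie headers into the four categories above from their attributes, and flags the hardening attributes a reviewer would look for. The page URL, the setting hosts, and the headers are constructed samples, and the eTLD+1 helper is a deliberate simplification.

```python
"""Added example: classify Set-Cookie headers as session vs persistent and
first- vs third-party, and flag missing hardening attributes. The page URL and
the headers are constructed samples, not captured traffic."""
from urllib.parse import urlsplit

PAGE_URL = "https://shop.example.com/cart"  # assumed page the user is browsing

# Constructed (setting host, Set-Cookie header) pairs received while loading PAGE_URL.
SAMPLE_SET_COOKIES = [
    ("shop.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "cart=item42; Max-Age=2592000; Path=/"),
    ("ads.tracker.example", "_uid=9f3e; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"),
    ("analytics.example.net", "_ga=GA1.2.1; Domain=.example.net; Max-Age=63072000"),
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes). Attribute
    names are case-insensitive; bare flags such as Secure get the value True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for the sample hosts; real
    tooling should consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(setting_host, header, page_url=PAGE_URL):
    """Return lifetime, party and a list of findings for one cookie."""
    name, _value, attrs = parse_set_cookie(header)
    page_host = urlsplit(page_url).hostname
    # Persistent cookies carry Max-Age or Expires; anything else dies with the session.
    lifetime = "persistent" if ("max-age" in attrs or "expires" in attrs) else "session"
    # The cookie's domain is the Domain attribute if given, else the host that set it.
    domain = attrs.get("domain")
    if not isinstance(domain, str):
        domain = setting_host
    party = "first-party" if registrable_domain(domain) == registrable_domain(page_host) else "third-party"
    samesite = attrs.get("samesite")
    samesite = samesite.lower() if isinstance(samesite, str) else "unspecified"
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if party == "third-party" and samesite != "none":
        findings.append("third-party cookie without SameSite=None")
    return {"name": name, "lifetime": lifetime, "party": party,
            "samesite": samesite, "findings": findings}


def audit(samples=SAMPLE_SET_COOKIES, page_url=PAGE_URL):
    """Classify every sampled cookie against the page being browsed."""
    return [classify(host, header, page_url) for host, header in samples]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Two things the sample shows that the definitions alone do not: a cookie is third-party because of whose registrable domain it belongs to, not because of which server happened to send it (the Domain attribute can move it), and a third-party cookie that is not marked SameSite=None; Secure will simply not be sent cross-site by current browsers, so a privacy review should treat those two attributes as the signature of deliberate cross-site tracking.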
CTA- Call to Action – A statement that invites an individual to conduct a certain action such as, “Click here to continue reading”.
CTR – Click Through Rate – The percentage of people who click on a link, ad, or CTA out of those who were shown it (clicks divided by impressions).
Direct Marketing – Advertising and marketing information specifically directed towards targeted individuals.
DMP – (Data Management Platform) – A DMP is used to collect, store, analyze and manage data for digital marketing purposes. A DMP allows segmentation by audiences.
DSP – (Demand Side Platform) – A DSP is a system that allows digital advertising inventory buyers to manage multiple ad exchanges in one central place. It often uses information from a DMP. It is designed to find the best website for the advertisement.
Engagement Rate – Commonly used social media metric that reports the amount and type of interaction a particular piece of content receives.
Landing Page – The web page that an individual is led to after clicking on a banner, CTA, or paid search ad.
Lead – An individual who is a potential customer.
Lead capture – The process of acquiring the name and email of a potential customer so that you can contact that lead in the future.
PPC – Pay Per Click – The cost accrued each time a digital advertisement is clicked through.
Pixel or Tag – A 1×1 tracking pixel (also called a pixel tag or just tag) is a tiny image embedded in the HTML of a website, online advertisement, marketing email, or video. Each time an individual loads the site, email, video, or ad, the pixel is loaded, which sends a request to the web server hosting it. That request carries information about the visitor (IP address, user agent, referring page, and any identifiers encoded in the pixel's URL) to the server. Often when a pixel fires, a cookie is dropped. See above for definitions of the different types of cookies. Pixels are commonly used in online advertising, such as the Facebook pixel, and in analytics, such as Google Analytics.
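As an added example (not from the original glossary or any analytics vendor), both halves of a tracking pixel: the tag a sender embeds, and a server-side handler showing exactly what one image load gives away and how the dropped cookie ties later loads to the same browser. The pixel host, parameter names, cookie name and sample headers are all assumptions.

```python
"""Added example: the mechanics of a tracking pixel, both the embedded tag and
the server that answers it. Not code from any real analytics vendor; the host,
parameter names, cookie name and sample request headers are assumed."""
import uuid
from urllib.parse import urlencode, urlsplit, parse_qs

PIXEL_BASE = "https://track.example.net/p.gif"  # assumed pixel host
COOKIE_NAME = "_tid"                             # assumed tracking-id cookie

# 1x1 transparent GIF, 43 bytes: the usual payload returned for a pixel.
TRANSPARENT_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                   b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
                   b"\x01\x00\x00\x02\x02\x44\x01\x00\x3b")


def build_pixel_tag(campaign, recipient_id):
    """What the sender embeds in an email or page. The identifiers ride in the
    query string, so merely loading the image reports who opened what."""
    url = PIXEL_BASE + "?" + urlencode({"c": campaign, "r": recipient_id})
    return f'<img src="{url}" width="1" height="1" alt="">'


def handle_pixel_request(method, url, headers, client_ip):
    """Server side of the pixel. Returns (status, response_headers, body, event).
    If the client presented no tracking cookie, one is minted and set; that is
    how separate loads from the same browser get tied together."""
    if method != "GET":
        return 405, {}, b"", None
    query = parse_qs(urlsplit(url).query)
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("Cookie", "").split(";") if "=" in c)
    tid = cookies.get(COOKIE_NAME)
    resp_headers = {"Content-Type": "image/gif", "Cache-Control": "no-store, private"}
    new_cookie = False
    if tid is None:
        tid = uuid.uuid4().hex
        new_cookie = True
        # Third-party context, so the cookie must be SameSite=None; Secure to be sent at all.
        resp_headers["Set-Cookie"] = (f"{COOKIE_NAME}={tid}; Max-Age=31536000; "
                                      "Secure; HttpOnly; SameSite=None")
    # Everything below is learned from a single image load.
    event = {
        "tid": tid,
        "new_cookie": new_cookie,
        "campaign": query.get("c", [None])[0],
        "recipient": query.get("r", [None])[0],
        "referer": headers.get("Referer"),
        "user_agent": headers.get("User-Agent"),
        "ip": client_ip,
    }
    return 200, resp_headers, TRANSPARENT_GIF, event


if __name__ == "__main__":
    print(build_pixel_tag("spring-sale", "u123"))
    # Constructed request, as a mail client or browser would send it.
    status, hdrs, body, event = handle_pixel_request(
        "GET", PIXEL_BASE + "?c=spring-sale&r=u123",
        {"User-Agent": "Mozilla/5.0", "Referer": "https://mail.example.com/"},
        "203.0.113.7")
    print(status, hdrs, len(body), event)
```

The event record is the privacy point: a recipient id in the URL turns an anonymous image fetch into "this person opened this campaign at this IP with this client", and the cookie set on the first load links every later pixel load from that browser, on any site embedding the same host, into one profile. The Cache-Control header is there so that intermediaries do not serve the image from cache and silently hide later loads from the server.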
QR Code – is a type of matrix barcode (or two-dimensional code) that can be scanned by smartphones or specific QR barcode readers to transmit encoded data.
Real Time Bidding (RTB) – An automated auction process for the purchase of individual online advertising impressions on websites, run in the time it takes the page to load.
ROI – Return on Investment – A performance measure used to determine how profitable something will be in relation to the amount of effort it will take to produce it.
SaaS – Software-as-a-Service – Software hosted and operated by a vendor and accessed over the internet, so the information you enter is stored on the vendor's cloud infrastructure. For privacy purposes the SaaS vendor typically acts as a processor of your data and should be covered by a data processing agreement.
SLA – Service Level Agreement – An agreement between a service provider and its customer (or between internal teams, such as sales and marketing) that defines the level of service to be delivered, for example availability, response times for support or data subject requests, and the remedies if those targets are missed.
SMB – Small to Medium Business – Companies with approximately 10-500 employees.
SSP – (Supply (or sell) Side Platform) – An SSP is a technology platform that allows publishers to automate the selling of their online advertising inventory. They are designed to allow publishers or website owners to maximize the price of their advertising inventory.
GDPR Privacy Principle Terms:
Accuracy – Under GDPR, personal data collected must be correct, maintained, and must have the ability to be deleted or corrected if inaccurate.
Data minimization – An organization must only use the personal data that is necessary to fulfill their primary reason for collecting the data.
Integrity and confidentiality – If your organization is collecting and processing personal data, then you must ensure that you are implementing the appropriate security measures for protecting personal data.
Lawfulness, fairness, and transparency – To process personal data in the EU, one of the following six lawful bases must apply: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, and (6) legitimate interests. You must also only process data in a way that does not negatively affect the individual from whom you are collecting it. Lastly, you must be transparent about the way that the data is collected and used.
Limitation of processing to legitimate purposes – If personal data is being collected then it must only be used for the primary reason stated.
Limitation on time period of storage – Per the GDPR, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
CCPA Privacy Principle Terms:
Transparency – As an organization, you must share, if requested, the type of personal information you are collecting, where you are collecting personal data from, what you are using the data for, whether or not you are selling it, and to whom you are sharing the data with.
Opt-Out – As an organization, you must provide the choice to your consumer to opt-out of having their data sold. You must include a “Do Not Sell My Personal Information” link on your homepage. You are also required to include a phone number in your policy to allow consumers to communicate with your organization. (At the date of this publication (8/6/2019), there is an amendment pending to allow for an email or a phone number).
Deletion – Your organization must be prepared to delete a consumer's personal information, if requested. There are exceptions in which you can deny a request where the information is: (1) needed to complete a transaction for the reason it was collected, (2) used for a business relationship with the consumer, (3) used for a contract, (4) used to detect security incidents, (5) needed to participate in scientific, historical, or statistical research in the interest of the public, (6) used for internal uses that align with the consumer’s expectations, and (7) required to comply with legal obligation and the law.
Equal service and pricing – Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different price and rate for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.
Sources
[1] “International Association of Privacy Professionals”, Iapp.org, 2019. [Online]. Available: https://iapp.org/resources/glossary/. [Accessed: 06- Aug- 2019].
[2] “Definition of JURISDICTION”, Merriam-webster.com, 2019. [Online]. Available: https://www.merriam-webster.com/dictionary/jurisdiction. [Accessed: 06- Aug- 2019].
[3] “Cookie Definition”, Techterms.com, 2019. [Online]. Available: https://techterms.com/definition/cookie. [Accessed: 06- Aug- 2019].