This glossary includes:
- The most common privacy terms broken down into simple, straightforward language.
- Relevant examples to help you understand how the terms practically apply to your business.
- An option to download a printable PDF for easy reference.
Whether you jump up and down at the thought of privacy practices (there are a few of us!), or want to run for the hills, this guide is going to help you navigate the ever-changing world of privacy laws.
The bottom line is that privacy is not going anywhere. To stay ahead of the game, you will need to familiarize yourself with some of the data privacy jargon so you know what to do and when to do it. Customers are demanding transparency now—and if they suspect that you are being less than forthcoming with them, one of your competitors will snap them up faster than you can summon an apology.
Privacy is innovation. Let it become your competitive advantage.
Welcome to a new age of doing business.
Glossary of Privacy Terms:
Accountability – A data controller should always obtain consent of an individual or implement reasonable organizational measures to ensure that an individual’s personal information is properly protected before sharing the data.
Adequacy Decision – A decision made by the European Commission that a non-EU country offers an adequate level of protection of personal data through its own domestic privacy laws or international commitments it has made. When the European Commission has determined that a country meets the requirements for an adequacy decision it allows for that country to conduct cross-border data transfers.
Adverse Action – Any decision or action by a business that adversely affects their consumer.
Anonymization – The process of altering personal data so that it is no longer identifiable. This process is irreversible.
Appropriate Safeguards – This is a term used in GDPR in several different contexts, such as (1) transferring personal data to countries outside of the European Union, (2) the processing of special categories of data, and (3) the processing of personal data in a law enforcement context. It usually refers to the application of the general data protection principles.
API (Application Programming Interface) – Software standards that allow machine to machine communication and specify how software components should interact with one another.
Asset – A system, database, application, website, physical storage, or any other form that can store or process personal data.
Authentication – The process of verifying whether an entity is who they claim to be.
Authorization – The process of determining whether a user is permitted to have access rights to a specific resource.
Automated Decision Making – A term from GDPR used to describe when a system uses technology without human involvement to create a profile or make a decision.
Autonomy Privacy – When an individual can behave as they wish (including online behavior) without the concern of being observed or tracked.
Big Data – Refers to large data sets that grow exponentially and are so complex and massive that they require special processing applications.
Binding Corporate Rules – Also referred to as BCRs, these were developed by the EU Article 29 Working Party. BCRs are internal rules, approved by the data protection authority in the applicable EU member state, which allow multinational corporations, international organizations, and groups of companies to share personal data outside of the EU while still being in compliance with EU data protection laws.
Binding Safe Processor Rules – Principles for processors to follow to protect an individual’s personal data. If a business’s processor is approved as a “safe processor” then that business can conduct international transfers (under GDPR).
Biometric Data – It refers to data generated by automated means that can identify or confirm the identity of a person such as behavioral or physical characteristics. Examples include fingerprint, retina scan, voice print, facial characteristics, and identifying DNA information. In many global laws biometric data is deemed a “special category.”
Breach Disclosure – The act of notifying regulators and victims of incidents that affect their confidentiality, anonymity, and the security of their personal information.
California Consumer Privacy Act (CCPA) – This is a comprehensive, state-level privacy law that goes into effect January 2020 in the state of California. This law gives specific privacy rights to the consumers and allows for them to opt-out of the sale of their personal data.
California Online Privacy Protection Act (CalOPPA) – This act requires all websites interacting with California residents to provide a privacy statement to users.
Chief Privacy Officer – A leadership position in an organization that is responsible for managing privacy risks, laws, and policies.
Child’s Age – The age of a child varies by country and privacy law. Generally, it is between 13 and 16 years old.
Choice – Giving an individual the power to determine if, how, and what personal information is collected about them.
Collection Limitation – A principle arguing that there should be limitations to the collection of personal information.
Communications Privacy – This type of privacy protects communications such as, postal mail, telephone activity, email, and other types of communication.
Confidentiality – The act of protecting data against unauthorized or unlawful processing. The GDPR states that organizations must be able to maintain confidentiality.
Consent – According to GDPR, consent is the act of a data subject agreeing to specific data processing and for consent to be valid it must be freely given, specific, informed, and unambiguous. The data subject must be able to easily withdraw their consent after it is given.
Controller – Per the GDPR, the controller is “the natural or legal person, public authority, agency or other body which determines the purposes and means of processing data.”
Cookie – A small amount of data generated by a website and saved by the web browser.
Cross-Border Data Transfers – The transportation of personal data from one jurisdiction (usually country) to another. For the GDPR, this refers to any transportation of personal data from the European Union to a third country (only allowed if the European Commission has determined that they have adequate protection measures).
Customer Access – Giving the customer access to the personal information an organization is collecting as well as giving them the ability to review, delete, and edit their personal information.
Data Breach – The unauthorized access and procurement of data that compromises the security of personal identifiable information maintained by a collector.
Data Classification – When an organization gives different levels of authorization to individuals to access a data inventory in order to protect the data.
Data Concerning Health – This refers to any information regarding an individual’s physical or mental health.
Data Element – Unique pieces of collected information such as name, address, IP address, date of birth, etc.
Data Erasure – Also known as the Right to be Forgotten under GDPR or Right to Deletion under CCPA, it allows the data subject to request that the data controller or company delete and stop sharing their personal data. There are a few exceptions to this under each privacy law.
Data Inventory – The location, including how it is shared and organized, of personal data. Data inventory allows for the identification of inconsistent data versions.
Data Masking – The process of de-identifying data through anonymization, pseudonymization, or some other method of obscuring the identifiable data.
Data Portability – The right for the data subject to receive a copy of the data the data subject provided to the controller. The data should be presented in a structured, machine readable format that is commonly used. It should be provided directly to the data subject or upon request by the data subject. The data subject also has the right to share that information directly to another controller.
Data Protection Authority – See Supervisory Authority
Data Protection Officer (DPO) – A data privacy expert who ensures compliance with GDPR policies and procedures and generally reports directly to company management or the company board in some situations.
Data Protection Impact Assessment (DPIA) – As required under GDPR, companies engaging in high risk processing activity must complete an assessment that identifies, assesses, and mitigates risks of a business’ data processing activity. A DPIA should be performed for each different type of high risk processing activity.
Data Subject (Individual) – A natural person whose personal data is collected, held or processed by a controller or processor.
Dataset – An organized compilation of data.
Data Quality – The practice of using personal data solely for the purpose for and the extent to which it is supposed to be used. Personal data should be maintained meaning that it should be accurate and up-to-date at all times.
Data Warehouse – A digital repository for storing data (typically large amounts of data).
De-Identification – The method of removing identifiable characteristics from personal data effectively anonymizing the data.
Derogation – An exemption from or relaxation of a law.
Digital Fingerprinting – Digital fingerprints are log files pulled from original content that represents the content’s defining characteristics and are used by content owners to identify website visitors. A log file can be the visitor’s IP address, a time stamp, or even the visitor’s browser preferences (think the type of font, color scheme, etc).
Digital Signature – This type of signature is used to authenticate an electronic document (often used in emails).
Do Not Track (DNT) – An application that gives individuals the ability to request that applications disable tracking of their online behavior and activities.
Electronic Surveillance – The act of monitoring an individual (typically unknown by the individual) through video, reading their communications, location services, and other electronic means.
Encrypted Data – The process of converting plaintext (any type of data) into an encoded version that can only be decoded by the individual with the proper decryption key. Encryption is a security measure that protects sensitive personal data to ensure that the data is only accessible/readable by those with authorization.
Enterprise – A natural or legal person or entity performing economic actions.
EU – The acronym for the European Union which is a political and economic union comprised of 28 member states located primarily in Europe.
First-Party Collection – The data subject gives permission directly to the controller to collect their information.
Fractional Privacy Officer – An outsourced privacy professional who provides their time and guidance to a company on an ongoing basis, generally part-time and remotely.
Freely Given – When a data subject voluntarily consents to the processing of data and where there is no risk of significant consequences if they do not choose to provide consent. The GDPR requires that a data subject’s consent is freely given.
General Data Protection Regulation (GDPR) – A privacy regulation and legal framework that sets guidelines for the collection and processing of personal data of individuals within the EU. It became effective May 25, 2018.
Genetic Data – Personal data relating to inherited or acquired genetic data that is unique to the individual. An example could be an individual’s gene sequence.
Identifiable Data – Refers to data that can be linked to a specific person, thus identifying that person.
Individual – Also referred to as data subject.
Individual Rights – Data Subject Access Requests are often referred to as Individual Rights. These rights generally include: the right to be informed, the right of access, the right to rectification, the right to erasure/to be forgotten, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling, and the right to opt-out of the sale of data.
Information Lifecycle – This is the process of collecting, processing, using, disclosing, storing, and deleting data.
Information Security – The act of securing information in order to prevent unauthorized access or misuse of information.
Informed – When an individual has been provided all of the necessary information to make a decision about data processing. Under GDPR, the data subject must be informed when providing consent.
Integrity – In regards to data, integrity refers to the accuracy, consistency, and trustworthiness of the data. The GDPR requires organizations to uphold the integrity of the data that they are collecting.
Internet Protocol Address (IP Address) – A numerical identifier assigned to each device that interacts with a computer network, most commonly, the TCP/IP network. The GDPR categorizes IP addresses as personal information.
Jurisdiction – The authority granted to a body to govern or legislate. It can also refer to the geographical region in which authority applies.
Legal Basis – The GDPR requires that a controller must meet one of six legal circumstances in order to collect personal information. The six legal bases include: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, or (6) legitimate interests.
Location-Based Service – Services that are provided based on geographic location.
Main Establishment – A location, chosen by the data controller, for its central administration in the EU where it will be bound to applicable local laws and regulations.
Metadata – Data that gives additional information to describe or provide context for other data.
Multi-Factor Authentication – During login, this requires both a password and a second form of authentication such as a code sent to a phone, confirming a phone call, or entering an ever changing password provided through an application.
Negligence – An organization is responsible for damages if it fails to meet the legal obligations to protect personal information.
Non-Public Personal Information – Per GLBA, it is defined as identifiable financial information provided by a customer.
Obfuscation – A version of data masking that makes personal data difficult to understand in order to hide the actual data.
Opt-In – An individual makes an affirmative choice to share his or her personal information with a third party.
Opt-Out – An individual takes a step (such as clicking a button or checking a box) that disallows third parties to share their personal information.
Personal Data (also referred to as ‘Personal Information’) – Information that relates to an identified or identifiable person (also referred to as ‘Data Subject’ or ‘Individual’).
Privacy by Design (PbD) – Incorporating privacy at the beginning and throughout the entire design and engineering process of product and service development.
Privacy Impact Assessment – A process, often a questionnaire, used by a company to identify and assess privacy risks throughout a product or system lifecycle. It helps identify data collected, used, shared, and stored and allows the company to determine what should be done to mitigate risks when processing personal data.
Privacy Rule – Per HIPAA, this rule requires institutions and organizations to protect an individual’s medical records and information.
Private Right of Action – This provides individuals the right to file a lawsuit (against the violator) if harmed by a violation of the law.
Processor – Per the GDPR, “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
Processing – Any activity performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Profiling – The use of personal data that is used to evaluate, analyze, or to predict data subject behavior and to make decisions based on that outcome. Profiling is generally performed automatically by systems.
Pseudonymization – It is a procedure where personal data fields within a data record are replaced by one or more artificial identifiers so that the personal data cannot be attributed to one single individual. This process is reversible by an authorized individual; therefore, it is not permanent like anonymization.
Recipient – The natural person, public authority, agency, another body or company to which personal data is disclosed.
Records of Processing Activities (RoPA) – Often referred to as the Article 30 report. This is a required set of records that documents in detail the data processing activities that the company is responsible for. There are specific items to be included in the Article 30 report, such as: (1) the purpose of processing, (2) the description of the categories of data subjects and personal data, (3) the categories of recipients to whom the personal data has been or will be disclosed, (4) cross border transfers, (5) the lawful basis relied upon, and more.
Rectification (also referred to as the “Right to Correct”) – The right of an individual to request that an organization or third party correct their personal information. Under the GDPR, individuals have the right to rectification and controllers must fix inaccurate personal data if requested.
Redaction – The process of removing or obscuring information from documents.
Regulation – A binding legislative act that details how a company should comply with said regulation. This could be an industry-imposed, self-regulatory framework like the Digital Advertising Alliance’s Self-Regulatory Framework or it could be imposed by lawmakers such as the ePrivacy Directive.
Re-identification – This occurs when de-identified data is matched back to an individual, therefore, making the individual identifiable.
Representative – A data protection authority in the EU appointed by the data processor or controller.
Restriction of Processing – The right of a data subject to limit the future processing of their own stored personal data.
Retention – The notion that organizations should only retain personal information for as long as it is needed to fulfill the original statement of purpose.
Right to be Forgotten or Right to Deletion – Also referred to as Data Erasure, it entitles the data subject to request that the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
Right to Access – Also known as the Data Subject Access Right (DSAR). This right allows the data subject to request in writing to be provided a copy of the personal data being processed by the controller. The controller should also provide an explanation for the purpose of processing the data subject’s personal data. Privacy laws differ in how long a controller has to respond to a DSAR.
Sensitive Personal Information – Information regarding an individual’s race, ethnicity, marital status, religion, health records, sexuality, social security number, license, etc.
Spam – Unsolicited information that is sent to an individual typically via an electronic communication.
Specific – Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for specific and clearly spelled out uses and must be consulted if the use changes.
Supervisory Authority – The terms Data Protection Authority (DPA) and Supervisory Authority are often used interchangeably. In GDPR, supervisory authority is specifically called out. It is an individual public authority established by an EU member state that supervises the compliance with a specific regulation such as GDPR. Each country has its own authority. For example, in the UK, it is the Information Commissioner’s Office (ICO) and in France, it is the CNIL. Sometimes a supervisory authority is used more broadly in other laws such as financial regulation.
Super Cookie – Similar to a cookie, however this tracking mechanism lasts after all cookies have been deleted.
Territorial Privacy – This type of privacy limits intruding into an individual’s territorial environment such as their home or workplace.
Third Party – Any legal person, public authority, agency, or other body other than the data subject.
Transparency – An organization is required to be open in the way that they collect and use personal data.
Unambiguous Consent – When an individual provides consent fully understanding the outcome of their decision. The organization must clearly articulate the outcome in a way where the individual fully understands.
Laws/Enforcement Bodies/Roles Section:
Attorney General (AG) – Attorney General in the United States
California Consumer Protection Act (CCPA) – Signed into law in 2018, and will take effect in January 2020, this act introduces new privacy rights for individuals living within the state of California. It is the first sweeping privacy law in the United States.
California Investigative Consumer Reporting Agencies Act – A California state law that enforces employers to notify their consumers before obtaining and using their consumer report.
CAN-SPAM – Controlling the Assault of Non-Solicited Pornography And Marketing – Passed in 2003, a U.S. law that sets the rules for commercial emails and messages.
CASL – Canadian Anti-Spam Legislation – Passed in 2013, this Canadian law protects all emails, texts, instant messages, and automated mobile phone messages sent commercially to computers and phones, or accessed by them, in Canada.
Children’s Online Privacy Protection Act of 1998 (COPPA) – Imposes requirements on the operators of websites directed towards children under 13 years of age.
CISO – Chief Information Security Officer – An executive level employee who has the responsibility to develop a security strategy to protect the organization’s data and assets from breaches, and to identify and manage risks as they arise.
CPO – Chief Procurement Officer – An executive level employee in a corporation responsible for all product related matters, such as supply management, negotiating prices and contracts, and sourcing for the company.
ePrivacy Directive/Regulation – In the EU in 2002, this directive passed and was later amended in 2009. It addresses privacy regarding digital communication, digital marketing, and cookies. An updated regulation is expected to be finalized in 2019.
European Commission – The executive branch of the European Union.
European Data Protection Board (EDPB) – EDPB is an EU body responsible for the application of GDPR ensuring consistency across the EU. It is comprised of a representative from the DPA in each EU member state and the European Commission. It was formerly known as Article 29 Working Party (A29WP).
European Data Protection Supervisor (EDPS) – The EDPS has the responsibility to ensure that EU institutions and bodies are providing individuals with the right to privacy when processing personal information.
Fair Credit Reporting Act – This act requires accurate data collection, gives the right to consumers to correct their information, and limits the use of consumer reports and data collection.
Family Educational Rights and Privacy Act (FERPA) – The FERPA protects the privacy of students and their records.
Federal Trade Commission (FTC) – This agency protects consumers and collects and acts on complaints about organizations. It also prohibits unfair and deceptive trade practices per Section 5.
GLBA – Gramm-Leach-Bliley Act – A US federal law that requires financial institutions to explain to customers how private information is protected, how personal information is shared, and how a customer can opt-out of information shared with third parties.
HIPAA – Health Insurance Portability and Accountability Act. It is a US federal law that provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. An important distinction is that not all health information is automatically covered under HIPAA.
PIPEDA – Personal Information Protection and Electronic Documents Act – Canada’s version of the GDPR, which requires businesses to obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
Privacy Shield Certification – Framework designed by the U.S. Department of Commerce and the European Commission and Swiss Administration. It is designed to allow a company to self-certify to a set of data protection requirements that will enable it to transfer personal data from the EU or Switzerland to the US.
Supervisory Authority (SA) – A public authority which is established by a member state of the EU that oversees the execution of GDPR regulations.
TCPA – Telephone Consumer Protection Act. A US federal law that restricts marketing and debt collection automated dialing and pre-recorded messages. It covers cell phones, land lines, text messages, and unsolicited faxes. It also covers phone numbers listed in the Do Not Call Registry.
Ad Targeting – Providing advertisements to a specific audience based on attributes such as location, browsing behavior, purchase history, and demographics.
Behavior Advertising – When a business tracks an individual’s online behavior then targets that individual with specific ads based off of their tracked behavior.
B2B – Business to Business – This abbreviation is used to describe sales that occur directly from one business to another.
B2C – Business to Customer – This abbreviation is used to describe sales that occur directly from a business to a customer.
CDP – (Customer Data Platform) – A CDP helps companies create a single point of view of their customers by storing web page views, email clicks, payment transactions, and other similar information.
Conversion Path – A series of steps on your website that, if followed by a prospect, will facilitate a lead capture (see lead capture).
Cookies – A small text file that a website may drop on a user’s device for the sake of tracking certain categories of information.
Cookies (1st party) – Cookies placed by the website the user is browsing
Cookies (3rd party) – Cookies placed by a company different than the one the user is browsing. For example, advertising, analytics, or social media cookies
Cookies (Persistent) – Cookies that are stored on the user’s device until the user deletes the cookie or it expires. Online shopping carts often use this type of cookies.
Cookies (Session) – Cookies that are active only for the period of time that the user is browsing the website
CTA – Call to Action – A statement that invites an individual to conduct a certain action such as, “Click here to continue reading”.
CTR – Click Through Rate – The percentage of your audience that follows through with clicking from your homepage to another part of your website as directed by a marketing or sales campaign.
Direct Marketing – Advertising and marketing information specifically directed towards targeted individuals.
DMP – (Data Management Platform) – A DMP is used to collect, store, analyze and manage data for digital marketing purposes. A DMP allows segmentation by audiences.
DSP – (Demand Side Platform) – A DSP is a system that allows digital advertising inventory buyers to manage multiple ad exchanges in one central place. It often uses information from a DMP. It is designed to find the best website for the advertisement.
Engagement Rate – Commonly used social media metric that reports the amount and type of interaction a particular piece of content receives.
Landing Page – The web page that an individual is led to after clicking on a banner, CTA, or paid search ad.
Lead – An individual who is a potential customer.
Lead capture – The process of acquiring the name and email of a potential customer so that you can contact that lead in the future.
PPC – Pay Per Click – The cost accrued each time a digital advertisement is clicked through.
Pixel or Tag – A 1×1 tracking pixel (also called a pixel tag or just tag) is a pixel that is embedded into the HTML code of a website, online advertisement, marketing email, or video. Each time an individual loads the site, email, video, or ad, the pixel tag is loaded. This sends a request to the web server that is hosting the pixel. Information about the behavior on the site and about the visitor is sent back and forth from the pixel. Often when a pixel fires, a cookie is dropped. See above for definitions of the different types of cookies. Pixels are commonly used in online advertising such as Facebook and in analytics like Google Analytics.
QR Code – A type of matrix barcode (or two-dimensional code) that can be scanned by smartphones or specific QR barcode readers to transmit encoded data.
Real Time Bidding (RTB) – Real time bidding is an automated auction process for the purchase of online advertising inventory impressions on websites
ROI – Return on Investment – A performance measure used to determine how profitable something will be in relation to the amount of effort it will take to produce it.
SaaS – Software-as-a-Service – A software hosted by another company that holds the information you provide them in a cloud.
SLA – Service Level Agreement – An agreement set up between the sales and marketing teams in a company to outline the responsibilities and expectations for each team.
SMB – Small to Medium Business – Companies with approximately 10-500 employees.
SSP – (Supply (or sell) Side Platform) – An SSP is a technology platform that allows publishers to automate the selling of their online advertising inventory. They are designed to allow publishers or website owners to maximize the price of their advertising inventory.
GDPR Privacy Principle Terms:
Accuracy – Under GDPR, personal data collected must be correct, maintained, and must have the ability to be deleted or corrected if inaccurate.
Data minimization – An organization must only use the personal data that is necessary to fulfill their primary reason for collecting the data.
Integrity and confidentiality – If your organization is collecting and processing personal data, then you must ensure that you are implementing the appropriate security measures for protecting personal data.
Lawfulness, fairness, and transparency – To collect personal information in the EU one of the following six circumstances must apply: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, and (6) legitimate interests. You must also only process data in a way that does not negatively affect the individual from whom you are collecting data. Lastly, you must be transparent about the way that the data is collected and used.
Limitation of processing to legitimate purposes – If personal data is being collected then it must only be used for the primary reason stated.
Limitation on time period of storage – Per the GDPR, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
CCPA Privacy Principle Terms:
Transparency – As an organization, you must share, if requested, the type of personal information you are collecting, where you are collecting personal data from, what you are using the data for, whether or not you are selling it, and with whom you are sharing the data.
Opt-Out – As an organization, you must provide the choice to your consumer to opt-out of having their data sold. You must include a “Do Not Sell My Personal Information” link on your homepage. You are also required to include a phone number in your policy to allow consumers to communicate with your organization. (At the date of this publication (8/6/2019), there is an amendment pending to allow for an email or a phone number).
Deletion – Your organization must be prepared to delete a consumer’s personal information, if requested. There are exceptions in which you can deny a request where the information is: (1) needed to complete a transaction for the reason it was collected, (2) used for a business relationship with the consumer, (3) used for a contract, (4) used to detect security incidents, (5) needed to participate in scientific, historical, or statistical research in the interest of the public, (6) used for internal uses that align with the consumer’s expectations, and (7) required to comply with legal obligation and the law.
Equal service and pricing – Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different price and rate for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.
 “International Association of Privacy Professionals”, Iapp.org, 2019. [Online]. Available: https://iapp.org/resources/glossary/. [Accessed: 06- Aug- 2019].
 “Definition of JURISDICTION”, Merriam-webster.com, 2019. [Online]. Available: https://www.merriam-webster.com/dictionary/jurisdiction. [Accessed: 06- Aug- 2019].
 “Cookie Definition”, Techterms.com, 2019. [Online]. Available: https://techterms.com/definition/cookie. [Accessed: 06- Aug- 2019].