Glossary

A data controller should always obtain the consent of an individual or implement reasonable organizational measures to ensure that an individual’s personal information is properly protected before sharing the data.

Under GDPR, personal data collected must be correct, and maintained, and must have the ability to be deleted or corrected if inaccurate.

Providing advertisements to a specific audience based on attributes such as location, browsing behavior, purchase history, and demographics.

A decision made by the European Commission that a non-EU country offers an adequate level of protection of personal data through its own domestic privacy laws or international commitments it has made. When the European Commission has determined that a country meets the requirements for an adequacy decision it allows for that country to conduct cross-border data transfers.

Any decision or action by a business that adversely affects its consumer.

The process of altering personal data so that it is no longer identifiable. This process is irreversible.

Software standards that allow machine-to-machine communication and specify how software components should interact with one another.

This is a term used in GDPR in several different contexts such as, (1) transferring personal data to countries outside of the European Union, (2) the processing of special categories of data, and (3) the processing of personal data in a law enforcement context. It usually refers to the application of the general data protection principles.

A system, database, application, website, physical storage, or any other form that can store or process personal data.

Attorney General is an official with legal responsibility for enforcing laws in the United States. There is a federal-level Attorney General for the entire United States. Each State also has its own state Attorney General who is an officer of their respective State Government.

The process of authorizing whether an entity is who it claims to be.

The process of determining whether a user is permitted to have access rights to a specific resource.

A term from GDPR used to describe when a system uses technology without human involvement to create a profile or make a decision.

When an individual can behave as they wish (including online behavior) without the concern of being observed or tracked.

This abbreviation is used to describe sales that occur directly from one business to another.

This abbreviation is used to describe sales that occur directly from a business to a customer.

When a business tracks an individual’s online behavior and then targets that individual with specific ads based on their tracked behavior.

Refers to large data sets that grow exponentially and are so complex and massive that they require special procession applications.

Also referred to as BCRs that were developed by the EU Article 29 Working Party. BCRs are internal rules, approved by the data protection authority in the applicable EU member state, which allows multinational corporations, international organizations, and groups of companies to share personal data outside of the EU while still being in compliance with EU data protection laws.

Principles for processors to follow to protect an individual’s personal data. If a business’s processor is approved as a “safe processor” then that business can conduct international transfers (under GDPR).

It refers to data generated by automated means that can identify or confirm the identity of a person such as behavioral or physical characteristics. Examples include fingerprints, retina scans, voice prints, facial characteristics, and identifying DNA information. In many global laws biometric data is deemed a “special category.”

Enacted in 2008 to protect biometric information about Illinois residents. It includes a number of requirements that any company that collects or stores biometric information must follow.

The act of notifying regulators and victims of incidents that affect their confidentiality, anonymity, and the security of their personal information.

Signed into law on 9/15/22, will take effect on 7/1/24. This law imposes a number of obligations on businesses that control or process the personal data of California children, as well as granting them expanded rights and protections against a variety of harm.

Signed into law in 2018, and taking effect in January 2020, this act introduces new privacy rights for individuals living within the state of California. It is the first sweeping privacy law in the United States. Combined with the CPRA (which amended the CCPA), the current law in CA is called either the CCPA, as amended, or sometimes simply the CCPA.

This act requires all websites interacting with California residents to provide a privacy statement to users.

Controlling the Assault of Non-Solicited Pornography And Marketing- Passed in 2003, a U.S. law that sets the rules for commercial emails and messages.

Passed in 2013, this Canadian law protects all emails, texts, instant messages, and automated mobile phone messages sent commercially to computers and phones, or accessed by them, in Canada.

A CDP helps companies create a single point of view of their customers by storing web page views, email clicks, payment transactions, and other similar information.

Imposes requirements on the operators of websites directed towards children under 13 years of age.

An executive-level employee in a corporation responsible for all product-related matters, such as supply management, negotiating prices and contracts, and sourcing for the company.

An executive-level employee in a corporation responsible for all privacy-related matters.

An executive-level employee in a corporation usually responsible for leading product organization.

The age of a child varies by country and privacy law. Generally, it is between 13 and 16 years old.

Giving an individual the power to determine if, how, and what personal information is collected about them.

An executive-level employee who has the responsibility to identify/manage risks as they arise and develops a security strategy to protect the organization’s data and assets from breaches and to identify and manage risks as they arise.

Software that is used by companies to legally document and manage a user’s consent choices prior to collecting, sharing, or selling user data from online sources such as websites and apps that use cookies, embedded videos, and other tracking technologies.

The principle of limiting the collection of personal information to only the quantity and the type of information that is necessary.

This type of privacy protects communications such as postal mail, telephone activity, email, and other types of communication.

The act of protecting data against unauthorized or unlawful processing. The GDPR states that organizations must be able to maintain confidentiality.

Also referred to as a “daisybit,” is a series of numbers added to an ad bid request, which identifies the consent status of an ad tech vendor.

According to GDPR, consent is the act of a data subject agreeing to specific data processing and for consent to be valid it must be freely given, specific, informed, and unambiguous. The data subject must be able to easily withdraw their consent after it is given.

Per the GDPR, the controller is “the natural or legal person, public authority, agency or other body which determines the purposes and means of processing data.”

Personal information that is linked or reasonably linkable to a consumer and identifies a consumer’s past, present, or future physical or mental health. Very very broad!

A series of steps on your website that, if followed by a prospect, will facilitate a lead capture (see lead capture).

A classification of cookies based on their purpose and the type of data collected.

A small text file that a website may drop on a user’s device for the sake of tracking certain categories of information.

Cookies placed by the website the user is browsing.

Cookies placed by a company different than the one the user is browsing. For example, advertising, analytics, or social media cookies.

Cookies that are stored on the user’s device until the user deletes the cookie or it expires. Online shopping carts often use this type of cookie.

Cookies that a reactive only for the period of time that the user is browsing the website.

Signed into law on 7/8/2021, takes effect 7/1/2024 . This law provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Data controllers will need to honor user-selected universal opt-outs for targeted advertising and sales.

Term can mean: Chief Procurement Officer, Chief Privacy Officer, or Chief Product Officer

A ballot initiative that amends the CCPA and includes additional privacy protections for consumers. The Majority of CPRA’s provisions went into effect Jan. 1, 2023. As it amends the CCPA, the official term of CA privacy law (aka the CCPA and CPRA combined) is the CCPA, as amended.

California’s dedicated privacy regulator, created under the CPRA, the agency implements and enforces the CCPA, as amended.

A company that provides support to the pharma, biotech, and medical device industries through contracted research services.

The transportation of personal data from one jurisdiction (usually country) to another. For the GDPR, this refers to any transportation of personal data from the European Union to a third country (only allowed if the European Commission has determined that they have adequate protection measures).

A statement that invites an individual to conduct a certain action such as, “Click here to continue reading”.

Signed into law on 5/10/2022, took effect on 7/1/2023. This law places several obligations on businesses that control or process the personal data of Connecticut consumers and grants a set of rights to Connecticut consumers.

The percentage of your audience that follows through with clicking from your homepage to another part of your website as directed by a marketing or sales campaign.

Giving the customer access to the personal information an organization is collecting as well as giving them the ability to review, delete, and edit their personal information.

Establishes and enforces responsible privacy practices across the industry for relevant digital advertising, providing consumers with enhanced transparency and control through multifaceted principles that apply to multi-site data and cross-app data gathered in either desktop, mobile web or mobile app environments.

The unauthorized access and procurement of data that compromises the security of personal identifiable information maintained by a collector.

When an organization gives different levels of authorization to individuals to access a data inventory in order to protect the data.

This refers to any information regarding an individual’s physical or mental health.

Unique pieces of collected information such as name, address, IP address, date of birth, etc.

Also known as the Right to be Forgotten under GDPR or Right to Deletion under CCPA, it allows the data subject to request that the data controller or company delete and stop sharing their personal data. There are a few exceptions to this under each of privacy law.

The exercise of authority and control over the management of data assets. It is the planning, supervision, and control of data management and use.

The location, including how it is shared and organized, of personal data. Data inventory allows for the identification of inconsistent data versions.

The process of de-identifying data through anonymization, pseudonymization, or some other method of obscuring the identifiable data.

An organization must only use the personal data that is necessary to fulfill their primary reason for collecting the data.

The right for the data subject to receive a copy of the data the data subject provided to the controller. The data should be presented in a structured, machine-readable format that is commonly used. It should be provided directly to the data subject or upon request by the data subject. The data subject also has the right to share that information directly with another controller.

The agreement between the US and the EU that enables companies to engage in cross-border transfer of personal data in compliance with the GDPR. It enables eligible U.S. companies to self-certify their participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), facilitating cross-border transfers of personal data in compliance with EU law. It applies to transfers to the European Economic Area, UK, and Switzerland. It replaced the previous Privacy Shield Certification.

See Supervisory Authority

As required under GDPR, companies engaging in high-risk processing activity must complete an assessment that identifies, assesses, and mitigates risks of a business’ data processing activity. A DPIA should be performed for each different type of high-risk processing activity.

Under the GDPR, a data privacy expert who ensures compliance with GDPR policies and procedures and generally reports directly to company management or the company board in some situations.

The practice of using personal data solely for the purpose of and the extent to which it is supposed to be used. Personal data should be maintained meaning that it should be accurate and up-to-date at all times.

A natural person whose personal data is collected, held, or processed by a controller or processor.

A digital repository for storing data (typically large amounts of data).

An organized compilation of data.

The method of removing identifiable characteristics from personal data effectively anonymizing the data.

Your organization must be prepared to delete a consumer’s personal information if requested. Frequently There are exceptions in which you can deny a request where the information is: (1) needed to complete a transaction for the reason it was collected, (2) used for a business relationship with the consumer, (3) used for a contract, (4) used to detect security incidents, (5) needed to participate in scientific, historical, or statistical research in the interest of the public, (6) used for internal uses that align with the consumer’s expectations, and (7) required to comply with legal obligation and the law.

An exemption from or relaxation of a law.

Digital fingerprints are log files pulled from original content that represent the content’s defining characteristics and are used by content owners to identify website visitors. A log file can be the visitor’s IP address, a time stamp, or even the visitor’s browser preferences (think type of font, color scheme, etc.).

This type of signature is used to authenticate an electronic document (often used in emails).

Advertising and marketing information specifically directed towards targeted individuals.

A DMP is used to collect, store, analyze, and manage data for digital marketing purposes. A DMP allows segmentation by audiences.

An application that gives individuals the ability to request that applications disable tracking of their online behavior and activities.

A DSP is a system that allows digital advertising inventory buyers to manage multiple ad exchanges in one central place. It often uses information from a DMP. It is designed to find the best website for the advertisement.

The act of monitoring an individual (typically unknown by the individual) through video, reading their communications, location services, and other electronic means.

The process of converting plaintext (any type of data) into an encoded version that can only be decoded by the individual with the proper decryption key. Encryption is a security measure that protects sensitive personal data to ensure that the data is only accessible/readable by those with authorization.

A commonly used social media metric that reports the amount and type of interaction a particular piece of content receives.

A natural or legal person or entity performing economic actions.

In the EU in 2002, this directive passed and was later amended in 2009. It addresses privacy regarding digital communication, digital marketing, and cookies. An updated regulation is expected in the future.

Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different prices and rates for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.

The acronym for the European Union which is a political and economic union comprised of 27 member states located primarily in Europe.

The executive branch of the European Union.

EDPB is an EU body responsible for the application of GDPR ensuring consistency across the EU. It is comprised of a representative from the DPA in each EU member state and the European Commission. It was formerly known as Article 29 Working Party (A29WP).

The EDPS has the responsibility to ensure that EU institutions and bodies are providing individuals with the right to privacy when processing personal information.

This act requires accurate data collection, gives the right to consumers to correct their information, and limits the use of consumer reports and data collection.

This Act, amending the Fair Credit Reporting Act (FCRA), adds provisions designed to improve the accuracy of consumers’ credit-related records.

The FERPA protects the privacy of students and their records.

This agency protects consumers and collects and acts on complaints about organizations. It also prohibits unfair and deceptive trade practices per Section 5.

The data subject gives permission directly to the controller to collect their information.

A new way that browsers could enable interest-based advertising on the web, in which the companies who today observe the browsing behavior of individuals instead observe the behavior of a cohort of similar people.

An outsourced privacy professional who provides their time and guidance to a company on an ongoing basis, generally part-time and remotely.

When a data subject voluntarily consents to the processing of data and where there is no risk of significant consequences if they do not choose to provide consent. The GDPR requires that a data subject’s consent is freely given.

A privacy regulation and legal framework that sets guidelines for the collection and processing of personal data of individuals within the EU. It became effective May 25, 2018.

Personal data relating to inherited or acquired genetic data that is unique to the individual. An example could be an individual’s gene sequence.

Prohibits discrimination based on genetic information by health insurance companies and employers.

The use of a mobile device’s GPS or other technology to create a virtual geographic boundary, which allows software to track and trigger a response (such as serving an advertisement). Increasingly there are rules restricting Geofencing and tracking.

A US federal law that requires financial institutions to explain to customers how private information is protected, how personal information is shared, and how a customer can opt out of information shared with third parties.

A technical specification/implementation of a UOM. Accepting and acting on this specific signal is an increasingly common requirement in many data privacy laws. Recognition is already required in CA.

The federal law in the U.S. that requires privacy standards to protect medical records and other health information be developed. The HIPAA Privacy Rule restricts Covered Entities (mainly health plans and healthcare providers such as doctors, hospitals, and other healthcare providers) from using or sharing protected health information other than for purposes of treatment, payment, and healthcare operations. It is important to note that not all entities in the healthcare sector and not all health information is covered under HIPAA.

Part of the American Recovery and Reinvestment Act of 2009, it amends and strengthens HIPAA.

Advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry.

Refers to data that can be linked to a specific person, thus identifying that person.

A consent model in which the user is given prior notice about cookies and tracking technologies, and by continuing further into the site, it is implied that they have given consent. Cookies and other trackers are not active initially until they continue onto the site.

Signed into law on 5/1/2023, will take effect on 1/1/2026. This law imposes a number of obligations on businesses that control or process the personal data of Indiana consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

Data Subject Access Requests are often referred to as Individual Rights. These rights generally include the right to be informed, the right of access, the right to rectification, the right to erasure/to be forgotten, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling, and the right to opt-out of the sale of data.

A natural person whose personal data is collected, held or processed by a controller or processor. Also referred to as data subject.

This is the process of collecting, processing, using, disclosing, storing, and deleting data.

The act of securing information in order to prevent unauthorized access or misuse of information.

When an individual has been provided with all of the necessary information to make a decision about data processing. Under GDPR, the data subject must be informed when providing consent.

In regards to data, integrity refers to the accuracy, consistency, and trustworthiness of the data. The GDPR requires organizations to uphold the integrity of the data that they are collecting.

If your organization is collecting and processing personal data, then you must ensure that you are implementing the appropriate security measures for protecting personal data.

A numerical identifier assigned to each device that interacts with a computer network, most commonly, the TCP/IP network. The GDPR categorizes IP addresses as personal information.

The authority granted to a body to govern or legislate. It can also refer to the geographical region in which authority applies.

The web page that an individual is led to after clicking on a banner, CTA, or paid search ad.

To collect personal information in the EU one of the following six circumstances must apply: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, and (6) legitimate interests. You must also only process data in a way that does not negatively affect the individual from whom you are collecting data. Lastly, you must be transparent about the way that the data is collected and used.

The process of acquiring the name and email of a potential customer so that you can contact that lead in the future.

An individual who is a potential customer.

Generally a concept regarding the legal basis to collect personal information. The GDPR requires that a controller must meet one of six legal circumstances in order to collect personal information. The six legal bases include: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, or (6) legitimate interests.

Is a federal law in Brazil designed to unify 40 existing laws to regulate the processing of the personal data of individuals. It was passed on September 18, 2020, and was backdated, coming into effect on August 16, 2020.

If personal data is being collected then it must only be used for the primary reason stated.

Per the GDPR, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Services that are provided based on geographic location.

A location, chosen by the data controller, for its central administration in the EU where it will be bound to applicable local laws and regulations.

Data that gives additional information to describe or provide context for other data.

During login, this requires both a password and a second form of authentication such as a code sent to a phone, confirming a phone call, or entering an ever-changing password provided through an application.

Signed into law on 5/19/2023, will take effect on 10/01/2024. This law imposes a number of obligations on businesses that control or process the personal data of Montana consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

An organization is responsible for damages if it fails to meet the legal obligations to protect personal information.

Per GLBA, it is defined as identifiable financial information provided by a customer.

A version of data masking that makes personal data difficult to understand in order to hide the actual data.

Signed into law on 6/18/2023, will take effect on 7/1/2024; it is effective for non-profits on 7/1/25. This law imposes a number of obligations on businesses that control or process the personal data of Oregon consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

An individual makes an affirmative choice to share his or her personal information with a third party.

An individual makes an affirmative choice (such as clicking a button or checking a box) that disallows third parties to share their personal information.

Information that relates to an identified or identifiable person (also referred to as ‘Data Subject’ or ‘Individual’)

Canada’s version of the GDPR, which requires businesses to obtain an individual’s consent when they collect, use, or disclose that individual’s personal information.

a 1×1 tracking pixel (also called a pixel tag or just tag) is a pixel that is embedded into the HTML code of a website, online advertisement, marketing email, or video. Each time an individual loads the site, email, video, or ad, the pixel tag is loaded. This sends a request to the web server that is hosting the pixel. Information about the behavior on the site and about the visitor is sent back and forth from the pixel. Often when a pixel fires, a cookie is dropped. See above for definitions of the different types of cookies. Pixels are commonly used in online advertising such as Facebook and in analytics like Google Analytics.

The cost accrued each time a digital advertisement is clicked through.

Incorporating privacy at the beginning and throughout the entire design and engineering process of product and service development.

A process, often a questionnaire, used by a company to identify and assess privacy risks throughout a product or system lifecycle. It helps identify data collected, used, shared, and stored and allows the company to determine what should be done to mitigate risks when processing personal data.

A disclaimer that is located on an organization’s website that lays out how the website uses and collects personal information.

Per HIPAA, this rule requires institutions and organizations to protect an individual’s medical records and information.

The Old framework designed by the U.S. Department of Commerce and the European Commission and Swiss Administration. It was a framework that let a company to self-certify to a set of data protection requirements that will enable it to transfer personal data from the EU or Switzerland to the US. REPLACED BY THE DPF (See Definition)

This provides individuals the right to file a lawsuit (against the violator) if harmed by a violation of the law.

Any activity performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Per the GDPR, “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”

The use of personal data that is used to evaluate, analyze, or predict data subject behavior and to make decisions based on that outcome. Profiling is generally performed automatically by systems.

It is a procedure where personal data fields within a data record are replaced by one or more artificial identifiers so that the personal data not be attributed to one single individual. This process is reversible by an authorized individual therefore it is not permanent like anonymization.

is a type of matrix barcode (or two-dimensional code) that can be scanned by smartphones or specific QR barcode readers to transmit encoded data.

Real-time bidding is an automated auction process for the purchase of online advertising inventory impressions on websites.

The natural person, public authority, agency, another body or company to which personal data is disclosed.

Often referred to as the Article 30 report. This is a required set of records that documents in detail the data processing activities that the company is responsible for. There are specific items to be included in the Article 30 report, such as; (1) the purpose of processing, (2) the description of the categories of data subjects and personal data,(3) the categories of recipients to whom the personal data has been or will be disclosed, (4) cross border transfers, (5) the lawful basis relied upon, and more.

The right of an individual to request that an organization or third party correct their personal information. Under the GDPR, individuals have the right to rectification and controllers must fix inaccurate personal data if requested.

The process of removing or obscuring information from documents.

A binding legislative act that details how a company should comply with said regulation. This could be industry industry-imposed and self-regulatory framework like the Digital Advertising Alliance’s Self-Regulatory Framework or it could be imposed by lawmakers such as the ePrivacy Directive.

This occurs when de-identified data is matched back to an individual, therefore, making the individual identifiable.

A data protection authority in the EU appointed by the data processor or controller.

The right of a data subject to limit the future processing of their own stored personal data.

The notion that organizations should only retain personal information for as long as it is needed to fulfill the original statement of purpose.

Also known as the Data Subject Access Right (DSAR). This right allows the data subject to request in writing to be provided a copy of the personal data being processed by the controller. The controller should also provide an explanation for the purpose of processing the data subject’s personal data. Privacy laws differ in how long a controller has to respond to a DSAR.

Also referred to as Data Erasure, it entitles the data subject to request that the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.

A performance measure used to determine how profitable something will be in relation to the amount of effort it will take to produce it.

A software hosted by another company that holds the information you provide them in a cloud.

Information regarding an individual’s race, ethnicity, marital status, religion, health records, sexuality, social security number, license, etc.

An agreement set up between the sales and marketing teams in a company to outline the responsibilities and expectations for each team.

Companies with approximately 10-500 employees. Defined by the small business administration, industry-specific definitions exist based on annual receipts and average employment.

Unsolicited information that is sent to an individual typically via electronic communication.

Consent cannot be gathered for broad or unspecified uses. The data subject must give consent for specific and clearly spelled out uses and must be consulted if the use changes.

An SSP is a technology platform that allows publishers to automate the selling of their online advertising inventory. They are designed to allow publishers or website owners to maximize the price of their advertising inventory.

Similar to a cookie, however this tracking mechanism lasts after all cookies have been deleted.

A public authority that is established by a member state of the EU that oversees the execution of GDPR regulations.

A US federal law that restricts marketing and debt collection automated dialing and pre-recorded messages. It covers cell phones, landlines, text messages, and unsolicited faxes. It also covers phone numbers listed in the Do Not Call Registry.

Signed into law on 5/18/2023, will take effect on 7/1/2024. This law imposes a number of obligations on businesses that control or process the personal data of Texas consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

This type of privacy limits intruding into an individual’s territorial environment such as their home or workplace.

Any legal person, public authority, agency, or other body other than the data subject.

Signed into law on 5/11/2023, will take effect on 7/1/2025. This law imposes a number of obligations on businesses that control or process the personal data of Tennessee consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

An analysis of the impact and security implications of a transfer to a country outside the EEA that has not received an adequacy decision.

As an organization, you must share, if requested, the type of personal information you are collecting, where you are collecting personal data from, what you are using the data for, whether or not you are selling it, and to whom you are sharing the data with.

Signed into law on 3/24/2022, will take effect on 12/31/2023. This law imposes a number of obligations on businesses that control or process the personal data of Utah consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

The United Kingdom General Data Protection Regulation is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK. The UK GDPR was drafted as a result of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.

When an individual provides consent fully understanding the outcome of their decision. The organization must clearly articulate the outcome in a way that the individual fully understands.

A method to automatically opt a web user out of certain data collection, usually via global privacy setting in a browser/device or a browser extension. These are increasingly required in many states and countries. For the most common type, see “GPC” definition. Note that GPC is sometimes used interchangeably with UOM to refer to the concept of universal opt-outs.

Signed into law on 2/3/21, will take effect on 1/1/2023 in the state of Virginia. This law gives specific privacy rights to consumers and allows them to opt out of the sale of their personal data.

Prevents video tape service providers from disclosing video tape rental or sale records. The interpretation and application of VPPA are being tested and broadened to include modern technologies and avenues for consuming content (including online).

Exist in federal law in the Electronic Communications Privacy Act of 1986 and in many state laws, these acts prevent wiretapping. These laws, particularly state laws, have been an increasingly common basis for class action litigation around digital content, analytics, and other web services.

Signed into law on 4/27/2023, will take effect on 4/31/2024, 6/30/2024 for Small Businesses. The Geofencing ban has already begun. This law imposes a number of obligations on businesses that control or process the “Consumer Health Data” (defined) data of Washington consumers and grants these consumers a range of new rights over the personal data that they previously provided to a business.

Under GDPR, personal data collected must be correct, maintained, and must have the ability to be deleted or corrected if inaccurate.

An organization must only use the personal data that is necessary to fulfill their primary reason for collecting the data.

If your organization is collecting and processing personal data, then you must ensure that you are implementing the appropriate security measures for protecting personal data.

To collect personal information in the EU one of the following six circumstances must apply: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, and (6) legitimate interests. You must also only process data in a way that does not negatively affect the individual to whom you are collecting data from. Lastly, you must be transparent about the way that the data is collected and used.

If personal data is being collected then it must only be used for the primary reason stated.

Per the GDPR, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.

As an organization, you must share, if requested, the type of personal information you are collecting, where you are collecting personal data from, what you are using the data for, whether or not you are selling it, and to whom you are sharing the data with.

As an organization, you must provide the choice to your consumer to opt out of having their data sold. You must include a “Do Not Sell My Personal Information” link on your homepage. You are also required to include a phone number in your policy to allow consumers to communicate with your organization. (At the date of this publication (8/6/2019), an amendment is pending to allow for an email or a phone number).

Your organization must be prepared to delete a consumer’s personal information if requested. There are exceptions in which you can deny a request where the information is: (1) needed to complete a transaction for the reason it was collected, (2) used for a business relationship with the consumer, (3) used for a contract, (4) used to detect security incidents, (5) needed to participate in scientific, historical, or statistical research in the interest of the public, (6) used for internal uses that align with the consumer’s expectations, and (7) required to comply with legal obligation and the law.

Your business must offer equal opportunities to all consumers for goods and services. Per the CCPA, your organization must ensure that there is not any discrimination by: (1) denying goods and services, (2) providing different prices and rates for goods, or (3) providing a different level of goods or services based on a consumer’s use of CCPA rights.