Title search:

View Archive


Marketing Privacy Glossary
Term Acronym Definition
Access Control List ACL A list of objects, and who is allowed to access each object.
Act on Protection of Personal Information APPI - Japan Japan law, applying to businesses that hold personal information of more than 5,000 people. It requires companies to specify the purpose PII is utilized. Data subjects can request disclosure of information that is held about them.
Active Data Collection   Collection of data provided directly by the subject.
Ads/Marketing Compliance Manager   System to manage data regulations related to advertising and marketing activities, such as gathering consent.
Affective computing   branch of artificial intelligence dealing with measurement or simulation of human emotions
Algorithmic Trust   psychological phenomenon that people perceive algorithms as more trustworthy than humans
Anonymization   The process of removing personal identifiers from a data set, so that identity cannot be derived from the remaining data. Anonymization is irreversible. Compare pseudonymization.
Appropriation   Using another person's identity without their approval.
Authentication   The process of ensuring a person (or other entity) possesses a piece of information they have previously provided. Compare with verification, which ensures a person is who they claim to be. For example: a password proves a user is authorized to access a social media account (authentication) but additional proof is needed to show the account was opened by the person whose name is on it (verification).
Automated Policy Inheritance   Ability to govern data by the rulies under which it was originally captured, regardless of where the data is subsequently used.
Automated Subject Requests   Automated system to fulfill data subject access requests.
Biometric Information Privacy Act BIPA Illinois law that restricts collection of biometric data and gives private individuals the right to sue for damages after a violation.
Bodily Privacy   Privacy related to a person's body, such as physical searches or drug tests.
Breach Disclosure   Practices related to informing authorities or subjects if their data is exposed.
Bring Your Own Device BYOD Practice of allowing workers to access company systems through their personal devices.
Bring Your Own Identity BYOID practice of enabling Web site visitors authenticate themselves by connecting to identities they have etablished in other systems such as Facebook, LinkedIn, Google, Amazon, etc.
Browser Fingerprinting   Practice of identifying a device over time by storing and comparing a combination of technical attributes associated with the Web browser used on that device, typically without explicit permission; provides an alternative to other identification methods; may violate privacy rules.
California Consumer Privacy Act CCPA - US, California Privacy law implemented in State of California in 2020; includes extensive personal rights regarding data use.
California Privacy Rights and Enforcement Act of 2020 (also known as Proposition 24) CPREA California law, appearing as Proposition 24 in November, 2020 election, that expands privacy rights provided within California Consumer Privacy Act (CCPA).
Children's Online Privacy Protection Act COPPA - US U.S. federal law governing how Web sites treat data for people under age 13.
C-I-A Triad   Information security principles: confidentiality, integrity, availability.
Consent   Permission granted by a data owner to use their information for specified purposes; may be implicit or explicit.
Consent Mgmt Platform CMP System that collects consent in compliance with legal requirements.
Content Data   The actual text, images, and other information contained within a communication, or information derived from this; contrasts with metadata, which is limited to routing, etc.
Contextual Advertising   Advertising based on the content of a Web site or search query where the ad appears; does not require information about the individual receiving the advertisement.
Cookie   Small file installed on a Web browser to capture user information and share it with the cookie owner.
Cookie Consent Manager   System that collects consent to use Web browser cookies to store information about a user.
Cookie Directive   Ammendment to the European Union ePrivacy Directive, adopted in 2009, that requires user consent to installation of cookies and other online tracking technologies.
Corporate Owned, Personally Enabled COPE Corporately Owned, Personally Enabled: the business practice of providing employees with computing devices for personal use.
Cross Border Data Transfers   Movement of data from one legal jurisdiction to another. May be forbidden or governed by rules to ensure protections granted in the original jurisdiction are maintained.
Customer Access   Ability for a consumer to review and manage data collected about them; see Data Subject Access Requests.
Customer Identity and Access Management CIAM Technology that manages, authenticates, and verifies customer identity and profile data
Cybersquatting   creation of a Web domain name similar to a another, popular domain, done to divert traffic or force a purchase by the rightful owner.
Dark Patterns   Methods used to trick users into taking unintended actions, including purchases or revealing personal data.
Data Removal   Practices related to deleting data from company systems, either on request or on retention schedule. May require removing or masking data in connected systems, back-ups, etc. Includes keeping records to prove requested removals have taken place.
Data Aggregation   Analytical method that creates summary measures (sum, average, median, etc.) of similar data items, often to obscure information about single individuals.
Data Anonymization   See Anonymization.
Data Breach   Any unauthorized access to data collected by an organization.
Data Breach Notification (EU)   The process of informing subjects whose data has been exposed by a breech. Many privacy regulations impose specific requirements for when, how, and how quickly notifications must be made.
Data Classification   Process of determining the type of data stored in a particular object or field, so the data can be handled as required for that data type.
Data De-Identification   The process of removing personal identifiers from a data set, so that identity cannot be derived from the remaining data. May be reversible (pseudonymization) or irreversible (anonymization).
Data Lifecycle Management DLM Systematic approach to managing data from acquisition through use to disposal.
Data Mapping   Process of tracking where each type of data is stored in company systems, to facilitate data management processes.
Data Masking   Process of hiding actual values of data elements without changing the format.
Data Minimization   The practice of collecting and using the minimum amount of personal data needed for a particular purpose.
Data Pipeline   Technology to automate the process of ingesting, preparing, and exposing data for analytics and operations.
Data Portability   ability to move personal data from one system to another, despite format or structural differences
Data Portability   ability to easily move personal data between systems, to avoid lock-in by original system
Data Privacy   Ideas and practices relating to control of personal data, especially by the subject.
Data Protection Authority DPA National body responsible for enforcing data protection regulations under GDPR.
Data Protection Impact Assessment DPIA Assessment of how a proposed project may impact data privacy, including risks. Required for significant projects under GDPR. Analysis that defines the privacy risks created by a proposed process or project and identifies steps to control the risks.
Data Redaction   Techique to preserve privacy by removing a portion of data, such as names from a document or digits from an ID number.
Data Retention   Practices related to storing data for specified time periods and deleting it after the period ends.
Data Schema   Structure used to organize stored data.
Data Subject Access Rights, or Data Subject Access Request DSAR Processes related to accepting and executing requests by a data subject to an organization to review, change, and delete data about the subject held by the organization.
Data Subject Rights Management   Processes related to giving subjects control over data an organization has collected about them.
Data Watermarks   Technique for tagging data with its origin in ways that cannot be removed and are hidden from unauthorized users.
DataOps   Methodology to improve data quality and currency in support of analytics and data processing.
Deletion Validation   Technique for confirming that data has been erased.
Denial of Service DoS cyber attack that disrupts a system by creating an unmanageable volume of interactions
DIFC Data Protection Law No.5 of 2020 DIFC - UAE UAE privacy law effective October 2020. Designed to match EU privacy standards.
Differential Privacy   technique to share data while preserving privacy by exposing only pools of individual records that cannot be used to detect the presence of a specific individual
Digital Fingerprinting   Practice of identifying a device over time by storing and comparing a combination of technical attributes associated with the device, typically without explicit permission. See browser fingerprinting.
Digital Rights Management DRM Techniques to track ownership and use of digital assets. Typically applied to content such as writing, music, or video but may apply to any type of data.
Disassociability   Technique of removing information from a data set that can be used to identify an individual while still allowing a system to meet its purpose.
DNS spoofing   attack method that corrupts the Domain Name System by altering entries that direct traffic to the proper IP address, sending traffic somewhere else
Do Not Track DNT Request by a data subject that a system not capture or share information about the subject's behavior. Usually applied to tracking Web site behavior for marketing purposes.
Draft Decree on Personal Data Protection DPDP - Vietnam Vietnam proposed law governing collection and use of personal data
Encryption   Technique of transforming data so it cannot be understood, but can be transformed back into its original format with an algorithm and/or key. In this sense, encyption is reversible. Compare to masking or anonymization, which are not reversible.
Family Education Rights and Privacy Act FERPA - US U.S. federal law governing access to student data held by educational institutions.
Federal Information Security Management Act FISMA - U.S. U.S. law establishing information security framework for federal agencies
Federated Learning of CoHorts FLoC Method for grouping consumers based on browser behaviors without revealing personal identities. Used for privacy-safe ad targeting.
Fuzzing   software testing or attack method that submits large amounts of random data to a system
General Data Protection Regulation GDPR - EU European Union regulation governing treatment of data collected about EU residents. Grants rights to individuals and imposes requirements on organizations collecting personal data.
Google Privacy Sandbox   Technology being developed by Google to enable ad targeting without use of cookies.
Gramm-Leach-Bliley Act GLBA - U.S. U.S. law establishing data sharing notification and security rules for financial institutions
Granular consent options   Practice of defining consent options related to specific uses, data types, or data users.
Health Information Technology for Economic and Clinical Health Act HITECH - U.S. U.S. law establishing breach reporting and notification rules for health information
Health Insurance Portability and Accountability Act HIPPA - US United State law that regulates health insurance. It includes data privacy, security, and confidentiality. Healthcare providers and others covered by HIPPA have permission to use patient data if it relates to treatment, payment, or other healthcare needs. Any use of patient personal health information (PHI) for marketing or sales would require specific consent.
Identifiability   Degree to which data can be connected to a specific individual, in terms of precision (determining which individual), confidence (connecting to the right individual), and security (avoiding misrepresentation).
Identifier for Advertisers IDFA ID for Apple devices made available for advertising tracking. Apple rules added in 2020 require user consent for sharing with advertisers, limiting coverage.
Identity Verification   The process of ensuring that a person is who they claim to be. Compare with authentication, which confirms that a person possesses a piece of information they have previously provided. For example: a password proves a user is authorized to access a social media account (authentication) but additional proof is needed to show the account was opened by the person whose name is on it (verification).
Incognito mode   Browser feature that enables users to browse without allowing access to identifiers or tracking devices. Any similar technology in other systems.
Information Commissioner's Office ICO Agency in each European Union country that is responsible for regulating use of personal data.
Information Commissioner's Office ICO U.K. authority that monitors personal data use and enforces privacy rights of the public.
Information Governance   Process of managing data from through use to disposal, including privacy compliance.
Information Lifecycle   Systematic approach to managing data from acquisition through use to disposal.
Lawfulness of Processing Art 6 GDPR see Legal Basis for Processing
Laws to add:    
Legal Basis for Processing   The legal justification required under GDPR to use personal data. There are six justifications including consent and business necessity.
Lei Geral de Proteção de Dados LGPD - Brazil Brazil privacy law to be in effect by 2021. Includes extensive personal rights regarding data use. It applies to almost all sectors of economy, public and private; has extraterritorial scope, has a broad definition of what personal data is - and virtually any data can be considered personal and subject to law.
Ley Federal de Protección de Datos Personales en Posesión de los Particulares FDPL - Mexico Mexico law which went into effect in 2012. Closely follows APEC Privacy Framework. It protects any data that could lead to identifying a person and data controllers may only collect data relevant to their commercial purposes. Personal data must be deleted when the controller no longer needs or uses it.
Mandatory Access Control MAC Data access control built into an operating system.
Metadata (also see DRM)   Data that describes the data elements stored in a system.
Mobile Device Forensic Tools MDFT Technology to recover digital evidence from mobile devices, including mobile phones and other devices with communication abilities.
Mobile Device Management MDM Technology that allows remote control over mobile devices, typically by a corporate owner providing the device to its workers.
Multi-Factor Identification   Authentication process requiring two or more pieces of information, such as a password plus fingerprint.
Noise Addition   Injection of false information into a data set to make subject identification more difficult.
Notifiable Data Breaches Act NDB - Australia Australia law establishing breach reporting and notification rules
Onward Transfer   Transfer of data made by someone who did not receive it directly from the original data collector (controller). Example: a subcontractor for a data processor.
Payment Card IndustryData Security Standards PCI DSS global security standard for data related to credit and debit card processing
Perimeter Controls   Technology that protects entry into a network from the outside.
Persistent Storage   Storage of data in a medium that retains it indefinitely, such as tape or a hard drive.
Personal Data   Data that can be used to identify a specific individual, either by itself or in combination with other information.
Personal Data Protection Act PDPA - Singapore Singapore law governing collection and use of personal data
Personal Data Protection Bill PDP - India India proposed law governing collection and use of personal data
Personal Data Protection Draft PDP - Indonesia Indonesia proposed law governing collection and use of personal data
Personal Information   Data that is associated with a specific individual but does not necessary identify them, such as a purchase transaction.
Personal Information Protection and Electronic Documents Act PIPEDA - Canada Canada law that applies to private sector organizations across Canada that collect, use, or disclose personal information. Individuals have the right to access data held by organizations and have a right to challenge accuracy. PII can only be used for purposes for which collected and must be protected.
Personally Identifiable Information PII Data that directly identifies a specific individual, such as a name/address or passport number.
Policy Definition   Technology to define rules that govern use of personal data, often based on the data type, subject location, consent status, and other conditions.
Policy Enforcement   Ttechnology to enforce data privacy policies that are defined within a system.
Principal Agent Problem   problem that an agent may act in her own best interests, to the detriment of the principal she is representing
Privacy Act U.S. U.S. law governing collection of data about individuals by federal agencies
Privacy Assessment   Review of processes and technologies that an organization applies to privacy compliance.
Privacy by Default   Requirement under GDPR to collect the minimum required amount of personal data and to use it for only the specified purposes.
Privacy by Design PbD requirement under GDPR to include privacy compliance as a requirement in system design
Privacy Impact Assessment PIA Process or project analysis that defines what PII is involved, how it is handled to comply with privacy regulations, and how risks are mitigated.
Privacy Impact Assessment Triggers   Events that require a privacy impact assessment to be conducted under GDPR, such as merging data sets containing personal data.
Privacy-Enhancing Technologies PET Technology that protects or perserves personal privacy, often by enabling subjects to expose the minimum amount of personal data needed to achieve a task.
Private Facts   personal information that is not publicly known, is not a legitimate public concern, and the subject prefers to remain private
Profiling   Techniques to classify or predict individual behavior based on personal data.
Programmatic Buying   Any form of automated advertising media buying, especially forms based on evaluating personal data of ad recipients.
Programmatic Digital Out-of-Home (pDOOH) pDOOH Out of home digital advertising, such as electronic billboards and in-store signs, that is sold via automated bidding.
Proportionality   Concept of balancing the amount of personal data collected for a process against the value and risks of that process.
Protection of Personal Information Act POPIA - South Africa South Africa privacy act protects personal information processed in South Africa and applies to any organization processing information in South Africa.
Provisioning   assignment of resources to a personal or system, typically when setting up a new account
Pseudonymisation   The process of removing personal identifiers from a data set, so that identity can subsequently be derived given additional data. Pseudonmyization is irreversible. Compare anonymization.
public safety data sets   data sets containing information related to public safety, such as crime statistics, traffic accident locations, flood plains, vehicle recalls, and epidemiological records.
Purpose Limitation (Principle of Finality)   Principle that the purpose of how data will be used should be specified when it is collected and subsequent use must not exceed the specified purposes or other legal bases.
Record of Processing Action ROPA Requirement under GDPR to document each use of personal data, including who handles it, how it is used, and put protections in place.
Rectification   The right for a subject to require corrections to inaccurate data held about the subject by an organization.
Right of Access   The right for a subject to view data held about the subject by an organization.
Right to Be Forgotten   The right for a subject to require an organization delete data held about the subject.
Right to Erasure   See Right to be Forgotten
Right to Restriction   The right for a subject to restrict how an organization uses data it holds about that subject.
Risk Analysis & Alert   Analysis of the risks posed by personal data held by an organization or used in a particular project or process.
Role-Based Access Controls   Data access controls based on assigning specific rights to specific user roles, with the intent of only granting to data when it is needed for a specific purpose.
Sarbanes-Oxley Act: SOX - U.S. U.S. law establishing governance and auditing requirements for public companies
Secondary Use   Using personal information for purposes not specified when it was collected.
Sensitivity Label   Label assigned by data subjects to indicate how important they feel it is to keep the data private.
Service Level Agreement SLA Set of performance measures that a vendor agrees to meet.
Single Factor Identification   Authentication process requiring a single piece of information, such as a password.
Social Engineering   Security attack method that relies on tricking authorized users into unintentionally enabling a breach, such as revealing a password or installing malicious software.
spoofing   see DNS spoofing
Standard Contract Clauses SCC Standard contract terms that specify how personal data will be used to ensure compliance with GDPR rules when the data is processed outside of European Economic Area (EEA)
Statistical Noise   Random variations in data values. May be introduced purposely as part of a differential privacy process to obscure actual values that can be used to reidentify individuals whose personal data is included in a data set.
Subject Erasure Handling   Process of removing subject data from an organization's systems in response to a subject access request.
Sugging   Selling under the guide of research.
Surveillance-as-a-Service   business model that is based on customers paying to be surveilled.
telematics   Technology to collect and distribute data generated by vehicles or related devices.
Territorial Privacy   Privacy related to a person's location, such as one's home or vehicle.
Third Party Consent   Consent for a property search granted by someone with legal access to the property who is not the subject of the search, such as a co-tenant.
Third Party Data Sharing   Data shared with someone who lacks a direct relationship to the subject.
Time-Stamping   Process of recording when an activity took place, used in audits and verification.
Tokenization   Process of replacing a specific data element with another element, often generic (e.g. replacing person's name with 'Name').
Transient Storage   Data storage that lasts only a brief period, such as during an interaction.
Transparency Consent Framework TCF Technical standards, policies, and provider registries developed by IAB Europe to help publishers comply with GDPR consent regulations.
UK GDPR   Post-Brexit version of EU's General Data Protection Regulation, modified as needed to refer to United Kingdom and its laws.
Unambiguous Consent   Consent that meets GDPR standard for being a clear, voluntary indication of user intent.
User-based Access Controls   Access based on rights granted to a specific user.
Workflow Management   Technology to follow a structured process to execute a task.
Zero Knowledge Proofs ZKP Data verification method that works without sharing the data being verified.
Zero-day vulnerability 0-day Security flaw that a software developer knows about but has not developed a patch to fix