At RICHT LAW FIRM, we help businesses achieve clarity and compliance at the intersection of privacy, marketing, and technology law. The world of data privacy is full of complex terminology and rapidly evolving regulations. This resource is designed to demystify the key acronyms and terms you’ll encounter in privacy compliance, marketing technology, and data governance. Whether you’re a business owner, compliance officer, or legal professional, this guide will help you navigate the essential language of data privacy.
Key Data Privacy Acronyms & Terms
| Acronym / Term | Definition |
|---|---|
| AADC | Age-Appropriate Design Code. Guidelines for child-friendly online services, adopted in the UK and California. |
| AI | Artificial Intelligence. Technology that simulates human intelligence, raising unique privacy and ethical considerations. |
| AIA | Artificial Intelligence Act. EU regulation governing ethical AI development and deployment. |
| Anonymization | The process of modifying or removing personal information so it cannot identify an individual. |
| APEC CBPR | Asia-Pacific Economic Cooperation Cross-Border Privacy Rules. Framework for secure data transfer among member economies. |
| BCR | Binding Corporate Rules. Internal corporate policies for transferring personal data within multinational organizations. |
| BIPA | Biometric Information Privacy Act. Illinois law regulating the use and storage of biometric data. |
| Breach Notification | Requirement to notify individuals or authorities of accidental or unauthorized data access, loss, or disclosure due to a data breach or “incident.” |
| CCPA | California Consumer Privacy Act. Grants California residents rights over their personal data. |
| CDPA | Consumer Data Protection Act. Virginia law governing data protection and consumer rights. |
| CMP | Consent Management Platform. Technology for collecting and managing user consent for data processing. |
| CNIL | Commission Nationale de l’Informatique et des Libertés. French data protection authority enforcing GDPR. |
| COE 108+ | Modernized Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. |
| COPPA | Children’s Online Privacy Protection Act. U.S. law requiring parental consent for data from users under 13. |
| CPRA | California Privacy Rights Act. Expanded version of CCPA, adding new protections and enforcement mechanisms. |
| CPA | Colorado Privacy Act. State privacy law granting residents rights over their data. |
| DPA | Data Protection Authority. Regulatory body enforcing privacy laws in a jurisdiction. Also, Data Processing Agreement—a contract governing data processing. |
| DPIA | Data Protection Impact Assessment. Risk assessment to identify and mitigate privacy risks in data processing. |
| DSAR | Data Subject Access Request. A request by an individual to access, correct, or delete their personal data held by an organization. |
| DSR/SAR | Data Subject Request / Subject Access Request. General terms for requests to exercise data rights. |
| EDPB | European Data Protection Board. Ensures consistent application of GDPR across the EU. |
| eIDAS | Electronic Identification, Authentication, and Trust Services. EU regulation for secure electronic transactions. |
| FCRA | Fair Credit Reporting Act. U.S. law regulating collection and use of consumer credit information. |
| FIPPs | Fair Information Practice Principles. Foundational privacy principles for data systems. |
| GDPR | General Data Protection Regulation. Comprehensive EU privacy law governing data protection and user rights. |
| GLBA | Gramm-Leach-Bliley Act. U.S. law requiring financial institutions to protect customer data. |
| HIPAA | Health Insurance Portability and Accountability Act. U.S. law protecting health information privacy and security. |
| ISO/IEC 27701 | International standard for implementing privacy information management systems. |
| LGPD | Lei Geral de Proteção de Dados. Brazil’s General Personal Data Protection Law. |
| LDU | Limited Data Use. Restriction on how certain data can be processed or shared. |
| MNPI | Material Nonpublic Information. Sensitive information that could impact financial markets if disclosed. |
| NIST | National Institute of Standards and Technology. U.S. agency providing data security and privacy guidelines. |
| NPI | Nonpublic Personal Information. Information provided by a consumer to a financial institution not publicly available. |
| PbD | Privacy by Design. Embedding privacy into the design and operation of systems and processes. |
| PDPA | Personal Data Protection Act. Privacy laws in countries such as Singapore and Thailand. |
| PECR | Privacy and Electronic Communications Regulations. UK law supplementing GDPR for marketing and cookies. |
| PI | Personal Information. Any data relating to an identified or identifiable individual. |
| PIA | Privacy Impact Assessment. Process to evaluate privacy risks of a project or system. |
| PII | Personally Identifiable Information. Data that identifies a specific individual (e.g., name, SSN, email). |
| PIPL | Personal Information Protection Law. China’s comprehensive data privacy law. |
| PIPEDA | Personal Information Protection and Electronic Documents Act. Canada’s data privacy law for private sector organizations. |
| PLDPA | Personal Liability Data Protection Act. Proposed U.S. legislation imposing penalties on executives for data breaches. |
| POPIA | Protection of Personal Information Act. South African law regulating personal data processing. |
| PSD2 | Payment Services Directive 2. EU regulation for secure online payments, including privacy requirements. |
| ROPA | Record of Processing Activities. Mandatory documentation under GDPR detailing how personal data is processed, typically produced through data mapping. |
| RTBF | Right to Be Forgotten. The right to have personal data erased upon request. |
| SCCs | Standard Contractual Clauses. Legal mechanism for transferring data from the EU to non-EU countries. |
| SPI | Sensitive Personal Information. Data requiring higher protection, such as health, biometric, or financial data. |
| DPF | Data Privacy Framework. Agreement for data flow between the U.S. and EU. |
| TLS/SSL | Transport Layer Security / Secure Sockets Layer. Protocols for securing online communications; SSL is the deprecated predecessor of TLS, and current guidance calls for TLS (1.2 or later). |
| UPR | Universal Privacy Rights. Concept advocating globally recognized data privacy rights. |
| VCDPA | Virginia Consumer Data Protection Act. Privacy law providing Virginia residents rights over their personal data. |
| WP29 | Article 29 Working Party. EU advisory body that preceded the European Data Protection Board. |
Additional Foundational Terms
- Accountability: The obligation of organizations to demonstrate compliance with data protection laws.
- Automated Decision-Making: Use of algorithms or technology to make decisions with legal or significant effects, without human intervention.
- Biometric Data: Information derived from physical characteristics (e.g., fingerprints, facial recognition).
- Consent: Freely given, specific, informed, and unambiguous indication of the data subject’s wishes regarding data processing.
- Data Discovery: The process of identifying and classifying personal data across systems to ensure compliance and support data subject rights.
- Data Mapping: Creating a detailed inventory of data flows and processing activities within an organization.
- Data Minimization: Collecting and processing only the data necessary for a specific purpose.
- Encryption: Securing data by converting it into ciphertext that can only be read by someone holding the corresponding key, preventing unauthorized access to the underlying information.
- Privacy Policy: A statement outlining how an organization collects, uses, and protects personal data.
- Third Country: A nation outside the jurisdiction of a specific data protection law (e.g., outside the EU for GDPR purposes).