CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
September 19, 2022
In the world of data privacy, your ability to be compliant hinges, in part, upon your ability to interpret legalese and wade through alphabet soup. At Osano, we don’t believe that it should require hours of researching obscure terminology just to understand how to follow the law. That’s why we put together this glossary of frequently used data privacy terms.
Whenever you’re reading content related to data privacy and come across a term whose full meaning escapes you, come back to this page and see if we’ve included a definition in the list below.
Under data privacy regulations, children's data is often treated with special consideration. Different data privacy laws define children differently, with many laws defining children as individuals under the age of 13. Notably, children are often considered as being unable to give consent to data collection; instead, their parents or guardians must give consent for them.
When data privacy laws refer to "consumers," they are usually referring to natural persons who are residents of the relevant jurisdiction.
Most commonly referenced in the GDPR, a controller is the individual or organization that determines the purposes and means of processing personal data. This concept is closely related to a processor.
Organizations that collect and sell individuals' personal data. Data brokers' primary business is the sale of personal data, in contrast to other businesses that may use their consumers' personal data for QA, analytics, or other business purposes.
Most often mentioned in relation to the GDPR, a data subject is the individual associated with collected data. If a business collects data from its consumers, for instance, each of those consumers is a data subject.
A lawyer and data privacy activist, Max Schrems is the chairman and founder of noyb (an acronym for "none of your business"). Max Schrems and noyb have been involved in a number of significant cases related to data privacy, such as Schrems I, Schrems II, the invalidation of the Safe Harbor and Privacy Shield frameworks, as well as a number of ongoing privacy disputes.
noyb (an acronym for "none of your business") is a non-profit organization co-founded by lawyer and data privacy activist Max Schrems. The organization initiates court cases and media projects intended to call attention to private sector violations of the GDPR.
Aggregate data refers to data collected from a group of individuals that do not contain any personally identifiable information. An example might be the number of website visitors in a day — this metric cannot be used to identify a single individual.
Biometric data is personal information that can be used to identify an individual based on their intrinsic physical or behavioral traits. This includes DNA, fingerprints, handwriting, and so on. Often, data privacy regulations include biometric data in an elevated category that requires additional safeguards, such as the CCPA/CPRA, which classifies biometric data as sensitive personal information.
De-identified data is data that has had personally identifiable information removed and cannot be reasonably used to identify or associate with a particular individual.
Personal information is information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked (directly or indirectly) with a particular person.
Personally identifiable information (or PII) is any information that could be used to determine an individual's identity or information that is linkable to an individual.
Information that is available to the general public, such as names and addresses in a telephone book. Certain data privacy regulations treat publicly available information separately from other personal information.
Sensitive personal information refers to data that an individual would reasonably expect to have a greater degree of privacy over, such as health or financial information.
A concept in the CCPA/CPRA, a business purpose is the use of personal information to achieve an operational goal (in contrast to a commercial purpose, where the point of collecting personal information is to sell it, rather than use it to improve the business). The CCPA/CPRA also considers using personal information for other goals to be a business purpose so long as the consumer has been notified and the use of personal information is necessary and proportionate. The CCPA identifies the following seven business purposes: 1) auditing, 2) security, 3) debugging, 4) short-term, transient use, 5) performing services on behalf of the business or service provider, 6) internal research, and 7) quality assurance and improvement.
In the context of data privacy, there are different types of consent. Implicit consent means the data subject has been made aware of data collection, and that by taking an action (such as continuing to use a site), they are implicitly consenting to that data collection. Explicit consent generally means that a data subject has taken an affirmative action indicating that they freely, unambiguously, and with full understanding agree to have their data processed (such as by clicking a box to agree to the use of advertising cookies in a banner that meets further requirements). These types of consent can also be thought of as opt-out consent (i.e., you consent to data collection unless you actively opt out) and opt-in consent (i.e., you consent to data collection only if you actively opt in).
Consent management is the set of practices associated with informing users how your business collects and uses data, providing them with the opportunity to consent to or refuse such use, acting upon their consent or refusal, and storing a record of their consent or refusal. Businesses use consent management platforms (CMPs) like Osano to carry out these tasks.
The transfer of personal information from one jurisdiction to another. Since data privacy laws differ across countries and states, cross-border data transfers are often given special treatment in data privacy laws. The EU, in particular, requires that the receiving jurisdiction and organization have adequate data protection practices in place.
Advertising that targets an individual consumer based on personal information obtained from the consumer's activity across businesses, websites, and other systems. This term is used in the CPRA, but it's also referred to as targeted advertising in other contexts.
The set of policies and procedures that an organization implements in order to comply with data privacy laws.
When collecting personal information, the principle of data minimization dictates that businesses should only collect data that is relevant, necessary, and adequate for the purpose of the collection. If a business collects your information to process a payment, for example, it shouldn't also collect your browsing history.
The idea that one's personal data is included within their right to privacy and the set of laws, standards, and business practices associated with protecting individuals' privacy when it comes to their data.
Data subject access request or data subject access rights. Sometimes referred to as a subject rights request or SRR. A DSAR is a type of request made by a data subject to exercise their rights over the data collected by an organization. Different laws provide different rights, but they could include the right to delete data, the right to access data, the right to correct data, and so on. A data subject might request, for example, that an organization delete all their personal information. Upon receiving and verifying that request, the organization will have a certain number of days to respond and act upon it, depending upon the relevant data privacy law.
Under the GDPR, data controllers need to demonstrate that they have a legal basis for processing consumer data. The GDPR lists six possible legal bases: 1) consent, 2) contractual requirement, 3) legal obligation, 4) vital interest, 5) public interest, and 6) legitimate interest of the controller. Additionally, the data controller needs to disclose their legal basis in their privacy notice. If their legal basis is a legitimate interest, then they need to identify what their legitimate interest is.
One of the six legal bases for data collection outlined in the GDPR, a legitimate interest is one where collecting data would be for the benefit of an organization or society in general. However, the collection must pose little risk of infringing on a data subject's privacy, and the data subject should reasonably expect that their data would be used in that way.
In the context of data privacy, opting in and opting out are related to consenting to data collection. Different data privacy laws require either opt-in or opt-out consent to data collection by default. If a data subject lives in a jurisdiction where opt-in consent is required, they must unambiguously indicate that they consent to data collection before data collection can occur, such as by clicking "Agree" on a cookie banner. If they don't take this action, then they cannot be considered to have consented to data collection. Jurisdictions that require opt-out consent work differently. So long as the user is notified of data collection, they are considered to have consented to data collection by continuing to use the website or application. Generally, jurisdictions that require opt-out consent also require businesses to provide a web page or link that allows users to opt-out of data collection.
Often referenced in relation to DSARs, portability refers to the ability for data to be easily accessed, viewed, and handled. When a data subject makes a DSAR request to access their data, for instance, many data privacy laws require that businesses provide the data subject their data in a portable format.
When a business violates a data privacy law, only certain entities can take enforcement actions. Often, an independent agency or authority will be tasked with enforcement, the office of the attorney general will enforce violations, or plaintiffs' attorneys will launch a class action lawsuit. However, few privacy laws permit individuals to sue businesses that violate the law. When data privacy laws do permit individuals to sue businesses in violation of the law, it's referred to as a private right of action.
Profiling refers to the automated processing of a data subject's personal data to evaluate, analyze, or predict certain personal aspects of that individual. This could include their personal preferences, work performance, movements, economic situation, and so on.
This principle asserts that businesses should determine the purpose behind their data collection in advance, and then only collect and use data in a manner that is limited to that purpose. See also data minimization.
In certain data privacy laws, there is a limited right to cure. This means that if the business is in violation of the law, they have the right to fix the violation before facing fines or penalties. Generally, there will be a right to cure in new legislation that expires after a certain amount of time while businesses work toward compliance.
Subject rights requests, or SRRs, are another term used to refer to DSARs.
Advertising that targets an individual consumer based on personal information obtained from the consumer's activity across businesses, websites, and other systems. See also cross-context behavioral advertising.
The California Consumer Protection Act (CCPA) was signed into law on June 28, 2018, making it the first state-level privacy law in the US. The CCPA applies to businesses that collect California residents' personal information. Later, in 2020, California passed the California Privacy Rights Act (CPRA), which amends the CCPA by adding additional protections, obligations, and clarifications.
The California Privacy Rights Act (CPRA) takes effect on January 1, 2023. It amends the CCPA to include additional protections, obligations, and clarifications. Among these changes, the CPRA regulates the share of personal data in addition to its sale, mandates the creation of the California Privacy Protection Agency (CPPA), created the concept of "sensitive personal information," and more.
The General Data Protection Regulation (GDPR) was adopted on April 14, 2016, and regulates the processing of personal information among European Union member states, the European Economic Area, and serves as the basis for the UK GDPR (post-Brexit). As one of the first modern omnibus data privacy regulations, it has become a model for other regulations around the world. It establishes the fundamental rights that consumers have over their data, regulates how businesses handle that data, and how they should handle international data transfers, among other items.
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) was enacted in August of 2018. It unified the many various laws in Brazil regulating personal data. The LGPD codifies the concepts of personal data, sensitive personal data, data subject rights, and requirements for collecting and processing personal data, among other items.
The Personal Information Protection and Electronic Documents Act (PIPEDA) became law on April 13, 2000, and governs how Canadian businesses collect, use and disclose personal information in the course of commercial business. Alberta, British Columbia, and Quebec also have privacy laws specific to those provinces.
The Privacy Shield was a legal framework that governed how personal data could be transferred between the EU and the US. The Privacy Shield was put into place after July 12, 2016 to replace the Safe Harbor provisions, which performed the same basic function as the Privacy Shield and were declared invalid by the European Court of Justice in the Schrems II ruling on July 16, 2020.
"Schrems I" is the term commonly used to refer to the court case Maximillian Schrems v Data Protection Commissioner. In this case, privacy advocate Max Schrems challenged the Irish data protection authority's refusal to investigate his complaint against Facebook Ireland for transferring data from the EU to the US. The complaint centered around evidence supplied by Edward Snowden indicating that US intelligence agencies could access personal data hosted on American tech platforms like Facebook, thereby violating Schrems' right to privacy under the EU's GDPR. As a result of this case, the Safe Harbor framework was invalidated.
"Schrems II" is the term commonly used to refer to the court case Data Protection Commission v Facebook & Schrems. In this case, the Irish Data Protection Commission referred the Schrems I case along with 11 questions to the Court of Justice of the European Union (CJEU). These questions centered around the validity of standard contractual clauses (SCCs) and the Privacy Shield to protect EU citizens' data in international transfers. As a result, the CJEU declared the Privacy Shield invalid and indicated that SCCs were not valid under certain circumstances.
When data is anonymized, it is stripped of personally identifiable information such that it can no longer be used to identify an individual.
Binding corporate rules are a GDPR safeguard that allows for cross-border data transfers within the same organization. If a multinational corporation wants to transfer data from its EU office to an office located in another country, it can use binding corporate rules to ensure the entire organization is following the same data protection principles.
Data discovery is the process of identifying all stores of data within an organization, gathering the data they contain, and centralizing that data to make it easier to work with.
Data governance is the set of principles, policies, and practices that define how a business identifies, meets, and enforces its information needs.
When personal data is pseudonymized, it is de-identified and cannot be associated with an individual. However, it can be re-identified if need be. The GDPR defines pseudonymization as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information." So, using a code name to refer to an individual would be pseudonymous; the individual's identity can only be ascertained when the code name is combined with additional information about the encoding method. Under the GDPR, pseudonymous information is still treated as personal information.
A record of processing activity, or RoPA is a requirement under the GDPR in which businesses must put together a document that records all of the data processing activities that they perform. Businesses with more than 250 individuals are required to keep a RoPA, as well as businesses whose processing is likely to result in a risk to the rights and freedoms of data subjects, that process data frequently, process special categories of personal data, or process data related to criminal convictions or offenses. As a result, nearly all businesses subject to the GDPR are required to keep a RoPA. Often, this term is used interchangeably with a data map or data inventory.
Standard contractual clauses, or SCCs, are contractual clauses that require the parties to adhere to certain data protection safeguards when transferring data from the EU to other countries. Shortly after the Schrems II decision, the SCCs were updated, and businesses were advised that they had until December 27th, 2022, to update their contracts with the new SCCs. Certain US businesses are not eligible to rely on SCCs to receive data imports from the EU due to the potential for access by US intelligence agencies.
Automated decision-making refers to the act of machines making decisions without human involvement. Since this involves artificial intelligence and machine learning, automated decision-making can be subject to bias. Because these techniques depend upon their inputs, artificial intelligence and machine learning can yield results that reflect the biases (conscious or unconscious) of the individual who provided the inputs or biases present in the inputs themselves. As a result, automated decision-making is often regulated by data privacy laws.
A cookie banner is sometimes required explicitly by data privacy regulations, and sometimes it merely fulfills more general requirements. Cookie banners pop up on a website upon a visitors' first visit, informing the visitor about the website's data collection practices and either asking for permission to drop cookies on the visitor's browser or indicating that the website will drop cookies on the visitor's browser.
Cookies are small text files stored in a website visitor's browser by that website. These text files help websites remember information about their visitors, such as which items the visitor added to their shopping cart, what their login information was, what websites they visited previously, and more. Cookies serve a variety of purposes and have a range of implications for consumers' privacy.
First-party cookies are cookies set by the website that a visitor is on. The "first-party" in this case, is the same website that sets and reads the cookies. This is in contrast to third-party cookies, which are set by a third party to the website that the visitor is on and which often are used to track user behavior from site to site.
Tags are snippets of code that describe an element or function on a website. Tags often set tracking technologies like cookies, so one way to become compliant with data privacy regulations is to block tags that fire tracking technologies for which a user has not given consent.
Third-party cookies are tracking codes generated by companies other than the website that a web visitor has navigated to. Advertisers and social media networks typically use them to track users between websites to build a robust user profile for targeted advertising purposes. This data determines what ads to populate and where they will be most effective. Because these cookies track user behavior across websites, they are often treated with special consideration in data privacy regulations. The CCPA/CPRA, for instance, regulates cross-context behavioral advertising; third-party cookies track user behavior across contexts (i.e., websites), causing them to fall under this regulation. Many website browsers are phasing out support for third-party cookies.
Often referenced in conjunction with third-party and first-party cookies, zero-party data refers to personal information provided by the consumer themselves. This could be their personal preferences, their demographic information, their payment and shipping information, and so on.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.