Privacy Glossary
Common privacy policy terms explained in plain English
Data Collection & Types
- Personal Data (Personal Information)
- Any information that can identify you directly or indirectly. This includes obvious identifiers like your name and email, but also things like your IP address, device IDs, or browsing patterns when combined with other data.
- PII (Personally Identifiable Information)
- A subset of personal data that can directly identify you on its own—your full name, Social Security number, driver's license, passport number, or biometric data like fingerprints.
- Sensitive Personal Data
- Information requiring extra protection due to its nature: health records, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, genetic data, or financial information.
- Aggregate Data
- Statistical information compiled from many users that doesn't identify any individual. For example, "60% of our users are between 25-34 years old."
- Anonymous Data (Anonymized Data)
- Data that has been processed to remove all identifying information permanently. Truly anonymized data cannot be traced back to you, even when combined with other information.
- Pseudonymous Data
- Data where your identity is replaced with a code or alias. Unlike anonymous data, it can potentially be re-linked to you if someone has access to the "key" connecting the pseudonym to your identity.
- Metadata
- Data about data—information describing how, when, and where your data was created or used. For a photo, this might include the time taken, location, and device used, even if the image itself seems innocuous.
- Behavioral Data
- Information about your actions and patterns: what you click, how long you stay on a page, your purchase history, or your app usage habits.
- Device Identifiers
- Unique codes assigned to your devices—like your phone's advertising ID, MAC address, or IMEI number—that allow companies to recognize your device across different apps and websites.
Tracking Technologies
- Cookies
- Small text files stored on your device by websites you visit. They can remember your preferences (helpful) or track your behavior across sites for advertising purposes (potentially invasive).
- First-Party Cookies
- Cookies set by the website you're actually visiting. Generally used for functionality like keeping you logged in or remembering items in your shopping cart.
- Third-Party Cookies
- Cookies set by domains other than the one you're visiting, typically advertisers and analytics companies. These enable cross-site tracking and targeted advertising.
- Session Cookies
- Temporary cookies that are deleted when you close your browser. These are typically used for essential functions like maintaining your login during a single visit.
- Persistent Cookies
- Cookies that remain on your device for a set period (days, months, or years) even after you close your browser. Used to remember you between visits.
- Web Beacons (Pixel Tags, Tracking Pixels)
- Tiny, invisible images embedded in web pages or emails. When loaded, they send information back to the sender—confirming you opened an email or visited a page, along with your IP address and browser details.
- Browser/Device Fingerprinting
- A tracking technique that identifies you by collecting details about your browser settings, installed fonts, screen resolution, and other device characteristics. This creates a unique "fingerprint" that can track you even without cookies.
- Local Storage
- A way for websites to store data in your browser that persists longer and holds more information than cookies. Unlike cookies, this data isn't automatically sent with every request.
- SDK (Software Development Kit)
- Code packages that app developers include to add features like analytics, advertising, or social sharing. SDKs often collect data and share it with the companies that provide them.
Data Sharing & Parties
- Data Controller
- The company or organization that decides why and how your personal data is collected and used. They're ultimately responsible for how your data is handled.
- Data Processor
- A company that handles personal data on behalf of the data controller. For example, a cloud storage provider storing customer data for an online retailer.
- Third Party
- Any company or entity other than you and the company whose privacy policy you're reading. This could include advertisers, analytics providers, payment processors, or business partners.
- Service Provider
- Companies hired to perform specific functions—like sending emails, processing payments, or hosting websites. They typically access your data only to perform their designated task.
- Affiliate
- Companies related through common ownership or control. Data shared with "affiliates" stays within a corporate family but may still be used for purposes beyond your original interaction.
- Data Broker
- Companies that collect personal information from various sources and sell or license it to other businesses. You typically have no direct relationship with these entities.
- Sale of Data
- Exchanging personal information for money or other valuable consideration. Some privacy laws define this broadly to include sharing data for targeted advertising, even without direct payment.
Legal Bases & Consent
- Consent
- Your freely given, informed agreement to data collection or use. Valid consent should be specific, unambiguous, and as easy to withdraw as it was to give.
- Opt-In
- A system where data collection or sharing doesn't happen unless you take an explicit action to allow it. This provides stronger privacy protection than opt-out.
- Opt-Out
- A system where data collection or sharing happens by default, and you must take action to stop it. The burden is on you to find and use the opt-out mechanism.
- Legitimate Interest
- A legal basis allowing companies to process your data without consent if they have a valid business reason and it doesn't override your rights. This is often used broadly and can be difficult to challenge.
- Contractual Necessity
- Processing data because it's required to fulfill a contract with you—like needing your address to ship a product you ordered.
- Legal Obligation
- Processing data because the law requires it, such as keeping tax records or reporting suspicious activity to authorities.
Your Rights
- Right to Access
- Your right to request a copy of the personal data a company holds about you, along with information about how it's being used.
- Right to Rectification (Correction)
- Your right to have inaccurate personal data corrected or incomplete data completed.
- Right to Erasure (Right to be Forgotten)
- Your right to request deletion of your personal data under certain circumstances. Companies may decline if they have legal obligations to retain the data.
- Right to Data Portability
- Your right to receive your data in a structured, commonly used format and transfer it to another service provider.
- Right to Object
- Your right to object to certain types of data processing, including direct marketing and processing based on legitimate interest.
- Right to Restrict Processing
- Your right to limit how a company uses your data while disputes about accuracy or legality are resolved.
- DSAR (Data Subject Access Request)
- A formal request exercising your right to access your personal data. Companies typically must respond within 30-45 days, depending on applicable laws.
- Do Not Sell My Personal Information
- A right under some privacy laws (like California's CCPA) allowing you to opt out of the sale of your personal information to third parties.
Data Protection Practices
- Encryption
- Converting data into a coded format that can only be read with the correct key. "In transit" encryption protects data while it's being sent; "at rest" encryption protects stored data.
- Data Minimization
- The principle of collecting only the personal data that's actually necessary for a specific purpose—nothing more.
- Purpose Limitation
- The principle that data should only be used for the specific purposes disclosed when it was collected, not repurposed for unrelated uses.
- Retention Period
- How long a company keeps your data. Look for specific timeframes rather than vague statements like "as long as necessary."
- Data Breach
- A security incident where personal data is accessed, disclosed, or stolen without authorization. Many laws require companies to notify affected users within a specific timeframe.
- Privacy by Design
- An approach where privacy protections are built into products and systems from the start, rather than added as an afterthought.
- DPIA (Data Protection Impact Assessment)
- A process for evaluating privacy risks before starting new projects or data processing activities that could significantly affect individuals.
Laws & Regulations
- GDPR (General Data Protection Regulation)
- The European Union's comprehensive privacy law, effective since 2018. It applies to any organization handling EU residents' data, regardless of where the organization is located, and provides strong individual rights.
- CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
- California's privacy laws giving residents rights over their personal information, including the right to know what's collected, delete it, and opt out of its sale.
- COPPA (Children's Online Privacy Protection Act)
- A U.S. law requiring parental consent before collecting personal information from children under 13 and imposing strict rules on how that data can be used.
- HIPAA (Health Insurance Portability and Accountability Act)
- A U.S. law governing the privacy and security of health information. It applies to healthcare providers, insurers, and their business associates—but not necessarily to health apps or fitness trackers.
- DPA (Data Protection Authority)
- Government agencies responsible for enforcing privacy laws and protecting individuals' data rights. Each EU country has one, and they can investigate complaints and issue fines.
International Data Transfers
- Cross-Border Data Transfer
- Moving personal data from one country to another. This often requires specific legal mechanisms to ensure adequate protection in the destination country.
- Adequacy Decision
- A determination by regulators (like the EU) that another country's privacy laws provide sufficient protection for personal data to be transferred there freely.
- SCCs (Standard Contractual Clauses)
- Pre-approved contract terms that companies can use to legally transfer personal data between countries that lack an adequacy decision.
- Data Privacy Framework
- The current mechanism allowing personal data transfers between the EU and certified U.S. companies. It replaced Privacy Shield, which was invalidated by courts in 2020.
Red Flag Phrases
- Vague language that could mean anything from essential service providers to selling your data to advertisers. Look for specificity about who these partners are and why they need your data.
- "To improve our services"
- A catch-all justification that could cover legitimate product development or extensive profiling. Without specifics, this phrase allows broad data use.
- "As long as necessary"
- Indefinite retention period with no clear end date. Better policies specify actual timeframes tied to specific purposes.
- "We reserve the right to..."
- Language giving the company unilateral power to change practices. Pay attention to what they're reserving the right to do and whether you'll be notified.
- "Personalize your experience"
- Often a euphemism for behavioral tracking and targeted advertising, though it can also mean remembering your preferences.
- "We may modify this policy at any time"
- Indicates the company can change how they use your data without meaningful notice or consent. Look for commitments to notify you of material changes.