Privacy Law Glossary
Plain-English definitions of key privacy law terms used across US state privacy legislation. Each term includes legal definitions, examples, and FAQ.
31 terms defined
C
Consent Management Platform (CMP)
Software that helps businesses collect, manage, and store user consent for data processing activities. A CMP typically provides cookie consent banners, preference centers, and records of consent for compliance with privacy laws. It acts as the bridge between user preferences and the technical implementation of those choices.
Consumer
The individual whose personal data is being processed. Under most state privacy laws, a consumer is a resident of the state acting in an individual (not commercial) capacity. The term is the US equivalent of "data subject" under the GDPR.
Cookie
A small text file stored on a user's device by a website. Cookies can be first-party (set by the site being visited) or third-party (set by external services like analytics or advertising platforms). Third-party cookies are a primary mechanism for cross-site tracking and are a key focus of privacy regulations.
Cure Period
A window of time (usually 30-60 days) that a business is given to fix a privacy violation after being notified, before enforcement action is taken. Many early state privacy laws included cure periods, but the trend is toward removing them to strengthen enforcement.
D
Data Broker
A business that knowingly collects and sells or licenses the personal information of consumers with whom it does not have a direct relationship. Data brokers aggregate data from public records, commercial sources, and online tracking to build consumer profiles that are sold to other businesses for marketing, risk assessment, or people search purposes.
Data Controller
The entity (person or organization) that determines the purposes and means of processing personal data. In simpler terms, the controller is the company that decides why and how personal data is collected and used. California uses the equivalent term "business."
Data Minimization
The principle that businesses should only collect, process, and retain the minimum amount of personal data that is reasonably necessary for the specific purpose disclosed to the consumer. This prevents excessive data collection and reduces privacy risks.
Data Portability
A consumer's right to receive their personal data from a business in a structured, commonly used, and machine-readable format so it can be transferred to another service provider. This prevents vendor lock-in and gives consumers control over their data.
Data Processor
An entity that processes personal data on behalf of a data controller, following the controller's instructions. Processors do not decide how or why data is used. California uses the equivalent term "service provider."
Data Subject Access Request (DSAR)
A formal request from a consumer to a business asking to know what personal data the business holds about them. Also called a consumer rights request or verifiable consumer request. Businesses must respond within a legally specified timeframe, usually 45 days.
De-identification
The process of removing or modifying personal identifiers so that data can no longer be reasonably linked to a specific individual. De-identified data is generally exempt from privacy law requirements, but the business must take reasonable measures to ensure the data cannot be re-identified and must contractually prohibit recipients from re-identifying it.
G
Geolocation Data
Data derived from technology (such as GPS, Wi-Fi, or cell tower triangulation) that identifies a person's precise physical location. "Precise" geolocation typically means data accurate to within a radius of 1,750 feet or less. Precise geolocation data is classified as sensitive data under most state privacy laws.
Global Privacy Control (GPC)
A technical specification that allows users to signal their privacy preferences to websites through their browser. When enabled, the browser sends an HTTP header and exposes a JavaScript property telling websites that the user does not want their personal data sold or shared. Multiple state laws now require businesses to honor GPC signals.
O
Opt-In Consent
A model where the consumer must take an affirmative action to agree before their data can be processed for a specific purpose. The consumer must be informed of what they are agreeing to and must actively indicate consent (e.g., checking an unchecked box). Required for processing sensitive data and children's data under most state laws.
Opt-Out
A consumer's right to tell a business to stop certain data processing activities, such as selling personal information, sharing for targeted advertising, or profiling. Unlike opt-in consent, an opt-out model allows processing by default until the consumer objects. All comprehensive state privacy laws provide opt-out rights.
P
Personal Data
The term used by most state privacy laws outside California to describe information linked or reasonably linkable to an identified or identifiable individual. Functionally similar to "personal information" but typically narrower, excluding publicly available information and de-identified data.
Personal Information
Any information that identifies, relates to, describes, or could reasonably be linked to a particular person or household. This includes obvious identifiers like names and email addresses, but also less obvious data like browsing history, purchase records, geolocation data, and device identifiers.
Privacy Impact Assessment
A formal evaluation that businesses must conduct before engaging in certain high-risk data processing activities. Also called a data protection assessment. It analyzes the benefits and risks of the processing activity to consumers and the business, and must weigh whether the processing presents a heightened risk of harm.
Private Right of Action
The ability of individual consumers to file lawsuits directly against businesses for privacy violations, rather than relying on the state attorney general to enforce the law. Most state privacy laws do NOT include a private right of action. California's CCPA has a limited private right of action only for data breaches.
Profiling
Any form of automated processing of personal data to evaluate, analyze, or predict aspects of a person's behavior, preferences, economic situation, health, location, or other personal aspects. Some state laws give consumers the right to opt out of profiling decisions that produce legal or similarly significant effects.
Purpose Limitation
The principle that personal data should only be collected for specified, explicit, and legitimate purposes, and should not be further processed in ways that are incompatible with those purposes. Businesses must disclose why they collect data and cannot use it for unrelated purposes without additional consent.
R
Right of Access
A consumer's right to know what personal data a business has collected about them, including the categories of data, specific pieces of data, sources, purposes of collection, and third parties with whom data is shared. This is the foundational consumer right in all state privacy laws.
Right to Delete
A consumer's right to request that a business delete the personal data it has collected about them. The business must also direct its service providers and contractors to delete the data. There are exceptions for data needed for legal claims, regulatory compliance, security, and completing transactions.
Right to Erasure
Another term for the right to delete, more commonly used in European (GDPR) contexts but increasingly referenced in US privacy discussions. Functionally identical to the right to delete under state privacy laws.
S
Sale of Personal Information
Providing personal information to a third party in exchange for money or other valuable consideration. Under the CCPA, the definition is very broad and can include sharing data with advertising partners even when no money changes hands if the business receives other benefits. Consumers have the right to opt out of the sale of their personal information.
Sensitive Data
A category of personal data that requires heightened protection due to its nature. Typically includes racial or ethnic origin, religious beliefs, health data, sexual orientation, genetic and biometric data, precise geolocation, and data from known children. Most laws require opt-in consent before processing sensitive data.
Sharing of Personal Information
A concept introduced by the CPRA that covers providing personal information to third parties for cross-context behavioral advertising, even without monetary exchange. This closed a loophole where companies argued that sharing data with ad networks was not a "sale" because no money was exchanged.