LEXQUIRO PLLC is providing this glossary as a service. Every attempt has been made to define the terms correctly and clearly. However, privacy laws and regulations are subject to change. This means that the meanings of some terms may change. Different jurisdictions may use different definitions. Cases cited are available through Google Scholar (Case Law) and are provided for context, not legal authority. Therefore, you should not make legal decisions based on these definitions without first checking with an attorney.
Adhesion Contract (or Agreement) means a standardized contract generally offered on a take-it-or-leave-it basis, usually by the party with the most bargaining power. Many Website or application Terms of Service (TOS) are adhesion contracts. See generally: Terms of Service; Berkson v. GOGO LLC.
Aggregate Consumer Information means information relating to a group or category of consumers or users. Such aggregated data may be anonymized. See generally: CCPA §1798.140(a).
Autonomous Privacy means the right to control one’s personal activities or intimate decisions. For example, a person exercises their autonomous privacy right when they keep their medical records and decisions private. Privacy legislation, such as the CCPA, GDPR, and HIPAA, provides autonomous privacy rights.
Biometric Identifiers Act means legislation enacted in Washington State in 2017, as codified in RCW §19.375 et seq. This law regulates the collection and attribution of biometric data to a specific uniquely identified individual. It requires disclosure about how biometric data will be used. In addition, notice and consent must be obtained from an individual before enrolling or changing the use of that individual’s biometric data. See generally: RCW §19.375 et seq.
Biometric Information means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), which could be used alone or in combination with other identifying data, to establish an individual data subject. See generally: CCPA §1798.140(b); GDPR Art. 4(14).
Biometric Privacy Information Act means legislation enacted in Illinois in 2008, as codified in ILCS §14/1 et seq. This law regulates the collection, use, safeguarding, handling, retention, and destruction of biometric information. See generally: ILCS §14/1 et seq.
Breach. See Personal Data Breach.
Browser Wrap Agreement means an adhesion contract, such as a Website’s Terms of Service (TOS), where merely accessing the site or downloading information creates the contract. The case Specht v. Netscape generally held such agreements are legal, so long as the user had reasonable notice of the terms. See generally: Click Wrap Agreement; Scroll Wrap Agreement; Shrink Wrap Agreement; Berkson v. GOGO LLC.
California Consumer Privacy Act of 2018 (CCPA) means legislation enacted in California in 2018, as codified in CA CIV §1798.100 et seq. This law goes into effect in Jan. 2020, and applies to California domestic and foreign companies that process the data of natural persons in California (commonly Californians). See generally: CA CIV §1798.100 et seq.
CCPA. See California Consumer Privacy Act.
Click Wrap Agreement means an adhesion contract, such as a Website’s Terms of Service (TOS), where clicking a checkbox creates the contract. See generally: Browser Wrap Agreement; Scroll Wrap Agreement; Shrink Wrap Agreement; Berkson v. GOGO LLC.
Collect means the buying, renting, gathering, obtaining, receiving, or accessing of a consumer’s personal data. See generally: CCPA §1798.140(e).
Commercial Purpose means advancement of a person, party, or organization’s economic interests. See generally: CCPA §1798.140(f).
Controller means a person or party, including an organization, that decides what personal data to collect, store, and process about a data subject. See Processor. See GDPR Art. 4(7).
Consent means any freely given, specific, informed, and unambiguous indication by which the data subject signifies agreement to the collection and processing of their personal data. See GDPR Art. 4(11).
Consumer. See Data Subject.
Data Anonymization means the processing of personal data so that such personal data is no longer attributable to a specific data subject. See GDPR Art. 4(5).
Data Subject means a person whose personal data is collected, stored, and processed, or whose data is being used to create a profile. See GDPR Art. 4(1).
De-identified. See Data Anonymization. See CCPA §1798.140(h).
Data Protection Impact Assessment (DPIA) means an analysis of the impact of processing on the protection of personal data. Data controllers prepare the DPIA to define the nature, scope, context, and purposes of the collection and processing, to determine whether there is a high risk to the rights of data subjects. See GDPR Art. 35(1).
Domestic Company means an entity, such as a limited liability company or a corporation, operating within the state where it incorporated.
Expectation of Privacy means a test introduced in Katz v. United States to determine when and where the government has intruded on a person’s privacy. In Katz, the court held that the Fourth Amendment protects people, not places. In addition, what a person exposes to the public, even in the person’s home or office, will generally not be protected. On the other hand, what a person seeks to preserve as private, even in an area accessible to the public, generally is protected. The case introduced a two-part test. First, did the person exhibit an actual (subjective) expectation of privacy? Second, is that expectation of privacy one that society is prepared to recognize as “reasonable”? See generally: Fourth Amendment.
Facial Recognition means the use of algorithms and other processes to create a “signature” or unique pattern for an individual. This pattern can be used to detect the individual on subsequent observations. Although the unique pattern or template is calculated using photographs or images, only the pattern is permanently stored.
Foreign Company means an entity, such as a limited liability company or corporation, operating outside of the state where it incorporated.
Fourth Amendment means the amendment to the U.S. Constitution which provides that people are to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, and that no warrants shall issue without probable cause. The Fourth Amendment is available here. See: Expectation of Privacy.
General Data Protection Regulation (GDPR) means Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 and is the law that applies to companies and organizations, in and outside of the EU, that process the personal data of natural persons in the EU. The full English text of the GDPR is available here.
Health Insurance Portability and Accountability Act (HIPAA) means legislation enacted by the U.S. Congress in 1996 as codified in Public Law 104-191 or 110 STAT. 1936. The Act is available here.
Illinois Compiled Statutes (ILCS) means the state laws of Illinois. The ILCS are available here.
Informational Privacy means the right to control if, how, and when data about a person is made public or shared with others. Privacy legislation, such as the CCPA, GDPR, and HIPAA, generally addresses informational privacy.
Personal Data means any information relating to an identified or identifiable person. Most privacy laws define personal data broadly. For example, even a dynamic Internet Protocol (IP) address may be considered personal data. See GDPR Art. 4(1).
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. See GDPR Art. 4(12).
Personal Information. See Personal Data. See CCPA §1798.185(0)(1) and §1798.185(2).
Privacy means the right to be left alone, free from intrusion into or interference with one’s life. Under some privacy laws, such as the GDPR, privacy is a fundamental human right. See GDPR Rec.(1).
Processing means performing operations on personal data or sets of personal data. See CCPA §1798.185(q); GDPR Art. 4(2).
Processor means a person or party, including an organization, which processes personal data about data subjects for a controller. See Controller. See GDPR Art. 4(8).
Profiling means any form of processing of personal data to evaluate certain personal aspects relating to a data subject, in particular to analyze or predict aspects of the data subject’s behavior. See GDPR Art. 4(4).
Pseudonymization. See Data Anonymization.
Revised Code of Washington (RCW) means the laws of Washington state. RCWs are available here.
Scroll Wrap Agreement means an adhesion contract, such as a Website’s Terms of Service (TOS), where a contract is created when a user scrolls through the terms and clicks a checkbox to acknowledge their agreement. See generally: Browser Wrap Agreement; Click Wrap Agreement; Shrink Wrap Agreement; Berkson v. GOGO LLC.
Shrink Wrap Agreement means an adhesion contract, such as a Website’s Terms of Service (TOS), where a contract is created when a user removes the shrink wrap from a box of software or hardware. Generally, fine print or a label on the box puts the user on notice that by opening the package, they have agreed to the terms of the contract. See generally: Berkson v. GOGO LLC; Browser Wrap Agreement; Scroll Wrap Agreement.
Sell means the sale, rent, release, disclosure, dissemination, making available, transferring, or otherwise communicating, by any means, of personal information. See CCPA §1798.185(t); §1798.185(2).
Terms of Service.
Third Party means a person, public authority, or agency other than the controller, data subject, or processor. See CCPA §1798.185(w); GDPR Art. 4(10).