PrivacyReffFlashCards
Accountability
The use of organizational and technical measures which demonstrate that personal data is handled in compliance with relevant law.
Adequate Level of Protection
Confirmation that a data transfer accounts for the rule of law and legislation, respect for human rights, data protection rules, professional rules and security measures, data subject rights, independent supervisory authorities, and any international commitments.
Adverse Action
Any business, credit, or employment action that affects consumers negatively, such as denying or canceling credit, insurance, employment, or promotion. A credit transaction where the consumer accepts a counteroffer would not count.
American Institute of Certified Public Accountants
The U.S. professional organization of certified public accountants that co-created the WebTrust seal program.
Americans with Disabilities Act
A U.S. law that prohibits discrimination against qualified individuals with disabilities.
Anti-discrimination Laws
Laws identifying protected classes or statuses. Where personal data reveals membership in such a class, it is likely subject to more prescriptive data protection regulation.
APEC Privacy Principles
A set of non-binding principles adopted by Asia-Pacific Economic Cooperation (APEC) that mirror the OECD fair information practice principles. They promote electronic commerce in the Asia-Pacific region while balancing information privacy against business needs.
Background Screening/Checks
Verifying an applicant’s suitability for the working environment in a way that ensures the safety and security of existing workers, for example by checking a person’s educational background or criminal history. In the EU, employee consent requirements may need to be negotiated with works councils and vary by member state.
The Bank Secrecy Act
A U.S. federal law requiring U.S. financial institutions, money services businesses, or entities that sell money orders or provide cash transfer services, to report, retain, and record qualified financial transactions to the federal government. This is meant to help the government investigate instances of money laundering, tax evasion, terrorist financing and other criminal activities.
Behavioral Advertising
Advertising targeted at individuals based on observations of their activity over time, most often carried out through automated processing of personal data, or profiling.
Binding Corporate Rules
An appropriate GDPR safeguard for cross-border transfers of personal data between two or more entities of a corporate group. These ensure that the same high level of personal data protection is followed by all members of the group through a set of enforceable rules.
Binding Safe Processor Rules
Binding Corporate Rules tailored to processors. Under the GDPR, BCRs may be used by both controllers and processors.
Breach Disclosure
An organization must notify regulators and/or victims of incidents that have impacted the confidentiality and security of personal data. This transparency mechanism brings light to operational failures, helps mitigate harm, and assists in the identification of causes of failure.
Bring Your Own Device (BYOD)
Allowing employees to use their own personal computing device for work.
California Consumer Privacy Act
The first state-level comprehensive privacy law in the U.S., which applies to businesses that collect personal information from California consumers. This law created consumers’ rights to access, deletion, opt-out of sale, and nondiscrimination, while also imposing specific transparency and disclosure obligations. It is the precursor to the California Privacy Rights Act, which enters into force on January 1, 2023.
California Investigative Consumer Reporting Agencies Act
The California state law establishing that employers must notify applicants and employees of any intention to obtain and use their consumer report.
California Online Privacy Protection Act
This act requires that all commercial websites collecting personal information from California residents post a privacy policy with a conspicuous link. Websites that collect personal data from minors under 18 years of age must permit those minors to remove content they have posted. Websites must also disclose how they respond to Do Not Track signals, if at all.
California Privacy Rights Act
This act amended the California Consumer Privacy Act, adding further consumer privacy protections and an enforcement agency, the California Privacy Protection Agency. The provisions entering into force in January 2023 apply to personal information collected on or after January 1, 2022.
Case Law
Law principles established by judges in previous decisions. When similar issues come back up, judges use the prior decisions as precedents and keep new case decisions consistent.
CCTV
An acronym for “closed circuit television” that has become shorthand for any video surveillance system. Modern systems run over TCP/IP networks, can be accessed remotely, and their footage is very easily shared.
Children’s Online Privacy Protection Act (COPPA) of 1998
A U.S. federal law applying to operators of commercial websites and online services either directed to children under the age of 13 or known to collect personal information from children under the age of 13. Operators are required under this law to post a privacy notice on the website, provide notice about collection practices to parents, obtain verifiable parental consent before collecting personal information of children, give parents the choice about whether their child’s personal information will be shared with third parties, provide parents with rights to access, delete, and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of children’s personal information.
Choice
The concept that consent must be freely provided and data subjects have a true choice whether to provide personal data or not, without which it is unlikely the consent would be considered valid under GDPR.
Cloud Computing
Information technology services delivered over the Internet, whether by an organization for its own users or by third-party suppliers. The service options include software, infrastructure, hosting, and platforms for applications ranging from personal e-mail to corporate data storage.
Collection Limitation
The fair information practices principle that there should be limits on the collection of personal data, and that data should be gathered by fair and lawful means and, where appropriate, with the knowledge or consent of the data subject.
Commercial Activity
Any transaction, act or conduct, or any regular course of conduct, that is of a commercial character as defined by PIPEDA, which may include selling, bartering or leasing donor, membership, or other fundraising lists. Non-profit associations, unions, and private schools may fall outside this definition.
Commercial Electronic Message
Electronic messaging in any form, including e-mail, SMS text messages, and messages sent via social media, where the purpose could be deemed as encouraging participation in a commercial activity. These may be electronic messages that offer to promote, purchase, sell, or lease products, goods, or services.
Common Law
Uncodified legal principles developed over time through judicial decisions, reflecting societal expectations and customs.
Communications Privacy
The class of privacy that encompasses protection of the means of correspondence, including mail, phone conversations, and e-mail.
Comprehensive Laws
Laws governing the collection, use, and disclosure of personal information in both the public and private sectors.
Computer Forensics
Assessing and inspecting an information system for evidence after it has been compromised or exploited.
Confidentiality
The principle that data should be protected against unauthorized or unlawful processing.
Confirmed Opt-In
An e-mail consent model for direct marketing where marketers send a confirmation e-mail that requires a response before the actual marketing e-mail is sent.
Consent
The confirmation of an individual’s agreement to the collection, use, and disclosure of their personal data. There are two approaches: opt-in (an affirmative action) and opt-out (implied by lack of action).
Affirmative / Explicit Consent
The type of consent requiring that an individual indicate agreement with a data controller through active communication.
Implicit Consent
The type of consent that is inferred from the action or inaction of the individual.
Consent Decree
A judgment into which the parties enter by consent. The defendant usually agrees to stop the alleged illegal activity and pay a fine, without admitting wrongdoing. A judge must approve and formalize the agreement reached between a U.S. federal or state agency and the adverse party.
Consumer Financial Protection Bureau
The independent bureau within the Federal Reserve System created by the Dodd-Frank Act with enforcement power to take action against unfair, deceptive, or abusive acts and practices as defined in the law.
Consumer Reporting Agency
Any person or entity that assembles or evaluates personal information in order to provide consumer reports to third parties.
Cookie
A small text file stored on a client machine and sent back to the web server that set it. Cookies keep track of the end user’s browsing activity, group individual requests into sessions, and allow users to stay signed in. Types include first-party, third-party, session, and persistent.
Credit Freeze
A security measure initiated by a consumer that restricts access to their credit file at consumer reporting agencies, so that new credit cannot be opened in their name by an identity thief.
Credit Reporting Agency
Any organization that regularly engages in compiling or evaluating personal information in order to provide consumer reports to third parties under the Fair Credit Reporting Act.
Customer Access
The customer’s ability to view, correct, or delete the personal information collected from or about them.
Customer Information
Data relating to the clients of private-sector organizations, the patients of healthcare providers, and the members of the public served by public-sector agencies.
Data Breach
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.
Data Classification
A scheme that organizes data into categories, each with appropriate handling and access requirements.
Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Elements
A piece of data with a distinct definition that cannot be subdivided further. Examples include date of birth, a numerical identifier, or location coordinates. In isolation these may not be considered personal data, but they can be when combined.
Data Matching
Comparing personal data compiled from a number of sources, including personal information banks, in order to make decisions about the individuals to whom the data relate.
Data Processing
Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, storage, alteration, retrieval, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
Data Processor
The natural or legal person, public authority, agency or other body, separate from the controller, that processes personal data on behalf of and under the instructions of the controller.
Data Quality
The fair information practices principle that personal data should be relevant, accurate, up-to-date, and complete. Four questions to consider: does it meet the business need; is it accurate; is it complete; and is it recent?
Data Recipient
The natural or legal person, public authority, agency, third party, or other body to which personal data are disclosed. This does not include public authorities that receive personal data in the context of a particular inquiry under EU or member state law.
Data Subject
An identified or identifiable natural person about whom the organization holds personal information.
Deceptive Trade Practices
Under U.S. federal law, the actions of corporate entities that mislead or misrepresent products or services to consumers and customers. The FTC, state attorneys general, and offices of consumer protection respond to these issues. The law typically allows enforcement by the government as well as actions for damages brought by harmed consumers.
Defamation
A common law tort, defined as a communication that harms another’s reputation.
Digital Fingerprinting
Using log files to identify a website visitor for security and system maintenance purposes. Log files typically include URLs, web browsers, font preferences, operating systems, IP addresses, and time stamps.
Digital Signature
A cryptographic measure protecting the authenticity and integrity of an electronic document, such as an e-mail, text file, spreadsheet, or image file. The signature is rendered invalid if anything in the document is changed after it was signed.
Direct Marketing
Direct contact made with an individual by the seller, in contrast to mass media marketing through radio or TV.
Do Not Track
A browser signal (the DNT HTTP header) and proposed policy allowing consumers to opt out of web tracking, in the same vein as the existing U.S. Do-Not-Call Registry.
Do-Not-Call Implementation Act of 2003
This act granted the FTC authority to create the National Do-Not-Call Registry. The registry is open to all consumers who wish to place their phone number on the national list to stop unsolicited telemarketing calls (calls for political activities and by non-profits are exempt).
Do-Not-Call Improvement Act of 2007
This act amended the U.S. Do-Not-Call Implementation Act to make registration permanent, removing the requirement to re-register.
Dodd-Frank Wall Street Reform and Consumer Protection Act
Passed by the U.S. Congress in 2010 to restructure and enhance financial regulation. It created the Consumer Financial Protection Bureau, with rule-making authority over the FCRA, GLBA, and other laws.
Electronic Communications Privacy Act of 1986
Combines the Wiretap Act and the Stored Wire and Electronic Communications Act (the Stored Communications Act), reforming the Federal Wiretap Act of 1968. This law protects e-mail and phone calls while they are being made, while in transit, and while stored on computers.
Electronic Discovery
Electronically stored information exchanged between parties and their attorneys in preparation for trial.
Electronic Health Record
An individual’s medical file that may be shared across multiple healthcare settings via computer. Contents include radiology images, medical history, medications and allergies, personal statistics, immunization status, laboratory test results, vital signs, demographics, and billing information.
Electronic Surveillance
Monitoring done through electronic means, such as video surveillance and the monitoring of communications and location.
Employee Information
Personal information that is reasonably necessary for an organization to collect, use, or disclose in order to establish, maintain, or terminate an employment or volunteer relationship.
Employment at Will
The understanding that the employment relationship can be ended by either the employee or the employer at any time, for any reason not prohibited by law.
The Equal Employment Opportunity Commission
The independent U.S. federal agency that enforces laws against discrimination in the workplace. It investigates complaints of discrimination based on an individual’s race, color, national origin, religion, sex, age, disability, or genetic information, as well as retaliation, and may file discrimination suits against employers on behalf of alleged victims.
Established Business Relationship
A prior or existing relationship between an individual and a marketer that allows the marketer to call the individual even if they are on the DNC registry. It is formed by a voluntary two-way communication between the marketer and a residential subscriber on the basis of an inquiry, application, purchase, or transaction by the subscriber regarding products or services offered.
EU Data Protection Directive
The first EU-wide legislation protecting personal data use and privacy, adopted in 1995 and replaced by the GDPR in 2018.
EU-US Safe Harbor Agreement
An agreement between the EU and the United States that allowed the legal transfer of personal data from the EU to the U.S. without an adequacy decision, invalidated by the Court of Justice of the European Union in 2015. The EU-US Privacy Shield replaced it in 2016.
EU-US Privacy Shield
The data transfer mechanism created in 2016 to replace the invalidated EU-US Safe Harbor agreement, allowing the transfer of personal data from the EU to the United States for participating companies, until it was invalidated by the Court of Justice of the European Union in 2020 in the Schrems II case brought by Max Schrems.
European Commission
The executive body of the European Union, created to implement the EU’s decisions and policies. It proposes draft legislation that is then handed over to the European Parliament and the Council of the EU. It also makes data transfer adequacy decisions.
Fair and Accurate Credit Transactions Act of 2003
An expansion of the FCRA focusing on identity theft prevention and consumer access. It requires credit reporting agencies to provide consumers a free credit report once every twelve months, and it allows consumers to place fraud alerts on their files when identity theft is suspected.
The Fair Credit Reporting Act
A U.S. federal privacy law enacted in 1970 that demands relevance and accuracy in data collection, gives consumers the ability to access and correct their information, and limits the use of consumer reports to permissible purposes, such as the extension of credit or insurance and employment.
The Federal Communications Commission
The U.S. agency regulating interstate communications by satellite, radio, cable, and telecommunications. Its authority overlaps with the FTC’s in privacy law for the regulation and enforcement provided by the Telephone Consumer Protection Act.
Federal Trade Commission
The primary consumer protection agency in the U.S., which compiles complaints about companies, business practices, and identity theft under the FTC Act and other laws. It brings enforcement actions under the FCRA and under Section 5 of the FTC Act against unfair and deceptive trade practices.
Financial Industry Regulatory Authority
A private self-regulatory corporation overseeing brokerage firms and exchange markets to ensure that securities markets operate transparently and protect investors. It is itself overseen by the Securities and Exchange Commission.
Financial Institutions Reform, Recovery, and Enforcement Act of 1989
Passed after the savings and loan crisis of the 1980s, this act allows financial regulators to impose civil penalties of up to $5,000,000 for failure to comply with regulations, including GLBA’s information privacy requirements.
The Freedom of Information Act
A U.S. federal law ensuring citizens’ access to federal executive branch documents, subject to limited exemptions.
GET Method
The HTML form submission method that, unlike POST, appends form data to the URL as name/value pairs, so that passwords and other sensitive fields appear in the browser’s address bar, and from there in browser history, server access logs, and Referer headers.
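Because GET places form fields in the URL, the leak shows up wherever URLs are recorded. The following is an added example, not part of the original flash cards: a small check that scans web-server access-log lines for requests whose query string carried a sensitive form field. The log lines are constructed for the example and the list of sensitive field names is an assumption to be adapted to the application under review.

```javascript
// Added example (not from the original flash cards): find requests that
// submitted sensitive form fields via GET, i.e. in the URL query string.
// Assumes Node.js; the log lines and the field-name list are constructed
// for this example and are not from any real system.

// Field names treated as sensitive (assumption; adjust to your application).
const SENSITIVE_FIELDS = ["password", "passwd", "pwd", "ssn", "token", "credit_card"];

// Constructed sample entries in Common Log Format.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /login?user=alice&password=Hunter2 HTTP/1.1" 302 0',
  '10.0.0.6 - - [01/Jan/2023:10:00:02 +0000] "POST /login HTTP/1.1" 302 0',
  '10.0.0.7 - - [01/Jan/2023:10:00:03 +0000] "GET /search?q=privacy HTTP/1.1" 200 5120',
  '10.0.0.8 - - [01/Jan/2023:10:00:04 +0000] "GET /apply?name=bob&ssn=123-45-6789 HTTP/1.1" 200 812',
];

// Pull the request line out of a CLF entry; returns {method, path, query} or null.
function parseRequest(line) {
  const m = line.match(/"([A-Z]+) ([^ "]+) HTTP\/[\d.]+"/);
  if (!m) return null;
  // A fixed base is needed only so that a relative path parses as a URL.
  const url = new URL(m[2], "http://placeholder.invalid");
  return { method: m[1], path: url.pathname, query: url.searchParams };
}

// Names of sensitive fields present in the query string of one log line.
// Values are deliberately not returned, so the finding does not re-leak them.
function sensitiveQueryFields(line) {
  const req = parseRequest(line);
  if (!req) return [];
  const found = [];
  for (const key of req.query.keys()) {
    if (SENSITIVE_FIELDS.includes(key.toLowerCase())) found.push(key);
  }
  return found;
}

// Scan a whole log; one finding per request that leaked a sensitive field.
function findQueryStringLeaks(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const fields = sensitiveQueryFields(line);
    if (fields.length > 0) {
      const req = parseRequest(line);
      findings.push({ lineNo: i + 1, method: req.method, path: req.path, fields });
    }
  });
  return findings;
}

console.log(JSON.stringify(findQueryStringLeaks(SAMPLE_LOG), null, 2));
```

On the constructed sample the check flags lines 1 and 4 (a password and an SSN in the query string) and ignores the POST login, whose credentials travelled in the request body and never reached the access log. The same scan can be pointed at proxy logs or at the Referer column of a downstream site’s logs, which is where such URLs travel next.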
Global Privacy Enforcement Network
A network of data protection authorities established by an OECD recommendation for collaboration among member countries on enforcing privacy laws, developing common priorities, sharing best practices, and supporting joint enforcement and awareness activities.
Gramm-Leach-Bliley Act (GLBA)
The Financial Services Modernization Act of 1999, which reorganized financial services regulation for any U.S. company “significantly engaged” in financial activities. It governs the handling of non-public personal information, such as a consumer’s name and address and their interactions with financial institutions.
Health Breach Notification Rule
A U.S. rule under HITECH requiring that vendors of personal health records and related entities notify consumers if the security of their individually identifiable health information is breached.
The Health Information Technology for Economic and Clinical Health Act (HITECH)
This act focuses on privacy and security issues with PHI as defined by HIPAA. Its privacy provisions introduced tiers of violations based on the degree of culpability, each with a corresponding penalty range.
The Health Insurance Portability and Accountability Act (HIPAA)
A U.S. law passed to create national standards for electronic healthcare transactions. It requires the U.S. Department of Health and Human Services to issue regulations protecting the privacy and security of personal health information. Patient authorization is required before their information is shared with third parties for purposes other than treatment, payment, and healthcare operations.
Information Life Cycle
This approach recognizes the different values of data, and the different handling it requires, as it moves through an organization from collection to deletion. The stages are: collection, processing, use, disclosure, retention, and destruction.
Information Privacy
The class of privacy that refers to the right of individuals, groups, or institutions to determine when, how, and to what extent information about them is disclosed to others.
Information Security
Protecting information in order to prevent loss, unauthorized access, and misuse. This includes assessing threats and risks to information and the processes and measures to be taken to preserve its confidentiality, integrity, and availability.
Junk Fax Prevention Act of 2005
This act created the Established Business Relationship exception to the U.S. Telephone Consumer Protection Act’s ban on fax-based marketing without consent. It requires that marketing faxes include instructions for opting out of future unsolicited communications.
Jurisdiction
A court’s authority to hear a specified case. Courts must have authority over both the type of dispute (subject-matter jurisdiction) and the parties (personal jurisdiction). The term also refers to the geographical area or subject matter to which such authority applies.
Location-Based Service
A service that uses location information to provide applications and content, including gaming, social networking, and entertainment, usually relying on geolocation to identify the device’s real-world geographic position.
Medical Information
Records or information received from licensed physicians, hospitals, clinics, or other medical facilities with the consent of the individual concerned.
Minimum Necessary Requirement
The HIPAA requirement that the amount of protected health information disclosed by healthcare providers to third parties be limited to the smallest amount needed to fulfill the intended purpose.
Multi-Factor Authentication
An authentication process that uses multiple verification methods, such as a password plus a code sent to a phone number, or a login plus a biometric identifier.
National Do-Not-Call Registry
A list on which U.S. consumers can place their phone number to prohibit unsolicited calls from telemarketers. Registration is permanent and is enforced by the FCC, the FTC, and state attorneys general, with fines of up to $16,000 per violation (an amount that is periodically adjusted for inflation).
The National Labor Relations Board
The U.S. federal agency administering the National Labor Relations Act by holding elections to determine whether employees want union representation and by investigating unfair labor practices.
National Security Letter
A category of administrative subpoena whose use was expanded by the USA PATRIOT Act. Letters are issued under separate statutory provisions, without a court order, to communication providers, travel agencies, financial institutions, and consumer credit agencies.
Negligence
The basis on which an organization is liable for damages when it breaches a legal duty to protect personal information and an individual is harmed as a result.
Non-Public Personal Information
Personally identifiable financial information that results from a transaction or service performed for the consumer, is provided by the consumer to a financial institution, or is otherwise collected by the financial institution, as defined by GLBA.
OECD Guidelines
A widely accepted set of international privacy principles and guidance for countries developing regulations related to cross-border data flows and law-enforcement access to personal data. The principles are Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.
Omnibus Laws
Laws covering a wide range of organizations or natural persons, rather than a specific market sector or population.
Online Behavioral Advertising
The practice by websites or online advertising services of tracking and analyzing search terms, demographics, online activity, offline activity, browser or user profiles, location data, or preferences in order to target advertising.
Opt-In
One of two approaches to choice, where an individual makes an affirmative indication of agreement, such as checking a box to allow the business to disclose their information to third parties.
Opt-Out
One of two approaches to choice, where the individual’s lack of action is taken as their choice; for example, their information will be shared with third parties unless they uncheck a box.