Vocabulary Flashcards
Accountability
The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
Adequate Level of Protection
A transfer of personal data from the European Union to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organization concerned has entered into in relation to the protection of personal data. Associated term(s): Adequacy
Adverse Action
Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action. Associated law(s): FCRA
American Institute of Certified Public Accountants
AICPA
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust
Anti-discrimination Laws
Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.
APEC Privacy Principles
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
APEC
Asia-Pacific Economic Cooperative
Background Screening/Checks
Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.
Bank Secrecy Act (BSA)
A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.
Link to text of law: The Bank Secrecy Act (BSA)
Acronym(s): BSA
Associated term(s): Financial Record Keeping and Reporting Currency and Foreign Transactions Act of 1970
Behavioral Advertising
Advertising that is targeted at individuals based on the observation of their behavior over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Acronym(s): OBA Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising
Binding Corporate Rules
Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.
Acronym(s): BCR
Binding Safe Processor Rules (BSPR)
Previously, the EU distinguished between Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both.
Acronym(s): BSPR
Associated term(s): Binding Corporate Rules
Breach Disclosure
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure. Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws Associated term(s): Breach notification
Bring Your Own Device
Use of employees’ own personal computing devices for work purposes.
Acronym(s): BYOD Associated term(s): Consumerization of information technology (COIT)
California Consumer Privacy Act
The first state-level comprehensive privacy law in the U.S. The CCPA applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights. In Nov. 2020, California passed the California Privacy Rights Act, which amends the CCPA and includes additional consumer protections and business obligations. The majority of the CPRA’s provisions will enter into force Jan. 1. 2023, with a look back to Jan. 2022.
California Investigative Consumer Reporting Agencies Act
A California state law that requires employers to notify applicants and employees of their intention to obtain and use a consumer report.
Link to text of law: California Investigative Consumer Reporting Agencies Act
Acronym(s): CICRAA
California Online Privacy Protection Act
Requires that all websites catering to California citizens provide a privacy statement to visitors and a easy-to-find link to it on their web pages. Websites that carry personal data on children less than 18 years of age must permit those children to delete data collected about them. Websites also must inform visitors of the type of Do Not Track mechanisms they support or if they do not support any at all.
Link to text of law: California Online Privacy Protection Act
Acronym(s): CalOPPA
Associated term(s): Do Not Track
California Privacy Rights Act
The CPRA amends the California Consumer Privacy Act and includes additional privacy protections for consumers. It also creates an enforcement agency, the California Privacy Protection Agency. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to January 2022. The CPRA passed as a ballot initiative in Nov. 2020
Case Law
Principles of law that have been established by judges in past decisions. When similar issues arise again, judges look to the past decisions as precedents and decide the new case in a manner that is consistent with past decisions.
CCTV
Originally an acronym for "closed circuit television," CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns. Associated term(s): Video Surveillance
Children’s Online Privacy Protection Act (COPPA) of 1998
A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.
Acronym(s): COPPA
Link to text of law: 15 U.S.C. §§ 6501-6508