GDPR. CCPA. WTF? Make sense of the alphabet soup with our privacy glossary.
Article 28 outlines the relationship between data controllers and data processors, requiring both parties to agree to a detailed contract.
GDPR Article 30 states that data controllers and processors must create and maintain records of all processing activities (ROPA).
Article 32 requires that data controllers and data processors secure consumer data using the "appropriate technical and organizational measures."
Article 6 outlines the six scenarios for lawful data processing under the GDPR.
Article 9 of the GDPR prohibits data controllers from processing data from "special categories of personal data."
An authorized agent is an individual or organization that is permitted by privacy laws like GDPR and CCPA to fulfill data rights on behalf of a consumer.
Passed in 2018, the California Consumer Privacy Act (CCPA) created data rights for CA residents and requirements for CA businesses processing personal data.
Established by the CPRA, the California Privacy Protection Agency (CPPA) is a new privacy regulator tasked with creating and enforcing California privacy law.
Passed in 2020, the California Privacy Rights Act (CPRA) amended California's first major privacy law, the California Consumer Privacy Act (CCPA).
Passed on July 8, 2021, the Colorado Privacy Act (CPA) was the third state-based privacy law in the US with enforcement beginning on July 1, 2023.
In the context of privacy, consent refers to when a consumer knowingly gives a company permission to process their personal data.
Dark patterns are when an organization uses coercive interface design to push users into an action or certain set of actions.
Data controllers decide how personal data will be processed by their organization, considering the "nature, scope, context and purposes of [data] processing."
Data mapping is a process that helps organizations understand where their data is stored and how it is used, an important tool for privacy law compliance.
Data processors enact the decisions made by data controllers and are defined by GDPR Article 4.
GDPR Article 4 defines data subjects as "an identified or identifiable natural person." By this definition, data subjects are just people.
Data subject access requests (DSAR) are when a consumer or individual asks to see what personal data a company or organization has collected about them.
Do Not Track (DNT) is a browser setting that tells websites not to place cookies.
"Do not sell" is a CCPA provision stating that consumers have the right to tell a business not to sell their data for the purposes of targeted advertising.
Facebook's Limited Data Use (LDU) limits the use of data from California (CA) residents, helping businesses remain CCPA compliant.
The GDPR defines personal data as "any information which are related to an identified or identifiable natural person." (Article 4)
A complex piece of legislation with 99 articles total, the GDPR has seven core principles that unify all the various requirements.
The GDPR grants citizens of the EU certain data rights including the right to be informed, right of access, right to rectification, and more.
The General Data Protection Regulation (GDPR) is a landmark data privacy law that was passed in 2016 and went into force in May 2018.
Global Privacy Control (GPC) is a browser extension that signals publishers and platforms your preference that they limit collection of your data.
The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that controls how financial institutions deal with individuals' private information.
The Health Insurance Portability and Accountability Act (HIPAA) requires medical practices to protect the privacy of your health information.
The General Data Protection Law (LGPD) is Brazil's data privacy and protection law.
Personally identifiable information (PII) is any data that could potentially identify a specific individual.
Preference management is the process of collecting, storing, and utilizing user permissions and preferences across various systems to enhance personalized communication while ensur…
Pseudonymization is the process of replacing personally identifiable fields within a data record with one or more artificial identifiers or pseudonyms.
Record of processing activities (ROPA), required by Article 30, outlines all data processing and categories of data processing an organization engages in.
Schrems II was a court decision that invalidated Privacy Shield, the US-EU agreement that had been regulating trans-Atlantic data transfer.
Cookies are small text files placed in your browser by the websites you visit, storing data including location, preferences, and what you did while on the site.
The UCPA placed new obligations on businesses processing consumer data in Utah, while giving Utah citizens new data rights.
A requirement of the California Consumer Privacy Act (CCPA), a "verifiable consumer request" is a request for data access, correction, or deletion, one in which the consumer's ident…
The Virginia Consumer Data Protection Act (CDPA) created new requirements for organizations that process data for Virginia residents.