Data Privacy
Glossary

Unique physical or behavioral characteristics that can be used to identify an individual, including fingerprints, facial recognition data, voiceprints, iris scans, and gait analysis. Under the SECURE Data Act and most state privacy laws, biometric data is classified as sensitive data requiring opt-in consent before collection or processing.

A California state privacy law enacted in 2018 (and significantly amended by the CPRA in 2020) that grants California residents rights to know what personal data is collected about them, to delete that data, to opt out of the sale of their data, and to non-discrimination for exercising these rights. The CCPA applies to for-profit businesses that meet certain revenue or data processing thresholds. If the SECURE Data Act is enacted, it would preempt the CCPA.

A freely given, specific, informed, and unambiguous indication of agreement by which a data subject permits the processing of their personal data. Under the SECURE Data Act, consent requirements vary by data type: general personal data may be processed on an opt-out basis, while sensitive data categories require affirmative opt-in consent. Pre-checked boxes, bundled consent, and inferred consent do not satisfy opt-in requirements.

An entity that determines the purposes and means of processing personal data. Under the SECURE Data Act, controllers bear the primary compliance burden — including maintaining a written privacy program, conducting data protection assessments, fulfilling consumer rights requests, and ensuring processors operate under written contracts. The term is equivalent to "data controller" under GDPR.

A 2020 California ballot initiative that significantly amended and expanded the CCPA. The CPRA created the California Privacy Protection Agency (CPPA), established new rights (right to correct, right to limit use of sensitive personal information), and introduced a limited private right of action for data breaches. The CPRA would be preempted by the SECURE Data Act if enacted.

An unauthorized acquisition, access, use, or disclosure of personal data that compromises the security, confidentiality, or integrity of that data. Under the SECURE Data Act, covered businesses must notify the FTC within 72 hours of discovering a breach affecting 500 or more consumers, and must notify affected consumers without unreasonable delay. The Act would preempt all 50 state breach notification laws.

The process of identifying and documenting all personal data an organization collects, processes, stores, and shares — including the source of the data, its purpose, where it flows, and who has access to it. Data mapping is a foundational compliance activity required before conducting a gap analysis or data protection assessment. It is also essential for fulfilling consumer rights requests under the SECURE Data Act.

The principle that organizations should collect, process, and retain only the personal data that is reasonably necessary, proportionate, and limited to what is required to fulfill a specific, disclosed purpose. The SECURE Data Act codifies data minimization as a mandatory requirement — businesses cannot collect data speculatively for undefined future uses. Each data element collected must be tied to a clear, documented purpose.

A documented analysis that weighs the benefits of a processing activity against the risks it poses to consumers. Under the SECURE Data Act, data protection assessments are mandatory before engaging in high-risk processing activities including: processing sensitive data, targeted advertising, selling personal data, profiling with significant effects, and any processing presenting foreseeable risk of harm. The FTC may request DPAs during investigations.

The process of removing or altering information that identifies or could identify an individual, such that the data can no longer be reasonably linked to a specific person. Properly de-identified data is generally not subject to privacy law obligations. However, the standard for de-identification varies by law — the SECURE Data Act requires that re-identification be technically infeasible, not merely unlikely.

The legal doctrine by which federal law supersedes conflicting state laws under the Supremacy Clause of the U.S. Constitution. The SECURE Data Act contains a broad preemption clause that would nullify any state law "relating to" its provisions — replacing the current patchwork of 21+ state privacy laws (including CCPA, CPRA, VCDPA, CPA, and others) with a single federal standard. Some sector-specific state laws may partially survive depending on final legislative language.

The primary U.S. federal agency responsible for consumer protection and competition enforcement. Under the SECURE Data Act, the FTC serves as the primary enforcement authority — authorized to pursue civil penalties of up to $10,000 per violation per day for knowing or willful violations. The FTC is also authorized to issue implementing regulations post-enactment. The FTC currently enforces data privacy obligations under Section 5 of the FTC Act.

The European Union's comprehensive data protection regulation, effective since May 2018. GDPR applies to any organization processing the personal data of EU residents, regardless of where the organization is located. It requires a lawful basis for all processing, grants individuals extensive rights, mandates data protection by design, and imposes fines of up to 4% of global annual revenue for violations. The SECURE Data Act draws inspiration from GDPR but differs in enforcement, consent standards, and scope.

Data that identifies or can be used to identify the precise physical location of an individual. Under the SECURE Data Act, precise geolocation data — defined as location within a radius of 1,750 feet — is classified as sensitive data requiring opt-in consent. This includes GPS coordinates, cell tower triangulation data, and Wi-Fi positioning data that can pinpoint a person's location.

A consent mechanism that requires an individual to take an affirmative action to agree to data processing before it occurs. Under the SECURE Data Act, opt-in consent is required for processing sensitive data categories. Opt-in consent cannot be obtained through pre-checked boxes, bundled agreements, or inferred from inaction. The individual must actively and clearly indicate agreement.

A mechanism that allows individuals to withdraw from or prevent certain data processing activities. Under the SECURE Data Act, consumers have the right to opt out of the sale of their personal data and targeted advertising. Unlike opt-in consent, opt-out mechanisms allow processing to proceed by default unless the individual takes action to stop it. Opt-out mechanisms must be clear, accessible, and easy to use.

Any information that identifies or is reasonably linkable to a specific individual. Under the SECURE Data Act, personal data includes names, email addresses, IP addresses, device identifiers, location data, browsing history, purchase history, and any other information that can be used to identify a person. Properly de-identified data and publicly available information are generally excluded from the definition.

An approach to systems engineering and product development that embeds privacy protections into the design and architecture of products and services from the outset, rather than as an afterthought. Privacy by design requires organizations to consider privacy implications at every stage of product development and to implement technical and organizational measures that minimize data collection and protect personal data by default.

A public-facing document that discloses an organization's data collection and processing practices to consumers. Under the SECURE Data Act, covered businesses must maintain a privacy notice that is reasonably accessible, clear, and written in plain language. The notice must disclose: categories of data collected, processing purposes, data sales and targeted advertising practices, consumer rights, and contact information for privacy inquiries. It must be updated within 30 days of any material change.

A qualified individual responsible for coordinating and overseeing an organization's data protection program. Under the SECURE Data Act, covered businesses must designate a privacy officer. The role can be filled by an employee, consultant, or outside privacy counsel. Responsibilities include maintaining the written privacy program, overseeing consumer rights request fulfillment, managing data protection assessments, and serving as the FTC point of contact during investigations.

A comprehensive, written framework that documents an organization's data privacy policies, procedures, and controls. Under the SECURE Data Act, covered businesses must maintain a written privacy program that includes: data inventory and mapping, privacy notice, consumer rights procedures, data protection assessments, vendor management protocols, breach response plan, and employee training. The program must be reviewed and updated regularly.

An entity that processes personal data on behalf of a controller, pursuant to the controller's instructions. Under the SECURE Data Act, processors have secondary compliance obligations — they must operate under written contracts with controllers, process data only as instructed, implement appropriate security measures, and assist controllers in fulfilling consumer rights requests. Processors cannot process data beyond the scope of the controller's instructions.

The automated processing of personal data to evaluate, analyze, or predict aspects of an individual's behavior, preferences, interests, performance, or location. Under the SECURE Data Act, profiling that produces legal or similarly significant effects on individuals is a high-risk processing activity requiring a data protection assessment. Examples include credit scoring, insurance risk assessment, and automated hiring decisions.

The Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act — a proposed federal privacy law that would create a single national standard for how businesses collect, use, and protect consumer data. If enacted, it would preempt all existing state privacy laws. The Act covers businesses processing data of 200,000+ U.S. consumers annually, requires opt-in consent for sensitive data, grants consumers four core rights (access, correction, deletion, portability), and is enforced by the FTC and state attorneys general.

Categories of personal data that receive heightened protection under privacy laws due to the particular risks their processing poses to individuals. Under the SECURE Data Act, sensitive data includes: health and medical information, biometric data, genetic data, precise geolocation data (within 1,750 feet), financial account information, government-issued identification numbers, racial or ethnic origin, religious beliefs, sexual orientation or gender identity, immigration status, and data of individuals under 16. Processing sensitive data requires affirmative opt-in consent.

The chief legal officer of a U.S. state, authorized to bring civil enforcement actions on behalf of state residents. Under the SECURE Data Act, state attorneys general may bring civil actions against businesses that violate the Act's provisions. This concurrent enforcement authority — alongside the FTC — means businesses face potential enforcement from both federal and state levels. State AGs currently enforce state privacy laws like CCPA and VCDPA.

The practice of serving advertisements to individuals based on personal data collected across different businesses, websites, or applications — also known as behavioral advertising or interest-based advertising. Under the SECURE Data Act, targeted advertising is a regulated processing activity that must be disclosed in the privacy notice, requires a data protection assessment, and is subject to consumer opt-out rights. Ad networks facilitating targeted advertising are treated as processors.

The transfer of personal data from one organization to another entity outside the original collection relationship. Under the SECURE Data Act, data sharing with processors requires written contracts specifying the nature, purpose, and duration of processing. Data sales — transfers for monetary or other valuable consideration — require consumer opt-out rights and privacy notice disclosure. Controllers remain liable for processor violations if they fail to conduct reasonable due diligence.