A
Access (HIPAA) - ability or means necessary to read, write, modify, or communicate data / information or otherwise make use of any system resource.
Access Control (HIPAA) - the first Technical Safeguard standard of the HIPAA Security Rule. It makes healthcare providers responsible for allowing access only to those users (or software programs) that have been granted access rights.
Accountability and Governance (UK GDPR) - Data protection principle. Controllers and processors are responsible for
- (1) complying with GDPR and
- (2) demonstrating compliance with GDPR.
Adequacy Decision (GDPR) - permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorization from a national supervisory authority (Article 45(1), GDPR).
Advertising and marketing (CPRA) - a communication by a business or a person acting on the business' behalf in any medium intended to induce a consumer to obtain goods, services, or employment.
Advertising (GDPR) - any organization which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for.
Aggregate Consumer Information (CCPA / CPRA) - information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. "Aggregate consumer information" does not mean one or more individual consumer records that have been deidentified.
Anonymized Information (APPI) - individual’s information that has been processed by deleting information or maintaining in such a manner that does not allow for the identification of the individual.
Anonymization of Personal Data (GDPR) - the process of encrypting or removing personally identifiable data from data sets so that the person can no longer be identified directly or indirectly.
APPI - the Act on the Protection of Personal Information of Japan (Act No. 57 of 2003), including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time to time.
Anti-Social Forces (Japan) - an organized crime group (boryokudan), an organized crime group member (boryokudan in) or an associated member of an organized crime group (boryokudan jun koseiin), a corporation related to an organized crime group (boryokudan kankei kigyo) or an organization related to an organized crime group (boryokudan kankei dantai), a corporate racketeer (sokaiya), a group engaging in criminal activities under the pretext of conducting social or political campaigns (shakai undo to hyobo goro), a crime group specialized in intellectual crimes (tokushu chino boryokushudan), or any other similar person, entity or organization.
Authorization (HIPAA) - consent obtained from an individual that permits a covered entity or business associate to use or disclose that individual's protected health information to someone else for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule.
B
Binding Corporate Rules (GDPR) - personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Biometric Data (GDPR) - personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Biometric information (CCPA) - means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. Cal. Civ. Code § 1798.140
Biometric Information (CPRA) - an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Breach (HIPAA) - acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
Business (CCPA) -
- (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers' personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- (B) Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- (C) Derives 50 percent or more of its annual revenues from selling consumers' personal information.
- (2) Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark, or trademark. Cal. Civ. Code § 1798.140
Business (CPRA) -
- (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- (B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
- (C) Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.
- (2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers' personal information. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.
- (3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.
- (4) A person that does business in California, that is not covered by paragraph (1), (2), or (3), and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.
Business Associate (HIPAA) - person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.
Business Associate Agreement (HIPAA) - A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party's responsibilities when it comes to PHI. HIPAA requires Covered Entities to only work with Business Associates who assure complete protection of PHI.
Business Operators (APPI) - an entity using a personal information database for use in its business.
Business Purpose (CCPA) - the use of personal information for the business' or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
- (1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- (2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- (3) Debugging to identify and repair errors that impair existing intended functionality.
- (4) Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- (5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- (6) Undertaking internal research for technological development and demonstration.
- (7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. Cal. Civ. Code § 1798.140
Business Purpose (CPRA) - the use of personal information for the business' operational purposes, or other notified purposes, or for the service provider or contractor's operational purposes, as defined by regulations adopted pursuant to paragraph (11) of subdivision (a) of Section 1798.185, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. Business purposes are:
- (1) Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- (2) Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.
- (3) Debugging to identify and repair errors that impair existing intended functionality.
- (4) Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.
- (5) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- (6) Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- (7) Undertaking internal research for technological development and demonstration.
- (8) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
C
California Privacy Protection Agency (CPRA) - California state government agency created under the California Privacy Rights Act (CPRA) to implement and enforce the California Consumer Privacy Act of 2018 (CCPA) and CPRA.
California Privacy Rights Act (CPRA) - Ballot initiative passed during the November 2020 election, amending and expanding the CCPA. The CPRA will go into full effect January 1, 2023.
California Consumer Privacy Act of 2018 (CCPA) - Law designed to provide consumers with more control over the personal information that businesses collect about them.
Collects, Collected, Collection (CCPA / CPRA) - means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.
Commercial Purposes (CCPA) - to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. "Commercial purposes" do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism. Cal. Civ. Code § 1798.140
Commercial Purposes (CPRA) - to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
Confidential Communications (HIPAA) - a request that the insurance provider limit disclosures of confidential patient information to third parties, such as the insurance plan holder. The federal regulations impose certain obligations on health insurance providers when responding to such requests.
Consent (CPRA) - any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer, or the consumer's legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.
Consent (GDPR) - any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Consumer (CCPA / CPRA) - a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
Contingency Plan (HIPAA) - Required Administrative Safeguard. Policies and procedures for responding to an emergency that impacts systems or locations that contain Personal Health Information.
Contractor (CPRA) - a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:
- (A) Prohibits the contractor from:
- (i) Selling or sharing the personal information.
- (ii) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title.
- (iii) Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business.
- (iv) Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) and in regulations adopted by the California Privacy Protection Agency.
- (B) Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.
- (C) Permits, subject to agreement with the contractor, the business to monitor the contractor's compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.
- (2) If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).
Control / Controlled (CCPA / CPRA) - ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.
Controller (GDPR) - natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Controller Data (GDPR) - Personal Data belonging to the Controller, where Personal Data has the same definition as in the GDPR.
Covered Entity (HIPAA) -
- (1) a health plan,
- (2) a health care clearinghouse, and
- (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR § 160.103.
Criminal Offense Data (UK GDPR) - Protection is afforded to the processing of offender or suspected offender data. Processing data related to a criminal conviction, offense or related security measures requires a lawful basis and either official authority or a separate condition as set forth in Article 10.
Cross Border Processing (GDPR) - means either:
- (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Cross Context Behavioral Advertising (CPRA) - the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
D
Dark pattern (CPRA) - a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation. Cal. Civ. Code § 1798.140.
Data Aggregation - process by which data is gathered and expressed in a summary form.
Data Breach (APPI) - leakage, destruction or damage to personal information.
Data Breach (CCPA / CPRA) - disclosure of an individual’s personal information by a business without authorization.
Data Breach (GDPR) - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Broker (CCPA) - a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
Data Concerning Health (GDPR) - personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data Controller (GDPR) - The person who decides why and how personal data will be processed (e.g., owner or employee in an organization who handles data).
Data Processor (GDPR) - A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations.
Data Processing (GDPR) - any action performed on data, whether automated or manual. Examples include collecting, recording, organizing, structuring, storing, using, and erasing.
Data Processing Agreement (DPA) (GDPR) - agreement between a data controller and data processor that regulates any personal data processing conducted for a business purpose.
Data Transfers (GDPR) - an intentional sending of personal data to another party or making the data accessible by it, where neither sender nor recipient is a data subject.
Deidentified (CCPA) - information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
- (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
- (2) Has implemented business processes that specifically prohibit reidentification of the information.
- (3) Has implemented business processes to prevent inadvertent release of deidentified information.
- (4) Makes no attempt to reidentify the information.
Deidentified (CPRA) - information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information:
- (1) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.
- (2) Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision.
- (3) Contractually obligates any recipients of the information to comply with all provisions of this subdivision. Cal. Civ. Code § 1798.140
De-identified Data (HIPAA) - Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information. This data is no longer classified as PHI.
Designated methods for submitting requests (CCPA / CPRA) - a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185. Cal. Civ. Code § 1798.140
Device (CCPA / CPRA) - any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device. Cal. Civ. Code § 1798.140
DHHS (HIPAA) - US Department of Health and Human Services
Disclosure (HIPAA) - release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Direct Marketing (GDPR) - Collecting personal data from potential customers, creating profiles about those potential customers and their preferences, and then sending personalized communications to them.
E
Electronic Health Record (HIPAA) - an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
Enterprise (GDPR) - a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
F
Filing System (GDPR) - any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
Financial Incentive (CCPA) - a program, benefit, or other offering, including payment to consumers, related to the collection, deletion, or sale of personal information. Cal. Code Regs. tit. 11, Section 999.301(j).
G
General Data Protection Regulation (GDPR) - European Union (EU) privacy and data protection regulation that establishes guidelines for the collection and processing of personal information from individuals who reside in the EU.
Genetic Data (GDPR) - personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Group Health Plan (HIPAA) - an employee welfare benefit plan (as defined in section 3 of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:
- (1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
- (2) Is administered by an entity other than the employer that established and maintains the plan.
Group of Undertakings (GDPR) - a controlling undertaking and its controlled undertakings.
H
Health care (HIPAA) - care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
- (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
- (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Health Care Clearinghouse (HIPAA) - a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that does either of the following functions:
- (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
- (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Healthcare Operations (HIPAA) - certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
Health Care Provider (HIPAA) - a provider of services (as defined in section 1861 of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health Information (HIPAA) - any information, including genetic information, whether oral or recorded in any form or medium, that:
- (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Health Insurance Information (CCPA) - means a consumer's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer's application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider. Cal. Civ. Code § 1798.140.
Health Insurance Issuer (HIPAA) - an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.
Health Maintenance Organization (HIPAA) - a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.
Health Plan (HIPAA) - an individual or group plan that provides, or pays the cost of, medical care.
Homepage (CCPA) - the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, a link within the application, such as from the application configuration, "About," "Information," or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.135, including, but not limited to, before downloading the application.
Homepage (CPRA) - means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, a link within the application, such as from the application configuration, "About," "Information," or settings page, and any other location that allows consumers to review the notices required by this title, including, but not limited to, before downloading the application. Cal. Civ. Code § 1798.140.
Household (CPRA) - a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services. Cal. Civ. Code § 1798.140
I
Individual (HIPAA) - the person who is the subject of protected health information.
Individually Identifiable Health Information (HIPAA) - information that is a subset of health information, including demographic information collected from an individual, and:
- (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- (i) That identifies the individual; or
- (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Infer or Inference (CPRA) - means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data. Cal. Civ. Code § 1798.140
Information Security Officer (ISO) - executive responsible for an organization’s information and data security.
Intentionally interacts (CPRA) - means when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including visiting the person's website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a person. Cal. Civ. Code § 1798.140
International Organization (GDPR) - an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
L
Lawful Basis for Processing (UK GDPR) - Article 6 of the UK GDPR sets out six lawful bases; at least one of them must apply whenever personal data is processed:
- (a) consent;
- (b) contract;
- (c) legal obligation;
- (d) vital interests;
- (e) public task; and
- (f) legitimate interest.
Legally Authorized Representative (HIPAA) - a person who has legal authority to make decisions related to health care for an individual.
Limited Data Set (HIPAA) - identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met.
M
Main Establishment (GDPR) -
- (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
- (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.
Marketing (GDPR) - Collecting personal data from potential customers, creating profiles about those potential customers and their preferences, and then sending personalized communications to them.
Minimum Necessary (HIPAA) - when using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. 45 CFR § 164.502
N
Nonpersonalized advertising (CPRA) - advertising and marketing that is based solely on a consumer's personal information derived from the consumer's current interaction with the business with the exception of the consumer's precise geolocation. Cal. Civ. Code § 1798.140
O
Opt-out (APPI) - manner by which a data subject is made aware of a proposed transfer of their personal information and given the opportunity to object.
P
Payment (HIPAA) - activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
Person (CCPA / CPRA) - an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert. Cal. Civ. Code § 1798.140
Person (HIPAA) - a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.
Personal Data (APPI) - Personal Information that constitutes or is part of a database, and any other Personal Information that is defined as "Personal Data (kojin de-ta)" under the APPI.
Personal Data (GDPR) - any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach (GDPR) - breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal Information (APPI) - information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, and any other information that is defined as “Personal Information (kojin joho)” under the APPI.
Personal Information (CCPA) -
- (1) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
- (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
- (B) Any categories of personal information described in subdivision (e) of Section 1798.80.
- (C) Characteristics of protected classifications under California or federal law.
- (D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- (E) Biometric information.
- (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement.
- (G) Geolocation data.
- (H) Audio, electronic, visual, thermal, olfactory, or similar information.
- (I) Professional or employment-related information.
- (J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
- (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- (2) "Personal information" does not include publicly available information. For purposes of this paragraph, "publicly available" means information that is lawfully made available from federal, state, or local government records. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.
- (3) "Personal information" does not include consumer information that is deidentified or aggregate consumer information. Cal. Civ. Code § 1798.140
Personal Information (CPRA) -
- (1) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
- (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
- (B) Any personal information described in subdivision (e) of Section 1798.80.
- (C) Characteristics of protected classifications under California or federal law.
- (D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- (E) Biometric information.
- (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement.
- (G) Geolocation data.
- (H) Audio, electronic, visual, thermal, olfactory, or similar information.
- (I) Professional or employment-related information.
- (J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
- (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- (L) Sensitive personal information.
- (2) "Personal information" does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, "publicly available" means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.
- (3) "Personal information" does not include consumer information that is deidentified or aggregate consumer information. Cal. Civ. Code § 1798.140
Personal Information Controller / Business Operator Handling Personal Information (APPI) – business operator using a database containing personal information for its business.
Personal Information Protection Commission (PPC) (APPI) - independent agency that, among others, protects the rights and interests of individuals and promotes the proper and effective use of personal information.
Personal Representative (HIPAA) – a person with legal authority to make health care decisions on behalf of the individual.
Precise Geolocation (CPRA) - any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
Principal (data subject) (APPI) – the individual who is the subject of the personal information.
Privacy Policy (CCPA / CPRA) - statement that a business shall make available to consumers describing the business's practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information, and of the rights of consumers regarding their own personal information.
Privacy Rule (HIPAA) – established the US national standards to protect individuals’ medical records and other personal health information.
Probabilistic identifier (CCPA / CPRA) - the identification of a consumer or a consumer's device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information. Cal. Civ. Code § 1798.140
Processing (CCPA) - any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means. Cal. Civ. Code § 1798.140
Processing (CPRA) - any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means. Cal. Civ. Code § 1798.140
Processing (GDPR) - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor (GDPR) – natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Profiling (CPRA) - any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Cal. Civ. Code § 1798.140
Profiling (GDPR) - any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymize, Pseudonymization (CCPA / CPRA) - the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer. Cal. Civ. Code § 1798.140
Pseudonymisation (GDPR) - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Protected Health Information (PHI) (HIPAA) - individually identifiable health information:
- (1) Except as provided in paragraph (2) of this definition, that is:
- (i) Transmitted by electronic media;
- (ii) Maintained in electronic media; or
- (iii) Transmitted or maintained in any other form or medium.
- (2) Protected health information excludes individually identifiable health information:
- (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
- (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
- (iii) In employment records held by a covered entity in its role as employer; and
- (iv) Regarding a person who has been deceased for more than 50 years.
Publicly Available (CCPA) - information that is lawfully made available from federal, state, or local government records.
Publicly Available (CPRA) - information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
R
Recipient (GDPR) - a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Relevant and Reasoned Objection (GDPR) - an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
Representative (GDPR) - a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.
Request to Delete (CCPA / CPRA) - a consumer request that a business delete personal information about the consumer that the business has collected from the consumer.
Request to Know (CCPA / CPRA) - a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
- (1) Specific pieces of personal information that a business has collected about the consumer;
- (2) Categories of personal information it has collected about the consumer;
- (3) Categories of sources from which the personal information is collected;
- (4) Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- (5) Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- (6) The business or commercial purpose for collecting or selling personal information.
Research (CCPA) - scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business' service or device for other purposes shall be:
- (1) Compatible with the business purpose for which the personal information was collected.
- (2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
- (3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
- (4) Subject to business processes that specifically prohibit reidentification of the information.
- (5) Made subject to business processes to prevent inadvertent release of deidentified information.
- (6) Protected from any reidentification attempts.
- (7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
- (8) Not be used for any commercial purpose.
- (9) Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose. Cal. Civ. Code § 1798.140
Research (CPRA) – scientific analysis, systematic study, and observation, including basic research or applied research that is designed to develop or contribute to public or scientific knowledge and that adheres or otherwise conforms to all other applicable ethics and privacy laws, including, but not limited to, studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business' service or device for other purposes shall be:
- (1) Compatible with the business purpose for which the personal information was collected.
- (2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, by a business.
- (3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, other than as needed to support the research.
- (4) Subject to business processes that specifically prohibit reidentification of the information, other than as needed to support the research.
- (5) Made subject to business processes to prevent inadvertent release of deidentified information.
- (6) Protected from any reidentification attempts.
- (7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
- (8) Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals as are necessary to carry out the research purpose. Cal. Civ. Code § 1798.140
Respondent (HIPAA) – a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a civil money penalty.
Right of Access (UK GDPR) – commonly known as a subject access request (SAR). Individuals have the right to access and obtain a copy of their personal information. SARs can be made verbally or in writing.
Right to Delete (CCPA / CPRA) – individuals may request that a business delete the personal information it has collected about the requesting individual and tell its service providers to do the same. There are exceptions that allow a business to keep the information.
Right to be Forgotten / Right to Erasure (GDPR / UK GDPR) – an individual’s right to ask organizations to delete their personal data.
Right to be Informed (UK GDPR) – transparency requirement under the UK GDPR. An individual’s right to be informed about the collection and use of their personal data.
Right to Know (CCPA / CPRA) - individuals may request that businesses disclose what personal information they have collected, used, shared, or sold about that individual, and why they collected, used, shared, or sold that information. Specifically, an individual may request that businesses disclose:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which the business collected personal information
- The purposes for which the business uses the personal information
- The categories of third parties with whom the business shares the personal information
- The categories of information that the business sells or discloses to third parties
Right to Non-Discrimination (CCPA / CPRA) – businesses cannot discriminate against consumers for exercising the rights provided under the CCPA.
Right to Object (UK GDPR) – under some circumstances, individuals have the right to object to the processing of their personal data.
Right to Opt-out (CCPA / CPRA) – individuals may request that a business stop selling their personal information. With some exceptions, businesses cannot sell an individual's personal information after they receive the individual's opt-out request. An individual can later provide the business with their affirmative authorization to allow the sale of their personal information.
Right to Data Portability (UK GDPR) – individuals have the right to obtain and use their personal data for their own purposes across different services.
Right to Rectification (UK GDPR) – individuals can ask verbally or in writing that inaccurate personal data attributed to that individual be rectified or completed if incomplete.
Right to Restrict Processing (UK GDPR) – as an alternative to requesting the deletion of personal data, individuals can restrict the processing of their personal information under certain circumstances.
S
Secretary (HIPAA) – refers to the Secretary of Health and Human Services.
Security (HIPAA) - security or security measures encompass all of the administrative, physical, and technical safeguards in an information system.
Security and Integrity (CPRA) - the ability of:
- (1) Networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
- (2) Businesses to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and to help prosecute those responsible for those actions.
- (3) Businesses to ensure the physical safety of natural persons. Cal. Civ. Code § 1798.140
Security Rule (HIPAA) - establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Sell, Selling, Sale, or Sold (CCPA) –
- (1) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
- (2) For purposes of this title, a business does not sell personal information when:
- (A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
- (B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
- (C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
- (i) The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135.
- (ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
- (D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
Sell, Selling, Sale, Sold (CPRA) –
- (1) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration.
- (2) For purposes of this title, a business does not sell personal information when:
- (A) A consumer uses or directs the business to intentionally:
- (i) Disclose personal information.
- (ii) Interact with one or more third parties.
- (B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information.
- (C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code). Cal. Civ. Code § 1798.140
Sensitive Personal Information (CPRA) –
- (1) Personal information that reveals:
- (A) A consumer's social security, driver's license, state identification card, or passport number.
- (B) A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- (C) A consumer's precise geolocation.
- (D) A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership.
- (E) The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication.
- (F) A consumer's genetic data.
- (2)
- (A) The processing of biometric information for the purpose of uniquely identifying a consumer.
- (B) Personal information collected and analyzed concerning a consumer's health.
- (C) Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.
- (3) Sensitive personal information that is "publicly available" pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information. Cal. Civ. Code § 1798.140
Service or Services (CCPA / CPRA) - work, labor, and services, including services furnished in connection with the sale or repair of goods. Cal. Civ. Code § 1798.140
Service Provider (CCPA) - a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
Service Provider (CPRA) –
- (1) a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from:
- (A) Selling or sharing the personal information.
- (B) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this title.
- (C) Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business.
- (D) Combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.
- (2) If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1). Cal. Civ. Code § 1798.140
Share, Shared, Sharing (CPRA) -
- (1) sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
- (2) For purposes of this title, a business does not share personal information when:
- (A) A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.
- (B) The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information.
- (C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code). Cal. Civ. Code § 1798.140
Special Category Data (UK GDPR) – Personal data that requires additional protection because of its sensitive nature. Includes:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Special Care Required Personal Information (APPI) - data that can be the basis for discrimination or prejudice. Medical history, marital status, race, religious beliefs, and criminal records, among others, fall under this category.
Standard (HIPAA) - a rule, condition, or requirement:
- (1) Describing the following information for products, systems, services, or practices:
- (i) Classification of components;
- (ii) Specification of materials, performance, or operations; or
- (iii) Delineation of procedures; or
- (2) With respect to the privacy of protected health information.
Standard Contractual Clauses (GDPR) – guidelines that govern the exchange of personal information between EU and non-EU countries.
Subcontractor (HIPAA) - a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
Subprocessor (GDPR) - any processor engaged by Processor to process Personal Data.
Supervisory Authority (GDPR) - an independent public authority which is established by an EU Member State pursuant to GDPR.
Supervisory Authority Concerned (GDPR) - a supervisory authority which is concerned by the processing of personal data because:
- (a) the controller or processor is established on the territory of the Member State of that supervisory authority;
- (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
- (c) a complaint has been lodged with that supervisory authority.
T
Technical Safeguards (HIPAA) - the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 45 CFR Part 160 and Part 164, § 164.304.
Third Party (CCPA) - a person who is not any of the following:
- (1) The business that collects personal information from consumers under this title.
- (2)
- (A) A person to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract:
- (i) Prohibits the person receiving the personal information from:
- (I) Selling the personal information.
- (II) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
- (III) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
- (ii) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
- (B) A person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by this paragraph in compliance with this paragraph shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.
Third Party (CPRA) – a person who is not any of the following:
- (1) The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under this title.
- (2) A service provider to the business.
- (3) A contractor. Cal. Civ. Code § 1798.140
Third Party (GDPR) – natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Third Party Identity Verification Service (CCPA) -
Trading Partner Agreement (HIPAA) - an agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)
Transaction (HIPAA) - the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
- (1) Health care claims or equivalent encounter information.
- (2) Health care payment and remittance advice.
- (3) Coordination of benefits.
- (4) Health care claim status.
- (5) Enrollment and disenrollment in a health plan.
- (6) Eligibility for a health plan.
- (7) Health plan premium payments.
- (8) Referral certification and authorization.
- (9) First report of injury.
- (10) Health claims attachments.
- (11) Health care electronic funds transfers (EFT) and remittance advice.
- (12) Other transactions that the Secretary may prescribe by regulation.
U
Unique Identifier (CPRA) - a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody. Cal. Civ. Code § 1798.140
Unique Identifier (CPRA) - a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subdivision, "family" means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody. Cal. Civ. Code § 1798.140
Use (HIPAA) - with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
V
Verifiable Consumer Request (CCPA / CPRA) - a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer's behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115, to delete personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf. Cal. Civ. Code § 1798.140
Violation or Violate (HIPAA) - as the context may require, failure to comply with an administrative simplification provision.
W
Workforce (HIPAA) - employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.
© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated February 02, 2023.