Plain-English definitions of essential privacy and data protection terms for eCommerce teams.
A California state law that gives consumers the right to know what personal data businesses collect about them, the right to delete that data, and the right to opt out of its sale. Applies to businesses that meet certain revenue or data-volume thresholds and collect data from California residents.
A freely given, specific, informed, and unambiguous agreement by which an individual permits their personal data to be processed. Under GDPR, consent must be an affirmative act — pre-ticked boxes and implied consent do not qualify. Consent can be withdrawn at any time.
A software platform that collects, stores, and documents user consent preferences for data processing. CMPs enable websites to display consent banners, record user choices, and enforce those choices by blocking or activating tracking scripts based on the user's decision.
A 2020 ballot initiative that significantly amended and expanded the CCPA. The CPRA created new consumer rights (including the right to correct inaccurate data), established the California Privacy Protection Agency (CPPA) as the enforcement body, and introduced new requirements around sensitive personal information.
Connecticut's comprehensive consumer data privacy law, effective July 1, 2023. Gives Connecticut residents rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising and the sale of personal data.
A company that collects personal data from various sources and sells, licenses, or otherwise shares it with third parties — typically without a direct relationship with the individuals whose data is being traded. Many privacy laws impose special obligations or restrictions on data brokers.
The organization that determines the purposes and means of processing personal data. Under GDPR, the data controller bears primary legal responsibility for ensuring that processing is lawful, and for upholding the rights of data subjects.
The process of identifying and documenting how personal data flows through an organization — where it is collected, where it is stored, how it is used, and which third parties it is shared with. Data mapping is foundational to privacy compliance and required for conducting DPIAs under GDPR.
A core privacy principle requiring that personal data collection be limited to what is strictly necessary for a specific, stated purpose. Collecting data beyond what is needed for the stated purpose violates this principle under GDPR and many other regulations.
An organization that processes personal data on behalf of a data controller, following the controller's instructions. Common examples include email service providers, CRMs, and analytics platforms. Under GDPR, processors must be bound by a Data Processing Agreement (DPA).
An identified or identifiable natural person whose personal data is being processed. Under GDPR and most modern privacy laws, data subjects have rights over their personal data, including the right to access, correct, delete, and port it.
A consumer right under CCPA and CPRA that allows California residents to opt out of the sale of their personal data. Businesses subject to CCPA must provide a clear 'Do Not Sell My Personal Information' link on their website and honor opt-out requests within 15 business days.
A legally binding contract between a data controller and a data processor that governs how personal data is handled. Required under GDPR whenever a controller uses a third-party processor. The DPA must specify the nature, purpose, and duration of processing, as well as the obligations and rights of each party.
A systematic process for identifying and mitigating privacy risks associated with a project, system, or type of processing. Required under GDPR when processing is likely to result in high risk to individuals — for example, large-scale processing of sensitive data, systematic monitoring, or use of new technologies.
A formal request submitted by an individual to exercise their privacy rights. Common DSR types include access requests (right to know what data is held), deletion requests (right to be forgotten), correction requests, and portability requests. Privacy regulations typically require businesses to respond within 30–45 days.
The European Union's primary data privacy law, in effect since May 25, 2018. GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is based. It establishes rights for individuals, obligations for organizations, and penalties of up to €20 million or 4% of annual global turnover for non-compliance.
One of the six lawful bases for processing personal data under GDPR. Allows organizations to process data when they have a genuine business need that is not overridden by the individual's privacy rights. Requires a three-part test: purpose test, necessity test, and balancing test. Cannot be used to override rights that require explicit consent.
Any information that can identify a specific individual, directly or indirectly. Examples include names, email addresses, IP addresses, device identifiers, cookie IDs, purchase history linked to an account, and biometric data. What counts as personal data is interpreted broadly under GDPR.
A process for evaluating how a project or system affects the privacy of individuals. Closely related to a DPIA — the terms are often used interchangeably, though DPIA is the specific term used in GDPR. PIAs help organizations identify risks early and build privacy into systems by design.
An approach to systems and product design that embeds privacy protections from the earliest stages of development rather than adding them as an afterthought. A legal requirement under GDPR Article 25, which mandates 'data protection by design and by default.'
An individual's right to have their personal data deleted when it is no longer necessary for the purpose for which it was collected, when consent is withdrawn, or when the data has been processed unlawfully. Under GDPR, organizations must respond to erasure requests within one month.
A right under GDPR and some US state laws that allows individuals to receive a copy of their personal data in a structured, commonly used, machine-readable format — and to transmit that data to another organization. Applies when processing is based on consent or contract.
A category of personal data that carries higher privacy risk and requires stronger protections. Under GDPR, this includes racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, and sexual orientation. Under CPRA, it includes Social Security numbers, financial account credentials, geolocation, and communications content.
Utah's consumer data privacy law, effective December 31, 2023. Gives Utah consumers the right to access, delete, and port their personal data, and to opt out of targeted advertising and the sale of personal data. Considered one of the more business-friendly US state privacy laws.
Virginia's comprehensive consumer data privacy law, effective January 1, 2023. Grants Virginia residents rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, the sale of personal data, and certain types of profiling.
PieEye automates compliance across GDPR, CCPA, CPRA, VCDPA, and 50+ other regulations — with 500+ eCommerce integrations and white-glove onboarding.
Book a Demo