Data Security & Privacy
Glossary
This glossary is intended as a general reference and does not constitute legal advice. Definitions may vary slightly by jurisdiction and applicable law.
A
Anonymization
The process of removing or modifying identifying information from data so that individuals cannot reasonably be identified, directly or indirectly.
Authentication
The process of verifying the identity of a user, device, or system before granting access.
Authorized Agent
A person or entity permitted to act on behalf of a consumer when exercising privacy rights.
B
Biometric Data
Data generated from unique biological characteristics, such as fingerprints, facial scans, or voiceprints, that can be used to identify an individual.
Breach (Data Breach)
Unauthorized access to, acquisition of, disclosure of, alteration of, destruction of, or loss of personal information.
C
Consent
A freely given, specific, informed, and unambiguous indication of an individual’s agreement to the processing of personal data for a particular purpose.
Consumer
An individual whose personal data or personal information is collected, processed, or stored by an organization.
Controller (Data Controller)
The person or organization that determines why and how personal data is processed.
Cross-Border Data Transfer
The movement of personal data from one country or jurisdiction to another.
D
Data Minimization
The principle that organizations should collect, use, and retain only the personal data reasonably necessary for and narrowly tailored to a specified purpose.
Data Processing
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Data Processor
A person or organization that processes personal data on behalf of a controller.
Data Protection Assessment (DPA/DPIA)
A documented assessment evaluating privacy risks associated with certain data processing activities.
Data Retention
The length of time personal data is stored before deletion or anonymization.
Data Subject
The individual to whom personal data relates (commonly used in GDPR and international privacy laws).
De-identification
The removal or masking of identifiers to reduce the likelihood that personal information can be reasonably linked to an individual.
E
Encryption
The conversion of data into a coded format to prevent unauthorized access.
G
GDPR (General Data Protection Regulation)
The European Union’s comprehensive privacy law governing the processing of personal data.
I
Incident Response Plan
A documented process for detecting, responding to, mitigating and recovering from security incidents or data breaches.
P
Personal Data / Personal Information
Information that identifies, relates to, describes, or can reasonably be linked to an individual.
Privacy Notice (Privacy Policy)
A public statement explaining how an organization collects, uses, shares, stores, retains and protects personal data and sets forth applicable privacy rights and procedures.
Privacy by Design
An approach that incorporates privacy protections into systems, products, and business processes from the outset.
Profiling
Automated processing of personal data to evaluate, analyze or predict aspects of an individual’s behavior, preferences, interests, economic situation, health or other characteristics.
Pseudonymization
Replacing identifying information with artificial identifiers while maintaining the ability to reconnect the data under controlled conditions.
R
Right of Access
The right of an individual to know whether an organization holds personal data about them and to obtain a copy.
Right to Correct (Rectification)
The right to request correction of inaccurate personal information.
Right to Delete (Erasure)
The right to request deletion of personal data under certain circumstances.
Right to Opt Out
The right to direct an organization not to engage in certain processing activities, including the sale of personal data or targeted advertising.
Right to Data Portability
The right to receive personal data in a usable format and transfer it to another service provider.
T
Third Party
An individual or organization that is not the consumer, controller, processor, or an affiliate acting on behalf of the controller.
Targeted Advertising
Advertising based on a consumer’s activities over time and across websites, applications, or services to predict preferences or interests.
Maryland-Specific Terms (MODPA)
MODPA (Maryland Online Data Privacy Act)
Maryland’s comprehensive privacy law establishing consumer privacy rights and business obligations regarding personal data.
Consumer Health Data
Personal data used to identify a person’s physical or mental health status, including reproductive and gender-affirming healthcare information.
Data Protection Assessment (MODPA)
A documented evaluation required for processing activities that present a heightened risk of harm to consumers.
Common U.S. Regulatory Acronyms
COPPA – Children’s Online Privacy Protection Act
FERPA – Family Educational Rights and Privacy Act
GLBA – Gramm-Leach-Bliley Act
HIPAA – Health Insurance Portability and Accountability Act
FTC – Federal Trade Commission
NIST – National Institute of Standards and Technology
International Privacy Acronyms
GDPR – European Union General Data Protection Regulation
UK GDPR – United Kingdom version of GDPR
PIPEDA – Canada’s Personal Information Protection and Electronic Documents Act
LGPD – Brazil’s General Data Protection Law
APPI – Japan’s Act on the Protection of Personal Information
Reliable Sources for More Information
Maryland Attorney General – Data Privacy Resources:
Maryland Data Privacy Resources
Maryland Online Data Privacy Act (MODPA):
Maryland Online Data Privacy Act of 2024
Federal Trade Commission (FTC) Privacy & Security Guidance:
FTC Privacy and Security Resources
International Association of Privacy Professionals (IAPP) Privacy Glossary:
IAPP Privacy Glossary