Whether you are a newcomer or a privacy pro, the world of data privacy can feel a little like alphabet soup. So many acronyms float around the field that understanding which laws, activities, and concepts belong where is a real challenge. Data privacy is a complex field, but the vocabulary does not need to be overwhelming. To bring genuine data privacy to more businesses and users, we believe that a little education goes a long way.
We curate this running Data Acronym Resource where you can find all data privacy abbreviations from A – Z in a single, central location. Bookmark this page for handy reference — we regularly update the list with new terms and link more resources. Check out our Latest Updates section if you just need a quick refresher on any new terms from the past couple of weeks.
These measures are either in effect or already passed and approaching the start of their enforcement period.
|AIA||Artificial Intelligence Act|
Proposed by the European Commission to create a legal framework for regulating companies’ use of AI.
|AADC||Age-Appropriate Design Code|
These codes place legal restrictions on how companies design online products and services for children. There is a version of this code in the UK and in California.
|BIPA||Biometric Information Privacy Act|
State privacy law in Illinois governing how businesses can handle users’ biometric information, effective since 2008.
|CCPA||California Consumer Privacy Act|
State privacy law in California, effective since 2020 and to be followed by the CPRA in 2023.
|CDPA||Consumer Data Protection Act|
State privacy law in Virginia, going into effect in 2023.
|COPPA||Children’s Online Privacy Protection Act|
Federal rule in the United States that regulates how online services can handle the personal information of children under 13 years of age.
|CPRA||California Privacy Rights Act|
Upcoming state privacy law in California to replace the CCPA in 2023.
|CTDPA||Connecticut Data Privacy Act|
State privacy law in Connecticut, going into effect in 2023.
|DMA||Digital Markets Act|
EU legislation that aims to address unfair business practices among large providers of digital services, including the regulation of end-user profiling. Adopted in July 2022.
|DPA||Data Protection Act|
Federal privacy act in the United Kingdom, effective since 2018.
|DSA||Digital Services Act|
EU legislation that codifies protections against unfair targeted advertising, illegal content, and disinformation. Adopted in July 2022.
|ECPA||Electronic Communications Privacy Act|
Federal law in the US, effective since 1986, that extends previous legislation against phone wiretapping to protect the contents of computer communications while they are being made, in transit, and stored on computers.
|FCRA||Fair Credit Reporting Act|
Federal law in the US, effective since 1970, that regulates credit agencies’ collection of credit report information as well as individuals’ access to such information.
|FERPA||Family Educational Rights and Privacy Act|
Federal law in the US, effective since 1974, that regulates access and processing of education-related data.
|FISA||Foreign Intelligence Surveillance Act|
Federal law in the US, effective since 1978, that establishes processes for surveillance of communications, a provision that has been an ongoing point of contention in international data-transfer negotiations, especially between the US and the EU.
|GDPR||General Data Protection Regulation|
Privacy law for the European Union, effective since 2018.
|GDPR-K||General Data Protection Regulation-Kids|
An informal term to refer to the protections specific to children’s data in the European Union under GDPR, particularly GDPR’s Article 8 and Recital 38.
Federal statute in the United States that, among other measures, requires financial organizations to disclose their data safeguards to their users; effective since 1999.
|HIPAA||Health Insurance Portability and Accountability Act|
Federal medical privacy law in the United States governing protections for patients’ health information.
|HITECH||Health Information Technology for Economic and Clinical Health (Act)|
A US federal law, enacted in 2009, that seeks to close loopholes in HIPAA and promote privacy-respecting adoption of electronic health records among healthcare institutions.
|KOSA||Kids Online Safety Act|
A bill that would provide more data protections to minors (under 17) online. Introduced in Congress in February 2022.
|LGPD||Lei Geral de Proteção de Dados Pessoais (Portuguese for General Personal Data Protection Law)|
Data privacy law in Brazil, effective since 2020 with sanctions for violations starting in 2021.
|LPPD||Law on the Protection of Personal Data|
Data privacy law in Turkey, effective since 2016.
|NDPR||Nigeria Data Protection Regulation|
Data privacy law in Nigeria, effective since 2019.
|NPICIC||Nevada Privacy of Information Collected on the Internet from Consumers Act|
State privacy law in Nevada for websites’ privacy policies, effective in its amended form since 2019.
|PDP (Law)||Personal Data Protection (Law)|
Privacy law in Indonesia. Act passed in September 2022. Read here (only in Indonesian).
|PDPA||Personal Data Protection Act|
Privacy law in Argentina that protects citizens’ data privacy, effective since 2000.
|PDPA||Personal Data Protection Act|
Thailand’s data protection law, effective June 2022.
|PDPL||Personal Data Protection Law|
Federal privacy act in Saudi Arabia, going into effect in 2023.
|PECR||Privacy and Electronic Communications Regulations|
A UK law that protects citizens against direct marketing. This law makes it illegal to send someone direct marketing without their explicit consent. Established in 2003.
|PIPEDA||Personal Information Protection and Electronic Documents Act|
Federal privacy law in Canada, effective since 2000.
|PIPA||Personal Information Protection Act|
Federal data protection law in Japan, effective since 2005, sometimes referred to as the Personal Information Protection Law (PIPL). See also: China’s draft Personal Information Protection Law (PIPL) in the Laws section.
|PIPL||Personal Information Protection Law|
Federal privacy bill in China, passed in 2021. See also: Japan’s Personal Information Protection Act (PIPA), sometimes referred to as the Personal Information Protection Law (PIPL), in the Laws section.
|POPI(A)||Protection of Personal Information Act|
Federal privacy act in South Africa, effective since 2020.
|UCPA||Utah Consumer Privacy Act|
State privacy law in Utah, going into effect in 2023.
These measures are under consideration but not yet passed.
|ADPPA||American Data Privacy and Protection Act|
A proposed U.S. federal bill for general consumer privacy, not yet formally introduced as of June 10, 2022.
|DPB||Data Protection Bill|
Data protection bill in India, introduced to Parliament in 2019 and still being drafted.
|DPDIB||Data Protection and Digital Information Bill|
First data privacy reform bill introduced into UK Parliament since Brexit. Discussions began in July 2022.
Proposed EU regulation with specific privacy guidelines for electronic communications, presented in 2017.
|PDP||Personal Data Protection Bill|
Federal privacy bill in India, presented in 2019 and withdrawn in 2022.
|AEPD||Agencia Española de Protección de Datos (Spanish for Spanish Data Protection Agency)|
Spanish agency responsible for upholding data privacy law in the country.
A primary legal officer in a regional or federal government, often tasked with enforcement of consumer privacy law when the law does not contain a private right of action.
|ANPD||Autoridade Nacional de Proteção de Dados (Portuguese for National Data Protection Authority)|
Brazilian agency responsible for upholding data privacy law in the country.
|APD/GPA||Autorité de Protection des Données in French or Gegevensbeschermingsautoriteit in Dutch|
The Belgian Data Protection Authority. It is responsible for enforcing the GDPR in Belgium.
|APEC||Asia-Pacific Economic Cooperation|
An inter-government organization of 21 countries in the Asia-Pacific region. Established the CBPR Forum for interoperability of data transfers across member governments.
|BEUC||Bureau Européen des Unions de Consommateurs (French for European Consumer Organization)|
Umbrella organization for 45 European consumer organizations in 32 countries that defend the interests of consumers.
|CAC||Cybersecurity Administration of China|
Chinese agency responsible for upholding data protection law in the country and for implementing technical specifications for the country’s PIPL.
|CARU||Children’s Advertising Review Unit|
US agency responsible for regulating advertising as it relates to children under the age of 12.
|CBPR||Cross-Border Privacy Rules (Forum)|
A multilateral collaboration between the United States, Japan, Singapore, the Philippines, South Korea, Chinese Taipei, and Canada to promote interoperability and bridge regions’ data privacy rules.
|CDPO||Certification des compétences du DPO (French for DPO Skills Certification)|
Individual certified by the International Association of Privacy Professionals to practice privacy in accordance with France’s CNIL agency.
|CFPB||Consumer Financial Protection Bureau|
U.S. Government agency that protects consumers in financial sectors.
|CIPM||Certified Information Privacy Manager|
Title for an individual certified by the International Association of Privacy Professionals to build privacy into operations, e.g., audits and risk management.
|CIPP||Certified Information Privacy Professional|
Title for an individual certified by the International Association of Privacy Professionals to practice privacy in legal and compliance settings.
|CIPT||Certified Information Privacy Technologist|
Title for an individual certified by the International Association of Privacy Professionals to build privacy into engineering and IT functions.
|CISO||Chief Information Security Officer|
A senior-level executive who is responsible for maintaining information-related compliance and protecting consumer data.
|CJEU||Court of Justice of the European Union|
Judicial body charged with interpreting and applying EU law in EU member countries.
|CNIL||Commission Nationale de l’Informatique et des Libertés (French for National Commission on Informatics and Liberty)|
French agency responsible for upholding data privacy law in the country.
|CNPD||Commission Nationale pour la Protection des Données (French for National Data Protection Commission)|
Luxembourgish agency responsible for upholding data privacy law in the country.
|CPO||Chief Privacy Officer|
A new executive-level position in businesses and organizations. This role is responsible for managing risks associated with data privacy laws and regulations.
|CPPA||California Privacy Protection Agency|
Agency responsible for implementing and enforcing the CPRA in California, beginning in 2023.
|DPA||Data Protection Authority|
Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; a legacy term for ISA.
|DPC||Data Protection Commission|
Ireland’s agency for upholding privacy law in the country, notably including Facebook’s EU base in Dublin.
|DPO||Data Protection Officer|
Point-person for a company’s privacy compliance and training under GDPR.
|EDPB||European Data Protection Board|
Independent organization for implementing data protection regulations in the EU, working in concert with DPAs and the EDPS.
|EDPS||European Data Protection Supervisor|
Independent authority in the EU charged with overseeing how EU entities process personal data.
|ENISA||European Network and Information Security Agency|
The European Union’s cybersecurity agency, aiming to support EU member states in meeting cybersecurity requirements and to provide expert guidance. Though the acronym remains, the organization’s full name is now the European Union Agency for Cybersecurity.
|FDPIC||Federal Data Protection and Information Commissioner|
Switzerland’s data protection authority.
|FCC||Federal Communications Commission|
A U.S. agency that manages radio, television, wire, satellite, and cable communications across the country.
|FPF||Future of Privacy Forum|
A think tank based in Washington, DC, that advocates for data privacy in support of emerging technologies.
|FTC||Federal Trade Commission|
US federal agency responsible for enforcing regulations pertaining to consumer protection and market competition.
|GAO||Government Accountability Office|
U.S. agency that works for Congress. Known as the “congressional watchdog,” it gathers and provides Congress with non-partisan fact-based information.
|HDPA||Hellenic Data Protection Authority|
Data protection organization in Greece responsible for enforcing GDPR.
|IAB||Interactive Advertising Bureau|
A trade group that builds systems like the Transparency and Consent Framework to govern real-time bidding on advertising.
|IAPP||International Association of Privacy Professionals|
Organization that conducts research, creates resources, and provides professional development among privacy professionals; body that grants certifications like CIPM, CIPP, and CIPT.
|ICO||Information Commissioner’s Office|
United Kingdom’s agency for upholding privacy law in the country.
|IMDA||Infocomm Media Development Authority|
A government agency in Singapore that develops and regulates information communications and media sectors in the country.
|ISA||Independent Supervisory Authority|
Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; GDPR’s updated term for DPA.
|ISO||International Organization for Standardization|
An independent, non-governmental, international organization that sets standards across technology and manufacturing. Some of its standards, such as ISO 18013-5, are inspired by privacy frameworks like Privacy by Design.
|KVKK||Turkish Personal Data Authority|
Government body that protects the data of Turkish citizens, formed in 2017.
|NIST||National Institute of Standards and Technology|
US federal agency that sets guidelines for innovation across technical fields and establishes frameworks for cybersecurity and privacy.
|NPC||National Privacy Commission|
Responsible for monitoring and ensuring data privacy compliance in the Philippines. Founded in 2012.
|OAIC||Office of the Australian Information Commissioner|
Australian agency responsible for upholding rights related to data privacy, freedom of information, and government information in the country.
|ODPC||Office of the Data Protection Commission|
Kenyan agency responsible for upholding data privacy law in the country. Founded in 2019.
|OECD||Organization for Economic Cooperation and Development|
Intergovernmental organization with 38 member countries. It creates policies that manage cross-border data flows among different governmental jurisdictions.
|OPC||Office of the Privacy Commissioner|
Depending on the context, this acronym refers to either New Zealand’s or Canada’s agency for upholding privacy law in the respective country.
|PCPD||Privacy Commissioner for Personal Data|
Hong Kong agency responsible for upholding data privacy law in the region.
|PDPC||Personal Data Protection Commission|
Singapore agency responsible for upholding data privacy law in the country.
|PIPC||Personal Information Protection Commission|
South Korean agency responsible for upholding data privacy law in the country.
|ADM, SADM||Automated Decision-Making, Solely Automated Decision-Making|
The process by which a computer makes a decision given data as input, without human involvement. For SADM, no human is involved at any stage of the process.
|BCR||Binding Corporate Rule|
Policy for data protection applying to EU companies that transfer EU residents’ personal data outside of the EU.
|DPA||Data Processing Agreement|
Agreement between parties that share EU citizens’ personal data, as required under GDPR.
|DPIA||Data Protection Impact Assessment|
Risk evaluation carried out for a data processing activity, legally required in certain cases under Virginia’s CDPA and the EU’s GDPR.
|DSR, DSAR, SAR||Data Subject Request|
A consumer’s request to a business to access, delete, or not sell the personal information that the business holds on them. The activities covered under a DSR depend on the applicable law.
|ETL||Extract, Transform, Load|
General data management term for the process of combining data from multiple sources.
|IDFA||Identifier for Advertisers|
A unique device identifier used to target users for advertising purposes. Since the iOS 14.5 update, advertisers’ access to this identifier on Apple’s mobile devices requires explicit user consent.
|MFA, 2FA||Multi-Factor Authentication (aka 2FA for 2-Factor Authentication)|
Process of verifying identity through more than one mechanism, e.g., sending a code to a user’s phone after they have entered their password.
Cryptography practice in which multiple parties run computations while their inputs are kept private from one another.
|PRA||Private Right of Action|
A right granted under certain laws by which individuals, rather than a government entity like the Attorney General’s office, can sue an organization for violating the law.
|RoPA||Record of Processing Activities|
Inventory of how, why, and with whom a business handles EU citizens’ personal data, as required under GDPR.
|SAST||Static Application Security Testing|
An established process for testing software security within the CI/CD process. Its proactive nature has inspired similarly proactive approaches to privacy in software development.
|SCC||Standard Contractual Clause|
Legal mechanism for sharing the personal data of European Economic Area’s citizens with entities outside of the European Economic Area.
|AES||Advanced Encryption Standard|
An algorithm for encryption of electronic data, certified by the National Institute of Standards and Technology. The key can be 128, 192, or 256 bits, and this key size is often affixed to the acronym itself: AES-128, AES-192, AES-256.
|AMP||Accelerated Mobile Pages|
A framework developed by Google to enable faster loading of mobile pages, with the pages served from Google’s servers rather than those of the original publishers.
|API||Application Programming Interface|
A set of rules to enable the interchange of different applications’ data and services, mediating between pieces of software.
|AR / VR||Augmented Reality / Virtual Reality|
Augmented reality projects virtual images and characters through the screen. Virtual reality is a computer simulation of an alternate world.
|ATT||App Tracking Transparency|
Anti-tracking feature from Apple, rolled out with the 2021 iOS 14.5 update, which requires apps to receive an iPhone user’s explicit consent in order to track the user’s unique advertising identifier.
A vehicle that is able to perform its necessary operations and interactions with the surrounding environment without a human driver.
|BCR||Binding Corporate Rules|
A framework for allowing corporations to transfer data internationally in a way that complies with EU regulations.
The process of individual software developers contributing their code to a shared software project at high frequency, supported by a version control system and a suite of tools to ensure that new contributions meet standards for code quality.
|DFFT||Data Free Flow with Trust|
A proposed principle for rule-making in cross-border data flows, championed by Japan at the G20 Summit in 2019. It was a part of the Osaka Track, an international initiative for cross-government cooperation and trust on data flows.
|DNS||Domain Name System|
A distributed system that enables a domain name to be mapped to IP addresses and thus deliver information over the internet. The lack of privacy considerations in the design of this system decades ago has prompted concern and research over how to promote user privacy in DNS transactions.
A characteristic of a system that provides data about a group of individuals without allowing any query to enable inference about a particular individual. In practice, this privacy definition is achieved through the careful addition of statistical noise to a dataset.
|DPV||Data Protection Vocabulary|
A taxonomy or knowledge graph for standardizing concepts in data processing.
|DSA||Digital Signature Algorithm|
An algorithm adopted by the US government for verifying the authenticity of data.
An encryption practice in which the cryptographic keys needed to read a message are only accessible at the endpoints of the communication: the sender and the receiver, to the exclusion of intermediate parties such as service providers.
Technologies that students use in their remote, hybrid, or in-person schoolwork to participate in a variety of school-related activities. Examples include test-proctoring software and school-issued computing devices.
|EHR||Electronic Health Record|
A digital version of a patient’s medical charts, including information such as diagnoses, medical history, test results, and other medical details.
|FAIR||Factor Analysis of Information Risk|
A model for modern privacy that enables the management and measurement of privacy risk using a taxonomy of risks, their magnitudes, and their frequencies.
|FHE||Fully Homomorphic Encryption|
Encryption practice which allows an arbitrary number of computations on the encrypted data.
|FIPPs||Fair Information Practice Principles|
Privacy framework that has shaped privacy legislation as well as privacy engineering initiatives; a predecessor to more modern approaches like Privacy by Design (PbD).
|FLEDGE||First Locally-Executed Decision Over Groups Experiment|
A proposed tool within Google’s Privacy Sandbox, to be made available in preview and beta in 2022, which Google claims will support custom audience targeting for ads while minimizing cross-app and third-party sharing of user identifiers.
|FLoC||Federated Learning of Cohorts|
One of Google’s proposed alternatives to cookies for individualized third-party tracking on its Chrome browser, relying on tracking users in groups rather than as individuals. Discontinued in January 2022 in favor of the Topics API.
A mode of operation for cryptographic methods, often used in conjunction with the Advanced Encryption Standard.
|GPC||Global Privacy Control|
A browser setting for individuals to signal their privacy preferences (e.g., Do Not Sell My Personal Information under CCPA) to all sites visited.
|GTM||Google Tag Manager|
System for web developers to manage user tracking on their businesses’ websites.
An area of design and research that addresses how humans engage with physical and digital aspects of computers, so that system designs align with human needs and expectations.
|HMAC||Hash-based Message Authentication Code|
A tool for authenticating messages, using any relevant cryptographic hash function. For instance, using the SHA-256 hash function to calculate the HMAC is referred to as HMAC-SHA256.
|INDTA||International Data Transfer Agreements|
A contractual agreement that establishes compliant international data transfers within the European Union.
|IoT||Internet of Things|
The interconnected network of devices embedded with computing and sensing abilities, particularly in contexts such as the home or workplace with devices that might not resemble computers in a traditional sense, e.g., a home thermostat with internet connectivity.
|IPA||Interoperable Private Attribution|
A proposal for measuring ad campaigns that aims to preserve users’ privacy using multiparty computation and data aggregation, while providing useful metrics to advertisers.
|LDU||Limited Data Use|
Feature offered by Facebook in 2020 to businesses, aiming to limit businesses’ collection of Californians’ personal information in order for them to comply with the CCPA.
A field focused on the development and usage of technologies that imitate some aspects of human learning, such that they gradually become more successful at specific tasks.
|NLP||Natural Language Processing|
An area of computer science and linguistics that addresses ways in which software systems can analyze and process human language. Examples include automated transcription and sentiment analysis.
An approach that treats personal data in such a way that its privacy attributes are explicit and governable within the code environment.
|PbD||Privacy By Design|
Framework for building privacy into the design of technologies.
|PET||Privacy Enhancing Technology|
A tool designed to strengthen users’ privacy and to use minimal amounts of personal information, e.g., pseudonymization.
|PGP||Pretty Good Privacy|
One of the first publicly available public-key cryptography systems, in which sender of a message uses a public key specific to the recipient to encrypt a message (often using the Rivest-Shamir-Adleman algorithm), and the recipient uses a private key—known to no other party—to decrypt the message.
|PHE||Partially Homomorphic Encryption|
Encryption practice which allows a single computation on the encrypted data.
|PII||Personally Identifiable Information|
Information that could reasonably identify a unique individual; different regulations have different designations of what pieces of information are considered personally identifiable.
|PSI||Private Set Intersection|
A type of secure multiparty computation in which multiple parties can compute the elements shared among their respective datasets without revealing any other information about those datasets.
|QR||Quick Response (Code)|
A two-dimensional barcode that can point to a URL or application, posing risks to security and privacy if the code, for instance, links to a dangerous website or compromises device settings.
|RBAC||Role-Based Access Control|
Security and privacy framework in which permissions are assigned according to personnel’s specific roles.
|RFID||Radio Frequency Identification|
A type of tag that transmits a radio signal via a small antenna, used to send information over greater distances than tools that use other electromagnetic waves (e.g., infrared). RFID tags are sometimes implemented to track the location of objects, such as inventory moving through a commercial checkpoint.
One of the oldest public-key cryptosystems, the strength of which derives from the difficulty of factoring products of large prime numbers.
|SDK||Software Development Kit|
A collection of tools for developing software applications with respect to particular platform or system requirements, such as those required for Android or iOS apps.
|SDLC||Software Development Life Cycle|
The ongoing and iterative process for building software, spanning stages like designing, developing, testing, and reviewing.
|SFE||Secure Function Evaluation|
A cryptography problem where all users contribute their data to a shared function. This function’s output is the only additional information gained by each user.
|SHA||Secure Hash Algorithm|
A suite of cryptographic hash functions adopted by the National Institute of Standards and Technology.
|SSL||Secure Sockets Layer|
Deprecated cryptographic protocol that was often used for securing websites, email, and other communications. Its successor is Transport Layer Security.
|TADPF||Trans-Atlantic Data Privacy Framework|
Announced agreement to support EU-U.S. data flows that uphold both regions’ privacy expectations. As of April 1, 2022, it is an in-principle agreement, not yet providing details on its implementation.
|TCF||Transparency and Consent Framework|
A system developed by the Interactive Advertising Bureau to power real-time bidding on advertising through processes like signaling users’ consent preferences to vendors.
A tool designed to improve a user’s understanding of how their personal data is collected and processed, e.g. a user-facing dashboard that shows the extent of user profiling.
|TLS||Transport Layer Security|
Cryptographic protocol most commonly known for website security, the successor to the deprecated Secure Sockets Layer.
Short for “User Agent string,” information on a browser that communicates which browser is being used, the device it’s being used on, and the version of the browser.
|UUID||Universally Unique Identifier|
128-bit value used in software and encryption as a distinct label.
|VCR||Verifiable Consumer Request|
An alternative term for a data subject request (DSR), used in the text of the California Consumer Privacy Act.
|VPN||Virtual Private Network|
A private network tunnelled over a public network, so that parties can exchange information as if they were connected by a private network.
|ZKP||Zero-Knowledge Proof, or Zero-Knowledge Protocol|
A cryptographic process by which someone can prove to a distinct verifier that a given statement is true, without revealing any information to the verifier or the broader world besides the truth of the statement. At a high level, it is a means of enforcing honesty with minimal privacy leakage; its applications include authentication and blockchain transactions.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.