
Data Privacy Acronym List

For newcomers and privacy pros alike, the world of data privacy can feel a little like alphabet soup. With an ever-growing list of acronyms, understanding which laws, activities, and concepts belong where is a real challenge. Data privacy is a complex field, but the vocabulary does not need to be overwhelming. To bring genuine data privacy to more businesses and users, we believe that a little education goes a long way.

We curate this running Data Acronym Resource where you can find all data privacy abbreviations from A – Z in a single, central location. Bookmark this page for handy reference — we regularly update the list with new terms and link more resources. Check out our Latest Updates section if you just need a quick refresher on any new terms from the past couple of weeks.


Latest Updates

  • May 13, 2022: We added CTDPA and FERPA to the “Laws” section. We added ML to the “Concepts and Tools” section.
  • April 29, 2022: We added DSA to the “Pending Legislation” section. We added CBPR to the “Organizations and Roles” section. We added AMP and CI to the “Concepts and Tools” section.
  • April 15, 2022: We added HITECH to the “Laws” section. We added FAIR and PaC to the “Concepts and Tools” section.


Laws

These measures are either in effect, or already passed and approaching the start of their enforcement period.

  • BIPA (Biometric Information Privacy Act): State privacy law in Illinois governing how businesses can handle users’ biometric information, effective since 2008.
  • CCPA (California Consumer Privacy Act): State privacy law in California, effective since 2020 and to be followed by the CPRA in 2023.
  • CDPA (Consumer Data Protection Act): State privacy law in Virginia, going into effect in 2023.
  • COPPA (Children’s Online Privacy Protection Act): Federal rule in the United States that regulates how online services can handle the personal information of children under 13 years of age.
  • CPRA (California Privacy Rights Act): Upcoming state privacy law in California to replace the CCPA in 2023.
  • CTDPA (Connecticut Data Privacy Act): State privacy law in Connecticut, going into effect in 2023.
  • DPA (Data Protection Act): Federal privacy act in the United Kingdom, effective since 2018.
  • ECPA (Electronic Communications Privacy Act): Federal law in the US, effective since 1986, that extends previous legislation against phone wiretapping to protect the contents of computer communications while they are being made, in transit, and stored on computers.
  • FCRA (Fair Credit Reporting Act): Federal law in the US, effective since 1970, that regulates credit agencies’ collection of credit report information as well as individuals’ access to such information.
  • FERPA (Family Educational Rights and Privacy Act): Federal law in the US, effective since 1974, that regulates access to and processing of education-related data.
  • FISA (Foreign Intelligence Surveillance Act): Federal law in the US, effective since 1978, that establishes processes for surveillance of communications; its provisions have been an ongoing point of contention in international data-transfer negotiations, especially between the US and the EU.
  • GDPR (General Data Protection Regulation): Privacy law for the European Union, effective since 2018.
  • GDPR-K (General Data Protection Regulation-Kids): An informal term for the protections specific to children’s data in the European Union under GDPR, particularly GDPR’s Article 8 and Recital 38.
  • GLBA (Gramm-Leach-Bliley Act): Federal statute in the United States that, among other measures, requires financial organizations to disclose their data safeguards to their users; effective since 1999.
  • HIPAA (Health Insurance Portability and Accountability Act): Federal medical privacy law in the United States governing protections for patients’ health information.
  • HITECH (Health Information Technology for Economic and Clinical Health Act): A US federal law, enacted in 2009, that seeks to close loopholes in HIPAA and promote privacy-respecting adoption of electronic health records among healthcare institutions.
  • LGPD (Lei Geral de Proteção de Dados Pessoais, Portuguese for General Personal Data Protection Law): Data privacy law in Brazil, effective since 2020, with sanctions for violations starting in 2021.
  • NPICIC (Nevada Privacy of Information Collected on the Internet from Consumers Act): State privacy law in Nevada for websites’ privacy policies, effective in its amended form since 2019.
  • PDPL (Personal Data Protection Law): Federal privacy act in Saudi Arabia, going into effect in 2023.
  • PIPEDA (Personal Information Protection and Electronic Documents Act): Federal privacy law in Canada, effective since 2000.
  • PIPA (Personal Information Protection Act): Federal data protection law in Japan, effective since 2005, sometimes referred to as the Personal Information Protection Law (PIPL). See also: China’s Personal Information Protection Law (PIPL), below in this section.
  • PIPL (Personal Information Protection Law): Federal privacy bill in China, passed in 2021. See also: Japan’s Personal Information Protection Act (PIPA), above in this section, sometimes referred to as the Personal Information Protection Law (PIPL).
  • POPI(A) (Protection of Personal Information Act): Federal privacy act in South Africa, effective since 2020.
  • UCPA (Utah Consumer Privacy Act): State privacy law in Utah, going into effect in 2023.



Pending Legislation

These measures are under consideration but not yet passed.

  • DMA (Digital Markets Act): Proposed EU legislation that aims to address unfair business practices among large providers of digital services, including through regulation of end-user profiling; presented in 2020.
  • DSA (Digital Services Act): Proposed EU legislation that seeks to codify protections against unfair targeted advertising, illegal content, and disinformation; presented in 2020. As of April 2022, the legislation awaits formal approval and will be directly applicable across the EU no earlier than January 1, 2024.
  • ePR (ePrivacy Regulation): Proposed EU regulation with specific privacy guidelines for electronic communications, presented in 2017.
  • PDP (Personal Data Protection Bill): Federal privacy bill in India, presented in 2019.


Organizations and Roles

  • AEPD (Agencia Española de Protección de Datos, Spanish for Spanish Data Protection Agency): Spanish agency responsible for upholding data privacy law in the country.
  • ANPD (Autoridade Nacional de Proteção de Dados, Portuguese for National Data Protection Authority): Brazilian agency responsible for upholding data privacy law in the country.
  • CAC (Cybersecurity Administration of China): Chinese agency responsible for upholding data protection law in the country and for implementing technical specifications for the country’s PIPL.
  • CARU (Children’s Advertising Review Unit): US agency responsible for regulating advertising as it relates to children under the age of 12.
  • CBPR (Cross-Border Privacy Rules Forum): A multilateral collaboration between the United States, Japan, Singapore, the Philippines, South Korea, Chinese Taipei, and Canada to promote interoperability and bridge regions’ data privacy rules.
  • CDPO (Certification des compétences du DPO, French for DPO Skills Certification): Individual certified by the International Association of Privacy Professionals to practice privacy in accordance with France’s CNIL agency.
  • CIPM (Certified Information Privacy Manager): Title for an individual certified by the International Association of Privacy Professionals to build privacy into operations, e.g., audits and risk management.
  • CIPP (Certified Information Privacy Professional): Title for an individual certified by the International Association of Privacy Professionals to practice privacy in legal and compliance settings.
  • CIPT (Certified Information Privacy Technologist): Title for an individual certified by the International Association of Privacy Professionals to build privacy into engineering and IT functions.
  • CJEU (Court of Justice of the European Union): Judicial body charged with interpreting and applying EU law in EU member countries.
  • CNIL (Commission Nationale de l’Informatique et des Libertés, French for National Commission on Informatics and Liberty): French agency responsible for upholding data privacy law in the country.
  • CNPD (Commission Nationale pour la Protection des Données, French for National Data Protection Commission): Luxembourgish agency responsible for upholding data privacy law in the country.
  • CPPA (California Privacy Protection Agency): Agency responsible for implementing and enforcing the CPRA in California, beginning in 2023.
  • DPA (Data Protection Authority): Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; a legacy term for ISA.
  • DPC (Data Protection Commission): Ireland’s agency for upholding privacy law in the country, notably including Facebook’s EU base in Dublin.
  • DPO (Data Protection Officer): Point person for a company’s privacy compliance and training under GDPR.
  • EDPB (European Data Protection Board): Independent organization for implementing data protection regulations in the EU, working in concert with DPAs and the EDPS.
  • EDPS (European Data Protection Supervisor): Independent authority in the EU charged with overseeing how EU entities process personal data.
  • ENISA (European Network and Information Security Agency): The European Union’s cybersecurity agency, aiming to support EU member states in meeting cybersecurity requirements and to provide expert guidance. Though the acronym remains, the organization’s full name is now the European Union Agency for Cybersecurity.
  • FDPIC (Federal Data Protection and Information Commissioner): Switzerland’s data protection authority.
  • FTC (Federal Trade Commission): US federal agency responsible for enforcing regulations pertaining to consumer protection and market competition.
  • IAB (Interactive Advertising Bureau): A trade group that builds systems like the Transparency and Consent Framework to govern real-time bidding on advertising.
  • IAPP (International Association of Privacy Professionals): Organization that conducts research, creates resources, and provides professional development among privacy professionals; the body that grants certifications like CIPM, CIPP, and CIPT.
  • ICO (Information Commissioner’s Office): The United Kingdom’s agency for upholding privacy law in the country.
  • ISA (Independent Supervisory Authority): Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; GDPR’s updated term for DPA.
  • ISO (International Organization for Standardization): An independent, non-governmental, international organization that sets standards across technology and manufacturing. Some of its standards, 18013-5 among them, are inspired by privacy frameworks like Privacy by Design.
  • NIST (National Institute of Standards and Technology): US federal agency that sets guidelines for innovation across technical fields and establishes frameworks for cybersecurity and privacy.
  • OAIC (Office of the Australian Information Commissioner): Australian agency responsible for upholding rights related to data privacy, freedom of information, and government information in the country.
  • OPC (Office of the Privacy Commissioner): Depending on the context in which the acronym is used, either New Zealand’s or Canada’s agency for upholding privacy law in the respective country.
  • PCPD (Privacy Commissioner for Personal Data): Hong Kong agency responsible for upholding data privacy law in the region.
  • PDPC (Personal Data Protection Commission): Singapore agency responsible for upholding data privacy law in the country.
  • PIPC (Personal Information Protection Commission): South Korean agency responsible for upholding data privacy law in the country.


Activities

  • ADM, SADM (Automated Decision-Making, Solely Automated Decision-Making): The process by which a computer makes a decision given data as input, without human involvement. For SADM, no human is involved at any stage of the process.
  • BCR (Binding Corporate Rule): Policy for data protection applying to EU companies that transfer EU residents’ personal data outside of the EU.
  • DPA (Data Processing Agreement): Agreement between parties that share EU citizens’ personal data, as required under GDPR.
  • DPIA (Data Protection Impact Assessment): Risk evaluation carried out for a data processing activity, legally required in certain cases under Virginia’s CDPA and the EU’s GDPR.
  • DSR, DSAR, SAR (Data Subject Request): A consumer’s request to a business to access, delete, or not sell the personal information that the business holds on them. The activities covered under a DSR depend on the applicable law.
  • ETL (Extract, Transform, Load): General data management term for the process of combining data from multiple sources.
  • IDFA (Identifier for Advertisers): A unique device identifier used to target users for advertising purposes. Following the iOS 14.5 update, advertisers’ access to this identifier on Apple’s mobile devices requires explicit user consent.
  • MFA, 2FA (Multi-Factor Authentication, aka 2FA for 2-Factor Authentication): Process of verifying identity through more than one mechanism, e.g., sending a code to a user’s phone after they have entered their password.
  • MPC (Multi-Party Computation): Cryptography practice in which multiple parties run computations while their inputs are kept private from one another.
  • PRA (Private Right of Action): A right granted under certain laws by which individuals, rather than a government entity like the Attorney General’s office, can sue an organization for violating the law.
  • RoPA (Record of Processing Activities): Inventory of how, why, and with whom a business handles EU citizens’ personal data, as required under GDPR.
  • SAST (Static Application Security Testing): An established process for testing software security within the CI/CD process. Its proactive nature has inspired similarly proactive approaches to privacy in software development.
  • SCC (Standard Contractual Clause): Legal mechanism for sharing the personal data of citizens of the European Economic Area with entities outside of the European Economic Area.


Concepts and Tools

  • AES (Advanced Encryption Standard): An algorithm for encryption of electronic data, certified by the National Institute of Standards and Technology. The key can be 128, 192, or 256 bits, and this key size is often affixed to the acronym itself: AES-128, AES-192, AES-256.
  • AMP (Accelerated Mobile Pages): A framework developed by Google to enable faster loading of mobile pages, with the pages served from Google’s servers rather than those of the original publishers.
  • API (Application Programming Interface): A set of rules to enable the interchange of different applications’ data and services, mediating between pieces of software.
  • ATT (App Tracking Transparency): Anti-tracking feature from Apple, rolled out with the 2021 iOS 14.5 update, which requires apps to receive an iPhone user’s explicit consent in order to track the user’s unique advertising identifier.
  • AV (Autonomous Vehicle): A vehicle that is able to perform its necessary operations and interactions with the surrounding environment without a human driver.
  • CI (Continuous Integration): The process of individual software developers contributing their code to a shared software project at high frequency, supported by a version control system and a suite of tools to ensure that new contributions meet standards for code quality.
  • DSA (Digital Signature Algorithm): An algorithm adopted by the US government for verifying the authenticity of data.
  • E2E(E) (End-to-End Encryption): An encryption practice in which the cryptographic keys needed to read a message are only accessible at the endpoints of the communication, the sender and the receiver, to the exclusion of intermediate parties such as service providers.
  • EHR (Electronic Health Record): A digital version of a patient’s medical charts, including information such as diagnoses, medical history, test results, and other medical details.
  • FAIR (Factor Analysis of Information Risk): A model for modern privacy that enables the management and measurement of privacy risk using a taxonomy of risks, their magnitudes, and their frequencies.
  • FHE (Fully Homomorphic Encryption): Encryption practice which allows an arbitrary number of computations on the encrypted data.
  • FIPPs (Fair Information Practice Principles): Privacy framework that has shaped privacy legislation as well as privacy engineering initiatives; a predecessor to more modern approaches like Privacy by Design (PbD).
  • FLoC (Federated Learning of Cohorts): One of Google’s proposed alternatives to cookies for individualized third-party tracking on its Chrome browser, relying on tracking users in groups rather than as individuals. Discontinued in January 2022 in favor of the Topics API.
  • GPC (Global Privacy Control): A browser setting for individuals to signal their privacy preferences (e.g., Do Not Sell My Personal Information under CCPA) to all sites visited.
  • GTM (Google Tag Manager): System for web developers to manage user tracking on their businesses’ websites.
  • HMAC (Hash-based Message Authentication Code): A tool for authenticating messages, using any relevant cryptographic hash function. For instance, using the SHA-256 hash function to calculate the HMAC is referred to as HMAC-SHA256.
  • IoT (Internet of Things): The interconnected network of devices embedded with computing and sensing abilities, particularly in contexts such as the home or workplace with devices that might not resemble computers in a traditional sense, e.g., a home thermostat with internet connectivity.
  • IPA (Interoperable Private Attribution): A proposal for measuring ad campaigns that aims to preserve users’ privacy using multiparty computation and data aggregation, while providing useful metrics to advertisers.
  • LDU (Limited Data Use): Feature offered by Facebook in 2020 to businesses, aiming to limit businesses’ collection of Californians’ personal information in order for them to comply with the CCPA.
  • ML (Machine Learning): A field focused on the development and usage of technologies that imitate some aspects of human learning, such that they gradually become more successful at specific tasks.
  • PaC (Privacy-as-Code): An approach that treats personal data in such a way that its privacy attributes are explicit and governable within the code environment.
  • PbD (Privacy By Design): Framework for building privacy into the design of technologies.
  • PET (Privacy Enhancing Technology): A tool designed to strengthen users’ privacy and to use minimal amounts of personal information, e.g., pseudonymization.
  • PGP (Pretty Good Privacy): One of the first publicly available public-key cryptography systems, in which the sender of a message uses a public key specific to the recipient to encrypt the message (often using the Rivest-Shamir-Adleman algorithm), and the recipient uses a private key, known to no other party, to decrypt it.
  • PHE (Partially Homomorphic Encryption): Encryption practice which allows a single computation on the encrypted data.
  • PII (Personally Identifiable Information): Information that could reasonably identify a unique individual; different regulations have different designations of what pieces of information are considered personally identifiable.
  • QR (Quick Response Code): A two-dimensional barcode that can point to a URL or application, posing risks to security and privacy if the code, for instance, links to a dangerous website or compromises device settings.
  • RBAC (Role-Based Access Control): Security and privacy framework in which permissions are assigned according to personnel’s specific roles.
  • RFID (Radio Frequency Identification): A type of tag that transmits a radio signal via a small antenna, used to send information over greater distances than tools that use other electromagnetic waves (e.g., infrared). RFID tags are sometimes implemented to track the location of objects, such as inventory moving through a commercial checkpoint.
  • RSA (Rivest-Shamir-Adleman): One of the oldest public-key cryptosystems, the strength of which derives from the difficulty of factoring products of large prime numbers.
  • SDK (Software Development Kit): A collection of tools for developing software applications with respect to particular platform or system requirements, such as those required for Android or iOS apps.
  • SDLC (Software Development Life Cycle): The ongoing and iterative process for building software, spanning stages like designing, developing, testing, and reviewing.
  • SHA (Secure Hash Algorithm): A suite of cryptographic hash functions adopted by the National Institute of Standards and Technology.
  • SSL (Secure Sockets Layer): Deprecated cryptographic protocol that was often used for securing websites, email, and other communications. Its successor is Transport Layer Security.
  • TADPF (Trans-Atlantic Data Privacy Framework): Announced agreement to support EU-U.S. data flows that uphold both regions’ privacy expectations. As of April 1, 2022, it is an in-principle agreement, not yet providing details on its implementation.
  • TCF (Transparency and Consent Framework): A system developed by the Interactive Advertising Bureau to power real-time bidding on advertising through processes like signalling users’ consent preferences to vendors.
  • TLS (Transport Layer Security): Cryptographic protocol most commonly known for website security, the successor to the deprecated Secure Sockets Layer.
  • UA (User Agent): Short for “User Agent string,” information sent by a browser that communicates which browser is being used, the device it’s being used on, and the version of the browser.
  • UUID (Universally Unique Identifier): 128-bit value used in software and encryption as a distinct label.
  • VPN (Virtual Private Network): A network layered over a public network so that parties can exchange information as if they were connected by a private network.
  • ZKP (Zero-Knowledge Proof, or Zero-Knowledge Protocol): A cryptographic process by which someone can prove to a distinct verifier that a given statement is true, without revealing any information to the verifier or the broader world besides the truth of the statement. At a high level, it is a means of enforcing honesty with minimal privacy leakage; its applications include authentication and blockchain transactions.
