With an ever-growing list of acronyms, the world of data privacy can feel a little like alphabet soup whether you’re a newcomer or a privacy pro. Data privacy is a complex field, but the vocab does not need to be overwhelming. To bring genuine data privacy to more businesses and users, we believe that a little education goes a long way.
We curate this running Acronym Resource where you can find all data privacy abbreviations from A – Z in a single, central location. Bookmark this page for handy reference — we regularly update the list with new terms and link more resources. Check out our Latest Updates section if you just need a quick refresher on any new terms from the past couple of weeks.
Latest Updates
- April 9, 2021: We added ePR to the “Pending Legislation” section. We added IAPP to the “Organizations and Roles” section. We added BCR to the “Activities” section.
- March 19, 2021: We added CPPA, OPC, and FDPIC to the “Organizations and Roles” section.
Laws
These measures are either in effect, or already passed and approaching the start of their enforcement period.
BIPA | Biometric Information Privacy Act
State privacy law in Illinois governing how businesses can handle users’ biometric information, effective since 2008. |
CCPA | California Consumer Privacy Act
State privacy law in California, effective since 2020 and to be followed by the CPRA in 2023. |
CDPA | Consumer Data Protection Act
State privacy law in Virginia, going into effect in 2023. |
COPPA | Children’s Online Privacy Protection Act
Federal rule in the United States that regulates how online services can handle the personal information of children under 13 years of age. |
CPRA | California Privacy Rights Act
Upcoming state privacy law in California to replace the CCPA in 2023. |
DPA | Data Protection Act
Federal privacy act in the United Kingdom, effective since 2018. |
GDPR | General Data Protection Regulation
Privacy law for the European Union, effective since 2018. |
GLBA | Gramm-Leach-Bliley Act
Federal statute in the United States that, among other measures, requires financial organizations to disclose their data safeguards to their users; effective since 1999. |
HIPAA | Health Insurance Portability and Accountability Act
Federal medical privacy law in the United States governing protections for patients’ health information. |
LGPD | Lei Geral de Proteção de Dados Pessoais (Portuguese for General Personal Data Protection Law)
Data privacy law in Brazil, effective since 2020 with sanctions for violations starting in 2021. |
NPICIC | Nevada Privacy of Information Collected on the Internet from Consumers Act
State privacy law in Nevada for websites’ privacy policies, effective in its amended form since 2019. |
PIPEDA | Personal Information Protection and Electronic Documents Act
Federal privacy law in Canada, effective since 2000. |
POPI | Protection of Personal Information Act
Federal privacy act in South Africa, effective since 2020. |
Pending Legislation
These measures are under consideration but not yet passed.
ePR | ePrivacy Regulation
Proposed EU regulation with specific privacy guidelines for electronic communications, presented in 2017. |
PDP | Personal Data Protection Bill
Federal privacy bill in India, presented in 2019. |
PIPL | Personal Information Protection Law
Federal privacy bill in China, presented in 2020. |
Organizations and Roles
AEPD | Agencia Española de Protección de Datos (Spanish for Spanish Data Protection Agency)
Spanish agency responsible for upholding data privacy law in the country. |
ANPD | Autoridade Nacional de Proteção de Dados (Portuguese for National Data Protection Authority)
Brazilian agency responsible for upholding data privacy law in the country. |
CDPO | Certification des compétences du DPO
Individual certified by the International Association of Privacy Professionals to practice privacy in accordance with France’s CNIL agency. |
CIPM | Certified Information Privacy Manager
Title for an individual certified by the International Association of Privacy Professionals to build privacy into operations, e.g. audits and risk management. |
CIPP | Certified Information Privacy Professional
Title for an individual certified by the International Association of Privacy Professionals to practice privacy in legal and compliance settings. |
CIPT | Certified Information Privacy Technologist
Title for an individual certified by the International Association of Privacy Professionals to build privacy into engineering and IT functions. |
CJEU | Court of Justice of the European Union
Judicial body charged with interpreting and applying EU law in EU member countries. |
CNIL | Commission Nationale de l’Informatique et des Libertés (French for National Commission on Informatics and Liberty)
French agency responsible for upholding data privacy law in the country. |
CNPD | Commission Nationale pour la Protection des Données (French for National Data Protection Commission)
Luxembourgish agency responsible for upholding data privacy law in the country. |
CPPA | California Privacy Protection Agency
Agency responsible for implementing and enforcing the CPRA in California, beginning in 2023. |
DPA | Data Protection Authority
Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; a legacy term for ISA. |
DPO | Data Protection Officer
Point-person for a company’s privacy compliance and training under GDPR. |
EDPB | European Data Protection Board
Independent organization for implementing data protection regulations in the EU, working in concert with DPAs and the EDPS. |
EDPS | European Data Protection Supervisor
Independent authority in the EU charged with overseeing how EU entities process personal data. |
FDPIC | Federal Data Protection and Information Commissioner
Switzerland’s data protection authority. |
IAPP | International Association of Privacy Professionals
Organization that conducts research, creates resources, and provides professional development among privacy professionals; body that grants certifications like CIPM, CIPP, and CIPT. |
ISA | Independent Supervisory Authority
Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; GDPR’s updated term for DPA. |
OPC | Office of the Privacy Commissioner
New Zealand’s agency for upholding privacy law in the country. |
PCPD | Privacy Commissioner for Personal Data
Hong Kong agency responsible for upholding data privacy law in the country. |
PIPC | Personal Information Protection Commission
South Korean agency responsible for upholding data privacy law in the country. |
PPA | Privacy Protection Agency
Enforcement agency under California’s CPRA. |
Activities
BCR | Binding Corporate Rule
Policy for data protection applying to EU companies that transfer EU residents’ personal data outside of the EU. |
DPA | Data Processing Agreement
Agreement between parties that share EU citizens’ personal data, as required under GDPR. |
DPIA | Data Protection Impact Assessment
Risk evaluation carried out for a data processing activity, legally required in certain cases under Virginia’s CDPA and the EU’s GDPR. |
DSR, DSAR, SAR | Data Subject Request
A consumer’s request to a business to access, delete, or not sell the personal information that the business holds on them. The activities covered under a DSR depend on the applicable law. |
ETL | Extract, Transform, Load
General data management term for the process of combining data from multiple sources. |
MFA, 2FA | Multi-Factor Authentication (aka 2FA for 2-Factor Authentication)
Process of verifying identity through more than one mechanism, e.g. sending a code to a user’s phone after they have entered their password. |
RoPA | Record of Processing Activities
Inventory of how, why, and with whom a business handles EU citizens’ personal data, as required under GDPR. |
SCC | Standard Contractual Clause
Legal mechanism for sharing the personal data of European Economic Area citizens with entities outside of the European Economic Area. |
Concepts and Tools
GTM | Google Tag Manager
System for web developers to manage user tracking on their businesses’ websites. |
LDU | Limited Data Use
Feature offered by Facebook in 2020 to businesses, aiming to limit businesses’ collection of Californians’ personal information in order for them to comply with the CCPA. |
PbD | Privacy By Design
Framework for building privacy into the design of technologies. |
PET | Privacy Enhancing Technologies
Tools designed to strengthen users’ privacy and to use minimal amounts of personal information, e.g. pseudonymization. |
PII | Personally Identifiable Information
Information that could reasonably identify a unique individual; different regulations have different designations of what pieces of information are considered personally identifiable. |
RbAC | Role-based Access Control
Security and privacy framework with permissions assigned according to personnel’s specific roles. |
RTBF | Right to Be Forgotten
Data right under some privacy laws, in which an individual can request that their personal information be removed from certain databases; sometimes used to refer to GDPR’s right to erasure. |
UUID | Universally Unique Identifier
128-bit value used in software and encryption as a distinct label. |