With an ever-growing list of acronyms, the world of data privacy can feel a little like alphabet soup whether you’re a newcomer or a privacy pro. Data privacy is a complex field, but the vocab does not need to be overwhelming. To bring genuine data privacy to more businesses and users, we believe that a little education goes a long way.

We curate this running Acronym Resource where you can find all data privacy abbreviations from A – Z in a single, central location. Bookmark this page for handy reference — we regularly update the list with new terms and link more resources. Check out our Latest Updates section if you just need a quick refresher on any new terms from the past couple of weeks.




Latest Updates


  • April 9, 2021: We added ePR to the “Pending Legislation” section. We added IAPP to the “Organizations and Roles” section. We added BCR to the “Activities” section.
  • March 19, 2021: We added CPPA, OPC, and FDPIC to the “Organizations and Roles” section.

Laws

These measures are either in effect, or already passed and approaching the start of their enforcement period.


BIPA Biometric Information Privacy Act

State privacy law in Illinois governing how businesses can handle users’ biometric information, effective since 2008.

CCPA California Consumer Privacy Act

State privacy law in California, effective since 2020 and to be followed by the CPRA in 2023.

CDPA Consumer Data Protection Act

State privacy law in Virginia, going into effect in 2023.

COPPA Children’s Online Privacy Protection Act

Federal rule in the United States that regulates how online services can handle the personal information of children under 13 years of age.

CPRA California Privacy Rights Act

Upcoming state privacy law in California to replace the CCPA in 2023.

DPA Data Protection Act

Federal privacy act in the United Kingdom, effective since 2018.

GDPR General Data Protection Regulation

Privacy law for the European Union, effective since 2018.

GLBA Gramm-Leach-Bliley Act

Federal statute in the United States that, among other measures, requires financial organizations to disclose their data safeguards to their users; effective since 1999.

HIPAA Health Insurance Portability and Accountability Act

Federal medical privacy law in the United States governing protections for patients’ health information.

LGPD Lei Geral de Proteção de Dados Pessoais (Portuguese for General Personal Data Protection Law)

Data privacy law in Brazil, effective since 2020 with sanctions for violations starting in 2021.

NPICIC Nevada Privacy of Information Collected on the Internet from Consumers Act

State privacy law in Nevada for websites’ privacy policies, effective in its amended form since 2019.

PIPEDA Personal Information Protection and Electronic Documents Act

Federal privacy law in Canada, effective since 2000.

POPI Protection of Personal Information Act

Federal privacy act in South Africa, effective since 2020.


Pending Legislation

These measures are under consideration but not yet passed.


ePR ePrivacy Regulation

Proposed EU regulation with specific privacy guidelines for electronic communications, presented in 2017.

PDP Personal Data Protection Bill

Federal privacy bill in India, presented in 2019.

PIPL Personal Information Protection Law

Federal privacy bill in China, presented in 2020.


Organizations and Roles


AEPD Agencia Española de Protección de Datos (Spanish for Spanish Data Protection Agency)

Spanish agency responsible for upholding data privacy law in the country.

ANPD Autoridade Nacional de Proteção de Dados (Portuguese for National Data Protection Authority)

Brazilian agency responsible for upholding data privacy law in the country.

CDPO Certification des compétences du DPO

Individual certified by the International Association of Privacy Professionals to practice privacy in accordance with France’s CNIL agency.

CIPM Certified Information Privacy Manager

Title for an individual certified by the International Association of Privacy Professionals to build privacy into operations, e.g. audits and risk management.

CIPP Certified Information Privacy Professional

Title for an individual certified by the International Association of Privacy Professionals to practice privacy in legal and compliance settings.

CIPT Certified Information Privacy Technologist

Title for an individual certified by the International Association of Privacy Professionals to build privacy into engineering and IT functions.

CJEU Court of Justice of the European Union

Judicial body charged with interpreting and applying EU law in EU member countries.

CNIL Commission Nationale de l’Informatique et des Libertés (French for National Commission on Informatics and Liberty)

French agency responsible for upholding data privacy law in the country.

CNPD Commission Nationale pour la Protection des Données (French for National Data Protection Commission)

Luxembourgish agency responsible for upholding data privacy law in the country.

CPPA California Privacy Protection Agency

Agency responsible for implementing and enforcing the CPRA in California, beginning in 2023.

DPA Data Protection Authority

Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; a legacy term for ISA.

DPO Data Protection Officer

Point-person for a company’s privacy compliance and training under GDPR.

EDPB European Data Protection Board

Independent organization for implementing data protection regulations in the EU, working in concert with DPAs and the EDPS.

EDPS European Data Protection Supervisor

Independent authority in the EU charged with overseeing how EU entities process personal data.

FDPIC Federal Data Protection and Information Commissioner

Switzerland’s data protection authority.

IAPP International Association of Privacy Professionals

Organization that conducts research, creates resources, and provides professional development among privacy professionals; body that grants certifications like CIPM, CIPP, and CIPT.

ISA Independent Supervisory Authority

Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; GDPR’s updated term for DPA.

OPC Office of the Privacy Commissioner

New Zealand’s agency for upholding privacy law in the country.

PCPD Privacy Commissioner for Personal Data

Hong Kong agency responsible for upholding data privacy law in the country.

PIPC Personal Information Protection Commission

South Korean agency responsible for upholding data privacy law in the country.

PPA Privacy Protection Agency

Enforcement agency under California’s CPRA.


Activities


BCR Binding Corporate Rule

Policy for data protection applying to EU companies that transfer EU residents’ personal data outside of the EU.

DPA Data Processing Agreement

Agreement between parties that share EU citizens’ personal data, as required under GDPR.

DPIA Data Protection Impact Assessment

Risk evaluation carried out for a data processing activity, legally required in certain cases under Virginia’s CDPA and the EU’s GDPR.

DSR, DSAR, SAR Data Subject Request

A consumer’s request to a business to access, delete, or not sell the personal information that the business holds on them. The activities covered under a DSR depend on the applicable law.

ETL Extract, Transform, Load

General data management term for the process of combining data from multiple sources.

MFA, 2FA Multi-Factor Authentication (aka 2FA for 2-Factor Authentication)

Process of verifying identity through more than one mechanism, e.g. sending a code to a user’s phone after they have entered their password.

RoPA Record of Processing Activities

Inventory of how, why, and with whom a business handles EU citizens’ personal data, as required under GDPR.

SCC Standard Contractual Clause

Legal mechanism for sharing the personal data of European Economic Area citizens with entities outside of the European Economic Area.


Concepts and Tools


GTM Google Tag Manager

System for web developers to manage user tracking on their businesses’ websites.

LDU Limited Data Use

Feature offered by Facebook in 2020 to businesses, aiming to limit businesses’ collection of Californians’ personal information in order for them to comply with the CCPA.

PbD Privacy By Design

Framework for building privacy into the design of technologies.

PET Privacy Enhancing Technologies

Tools designed to strengthen users’ privacy and to use minimal amounts of personal information, e.g. pseudonymization.

PII Personally Identifiable Information

Information that could reasonably identify a unique individual; different regulations have different designations of what pieces of information are considered personally identifiable.

RbAC Role-based Access Control

Security and privacy framework with permissions assigned according to personnel’s specific roles.

RTBF Right to Be Forgotten

Data right under some privacy laws, in which an individual can request that their personal information be removed from certain databases; sometimes used to refer to GDPR’s right to erasure.

UUID Universally Unique Identifier

128-bit value used in software and encryption as a distinct label.
