Data Privacy Acronym List
With an ever-growing list of acronyms, the world of data privacy can feel a little like alphabet soup whether you’re a newcomer or a privacy pro. Data privacy is a complex field, but the vocab does not need to be overwhelming. To bring genuine data privacy to more businesses and users, we believe that a little education goes a long way.
We curate this running Acronym Resource where you can find all data privacy abbreviations from A – Z in a single, central location. Bookmark this page for handy reference — we regularly update the list with new terms and link more resources. Check out our Latest Updates section if you just need a quick refresher on any new terms from the past couple of weeks.
Table of Contents
Latest Updates
- July 2, 2021: We added PIPA to the “Laws” section. We added DMA to the “Pending Legislation” section. We added FHE, FIPPs, and PHE to the “Concepts and Tools” section. We updated POPI(A) in the “Laws” section as well as PIPL in the “Pending Legislation” section.
- June 14, 2021: We added IDFA, MPC, and PRA to the “Concepts and Tools” section.
- May 21, 2021: We added FISA to the “Laws” section. We added E2E(E), IoT, and UA to the “Concepts and Tools” section.
- April 30, 2021: We added CARU, DPC, FTC, ICO and NIST to the “Organizations and Roles” section. We added ATT and FLoC to the “Concepts and Tools” section.
- April 9, 2021: We added ePR to the “Pending Legislation” section. We added IAPP to the “Organizations and Roles” section. We added BCR to the “Activities” section.
- March 19, 2021: We added CPPA, FPIC, and OPC to the “Organizations and Roles” section.
Laws
These measures are either in effect, or already passed and approaching the start of their enforcement period.
| BIPA |
Biometric Information Privacy Act State privacy law in Illinois governing how businesses can handle users’ biometric information, effective since 2008. |
| CCPA |
California Consumer Privacy Act State privacy law in California, effective since 2020 and to be followed by the CPRA in 2023. |
| CDPA |
Consumer Data Protection Act State privacy law in Virginia, going into effect in 2023. |
| COPPA |
Children’s Online Privacy Protection Act Federal rule in the United States that regulates how online services can handle the personal information of children under 13 years of age. |
| CPRA |
California Privacy Rights Act Upcoming state privacy law in California to replace the CCPA in 2023. |
| DPA |
Data Protection Act Federal privacy act in the United Kingdom, effective since 2018. |
| FISA |
Foreign Intelligence Surveillance Act Federal law in the US, effective since 1978, that establishes processes for surveillance of communications, a provision that has been an ongoing point of contention in international data-transfer negotiations, especially between the US and the EU. |
| GDPR |
General Data Protection Regulation Privacy law for the European Union, effective since 2018. |
| GLBA |
Gramm-Leach-Bliley Act Federal statute in the United States that, among other measures, requires financial organizations to disclose their data safeguards to their users; effective since 1999. |
| HIPAA |
Health Insurance Portability and Accountability Act Federal medical privacy law in the United States governing protections for patients’ health information. |
| LGPD |
Lei Geral de Proteção de Dados Pessoais (Portuguese for General Personal Data Protection Law) Data privacy law in Brazil, effective since 2020 with sanctions for violations starting in 2021. |
| NPICIC |
Nevada Privacy of Information Collected on the Internet from Consumers Act State privacy law in Nevada for websites’ privacy policies, effective in its amended form since 2019. |
| PIPEDA |
Personal Information Protection and Electronic Documents Act Federal privacy law in Canada, effective since 2000. |
| PIPA |
Personal Information Protection Act Federal data protection law in Japan, effective since 2005, sometimes referred to as the Personal Information Protection Law (PIPL). See also: China’s draft Personal Information Protection Law (PIPL) in the Pending Legislation section. |
| POPI(A) |
Protection of Personal Information Act Federal privacy act in South Africa, effective since 2020. |
Pending Legislation
These measures are under consideration but not yet passed.
| DMA |
Digital Markets Act Proposed EU legislation that aims to address unfair business practices among large providers of digital services, including through regulation of end-user profiling, presented in 2020. |
| ePR |
ePrivacy Regulation Proposed EU regulation with specific privacy guidelines for electronic communications, presented in 2017. |
| PDP |
Personal Data Protection Bill Federal privacy bill in India, presented in 2019. |
| PIPL |
Personal Information Protection Law Federal privacy bill in China, presented in 2020. See also: Japan’s Personal Information Protection Act (PIPA), sometimes referred to as the Personal Information Protection Law (PIPL), in the Laws section. |
Organizations and Roles
| AEPD |
Agencia Española de Protección de Datos (Spanish for Spanish Data Protection Agency) Spanish agency responsible for upholding data privacy law in the country. |
| ANPD |
Autoridade Nacional de Proteção de Dados (Portuguese for National Data Protection Authority) Brazilian agency responsible for upholding data privacy law in the country. |
| CARU |
Children’s Advertising Review Unit US agency responsible for regulating advertising as it relates to children under the age of 12. |
| CDPO |
Certification des compétences du DPO Individual certified by the International Association of Privacy Professionals to practice privacy in accordance with France’s CNIL agency |
| CIPM |
Certified Information Privacy Manager Title for an individual certified by the International Association of Privacy Professionals to build privacy into operations, e.g., audits and risk management. |
| CIPP |
Certified Information Privacy Professional Title for an individual certified by the International Association of Privacy Professionals to practice privacy in legal and compliance settings. |
| CIPT |
Certified Information Privacy Technologist Title for an individual certified by the International Association of Privacy Professionals to build privacy into engineering and IT functions.. |
| CJEU |
Court of Justice of the European Union Judicial body charged with interpreting and applying EU law in EU member countries. |
| CNIL |
Commission National de l’Informatique et des Libertés (French for National Commission on Informatics and Liberty) French agency responsible for upholding data privacy law in the country. |
| CNPD |
Commission Nationale pour la Protection des Données (French for National Data Protection Commission) Luxembourgish agency responsible for upholding data privacy law in the country. |
| CPPA |
California Privacy Protection Agency Agency responsible for implementing and enforcing the CPRA in California, beginning in 2023. |
| DPA |
Data Protection Authority Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; a legacy term for ISA. |
| DPC |
Data Protection Commission Ireland’s agency for upholding privacy law in the country, notably including Facebook’s EU base in Dublin. |
| DPO |
Point-person for a company’s privacy compliance and training under GDPR. |
| EDPB |
European Data Protection Board Independent organization for implementing data protection regulations in the EU, working in concert with DPAs and the EDPS. |
| EDPS |
European Data Protection Supervisor Independent authority in the EU charged with overseeing how EU entities process personal data. |
| FDPIC |
Federal Data Protection and Information Commissioner Switzerland’s data protection authority. |
| FTC |
Federal Trade Commission US federal agency responsible for enforcing regulations pertaining to consumer protection and market competition. |
| IAPP |
International Association of Privacy Professionals Organization that conducts research, creates resources, and provides professional development among privacy professionals; body that grants certifications like CIPM, CIPP, and CIPT. |
| ICO |
Information Commissioner’s Office United Kingdom’s agency for upholding privacy law in the country. |
| ISA |
Independent Supervisory Authority Independent authority in an EU member country that oversees the application of GDPR and relevant country-specific laws; GDPR’s updated term for DSA. |
| NIST |
National Institute of Standards and Technology US federal agency that sets guidelines for innovation across technical fields and establishes frameworks for cybersecurity and privacy. |
| OPC |
Office of the Privacy Commissioner New Zealand’s agency for upholding privacy law in the country. |
| PCPD |
Privacy Commissioner for Personal Data Hong Kong agency responsible for upholding data privacy law in the country. |
| PIPC |
Personal Information Protection Commission South Korean agency responsible for upholding data privacy law in the country. |
| PPA |
Privacy Protection Agency Enforcement agency under California’s CPRA. |
Activities
| BCR |
Binding Corporate Rule Policy for data protection applying to EU companies that transfer EU residents’ personal data outside of the EU. |
| DPA |
Data Processing Agreement Agreement between parties that share EU citizens’ personal data , as required under GDPR. |
| DPIA |
Data Protection Impact Assessment Risk evaluation carried out for a data processing activity, legally required in certain cases under Virginia’s CDPA and the EU’s GDPR. |
| DSR, DSAR, SAR |
A consumer’s request to a business to access, delete, or not sell the personal information that the business holds on them. The activities covered under a DSR depend on the applicable law. |
| ETL |
Extract, Transform, Load General data management term for the process of combining data from multiple sources. |
| IDFA |
Identifier for Advertisers A unique device identifier for targeting users for advertising purposes, and advertisers’ access to such identifiers on Apple’s mobile devices now requires explicit user consent following the iOS 14.5 update. |
| MFA, 2FA |
Multi-Factor Authentication (aka 2FA for 2-Factor Authentication) Process of verifying identity through more than one mechanism, e.g., sending a code to a user’s phone after they have entered their password. |
| MPC |
Multi-Party Computation Cryptography practice in which multiple parties run computations while their inputs are kept private from one another. |
| PRA |
Private Right of Action A right granted under certain laws by which individuals, rather than a government entity like the Attorney General’s office, can sue an organization for violating the law. |
| RoPA |
Record of Processing Activities Inventory of how, why, and with whom a business handles EU citizens’ personal data, as required under GDPR. |
| SCC |
Standard Contractual Clause Legal mechanism for sharing the personal data of European Economic Area’s citizens with entities outside of the European Economic Area. |
Concepts and Tools
| ATT |
App Tracking Transparency Anti-tracking feature from Apple, rolled out with the 2021 iOS 14.5 update, which requires apps to receive an iPhone user’s explicit consent in order to track the user’s unique advertising identifier. |
| E2E(E) |
End-to-End (Encryption) An encryption practice in which the cryptographic keys needed to read a message are only accessible at the endpoints of the communication: the sender and the receiver, to the exclusion of intermediate parties such as service providers. |
| FHE |
Fully Homomorphic Encryption Encryption practice which allows an arbitrary number of computations on the encrypted data. |
| FIPPs |
Fair Information Practice Principles Privacy framework that has shaped privacy legislation as well as privacy engineering initiatives, a predecessor more modern approaches like Privacy by Design (PbD). |
| FLoC |
Federated Learning of Cohorts One of Google’s proposed alternatives to cookies for individualized third-party tracking on its Chrome browser, relying on tracking users in groups rather than as individuals. |
| GTM |
Google Tag Manager System for web developers to manage user tracking on their businesses’ websites. |
| IoT |
Internet of Things The interconnected network of devices embedded with computing and sensing abilities, particularly in contexts such as the home or workplace with devices that might not resemble computers in a traditional sense, e.g., a home thermostat with internet connectivity. |
| LDU |
Feature offered by Facebook in 2020 to businesses, aiming to limit businesses’ collection of Californians’ personal information in order for them to comply with the CCPA. |
| PbD |
Framework for building privacy into the design of technologies. |
| PET |
Privacy Enhancing Technologies Tools designed to strengthen users’ privacy and to use minimal amounts of personal information, e.g., pseudonymization. |
| PHE |
Partially Homomorphic Encryption Encryption practice which allows a single computation on the encrypted data. |
| PII |
Personally Identifiable Information Information that could reasonably identify a unique individual; different regulations have different designations of what pieces of information are considered personally identifiable. |
| RbAC |
Role-based Access Control Security and privacy framework with permissions assigned according to personnels’ specific roles. |
| RTBF |
Right to Be Forgotten Data right under some privacy laws, in which an individual can request that their personal information be removed from certain databases; sometimes used to refer to GDPR’s right to erasure. |
| UA |
User Agent Short for “User Agent string,” information on a browser that communicates which browser is being used, the device it’s being used on, and the version of the browser. |
| UUID |
Universally Unique Identifier 128-bit value used in software and encryption as a distinct label. |