Legislator Privacy Guide and Glossary of Privacy Terms

Abbie Gruwell 11/12/2021


Personal data is the new frontier for regulation in security, consumer advertising, and civil liberties. The rise of the data economy has policymakers, industry experts, economists and consumers considering the implications of data privacy policies on business and society.

The growth in connectivity has greatly increased the amount of personally identifiable information consumers generate and share with businesses, advertisers, and other third parties. With new laws in many states and the international standard of the General Data Protection Regulation (GDPR), businesses and governments are now being required to adjust to a more complex regulatory regime. New policies will define how consumers protect their data and how businesses and governments operate in the future.

The NCSL Privacy Work Group was developed as a sub-group of the Task Force on Cybersecurity to connect and educate legislators on issues such as consumer data privacy, algorithms, government data usage, transparency, big data, law enforcement issues, and intersections between data privacy and cybersecurity.

This product serves as a guide for legislators who are considering privacy legislation in their state. Privacy legislation can be complex, with states taking a variety of approaches and legislation changing significantly over time. However, some trends have emerged, and this guide attempts to provide legislators with a basic understanding of privacy frameworks, policy considerations, and common term definitions. NCSL will continue to play a significant role in guiding states on principles to consider when crafting privacy policy and advocating for state sovereignty at the federal level.

The guide first discusses common provisions in the enacted state comprehensive privacy laws in California, Colorado and Virginia and discusses compliance considerations. The guide then provides descriptions of common terms and definitions found both in enacted privacy legislation and in legislation introduced in 2021, and notes those that are substantially similar to one another.

This guide and glossary were written and compiled by Abbie Gruwell, former Sr. Committee Director, NCSL. NCSL is grateful to the members and sponsors of NCSL's Privacy Work Group who provided feedback and suggestions for improvement. However, the members of the NCSL Privacy Work Group and its sponsors do not endorse any particular policy contained in this guide, and the options included here do not imply endorsement by NCSL. Susan Frederick and Pam Greenberg, NCSL staff to the Privacy Work Group, also contributed to the document.

The glossary near the end of this guide provides greater detail about terms and definitions frequently used in privacy legislation. Use CTRL-F to search within each section. 

Privacy Legislation Basics

Many privacy laws contain substantially similar provisions, and some states have drawn inspiration from one or more other states when crafting their legislation. However, each state’s approach is unique, and when considering new consumer privacy laws in a jurisdiction, it is important to tailor these provisions to the jurisdiction’s unique needs.

The conversation around privacy frameworks often centers around the rights of the consumer, which can be numerous – the right to copy, access, and correct; the right to delete or transfer personal data; the right to opt-out of the sale or limit the use of personal data; and the right to non-discrimination are a few. States are now also focusing on broader data management principles like purpose and use limits, minimization, and even retention disclosures. In Virginia, controllers must limit the collection of data to only what is “adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed,” and some states, like Colorado, list specific processing purposes. These purposes generally still require the consent of the consumer, but some allowances are made in certain states for purposes that are reasonably compatible with the disclosed purpose.

New considerations have emerged in recent legislation, such as addressing consumer privacy in automated decision-making. Terminology like “decisions that produce legal or similarly significant effects concerning a consumer” has appeared in Virginia, Colorado, North Carolina, Connecticut, and other states, which address data processing decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.

Common Components of State Laws

State laws referenced in this section include the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §§ 1798.100 et seq.; the California Consumer Privacy Rights Act (CPRA) Proposition 24 (approved Nov. 2020); the Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq. (2021 SB 190); and the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 (2021 HB 2307/2021 SB 1392).

Covered entities

Generally, covered businesses and other entities are defined either by revenue thresholds, data volume thresholds, or a requirement that the entity does business in the state. Many states have generally agreed on similar definitions of terms like “processor” and “controller” that are critical to determining requirements for data handlers. In Virginia, certain government entities are exempt.

Protected consumers

States have varied in their approach to who is protected by their privacy law. For instance, some states specifically carve out job applicants, employees, and contractors from being covered by the data handling requirements.

Personal data

Personal data, or personally identifiable data, can be construed narrowly or broadly to encompass various types of data, sometimes including things like a consumer’s name, address, geolocation data, preferences, biometric information, and telephone number.

Many states make an exception for pseudonymized, deidentified, or publicly available information. Other types of data that may be exempt or treated differently include employee data, aggregate data, household data, and activities protected by the First Amendment. Several states provide carve-outs for business-to-business transactions, or data that is already regulated under federal law. In some cases “sensitive data” is defined and regulated more strictly than other types of data.

Actions that trigger compliance

How a state defines the actions taken by a business or third party, such as “sale,” has a significant impact on how broadly the statute will be applied. Collection, use, disclosure, transfer, and other actions, whether for monetary or other consideration (depending on the state) may also trigger an entity to fall under the purview of the statute.

Consent requirements

A state’s approach to opt-in, opt-out, global opt-out, and other consent regimes has evolved significantly over the past several years. Many states have adopted the same general requirement for a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement” to the processing of their data.

Delayed implementation date

All current state privacy laws include delayed effective dates to provide time for covered entities to ensure they are able to comply with new requirements and allow the state to develop its enforcement mechanisms. For example, the Colorado Privacy Act includes an implementation date of July 1, 2023; the CPRA and Virginia Consumer Data Protection Act will go into effect on January 1, 2023.

Covered entity’s right to cure violations

Some privacy legislation provides businesses with the opportunity to remedy violations before they suffer punitive action. These provisions can reduce litigation but may come with the added cost to the state of notifying businesses of violations and overseeing the cure process. A right to cure provision may require a state to consider its capacity to oversee enforcement.

Consumer rights

  • Right to access, confirm, and correct information
    Many privacy regulations give consumers the right to access, review, and correct personal information that is stored by a covered entity. Provisions that give consumers this right generally outline the process for requesting information and the time limit businesses have before they must respond to the request.
  • Right to delete information
    The provision gives protected consumers the right to have their personal data permanently erased by a covered business. Most privacy regulations that include a consumer right to delete information provide exceptions for situations in which deletion would be overly burdensome for the business.
  • Right to data portability
    In some cases, individuals may need to obtain and reuse their personal data for their own purposes between different service providers. The right to portability allows a consumer to move, copy, or transfer personal data easily without affecting the usability or security of the data.
  • Right to opt out
    A right to opt-out means that a consumer has the right to tell a business to stop selling their personal information. This right does not preclude all transfers of data to a third party, but generally precludes the transfer of a consumer’s personal information to a third party in exchange for consideration, monetary or otherwise. Consumers may also, in some states, opt out of targeted advertisements. While Virginia and Colorado allow an opt-out of certain types of profiling that have a significant impact on consumers, no state currently allows an opt-out of automated decision-making.

Notice and transparency

States are further emphasizing notice about the use of a consumer’s personal data. Certain specified disclosures may be required, such as categories of personal data collected, purposes for processing, how consumers can exercise their rights, categories of personal data shared with third parties, and categories of third parties with whom personal data is shared. Colorado, for example, requires a "reasonably accessible, clear, and meaningful privacy notice.”

Purpose, use and retention limits

Some states limit the allowed purposes of data processing and include proportionality and data minimization obligations. The CPRA requires the disclosure of retention periods and that personal information may not be used in a manner that is “incompatible with the disclosed purpose for which the personal information was collected” without notifying the consumer.

Privacy impact or data protection assessments

Colorado, California and Virginia are requiring data protection or privacy assessments that document processing, selling data, or other activities. These assessments often focus on high-risk data processing activities such as processing for targeted advertising or profiling, the sale of personal data, or processing of sensitive data.

Security requirements

Some states require data controllers to establish and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data maintained by the controller.

Less Common Components in Privacy Laws

Non-discrimination policy

Some privacy legislation includes non-discrimination policies. These policies are intended to protect consumers who exercise any rights that may be protected by the statute. In areas where covered businesses may own a substantial market share in their industry, non-discrimination policies can be useful to protect consumers from being removed from the market.

Data broker registration requirements

A few states, including California, define “data brokers” by the business’s relationship with consumers. The former two require them to register with or provide certain disclosures to the state. Nevada law requires that data brokers provide an opt-out.

Consumer’s right to private action

Privacy legislation may give consumers the right to sue a business that violates privacy policies. These provisions usually include a time limit for consumers to bring cases, as well as a limit on recovery and apportionment of attorney’s fees.

The searchable glossary near the end of this guide provides greater detail about terms and definitions frequently used in privacy legislation. 

Legislative Strategies

Many times, legislators can learn about successful outcomes from each other. Below are some tips from Virginia that may help bring a privacy bill across the finish line.

  1. Pick your sponsor in the other chamber. Does a member have an interest in privacy legislation? In Virginia, the Assembly sponsor, Del. Cliff Hayes, approached Sen. Dave Marsden because he has data centers in his district, which made him a natural choice.
  2. Run identical bills in both chambers to avoid a conference situation.
  3. Know who your stakeholders are and engage them early in the process. Buy-in is important.
  4. Address the thorny issues like private right of action. Virginia’s bill empowers the attorney general in this area.

Compliance Considerations

As states develop differing privacy frameworks, there are challenges inherent in the compliance landscape that may inform privacy legislation development. Balancing consumer protection and regulatory clarity is often an important consideration for legislators, and state leadership in privacy regulation serves as a deterrent for federal preemption.

Complying with the varied data privacy laws requires businesses to consider data inventories and management, treatment of employment-related and business-to-business data, data protection assessments, privacy policy language, consumer request procedures, security, third party relationships, common branding, and more. States often use exemptions and data volume or revenue thresholds to reduce the burden of these compliance requirements on small businesses or those that handle small amounts of personal data.

States may also consider costs of compliance for government. States may need to provide funding for enforcement agencies, as did California for the California Privacy Protection Agency. A private right of action may lead to higher associated court costs for increased case volume, but in some states may serve as an important consumer enforcement option.

Current state laws and 2021 bills provide examples of compliance considerations for lawmakers, such as:

Annual revenue or data volume thresholds determine whether an entity is covered

EXAMPLE: The CPRA raises the data volume requirement to businesses that control or process data for more than 100,000 consumers, over the CCPA’s 50,000.

Virginia’s data volume requirement covers businesses that control or process the personal data of more than 100,000 consumers in one year, and businesses that control or process the personal data of more than 25,000 consumers and derive over 50% of gross revenue from selling consumer data. The sale of data must be for monetary consideration.

Differing agencies, entities and individuals involved in enforcement

EXAMPLE: Many states place enforcement with the state Attorney General, but often have varying fees for violations. The Virginia Attorney General has exclusive enforcement authority, but in Colorado district attorneys have jurisdiction in addition to the attorney general.

Several states have considered, but not passed, a private right of action. The CPRA has a private right of action that is limited to certain types of security incidents attributable to a failure to maintain reasonable security.

The ULC Model Act includes a provision that allows an Attorney General to determine that a covered business complied with the privacy statute if the business can show that it complies with a comparable personal data protection law in another jurisdiction.

Some states have created new entities to oversee enforcement and official guidance.

Violations may trigger varied timelines to cure, fines, and investigations

EXAMPLE: The CPRA removed the CCPA’s 30-day period to cure before a fine is levied, whereas the Virginia law requires that the Attorney General provide a controller or processor with a 30-day written notice of a violation, and Colorado allows 60 days to cure if cure is “deemed possible.”

The Colorado and Virginia laws provide some protection for controllers and processors if a third party, controller, or processor that receives the personal data violates the law as long as they have no actual knowledge that the recipient intended to violate the requirements.

Standards for deidentification

EXAMPLE: Many states generally define de-identified data as “information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer,” but some add additional requirements that businesses with de-identified data must take certain measures to ensure that the data cannot be re-identified, like contractually obligating recipients of the information to comply with provisions of the law. Definitions for de-identification are derived from the Federal Trade Commission’s (FTC) three-part test laid out in its 2012 Privacy Framework.

Data controllers may be exempt from complying with consumer requests if 1) the data is de-identified and it would be unreasonably burdensome to associate the request with the personal data, 2) the controller does not use the data to recognize the consumer, and 3) the controller does not sell or disclose the personal data to any third party other than a processor. Virginia's law follows this framework.

Glossary of Privacy Terms

State privacy bills contain entirely disparate definitions as well as similar terms that are defined with some differences. Definitions are important because they dictate the applicability, legal duties, and the scope of legislation. Disparate definitions among states may create additional compliance challenges.

This glossary identifies terms used in enacted comprehensive state privacy legislation and prepares members to identify or create “best practices” to guide state lawmakers. Some states have not yet enacted comprehensive privacy legislation but have introduced bills to do so. Where appropriate, introduced but not yet passed bills whose definitions are similar to those in enacted legislation are noted. Other non-statutory glossaries or collections of definitions include the International Association of Privacy Professionals' Glossary of Privacy Terms.

Key to Abbreviations

Enacted and 2021 introduced comprehensive privacy bills are referenced in the definitions listed below. Abbreviations for enacted bills are shown in bold. Prevailing definitions are presented in italics. Notable deviations from the prevailing definitions are underlined.

Definitions listed in bold throughout this section are from the following states with enacted legislation:

  • CCPA – California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
  • CPRA – California Consumer Privacy Rights Act, Proposition 24 (approved Nov. 2020)
  • CO – Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq. (2021 SB 190)
  • VA – Virginia Consumer Data Protection Act, Va. Code § 59.1-575 (2021 HB 2307/2021 SB 1392)

Other comprehensive privacy bills introduced in 2021 referenced in this section are:

  • AL - Alabama Consumer Privacy Act, 2021 HB 216
  • AK - Alaska 2021 SB 116
  • AZ - Arizona 2021 HB 2865
  • CT - Connecticut 2021 SB 893
  • FL - Florida 2021 HB 969
  • IL - Illinois Consumer Privacy Act, 2021 HB 3910
  • KY - Kentucky 2021 HB 408
  • MA - Massachusetts Information Privacy Act, 2021 SD 1726
  • MD - Maryland 2021 SB 930
  • MN - Minnesota Consumer Data Privacy Act 2020-21 HF 1492
  • MS - Mississippi 2021 SB 2612
  • ND - North Dakota 2021 HB 1330
  • NY A - New York 2021-2022 A 680
  • NY 21 - New York 2021-2022 S 567
  • NYPA - New York 2021-2022 S 6701
  • NYPD - New York 2021-22 A 6042 (Digital Fairness Act)
  • NC - North Carolina 2021 SB 569 (North Carolina Consumer Privacy Act)
  • OH - Ohio 2021 HB 376 (Ohio Personal Privacy Act)
  • OK - Oklahoma 2021 HB 1602 (Oklahoma Computer Data Privacy Act)
  • PA - Pennsylvania 2021 HB 1126
  • TX - Texas 2021 HB 3741
  • UT - Utah 2021 SB 200
  • WPA 21 - Washington SB 5062 (Washington Privacy Act of 2021)
  • WPPA - Washington 2021-22 HB 1433 (Washington People’s Privacy Act)
  • ULC – Uniform Law Commission, October 16-17, 2020 Draft – “Collection and Use of Personally Identifiable Data Act" (Note: Some ULC definitions included here may differ from the ULC's final "Uniform Personal Data Protection Act.") 

Note: Bills were reviewed in spring/summer 2021. Definitions in the bills above may have changed in subsequent versions. 

Use CTRL-F to search within this section.

Terms/Definitions

1. “Advertising and marketing,” “advertisement”

CCPA, CPRA – “Advertising and marketing” means a communication by a business or a person acting on the business’ behalf in any medium intended to induce a consumer to obtain goods, services, or employment.

2. "Affiliate"

VA, MN, NC, OH, WPA 21, CT – "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity [NC, OH, CT – or shares common branding with another legal entity]. For the purposes of this definition, "control" or "controlled" means (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise controlling influence over the management of a company.

CO – “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in this subsection, "control" means (a) ownership of, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more persons; (b) control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or (c) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined in 12 U.S.C. SEC. 5481 (24).

3. "Aggregate consumer information,” “aggregated data”

CPRA, CCPA, AL, AK, FL – "Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer [or household], including via a device. "Aggregate consumer information" does not mean [one or more] individual consumer records that have been de-identified.

4. "Authenticate"

VA, CO, NC, MN, CT, WPA 21 – "Authenticate" means verifying through reasonable means that the consumer, entitled to exercise his consumer rights in --, is the same consumer [CO, MN – or on behalf of] exercising such consumer rights with respect to the personal data at issue.

5. “Biometric information,” “biometric data”

VA, NC, CT – "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. "Biometric data" does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

CPRA, CCPA, AL, NY 21, FL – "Biometric Information" means an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or intended to be used, singly or in combination with each other or with other identifying data, to establish individual Identity. Biometric Information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain Identifying Information.

WA - “Biometric identifier” is defined as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual.

6. “Business”

CCPA, CPRA, NY 21, PA, AK, FL (substantially similar) – “Business” means:

  • A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state, and that satisfies one or more of the following thresholds:
  • Has annual gross revenues in excess of twenty-five million dollars ($25,000,000) [PA – ten million dollars].
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 [CPRA, AK – 100,000] or more consumers, households, or devices.
  • [AK – sold the personal information of a consumer, household, or device in the last 365 days]
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  • Any entity that controls or is controlled by a business as defined in paragraph and that shares common branding with the business [CPRA - and with whom the business shares consumers' personal information]. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
  • [CPRA - A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.
  • A person that does business in California, that is not covered by paragraphs (1), (2), or (3) and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.]

7. “Business associate"

VA, CO, NC, CT, NYPA, WPA 21 – "Business associate" has the same meaning as in HIPAA.

8. "Business purpose"

CPRA, CCPA, NY 21, AL, AK, FL (substantially similar) – "Business purposes" means the use of personal information for the business' or a service provider's operational purposes, or other notified purposes; provided, that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information is collected or processed or for another operational purpose that is compatible with the context in which the personal information is collected. Business purposes shall include:

  • Auditing related to a [CCPA - current interaction with the consumer and concurrent transactions], including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards,
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for such activity [CPRA – Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes],
  • [Debugging to identify and repair errors that impair existing intended functionality],
  • Short-term transient use, [CPRA - including but not limited to non-personalized advertising shown as part of a consumer's current interaction with the business] provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction,
  • Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services or providing similar services on behalf of the business or service provider,
  • [CPRA - Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal Information of opted-out consumers which the service provider or contractor receives from or on behalf of the business with personal Information which the service provider or contractor receives from or on behalf of another person or persons, or collects from its own Interaction with consumers.]
  • Undertaking internal research for technological development and demonstration, and
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for or controlled by the business, and to improve, upgrade or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

9. "Child"

VA, CO, MN, NC, OH, CT, WPA 21 – "Child" means any natural person (individual) under 13 years of age.

10. “Collects,” “collect,” “collected,” “collection”

CCPA, CPRA, NY 21, AL, AK, FL (substantially similar) – "Collects," "collected," or "collection" means buying, renting, gathering, obtaining, [NY 21 – using, monitoring, or making inferences based upon] receiving, or accessing any personal information [MA - online or offline] pertaining to a consumer by any means [MA - including receiving information from the individual or a third-party]. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.

11. “Commercial purposes,” “commercial purpose”

CPRA, FL – "Commercial purpose" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, goods, property, information or services or enabling or effecting, directly or indirectly, a commercial transaction.

CCPA, NY 21, AL – "Commercial purposes" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. "Commercial purposes" do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

12. “Compatible data practice”

ULC – “Compatible data practice” is data processing that is consistent with the ordinary expectations of individuals based on the context of data collection, or that is likely to substantially benefit such individuals.

13. “Consent"

VA, NC, AZ, OH, CT (substantially similar) – "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

CO, CPRA, CCPA, MN (substantially similar) – "Consent" means a clear affirmative act signifying a consumer's [CCPA – or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer] freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data [CCPA, CPRA, MN - relating to the consumer for a narrowly defined particular purpose]. The following does not constitute consent:

  1. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  2. Hovering over, muting, pausing, or closing a given piece of content; and
  3. Agreement obtained through dark patterns.
     

14. “Consumer”

CO, VA, NC, MN, WPA 21, AZ, NYPA, NY A, CT (substantially similar) – “Consumer” means an individual who is a [state] resident acting only in an individual or household context; and does not include an individual acting in a [OH - business capacity or] commercial or employment context, [CO - as a job applicant, or as a beneficiary of someone acting in an employment context.] [OH - including contractors, job applicants, officers, directors, or owners].

CCPA, CPRA, AL – “Consumer” means a natural person who is a California resident, however identified, including by any unique identifier.

15. “Contractor”

CPRA, CCPA – “Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:

  • Prohibits the contractor from:
    • Selling or sharing the personal information.
    • Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title.
    • Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business.
    • Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) and in regulations adopted by the California Privacy Protection Agency.
  • Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.
  • Permits, subject to agreement with the contractor, the business to monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

16. "Controller,” “control”

CO, VA, MN, NC, AZ, CT, NYPA, WPA 21, NY A – "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

17. "Covered entity"

VA, CO, NC, CT, NYPA, WPA 21 – "Covered entity" has the meaning ascribed to that term in HIPAA.

18. “Cross-context behavioral advertising”

CCPA, CPRA – "Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

19. “Dark pattern”

CO, CCPA, CPRA - “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice (as further defined by regulation).

20. “Data broker”

CCPA – "a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

21. “Data controller”

ULC – “Data controller” means a person that, alone or jointly with others, initially collects personal data from or about an individual.

22. “Data processor”

ULC – “Data processor” means a person that has received authorized access to personal data, pseudonymous data, or deidentified data from the controller.

23. "Decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer"

VA, CO, NC, CT, WPA 21, MN (substantially similar) – "Decisions that produce legal or similarly significant effects concerning a consumer" means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.

24. "Deidentified data," “deidentified,” “deidentified information”

CO, CPRA, CCPA, MN, WPA 21, NYPA – “Deidentified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an [NYPA – particular consumer] identified or identifiable natural person, [CO - or a device linked to such person], provided that the controller that possesses the data:

  • Takes reasonable measures to ensure that the data cannot be associated with a natural person [NYPA – or device];
  • Publicly commits to maintain and use the data only in a deidentified fashion and not attempt to reidentify the data, [CCPA, CPRA, NYPA – except that the controller or processor may attempt to reidentify the information solely for the purpose of determining whether its deidentification process satisfies the requirements of this subdivision]; and
  • Contractually obligates any recipients of the information to comply with all provisions of this subsection.

VA – “De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. A controller that possesses "de-identified data" shall comply with the requirements of subsection A of § 59.1-577.

25. “Designated methods for submitting requests”

CCPA, CPRA, NY 21 – “Designated methods for submitting requests” means a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, [CCPA, CPRA - and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to --]. [NY 21 - If the consumer does not maintain an account with the business, the business shall provide an opportunity for the consumer to designate whether the consumer wishes to receive the information required to be disclosed pursuant to subdivisions two and three of this section by mail or electronically, at the consumer's option].

26. “Designated request address"

NV – "Designated request address" means an electronic mail address, toll-free telephone number, or website established by an operator through which a consumer may submit a verified request to an operator.

27. “Device”

CCPA, CPRA, AL – "Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device."

28. “Health care facility” 

CO – "Health care facility” means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state."

29. "Health care information"

CO "Health care information" means individually identifiable information relating to the past, present, or future health status of an individual."

30. "Health care provider"

VA – “Health care provider” means the same as that term is defined in § 32.1-276.3.

CO – “Health care provider” means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under title 12.

31. “Health insurance information”

CCPA, AL, FL – "Health insurance information" means a consumer's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer's application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider. 

32. “Health record”

VA – “Health record” means the same as that term is defined in § 32.1-127.1:03.

33. “Homepage”

CCPA, CPRA, OK, AL, AK, FL, NY 21 – "Homepage" means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, a link within the application, such as from the application configuration "About," "Information" or settings page, and any other location that allows consumers to review the posting required by this section.

34. “Household”

CCPA, CPRA – “Household” means a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services.

35. "Identified or identifiable natural person"

VA, MN, NC, AZ, CT, WPA 21 – "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.

CO, NY A – "Identified or identifiable natural person" means a person who can be identified, directly or indirectly, in particular by reference to specific information including, but not limited to, a name, an identification number, specific geolocation data, or an online identifier.

36. “Incompatible data practice”

ULC – “Incompatible data practice” is a data practice that is not a compatible data practice or a prohibited data practice, and for which consent must be obtained from the individual.

37. “Infer,” “inference”

CCPA, CPRA, AL, NY 21 – "Infer" or "inference" means the derivation of information, data, assumptions, or conclusions from facts, evidence or another source of information or data.

38. "Institutions of higher education"

VA – "Institution of higher education" means a public institution and private institution of higher education.

39. “Intentionally interacts”

CCPA, CPRA – “Intentionally interacts” means when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including [such as] visiting the person’s website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a person.

40. “Nonpersonalized advertising”

CCPA, CPRA – “Nonpersonalized advertising” means advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business with the exception of the consumer’s precise geolocation. 

41. “Person”

CCPA, CPRA, AL, AK, FL, NYPA, NY 21 – "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and [NYPA – or other firm or similar body, or any unit, division, agency, department, or similar subdivision thereof, any other organization or group of persons acting in concert.

ULC – “Person” means an individual, estate, business or nonprofit entity, or other legal entity. The term does not include a public corporation, government or governmental subdivision, agency, or instrumentality.

42. "Personal data," “personally identifiable information,” “personal information”

VA, CO, NYPA, MN, NC, AZ, WPA 21, CT – "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person [OH - processed by a business for a commercial purpose]. "Personal data" does not include de-identified data or publicly available information [OH - pseudonymized, deidentified, or aggregate data].

ULC – “Personal data” means information that identifies or describes a particular individual by name or by other direct identifiers such as addresses, recognizable photographs, telephone numbers, and social security numbers. The term does not include pseudonymized data or deidentified data.

CCPA, CPRA, PA (substantially similar) – “Personal information” means information that identifies, relates to, describes, is [CCPA – reasonably] capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • [CCPA, CPRA - Any categories of personal information described in subdivision (e) of Section 1798.80.]
  • Characteristics of protected classifications under [state] or federal law.
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • [CPRA - Sensitive personal information.]

“Personal information” does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records [CPRA - , or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience]. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

NV – “Personally Identifiable Information” is a natural person’s first name or first initial and last name in combination with one or more of the following data elements, when the name and data elements are not encrypted: Social Security Number; Driver’s license number or identification card number; Account number, credit card number, debit card number, in combination with any required security code, access code, or password that would permit access to that person’s financial account.

43. “Precise geolocation,” “precise geolocation data”

VA, NC, CT – "Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

CCPA, CPRA, AK – “Precise geolocation” means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
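The two definitions above fix numeric thresholds (a 1,750-foot radius in the VA/NC/CT wording; the area of a circle with a 1,850-foot radius in the CCPA/CPRA wording), so an engineer coarsening coordinates before storage or sharing needs a way to check which side of each threshold a given rounding lands on. The following script is an added example for this guide, not code from NCSL or from any statute. It assumes a spherical-earth approximation (111,320 metres per degree of latitude) and maps each threshold onto a rounding cell in an illustrative way: the radius test asks whether the cell fits inside a circle of that radius, and the area test compares the cell's area with the circle's area. Those mappings, the function names, and the Denver and Miami sample latitudes are all assumptions made for the illustration, not a legal reading.

```python
"""Does rounding coordinates to N decimal places still yield "precise geolocation"?

Two threshold styles appear in the state definitions:
  - a 1,750 ft radius (VA / NC / CT wording)
  - the area of a circle with a 1,850 ft radius (CCPA / CPRA wording)
Geometry is a spherical-earth approximation; how each threshold is applied to a
rounding cell is an illustrative assumption for this example.
"""
import math

METERS_PER_DEGREE_LAT = 111_320.0      # spherical-earth approximation (assumption)
FT_TO_M = 0.3048
RADIUS_VA_M = 1_750 * FT_TO_M          # 533.4 m
RADIUS_CA_M = 1_850 * FT_TO_M          # 563.88 m
CIRCLE_AREA_CA_M2 = math.pi * RADIUS_CA_M ** 2   # about 998,900 m^2


def coarsen(lat, lon, decimals):
    """Round a coordinate pair to `decimals` places.  Every point inside the same
    rounding cell maps to the same output, so the cell is the residual precision."""
    return round(lat, decimals), round(lon, decimals)


def cell_dimensions_m(decimals, latitude_deg):
    """Height and width in metres of one rounding cell at the given latitude.
    A degree of longitude shrinks with cos(latitude), so cells narrow toward the poles."""
    step_deg = 10.0 ** -decimals
    height = METERS_PER_DEGREE_LAT * step_deg
    width = METERS_PER_DEGREE_LAT * math.cos(math.radians(latitude_deg)) * step_deg
    return height, width


def precise_by_radius(decimals, latitude_deg, radius_m=RADIUS_VA_M):
    """Radius-style test (assumption: the cell must fit inside a circle of the
    stated radius, i.e. half of its diagonal is at most the radius)."""
    h, w = cell_dimensions_m(decimals, latitude_deg)
    return math.hypot(h, w) / 2 <= radius_m


def precise_by_area(decimals, latitude_deg, circle_area_m2=CIRCLE_AREA_CA_M2):
    """Area-style test (assumption: the cell's area is compared with the area of
    the stated circle, following the CCPA/CPRA "equal to or less than" wording)."""
    h, w = cell_dimensions_m(decimals, latitude_deg)
    return h * w <= circle_area_m2


def report(decimals, latitude_deg):
    """Summarize both tests for one coarsening level at one latitude."""
    h, w = cell_dimensions_m(decimals, latitude_deg)
    return {
        "decimals": decimals,
        "cell_m": (round(h), round(w)),
        "precise_1750ft_radius": precise_by_radius(decimals, latitude_deg),
        "precise_1850ft_circle_area": precise_by_area(decimals, latitude_deg),
    }


if __name__ == "__main__":
    # Constructed sample latitudes: roughly Denver (39.74 N) and Miami (25.76 N).
    for lat in (39.74, 25.76):
        for d in (1, 2, 3):
            print(lat, report(d, lat))
```

The interesting case is two decimal places: at Denver's latitude the cell is about 1,113 by 856 metres, which is under the CCPA/CPRA circle area but far larger than a 1,750-foot radius, while at Miami's latitude the wider cell exceeds the circle area as well. A single "round to two decimals" rule therefore cannot be treated as a blanket exit from either definition; the check has to be run per latitude and per threshold.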

44. “Probabilistic identifier”

CCPA, CPRA, NY 21, AL, FL – "Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of “more probable than not” based on any categories of personal information included in, or similar to, the categories enumerated in section -- of this subdivision.

45. "Process", "processing", “processing information”

VA, MN, NC, OH, CT, AZ, WPA 21, NYPA, NY A (substantially similar) – "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification [MA – selling, retaining, licensing, deidentifying, correlating, disposing of] [NY A – recording, organization, structuring, adaptation or alternation, retrieval, consultation, dissemination or otherwise making available, alignment or combination, restriction, deletion, or destruction] [NYPA – creation, generation, derivation, monetization] of personal data. [MA - this term includes using personal information in automated decision systems].

CCPA, CPRA, AL, AK, FL – “Processing" means an operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

CO – “Process” or “processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

ULC – “Processing” means performing an operation on personal or pseudonymized data, whether or not by automated means, including collection, use, storage, disclosure, analysis, prediction, or modification. “Process” has a corresponding meaning.

46. "Processor"

VA, CO, MN, NC, OH, AZ, CT, WPA 21, NYPA, NY A – “Processor” means a natural or legal person [entity] that processes personal data on behalf of the controller [OH – a business subject to this chapter].

47. "Profiling"

VA, CO, CPRA, CCPA, MN, NC, AZ, CT, WPA 21, NY 21 (substantially similar) – "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's [CPRA, CCPA - performance at work] economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

ULC – “Profiling” means processing to evaluate, analyze, or predict an individual’s economic status, health, personal preferences, interests, character, reliability, behavior, social or political views, physical location, movements or demographic characteristics, including race, gender, and sexual orientation. The term does not include evaluation, analysis, or prediction based on an individual’s contemporaneous activity, such as search queries or access to a particular website, if no personal data is retained for use after completion of the processing.

48. "Protected health information"

VA, CO, NC, CT, NYPA, WPA 21 – “Protected health information” means the same as the term is established by HIPAA.

49. "Pseudonymous data," “pseudonymize,” “pseudonymization”

VA, CO, CCPA, CPRA, AL, MN, NC, CT, FL, WPA 21, OH (substantially similar) – "Pseudonymous data" means [CPRA, CCPA - the processing of] personal data [CPRA, CCPA - in a manner that renders the personal data no longer attributable] that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

ULC – “Pseudonymized data” means information that was derived from personal data by removing direct identifiers. A controller or processor can create pseudonymized data by replacing direct identifiers with a unique ID or other code that allows the pseudonymized data to be converted back to personal data with the use of a decryption key. The term includes information containing Internet protocol addresses or other data related to a particular device as long as direct identifiers are not included. The term does not include deidentified data.
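Items 24 and 49 draw a line that matters operationally: pseudonymous data is still personal data that can be linked back with "additional information" the controller keeps separately, whereas deidentified data is data the controller has committed not to (and cannot) link back, with the CCPA/CPRA carve-out that the controller may attempt reidentification only to test its own process. The script below is an added example written for this guide, not code from NCSL, the ULC, or any statute, and it generalizes the two definitions into a small pipeline. Everything in it is an assumption for the illustration: the constructed sample records, the choice of a keyed HMAC token as the "unique ID or other code", the vault object standing in for the separately kept mapping, the specific generalizations used for deidentification, and all function names.

```python
"""Pseudonymization vs. de-identification on constructed sample records.

Pseudonymous data: direct identifiers are replaced by a token; the "additional
information" needed to re-identify (the vault mapping token -> identifiers and
the HMAC key) is kept separately from the data set.
De-identified data: direct and device identifiers are dropped, quasi-identifiers
are generalized, and no vault is kept, so the controller itself cannot link a
record back to a person.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

DIRECT_IDENTIFIERS = ("name", "email", "ssn")

# Constructed sample records for the example; not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "ssn": "123-45-6789",
     "zip": "80203", "age": 34, "ip": "198.51.100.7", "purchases": 3},
    {"name": "Bo Sample", "email": "bo@example.net", "ssn": "987-65-4321",
     "zip": "80210", "age": 61, "ip": "203.0.113.9", "purchases": 1},
]


@dataclass
class PseudonymVault:
    """The separately kept 'additional information': the HMAC key plus the
    token -> identifiers map.  It must live under its own access controls,
    apart from the pseudonymized data set."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def token_for(self, record):
        # Keyed hash over the canonical identifier set: the same person gets the
        # same token across records, but nobody without the key can regenerate it.
        canon = "|".join(str(record[k]) for k in DIRECT_IDENTIFIERS).encode()
        token = hmac.new(self.key, canon, hashlib.sha256).hexdigest()[:16]
        self.lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return token


def pseudonymize(records, vault):
    """Replace direct identifiers with a vault token.  Device data such as the IP
    address stays in the record, matching the ULC definition of pseudonymized data."""
    out = []
    for rec in records:
        token = vault.token_for(rec)
        body = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"token": token, **body})
    return out


def reidentify(pseudo_record, vault):
    """Possible only with the vault; raises KeyError for an unknown token."""
    identity = vault.lookup[pseudo_record["token"]]
    body = {k: v for k, v in pseudo_record.items() if k != "token"}
    return {**identity, **body}


def deidentify(records):
    """Drop direct and device identifiers, generalize quasi-identifiers, and keep
    no token or vault, so nothing in the output links back to a person."""
    return [
        {
            "zip3": rec["zip"][:3],                    # ZIP generalized to 3 digits
            "age_band": f"{rec['age'] // 10 * 10}s",   # age generalized to a decade
            "purchases": rec["purchases"],
        }
        for rec in records
    ]


def reidentification_self_test(deidentified, originals):
    """The CCPA/CPRA carve-out: re-identification attempted solely to check the
    process.  Here the check is that no identifier value from any original
    record survives in the de-identified output."""
    leaked = {str(orig[k]) for orig in originals for k in DIRECT_IDENTIFIERS + ("ip", "zip")}
    return all(str(v) not in leaked for rec in deidentified for v in rec.values())
```

The point of the vault being a separate object is that the pseudonymized data set can be handed to an analytics team or a processor without it, and a copy of the data set alone does not let its holder reverse the tokens. Rotating or destroying the vault key turns the pseudonymous data into something closer to deidentified data, but only if the lookup map is destroyed with it; the HMAC alone is not reversible, so the map is what actually carries the link.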

50. “Publicly available information,” “publicly available”

VA, CO, NC, CT, OH (substantially similar) – "Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business [CO - controller] has a reasonable basis to believe is lawfully made available to the general public [VA - through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience].

ULC – “Publicly available information” means information that is (A) made available to the general public from federal, state, or local government records; (B) available in widely distributed media; (C) observable from a publicly accessible vantage point; or (D) that a person has a reasonable basis to believe is lawfully made available to the general public. For purposes of this definition:

  • a person has a reasonable basis to believe that information is lawfully made available to the general public if the person has taken steps to determine that the information is of the type that is available to the general public and that the data subject who can direct that the information not be made available to the general public has not done so, and
  • “Widely distributed media” means information that is available to the general public, including information from a publicly accessible website; a telephone book or online directory; a television, Internet, or radio program; or news media. This term includes information that is available from a website or other forum that has restricted access as long as the information is nevertheless available to a broad audience.

51. “Research”

CCPA, AL, FL – “Research” means scientific, systematic study and observation, including basic research or applied research that is [CPRA – designed to develop or contribute to public or scientific knowledge] in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:

  • Compatible with the business purpose for which the personal information was collected.
  • Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
  • Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain [CPRA - other than as needed to support the research].
  • Subject to business processes that specifically prohibit reidentification of the information [CPRA - other than as needed to support the research].
  • Made subject to business processes to prevent inadvertent release of deidentified information.
  • Protected from any reidentification attempts.
  • Used solely for research purposes that are compatible with the context in which the personal information was collected.
  • [CCPA - Not be used for any commercial purpose.]
  • Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

52. “Sale,” “sell,” “sold,” “selling,” “sale of personal data”

VA, CO, MN, NC, OH, AZ, CT (substantially similar) – "Sale of personal data" means the exchange of personal data for monetary [CO, OH - or other valuable] consideration by the controller to a third party. "Sale of personal data" does not include:

  • The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • The disclosure or transfer of personal data to an affiliate of the controller;
  • [OH - The disclosure of personal data from one business to another business without monetary or other valuable consideration];
  • [CO, CT - The disclosure of information that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party];
  • [AZ – The disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer, or otherwise in a manner that is consistent with the consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller.]
  • The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or
  • The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

CCPA, CPRA, AL, AK (substantially similar) – “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. For purposes of this title, a business does not sell personal information when:

  • A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party [CPRA – or intentionally interact with one or more third parties], [CCPA - provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.]
  • The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
  • [CPRA - The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information].
  • [CCPA - The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
    • The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135.
    • The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.]
  • The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act.

NV, NY A, WPA 21 (substantially similar) – "Sale," "sell" or "sold" means the exchange of [NV – covered] personal data for [NV – monetary] consideration by the controller to a third party [NV – to license or sell the covered information to additional persons]. "Sale" does not include the following:

  • the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personal data to the controller;
  • [WPA 21 - the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience];
  • the disclosure or transfer of personal data to an affiliate of the controller; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, if consumers are notified of the transfer of their data and of their rights under this article and affirmatively consent to the disclosure and transfer of data.

53. "Security or safety purpose," “security and integrity”

CPRA, CCPA – “Security and integrity” means the ability of:

  • Networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
  • Businesses to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and to help prosecute those responsible for those actions.
  • Businesses to ensure the physical safety of natural persons.

WPA 21 – "Security or safety purpose" means physical security, protection of consumer data, safety, fraud prevention, or asset protection.

54. "Sensitive data," “Sensitive personal information”

VA, CO, MN, NC, AZ, CT, WPA 21 (substantially similar) – "Sensitive data" means a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health [AZ – behavioral or psychological] diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal data collected from a known child; or
  • [VA, MN, NC, AZ, CT, WPA 21 - Precise geolocation data.]

CPRA – "Sensitive personal Information" means:

  • Personal information that reveals a consumer's social security, driver's license, state identification card, or passport number; a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer's precise geolocation; a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; a consumer's genetic data; and
  • The processing of biometric information for the purpose of uniquely identifying a consumer; personal information collected and analyzed concerning a consumer's health; or personal information collected and analyzed concerning a consumer's sex life or sexual orientation. Sensitive personal information that is "publicly available" pursuant to this paragraph shall not be considered sensitive personal information or personal information.

ULC – “Sensitive data” means personal data that reveals:

  • racial or ethnic origin, religious belief, mental or physical health condition or diagnosis, an activity or preference related to gender, sexual orientation, transgender status, citizenship, or immigration status;
  • passwords or other authenticating information, including biometric identifiers used for authentication purposes;
  • credit card numbers;
  • tax identification numbers;
  • real time geolocation information;
  • financial information;
  • information related to a disease or health condition;
  • genetic sequencing information; or
  • information about an individual known to be under [13] years of age.

55. “Service,” “services”

CPRA, CCPA, AL, FL, NY 21 – "Service" or "services" means work, labor, and services, including services furnished in connection with the sale or repair of goods.

56. “Service provider”

CCPA, AL, FL – “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

CPRA – "Service provider" means a person that processes personal information on behalf of a business which receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from: (A) selling or sharing the personal information; (B) retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this title; (C) retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; and (D) combining the personal information which the service provider receives from or on behalf of the business, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this Section and in regulations adopted by the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.

If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for such business purpose, it shall notify the business of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

57. “Share,” “shared,” “sharing”

CCPA, CPRA – “Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. For purposes of this title, a business does not share personal information when:

  • A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.
  • The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
  • The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

58. "Targeted advertising," “targeted content and advertising”

VA, CO, MN, NC, AZ, CT, NYPA, NY A, WPA 21 (substantially similar) – "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained [CO, AZ – or inferred over time] from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include:

  • Advertisements based on activities within a controller's own websites or online applications;
  • Advertisements based on the context of a consumer's current search query, visit to a website, or online application;
  • Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
  • [Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency].
  • [AZ – Does not include advertising to a consumer based on the consumer’s visits to a website, application, or online service that a reasonable consumer would believe to be associated with the publisher in which the advertising is placed based on common branding, trademarks, or other indicia of common ownership, or in response to the consumer’s request for information or feedback].

ULC – “Targeted content and advertising” means purely expressive content or advertising displayed to an individual on the basis of profiling.

59. “Targeted decisional treatment”

ULC – “Targeted decisional treatment” means differential treatment of, or offers made to, an individual on the basis of profiling.

60. "Third party"

VA, MN, NC, OH, CT, WPA 21, NYPA (substantially similar) – “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. [NYPA – a third party may also be a controller if the third party, alone or jointly with others, determines the purposes and means of the processing of personal data.]

CPRA – "Third party" means a person who is not any of the following:

  • The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under this title;
  • A service provider to the business; or
  • A contractor.

CCPA, NY 21, AL (substantially similar) – “Third party” means a person who is not any of the following:

  • The business that collects personal information from consumers under this title.
  • A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
    • Prohibits the person receiving the personal information from:
    • Selling the personal information.
    • Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
    • Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    • Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph and will comply with them.
  • A person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by this paragraph in compliance with this paragraph shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

61. “Unique identifier,” “Unique personal identifier”

CPRA, CCPA, AL, FL, NY 21 (substantially similar) – “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor [CPRA – under 18 years of age] children over which the parent or guardian has custody, [FL – or a household].

62. “Verified request,” “verifiable consumer request,” “verifiable request”

NV, NYPA, AK (substantially similar) – “Verified request” means a request:

  • Submitted by a consumer [AK – or by a parent or legal guardian with legal custody of the consumer, or by a natural person or a person registered with the United States Secretary of State, authorized by the consumer to act on the consumer's behalf] to an operator for the purposes set forth in section 2 of this act; and
  • For which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.

CPRA – "Verifiable consumer request" means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer's behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to regulations adopted by the Attorney General to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer, to delete personal information, or to correct inaccurate personal information pursuant to Section 1798.106, if the business cannot verify that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf.

CCPA, AL – “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to -- to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer if the business cannot verify that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

Additional Resources