Data Defined

What is a User?

You and I - and your neighbors, and our moms too! Users are just individuals that visit a website, including to utilize a product or services. Users can be external or internal.  External users might be individuals who: browse the website, interact with the website, purchase through the website, etc. Internal users might employees of the company.

What is Data?

Biometric data is information that can be used to identify a person using their body’s dimensions, such as the iPhone’s fingerprint and facial recognition technology.

Consumer data is typically related to a user’s purchasing history, such as previous purchasing history, predictions of purchasing intent, or even records of what a person owns.

Employment/Professional data is information about a person’s working experience, such as work history or a job evaluation.

Geolocation data is information on a user’s physical location or their movements through an internet-connected device (devices like a browser, computer, or mobile device). These documents are generally intended for websites. In some instances, users need to share geolocation data for app functionality, such as a ride hailing app.

Internet activity is data regarding a user’s online activity, aggregated or not, often used to personalize what the user sees in terms of suggested content, advertisements, etc.

Sensory data is information that is generated by the human body and detected by the human senses, including audio, visual, thermal, electronic, or olfactory data.

Student education information and records are tied to a student and maintained by an educational agency or institution, such as grades or class schedules.

Users’ characteristics is information that describes or segments users into groups, such as their gender or age.

What is Sensitive Information?

Sensitive information can identify characteristics like a person’s opinions, personal preferences, or details that could lead to harm and fraud if the data is leaked, breached, or compromised.

What is Sensitive Personal Information?

Sensitive personal information is a legal category of personal information that must be collected, stored, and used under stricter guidelines to comply with laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). For example, under California law, they include the following information: 

  • Biometric data (face, iris, palm, voice, fingerprint, etc.)

  • Contents of private communications such as emails, texts, voice calls etc. (not directed to the company)

  • Criminal history and/or status as a victim of a crime

  • Device identifier (e.g. IMEI), depending on jurisdiction

  • Financial account or payment card information when combined with authentication information

  • Genetic data (and other health data such as disability or treatment)

  • Government Identifiers such as SSN, Driver's License or any other unique personal identifier assigned by a government to individuals

  • Inferences based on personal data, alone or in combination with other data, which indicate any of the above types of sensitive personal data

  • Political opinions (including party affiliation)

  • Precise location data (generally agreed to mean latitude and longitude location to more than 2 decimal points)

  • Racial or ethnic origin

  • Religious or philosophical beliefs

  • Sexual orientation or sexual preferences

  • Status as transgender or nonbinary

  • Trade union membership

What is an “Inference”?

Under the CCPA, Inference means “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” An inference is a deduction about a consumer’s characteristics, such as “single,” “likely voter”, “online shopper,”, etc. The deduction is based on information known to the company either through active collection of users’ purchasing history, social media use, etc. or through purchasing from data providers. Some businesses create inferences using their own proprietary methods, and then sell the inferences to others for commercial purposes. 

The CCPA requires businesses to disclose internally generated inferences to consumers.

What is Derivative Data?

Derivative data is information generated by the visit of a website or app. It’s information such as a user's IP address, browser, operating system, language preferences, referring URLs, device name, country from which the visit takes place, etc.

What is Third Party Data?

Third-party data is personal information about the users from sources other than the user themselves. The sources can range from from publicly available sources like government records and social media to closed sources like data brokers, industry reports, and third-party scraping tools. 

Practices Defined

What is Affirmative Consent?

Under the major data privacy laws like the GDPR, user consent is required before data collection starts, and especially before sending marketing or promotional materials The company can’t assume that consent obtained for a specific purpose extends to other activities.

What are Third-party Services?

Third-party Services are entities that provide any service for the business, such as marketing services, payment processing, hosting services, customer service, etc.

If the business uses cookie providers, online advertisers, or adtech for targeted advertising, the company is sharing consumers' personal information.

What does it mean to “Sell”?

"Selling" is the exchange of personal data for monetary or other valuable consideration by the company to a third-party. Selling is not exclusively limited to monetary payment.

What does “Valuable Consideration” mean?

“Valuable Consideration” includes developing, changing, or improving the company’s core services and offerings. It also includes developing, changing, or improving data analysis or other insight generation that’s not the company’s core services and offerings. 

What does it mean to “Disclose”?

"Disclose" means the company makes users' personal information known either within the company or to external parties. For example, the company is disclosing users' personal information to Google if the company uses Google Analytics, AdSense, etc. If the company uses workplace tools that ingest users’ personal information (inbound marketing, sales, customer service, etc.), the company is disclosing users’ personal information to those third parties providing the software service.

What does it mean to “Share”?

Under the CCPA, “Sharing” means making known a consumer's personal information to a third party for cross-context behavioral advertising, or targeted advertising. For example, an ad shown to a consumer for a product that is related to that consumer's internet search qualifies as cross-context behavioral advertising. This includes advertising through platforms like Google, Meta, Amazon, and X fka Twitter. 

What is a UooM or GPC?

Global Privacy Control is one type of universal opt-out mechanism (UooM). UooM refers to browser settings or other software that users can configure to tell the company what that user’s privacy preferences are for the websites they visit. It allows consumers to opt out of the sale of their personal information or to opt out of being tracked online. UooM is a standardized signal sent to all visited websites. Once in force, the following US states' privacy laws will require certain businesses to honor GPC or other UooMs: 

  • Colorado

  • Connecticut

  • Delaware

  • Montana

  • New Hampshire

  • New Jersey

  • Oregon

  • Texas

What are Data Processing Agreements?

Data Processing Agreements are often required between companies and their third-party service providers. If the business collects personal information from users and relies on a third-party to process the data, it will need a DPA. DPAs is a contract that compels third-party service providers the company works with to themselves comply with applicable data privacy laws - GDPR, CCPA, VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut). DPAs are in place to protect the company. 

What is a Business Affiliate?

A Business Affiliate is an entity that controls, is controlled by, or has shared control with another entity, for example, Meta owns Instagram. Business affiliates include the parent company, subsidiaries, and joint venture partners.

What is a Business Transfer?

When the business enters conversations or negotiations for a sale, merger, or even financing round, it should ensure that users are informed of how their personal information may be shared, transferred, or otherwise managed.

About the Project

About the Project

Document Library

Document Library