
As a business owner, understanding basic data privacy terminology is crucial at a time when the world is undergoing a rapid digital transformation.

You might be familiar with a number of online privacy regulations, but the difference between compliance and violation can lie in the legal nuances of privacy concepts and definitions laid out in laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

To help you navigate our increasingly data-driven world, we’ve summarised five key privacy concepts you should be aware of from 2020.

Personal information

The exact definition of personal information varies slightly according to which privacy law you need to comply with.

Under the CCPA, personal information is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Under the GDPR, personal information is termed “personal data”, which is considered “any information related to an identified or identifiable natural person.”

Generally, the types of data considered personal information include:

  • Names and contact details like personal emails, phone numbers, and home addresses
  • Device data like IP addresses and cookies
  • Location data and browsing activity
  • Photos, videos, and audio recordings of a person
  • Financial information like credit card details
  • Sensitive personal data such as information about one’s ethnic background, sexual orientation, political beliefs, and health-related data

The collection and use of people’s personal information is heavily regulated by these laws, which is why it’s important to understand and disclose the types of personal data processed by your business in your privacy policy.


Cookies

A cookie is a text file that is automatically generated by your browser and stored on your computer when you visit a website. The purpose of cookies is to track and remember what your preferences are, such as the types of ads you clicked on or the language setting you chose for an international website.

To provide a more consistent and user-friendly browsing experience, cookies may collect a range of personal data about you. Check out our earlier blog post to learn more about the different types of cookies used today and how they impact on people’s privacy.

Informed consent

You know those annoying cookie pop-ups and email opt-in notifications that pile up in your inbox? These are all examples of websites trying to get your informed consent to collect and use your personal data.

In a data privacy context, “informed consent” is where consumers give their permission for an organisation to collect and use their personal data with full disclosure of the risks, benefits, rights and other options they have going forward.

For example, a typical cookie consent banner would explain the types of cookies a website uses and why it uses them, and provide a checkbox for you to accept all or only certain types of cookies before proceeding deeper into the website.

Under the GDPR, there are six legal bases upon which you can process someone’s personal data – getting a consumer’s informed consent is one of them. If consent is a valid basis for the type of data processing your organisation is doing, then you must obtain and keep records of consumer consent prior to collecting and using their data.

User rights

In data privacy law, “user rights” refer to the rights that consumers have over their personal data.

In Chapter 3 of the GDPR, there are 8 “data subject rights” that businesses must uphold to achieve compliance with the law; for example, consumers have the right to request access to any data an organisation has collected about them.

Under the CCPA, consumers have the right to opt-out of the sale of their personal information to third parties, amongst other rights like those stipulated in the GDPR.

Third parties

The GDPR defines a third party as any person or organisation other than:

  • The data subject (the person whose data is being collected).
  • The data controller (the person or organisation who determines the purposes of and methods used for data processing).
  • The data processor (the person or organisation who processes data on behalf of the controller).
  • Others who have the controller or processor’s direct authorisation to process personal data.

It’s important to note that while your business may use an external third-party service provider as your data processor, they may not be considered a “third party” as described in the GDPR.

According to the CCPA, a third party is defined as any person or organisation other than:

  • The business that originally collected a consumer’s personal information.
  • A service provider who only receives personal information for a business purpose which is outlined in a written contract.

This contract should prohibit the service provider from selling this information and retaining, using, or disclosing it for any reasons outside of those stated in the contract or outside of the direct business relationship it has with the business. It should also contain a certification that the service provider understands and agrees to comply with the CCPA’s requirements.

Again, under the CCPA, some of the third-party service providers your business uses may or may not be considered a third party. To avoid violating the law, you will need to check which criteria they fall under and what compliance requirements may apply.

Now that you have a better understanding of these key privacy concepts, you may wish to review your own data protection and privacy practices.

While we can provide general information regarding privacy law, we recommend contacting a legal professional to interpret the relevant privacy legislation as it applies to your business.
