Reference · 42 terms defined

Privacy Glossary

Authoritative, plain-language definitions of the terms used in US and EU data-privacy law, data-broker opt-out processes, and personal-security practices. Updated April 2026.

A

Authorized Agent

A third party authorized by a consumer to make privacy requests on their behalf, as recognised under CCPA and similar state laws.

Under CCPA and many state privacy laws, consumers may designate an authorized agent to make privacy requests on their behalf. The agent must provide signed permission, and the business may verify the consumer's identity. Subscription data-removal services (DeleteMe, Incogni, OneRep) typically operate as authorized agents. First-party requests avoid the agent framework entirely.

See also: First-Party Request

Automated Decision-Making

Decisions made solely by algorithmic processing, without meaningful human involvement, that have significant effects on an individual.

Automated decision-making refers to decisions produced entirely by algorithms that materially affect an individual's employment, credit, insurance, housing, healthcare, or similar matters. Under GDPR Article 22, individuals have a right not to be subject to solely automated decisions (with exceptions). Minnesota's MCDPA allows a consumer to demand a human review of a solely automated decision. California is developing ADMT (Automated Decisionmaking Technology) regulations.

See also: Profiling

Address Confidentiality Program

A state-administered program that lets qualifying individuals use a substitute address for government records and mail.

An Address Confidentiality Program (ACP) lets qualifying individuals — typically survivors of domestic violence, sexual assault, stalking, trafficking, and in some states sexually exploited persons, reproductive-health providers, judges, and law enforcement — use a substitute address administered by the state. Mail is forwarded to the actual address confidentially. All 50 states have some form of ACP. Eligibility and coverage vary; ACP addresses are kept confidential in court records, motor-vehicle records, voter registration, and other government databases.

See also: Daniel's Law

B

Biometric Data

Measurements of physiological or behavioural characteristics used to identify an individual, including fingerprints, face geometry, voiceprints, and retina scans.

Biometric data includes both physiological identifiers (fingerprints, face geometry, iris/retina, DNA, voiceprint) and behavioural identifiers (gait, keystroke dynamics). Illinois's BIPA treats biometric data as specifically protected with a private right of action and statutory damages ($1,000-$5,000 per violation). Texas, Washington, and several other states also regulate biometric data. GDPR treats biometrics as special category data (Article 9).

See also: Sensitive Personal Information

BIPA

Illinois Biometric Information Privacy Act — the most consequential US biometric-data law, featuring a private right of action with substantial statutory damages.

Illinois's Biometric Information Privacy Act (740 ILCS 14, 2008) requires written informed consent before collecting biometric identifiers and grants a private right of action for violations, with statutory damages of $1,000 per negligent violation or $5,000 per intentional violation. BIPA has produced nine-figure settlements including Facebook ($650M) and Clearview AI ($51.7M class settlement with Illinois residents).

See also: Biometric Data, Private Right of Action

C

CCPA

California Consumer Privacy Act — the first comprehensive US state privacy law, granting California residents rights to know, delete, and opt out of the sale of their personal information.

The California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), effective January 2020 and amended by the CPRA (effective January 2023), grants California residents the right to know what personal information businesses have collected, the right to delete that information, the right to opt out of the sale or sharing of personal information, and the right to correct inaccurate information. Data brokers must respond to verifiable deletion requests within 45 days, extendable once to 90 days. The California Privacy Protection Agency (CPPA) enforces CCPA alongside the AG.

Source: California Civil Code § 1798.100

See also: CPRA, GDPR, Data Subject Request (DSR), CCPA Delete Act

CPRA

California Privacy Rights Act — the 2020 voter-approved amendment to CCPA that created the California Privacy Protection Agency and added new consumer rights.

The California Privacy Rights Act (Prop 24, 2020) amended the CCPA effective January 2023. It added the right to correct inaccurate information, the right to limit the use of sensitive personal information, expanded the definition of "sale" to include "sharing," and created the California Privacy Protection Agency (CPPA) as an independent enforcement body. "CCPA/CPRA" is the combined current-state citation used in most legal and regulatory contexts.

See also: CCPA, Sensitive Personal Information

CCPA Delete Act

California SB 362 — requires the California Privacy Protection Agency to build a universal deletion mechanism that propagates one request to all registered data brokers.

The California Data Broker Delete Act (SB 362, signed October 2023) requires the California Privacy Protection Agency to build and operate an accessible deletion mechanism. California consumers will be able to submit one request that automatically propagates to every broker on the state's Data Broker Registry. The mechanism launches in August 2026 per CPPA rulemaking. Once live, it will dramatically reduce the per-broker work required of California residents.

Source: California SB 362

See also: CCPA, Data Broker

Cure Period

A statutory grace period during which a business may remedy a privacy-law violation before enforcement action.

Most US state privacy laws originally included a 30-60 day cure period during which businesses could remedy alleged violations before the AG could fine them. Several states have now sunset these cure periods (California in 2023, Colorado and Connecticut in 2025). Texas and Indiana still have cure periods. The cure period affects how aggressively you should escalate a non-responsive broker — in cure-period states, expect the AG to require notice first.

Controller

The entity that determines the purposes and means of processing personal data, as defined in GDPR and adopted by most US state privacy laws.

Under GDPR and most US state privacy laws (VCDPA, CPA, CTDPA, OCPA, TDPSA, NJDPA, etc.), a "controller" is the entity that determines why and how personal data is processed. Controllers bear the primary compliance burden. The counterpart is a "processor" (GDPR) or "service provider" (CCPA), which processes data on behalf of the controller. A data broker is typically both a controller and a processor, depending on which data streams are considered.

See also: Processor

CPPA

California Privacy Protection Agency — the independent agency created by CPRA to enforce California privacy law and administer the Data Broker Registry.

The California Privacy Protection Agency (CPPA) is California's independent state privacy regulator. It enforces CCPA/CPRA alongside the AG, administers the California Data Broker Registry, and is building the statewide Delete Act universal deletion mechanism, which launches in August 2026. Consumer complaints against specific data brokers should typically go to the CPPA rather than to the California AG.

Source: California Privacy Protection Agency

See also: CCPA, Data Broker Registry, CCPA Delete Act

D

Data Broker

A company that collects personal information about consumers and sells, licenses, or shares that information with third parties.

A data broker aggregates personal information from public records, online activity, commercial transactions, and other sources, then sells, licenses, or shares that information. Major categories include people-search sites (Whitepages, Spokeo), background-check providers (BeenVerified, Intelius), B2B data providers (ZoomInfo, Apollo), and marketing-data aggregators (Acxiom, Epsilon). California, Vermont, Texas, and Oregon maintain public data-broker registries.

Source: California Data Broker Registry

See also: People-Search Site, CCPA, CCPA Delete Act

Data Subject Request (DSR)

A formal request from a consumer to a business to access, correct, delete, or port their personal data.

A data subject request (DSR) is the formal mechanism by which a consumer exercises their rights under a privacy law. Under GDPR these are called "data subject access requests" (DSAR); under CCPA they are called "verifiable consumer requests." DSRs typically require the consumer to identify themselves and specify the request type (access, delete, correct, port, opt-out). Businesses must respond within mandated timeframes (45 days under most US state laws, 30 days under GDPR).

See also: CCPA, GDPR

Daniel's Law

A category of state statutes requiring data brokers to expedite removal of home address information for judges, prosecutors, law enforcement officers, and related family members.

Daniel's Law refers to statutes modelled on New Jersey's original law (P.L. 2020, c. 125), passed after the 2020 murder of Daniel Anderl at the home of his mother, federal Judge Esther Salas. The statute requires data brokers to remove home address information within 10 business days upon request from a covered person. California, Colorado, Maryland, and a growing number of states have Daniel's Law-equivalents. The federal Daniel Anderl Judicial Security and Privacy Act (2022) covers federal judges and court staff nationally.

See also: Data Broker

Data Broker Registry

A state-maintained public list of registered data brokers and their registration details.

Data broker registries exist in California (CPPA), Vermont (AG), Texas (SOS), and Oregon (AG). California's is the most comprehensive, with 500+ registered brokers. Registration requires brokers to disclose their identity, contact information, and whether they collect and sell specific categories of personal information. Failure to register carries per-day fines. California's registry feeds into the CCPA Delete Act universal deletion mechanism.

Source: California CPPA Data Broker Registry

See also: Data Broker, CCPA Delete Act

Data Breach

An unauthorised acquisition of personal information, typically triggering statutory notification requirements.

A data breach is an unauthorised acquisition, access, use, or disclosure of personal information. All 50 US states have breach-notification statutes with varying thresholds and deadlines (typically 30-90 days from discovery). Under GDPR, controllers must notify the supervisory authority within 72 hours. Some breaches trigger a private right of action — CCPA, for instance, allows individuals to sue for breaches of non-encrypted personal information.

See also: CCPA, GDPR

Digital Footprint

The trail of data an individual generates through online activity, public records, and commercial transactions.

A digital footprint is the aggregate of data that identifies, locates, or profiles an individual — collected through browsing, purchases, social media, court filings, property records, employment records, and other sources. Reducing your digital footprint is the practical goal of data-broker opt-out, social-media hygiene, and cautious use of online services.

See also: Data Broker, Opt-Out

Doxxing

The act of publicly revealing personally identifying information about an individual, typically without consent and often as part of a harassment campaign.

Doxxing (sometimes spelled "doxing") is the public release of personally identifying information — home address, phone number, employer, family members — typically as a prelude to harassment, intimidation, or physical confrontation. Several states (California AB 1950, Texas, and others) have anti-doxxing statutes. Data-broker cleanup reduces the raw material available for doxxing campaigns.

See also: Data Broker, Daniel's Law

Data Minimization

The principle that a business should collect, process, and retain only the personal data necessary for its specified purpose.

Data minimization is enshrined in GDPR Article 5(1)(c) and adopted in varying strength across US state privacy laws. Maryland's MODPA has the strongest US articulation: controllers must not collect or process personal data beyond what is "reasonably necessary and proportionate" to the specified purpose. Minimization reduces breach risk and compliance burden; lack of minimization is a common basis for enforcement action.

See also: GDPR, CPRA

Data Broker Registration

A statutory requirement that data brokers register with the state, disclosing identity, data categories, and contact information.

California, Texas, Vermont, and Oregon require data brokers to register annually. California's CPPA maintains the most public and comprehensive registry, including over 500 brokers. Registration details include business name, contact information, data categories collected, whether the broker collects children's data, and (in some states) gross revenue from data sales. Failure to register triggers civil penalties per day of non-compliance.

See also: Data Broker Registry

F

First-Party Request

A deletion or access request sent directly by the consumer from their own email or identity, not through an intermediary.

A first-party request is one in which the consumer directly contacts the data broker or controller using their own email and identity, rather than using an agent or intermediary service. First-party requests avoid the verification overhead and possible rejection that third-party authorized agents sometimes face, and carry the strongest legal standing under CCPA and state laws. Tools like OfflistMe generate first-party request emails that the consumer sends from their own inbox.

See also: Authorized Agent, Zero-Data Architecture

G

GDPR

General Data Protection Regulation — the European Union's comprehensive data protection law governing personal data of EU/EEA residents.

The General Data Protection Regulation (Regulation EU 2016/679), effective May 2018, governs the processing of personal data of individuals in the EU and EEA. Key rights include access, rectification, erasure ("right to be forgotten," Article 17), restriction of processing, data portability, and the right to object. GDPR applies extraterritorially to any business processing EU residents' data. Violations carry fines up to 4% of global annual revenue or €20M, whichever is higher.

Source: Regulation (EU) 2016/679

See also: CCPA, Right to be Forgotten, Data Subject Request (DSR)

Global Privacy Control (GPC)

A browser and extension signal that communicates a user's intent to opt out of the sale or sharing of their personal information.

Global Privacy Control is an open-standard browser signal that conveys opt-out preferences under CCPA and compliant state laws. It is supported by Firefox, Brave, DuckDuckGo, and extensions for Chrome and Safari. Several states (CA, CO, CT, OR, NH, NJ) legally require businesses to honor GPC. Enabling GPC provides a passive, always-on opt-out layer that complements manual deletion requests.

See also: Universal Opt-Out Mechanism, Opt-Out

I

ID Verification

The process by which a data broker or controller confirms the identity of a consumer making a privacy request.

ID verification is how a business confirms the requester is the consumer whose data is at issue. CCPA requires verification to be proportionate to the sensitivity of the request — a deletion of publicly available name/address should not require a government ID. Some brokers request full ID uploads, which creates breach risk. OfflistMe's approach avoids ID upload by generating first-party requests the consumer sends from their own verified inbox.

See also: Verifiable Consumer Request, First-Party Request

O

Opt-Out

A request that a business stop a specified processing activity, such as selling personal information or using it for targeted advertising.

Under CCPA, "opt-out" refers specifically to the right to direct a business to stop selling or sharing personal information. Under most newer state laws, separate opt-outs exist for sale, targeted advertising, and profiling. Opt-out is narrower than deletion: the business may retain data but must stop the specified activity. Universal opt-out mechanisms like Global Privacy Control (GPC) signal opt-out at the browser level.

See also: Universal Opt-Out Mechanism, Global Privacy Control (GPC)

Opt-In

Consent given before a specific processing activity occurs, required under GDPR and stricter state laws like Washington's MHMDA.

Opt-in consent means the consumer must affirmatively agree before a business may process or sell their personal data. GDPR requires opt-in consent for most processing involving sensitive data. Washington's MHMDA requires opt-in for the sale of consumer health data. Most US state privacy laws use an opt-out model by default — the business may process or sell data unless the consumer actively opts out.

See also: Opt-Out

P

People-Search Site

A subtype of data broker that offers public-facing search of individuals by name, phone, address, or email.

People-search sites let anyone look up an individual by name or other identifier, returning aggregated records from public sources. Examples include Whitepages, Spokeo, TruePeopleSearch, FastPeopleSearch, BeenVerified, Nuwber, and Radaris. Unlike background-check providers, people-search results are typically free to view (with paid upsells for full reports). Each site is required under major US state privacy laws to honor deletion requests.

See also: Data Broker, Opt-Out

Profiling

Automated processing of personal data to evaluate, analyse, or predict characteristics of a person.

Profiling under GDPR (Article 22) and most US state privacy laws means automated processing that analyses or predicts an individual's work performance, economic situation, health, preferences, location, reliability, or behaviour. Several state laws (CO, CT, OR, NJ, MN) grant consumers an opt-out from profiling that produces legal or similarly significant effects. Minnesota's MCDPA has the strongest profiling rights, including a right to question automated decisions.

See also: Automated Decision-Making

Private Right of Action

The legal ability for a private individual (not just a government agency) to sue a business for a privacy violation.

A private right of action (PRA) lets individuals file lawsuits for statutory damages, rather than depending on government enforcement. In US privacy law, PRA exists in Illinois BIPA (biometric data), California CCPA (security breaches only), and Washington MHMDA (health data). Most comprehensive state laws (VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, etc.) lack a PRA — enforcement is exclusively by the AG.

See also: BIPA

Processor

An entity that processes personal data on behalf of a controller, as defined under GDPR.

Under GDPR, a processor processes personal data on behalf of a controller pursuant to a data-processing agreement. Processors have narrower obligations than controllers but are directly liable for security and breach notification. Under CCPA the equivalent role is "service provider." Most US state privacy laws adopt the controller/processor distinction.

See also: Controller

Public Records

Government-maintained records that are open to public inspection by statute, including property records, court filings, voter rolls, and business registrations.

Public records are documents or information that governments must make available to the public by law. Examples include property assessor records, court filings (state and federal), voter registration data (varies by state), business entity filings, and driver's license records (redacted under federal DPPA). Data brokers scrape public records at scale to build individual profiles. Removal from data brokers does not remove the underlying government record — only the broker's aggregated copy.

See also: Data Broker

People Search Engine

Synonymous with people-search site — an online service that returns personal information about an individual based on name or other identifier.

Used interchangeably with "people-search site." Examples: Whitepages, Spokeo, TruePeopleSearch, FastPeopleSearch, BeenVerified, Nuwber, Radaris, Intelius, PeekYou. All are categorised as data brokers under US state privacy laws and are subject to deletion requests.

See also: People-Search Site, Data Broker

Purpose Limitation

The principle that personal data collected for one specified purpose should not be further processed for incompatible purposes.

Purpose limitation (GDPR Article 5(1)(b)) requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed incompatibly. This restricts the common data-broker practice of acquiring data for one context and selling it into different contexts without renewed consent. Most US state privacy laws codify purpose limitation through data-use consent requirements.

See also: Data Minimization, GDPR

R

Right to be Forgotten

A right, rooted in GDPR Article 17, allowing individuals to request deletion of their personal data under specified conditions.

Under GDPR Article 17, the right to erasure ("right to be forgotten") lets EU/EEA residents demand that a controller erase personal data when, among other grounds, the data is no longer necessary, consent is withdrawn, or processing is unlawful. Similar rights exist in US state laws (CCPA right to delete, VCDPA, CPA, etc.), though they are worded differently. The term originates from EU case law (Google Spain v. AEPD, 2014).

See also: GDPR, CCPA

Right of Access

The right of a consumer to obtain a copy of the personal information a business holds about them.

The right of access (also "right to know") lets consumers obtain a copy of the personal information a business holds about them, plus the source, purpose, and third parties with whom it is shared. It is granted under CCPA, GDPR, and most comprehensive state privacy laws. Typical response window: 45 days (most US states), 30 days (GDPR). The right is distinct from the right to delete — you may exercise one without the other.

See also: Data Subject Request (DSR), Right to Delete

Right to Delete

The right of a consumer to demand that a business delete personal information it has collected about them.

The right to delete (also "right to erasure" under GDPR) lets consumers demand that a business delete their personal information. It is granted under CCPA and every comprehensive US state privacy law. Certain exceptions apply — businesses may retain data necessary to complete a transaction, comply with legal obligations, detect security incidents, or exercise free speech. Data brokers typically must comply within 45 days under US state laws.

See also: Right of Access, Right to be Forgotten

S

Sensitive Personal Information

A category of data under CCPA/CPRA that carries heightened protection, including SSN, precise geolocation, biometric data, and more.

Under CPRA, "sensitive personal information" includes government IDs (SSN, driver's license, passport), financial account credentials, precise geolocation, race, ethnicity, religion, union membership, contents of non-business communications, genetic data, biometric identifiers, health data, and sex-life or sexual orientation data. Consumers have a separate right to limit the use of SPI. Maryland's MODPA outright bans the sale of sensitive personal data.

See also: CPRA, Biometric Data

SWATting

A harassment tactic in which a false emergency report is made to draw armed police response to a target's home address.

SWATting is the practice of placing a hoax emergency call — typically reporting an active shooter, hostage situation, or similar — to trigger a heavily armed police response at a victim's home. The tactic depends on the attacker knowing the victim's home address, typically obtained through data brokers or public records. Several states now classify SWATting as a felony. Removing home-address information from data brokers is a primary defensive measure.

See also: Doxxing

T

Targeted Advertising

Displaying ads to a consumer based on personal data obtained from activity across other businesses, websites, or contexts.

Targeted advertising (also called "cross-context behavioral advertising" in CPRA) is advertising delivered based on data tracked across other businesses or contexts — as opposed to contextual advertising on a single site. CCPA/CPRA, VCDPA, CPA, CTDPA, OCPA, and most peer state laws grant consumers a separate opt-out from targeted advertising, which can typically be exercised via GPC.

See also: Profiling, Universal Opt-Out Mechanism

U

Universal Opt-Out Mechanism

A browser-level signal recognised as a legal opt-out of sale, sharing, and targeted advertising.

Universal opt-out mechanisms (UOOMs) let users express opt-out preferences once, at the browser level, rather than contacting each business individually. Global Privacy Control (GPC) is the most widely implemented UOOM. California, Colorado, Connecticut, Oregon, New Hampshire, New Jersey, and several other states legally require controllers to honor GPC as an opt-out signal.

Source: Global Privacy Control

See also: Global Privacy Control (GPC), Opt-Out

V

Verifiable Consumer Request

Under CCPA, a consumer request accompanied by information that allows the business to reasonably verify the consumer's identity.

A verifiable consumer request is required before a business must honor a deletion, access, or correction request under CCPA. Verification should be proportionate to the sensitivity of the request — for a deletion of publicly available data, minimal verification (email, zip code) is sufficient; for access to sensitive health data, stronger verification is expected. Businesses cannot require more verification than the original data collection involved.

See also: Data Subject Request (DSR)

Z

Zero-Data Architecture

A service design in which no user personally identifiable information is stored on the service provider's servers.

Zero-data architecture is a design pattern in which personally identifiable information (PII) is processed only in the user's browser or device, never transmitted to the service provider's servers. Applied to data-removal services, this means the provider does not hold names, addresses, or IDs of the users it serves. Advantages: no breach risk (nothing to breach), no account surface area, no subject-access complexity. OfflistMe is built on zero-data architecture.

See also: First-Party Request
