Get fluent in GTMSec, privacy, and compliance with our glossary of key industry terms.
Data Accuracy is the principle that businesses must take every reasonable step to ensure that data is accurate, and where necessary, up-to-date.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a symmetric block cipher adopted by the U.S. government (NIST FIPS 197) as the encryption standard for security-sensitive non-classified material in the United States.
A form of invalid malicious activity in which an affiliate marketer or network attempts to drive invalid traffic to their partner's site to inflate their commissions.
An algorithm is a defined mathematical process or set of rules applied to a block of data.
Data Anonymization is the process by which personally identifiable information (PII) is altered to render it anonymous so that it cannot be traced back to an individual. There are three primary techniques for achieving data anonymization: suppression, generalization, and noise addition.
Article 29 Working Party
The Article 29 Working Party (WP29) was a European Union organization made up of the data protection authorities of EU member states that acted as an independent advisory body on data protection and privacy. It was replaced by the European Data Protection Board (EDPB) when the General Data Protection Regulation (GDPR) went into effect.
A compliance audit is an audit performed to discover an organization's level of compliance with regulatory guidelines. The compliance audit evaluates the strength and completeness of security and privacy policies and risk management processes.
Decision-making without human involvement or interference.
Data processing that is performed without any human involvement.
A tool used to perform activity automatically, repetitively, quickly, and at scale.
Data availability is the process of making data "available" when needed by an organization or by the data subject. The General Data Protection Regulation, and several other privacy regulations, require a business to ensure the availability of personal data upon request from a data subject.
Advertising that is targeted at individuals based on the tracking and observation of their behavior.
Abnormal actions performed by a user / visitor on digital assets, like excessive page hopping, refreshing, and non-human scrolling and browsing patterns.
Data concerning the physical characteristics of an individual, such as DNA, iris patterns, face patterns, or fingerprints. Article 9 of the General Data Protection Regulation treats biometric data as a special category of data for which processing is not allowed except in specific circumstances.
A computer script designed to act with agency or simulate human behavior.
The process of notifying officials, regulators, and/or the victims of data breaches that affect personal data. Data breach disclosure rules vary by jurisdiction. Under the GDPR, a data controller must notify regulators and/or victims of the data breach within 72 hours of discovery.
Brexit was the withdrawal of the United Kingdom from the European Union on January 31st, 2020. The UK is the only country to withdraw from the EU since its creation in 1993. Following Brexit, the GDPR was brought into UK law as the ‘UK GDPR’ and was retained as domestic law through a transition period in 2020. In 2021, UK lawmakers announced their intention to distance UK privacy law from the GDPR. However, any changes will need to be deemed adequate by the EU, to preserve data transfers between the EU and UK.
Caching is the process of saving local copies of content to reduce the need to repeatedly download content.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, or CCPA, is a state-level data privacy law that regulates how businesses are allowed to gather, store and handle the personally identifiable information (PII) of California citizens. The CCPA went into effect on January 1st, 2020, and was the first state-level consumer privacy law passed in the United States. Key provisions of the CCPA include the consumer’s right to opt-out of the sale of their data, typically via a “Do not sell my data” button and the “private right of action” which gives private citizens the right to legal action against businesses that mishandle their PII. On January 1st, 2023, the CCPA will be replaced by the California Privacy Rights Act (CPRA), which will take its place as California’s presiding privacy legislation.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) is a state-level privacy rights law in California, which significantly expands upon the CCPA by strengthening the data privacy rights of California citizens, increasing regulation of the use of PII, establishing a government enforcement agency, and more. The CPRA takes effect on January 1st, 2023.
A form of invalid malicious activity in which a cardholder makes a purchase and then contacts their card issuer to dispute the charge and claim a refund, while still holding on to the item.
Chief Privacy Officer
A c-level position in an organization or business that is responsible for managing privacy practices and compliance with privacy laws.
Children's Online Privacy Protection Act (COPPA) of 1998
A U.S. federal law aimed at protecting the online privacy and rights of children under the age of 13. COPPA applies to the operators of any commercial websites or online services directed at children under the age of 13 as well as any websites that have knowledge that they are collecting PII from children under the age of 13. Under COPPA, operators of such websites must post a privacy notice on their homepage, provide notice about data collection processes to children's parents, and must obtain parental consent before collecting personal information. Operators must also give parents a choice on whether or not their child's personal information will be disclosed to third parties, must provide an opt-out for data collection, and must provide the opportunity to have personal information deleted.
A group of workers available for hire that rapidly click on content or ads in order to inflate traffic, sign-ups or engagement.
A form of invalid malicious activity in which an attempt is made to generate large volumes of ad clicks with the aim of depleting the advertiser's budget.
Detection techniques that reside on the client side, applied after the request has already gone through the server. Common examples include TCP Techniques and STUN Techniques.
A consent banner is a notice on a website that informs visitors of the use of tracking technologies like cookies and web beacons and may ask them to take action by opting in or out of tracking. Consent banners are required by most data privacy regulations.
Consent management is a system or process by which an organization informs users of its data privacy and tracking practices, obtains their consent for tracking, and manages and enforces their privacy preferences. Consent management is a crucial factor in demonstrating compliance with privacy laws and regulations.
Consent Management Platform (CMP)
A consent management platform (CMP) is a tool or set of tools that helps organizations automate the consent management process. A robust CMP helps brands obtain user consent, manages user privacy preferences, and enforces those preferences in compliance with privacy regulations. CMPs help brands protect user and customer data privacy and stay compliant with regulations like the GDPR, CCPA, PIPL, and more.
Consumer Data Protection Act (CDPA)
The Consumer Data Protection Act (CDPA) is a state-level consumer privacy law in the US State of Virginia. The CDPA provides citizens of the Commonwealth of Virginia with six data privacy rights: the right to access, the right to correct, the right to deletion, the right to data portability, the right to opt-out, and the right to appeal. The CDPA was the second state-level privacy law to pass in the United States and took a less strict approach than its predecessor, the CCPA.
Cookies are small text files that carry information used to identify users as they browse the web. Cookies are typically used to improve the user's web browsing experience by helping websites remember things like logins, preferences, and shopping carts, but they can also be a privacy risk. For example, third party cookies can be used to track a user's web activity across domains without their consent. Because of these privacy implications, cookies are increasingly regulated by privacy legislation like the EU's GDPR and California's CCPA.
Cookie compliance is the process of aligning a website's cookie and tracking practices with the standards set forth by privacy laws and directives like the GDPR and CCPA. Depending on the jurisdiction, this could be as simple as notifying users that they are being tracked (notice-only consent), or as complex as asking users for their permission to track their activity, storing and enforcing those preferences, and offering them the option to change those preferences at any given time. Penalties for noncompliance vary but can reach as high as 4% of annual turnover under the GDPR. For most organizations, a consent management platform is the easiest, most cost-effective approach to cookie compliance.
Cookie consent is the process of obtaining a user's consent to track their browsing activity with cookies.
The Cookie Directive is an amendment to the ePrivacy Directive that requires user consent before the placing of tracking cookies.
A form of invalid malicious activity in which an affiliate marketer or network attempts to plant a cookie on a visitor's browser without their knowledge and consent, usually via a 3rd party site. This is done so that when the visitor makes a purchase on an eCommerce site, the affiliate can claim credit for driving the visitor to that eCommerce site, winning them a commission.
A Cookie Wall, or a tracking wall, is very similar to notice-only consent but requires the users of a website to ‘agree’ or ‘accept’ cookies, tracking, and/or data processing in order to use the website. A cookie wall does not give the user an opportunity to reject tracking and data processing and is considered illegitimate consent under many regulations, such as the GDPR, under which cookie walls are a non-compliant approach to consent management.
An automated script designed to catalogue and index web pages.
Cross-Border Data Transfer
The transfer of personal information from one legal jurisdiction to another.
A cure period is an allotted time period following a notice of noncompliance during which an organization is given an opportunity to remediate, or "cure," non-compliant data practices to avoid penalties. For example, the CPA grants a 30-day cure period for violators.
A company’s collective marketing efforts to acquire customers online.
Customer Acquisition Security (CAS)
A cybersecurity-driven business strategy aimed at preventing invalid traffic from interacting with assets throughout the online customer acquisition funnel.
A dark pattern is a user experience that is intentionally designed to frustrate, trick, or guide users towards actions and outcomes that may not be in their best interest such as signing up for recurring subscriptions or consenting to give away personal information.
Data Adequacy is a status granted by the European Commission to nations outside of Europe that it deems as providing a level of personal data protection comparable to that provided by the GDPR. Data adequacy is required to permit cross-border data transfers outside of the EU.
A data breach is any unauthorized access to or acquisition of data that compromises the security or confidentiality of personal information.
A Data Broker is an entity that collects and sells personal data.
Data Center Traffic
Traffic originating from large data storage facilities as opposed to personal networks. Such traffic is often used to generate malicious bot activity.
Under the GDPR, a Data Controller is defined as the person or entity that determines how and why data is collected and used by an organization. A data controller can be an individual person, a private company, or any other legal entity. Controllers are accountable to the strictest levels of GDPR compliance and are responsible for the GDPR compliance of any Data Processors they use to process data.
Data Loss Prevention (DLP)
Data loss prevention (DLP) is a set of processes or tools that are used to prevent the loss, misuse, or unauthorized access to sensitive data.
Data minimization is the principle that a data controller should only collect and process personal data that is strictly necessary.
Data portability is the ability to move data easily between programs, files, computing environments, and applications. In many jurisdictions, data subjects have the right to request their personal data from a data controller, which they must receive in a structured, common, and machine-readable format.
Any operation or set of operations performed on data.
Under the GDPR, a data processor is defined as a legal entity or individual that processes personal data on behalf of a data controller, according to the controller's instructions.
Data Protection Authority (DPA)
Data Protection Authorities (DPAs) are the public authorities responsible for the application of data protection laws in EU member states. DPAs have extensive enforcement powers and can impose fines of up to 4% of a company’s global annual revenue.
Data Protection Policy
A policy that outlines the privacy and security measures a business or organization takes in the processing of personal data.
Data Protection Principles
The guiding principles of the GDPR, outlined under Article 5 of the law. The data protection principles of the GDPR are lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality.
Data Security Law (DSL) of the People's Republic of China
The Data Security Law (DSL) of the People's Republic of China is a Chinese law passed in 2021 for the purpose of protecting critical data for national security and public interest. The law introduced a "data classification system" by which the Chinese government can classify data based on importance and publish standards of data protection for each class.
A data subject is an individual to whom personal data relates.
EU-US Privacy Shield
The EU-US Privacy Shield is a data transfer agreement negotiated in 2016 by U.S. and EU authorities.
The erasure of personal data. Under Article 17(1) of the GDPR, data subjects have the right to request the erasure of their personal data if the data is no longer needed for its original purpose and no new lawful purpose exists, if the lawful basis for the processing is the data subject’s consent and the consent is withdrawn, or if the data has been processed unlawfully.
European Data Protection Board
The European Data Protection Board (EDPB) is the body responsible for ensuring consistent application of the GDPR. The EDPB is made up of the heads of the supervisory authorities of the EU member states, as well as the European Data Protection Supervisor and a delegate from the European Commission.
Excessive Rate Limit
A threshold designed to limit a site visitor's ability to repeatedly perform invalid actions like incorrect login attempts and incomplete form fills.
The Privacy and Electronic Communications Directive 2002/58/EC, or ePrivacy Directive, is an EU law, passed in 2002, that is focused on protecting privacy and personal data in electronic communication. The ePrivacy Directive focuses primarily on telecom companies, cell carriers, and ISPs. The ePrivacy Directive is widely regarded as the predecessor to the GDPR and the nascent ePrivacy Regulation.
The ePrivacy Regulation (ePR) is a proposed EU regulation that would repeal and expand upon the ePrivacy Directive, and would act in conjunction with the GDPR to strengthen privacy rights and enforcement in the EU.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) is a U.S. federal law enacted in 1970 that governs data collection, consumer access, and correction, and permissible purposes of credit reporting.
Fair and Accurate Credit Transactions Act (FACTA) of 2003
The Fair and Accurate Credit Transactions Act (FACTA) is a 2003 expansion on the FCRA focused on identity theft prevention. The act allows consumers to obtain a free credit report once a year and lets consumers request alerts for suspected identity theft. FACTA also gave the Federal Trade Commission authority to promulgate rules regarding identity theft.
An attempt by a user or site visitor to obscure elements of their identity (device, operating system, browser, IP, location etc.).
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that establishes standards for the privacy protection of student educational records. FERPA applies to all academic institutions that receive funds from U.S. Department of Education programs.
Fingerprinting, or browser fingerprinting, is the process of differentiating between users based on the attributes and configuration of the specific web browser instance they are using. Log files may also be used to identify visitors to a network or website.
First-party cookies are cookies that are directly set and stored by the website a user visits. First-party cookies are only available to the domain that created them, as opposed to third-party cookies, which are available to any domain that loads the third-party server's code.
Functional cookies are cookies that perform tasks related to the function of a website, such as remembering a user's login details or location. Without these cookies, the user would have to log in upon each visit to the website and would not receive personalized information.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation in EU law that provides a single set of data privacy and protection rules for every member state in the European Union. Made up of 173 recitals and 99 articles, the GDPR is widely regarded as the toughest privacy and security law in the world. The GDPR applies to any organization that processes or collects the personal data of EU citizens, regardless of whether or not the organization is based in the EU. The GDPR created several new rights for EU citizens including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, and the right to data portability. Under the GDPR, businesses must obtain a data subject's valid consent before tracking them or processing their information, and must give subjects the opportunity to withdraw consent at any given time. Penalties for violating the GDPR are very high. There are two tiers of penalties, which top out at €20 million or 4% of global revenue (whichever is higher). Data subjects also have the right to seek compensation for damages.
Data Governance is the process of managing the integrity and security of the data in an organization's systems. Governance practices are based on internal standards and policies as well as regional regulations.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, is a U.S. federal law that regulates the flow of healthcare information and how medical PII is protected from fraud and theft.
Health Information Technology for Economic and Clinical Health Act (HITECH)
The Health Information Technology for Economic and Clinical Health Act, or HITECH, is a U.S. federal law aimed at addressing privacy and security issues involving PHI.
The ISO (International Organization for Standardization) 27001 standard is a standard of practice and certification for implementing an information security management system.
Implied consent or implicit consent is consent that is assumed without the explicit permission of the user. For example, a website that forces the user to accept tracking cookies to access content, or which opts a user in when the user navigates away from the consent banner without accepting or denying cookies.
Interactive Advertising Bureau (IAB)
The Interactive Advertising Bureau is a trade association that represents advertising businesses. The IAB develops industry standards such as the Transparency and Consent Framework.
Invalid Malicious Activity
Activity that comes from ill-intentioned human users and should typically be blocked from your customer acquisition funnel.
Invalid Suspicious Activity
Activity generated by users who are displaying potentially malicious or non-human attributes or behaviors, but are not definitively malicious or non-human.
Invalid Traffic (IVT)
Users / visitors who have no chance of converting to real paying customers. These include bots, fake accounts, proxy users, competitors, click farms, JavaScript-disabled browsers, automation tools and more.
The act of an invalid user arriving on a landing page or website, via paid marketing, organic search or direct.
Lawfulness is one of the requirements established by the GDPR for processing personal data, along with fairness and transparency. For data processing to be considered lawful, data subjects must be aware of the processing, storage, and use of the data, and must give informed consent to said processing. The GDPR outlines six bases for the lawful processing of personal data: consent, performance of a contract, legal obligation, protection of the vital interests of the data subject, public interest, and legitimate interest of the controller.
Any data that describes other data.
Irregular browsing patterns (hours, volume, location) or user attributes (IP, UA, OS) often indicative of malicious activity.
An opt-in consent banner informs your visitors of the tracking technologies in use by your website and gives them distinct options to either reject all non-essential cookies or accept all cookies. The user is opted-out by default and must take explicit action to consent to tracking or data processing. This consent model is compliant with the GDPR.
An opt-out consent banner informs visitors of the cookies and tracking technologies your website uses and gives them an option to opt-out of either all or some tracking and data processing. Typically, the user is opted in by default and has to take manual action to opt-out. For example, they may need to uncheck several boxes to opt-out of different cookies and trackers. Opt-out consent banners are not compliant with the GDPR but are allowed under the CCPA and LGPD.
Performance cookies, or statistics cookies, are cookies that are used to monitor the performance of a website as a user interacts with it. For example, performance cookies may track the pages most frequently visited by users, the path a user takes through a website, or which links result in errors. Performance cookies do not collect any identifiable information on users and exist for the sole purpose of improving website functionality.
Persistent cookies are cookies that are stored on a user's device and persist until they are deleted by the user or by their browser. Persistent cookies help websites remember users' settings, preferences, and information like sign-on credentials. All persistent cookies have an expiration date and will be destroyed when they reach that date. The ePrivacy Directive dictates that persistent cookies should not last more than 12 months.
The synonym for PII used in the EU's privacy legislation. Under the GDPR, personal data is defined as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Personal Data Protection Act (PDPA) of Thailand
The Personal Data Protection Act B.E. 2562 (2019) (PDPA) is a Thai law that governs the digital rights of Thai citizens, and the data protection standards that businesses operating in Thailand must uphold. The PDPA affects not only Thai businesses, but also businesses based outside of Thailand that offer products and services to Thai citizens, or monitor their behavior online. The PDPA is largely based on the GDPR and appropriates several concepts and definitions from the EU law, such as data “controllers” and “processors." Under the PDPA, organizations must prove a legal basis for the collection and use of personal information, and consent is required in certain situations.
Personal Information Privacy Law (PIPL) of China
The Personal Information Privacy Law (PIPL) is China's first comprehensive data privacy law. The PIPL was passed on August 20th, 2021, and went into effect on November 1st, 2021. Similar in size and scope to the EU's General Data Protection Regulation (GDPR), the PIPL imposes serious restrictions on how personal data can be collected, used, and managed. Along with China's Data Security Law, the PIPL will form a framework that will give China's government broad enforcement capabilities and create a strict compliance environment for the nation's Big Tech companies, and for international businesses operating in China, for years to come. According to the language of the law, the goals of the PIPL are to "protect the rights and interests of individuals" and facilitate the "reasonable use" of personal information through the regulation of personal information processing activities.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada is a federal privacy law that applies to private-sector organizations in Canada. The law is intended to "govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is any information from which the identity of a person can be inferred, directly or indirectly. Social security numbers, phone numbers, addresses, and biometric data are all commonly considered PII, and IP address, geolocation, and behavioral data may also be considered PII.
Prior consent is consent granted by a user before any cookies, other than strictly necessary cookies, are placed on their device. Prior consent is required by the GDPR.
Privacy by Design
Privacy by Design is the philosophy that application and web design should promote privacy proactively by embedding privacy best practices in the design and development processes.
A middle-man tool that masks a user’s identity and location.
The act of an invalid user returning for at least a second time to a website or landing page.
Real-time bidding is the process of buying and selling online ad impressions in real-time auctions that occur in the time it takes a webpage to load. When a bid is won, the buyer's ad is instantly displayed on the publisher's site.
Remarketing is a marketing strategy that uses information learned from prior interactions to market to the same consumer multiple times in a digital environment.
A roach motel is a dark pattern that provides an easy or straightforward user experience to sign up for or consent to something, but a much more difficult user experience path to cancel a service or revoke consent. One example is a subscription that can be started with the click of a button but must be canceled via a phone call or chat-bot.
An automated script designed to scrape your site for data.
Detection techniques that reside on the server side, applied before the request has gone through to the client. Common examples include DNS Techniques and HTTP techniques.
A session cookie, also known as a temporary cookie or a non-persistent cookie, is a cookie that is stored temporarily by the browser and is deleted when the browsing session ends, typically when the user closes the browser.
A situation where Business or Marketing Intelligence data is skewed by the presence of invalid traffic in the funnel, audiences, campaigns or pipeline.
A situation where automated optimization pixels on major buying platforms (like Google / FB) are skewed by conversions coming from invalid traffic sources.
A soft opt-in is a consent management practice in which consent is assumed when a user navigates away from a consent banner without accepting or rejecting consent. A soft opt-in is not considered valid consent under the GDPR.
A bot that actively sends out large quantities of messages to users, typically through email.
Strictly Necessary Cookies
Strictly necessary cookies are cookies that are necessary for the function and navigation of a website. Cookies that remember what items are in a user's shopping cart, or allow a user access to certain sections of a website are considered strictly necessary cookies. Under the GDPR, strictly necessary cookies are the only cookies that are exempt from requiring user consent.
Targeting cookies are cookies that are designed to gather information about the user and track their online activity to help marketers and advertisers display relevant advertisements and build visitor profiles and statistics for insights into advertising performance. Targeting cookies are almost always third-party, persistent cookies.
Third-party cookies are cookies that are created not by the domain you are visiting, but by third parties such as advertisers or analytics systems. Third-party cookies are usually added to a website via tags or scripts and are accessible to any website that loads the third-party server's code.
Transparency and Consent Framework (TCF)
The Transparency and Consent Framework (TCF) is an open-source framework developed by the Interactive Advertising Bureau (IAB) Europe and the IAB Tech Lab to standardize the process of obtaining user consent and communicating consent information to parties on the advertising supply chain.
The current iteration of the framework, TCF 2.0, was introduced in August 2019.
Valid consent is consent that is informed, unambiguous, and given freely. In other words, the user must be informed exactly what they are consenting to and must be presented with a clear choice to opt-in or out of tracking and data processing, without coercion. Equally important, a user who had previously consented must be allowed to withdraw consent at a later time without penalty.
Virtual Private Network (VPN)
A common type of proxy used to mask a user’s / visitor’s location.
A web beacon, or a pixel tag, is a transparent image embedded in a web page that operates as a tag and records an end user's visit to the site.