Privacy Knowledge Base

"Privacy" is a word that is hard to define. Depending on context, culture, and legal statute it can mean different things to different people. This ambiguity often makes discussions of "privacy" as a general term unproductive.

We provide this privacy knowledge base as a way to focus on core concepts which often come up during litigation and compliance, which are contained in the glossary. Likewise, you will find an overview of prominent privacy laws as a quick reference.

You are using the demo version of the webXray search tool. This version shows IP address transmissions and cookies sent to Google on a sample of popular websites in the United States.

Access to over 2.4 million page loads, 700 companies and services, advanced privacy content classifications, and much more, is available if you upgrade.

Upgrade

Term Glossary

IP Address

Definition: A unique sequence of characters that identifies an address on the internet. An IP address is needed to transmit information across the internet and may allow businesses to identify specific users, especially when the IP address is combined with other data, such as a cookie.

Definition: The use of the word "cookie", or "magic cookie", in a computing context dates back to the late 1970s when it was used to mean a piece of information that allowed two computing systems to synchronize with each other.

A real-world example of a “cookie” may be seen at the dry cleaner: when dropping off their garment the customer gets a ticket with a unique number. The dry cleaner then cleans the garment, and the garment is exchanged back to the person who holds the matching ticket. (Note: this is the same example used by Google.)

Cookies on a computer are a digital form of such tickets, but instead of allowing you to pick up your freshly cleaned suit, they may allow you to read your email. Cookies can also function like tags placed on migratory birds by ornithologists: allowing you to be tracked as you navigate the digital world.

Cookies have a variety of uses in addition to allowing you to read your email and be tracked, and depending on the applicable laws, setting these cookies may require affirmative user consent. No cookies show in our database were set with consent, all of them are non-consented.

Definition: At the most abstract level the word "consent" means a user has been notified their data will be transferred and are given a choice to allow or deny such transfers. From a legal standpoint, consent is often defined as informed, unambiguous, specific, and freely given.

For example, in some jurisidictions, when a user clicks on a cookie banner, the boxes for items like analytics and advertising cookies cannot be preselected; the user must understand what they do and choose to allow or deny those cookies.

No cookies or IP address transmissions shown in our database were set with consent, all of them are non-consented.

Personally Identifiable Information

Definition: Personally Identifiable Information (PII) is any data that can be linked to a specific individual. Such data may include IP addresses, cookies, email addresses, telephone numbers, and more. Many laws have specific guidelines for what types of data may be considered PII.

Sensitive Data

Definition: Not all information about an individual is equal. Some forms of data, such as medical conditions, spiritual beliefs, and financial information may be used to unfairly discriminate against individuals who belong to protected groups.

For example, an employer may deny a job if they were to find out an applicant had a history of chronic illness. What is, or isn't, considered senstive is most often defined in specific laws, and may vary according to jurisidiction.

Applicable Laws and Regulations

US Federal Law


Children's Online Privacy Protection Act (COPPA)

Jurisdiction:

US, Federal

Definitions

Identifiable Information

Identifiable information about an individual collected online, including:

A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier

Protected Categories of Data

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

References

Example Search Result

Health Insurance Portability and Accountability Act (HIPAA)

Jurisdiction:

US, Federal

Definitions

Identifiable Information

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  • That identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Categories of Data

The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and other healthcare providers, to cover protected health information. This includes individuals' medical records and other individually identifiable health information.

References

Example Search Result

United States State Law

California Consumer Privacy Act (CCPA)

Jurisdiction:

US, State, California

Definitions

Identifiable Information

Identifiable private information means private information for which the identity of the individual is or may readily be ascertained or associated with the information.

Protected Categories of Data

The CCPA protects the personal data of California residents, which is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, other similar identifiers, geolocation data, inferences made about the individual through a consumer profile (psychological trends, characteristics, behavior, attitudes, abilities), sensitive personal information (SSN, driver's license, state ID card, passport number, account login, financial information in combination with security or access code, precise geolocation data, race or ethnic origin, immigration or citizenship status, religious or philosophical believes, union membership, genetic data), internet or other electronic network activity information, and biometric information.

References

Colorado Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual is one who can readily be identified, directly or indirectly, in particular by reference to an identifier like a name, identification number, specific geolocation data, or online identifier.

Protected Categories of Data

This law protects the personal data of Colorado residents, which is information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.

References

Connecticut Data Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Connecticut residents, which is any information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information. It does include sensitive data, which is data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, the personal data collected from a known child, or precise geolocation data.

References

Delaware Personal Data Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Delaware residents, which is any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information. It does include sensitive data, which is data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data.

References

Indiana Consumer Data Protection Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Indiana residents, which is information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data, aggregate data, or publicly available information. It does include sensitive data, which is personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, citizenship or immigration status, genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual, personal data collected from a known child, and precise geolocation data.

References

Iowa Consumer Data Protection Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Iowa residents, which is any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data, aggregate data, or publicly available information. It does include sensitive data, which is personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status (except as used to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law), genetic or biometric data that is processed for the purpose of uniquely identifying a natural person, personal data collected from a known child, and precise geolocation data.

References

Kentucky Consumer Data Protection Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

[This law protects the personal data of Kentucky residents, which is any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information, but does include sensitive data, which is personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; the processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person; the personal data collected from a known child, and precise geolocation data.

References

Maryland Online Data Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable consumer means a consumer who can readily be identified, either directly or indirectly.

Protected Categories of Data

This law protects the personal data of Maryland residents, which is any information that is linked or reasonably linkable to an identified or identifiable consumer. It does not include de-identified data or publicly available information. It does include sensitive data, which is data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizen or immigration status, genetic or biometric data, personal data of a consumer that the controller knows or has reason to know is a child, and precise geolocation data.

References

Minnesota Consumer Data Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Minnesota residents, which is any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information. It does include sensitive data, which is personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, the processing of biometric data or genetic information for the purpose of uniquely identifying an individual, the personal data of a known child, and specific geolocation data.

References

Montana Consumer Data Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Montana residents, which is any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available information. It includes sensitive data, which is personal data that includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

References

Nebraska Data Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means a consumer who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Nebraska residents, which any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. It does not include de-identified or publicly available information, and does include the sensitive data categories of data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

References

New Hampshire Data Protection Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of New Hampshire residents, which is any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available information. It includes sensitive data, which includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

References

New Jersey Data Protection Act

Jurisdiction:

US, State, New Jersey

Definitions

Identifiable Information

"Information that is linked or reasonably linkable to an identified or identifiable person."

Protected Categories of Data

"Personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data."

References

Oregon Consumer Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

[update]

Protected Categories of Data

This law protects the personal data of Oregon residents, which is data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household. It does not include de-identified data or data that is lawfully available through federal, state, or local government records or through widely distributed media, or data that a controller reasonably has understood to have been lawfully made available to the public by a consumer.

It does include sensitive data, which is data that reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; is a child’s personal data; accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a GPS that provides latitude and longitude coordinates; or is genetic or biometric data.

References

Tennessee Information Protection Act

Jurisdiction:

US, State

Definitions

Identifiable Information

Identified or identifiable natural person means a human being who can be readily identified, whether directly or indirectly.

Protected Categories of Data

This law protects the personal data of Tennessee residents, which is information that is linked or reasonably linkable to an identified or identifiable natural person; and does not include information that is publicly available information, de-identified information, or aggregate consumer information. It does include sensitive data, which is data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, the personal information collected from a known child, or precise geolocation data.

References

Texas Data Privacy and Security Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Texas residents, which is any information that is linked or reasonably linkable to an identified or identifiable individual. It includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual, and does not include de-identified data or publicly available information. It does include sensitive data, which is personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status, genetic or biometric data that is processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

References

Utah Consumer Privacy Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Utah residents, which is any information that is linked or reasonably linkable to an identified or identifiable individual and excludes de-identified data, aggregated data, or publicly available information. It includes sensitive data, which is personal data that reveals an individual's racial or ethnic origin, an individual's religious beliefs, an individual's sexual orientation, an individual's citizenship or immigration status, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional, the processing of genetic personal data or biometric data if the processing is for the purpose of identifying a specific individual, or specific geolocation data (accurate within a radius of up to 1750 feet).

References

Virginia Consumer Data Protection Act

Jurisdiction:

US, State

Definitions

Identifiable Information

An identified or identifiable individual means an individual who can be readily identified, directly or indirectly.

Protected Categories of Data

This law protects the personal data of Virginia residents, which is any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data or publicly available information, and does include sensitive data, which is data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, the personal data collected from a known child, precise geolocation data.

References