Quick view: Key data privacy and data security terms (USA)

Updated as of: 16 June 2025

Introduction

This Quick view will assist in-house counsel, private practice lawyers, and human resource departments with understanding data privacy and data security terms in the workplace.

This Quick view covers:

  1. Overview of the legal framework relating to data privacy
  2. Key data privacy and security terms

This Quick view can be used in conjunction with the IT and Data Protection Practical Resources.

1. Overview of the legal framework relating to data privacy

There is no single source of privacy law in the United States. Privacy laws and practices stem from an array of sources including federal laws, state laws, common law privacy claims, and even pressure from the public to undertake certain privacy protections (eg, public pressure to apply enhanced protections for credit card information). US privacy law is an evolving patchwork of federal and state laws that often overlap with data security law.

At the federal level, the primary privacy laws tend to be sector specific. However, privacy standards may also be woven into other laws and regulations. The following are some of the key federal privacy laws: the US Privacy Act of 1974, which governs federal agencies, including those under contract with federal agencies; the Health Insurance Portability and Accountability Act (HIPAA) and the privacy rules adopted under that Act, which govern entities such as hospitals, medical services providers, and third-party collections agencies; the Gramm-Leach-Bliley Act (GLBA), which governs businesses engaged in finance; and the Children’s Online Privacy Protection Act (COPPA), which governs website operations or those operating online services directed at children under the age of 13. This is not presented as an exhaustive list and organizations must research which federal laws apply to their organization.

For further information, see How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.

As of April 2025, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have all enacted comprehensive consumer privacy laws. State privacy laws govern a consumer’s right to access or delete their personal information, to opt out of the collection or sale of their information, and to be notified about the collection and their rights related to the collection. 

For further information, see US Data Protection and Privacy (state-by-state).

2. Key data privacy and security terms

A variety of different terms are used in the area of data privacy and security. These terms are often defined by a statute or regulation, and apply in a particular context. The patchwork of applicable legislation at the federal level and the possibility of jurisdictional variations make the precise definition of some terms difficult. In addition, some terms are terms of art developed and used by those working in a particular area. As a result, it is difficult to provide universally accepted and agreed upon definitions of many data privacy and security terms in the United States. Recognizing these difficulties, this Quick view attempts to provide a non-exhaustive but practical and easily accessible glossary of key terms that will aid in understanding US data privacy laws and other Practical Resources. Always check the precise legal definition of a term within a particular context.

At the federal level, the primary privacy laws in the United States tend to be sector specific. There are federal laws in the health care/medical sector and in financial services. Therefore, for ease of reference, the terms below are split into three sections:

  • generally applicable terms;
  • terms applicable in the health care/medical sector; and
  • terms applicable in the financial services sector.

2.1 Generally applicable terms

The following terms are those terms which are not used specifically within a particular sector.

2.1.1 Anonymized data

This is data that has had all identifying information removed, so that it can never be associated with a particular person again. See the definition of ‘anonymize’ at Merriam-Webster.com.

2.1.2 Biometric identifier

The examples listed below are state law definitions of the term ‘biometric identifier.’

  • A retina or iris scan, fingerprint, voiceprint, or scan or record of hand or face geometry. See, 740 ILCS 14/10 and Tex Bus & Com Code 503.001.
  • Data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. See, Washington State's RCW 19.375.010.
  • An individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. See, Cal Civ Code 1798.140.

2.1.3 Breach of the security of a system (data breach)

This term is defined in state laws requiring notification of a breach as: the unauthorized acquisition or access of computerized data that results in a compromise of the security, confidentiality, or integrity of computerized data. Good faith acquisition of data by certain delineated parties (eg, an employee or agent of the business that collects the data) is not regarded as a breach, provided that the personal information is not used for, or is not subject to, unauthorized disclosure. See, for example, La Rev Stat 51:3073; Minn Stat 325E.61; NY Gen Bus Law 899-aa and SDCL 22-40-19. The NIST defines data breach as ‘[a]n incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. Exposed information may include credit card numbers, personal health information, customer data, company trade secrets, or matters of national security, for example.’ US Department of Commerce National Institute of Standards and Technology (NIST) Glossary.

2.1.4 Data broker

This is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the third-party business does not have a direct relationship. See, Cal Civil Code section 1798.99.80 and 9 VSA section 2430(4).

2.1.5 Data privacy

There is no legal, formal or universally accepted definition of data privacy, but this term is generally used to describe a subset of data protection that is focused on the handling and sharing of an individual’s personal data (eg, health information) combined with information that could identify a particular individual (eg, their address, phone number, email address, and credit card number).

2.1.6 Data security

There is no specific legal or universally accepted definition of data security, but this term is generally used to describe the practice of safeguarding information from unrestricted access that could lead to theft or corruption of the data.

2.1.7 Encryption

There isn't a uniform definition of encryption. The federal definition of 'encryption' is the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material. See, 16 CFR 314.2. Alternatively, one state says ‘encryption’ means the disguising of data using generally accepted practices. See, Me Rev Stat tit 12, sec 1347.

2.1.8 Personal data or personal information

The NIST defines the term as ‘[i]nformation that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.’ See, NIST Special Publication 800-37, rev 2.

Other federal laws governing the use and protection of personal data or information may apply more narrowly tailored definitions based upon the type of information afforded protection. For example, the Children’s Online Privacy Protection Act (COPPA) defines the term ‘personal information’ as the individually identifiable information about an individual collected online, including:

  • a first and last name;
  • a home or other physical address including street name and name of a city or town;
  • an email address;
  • a telephone number;
  • a Social Security number;
  • any other identifier that the Federal Trade Commission determines permits the physical or online contacting of a specific individual; or
  • information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier listed above.

State laws typically define the term to include an individual’s first name or first initial and last name, in conjunction with the individual’s Social Security number, driver’s license or state-issued identification card number, or financial account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. In some jurisdictions, an individual’s medical or health insurance information, or biometric data, is included in the definition. The term does not include publicly available information (eg, information in unredacted court records). See, for example, Ark Code 4-110-103, Me Rev Stat tit 12, sec 1347, 73 PS 2302, and 9 Vt Stat Ann 2430.

2.1.9 Personal identifiable information (PII)

This is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. The term includes information that directly identifies an individual (eg, name, address, Social Security number or other identifying number or code, telephone number, email address, etc) or information by which an agency intends to identify specific individuals, in conjunction with other data elements – such as a combination of gender, race, birth date, geographic indicator, and other descriptors – ie, indirect identification. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. See, the ‘Guidance on the Protection of Personal Identifiable Information’ on the US Department of Labor website.

2.1.10 Pseudonymized data

This is data that has been de-identified through the replacement of an identifier (or identifiers) with a pseudonym in order to hide the identity of that data. Other information can be combined with the pseudonymized data so that the data subject can once again be identified. See the definition of pseudonymization on the US Department of Commerce National Institute of Standards and Technology website.

2.1.11 Sensitive personally identifiable information

This is PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Examples of sensitive PII include an individual’s Social Security number, alien registration number, or biometric identifier (eg, fingerprint). See, US Department of Homeland Security’s website, ‘How to Safeguard Personally Identifiable Information’.

2.2 Terms applicable in the health care/medical sector

The following terms are those that are relevant to data privacy and security for those organizations operating within or with those in the health care/medical sector and, generally, subject to HIPAA.

2.2.1 Business associate

A person who:

  • on behalf of a covered entity or an organized health care arrangement (see the definition at 45 CFR 160.103), but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
  • provides, other than in the capacity of a member of the workforce of the covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity, where the provision of the service involves the disclosure of protected health information to the person. See, 45 CFR 160.103.

2.2.2 Covered entity

A ‘covered entity’ is defined as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form. See, 45 CFR 160.103.

2.2.3 Electronic protected health information (ePHI)

Individually identifiable health information that is transmitted by electronic media or maintained in electronic media. See, 45 CFR 160.103.

2.2.4 Health information

Any information, including genetic information, whether oral or recorded in any form or medium, that:

  • is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. See, 45 CFR 160.103.

2.2.5 Individually identifiable health information

Health information (as defined at 2.2.4) that is collected from an individual and which either identifies or can be used to identify the individual to which the information belongs. This includes demographic information. See, 45 CFR 160.103.

2.2.6 Protected health information (PHI)

This encompasses individually identifiable health information that is transmitted by, or maintained in, electronic media, or transmitted or maintained in any other form or medium. See, 45 CFR 160.103.

2.3 Terms applicable in the financial services sector

The following terms are relevant to data privacy and security for those organizations operating within or with those in financial services.

2.3.1 Creditor

This is an entity that regularly extends, renews, or continues credit; or regularly arranges for the extension, renewal, or continuation of credit; or is an assignee of an original creditor who participates in the decision to extend, renew, or continue credit. See, 15 USC section 1681m.

2.3.2 Financial institution

A bank, savings and loan association, federal credit union, or a person that holds a transaction account belonging to a consumer. See, 15 USC 1681a.

2.3.3 Identity theft

This is a fraud committed or attempted without authority using the identifying information of another person. See, 12 CFR 1022.3.

2.3.4 Personally identifiable financial information

This is any information:

  • a consumer provides to obtain a financial product or service;
  • about a consumer resulting from any transaction involving a financial product or service; or
  • otherwise obtained about a consumer in connection with providing a financial product or service to that consumer. See, 16 CFR 313.3.

2.3.5 Non-public personal information

Any ‘personally identifiable financial information’ and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. See, 16 CFR 313.3.

2.3.6 Privacy by design

‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. Although this idea is not directly embedded into US law, its principles influence many upcoming data privacy and incident response plans.

See further How-to guide: How to implement privacy by design within your organization.

2.3.7 Red flag

A pattern, practice, or specific activity that indicates the possible existence of identity theft. See, 16 CFR 681.1.

Additional resources

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Collection and use of non-consumer data 
Regulation of data brokers 
