The challenge of semantics in privacy

By Emily Leach

Business. Controller. Data fiduciary. All of these terms mean roughly the same thing in privacy parlance: An organization (in most cases) that collects information about a person (often directly from that person) and that has control over what’s done with that information.

Processor and service provider. These terms also mean roughly the same thing. Then of course, there’s sensitive personal information v. special categories of personal information; personal information v. personally identifiable information v. personal data; data subject v. consumer v. data principal; privacy policy v. privacy notice v. privacy statement; access v. disclosure. Similar terms that mean almost the same thing, but not quite. Identical terms that mean different things from one jurisdiction to the next. The list of these is long.

For anyone who’s been working in privacy for any length of time, this lack of consistent terminology and definitions is not news, and most of us have coping mechanisms. But when you’re talking to clients who have been doing other work for the past 10+ years and are thrust (often begrudgingly) into this new world of privacy, it can be very confusing and very frustrating.

On top of that, there are terms that have an intuitive meaning outside privacy that privacy laws define in a less than intuitive way.

Take “publicly available information” for example. Publicly available information is exempt from the California Consumer Privacy Act. Being a logical person of the world, you might think: “Twitter posts are publicly available, so obviously they’re out of scope of CCPA.” But that’s not true. The CCPA defines publicly available information as information made public by government bodies, putting Twitter posts out of the running. “But,” you may say, “Posting to Twitter is like shouting into a public square!” Totally true. Alas, it is not publicly available information under CCPA.

Similarly, it would be nice to be able to rely on intuition and general knowledge to understand what constitutes personal information or sensitive information, but the fact is you can’t. And let’s be honest, while it’s nice to see state legislatures picking up the ball where the U.S. government refuses to, it’s not making the problem any better. As more states pass privacy laws, we will only get more variations on these definitions and more nuances that businesses, which already can’t keep up, will have to know and comply with.

One advance in this effort would be a federal privacy law that preempts state laws: one set of rules and definitions for the whole country. While there are still significant differences in perspective on what the rules should be, maybe a good initial step would be to have no rules at all. Bear with me here. What I mean is that if a federal law could just preempt the definitions and then leave the rulemaking to the states, we would still be significantly better off. And when I say significantly, we would all have a single definition of what that meant!

Even with these improvements, understanding your privacy obligations requires a knowledgeable team that has the appropriate resources and leadership. But the current word salad increases the likelihood of getting the fundamentals wrong and opening yourself up to significant risk. Regulatory risk, yes. But getting privacy wrong also comes with the risk of losing the trust you’ve worked hard to build with your customers.

If your company doesn’t have the resources for an in-house privacy team, bringing in a privacy consultant may be the perfect solution for you. At Sentinel, we have decades of privacy experience working with companies ranging from large multi-national tech firms to smaller U.S.-based retailers.
