Digital Identity: A digital identity is an online or networked identity adopted or claimed in cyberspace by an individual, organization, or electronic device. With each upload, each click, and every second you spend online, you leave behind some traces of your identity in cyberspace which in totality forms your digital identity.
Personally Identifiable Information (PII): Personally identifiable information represents any sensitive information connected to an individual that can identify or pinpoint their location. While PII has several formal definitions, generally speaking, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Personally Protected Information (PPI): PPI refers to information that is non-public and protected by the government. This includes a person’s social security number, home address, date of birth, and home phone number.
Anonymization: Anonymization is a data processing technique that removes or modifies personally identifiable information to create data sets that inform but do not reveal the identities of the people represented.
Pseudonymization: Data processing under pseudonymization creates a separation between the data subject and the personal data. A person cannot be identified without additional data that is stored separately. Compliance laws like the GDPR advise organizations to pseudonymize and/or encrypt all personal data. This encryption may not stop malicious actors from accessing the information altogether, but it does make it much harder for them.
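The following is an added example, not part of the original text, that contrasts the two definitions above: pseudonymization replaces direct identifiers with a keyed token whose key and token-to-identity mapping are held separately (so re-identification needs that separately stored data), while anonymization drops direct identifiers and generalizes the rest with nothing kept for reversal. The records, field names and key are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample records; not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "dob": "1988-04-12", "zip": "94107", "purchases": 3},
    {"name": "Bob Sample", "email": "bob@example.net",
     "dob": "1975-11-30", "zip": "10001", "purchases": 1},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key, vault):
    """Replace direct identifiers with a keyed HMAC token.

    The secret key and the token -> identity mapping (vault) are the
    'additional data stored separately'; the returned records alone
    cannot be linked back to a person.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        vault[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **rest})
    return out


def reidentify(record, vault):
    """Only possible with access to the separately stored vault."""
    return vault.get(record["subject"])


def anonymize(records):
    """Drop direct identifiers and generalize quasi-identifiers.

    Date of birth becomes birth year and ZIP code is truncated, so the
    output informs (e.g. purchases per cohort) without naming anyone.
    Nothing is retained that would allow reversal.
    """
    return [
        {"birth_year": r["dob"][:4], "zip_prefix": r["zip"][:3],
         "purchases": r["purchases"]}
        for r in records
    ]
```

The pseudonymous output is deterministic for a given key, so the same person maps to the same token across datasets processed under that key, which is what makes the key itself sensitive.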
Consent: An independently offered indication of a person’s interest, through a statement or affirmative action, qualifies as consent around personal data so long as there is an option to withdraw consent (for instance via an ‘unsubscribe’ button at the bottom of marketing emails).
Explicit consent: Some data compliance laws require consent in the form of a written statement or a digital note, the key point being that it must be verifiable, something that would be difficult to do with an oral form of consent. This type of consent is called explicit consent.
Unambiguous consent: Unambiguous consent involves knowingly checking a box or agreeing to technical terms which clearly indicate in this context the data subject’s acceptance of the proposed processing of his or her personal data.
Opt-in consent: Opt-in consent requires organizations to obtain explicit consent from the user before collecting and processing their personal data. Explicit consent is sought by asking for an affirmative action indicating your consent to the processing of your personal data. For example, whenever you visit a website, you can manually opt in to have your online activity retained for various purposes.
Opt-out consent: Opt-out means that the recipient has to withdraw consent after your initial outreach. There are two main ways through which opt-out options are offered to the consumer:
a) Pre-emptive opt-out in which you can untick/uncheck a pre-selected checkbox
b) Consent withdrawal where you are provided a clear option to withdraw your permission or change your preferences through an unsubscribe button in your mail or newsletter.
Legitimate interest: An unspoken agreement (though enforced by laws like GDPR) that allows a user to trust that companies will use the data they collect for things of use or importance to the individual. It depends on purpose, necessity, and balance. As a company requesting data from a customer, you must ensure you have a legitimate interest in asking for the information and that this legitimate interest is not overridden by the individual’s interests, rights, or freedoms.
First-party data: The data you collect directly from your audience or customers is called first-party data. This data may include intent data from behaviors, actions or interests demonstrated across your website(s) or app(s), your CRM data, subscription data, or data from your social media accounts.
Second-party data: This is the data you get from another organization’s first-party data. Second-party data is similar to first-party data, but it comes from a source other than your own audience.
Third-party data: Third-party data is data that you buy from outside sources who generally do not hold data but source it on demand. A third-party data aggregator collects and organizes this data for you in compliance with data protection laws. A good example of this is FHG’s data processing as a service (DPaaS).
Walled gardens: A walled garden is a data approach where all information sought from customers is kept in a closed ecosystem with all operations managed by the ecosystem controller.
Dark patterns: Dark patterns are actions that nudge users into making uninformed choices about their personal data which they do not intend, typically to their own detriment and to the benefit of the organization. These may be tactics or practices intended to trick people on the internet into purchasing, committing to, or signing up for things without clearly understanding that they are doing it.
Now that we have gone through some common aspects of data compliance, we come to a differentiating factor: location. Data compliance is worldwide, but the laws differ depending on where you are or who you sell to.
In the following section, I will go into detail on different region-specific B2B data compliance laws.