Openli logo

Dictionary and explanation of compliance terminology

Audit trail

A series of electronic files or paper that show a chronological record or set of records, e.g. when a user first signed up to a service, at what time, from which IP address, what terms the user accepted and if e.g. later the user decides to opt-out, when did that event take place.

CCPA compliance

The California Consumer Privacy Act. An Act that concerns privacy rights and consumer protection for Californian residents.


A cookie is a file that is placed on a person’s computer or other IT equipment. It makes it possible to recognize the person’s computer and gather information about which pages and features are visited with the user’s browser.

Cookie banner

A cookie banner is a widget or other type of display on a website that informs users and visitors of how cookies are used and asks the visitors if they can accept the usage of non-necessary cookies like analytical cookies, marketing cookies and preference cookies.

Cookie policy

A cookie policy is a document where a company gives their users and visitors information about what cookies they use, what they are used for, also known as purposes, what information is collected, and when each cookie expires. The document is where in the world this data is sent. Many website owners choose to incorporate the cookie policy as a section of their privacy policy.

Data controller

A definition used in the GDPR. The data controller is the company that stores, collects and/or processes data about people and who determines the purposes of the data processing and the tools and ways that the data is processed/stored/deleted.

Data processor

A definition used in the GDPR. The data processor processes personal data on behalf of a data controller. The data processor does not determine the purposes for the data processing. The processor only acts in accordance with an instruction from the data controller, i.e processes the data on behalf of the controller.

Data Subject

A definition used in the GDPR. A data subject is a person who can be identified, either directly e.g. name, email, address, or indirectly e.g. by reference to an identifier, ID number, etc.


In the EU, a directive is a minimums law that must be incorporated into national law by every EU country individually. This is in contrast to a regulation that comes into effect as stated in the law.


Data Protection Officer. It's a definition used in the GDPR and a role companies in Europe is required to have if (a) the processing is carried out by a public authority; (b) the core activities of the controller or the processor relates to regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of sensitive data.

Explicit consent

Explicit consent is not defined in the GDPR. Explicit consent is a consent that must be a specific, informed and unambiguous expression of the person’s wishes and affirmed in a clear statement (whether oral or written).


The General Data Protection Regulation. A European Regulation concerning the protection of personal data.


Information Commissioner’s Office. It's the UK public authority who is responsible for upholding information rights, including the GDPR, PECR and the DPA. The ICO’s website is


A term especially used in connection with email marketing. It means that a person needs to opt in, i.e. actively say yes to receive email marketing, e.g. by ticking off the consent box “Yes, I want to receive email marketing from COMPANY A about…”. I.e no pre-ticked tick boxes or similar.


It means a company gives people the ability to choose not to receive email marketing. E.g. companies offer people an opt-out e.g. via an unsubscribe link. Opt-out also means that unticking a consent box will result in the user not receiving email marketing.


In the EU, a regulation is a law that becomes legally binding throughout the date that it comes into effect. This is in contrast to a directive that is a minimum law, that must be interpreted or incorporated by each country individually.

Right to Data Portability

It's a definition used in the GDPR. It's a right for people to get their personal data from e.g. a social media platform and upload it on another platform. I.e. the right for people to move, copy and/or transfer personal data easily from one IT environment to another.

Right to be forgotten

It's a definition used in the GDPR. It's also known as the “right to erasure” or the “right to be deleted”. It gives people a right to be forgotten, i.e. have their personal data erased. Companies must respond within 1 month after receiving a request from a person. It's important to remember that the right isn't absolute and that data doesn’t have to be deleted in all circumstances.

Right to information

It's a definition used in the GDPR. It's one of the most important rights in the GDPR; it gives people a right to be informed about the collection and use of their personal data. I.e. a data controller must tell people that they are processing data about the purposes for processing their personal data, the controller’s retention periods for that personal data, and who the data will be shared with.

Tracking cookies

Tracking cookies are small text files created to track user’s movements and interactions on a web browser.