A
Adequacy Decision
A ruling by the European Commission that a non-EU country provides an adequate level of data protection, allowing personal data to flow there from the EU without additional safeguards. Countries with adequacy decisions include Japan, South Korea, and the UK (post-Brexit). The US does not have a blanket adequacy decision, though the EU-US Data Privacy Framework covers participating companies.
GDPR
Arbitration Clause
A provision in Terms & Conditions requiring disputes to be resolved through private arbitration rather than a court trial. Arbitration is typically faster and cheaper than litigation, but waives the user's right to a jury trial and often prohibits class action lawsuits. In the US, arbitration clauses are broadly enforceable; in the EU, they are more restricted and cannot remove consumers' rights to bring claims in their local courts.
General
B
Binding Corporate Rules (BCRs)
Internal privacy policies used by multinational companies to transfer personal data within their corporate group across borders in compliance with GDPR. BCRs must be approved by EU data protection authorities. They're an alternative to Standard Contractual Clauses for intra-group transfers.
GDPR
C
CCPA (California Consumer Privacy Act)
A California state law that gives California residents the right to know what personal information is collected about them, the right to delete it, and the right to opt out of its sale. It applies to for-profit businesses that meet at least one of: annual gross revenue over $25 million, buying/selling personal information of 100,000+ consumers/households, or deriving 50%+ of annual revenues from selling personal information. Enhanced by CPRA (California Privacy Rights Act) in 2023.
CCPA
CalOPPA (California Online Privacy Protection Act)
A California law requiring any commercial website or online service that collects personally identifiable information from California residents to post a Privacy Policy. CalOPPA has a broader reach than CCPA — it applies to businesses of any size that collect PII from Californians, regardless of revenue. Given California's population, this effectively means most US consumer-facing websites need a Privacy Policy.
CCPA
Consent
Under GDPR, a valid legal basis for processing personal data where the individual has given a clear, specific, informed, and unambiguous indication of agreement. Consent must be freely given (not bundled with service terms as a condition), specific (for each stated purpose), informed (the person must understand what they're agreeing to), and revocable (users must be able to withdraw at any time, as easily as they gave it). Pre-ticked boxes, vague "by using this service" language, and silence do not constitute valid GDPR consent.
GDPR
Cookie
A small text file placed on a user's device by a website. Cookies can be "first-party" (set by the site you're visiting) or "third-party" (set by external services like advertisers or analytics providers). "Session cookies" expire when you close the browser; "persistent cookies" remain until they expire or are deleted. Under GDPR and the ePrivacy Directive, non-essential cookies (analytics, advertising) generally require prior user consent before being placed.
GDPR
Cookie Policy
A legal document (sometimes part of a Privacy Policy, sometimes separate) that explains what cookies a website uses, what each cookie does, which are essential vs. non-essential, and how users can manage or opt out of cookies. Required under the EU's ePrivacy Directive for websites that use non-essential cookies to serve EU visitors.
General
D
Data Controller
Under GDPR, the entity that determines the purposes and means of processing personal data. As a website or app operator, you are typically the data controller — you decide what data to collect, why, and how to use it. This is distinct from a data processor (which processes data on your behalf). Controllers bear the primary legal responsibility for compliance.
GDPR
Data Processor
Under GDPR, a third party that processes personal data on behalf of a data controller, following the controller's instructions. Your cloud hosting provider, email marketing platform, analytics tool, and payment processor are typically data processors. Controllers must sign a Data Processing Agreement (DPA) with each processor, specifying what they can and cannot do with the data.
GDPR
Data Protection Officer (DPO)
A role required under GDPR for certain types of organizations: public authorities, organizations that monitor individuals at large scale, or organizations that process special categories of sensitive data on a large scale. The DPO oversees data protection strategy and compliance. Most small businesses and websites are not required to appoint a DPO, but it's good practice to have a designated privacy contact person.
GDPR
Data Subject
The identified or identifiable natural person to whom personal data relates. In the context of a website or app, your users are the data subjects. GDPR grants data subjects specific rights, including access to their data, correction, erasure, restriction of processing, data portability, and the right to object.
GDPR
Disclaimer
A statement that limits or denies your legal responsibilities for certain things — such as the accuracy of information on your site, the results of using your service, or liability for third-party content. Disclaimers are not a magic shield against all liability, but they help establish expectations and can reduce your exposure if users rely on your content in ways you didn't intend.
General
E
EULA (End User License Agreement)
A contract between a software developer or publisher and the end user of that software, defining how the software may be used. EULAs are especially common for desktop apps, mobile apps, games, and SaaS products. They typically cover: license grant (what the user is allowed to do), restrictions (what they cannot do), intellectual property ownership, liability limits, and termination conditions.
General
G
GDPR (General Data Protection Regulation)
The European Union's comprehensive data protection law, in force since May 25, 2018. GDPR applies to any organization processing personal data of people in the EU, regardless of where that organization is located. It establishes rights for data subjects, obligations for controllers and processors, requirements for Privacy Policies, rules on data transfers, and significant penalties for non-compliance (up to €20 million or 4% of global annual turnover, whichever is higher).
GDPR
I
Indemnification
A contractual obligation by which one party agrees to compensate the other for losses or legal expenses arising from specified events. In Terms & Conditions, you typically include an indemnification clause requiring users to indemnify you against claims arising from their misuse of your platform — for example, if a user posts infringing content and a copyright holder sues you.
General
IP Address
Internet Protocol address — a numerical label assigned to each device on a network. IP addresses qualify as personal data under GDPR because they can potentially be used to identify individuals. This means that if your website logs IP addresses (which most web servers do automatically), you are collecting personal data and your Privacy Policy should disclose this.
GDPR
L
Legitimate Interests
One of the six legal bases for processing personal data under GDPR. You may process personal data if it's necessary for your legitimate business interests, provided those interests are not overridden by the individual's rights and interests. A balancing test is required: you must consider whether the individual would reasonably expect the processing and whether it could harm them. Commonly used for fraud prevention, network security, analytics, and direct marketing to existing customers.
GDPR
Limitation of Liability
A clause in Terms & Conditions that caps or excludes your legal responsibility for certain types of losses. For example: "In no event shall we be liable for any indirect, incidental, or consequential damages." Some limitations of liability are enforceable; others are not. In particular, consumer protection laws in the EU often prevent you from excluding liability for your own negligence or from limiting statutory consumer rights.
General
O
Opt-in vs. Opt-out
Two models for obtaining consent. Opt-in requires users to take an affirmative action to agree to something (e.g., checking a box to subscribe to marketing emails) — the default is no. Opt-out assumes agreement unless the user takes action to disagree (e.g., a pre-checked box). GDPR requires opt-in consent for marketing communications and non-essential cookies. CCPA gives consumers the right to opt out of the sale of their personal information.
GDPR
P
Personal Data (PII / Personal Information)
Any information that relates to an identified or identifiable natural person. Under GDPR, "personal data" is defined very broadly — it includes not just obvious identifiers like name, address, and email, but also IP addresses, cookie identifiers, location data, device IDs, and any other data that could be linked to an individual. The US term "Personally Identifiable Information" (PII) is narrower but conceptually similar.
GDPR
Privacy by Design
The principle that data protection should be built into systems and processes from the start, rather than added as an afterthought. GDPR requires data controllers to implement privacy by design as a legal obligation — meaning you should consider privacy implications when designing your product, minimize data collection, default to privacy-protective settings, and build in technical controls. A practical example: if you don't need a user's date of birth, don't collect it at all.
GDPR
Privacy Policy
A legal document that discloses how an organization collects, uses, stores, shares, and protects personal data. Required by law in most countries for any website or app that collects personal information. Must be written in clear, plain language, be easily accessible, and cover specific topics mandated by applicable laws (GDPR, CCPA, CalOPPA, etc.).
General
R
Right to be Forgotten (Right to Erasure)
A GDPR right allowing individuals to request that their personal data be deleted. The right applies in specific circumstances — such as when the data is no longer necessary, consent is withdrawn, or the processing is unlawful. It is not absolute: organizations may retain data when necessary to comply with a legal obligation, exercise or defend legal claims, or for archiving in the public interest. When you receive a valid erasure request, you generally have 30 days to respond.
GDPR
S
Standard Contractual Clauses (SCCs)
Pre-approved contract provisions issued by the European Commission for transferring personal data from the EU to non-adequate third countries. Using SCCs is one of the main mechanisms for legally transferring EU personal data to countries like the US that don't have an adequacy decision. If you use a US-based cloud service, email platform, or analytics tool to process EU user data, SCCs are typically in place through that provider's data processing agreement.
GDPR
Special Categories of Data
Under GDPR, certain types of personal data that are considered particularly sensitive and receive extra protection. These include: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life or sexual orientation data. Processing these categories requires specific legal grounds (typically explicit consent or specific exceptions) and extra care.
GDPR
T
Terms & Conditions (T&C / Terms of Service / ToS)
A legal agreement between a service provider and users that governs the use of a website, app, or platform. Terms & Conditions typically cover: acceptable use rules, intellectual property ownership, payment terms (if applicable), warranties and disclaimers, limitation of liability, dispute resolution (arbitration or jurisdiction), and termination conditions. Unlike a Privacy Policy (which is legally required for data collection), T&C are not legally mandatory — but they are strongly recommended for any commercial service.
General
Third-Party Processor
An external company that processes personal data on your behalf — your email marketing platform, cloud hosting provider, payment gateway, analytics tool, CRM, etc. Under GDPR, you must sign a Data Processing Agreement (DPA) with each processor, specifying the scope of processing, security obligations, and restrictions on what they can do with the data. Most major SaaS providers offer standard DPAs — check their privacy or legal documentation.
GDPR