
Default Cookie Settings

Consent & Rights

Default cookie settings can mean two things. Browser-level: what Chrome, Safari, and Brave allow out of the box. Chrome still permits third-party cookies in 2026, while Safari and Brave block them by default. Site-level: what a consent banner pre-selects before the user chooses. Under GDPR Recital 32, pre-ticked boxes don't count as consent, and the EDPB requires non-essential cookies to stay off by default until the user actively opts in. CNIL has fined sites where "Reject All" takes more clicks than "Accept All" or analytics tags fire before consent, and the ICO has warned the UK's most-visited sites over the same practices. CCPA flips this: processing is allowed by default unless the user opts out, including via a Global Privacy Control signal, which businesses must honour.

Third-Party Data

Data Governance

Third-party data is personal or behavioural data collected by an entity with no direct relationship to the individual, then sold or licensed for targeting, lookalike audiences, or B2B enrichment. Common sources include data brokers like Acxiom, Experian, and LiveRamp. It contrasts with first-party data (collected directly from your own visitors) and zero-party data (explicitly volunteered by the user). The category has collapsed in 2024-2026: Chrome's announced (and later abandoned) third-party cookie deprecation, Apple's App Tracking Transparency, and GDPR consent requirements pushed brands toward first-party strategies and data clean rooms such as Snowflake's and InfoSum's. Under GDPR, third-party data still needs a lawful basis, and because it wasn't obtained from the individual, the Article 14 transparency duty applies; under CCPA, selling or sharing it triggers opt-out rights.

Personalization Cookies

Tracking Tech

Personalization cookies store behaviour, history, and inferred preferences to tailor the content, recommendations, or experience a visitor sees: recommended products, "people who watched this also liked", personalised homepage layouts. They're distinct from customization cookies: customization stores settings the user explicitly chose (language, theme), while personalization is derived from behaviour. Under GDPR and ePrivacy, personalization cookies are not strictly necessary and require opt-in consent before they fire; the EDPB is clear that "improves UX" doesn't make behavioural profiling exempt. Under CCPA and CPRA, personalization built on data collected across other businesses' sites and apps counts as cross-context behavioral advertising, which means opt-out rights and honouring GPC signals.

First-Party Cookie

Tracking Tech

A first-party cookie is set by the same site as the one shown in the browser's address bar (the same registrable domain, so shop.example and www.shop.example count as one site). It's used for session management, authentication, preferences, shopping carts, and first-party analytics. Google Analytics' _ga is first-party: even though Google processes the data, the cookie is written by script running on your page and scoped to your domain. Third-party cookies are set by a different site, such as an ad network or an embed. First-party doesn't mean exempt from consent. Under GDPR and ePrivacy, a first-party analytics or marketing cookie still needs opt-in consent before it fires; only "strictly necessary" cookies are exempt. Safari's ITP caps first-party cookies written from JavaScript (document.cookie) at 7 days, whatever expiry the script sets; cookies set by your own server in a Set-Cookie header generally keep their full lifetime.

Customization Cookies

Tracking Tech

Customization cookies store user-chosen preferences like language, region, currency, theme, font size, or accessibility settings, so the site remembers them across pages and visits. Common examples include lang, _locale, theme, and currency. Vocabulary varies: most CMPs treat customization as a sub-type of "functionality cookies", alongside "personalization cookies" (which involve broader behavioural data). Under GDPR and ePrivacy Article 5(3), customization cookies are exempt from consent if the preference was actively chosen by the user and the cookie only delivers that choice. If the preference is inferred or used for profiling, opt-in consent is required. Under CCPA they are low risk: opt-out rights only come into play if the stored data is sold or shared.

Unauthorised Disclosure

Data Governance

Unauthorised disclosure is when personal data is shared or made available to someone who has no lawful basis to receive it. Under GDPR Article 4(12), it's one form of personal data breach, alongside accidental or unlawful destruction, loss, alteration, and unauthorised access. The most common cause isn't hackers; it's a misaddressed email, a reply-all to a mailing list, or a storage bucket left publicly readable. If the disclosure is likely to result in a risk to people's rights and freedoms, Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of it (not of when it happened), and Article 34 adds notification to the affected individuals where the risk is high.

Data Protection Authority (DPA)

Privacy Laws

A Data Protection Authority (DPA) is an independent public body that enforces data protection law in a given jurisdiction, what GDPR Article 51 formally calls a "supervisory authority". Each EU member state has at least one: France's CNIL, Italy's Garante, Spain's AEPD, Ireland's DPC. Germany has 17. Major non-EU regulators include the UK's ICO, California's CPPA, Australia's OAIC, and Brazil's ANPD. DPAs investigate complaints, audit organisations, issue binding decisions, and fine up to €20 million or 4% of global annual turnover, whichever is higher. One catch: "DPA" also stands for Data Processing Agreement, the Article 28 contract between controller and processor.

Disclaimer

Privacy Laws

A disclaimer is a statement that limits a publisher's liability or warns visitors about how far to rely on a website's content, products, or services. Common types include no-guarantee, professional advice (medical, legal, financial), affiliate, copyright and fair use, and, increasingly, AI-generated content disclaimers. Placement matters: clickwrap acceptance is strongest, a dedicated page or the terms of service is solid, a footer link is weakest. Disclaimers can shield against ordinary negligence, but they can't disclaim fraud, gross negligence, or statutory consumer protections under the UK Consumer Rights Act or US FTC rules. Boilerplate copied from a similar site rarely holds up.

Subject Access Request (SAR)

Consent & Rights

A subject access request (SAR) is a request to see what personal data an organisation holds about you, under UK GDPR Article 15. The response must include a copy of the data plus information on purposes, recipients, retention periods, the source of the data, and any automated decision-making. The ICO requires a reply within one calendar month, extendable by a further two months for complex or numerous requests. The first copy is free; a fee or refusal is only allowed for manifestly unfounded or excessive requests, and the ICO sets that bar high. SARs are common in UK employment disputes. Failures can attract ICO fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

Data Retention Policy

Data Governance

A data retention policy is the documented set of rules that defines how long an organisation keeps each category of personal data and what happens at the end: deletion, anonymisation, or archival. It's how organisations meet the GDPR Article 5(1)(e) storage limitation principle: personal data can't be kept longer than necessary for the purpose. A working policy covers categories separately: customer records, employee data, financial records tied to tax law, marketing data, and consent logs (CNIL benchmarks roughly 5 to 6 years for proof of consent). The common failure isn't writing the policy; it's enforcing it across legacy systems, backups, and third-party processors.

Cookie Consent

Consent & Rights

Cookie consent is the explicit permission a website visitor gives before cookies and similar tracking technologies (pixels, fingerprinting scripts, tracking links) can store or access information on their device. Under the GDPR and the ePrivacy Directive, that consent must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action; the CPRA uses the same definition for the cases where it requires consent rather than an opt-out, such as selling data about under-16s. Pre-ticked boxes, scrolling, and "Accept All" walls with no equivalent reject option don't count. A working cookie consent setup does three things at once: blocks non-essential trackers until the visitor chooses, logs each decision so the controller can demonstrate consent (GDPR Article 7(1)), and lets people withdraw consent as easily as they gave it.

Google Analytics Cookies and GDPR

Tracking Tech

Google Analytics cookies like _ga, _gid, and _gat aren't GDPR-compliant by default. They count as personal data because the identifiers can single out users, and since they're not strictly necessary, GA needs opt-in consent before the script fires. A proper setup has three pieces: a consent tool that blocks GA until the visitor accepts, Google's data processing terms accepted in the GA admin settings (the Article 28 processor contract), and reliance on the EU-US Data Privacy Framework for transfers to US servers. Google Consent Mode v2 helps by adjusting GA's behaviour when consent is denied, but it doesn't replace any of those three pieces. It also comes in two flavours: basic, where the tag isn't loaded at all until consent is given, and advanced, where the tag loads immediately and sends cookieless pings while consent is denied. The advanced mode still contacts Google's servers before the visitor has chosen, so for EU visitors the basic implementation is the safer reading of ePrivacy.

Cookies and Pixels

Tracking Tech

Cookies and pixels are the two most common website tracking technologies, often treated as interchangeable. A cookie is a small name=value record that the browser stores and sends back on later requests to the site that set it, like Google Analytics' _ga. A pixel is a 1x1 invisible image or HTML snippet that fires a server request on page load; the request itself carries the page URL, referrer, and whatever identifiers the tracker appends, and the response often plants a cookie via the Set-Cookie header. The Meta Pixel works exactly this way in its <noscript> fallback. Under ePrivacy Article 5(3) and the EDPB's Guidelines 2/2023 on its technical scope (finalised in 2024), both require prior consent: a pixel isn't exempt just because it stores nothing on the device, since it still reads information from it and transmits it. Most cookie banners disclose cookies but ignore pixels, a gap CNIL has started fining for.

Persistent Cookies

Tracking Tech

Persistent cookies stay on a visitor's device after the browser closes, with an explicit expiry set through the Expires or Max-Age attribute (a cookie with neither is a session cookie; if both are present, Max-Age wins). Lifespans range from days to two years: Google Analytics' _ga defaults to two years; a "remember me" token might last 30 days. Persistent doesn't mean tracking: a first-party cookie storing a language preference is fine; a third-party ad cookie following you across sites isn't. Under GDPR and ePrivacy, persistent cookies need opt-in consent unless strictly necessary. CNIL recommends re-collecting consent after 6 months and caps consent-exempt audience-measurement cookies at 13 months. Safari's ITP further caps persistent first-party cookies written from JavaScript at 7 days, whatever expiry you set; cookies set by your own server are not subject to that cap.
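To make the distinctions in the First-Party Cookie, Cookies and Pixels, and Persistent Cookies entries concrete, here is an added JavaScript example. It is not ConsentBit's code and not any browser's actual implementation: it parses Set-Cookie headers, decides first- versus third-party against the page host, computes lifetime from Max-Age or Expires (Max-Age wins when both appear, per RFC 6265), and applies a simplified model of Safari's 7-day cap on script-written cookies. The registrable-domain shortcut (last two labels), the hostnames shop.example and tracker.example, the cookie name pid and the sample headers are all constructed for the example; real code must use the Public Suffix List, and ITP has more rules than the one modelled here.

```javascript
// Added example (not ConsentBit's or any browser's code): a small cookie audit helper
// modelling first/third party, persistence and Safari's script-cookie cap.

const DAY = 86400;
const ITP_SCRIPT_COOKIE_CAP = 7 * DAY; // Safari ITP cap on cookies written via document.cookie (simplified)

// Simplified registrable-domain check: last two labels. ASSUMPTION for the example;
// real code must use the Public Suffix List (co.uk, github.io, ...).
function registrableDomain(host) {
  const labels = host.replace(/^\./, "").toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// First-party = the cookie's domain sits on the same site as the page in the address bar.
function classifyParty(pageHost, cookieDomain) {
  return registrableDomain(pageHost) === registrableDomain(cookieDomain || pageHost)
    ? "first-party" : "third-party";
}

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq).trim(),
    value: eq === -1 ? pair : pair.slice(eq + 1).trim(),
    domain: null, path: "/", expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : a.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.toLowerCase();
    else if (key === "path") cookie.path = val || "/";
    else if (key === "expires") cookie.expires = Date.parse(val); // NaN if unparseable
    else if (key === "max-age") cookie.maxAge = parseInt(val, 10);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie. Per RFC 6265 section 4.1.2.2,
// Max-Age takes precedence over Expires when both are present.
function lifetimeSeconds(cookie, nowMs) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) return Math.max(cookie.maxAge, 0);
  if (cookie.expires !== null && !Number.isNaN(cookie.expires)) {
    return Math.max(Math.round((cookie.expires - nowMs) / 1000), 0);
  }
  return null;
}

// What the browser will actually keep. Only Safari's 7-day cap for cookies written
// from JavaScript is modelled; server-set cookies keep their nominal lifetime here.
function effectiveLifetime(cookie, { nowMs, setByScript, safariITP }) {
  const nominal = lifetimeSeconds(cookie, nowMs);
  if (nominal === null) return null;
  return safariITP && setByScript ? Math.min(nominal, ITP_SCRIPT_COOKIE_CAP) : nominal;
}

// Audit an observed response (e.g. a tracking-pixel request) against the page and the
// consent state: one record per Set-Cookie header.
function auditResponse({ pageHost, requestHost, setCookieHeaders, consented, nowMs }) {
  return setCookieHeaders.map(h => {
    const c = parseSetCookie(h);
    const party = classifyParty(pageHost, c.domain || requestHost);
    const lifetime = lifetimeSeconds(c, nowMs);
    return {
      name: c.name,
      party,
      persistent: lifetime !== null,
      lifetimeDays: lifetime === null ? 0 : lifetime / DAY,
      // Only strictly necessary cookies may be set before consent. ASSUMPTION for this
      // sample: anything a third-party tracker sets is non-essential.
      violation: !consented && party === "third-party",
    };
  });
}

// Constructed sample: a 1x1 pixel on www.shop.example answered by px.tracker.example
// before the visitor has made any choice.
const sampleAudit = auditResponse({
  pageHost: "www.shop.example",
  requestHost: "px.tracker.example",
  setCookieHeaders: [
    "pid=7f3a; Domain=tracker.example; Path=/; Max-Age=63072000; SameSite=None; Secure",
  ],
  consented: false,
  nowMs: Date.UTC(2026, 9, 1),
});
```

Run it under Node; auditResponse takes plain header strings, so the same function can be pointed at the response headers in a HAR export to list every cookie a page sets before consent.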

Data Minimisation

Data Governance

Data minimisation is the GDPR Article 5(1)(c) principle that personal data must be adequate, relevant, and limited to what is necessary for the stated purpose. Every field a business collects has to pass that three-part test. Verifying a user is over 18? Ask for age confirmation, not a date of birth. Newsletter signup? Email is enough; a phone number is excess. Data minimisation pairs with purpose limitation and storage limitation: collect for a defined reason, keep only what you need, delete when done. The 2026 EDPB AI guidelines apply the same logic to model training data.

What is a DPO?

Privacy Laws

A Data Protection Officer (DPO) is the independent expert who oversees an organisation's GDPR compliance: advising on data practices, supporting DPIAs, monitoring compliance, and acting as the contact point for data subjects and regulators. Under GDPR Article 37, a DPO is mandatory only when an organisation is a public authority, its core activities involve large-scale regular and systematic monitoring of individuals, or its core activities involve large-scale processing of special category or criminal offence data. The DPO can be internal or outsourced but must report directly to the highest management level (Article 38); a CTO or head of marketing can't double up without a conflict of interest, because they decide the purposes the DPO would have to scrutinise. Failing to appoint one when required risks fines of up to €10 million or 2% of global annual turnover. CCPA and CPRA don't require one.

What is a DSAR?

Consent & Rights

A Data Subject Access Request (DSAR) is a formal request from an individual asking an organisation to confirm whether it's processing their personal data and, if so, to provide a copy plus supplementary information: purposes, recipients, retention periods, the source of the data, and any automated decision-making. Under GDPR Article 15, organisations must verify the requester's identity and respond within one calendar month, free of charge unless the request is manifestly unfounded or excessive, with up to two months' extension for complex requests. Under CCPA, the parallel "right to know" allows 45 days (extendable by a further 45) and is free up to twice in any 12-month period. DSARs are distinct from deletion (Article 17) and portability (Article 20) requests.

No Guarantee Disclaimer

Privacy Laws

A No Guarantee Disclaimer is a notice on a website telling visitors that the publisher doesn't promise the content is accurate, complete, or reliable, and that they use it at their own risk. It usually appears in the footer, inside the terms of service, or at the top of high-risk articles: health, finance, legal advice, or AI-generated content. The disclaimer can protect against ordinary negligence claims, but it can't shield against fraud, gross negligence, or statutory consumer protections. It works best when accepted through a clickwrap step; a quiet footer notice is the weakest version.

Consent Withdrawal

Consent & Rights

Consent withdrawal is the right to revoke previously given consent at any time, with no need to give a reason. It's set out in GDPR Article 7(3). The mechanism to withdraw has to be as easy as the original opt-in: a one-click preference centre or a persistent "change preferences" button, not a buried link, email request, or login wall. Withdrawal only stops future processing; it doesn't make anything done lawfully before it unlawful, and it doesn't automatically delete data, which is a separate right under Article 17. Organisations also have to inform users of this right before collecting consent in the first place.

Analytics Cookies

Tracking Tech

Analytics cookies record how visitors use a website (pages viewed, session length, click paths, traffic sources, device type) so site owners can measure performance and improve UX. Common examples include Google Analytics (_ga, _gid), Matomo, Hotjar, and Mixpanel, with lifespans from a single session up to two years. Under the GDPR and the ePrivacy Directive, analytics cookies aren't strictly necessary, so they need opt-in consent before firing, even first-party ones, unless they fall under a narrow national exemption for privacy-preserving audience measurement (CNIL's conditions include first-party use only, no cross-site tracking, truncated IP addresses, and a 13-month lifetime cap). CCPA uses an opt-out model. With Google Consent Mode v2, setting analytics_storage to denied by default keeps GA's cookies off until the visitor approves; Consent Mode denies nothing on its own, the default has to be declared.
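The gating described in the Cookie Consent, Google Analytics Cookies, Consent Withdrawal and Analytics Cookies entries, as an added example that is neither ConsentBit's code nor Google's: a minimal consent gate in JavaScript that mirrors Consent Mode v2's gtag('consent', 'default', ...) and gtag('consent', 'update', ...) calls, holds non-essential tags until their category is granted, records each decision as a proof-of-consent log, supports one-call withdrawal, and derives the default state from the regime (opt-in for GDPR/ePrivacy, opt-out for CCPA, with a Global Privacy Control signal treated as an opt-out of sale/sharing). The gtag/dataLayer shim, the regime names "optin" and "optout", and the in-memory log are assumptions made for the example; a real CMP persists the log server-side and hands the queue to the real gtag.js.

```javascript
// Added example: a consent gate modelled on Google Consent Mode v2. Not ConsentBit's
// code and not Google's tag code; the gtag/dataLayer shim only mirrors the real
// snippet's queueing so the example runs without a browser (ASSUMPTION).

const CONSENT_TYPES = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];
const SALE_SHARE_TYPES = ["ad_storage", "ad_user_data", "ad_personalization"];

const dataLayer = [];                   // stands in for window.dataLayer
function gtag() { dataLayer.push(Array.from(arguments)); }

const consentState = {};                // current value ("granted"/"denied") per consent type
const consentLog = [];                  // proof-of-consent records (in-memory for the example)
const pendingTags = [];                 // loaders held back until their category is granted

// Read the browser's Global Privacy Control signal; false outside a browser.
function detectGpc() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// Site-level default, which must be pushed before any tag fires.
// regime "optin"  (GDPR/ePrivacy): everything denied until the visitor acts.
// regime "optout" (CCPA/CPRA): allowed by default, but a GPC signal is a valid
// opt-out of sale/sharing, so the ad-related types go to denied.
function setDefaultConsent({ regime, gpc }) {
  for (const t of CONSENT_TYPES) {
    let value = regime === "optout" ? "granted" : "denied";
    if (regime === "optout" && gpc && SALE_SHARE_TYPES.includes(t)) value = "denied";
    consentState[t] = value;
  }
  gtag("consent", "default", { ...consentState, wait_for_update: 500 });
  consentLog.push({ ts: Date.now(), event: "default", regime, gpc, state: { ...consentState } });
  return { ...consentState };
}

// Register a tag loader: it runs now if its category is granted, otherwise it waits.
function gateTag(category, loader) {
  if (!CONSENT_TYPES.includes(category)) throw new Error(`unknown consent type: ${category}`);
  if (consentState[category] === "granted") { loader(); return true; }
  pendingTags.push({ category, loader });
  return false;
}

// Visitor decision from the banner or preference centre, e.g. { analytics_storage: true }.
// Pushes the update, logs it, releases held tags whose category is now granted,
// and returns how many were released.
function updateConsent(choices, source) {
  const update = {};
  for (const t of CONSENT_TYPES) {
    if (t in choices) {
      consentState[t] = choices[t] ? "granted" : "denied";
      update[t] = consentState[t];
    }
  }
  gtag("consent", "update", update);
  consentLog.push({ ts: Date.now(), event: source, state: { ...consentState } });
  let released = 0;
  for (let i = pendingTags.length - 1; i >= 0; i--) {
    if (consentState[pendingTags[i].category] === "granted") {
      const { loader } = pendingTags.splice(i, 1)[0];
      loader();
      released++;
    }
  }
  return released;
}

// Withdrawal (GDPR Art. 7(3)): one call, no reason needed. It stops future processing
// and is logged like any other decision; erasing data already collected is a separate right.
function withdrawConsent() {
  const all = {};
  for (const t of CONSENT_TYPES) all[t] = false;
  return updateConsent(all, "withdraw");
}

function getConsentState() { return { ...consentState }; }
function getConsentLog() { return consentLog.slice(); }
function getDataLayer() { return dataLayer.slice(); }

// Page usage (guarded so the example also runs under Node):
if (typeof window !== "undefined") {
  setDefaultConsent({ regime: "optin", gpc: detectGpc() });
  gateTag("analytics_storage", () => { /* inject the GA4 gtag.js <script> here */ });
}
```

Because the default is pushed before any loader is registered and loaders only run from updateConsent, this is the "basic" Consent Mode pattern: nothing from the analytics vendor reaches the page until the visitor grants the category, and the log gives the controller the Article 7(1) record of what was granted, when, and from which surface.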
