Data Subjects - those whose data is being identified
Privacy Notice - external statement directed to current or potential customers.
Privacy Policies - internal documents directed to employees or contractors.
Both describe how personal information will be collected, stored, and used.
What’s in a privacy notice
Your organization's name and contact information
What information is collected, directly or indirectly
How your organization will use the information
With whom your organization will share the information
How the behavior of website users is monitored
How data subjects may exercise their rights
Privacy notices should be living documents, maintained in a life cycle that includes designing and developing, testing, releasing, and reviewing and updating where necessary.
A layered approach provides a high-level summary of the various sections of the privacy notice and allows users to read more about a section by clicking a link to it or scrolling below.
Icons or symbols can also be used to communicate privacy practices to data subjects.
A privacy dashboard offers a summary of privacy-related information and metrics and is easy to access and navigate.
Re-Evaluation of the Fair Information Practice Principles
Privacy notices inform individuals of an organization’s privacy practices, but do not solicit or imply consent. If an individual has a choice about the use or disclosure of their information, consent is that person’s way of giving permission for the use or disclosure.
If consent is required by law or regulation, there must be a method for obtaining and recording it.
Under the GDPR, electronic consent requires an affirmative act from the individual establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing.
There are two central concepts of choice: data subjects can either give their consent to processing by opting in, or withhold or revoke such consent by opting out.
The U.S. Children’s Online Privacy Protection Act (COPPA) and the GDPR set out specific rules regarding providing privacy notices to children and obtaining parental consent for processing their personal information.
Generally, privacy notices directed toward children should be presented in ways children can understand. For example, the Office of the Privacy Commissioner of Canada states, “Organizations should implement innovative ways of presenting privacy information to children and youth that take into account their cognitive and emotional development and life experience.”
Laws and regulations may establish an age threshold for consent.
Under the CCPA, the threshold is 13.
Many federal and state laws provide data subjects with rights of control over their personal information.
The Fair Credit Reporting Act (FCRA) grants several important rights to consumers with respect to how their data is used. Under FCRA, consumers can obtain access to all the information a consumer reporting agency has on file about them.
The Health Insurance Portability and Accountability Act (HIPAA), along with its implementing regulations including the Privacy Rule, regulates the use and disclosure of protected health information (PHI) and provides individuals with rights relating to their PHI.
The FTC created the National Do Not Call (DNC) Registry as a part of revisions to its Telemarketing Sales Rule (TSR).
The FTC allows individuals to forward unwanted or deceptive messages to the FTC in order to report them and, in effect, reduce the number of spam emails.
The Privacy Act of 1974 provides individuals with a right of access to their own records from each federal agency that maintains a system of records, upon receipt of a written request from an individual.
Under the Freedom of Information Act (FOIA), federal agencies are required to disclose any federal agency records or information upon request by the public, unless the request falls under one of the nine exemptions and three exclusions that protect national security interests, personal privacy and law enforcement interests, for example:
Information that is classified to protect national security
Information related solely to the internal personnel rules and practices of an agency
Information that is prohibited from disclosure by another federal law
Trade secrets or commercial or financial information that is confidential or privileged
Privileged communications within or between agencies
Information that, if disclosed, would invade another individual’s personal privacy
Information compiled for various law enforcement purposes
Information that concerns the supervision of financial institutions
Geological information on wells.
Increasingly, states have begun enacting laws that grant data subjects rights over their information. California has served as the national trendsetter in its enactment of various laws aimed at providing individuals with rights over how their information is processed.
California was the first state in the nation to require commercial website or online service operators to conspicuously post a privacy notice on their websites or online services.
The impact of the California Online Privacy Protection Act (CalOPPA) is wide-reaching, as the law applies to any website or online service operator in the United States and possibly the world whose website collects personally identifiable information (PII) from California consumers.
Separate but related to CalOPPA is California’s “Shine the Light” law, which is already in effect and gives California residents the right to request and be notified about how businesses use and share their personal information with other businesses for direct marketing purposes.
California’s “Online Eraser” law, which is designed to protect individuals under the age of 18, requires operators of websites, online services, online applications and mobile applications to permit minors who are registered users of services to request and remove content a minor may have posted on the operator’s website or application.
On June 28, 2018, the governor of California signed into law a landmark privacy bill. While lawmakers are discussing amending the law prior to its January 1, 2020, effective date, as the bill is currently written, the California Consumer Privacy Act of 2018 (CCPA)
Illinois, Washington and Texas have enacted biometric privacy laws that govern how biometric identifiers, or unique identifying characteristics, may be used.
European data protection law has always provided individuals with a range of rights enforceable against organizations processing their data.
Compared to the Data Protection Directive (“Directive”), the General Data Protection Regulation (GDPR, or “Regulation”) is considerably more complex and far-reaching in this respect, as it includes an extensive set of rights.
Article 12(2) of the Regulation requires organizations to facilitate the exercise of data subject rights. Whereas the Directive did not explicitly require organizations to confirm data subjects’ identities, the Regulation now requires the controller to use all reasonable efforts to verify the identity of data subjects.
Another operational aspect refers to the time frame to honor data subjects’ requests. Preliminarily, the controller should acknowledge receiving the request and confirm or clarify what is requested. Article 12(3) sets out the relevant time windows for responding: one month, starting with receipt of the request, should be the normal time frame, which can be extended by two further months for cases of specific situations and/or especially complex requests.
As mentioned earlier in this chapter, transparency is fundamental to any data protection system, as individuals’ right to privacy cannot be assured if they are not properly informed about the data controllers’ activities.
Under Article 13 of the Regulation, data subjects have the right to be provided with certain pieces of information that describe their relationship with the controller.
This includes the controller’s identity and contact details, the reasons or purposes for processing their personal data, the legal basis for doing so, recipients of that data (especially if those reside in third countries), and other relevant information necessary to ensure the fair and transparent processing of the data.
The Regulation’s right of access set out in Article 15 is in some ways a counterpart to the more passive right of information in Articles 13 and 14. Any data subject who exercises his or her right to know must be told about the personal data the organization holds about him or her and, more specifically, why and how it does so.
The scope of this right under the Regulation is largely unchanged from the Directive. In a nutshell, data subjects have the right to rectification of inaccurate personal data, and controllers must ensure that inaccurate or incomplete data is erased, amended or rectified. This right can generate a considerable amount of effort operationally.
The so-called right to be forgotten (RTBF) is probably one of the most actively scrutinized aspects of the original proposal by the Commission.
Article 17(1) establishes that data subjects obtain the right to have their personal data erased if:
the data is no longer needed for its original purpose and no new lawful purpose exists;
the lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists;
the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
the data has been processed unlawfully; or
erasure is necessary for compliance with EU law or the national law of the relevant member state.
Exemptions to the right of erasure are listed in Article 17(3), which allows organizations to decline data subjects’ requests to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest, like public health, archiving and scientific, historical research or statistical purposes; or
for the establishment of, exercise of or defense against legal claims.
Article 18 of the Regulation establishes something similar to a prior right under the Directive that allowed the “blocking” of data. Data subjects have the right to restrict the processing of their personal data if:
the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
the processing is unlawful, and the data subject requests restriction (as opposed to exercising the right to erasure);
the controller no longer needs the data for their original purpose, but the data is still required by the data subject to establish, exercise or defend legal rights; or
verification of overriding grounds is pending in the context of an erasure request.
Data portability is an entirely new term in European data protection law. Article 20 of the Regulation states that data subjects have the right to receive their own personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format.
In accordance with Article 21(1), whenever a controller justifies the data processing on the basis of its legitimate interests, data subjects can object to such processing. As a consequence, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing.
The right not to be evaluated on the basis of automated processing is closely connected with the aforementioned right to object. It is important to take into consideration, though, that Article 22 has a narrow application. The right not to be subject to automated decision-making applies only if such a decision is based solely on automated processing and produces legal effects concerning the data subject or similarly significantly affects them.
In spite of the Regulation’s prescriptive nature, controllers must also be prepared to comply with additional EU and member state law that could further impose obligations and provide rights in addition to those provided for in Articles 12 to 22.
For consent to be freely given, it must also be freely revocable. Therefore, it is important to have a process and policy in place for enabling data subjects to withdraw their consents.
Choice and control should be offered to individuals even after the opt-in stage. If an organization relies on consent to process personal data, it may want to—or be required to—state in the privacy notice that the individual can withdraw consent.
An organization’s procedures around withdrawal of consent may address:
When and how consent may be withdrawn
Rules for communicating with individuals
Methods for withdrawing consent
Documentation of requests and actions taken
Under certain circumstances, laws and regulations may require an organization to provide individuals, upon request, with access to their personal information—and information about the processing performed on it—and allow them to correct their information.
The information must be provided:
Completely
In a timely manner
Without charge to the individual
In the same form that the request was made
Complaints about how the organization manages data subject rights may come from both internal sources, such as employees, and from external sources, such as customers, consumers, competitors, patients, the public, regulators and vendors. Individuals handling complaints or requests for an organization must be trained to identify these requests, because they may be submitted in a variety of ways, such as by email, phone or social media.
Internal procedures should define and enable mechanisms for:
Differentiating between sources and types of complaints
Designating proper recipients
Implementing a centralized intake process
Tracking the process
Reporting and documenting resolutions
Redressing
Clearly there is a trend toward strengthening privacy and cybersecurity-related laws globally. Many countries in Latin America, for example, have either adopted or are in the process of adopting GDPR-like laws. Canada has also recently strengthened its privacy laws with recent changes in its Personal Information Protection and Electronic Documents Act (PIPEDA) relating to breach notification. Canada is also exploring additional changes to its Anti-Spam Legislation (CASL).
The trend in global privacy is to endow data subjects with greater control over their personal data and require increased transparency regarding how organizations communicate to data subjects about the ways they process the data subjects’ personal data.
It will be critical for your organization’s brand to handle data subject access requests in a way that engenders trust in your organization and does not instead lead the dissatisfied data subject to complain to the regulator or on social media.
Organizations that are responsive and have sound processes will come to view each interaction with a data subject as a trust-building exercise and an opportunity to improve how their organization.