Data Subject Rights Flashcards

1
Q

Name four examples of privacy notice design strategies:

A

Layered approach, Just-in-Time notice, Icons/Symbols, Privacy Dashboard

2
Q

What is a layered privacy notice? When should you use one?

A

Layered approach: when the notice has a lot of information
* Short notice with key information
* Links that expand topics or one link that leads to longer privacy notice
* Website search leads to the full notice

3
Q

What is a Just in Time notice? When should you use one?

A

Just-in-time notice: when you do not have a lot of space for communicating the notice
* Type of layered approach
* Notice appears at time of data input
* More information available through link or by hovering
* Alerts/notifications on smartphone

The CPRA requires a just-in-time notice if a business “collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.”

4
Q

When should you use icons/symbols in a privacy notice?

A

Icons/symbols: when you need to provide clarity
* Type of layered approach
* Indicators of types of processing
* Hyperlinks or hover states may provide more information
* Clear design
* Icon/symbol key

5
Q

What is a privacy dashboard?

A

Privacy dashboard: when you need to provide accessibility and a high-level overview
* Summary of privacy-related information and metrics
* Easy to access and navigate

6
Q

What does a privacy notice explain?

A

* Who the organization is
* What information it collects
* How it will use the information
* With whom it will share the information
* Whether information is collected directly or indirectly
* What are likely future uses of the information

7
Q

True or False: Providing a privacy notice implies consent

A

False. Privacy notices inform individuals of an organization’s privacy practices, but do not solicit or imply consent.

8
Q

What is the difference between opting in and opting out?

A

Opting in involves an active, affirmative indication, whereas with opting out, a lack of action implies a choice.

9
Q

What are the main considerations when presenting privacy notices to children?

A

* Compliance: some laws specify rules for providing privacy notice to children and obtaining parental consent
* Language and delivery: present privacy in ways children can understand
* Age: laws and regulations may establish an age threshold for consent
* Purpose of processing: some purposes may trigger certain rules, like prohibiting the tracking of children for behavioral advertising

10
Q

Name three EU-specific data subject rights:

A

* Data portability: personal data must be interoperable—transferrable from one organization to the individual, another controller or a third party designated by the individual in a format that is, according to Article 20 of the GDPR, “structured, commonly used and machine-readable,” and without hindrance.

* Erasure + Right to be Forgotten: Ceasing processing, deleting data, and taking steps to ensure data is deleted by third parties upon withdrawal of subject consent (if subject info was made public)

* Right to Object: With a valid objection, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing.
