Privacy Operational Life Cycle: Chapter 9 Respond: Data Subject Rights Flashcards
Privacy Policy
Internal document directed at employees
Privacy Notice
External document directed at data subjects
Privacy Policy Common Elements
Who the org is and contact info (DPO)
What info is collected
How the org will use it
With whom the data is shared, and if sold
Applicable data subject rights, how to exercise
How info is protected and processed
Whether the org acts as a processor (processes data on behalf of others)
How web visitors are monitored
Privacy Notice and Consent
A notice informs; it should not itself solicit or imply consent
US: implied consent is generally acceptable (opt-out model)
GDPR: express consent (a clear affirmative, opt-in act) is required
GDPR Lawful Basis
Consent
Contract
Legal obligation
Vital interests
Public task / public interest
Legitimate interest
Obtaining consent
Keep a record of consent (who consented, when, and to what)
Prechecked box is not sufficient (no affirmative act by the user)
Cookies
ICO: can't emphasize "agree" over "block/reject" for cookies
US: consent obtained through dark patterns is not valid consent
Consent must be specific to a single purpose (granular, per purpose)
Consent must be revocable, and as easy to withdraw as it was to give
Consent from children
COPPA, GDPR: special privacy notice for children, parental consent
CCPA: selling PI of consumers under 16 requires opt-in; parental consent for under 13, the minor's own consent at 13-15
Ages requiring parental consent
US (COPPA): < 13
GDPR: < 16 (member states may lower the age to 13)
UK: < 13
Aus: < 15 (OAIC guidance; capacity is otherwise assessed case by case)
DSR: Fair Credit Reporting Act
Consumers can obtain a copy of all info credit reporting agencies hold on them
Free of charge, once per year from each nationwide agency
Dispute inaccurate info; the agency must correct or delete it
Agency has 30 days to investigate disputed data
Negative info is reported for 7 years (bankruptcies 10 years)
Notification rights (adverse action notice when a report is used against you)
Written consent required before an employer obtains a background check
DSR: HIPAA
Regulates use and disclosure of PHI
Patient authorization is revocable
Right of access: info provided within 30 days (one 30-day extension allowed)
Right to amend: decision within 60 days
DSR: Do Not Call Registry
Run by the FTC; enforced by both the FTC and the FCC
Stops unwanted telemarketing calls (political, charity and survey calls are exempt)
DSR: CAN-SPAM
Applies to commercial email messages
Recipients can forward unwanted or deceptive messages to the FTC
Opt-out requests must be honored within 10 business days
DSR: Privacy Act of 1974
Written request to access own records held by a federal agency
DSR: Freedom of Information Act
Agencies must disclose records except (nine exemptions):
- Info that is classified
- Info related only to internal personnel rules/practices
- Info prohibited from disclosure by another statute
- Trade secrets or commercial/financial info that is confidential
- Privileged communications within or between agencies
- Info that would invade another individual's privacy
- Info compiled for law enforcement purposes
- Info concerning supervision of financial institutions
- Geological/geophysical info on wells
Also excluded entirely (three exclusions):
- Ongoing criminal investigation where the individual is unaware
- Informant information
- FBI foreign intelligence, counterintelligence and international terrorism records
CalOPPA (California Online Privacy Protection Act; not COPPA)
PII of CA residents collected online
Privacy notice reqs:
- Categories of PII collected
- How material changes to the privacy notice are communicated to consumers
- How Do Not Track requests are handled
DOPPA (Delaware Online Privacy and Protection Act)
PII of Delaware residents
Much the same as CalOPPA
Users instead of consumers
Broader set of entities covered
Nevada
Similar to other states' online privacy notice laws, but adds disclosure of third-party tracking over time and across sites
CA Shine the Light
Consumers can ask how a business shares their data with third parties for direct marketing
CA Online Erasure Law
Allows minors to request removal of content they themselves posted
Too many exceptions
CCPA
CA residents have the right to:
- know what PI the org has collected
- know how the data is used and shared
- deletion (right to erasure)
- opt out of sale (Do Not Sell)
Virginia Consumer Data Protection Act
Confirm whether a controller is processing your data, and access it
Correct data
Delete data
Obtain a copy of data in a portable format
Opt out of targeted advertising, sale, and profiling
Biometric Privacy Laws
IL (BIPA), WA, TX
GDPR
Articles 12-14: Transparent communication and information to be provided to the data subject
Article 15: Right of access
Article 16: Right to rectification
Article 17: Right to erasure ("right to be forgotten"; see Recitals 42, 65 and Art 7(3) right to withdraw consent)
Article 18: Right to restriction of processing
Article 19: Obligation to notify recipients (downstream disclosure) of any rectification, erasure or restriction
Article 20: Right to data portability
Article 21: Right to object
Article 22: Right not to be subject to solely automated decision-making, including profiling
Controller may require reasonable identity verification when in doubt about who is asking
Respond within one month, extendable by up to two further months for complex or numerous requests (Art 12)