The seven elements of the Consumer’s “Privacy Rights?”
In our last article, we discussed the revolutionary changes in privacy law that have occurred in the last few years stemming from the advent of the European Data Protection Regulation (“GDPR”) and the recent enactment of the California Consumer Privacy Act (“CCPA”). The main takeaway from that article was that all businesses should review and update their privacy policies. Not all businesses, of course, are equally affected as not all businesses are transacting business with California or European residents, but the trend is clear—protecting the privacy rights of consumers is an ever-expanding horizon. In the United States, California is leading the way, but the likelihood is that other states will be joining California over the next few years in enacting their own privacy rights legislation. In our last article, we defined what “Personal Identifying Information” (“PII”) is, which is, basically, any information that can theoretically identify a data subject or their families. But given this definition, what “rights” are we talking about when we refer to “privacy rights?”
What are the seven elements of the Consumer’s “Privacy Rights”?
Under both the GDPR and CCPA, there are seven basic rights consumers have concerning how businesses can use their PII:
- The right to find out what specific PII a business has concerning them.
- The right to find out what PII the business has shared with third parties.
- The right to limit the use and disclosure of their PII.
- The right to transfer their PII to a new service.
- The right to have their PII corrected, updated, or deleted.
- The right to opt out of the sale and sharing of their PII.
- The right not to be discriminated against for exercising their privacy rights.
Additional insights on these rights are as follows:
- Consumers are entitled to find out what PII a business has collected from them, including the categories of sources of such information, and the purpose behind the business’s collection of PII.
- Consumers are entitled to know whether the business has shared their PII with third parties and who those vendors are.
- Consumers are entitled to limit how a business can use their PII. For example, a consumer’s PII could be licensed to third parties or be used as part of a marketing campaign.
- Consumers are entitled not only to know what PII of theirs a business has but also to require that it be transferred to a third party.
- Except where applicable law provides otherwise, consumers can also request that a business (including its service providers and third parties with whom it may be sharing PII) delete their PII. Consumers may also have the right to correct their PII if there are errors, such as the misspelling of a name, birth date, geographical location, etc. Finally, consumers have the right to require a business to expunge their PII, so that they can, theoretically, be forgotten.
- Consumers also have the right to opt out of marketing programs that would allow their PII to be shared with third parties.
- Finally, consumers have the right not to be discriminated against. Should they exercise any of their rights to protect their PII, a business is prohibited from taking any retaliatory action against them, such as limiting the services provided to them, delaying the processing of their orders, or otherwise taking any actions to inhibit or degrade their user experience.
For business owners updating their businesses’ websites, their privacy policies should contain a clear delineation of such rights, including an explanation of the type of information that is collected, the purpose for collecting such information, and the sources of such information. As explained in our last article, not only can information be collected from a customer via their filling in online forms to transmit account information or participating in surveys and promotional discount programs, but information can also be collected by way of cookies, which are small bits of information a website can download to a customer’s device when they visit the website. Businesses should clarify whether they collect information from their customers by way of cookies and the type of information collected.
The Privacy Policy Should include Contact Information that allows Consumers to Exercise their PII Rights.
An effective privacy policy should clearly indicate how consumers can contact the business in question if they want to exercise one or more of their privacy rights. Under the CCPA, it is required that a business have at least two ways for a consumer to contact it. Generally, this requirement can be met if the business provides consumers with both an online contact form and an email address. While different laws may have different requirements, the CCPA requires that when consumers want to exercise their rights to delete, correct, or know, businesses must confirm receipt of a PII request within 10 business days of receipt and respond substantively within 45 calendar days, with the option of extending this period another 45 days upon customer notification.
Where a consumer’s request concerns opting out of a program involving the collection and sharing of their PII or limiting a business’s use of a consumer’s PII, the business in question is obliged under the CCPA to respond to such requests as soon as possible but not longer than 15 business days after receipt.
The Privacy Policies should provide Information to Consumers about how to Report Complaints to the Authorities
Under the CCPA, the regulatory authority is the California Privacy Protection Agency. Under the GDPR, it is the relevant Data Protection Authority. To the extent these authorities are known, a business’s privacy policy should link to their websites or, at least, provide reasonably clear instructions on how such authorities can be contacted. Where no such specific regulatory authorities exist, it is recommended that consumers be referred to their state’s Attorney General’s office.
In our next article, we will delve into other issues regarding the protection of PII and how a privacy policy should be implemented. Although posting a clearly written and comprehensive privacy policy is an important first step, it is meaningless if there is no one at the other end receiving and acting upon consumer-PII-related requests.
The key takeaways:
- Businesses should review and update their privacy policies in view of recent, dramatic changes in internet privacy.
- A privacy policy should contain a clear explanation of what PII a business collects, for what purpose, and the source of such information, including an explanation of what a “cookie” is and what information it collects.
- A privacy policy should also give the reader notice and an explanation of their rights, including that the reader can opt out of certain information collection programs and how to do so.
- Finally, a privacy policy should clearly explain to consumers how to contact the business if a PII issue arises and how to lodge a complaint with the authorities if the business is non-responsive.
The post The Protection of Consumers’ Online Privacy: A Revolution in Rights appeared first on Latin Business Today.