Privacy Operational Life Cycle: Chapter 9 Respond: Data Subject Rights

Question 1

Privacy Policy

Answer 1

Internal document directed at employees

Question 2

Privacy Notice

Answer 2

External document directed at data subjects

Question 3

Privacy Policy Common Elements

Answer 3

Who the org is and contact info (DPO)
What info is collected
How the org will use it
With whom the data is shared, and if sold
Applicable data subject rights, how to exercise
How info is protected and processed
When the org is a processor
How web visitors are monitored

Question 4

Privacy Notice and Consent

Answer 4

DO NOT solicit or imply consent
US: implied consent is ok
GDPR: express consent is required

Question 5

GDPR Lawful Basis

Answer 5

Consent
Contract
Legal obligation
Vital interest
Public Interest
Legitimate interest

Question 6

Obtaining consent

Answer 6

Record of consent

Prechecked box is not sufficient

Cookies
ICO: can’t emphasize agree over block for cookies
US: dark patterns are not sufficient

Consent for a single purpose

Consent must be revokable

Question 7

Consent from children

Answer 7

COPPA, GDPR: special privacy notice for children, parental consent

CCPA: selling requires parental consent

Question 8

Ages requiring parental consent

Answer 8

US: < 13
GDPR: < 16
UK: < 17
Aus: < 15

Question 9

DSR: Fair Credit Reporting Act

Answer 9

Customers can obtain copy of all info credit agencies have

Free of charge, 1x per year

Correct or delete incorrect info

30 days to examine disputed data

7-10 years of data

Notification rights

Written consent prior to background check

Question 10

DSR: HIPAA

Answer 10

Regulates use and disclosure of PHI

Revocable authorization by patient

Right to obtain info within 30 days

Changes within 60 days

Question 11

DSR: Do Not Call Registry

Answer 11

FCC enforces
Stop unwanted commercial solicitation calls

Question 12

DSR: CAN-SPAM

Answer 12

Can forward unwanted or deceptive messages to the FTC

Commercial messages

Question 13

DSR: Privacy Act of 1974

Answer 13

Written request to access own records of Fed agency

Question 14

DSR: Freedom of Info Act

Answer 14

Must disclose records except:
- Info is classified
- Info is related only to internal rules/practices
- Info is prohibited from disclosure
- Trade secrets/commercial/financial info that is confidential
- Privileged comms within agencies
- Info that would invade another individuals privacy
- info compiled for law enforcement purposes
- Info that concerns supervision of financial institutions
- Geological info on wells

Also
- Ongoing criminal investigation where individual is unaware
- Informant information
- FBI and foreign intelligence

Question 15

COPPA

Answer 15

PII on CA residents
Privacy notice reqs:
- Categories of PII
- How material changes to privacy notice are notified to consumers
- How Do Not Track requests are honored

Question 16

DOPPA

Answer 16

PII for Delaware residents
Much the same as COPPA
Users instead of consumers
Broader entities covered

Question 17

Nevada

Answer 17

Similar to other states but adds third party tracking over time

Question 18

CA Shine the Light

Answer 18

How businesses use or share data for direct marketing

Question 19

CA Online Erasure Law

Answer 19

Allows minors to erase data
Too many exceptions

Question 20

CCPA

Answer 20

CA residents can get info on:
- what the org has
- how the data is used
- right to erasure
- do not sell

Question 21

Virginia Consumer Data Protection Act

Answer 21

Confirm controller is processing data
Correct data
Delete data
Access portable format of data
Opt out of profiling, sales

Question 22

Biometric Privacy Law

Answer 22

IL, WA, TX

Question 23

GDPR

Answer 23

Article 12-14: Right of tranparent comms and info
Article 15: Right of Access
Article 16: Right of Rectification
Article 17: Right of Erasure (Recitals 42, 65, and Art 7 Right to withdraw consent)
Article 18: Right to restrict processing
Article 19: Obligations to notify recipients (downstream disclosure)
Article 20: Right to data portability
Article 21: Right to object
Article 22: Right to not be subject to auto decision making

Requires reasonable identity verification

30 days, with up to 60 day extension