The seven elements of the Consumer’s “Privacy Rights?”
In our last article, we discussed the revolutionary changes in privacy law that have occurred in the last few years stemming from the advent of the European Data Protection Regulation (“GDPR”) and the recent enactment of the California Consumer Privacy Act (“CCPA”). The main takeaway from that article was that all businesses should review and update their privacy policies. Not all businesses, of course, are equally affected, as not all businesses transact business with California or European residents, but the trend is clear: protecting the privacy rights of consumers is an ever-expanding horizon. In the United States, California is leading the way, but other states will likely join California over the next few years in enacting their own privacy rights legislation. In our last article, we defined “Personal Identifying Information” (“PII”) as, basically, any information that can theoretically identify a data subject or their family. But given this definition, what “rights” are we talking about when we refer to “privacy rights”?
What are the seven elements of the Consumer’s “Privacy Rights”?
Under both the GDPR and CCPA, there are seven basic rights consumers have concerning how businesses can use their PII:
- The right to find out what specific PII a business has concerning them.
- The right to find out what PII the business has shared with third parties.
- The right to limit the use and disclosure of their PII.
- The right to transfer their PII to a new service.
- The right to have their PII corrected, updated, or deleted.
- The right to opt out of the sale and sharing of their PII.
- The right not to be discriminated against for exercising their privacy rights.
Additional insights on these rights are as follows:
- Consumers are entitled to find out what PII a business has collected from them, including the categories of sources of such information, and the purpose behind the business’s collection of PII.
- Consumers are entitled to know whether the business has shared their PII with third parties and who those vendors are.
- Consumers are entitled to limit how a business can use their PII. For example, a consumer’s PII could be licensed to third parties or be used as part of a marketing campaign.
- Consumers are entitled not only to know what PII of theirs a business has but also to require that it be transferred to a third party.
- Except where applicable law provides otherwise, consumers can also request that a business (including its service providers and third parties with whom it may be sharing PII) delete their PII. Consumers may also have the right to correct their PII if there are errors, such as the misspelling of a name, birth date, geographical location, etc. Finally, consumers have the right to require a business to expunge their PII, so that they can, theoretically, be forgotten.
- Consumers also have the right to opt out of marketing programs that would allow their PII to be shared with third parties.
- Finally, consumers have the right not to be discriminated against. Should they exercise any of their rights to protect their PII, a business is prohibited from taking any retaliatory action against them, such as limiting the services provided to them, delaying the processing of their orders, or otherwise taking any actions to inhibit or degrade their user experience.
For business owners updating their businesses’ websites, their privacy policies should clearly set out these rights, including an explanation of the type of information that is collected, the purpose for collecting such information, and the sources of such information. As explained in our last article, information can be collected not only when a customer fills in online forms to transmit account information or participates in surveys and promotional discount programs, but also by way of cookies, which are small bits of information a website can download to a customer’s device when they visit the website. Businesses should clarify whether they collect information from their customers by way of cookies and the type of information collected.
Where a consumer’s request concerns opting out of a program involving the collection and sharing of their PII or limiting a business’s use of a consumer’s PII, the business in question is obliged under the CCPA to respond to such requests as soon as possible, but no later than 15 business days after receipt.
The Privacy Policies should provide Information to Consumers about how to Report Complaints to the Authorities
The key takeaways:
- Businesses should review and update their privacy policies in view of recent, dramatic changes in internet privacy.