Organizations should recognize and facilitate the following individual rights of consumers with regard to personal data.[2] Facilitation of these rights may be limited where required by law,[3] and should be informed by the legitimate interests of the organization, which may include protecting the health and safety of individuals, preventing fraud and addressing security risks, supporting legitimate scientific and research purposes, and satisfying business (including contractual) obligations.
- Transparency: Consumers should have reasonable access to clear, understandable statements about the organization’s practices and policies with respect to personal data, including: information on the types of personal data collected; the purposes for which the personal data will be used; whether and for what purposes personal data may be disclosed or transferred to non-affiliated third parties; the choices and means for exercising individual rights with respect to personal data; and the contact details of persons in the organization who can respond to questions regarding personal data. Statements should be in a format that is reasonable and appropriate for the point of collection and is accessible through new and emerging technologies.
- Consumer Control: Consumers should have opportunities to exert reasonable control with regard to the collection, use, and sharing of personal data. No one specific mechanism for consumer control is suitable in all instances, and organizations should be permitted flexibility in how these controls may reasonably be exercised in light of the sensitivity of the personal data, as well as the risks and context of the specific data processing and sharing with non-affiliated third parties. Where organizations rely upon “consent” to collect and use personal data, the type of consent required should be contextual, taking into account the nature of both the personal data and its proposed uses.[4]
  - Consumers should also have the opportunity to make choices with respect to the sale of personal data to non-affiliated third parties.
  - Consumers should understand under what circumstances their decision to opt out (or not opt in) may result in the organization no longer providing them certain goods and services (for example, free content).
  - Organizations should be obligated to inform their service providers of the choices made by consumers with respect to the processing of personal data. The service provider would be responsible for protecting the personal data from improper processing throughout the data life-cycle, but should not be expected to provide transparency or control directly to consumers.
- Access and Correction: Consumers should have a reasonable right to access and correct any inaccuracies in personal data collected about them by an organization, taking into account security and operational considerations.
- Deletion: Consumers should be able to require an organization to delete the personal data it has collected about them, when such data is no longer required to be maintained under applicable law or is no longer necessary for the legitimate business purposes of the organization. Organizations may limit a consumer’s right to delete in circumstances where the rights of other individuals outweigh deletion, or where the data is required for freedom of expression and information. Deletion should not be required where disposal is not reasonably feasible due to the manner in which the personal data is maintained and alternatives such as placing the data beyond practical use are available.
[2] In addition to these rights, special protections should be applied to personal data of children.
[3] Such legal obligations may include, for example, adherence to Know Your Customer (KYC) and Anti-Money Laundering (AML) laws.
[4] For example, opt-in consent may be required as part of a risk-based privacy practice for data processing that presents higher risks to the rights and interests of individuals. In addition, where not previously disclosed, organizations should provide consumers with clear mechanisms to control whether an organization can use or further share the personal data it has already collected from them if it intends to use that personal data for a new purpose that is not compatible with the purpose described in the previous disclosure.