Is Your Business Ready for Consumer Data Privacy Requests?

Oct 13, 2021 by Cobun Zweifel-Keegan, Deputy Director of Privacy Initiatives, BBB National Programs

One common element of data privacy laws is the obligation they place on organizations to respond to certain requests from people whose personal data is held by that organization. Rooted in the goal of providing individuals with choice and control over their data, such rules are an important part of data privacy laws around the world—from Europe’s GDPR to California’s CCPA and CPRA to Brazil’s LGPD.

These requests are often framed as “rights” of the individuals relating to their personal data. They may be referred to as “data rights,” “data subject rights” (DSRs), or “data subject access rights” (DSARs). Here we’re calling them “consumer privacy rights.” No matter what they are called, there are consistent themes in the best practices and pitfalls inherent in these essential elements of any privacy program. 


Though navigating the nuances of consumer privacy obligations in different jurisdictions may be difficult, independent insight from a certification or dispute resolution program helps organizations rest assured that they are following recognized best practices. Our Global Privacy Division can help.


There are three general types of obligations that may be triggered when a consumer makes a privacy request. Subject to exceptions, your business may be required to:

  1. Provide information to the consumer. The most straightforward type of request seeks confirmation of whether your organization has, uses, or processes the individual’s personal data. Other requests may seek access to such data or a copy in a usable format.
  2. Make changes to personal data in your systems (and your vendors’ systems). Most data privacy laws include a right to correct personal data and, at least in certain circumstances, a right to request that data be deleted or removed from public view. (The obligation to respect such requests generally extends to vendors and other entities with whom your organization may have shared the data.)
  3. Restrict how you use or share the personal data. This obligation most commonly takes the form of respecting the opt-out choices of your customers, such as the choice to opt out of certain types of uses or sharing of data (e.g., for marketing or ad-serving purposes). Other, more limited rights in this category include requests to restrict processing or automated decision making.


Businesses face many common pitfalls as they prepare to handle consumer privacy requests. For starters, diverging requirements and exemptions among jurisdictions mean that organizations cannot readily apply a single set of policies across their global operations without careful consideration. For example, the GDPR allows organizations to deny certain requests to stop processing personal data if the organization can demonstrate a compelling legitimate interest in continuing the processing. California law provides no such exemption for a request to opt out of the “sale” of personal information.

On the operations front, before a business responds to consumer privacy requests, it must have a good understanding of where personal data is stored, how it is used, and with whom it may have been shared. It also, of course, must have processes in place to receive requests; to record details about the submission of each request (e.g., the date and whether submitted through a privacy policy link or while chatting with a customer service representative); and to authenticate the identity of the requester.
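The intake steps above (classify the request by type, record how and when it arrived, authenticate the requester before acting, and then work out which internal systems and downstream vendors hold the data) can be expressed as a small request-handling workflow. The following is an added illustration written for this article, not code from BBB National Programs or from any certification program; the data inventory, vendor names, jurisdiction codes, and response windows are constructed or assumed configuration values and would be replaced by the results of your own data-mapping exercise and the deadlines of the applicable law. It also encodes the jurisdictional difference described later in the article: a GDPR-style request to stop processing may be denied on a documented compelling legitimate interest, while a California opt-out of "sale" may not.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class RequestType(Enum):
    CONFIRM_OR_ACCESS = "access"        # confirm processing and/or provide a copy
    CORRECT = "correct"
    DELETE = "delete"
    OPT_OUT_SALE = "opt_out_sale"       # California-style opt-out of "sale"
    STOP_PROCESSING = "stop"            # GDPR-style request to stop/restrict processing


# Constructed data inventory (assumption): where personal data lives and which
# vendors received it. A real program builds this from a data-mapping exercise.
DATA_INVENTORY = {
    "crm":       {"fields": ["name", "email", "phone"], "shared_with": ["email-vendor"]},
    "orders":    {"fields": ["address", "order_history"], "shared_with": ["shipping-vendor"]},
    "ad-pixels": {"fields": ["device_id"], "shared_with": ["ad-network"], "is_sale": True},
}

# Assumed response windows in days per jurisdiction; set from the applicable law.
RESPONSE_DAYS = {"CA": 45, "EU": 30}


@dataclass
class PrivacyRequest:
    request_id: str
    request_type: RequestType
    jurisdiction: str
    received: date
    channel: str                        # e.g. "privacy-policy-link", "customer-service-chat"
    identity_verified: bool = False
    log: list = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS[self.jurisdiction])


def open_request(request_id, request_type, jurisdiction, received, channel):
    """Record the submission details the article says must be captured."""
    req = PrivacyRequest(request_id, request_type, jurisdiction, received, channel)
    req.log.append(f"{received.isoformat()} received via {channel}; due {req.deadline.isoformat()}")
    return req


def verify_identity(req, evidence_ok):
    """Gate on authentication; `evidence_ok` stands in for your verification procedure."""
    req.identity_verified = bool(evidence_ok)
    req.log.append("identity verified" if req.identity_verified else "identity verification failed")
    return req.identity_verified


def plan_fulfilment(req, inventory=DATA_INVENTORY, compelling_legitimate_interest=False):
    """Return the action plan, or refuse to act until the requester is authenticated."""
    if not req.identity_verified:
        return {"status": "blocked", "reason": "requester not authenticated"}
    systems = list(inventory)
    vendors = sorted({v for meta in inventory.values() for v in meta["shared_with"]})
    if req.request_type is RequestType.CONFIRM_OR_ACCESS:
        return {"status": "fulfil", "export_from": systems}
    if req.request_type in (RequestType.CORRECT, RequestType.DELETE):
        # Corrections and deletions must propagate to vendors that received the data.
        return {"status": "fulfil", "update_systems": systems, "notify_vendors": vendors}
    if req.request_type is RequestType.OPT_OUT_SALE:
        # No legitimate-interest exemption applies to a California opt-out of "sale".
        sales = [name for name, meta in inventory.items() if meta.get("is_sale")]
        return {"status": "fulfil", "stop_sharing_from": sales}
    if req.request_type is RequestType.STOP_PROCESSING:
        if req.jurisdiction == "EU" and compelling_legitimate_interest:
            return {"status": "deny", "reason": "compelling legitimate interest documented"}
        return {"status": "fulfil", "restrict_systems": systems}
    raise ValueError(f"unhandled request type {req.request_type}")


def demo():
    """Walk one constructed deletion request through intake, authentication and planning."""
    req = open_request("R-1", RequestType.DELETE, "CA", date(2021, 10, 13), "privacy-policy-link")
    before = plan_fulfilment(req)            # blocked: identity not yet verified
    verify_identity(req, True)
    after = plan_fulfilment(req)             # lists systems to update and vendors to notify
    return {"deadline": req.deadline, "before": before, "after": after, "log": req.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `blocked` result is that no fulfilment action, and in particular no data export or deletion, is planned until authentication succeeds; the log list gives the audit trail of when and through which channel the request arrived, which is what a certification review or dispute-resolution process will ask to see.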

All these challenges show that the most important step in preparing for consumer privacy requests is to establish clear and consistent internal policies and procedures. When doing so, it is vitally important to consider not only the internal systems and personnel involved in complying with consumer privacy request obligations, but also the perspective of the customers who will be making requests about their data.

The way a business interacts with customers when they exercise their privacy rights is part of its overall branding strategy. Therefore, it is important to consider the entire request journey. At every contact point, are you helping customers to understand their options? The more a business helps to educate its customers about how and why they may exercise privacy rights, the easier it will be for the business to fulfill its privacy obligations and the more likely the customer is to have a positive experience.

But how do you know whether your internal policies and procedures for consumer privacy requests meet requirements across jurisdictions? You don’t have to go it alone. One common way to check your practices against recognized requirements is to seek independent review. 

In pursuing a privacy program certification, such as the Cross-Border Privacy Rules certification, you submit your policies and procedures for review against the internationally recognized standards built into the certification. This process also includes an independent test of the privacy choices you provide, verifying that your request handling processes are set up to be properly accessible and responsive to consumer privacy requests.

Businesses with a privacy certification also benefit from an ongoing second layer of review, through dispute resolution procedures that ensure consumer inquiries are heard and resolved before the consumer turns to regulators with a complaint. Establishing such a backstop mechanism further enhances the value of consumer privacy request handling as an opportunity to maintain a trustworthy brand by remaining responsive to customer needs. 

For this reason, all BBB National Programs’ Global Privacy Division certifications include built-in dispute resolution mechanisms. (Even without a privacy certification, your business can create a dispute resolution path for customers through a program such as Privacy Shield.)

Although consumer data privacy requests may seem daunting, there are clearly established interoperable privacy practices that are proven to be achievable for any business, while still helping consumers feel heard. 
