Is Your Business Ready for Consumer Data Privacy Requests?

Oct 13, 2021 by Cobun Zweifel-Keegan, Deputy Director of Privacy Initiatives, BBB National Programs

One common element of data privacy laws is the obligation they place on organizations to respond to certain requests from people whose personal data is held by that organization. Rooted in the goal of providing individuals with choice and control over their data, such rules are an important part of data privacy laws around the world, from Europe's GDPR to California's CCPA and CPRA to Brazil's LGPD.

These requests are often framed as “rights” of the individuals relating to their personal data. They may be referred to as “data rights,” “data subject rights” (DSRs), or “data subject access rights” (DSARs). Here we’re calling them “consumer privacy rights.” No matter what they are called, there are consistent themes in the best practices and pitfalls inherent in these essential elements of any privacy program. 


Though navigating the nuances of consumer privacy obligations in different jurisdictions may be difficult, independent insight from a certification or dispute resolution program helps organizations rest assured that they are following recognized best practices. Our Global Privacy Division can help.


There are three general types of obligations that may be triggered when a consumer makes a privacy request. Subject to exceptions, your business may be required to:

  1. Provide information to the consumer. The most straightforward type of request seeks confirmation of whether your organization has, uses, or processes the individual’s personal data. Other requests may seek access to such data or a copy in a usable format.
  2. Make changes to personal data in your systems (and your vendors’ systems). Most data privacy laws include a right to correct personal data and, at least in certain circumstances, a right to request that data be deleted or removed from public view. (The obligation to respect such requests generally extends to vendors and other entities with whom your organization may have shared the data.)
  3. Restrict how you use or share the personal data. This obligation most commonly takes the form of respecting the opt-out choices of your customers, such as the choice to opt out of certain types of uses or sharing of data (e.g., for marketing or ad-serving purposes). Other, more limited rights in this category include requests to restrict processing or automated decision making.


Businesses face many common pitfalls as they prepare to handle consumer privacy requests. For starters, diverging requirements and exemptions among jurisdictions mean that organizations cannot readily apply a single set of policies across their global operations without careful consideration. For example, the GDPR allows organizations to deny certain requests to stop processing personal data if the organization can demonstrate a compelling legitimate interest in continuing the processing. California law provides no such exemption for a request to opt out of the “sale” of personal information.

On the operations front, before a business responds to consumer privacy requests, it must have a good understanding of where personal data is stored, how it is used, and with whom it may have been shared. It also, of course, must have processes in place to receive requests; to record details about the submission of each request (e.g., the date and whether submitted through a privacy policy link or while chatting with a customer service representative); and to authenticate the identity of the requester.
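The operational pieces described above (a data map of where personal data lives and which vendors received it, an intake record per request that captures date and channel, an identity check before anything is disclosed or deleted, and fan-out of corrections and deletions to vendors as well as internal systems) can be sketched as a small request ledger. The following is an added example, not code from BBB National Programs or from the article's author; the system, vendor and category names in the data map are constructed, and the one-time-code identity check is one assumed verification method among several a business might use.

```python
"""Consumer-privacy-request intake ledger (added illustration, not the page's code).

Models the pieces a business must have before answering a request: a data map
(which systems hold which categories of personal data and which vendors
received it), an intake record per request (date, channel), an identity check
that gates fulfillment, and a plan that fans a deletion or correction out to
vendors as well as internal systems. Names below are constructed.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"    # confirm processing / provide a copy
    CORRECT = "correct"  # change the data held
    DELETE = "delete"    # remove the data, including at vendors
    OPT_OUT = "opt_out"  # stop a use or sharing (e.g. marketing, ad-serving)


@dataclass(frozen=True)
class DataHolding:
    system: str             # internal store holding the data
    categories: frozenset   # categories of personal data held there
    shared_with: frozenset  # (vendor, purpose) pairs this system shares with


# Constructed data map; in practice it comes from a data-inventory exercise.
DATA_MAP = (
    DataHolding("crm", frozenset({"contact", "purchases"}),
                frozenset({("email-vendor", "marketing")})),
    DataHolding("web-analytics", frozenset({"device_id", "browsing"}),
                frozenset({("ad-network", "ad-serving")})),
    DataHolding("support-desk", frozenset({"contact", "tickets"}), frozenset()),
)


@dataclass
class PrivacyRequest:
    request_id: str
    request_type: RequestType
    channel: str            # e.g. "privacy_policy_link", "customer_chat"
    received_at: datetime
    identity_verified: bool = False
    log: list = field(default_factory=list)

    def record(self, event: str) -> None:
        """Append a timestamped audit entry for this request."""
        self.log.append((datetime.now(timezone.utc).isoformat(), event))


def receive_request(request_id: str, request_type: RequestType, channel: str) -> PrivacyRequest:
    """Open a request record, capturing when and through which channel it arrived."""
    req = PrivacyRequest(request_id, request_type, channel, datetime.now(timezone.utc))
    req.record(f"received via {channel}")
    return req


def verify_identity(req: PrivacyRequest, supplied_code: str, expected_code: str) -> bool:
    """Assumed method: a one-time code sent to the account's known contact point.
    Constant-time comparison so the check does not leak the code by timing."""
    ok = hmac.compare_digest(supplied_code.encode(), expected_code.encode())
    req.identity_verified = ok
    req.record("identity verified" if ok else "identity check failed")
    return ok


def fulfillment_plan(req: PrivacyRequest, data_map=DATA_MAP) -> dict:
    """Return the systems and vendors that must act on the request.
    Refuses to plan until identity is verified, so an unverified request can
    never trigger a disclosure, correction or deletion."""
    if not req.identity_verified:
        raise PermissionError(f"{req.request_id}: identity not verified")
    systems = sorted(h.system for h in data_map)
    vendors = sorted({v for h in data_map for v, _ in h.shared_with})
    if req.request_type is RequestType.ACCESS:
        # Query internal stores; recipients are reported to the consumer, not actioned.
        plan = {"systems": systems, "vendors": []}
    elif req.request_type in (RequestType.CORRECT, RequestType.DELETE):
        # A change or deletion must propagate to every vendor that received the data.
        plan = {"systems": systems, "vendors": vendors}
    else:
        # OPT_OUT: stop only the marketing/ad-serving shares; other uses continue.
        stop = sorted({v for h in data_map for v, p in h.shared_with
                       if p in ("marketing", "ad-serving")})
        plan = {"systems": [], "vendors": stop}
    req.record(f"plan: {plan}")
    return plan
```

The audit log on each request is what lets you later show a regulator or a dispute-resolution reviewer when a request arrived, how it came in, whether the requester was verified, and what was done about it.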

All these challenges show that the most important step in preparing for consumer privacy requests is to establish clear and consistent internal policies and procedures. When doing so, it is vitally important to consider not just the internal systems and personnel involved in complying with consumer privacy request obligations, but also the perspective of the customers who will be making requests about their data.

The way a business interacts with customers when they exercise their privacy rights is part of its overall branding strategy. Therefore, it is important to consider the entire request journey. At every contact point, are you helping customers to understand their options? The more a business educates its customers about how and why they may exercise privacy rights, the easier it will be for the business to fulfill its privacy obligations, and the more likely the customer is to come away with a positive experience.

But how do you know whether your internal policies and procedures for consumer privacy requests meet requirements across jurisdictions? You don’t have to go it alone. One common way to check your practices against recognized requirements is to seek independent review. 

In pursuing a privacy program certification, such as the Cross-Border Privacy Rules certification, you submit your policies and procedures for review against the internationally recognized standards built into the certification. This process also includes an independent test of the privacy choices you provide, verifying that your request handling processes are set up to be properly accessible and responsive to consumer privacy requests.

Businesses with a privacy certification also benefit from an ongoing second layer of review, through dispute resolution procedures that ensure consumer inquiries are heard and resolved before the consumer turns to regulators with a complaint. Establishing such a backstop mechanism further enhances the value of consumer privacy request handling as an opportunity to maintain a trustworthy brand by remaining responsive to customer needs. 

For this reason, all BBB National Programs’ Global Privacy Division certifications include built-in dispute resolution mechanisms. (Even without a privacy certification, your business can create a dispute resolution path for customers through a program such as Privacy Shield.)

Although consumer data privacy requests may seem daunting, there are clearly established interoperable privacy practices that are proven to be achievable for any business, while still helping consumers feel heard. 
