Is Your Business Ready for Consumer Data Privacy Requests?
Oct 13, 2021, 09:00 AM by Cobun Zweifel-Keegan, Deputy Director of Privacy Initiatives, BBB National Programs
One common element of data privacy laws is the obligation they place on organizations to respond to certain requests from people whose personal data is held by that organization. Rooted in the goal of providing individuals with choice and control over their data, such rules are an important part of data privacy laws around the world—from Europe’s GDPR to California’s CCPA and CPRA to Brazil’s LGPD.
These requests are often framed as “rights” of the individuals relating to their personal data. They may be referred to as “data rights,” “data subject rights” (DSRs), or “data subject access rights” (DSARs). Here we’re calling them “consumer privacy rights.” No matter what they are called, there are consistent themes in the best practices and pitfalls inherent in these essential elements of any privacy program.
There are three general types of obligations that may be triggered when a consumer makes a privacy request. Subject to exceptions, your business may be required to:
- Provide information to the consumer. The most straightforward type of request seeks confirmation of whether your organization has, uses, or processes the individual’s personal data. Other requests may seek access to such data or a copy in a usable format.
- Make changes to personal data in your systems (and your vendors’ systems). Most data privacy laws include a right to correct personal data and, at least in certain circumstances, a right to request that data be deleted or removed from public view. (The obligation to respect such requests generally extends to vendors and other entities with whom your organization may have shared the data.)
- Restrict how you use or share the personal data. This obligation most commonly takes the form of respecting the opt-out choices of your customers, such as the choice to opt out of certain types of uses or sharing of data (e.g., for marketing or ad-serving purposes). Other, more limited rights in this category include requests to restrict processing or automated decision-making.
Businesses face many common pitfalls as they prepare to handle consumer privacy requests. For starters, diverging requirements and exemptions among jurisdictions mean that organizations cannot readily apply a single set of policies across their global operations without careful consideration. For example, the GDPR allows organizations to deny certain requests to stop processing personal data if the organization can demonstrate a compelling legitimate interest in continuing the processing. California law provides no such exemption for a request to opt out of the “sale” of personal information.
All these challenges show that the most important step in preparing for consumer privacy requests is to establish clear and consistent internal policies and procedures. When doing so, it is vitally important to consider not just the internal systems and personnel involved in effectively complying with consumer privacy request obligations, but also the perspective of the customers who will be making requests about their data.
The way a business interacts with customers when they exercise their privacy rights is part of its overall branding strategy. Therefore, it is important to consider the entire request journey. At every contact point, are you helping customers to understand their options? The more a business helps to educate its customers about how and why they may exercise privacy rights, the easier it will be for the business to fulfill its privacy obligations and the more likely the customer is to have a positive experience.
But how do you know whether your internal policies and procedures for consumer privacy requests meet requirements across jurisdictions? You don’t have to go it alone. One common way to check your practices against recognized requirements is to seek independent review.
In pursuing a privacy program certification, such as the Cross-Border Privacy Rules certification, you submit your policies and procedures for review against the internationally recognized standards built into the certification. This process also includes an independent test of the privacy choices you provide, verifying that your request handling processes are set up to be properly accessible and responsive to consumer privacy requests.
Businesses with a privacy certification also benefit from an ongoing second layer of review, through dispute resolution procedures that ensure consumer inquiries are heard and resolved before the consumer turns to regulators with a complaint. Establishing such a backstop mechanism further enhances the value of consumer privacy request handling as an opportunity to maintain a trustworthy brand by remaining responsive to customer needs.
For this reason, all BBB National Programs’ Global Privacy Division certifications include built-in dispute resolution mechanisms. (Even without a privacy certification, your business can create a dispute resolution path for customers through a program such as Privacy Shield.)
Although consumer data privacy requests may seem daunting, there are clearly established interoperable privacy practices that are proven to be achievable for any business, while still helping consumers feel heard.