Is Your Business Ready for Consumer Data Privacy Requests?

Oct 13, 2021 by Cobun Zweifel-Keegan, Deputy Director of Privacy Initiatives, BBB National Programs

One common element of data privacy laws is the obligation they place on organizations to respond to certain requests from people whose personal data is held by that organization. Rooted in the goal of providing individuals with choice and control over their data, such rules are an important part of data privacy laws around the world—from Europe’s GDPR to California’s CCPA and CPRA to Brazil’s LGPD

These requests are often framed as “rights” of the individuals relating to their personal data. They may be referred to as “data rights,” “data subject rights” (DSRs), or “data subject access rights” (DSARs). Here we’re calling them “consumer privacy rights.” No matter what they are called, there are consistent themes in the best practices and pitfalls inherent in these essential elements of any privacy program. 

 

Though navigating the nuances of consumer privacy obligations in different jurisdictions may be difficult, independent insight from a certification or dispute resolution program helps organizations rest assured that they are following recognized best practices. Our Global Privacy Division can help.

 

There are three general types of obligations that may be triggered when a consumer makes a privacy request. Subject to exceptions, your business may be required to:

  1. Provide information to the consumer. The most straightforward type of request seeks confirmation of whether your organization has, uses, or processes the individual’s personal data. Other requests may seek access to such data or a copy in a usable format.
  2. Make changes to personal data in your systems (and your vendors’ systems). Most data privacy laws include a right to correct personal data and, at least in certain circumstances, a right to request that data be deleted or removed from public view. (The obligation to respect such requests generally extends to vendors and other entities with whom your organization may have shared the data.)
  3. Restrict how you use or share the personal data. This obligation most commonly takes the form of respecting the opt-out choices of your customers, such as the choice to opt-out of certain types of uses or sharing of data (e.g., for marketing or ad-serving purposes). Other more limited rights in this category include requests to restrict processing or automated decision making.

 

Businesses face many common pitfalls as they prepare to handle consumer privacy requests. For starters, diverging requirements and exemptions among jurisdictions mean that organizations cannot readily apply a single set of policies across their global operations without careful consideration. For example, the GDPR allows organizations to deny certain requests to stop processing personal data if the organization can demonstrate a compelling legitimate interest in continuing the processing. California law provides no such exemption for a request to opt out of the “sale” of personal information.

On the operations front, before a business responds to consumer privacy requests, it must have a good understanding of where personal data is stored, how it is used, and with whom it may have been shared. It also, of course, must have processes in place to receive requests; to record details about the submission of each request (e.g., the date and whether submitted through a privacy policy link or while chatting with a customer service representative); and to authenticate the identity of the requester.

All these challenges show that the most important step in preparing for consumer privacy requests is to establish clear and consistent internal policies and procedures. When doing so, it is vitally important to consider more than just the internal systems and personnel involved in effectively complying with consumer privacy request obligations, but also the perspective of the customers who will be making requests about their data. 

The way a business interacts with customers when they exercise their privacy rights is part of its overall branding strategy. Therefore, it is important to consider the entire request journey. At every contact point, are you helping customers to understand their options? The more a business helps to educate its customers about how and why they may exercise privacy rights, the easier it will be for the business to fulfill its privacy obligations and the more likely it will be to result in a positive experience for the customer.

But how do you know whether your internal policies and procedures for consumer privacy requests meet requirements across jurisdictions? You don’t have to go it alone. One common way to check your practices against recognized requirements is to seek independent review. 

In pursuing a privacy program certification, such as the Cross-Border Privacy Rules certification, you submit your policies and procedures for review against the internationally recognized standards built into the certification. This process also includes an independent test of the privacy choices you provide, verifying that your request handling processes are set up to be properly accessible and responsive to consumer privacy requests.

Businesses with a privacy certification also benefit from an ongoing second layer of review, through dispute resolution procedures that ensure consumer inquiries are heard and resolved before the consumer turns to regulators with a complaint. Establishing such a backstop mechanism further enhances the value of consumer privacy request handling as an opportunity to maintain a trustworthy brand by remaining responsive to customer needs. 

For this reason, all BBB National Programs’ Global Privacy Division certifications include built-in dispute resolution mechanisms. (Even without a privacy certification, your business can create a dispute resolution path for customers through a program such as Privacy Shield.)

Although consumer data privacy requests may seem daunting, there are clearly established interoperable privacy practices that are proven to be achievable for any business, while still helping consumers feel heard. 

Suggested Articles

Blog

A globalized CBPR framework: Peering into the future of data transfers

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. During a panel discussion titled “The Evolution of International Privacy Policymaking in the U.S. Government," discussing data flow issues around the world, the DOC International Trade Administration's Christopher Hoff, Deputy Assistant Secretary for Services, dropped the clearest signals about the future of ITA’s work.
Read more
Blog

When Organizations Market To Children, They Should Do So Responsibly

Today's generation of digital natives might be more comfortable navigating gaming and content platforms, but they face the same cognitive limitations — and vulnerabilities — that children always have. The gap between a child’s needs online and the safeguards in place to protect them in digital spaces has grown to the point where big players like Google and Facebook are making more of an effort to address these gaps.
Read more
Blog

What Is Arbitration and What Should You Expect from It?

Arbitration is a form of dispute resolution and is an alternative to litigation (going to court). In some cases, a process called mediation will precede arbitration. In fact, more than 60% of claims that come through AUTO LINE are resolved in mediation. But, if a dispute cannot be resolved in mediation, the claim will proceed to arbitration.
Read more
Blog

The Potential Cost of Misleading Income Claims

The FTC recently put direct sellers, and other companies offering money-making opportunities, on notice: false promises about earnings potential and other aspects of a company’s business opportunity could subject the company to civil penalties. DSSRC published the Guidance on Earnings Claim for the Direct Selling Industry to reinforce fundamental tenets regarding the dissemination of earnings claims by direct selling companies and their independent salesforce members.
Read more