All consumers need to know their privacy rights to be able to exercise them effectively
Privacy policies, cookie consent pop-ups, and “do not sell my personal information” links are becoming a regular feature of many business websites. However, even as more privacy laws are proposed and enacted, consumers are still unsure as to what these tools are, what they do, and how they protect their personal data privacy. For example, a Consumer Reports study showed that over 500 California residents submitted requests to exercise their privacy rights under the California Consumer Privacy Act (CCPA) to over 214 businesses. In 62% of the cases, participants either did not know whether their request was successful or could not figure out how to make the request in the first place.
While passing laws that provide consumer data privacy rights is crucial, those laws become essentially useless if consumers do not understand what privacy rights they have or how to exercise those rights and pursue violations. All consumers can gain more control over their online data privacy through some simple steps:
- Determine what privacy rights you have;
- Easily locate how to exercise those rights; and
- Find whom to contact if a business has violated your privacy rights.
The overwhelming majority of American consumers prefer to buy from companies that guarantee them access to their personal information and offer a strong approach to their data management. Most people who responded to a survey indicated that data privacy is a human right. All consumers should care about privacy rights and learn how to exercise those rights.
Do you have privacy rights?
Before one can exercise privacy rights, it is essential to determine whether one actually has any right to data privacy. Some states, such as California, provide robust privacy rights to individuals, while others, such as Nevada, have provided some privacy rights. Lastly, other states, such as Florida, provide almost no rights for protecting personal information typically collected by business websites.
So, instead of spending hours reading privacy laws, how can a consumer determine what privacy rights they have? The following resources list the privacy laws by state and the rights provided by those laws:
- National Conference of State Legislatures – list of state laws related to Internet privacy;
- Varonis guide to privacy laws in the United States;
- International Association of Privacy Professionals – state privacy law comparison.
An Explanation of Privacy Rights
- The right to access: gives individuals the right to access their personal information. Exercising this right reveals what personal information a business holds about someone, how it uses that information, and why that business collected it. This is a great way to determine whether personal information is collected for expected uses such as processing an order or for potentially unexpected uses such as the sale of personal information;
- The right to portability: gives individuals the right to obtain and reuse their personal information for their own purposes across different services. Exercising this right allows a consumer to receive their personal information in a structured, commonly used, and machine-readable format. Obtaining this personal information means a person can easily switch vendors or maintain their created content across different platforms;
- The right to rectification: gives individuals the right to have inaccurate personal information corrected, or completed if it is incomplete. This right ensures that the business holds accurate and up-to-date information about each of its contacts;
- The right to erasure: also called the “right to deletion”, or “the right to be forgotten”, this right allows a person to have their personal information erased. Exercising this right helps keep personal information safe from breaches by having companies erase that information once there is no longer a business reason to maintain it;
- The right to restrict processing: gives individuals the ability to allow companies to process their personal information for some purposes but not for others. For example, a person can direct the business to use their personal information to process an order but not to send marketing emails;
- The right to withdraw consent: if the processing of personal information is based on consent, a person may have the right to withdraw their consent, thereby stopping the processing or maintaining of their personal information;
- The right to opt-out: gives individuals the ability to opt out of the processing of their personal information for certain purposes such as direct marketing or to opt out of the sale of their personal information. A person may also have the right to opt out of automated decision-making or profiling.
It is important to note that these rights are not absolute and that a business may decline a request to exercise data privacy rights in certain circumstances, such as when requests are manifestly unfounded or excessive.
How Can You Exercise Your Rights?
Some companies will require an email, while others have a specific web page or portal for privacy requests. It is important to follow the directions carefully, since a request may be denied if they are not followed properly. Most requesters will be required to verify their identity to exercise data privacy rights. While it may seem counterintuitive to provide more personal information for a privacy request, this extra step is intended to prevent fraudulent access to personal information.
After submitting a request, expect a response within 30 to 45 days, depending on the privacy laws that apply to the company. While some companies respond much sooner than that, do not be alarmed if the company requests an extension of the response time.
Did Not Receive a Response or Not Satisfied with the Response?
Occasionally, a company will not respond to a privacy rights request or will improperly deny such a request. Doing so may mean that the company is breaking the law, and a consumer can report a violation to the proper authorities. Which authority to contact depends on where you reside:
- In the United States, contact your state Attorney General’s office or the Federal Trade Commission;
- In the European Union, contact the country’s Data Protection Authority;
- In the United Kingdom, contact the UK Information Commissioner’s Office; or
- In Canada, contact the Office of the Privacy Commissioner of Canada.
Otherwise, simply search Google for “(country name) privacy enforcement government entity” to find the right governmental body with which to file a complaint.