What are your Privacy Consumer rights?

Businesses have paid $46.5 billion in corporate fines for non-compliance with a single privacy law (GDPR). There are 162 privacy laws designed to give average consumers like you and me more control over our personal information and to reinforce privacy as a fundamental human right.

It's time to get to know your privacy consumer rights, a little bit better. This insightful article is presented by PrivacyOS.ai. We are dedicated to empowering businesses to safeguard privacy as a human right for their consumers.

Sign up for our Privacy Champions program here and paid pilot here.

Download our first free product - Privacy Firewall for ChatGPT prompts, here.

P.S. This is not legal advice and is drafted for educational purposes.


"Right to Know":

What falls under this right

You have the right to request that businesses disclose what personal information has been collected about you and why, and how it is used, processed, retained and shared/sold (and to whom).

Exercising your rights

Read privacy policies and privacy notices from companies you interact with to stay informed about your personal data. These are often found on their websites, typically in the footer section, or provided when you sign up for a service. If the information isn't clear, contact the company directly and ask for clarity about their data practices.


"Right to Access, Correct/Rectification & Deletion (Right to be Forgotten)":

What falls under this right

  • Access - Ask companies to show you all personal data they have on you. The process of filing a request with companies to access personal data and supplementary information is called a Data Subject Access Request (DSAR).
  • Right to Data Portability - Move, copy or transfer your personal data from one service to another, in a safe and secure way, without affecting its usability. For example, if you want to change from one social media platform to another, you can take your data (like your posts and friends list) with you.
  • Correct/Rectify - Request businesses to correct, complete and update inaccurate or incomplete personal data they hold about you.
  • Delete - Ask companies to delete your data when it's no longer needed or they have no good reason to keep it.

Exercising your rights - Submitting these Data Subject Requests (DSRs):

Where to look:

  • Look for the company’s privacy center/portal or privacy policy on their website. It will contain an email address, online forms or designated portals for filing these written requests. Examples: the LinkedIn Privacy Portal (Privacy Center) or the email embedded in Robinhood's Privacy Policy to request DSRs.
  • Otherwise, email their Customer service & Privacy/Security team (Data Protection Officers or similar authorities).

What you might need:

  • Proof of identity for verification might be required.
  • For correction/rectification - Provide the data you have identified as incorrect, alongside the correct info. Some online services allow you to update your info directly in your user account settings.
  • For access/delete - Remember that certain data could be under legal hold or subject to business needs and may not satisfy the deletion standards; let businesses assess and notify you accordingly.
  • For data portability - Request a copy of your data in a portable and accessible format.
  • Response time - Businesses are required to respond to consumer requests within specific timeframes (usually within 45 days of receiving a request).


"Right to Opt-Out of Data Sale, Object, Consent & Limit Use":

What is covered:

If you're uncomfortable with how a company is using your data, or if you think they don't really need the data, you can ask businesses to stop using it. Some examples include:

  • Processing for direct marketing or sending you marketing emails.
  • Selling your personal information
  • Processing for purposes of scientific/historical research and statistics

Businesses that sell personal information must provide a clear and conspicuous link on their website titled “Do Not Sell My Personal Information,” allowing consumers to opt-out.

Consent should be collected before a company can process your personal data, and it should be informed and specific to the purpose for which the personal data is being collected. You can further request correction, completion, updating, or erasure of personal data for which you gave consent. You can withdraw consent at any time, and upon such withdrawal, the business must stop processing your personal data within a reasonable time.

Exercising your rights

  • When cookie banners pop up on a site, asking for consent, with options like “Accept all cookies”, “Accept essential cookies” or “Reject all cookies” - Feel free to hit “Reject all cookies” if you don't want the website to track you.
  • Where applicable, opt out and withdraw consent, including on your phone, where you can control how various apps access your data and phone settings.
  • Hit unsubscribe in emails, texts or account settings, and sign up for the do-not-call list.
  • Contact companies via email (customer service or privacy teams), online forms, or designated privacy portals. Proof of identity for verification might be needed.


"Rights in relation to Automated Decision Making and not to be Profiled by Machines"

  • What is covered: You have the right to not be judged by automated systems or computer programs, protecting you against the risk that a potentially damaging decision is made without human intervention, in cases which can produce a legal or significant effect like getting a loan or a job.
  • Exercising your right: Contact the company and state that you want to opt out of decisions made solely by automated processes. You can ask for a human review if you have been affected by an automated decision.


"Special Protections for Minors":

What is covered:

Parental consent is required for children's data handling.

  • CCPA requires parents or guardians to provide affirmative consent to opt in to the collection of personal data from a child under the age of 13. For consumers who are minors (under 16 years of age), businesses must obtain opt-in consent to sell their personal information.
  • India's bill provides protection for minors and individuals with disabilities: Parental or guardian consent is required for processing the data of children under 18 and individuals with disabilities. Additionally, behavioral monitoring or targeted advertising directed at children is prohibited. The Act protects against the processing of personal data that is likely to cause harm or detrimental effects, particularly in the case of children.


In all the above cases, companies must provide clear instructions on how to exercise your rights. If a company fails to respond or you are not satisfied with their response, you can escalate your concern to the relevant data protection authority in your country. In all cases, you reserve the right to non-discrimination, which ensures companies won't treat you unfairly or discriminate against you for exercising your privacy rights. This includes denying goods or services, charging different prices, providing a different level or quality of goods or services, or suggesting that the consumer will receive a different price or rate for goods or services.


If a Company Does Not Comply

Follow-Up and Internal Complaint:

  • If you haven't received a response within a reasonable timeframe (usually one month), follow up with the company. It's possible your request was overlooked or not properly processed.
  • Contact the company’s privacy officer or file a formal complaint if your request is ignored.

Contact Data Protection Authorities:

  • Escalating Non-Compliance: If rights are not respected or companies refuse to comply with your request, you can escalate the issue with the national Data Protection Authority (DPA) or regulatory bodies in your region. The DPA has the power to investigate and enforce compliance.

Legal Action:

  • In extreme cases, where the DPA's intervention doesn't resolve the issue, you might consider taking legal action. It's advisable to seek legal advice before proceeding with this step.


Repercussions for Companies

  • Fines and Penalties: Non-compliance can lead to significant financial penalties (up to €20 million or 4% of annual global turnover for GDPR, $2,500 to $7,500 per violation for CCPA, up to 2.5 billion rupees for India's Act).
  • Reputational Damage: Non-compliance can harm a company’s reputation and customer trust.
  • Legal and Regulatory Actions: Companies may face legal proceedings and increased scrutiny from regulatory bodies.

Using Legal Rights Proactively: Consumers can proactively use their rights to access, rectify, or delete data, and to understand data processing practices.


The list above is a small portion. To learn about the exhaustive list of your consumer privacy rights, sign up for our Privacy Champions program here.

Interested in how your company can uphold the privacy rights of your customers through technical privacy compliance? Get in touch with us here.

Sign up for our paid pilot here.

Engage with our NIST Study here.




Jeff Boggs

Over 20 Years in US Software Development on a TN Visa | Founder and Solution Architect Specializing in Agile Project Management | 10+ years Financial Trading Systems | .NET Certified | Angular | React | Node | .NET Core

12 months

We need a better way to do advertising. The DigitPop digital currency enables a third lane for users who want to access social media and other digital assets. The three options are: 1. Ad-Supported Access: The traditional model offering free platform use, with targeted ads based on user data. 2. Subscription-Based Access: Users pay a monthly fee for ad-free social media usage. 3. DigitPop Model as Digital Currency: A novel approach where users earn DigitPop points, a digital currency, by engaging with shoppable video ads and completing comprehension tests. These points are used for ad-free access to social media and other digital media assets, offering a privacy-focused alternative without the need for a subscription fee.
