TR-01-727 Privacy Notice

TR-01-727
Privacy Notice
Transparency
Identify
Privacy and Confidentiality
NOT SELECTED
NA
No
Laws and regulations are violated due to an organization failing to provide notices on usage of customer data.
The organization:
a. Provides effective notice to the public and to individuals regarding:
   (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII);
   (ii) authority for collecting PII;
   (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and
   (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes:
   (i) the PII the organization collects and the purpose(s) for which it collects that information;
   (ii) how the organization uses PII internally;
   (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing;
   (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent;
   (v) how individuals may obtain access to PII; and
   (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.
(1) PRIVACY NOTICE | REAL-TIME OR LAYERED NOTICE
The organization provides real-time and/or layered notice when it collects PII.
Supplemental Guidance: Real-time notice is defined as notice at the point of collection. A layered notice approach involves providing individuals with a summary of key points in the organization’s privacy policy. A second notice provides more detailed/specific information.
System banners (internal) and/or website notification (public) are in place to address the notification and usage of PII, where applicable.
No statewide control
Obtain the data privacy policy and procedures and other relevant documents or records, and ascertain if:
(i) the organization provides effective notice to the public and to individuals regarding:
   (a) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII);
   (b) authority for collecting PII;
   (c) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and
   (d) the ability to access and have PII amended or corrected if necessary;
(ii) the organization describes:
   (a) the PII the organization collects and the purpose(s) for which it collects that information;
   (b) how the organization uses PII internally;
   (c) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing;
   (d) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent;
   (e) how individuals may obtain access to PII; and
   (f) how the PII will be protected;
(iii) the organization revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change; and
(iv) the organization provides real-time and/or layered notice when it collects PII.