Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 31 December 2024

☒   the identity and the contact details of the controller and, where applicable, of the controller's representative

☒   the purposes of the processing for which the personal data is intended

☒   the categories of personal data concerned

☒   the source from which the personal data originates and, if applicable, whether it came from publicly accessible sources

☒   the recipients or categories of recipients of the personal data, if any

☒   the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period

☒   the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.

☒   the existence of the right to withdraw consent if processing is based on consent

☒   the security provided to the data

☒   the right to lodge a complaint with a supervisory authority.

☒   whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data

☒   if applicable, information regarding automated decision making, including profiling (Note: the CCPA, CPA, CTDPA, and VCDPA, for example, include a right to opt-out of profiling; the UCPA does not).

☒   other.

Each law contains different requirements regarding the format, content and organization of privacy notices. The CCPA contains particularly prescriptive and detailed requirements, including the obligation for companies to notify consumers about their rights. It also details the types of disclosures of personal data, including disclosures that qualify as a "sale" or "share" under the CCPA, and the types of third parties to whom such disclosures are made. Among other examples, the Washington My Health My Data Act uniquely requires regulated entities to name, in their online privacy disclosures, every affiliate not acting as a data processor to which consumer health data is disclosed. COPPA requires that a separate privacy notice be issued directly to the parents of children from whom a covered operator collects personal information.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 31 December 2024

Yes. Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

☒   right to access the data subject's own personal data

☒   right to rectify/correct the data subject's own personal data where inaccurate or incomplete

☒   right to erasure of personal data

☒   right to restrict data processing

☒   right to data portability

☒   right to object to the processing of personal data

☒   right to withdraw consent

☒   other

The CCPA, for example, gives California residents rights of access, deletion and portability, as well as the right to opt out of the sale of their personal data. Since 1 January 2023, California residents also have the right to correct personal information and to limit the use of sensitive personal information. HIPAA gives patients a right of access to their health information.

Are there accountability and governance requirements?

Last review date: 31 December 2024

Yes. There are accountability and governance requirements to:

☒   take privacy by default and design measures for all processing of personal data

☒   perform and document data protection impact assessments (DPIAs) for high-risk processing

☒   implement appropriate measures to comply with data privacy and security

☒   demonstrate compliance with data privacy and security

☒   identify a specific individual as the data privacy contact for data subject or data protection authority inquiries

☒   provide training to employees

☒   audit or supervise data processors