
PIA & DPIA Assessment

Regional regulations associated with PIA & DPIA Automation.

GDPR Article 25: Data Protection by Design and Default


GDPR Article 35: Data Protection Impact Assessment
GDPR Article 36: Prior Consultation
CPRA 1798.100: Right to Know About Collection
LGPD Article 38: Recording of Processing Activities

GDPR Article 25: Data Protection by Design and Default


Article 25 (1)
An organization must “both at the time of the determination of the means of processing and at the time of
processing itself, implement appropriate technical and organisational measures” that are designed to
implement data-protection principles.
Article 25 (2)
An organization “shall implement appropriate technical and organisational measures for ensuring that, by
default, only personal data which are necessary for each specific purpose of the processing are
processed.”
Article 25(1) means that organizations have to make conscious, purposeful decisions, both when deciding how data will be processed and during the processing itself, so that privacy measures are baked into their policies, workflows and projects rather than bolted on afterwards.

Article 25(2) makes data minimization the default: the organization must process only the minimum personal data required to fulfill the specific purpose for which the data was collected, and must not collect, retain or expose more than that unless a deliberate decision is taken to do so.

GDPR Article 35: Data Protection Impact Assessment

Article 35 (3)
A Data Protection Impact Assessment (DPIA) is required in particular when:
• a "systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing", including profiling, is taking place and decisions based on it produce legal effects on, or similarly significantly affect, the individual
• "processing on a large scale of special categories of data" (Article 9(1)), or of data relating to criminal convictions and offences (Article 10), is taking place
• there is "systematic monitoring of a publicly accessible area on a large scale"

Article 35 (7)
The DPIA shall contain at least:
• "a systematic description" of the envisaged processing operations and the purposes of the processing
• "an assessment of the necessity and proportionality" of the processing operations in relation to the purposes
• "an assessment of the risks" to the rights and freedoms of data subjects
• "the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data"

Article 35 applies privacy by design through the DPIA: the assessment is used to determine the likelihood and severity of the risk that a processing activity poses to the people whose data is processed, before that processing starts.

Article 35(3) lays out three specific cases in which a DPIA is mandatory:
• automated evaluation or profiling of individuals that leads to decisions with legal or similarly significant effects (not every instance of automated processing)
• large-scale processing of special categories of data
• systematic, large-scale monitoring of publicly accessible areas

Supervisory authorities also publish their own lists of further processing operations that require a DPIA (Article 35(4)), so the national list must be checked too, but if any one of the three cases above applies, the GDPR itself mandates a DPIA.

Article 35(7) tells you what the DPIA must contain at a minimum: a description of the processing and the reasons for it, an assessment of its necessity and proportionality, an assessment of the risks to data subjects, and the measures planned to address those risks.

GDPR Article 36: Prior Consultation

Article 36(1)
The data controller "shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk".

Article 36(3)
When consulting the supervisory authority under Article 36(1), the controller shall provide it with:
• the "respective responsibilities of the controller, joint controllers and processors"
• the "purposes and means of the intended processing"
• the "measures and safeguards provided"
• the "contact details of the data protection officer"
• the "data protection impact assessment"
• "any other information requested by the supervisory authority"

Let's say a fitness company is rolling out a new calorie counter, conducts a DPIA, and finds that the processing involves a high risk that its planned measures do not bring down. This does not mean the company has to scrap the project; it means it must consult the supervisory authority before starting the processing, per Article 36(1).

If that consultation takes place, the company must provide what is listed in Article 36(3), which includes:
• the responsibilities of the controller(s) and of any processors
• the purpose and method of the data processing
• the safety and security measures in place
• contact details for the DPO
• the DPIA itself
• anything else the supervisory authority asks for
CPRA 1798.100: Right to Know About Collection

1798.100
A business that collects personal information about a consumer shall disclose:
• the categories of personal information it has collected
• the categories of sources
• the business or commercial purpose
• the categories of third parties with whom the business shares personal information
• the specific pieces of personal information
• the categories of personal information sold or shared
• the length of time the business intends to retain each category of personal information
• notice of any financial incentive

CPRA also covers "sensitive personal information": social security numbers, driver's license numbers, biometric information, precise geolocation, racial or ethnic origin, and similar data. In addition, CPRA 1798.100(c) introduces data minimization and storage limitation (collection, use, retention and sharing must be reasonably necessary and proportionate to the disclosed purposes), similar to the Data Protection by Design and Default principles in GDPR Article 25.

LGPD Article 38 on Personal Data Processing Agents - Controller and Processor

"The national authority may determine that the controller must prepare a data protection impact assessment"

"The report must contain at least:
• a description of the types of data collected
• the methodology used for collection and for ensuring the security of that information
• the analysis of the controller regarding:
  - adopted measures
  - safeguards
  - mechanisms of risk mitigation"

In Brazil, as in the EU under the GDPR, the LGPD provides that a DPIA may be required (here, at the direction of the national authority, the ANPD) and specifies what the report must document: the types of data collected, how they are collected and secured, and the controller's own analysis of the measures, safeguards and risk-mitigation mechanisms adopted.
TPRM – Third Party Risk Management

Article 4(7)
• 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Only the controller determines certain decisions like purpose and means of the processing of personal
data. In fact, according to the European Data Protection Board, “if a processor goes beyond the
controller’s instructions and starts to determine its own purposes and means of processing, the processor
will then be considered a controller in respect of that processing and may be subject to sanctions for going
beyond the controller’s instructions.”

Article 24(1)
• Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
• Those measures shall be reviewed and updated where necessary.

Article 24 places accountability on the controller: it must implement appropriate technical and organisational measures and be able to demonstrate that processing complies with the Regulation. That accountability does not stop at the organization's boundary, so when processing is outsourced the controller has to ensure that the third parties processing personal data on its behalf implement such measures to protect that personal information (Article 28 spells out how). The measures must be reviewed and updated periodically.
Article 28 (1)
• Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Article 28 (2)
• The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Article 28 (3)
• Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Article 28 (4)
• Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

If you are a controller, Article 28 requires due diligence: use only processors that have proper technical and organisational measures in place to protect the personal data being processed. In practice those measures are the controls found in recognised security standards and frameworks, which is what a third-party risk assessment tests for.

If sub-processors are involved, they too must have proper measures in place to protect that personal data, flowed down to them by contract, and they may only be appointed with the knowledge and prior written authorisation (specific or general) of the controller. The initial processor remains fully liable to the controller for a sub-processor's failures.

The relationship between a controller and a processor must be formalised in a written contract (or other legal act) that meets the requirements of Article 28(3).

Article 29
• The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

The controller alone decides what data is processed and how. The processor may only process in accordance with the controller's instructions; this is reiterated in Article 32(4), which requires the controller and processor to ensure that any person acting under their authority with access to personal data processes it only on the controller's instructions. With respect to the processing of the data, the processor shall do no more and no less than instructed by the controller, unless Union or Member State law requires otherwise.

CPRA 1798.110
• (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
  1. The categories of personal information it has collected about that consumer.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting, selling, or sharing personal information.
  4. The categories of third parties to whom the business discloses personal information.
  5. The specific pieces of personal information it has collected about that consumer.

• (b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to subparagraph (B) of paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer, provided that a business shall be deemed to be in compliance with paragraphs (1) to (4), inclusive, of subdivision (a) to the extent that the categories of information and the business or commercial purpose for collecting, selling, or sharing personal information it would be required to disclose to the consumer pursuant to paragraphs (1) to (4), inclusive, of subdivision (a) is the same as the information it has disclosed pursuant to paragraphs (1) to (4), inclusive, of subdivision (c).
• (c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:
  1. The categories of personal information it has collected about consumers.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting, selling, or sharing personal information.
  4. The categories of third parties to whom the business discloses personal information.
  5. That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

This section states that "A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer", among other things, "The categories of third parties to whom the business discloses personal information."

This creates a layer of obligation for businesses to be able to identify which pieces of personal information are shared and with whom. Both GDPR and CPRA are tiered in the sense that the controller/business is ultimately responsible for disclosing the recipients with whom it shares information. In practice this means a business must be able to communicate with all of its third parties when a consumer exercises a right of access or deletion, since the data those third parties hold is in scope. A third-party risk management tool and a data mapping tool help identify how, and to whom, the organization is sharing this particular information.

CPRA 1798.115
• (a) A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer:
  (1) The categories of personal information that the business collected about the consumer.
  (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold.
  (3) The categories of personal information that the business disclosed about the consumer for a business purpose.
• (b) A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.
• (c) A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:
  (1) The category or categories of consumers' personal information it has sold, or if the business has not sold consumers' personal information, it shall disclose that fact.
  (2) The category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact.
• (d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

If you are a business that sells personal information, consumers have the right to request the categories of their personal information that were sold and the categories of third parties to whom it was sold, broken down per category of third party.

Consumers also have the right to opt out of the sale of their personal information (Section 1798.120). A third party that has bought personal information from a business may only resell it if the consumer has received explicit notice and has been given the opportunity to opt out.

INCIDENT MANAGEMENT

Article 33 (1)
• In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Article 33 (2)
• The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
Article 33(3)
The notification referred to in paragraph 1 shall at least:
• describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• describe the likely consequences of the personal data breach;
• describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Per Articles 33(1) and 33(2), if there is a personal data breach, two things need to happen:
1. If the breach happened at a processor, the processor must inform the controller without undue delay.
2. Whether the breach occurred at a processor or at the controller, the controller of the affected data must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made after 72 hours must be accompanied by the reasons for the delay.

When notification to the supervisory authority is required, Article 33(3) details what it must include:
• the nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned
• the name and contact details of the data protection officer or other contact point
• the likely consequences of the breach, and
• the measures taken or proposed to address the breach, including mitigation of its possible adverse effects

As a processor, you must notify the controller of a data breach as soon as you become aware of it. Most controllers will expect to be notified immediately and may contractually require this, because their own window for notifying the supervisory authority (again, no later than 72 hours where feasible) starts running when they become aware of the breach.

Article 34 (1)
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Article 34 covers communication to the data subjects affected by a breach: when the breach is likely to result in a high risk to their rights and freedoms, the controller must notify them without undue delay. The Article does not define "high risk", but the European Data Protection Board's guidance does: if the breach has an irreversible consequence for the data subject, it should be considered high risk.

For a larger breach in which thousands or millions of data subjects were affected, contacting each of them individually may involve disproportionate effort. Article 34(3)(c) allows a public communication or similar measure, such as a public announcement of the breach, in that case, provided the data subjects are informed in an equally effective manner.

The GDPR also regulates how data subjects are contacted: the communication must describe the breach in clear and plain language and contain at least the DPO or contact point details, the likely consequences and the mitigating measures (Article 34(2)). It also lists exceptions under which individual communication is not required (Article 34(3)):
• the controller had applied appropriate protection measures to the affected data, in particular measures such as encryption that render it unintelligible to anyone not authorised to access it, or
• the controller has since taken measures that ensure the high risk is no longer likely to materialise.
Keep in mind, however, that the supervisory authority can override these exceptions: having considered the likelihood of high risk, it may order an organization to communicate the breach to the data subjects (email, public broadcast, individually, etc.) (Article 34(4)).

CPRA 1798.150
(a) (1) Any consumer whose nonencrypted and nonredacted personal information, as defined in
subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address
in combination with a password or security question and answer that would permit access to the
account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the
business’s violation of the duty to implement and maintain reasonable security procedures and
practices appropriate to the nature of the information to protect the personal information may
institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater
than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is
greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant
circumstances presented by any of the parties to the case, including, but not limited to, the nature and
seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of
time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the
defendant’s assets, liabilities, and net worth.

(b) Actions pursuant to this section may be brought by a consumer if, prior to initiating any action
against a business for statutory damages on an individual or class-wide basis, a consumer provides
a business 30 days’ written notice identifying the specific provisions of this title the consumer
alleges have been or are being violated. In the event a cure is possible, if within the 30 days the
business actually cures the noticed violation and provides the consumer an express written
statement that the violations have been cured and that no further violations shall occur, no action
for individual statutory damages or class-wide statutory damages may be initiated against the
business. The implementation and maintenance of reasonable security procedures and practices pursuant
to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach. No notice
shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages
suffered as a result of the alleged violations of this title. If a business continues to violate this title in
breach of the express written statement provided to the consumer under this section, the consumer may
initiate an action against the business to enforce the written statement and may pursue statutory damages
for each breach of the express written statement, as well as any other violation of the title that postdates
the written statement.

(c) The cause of action established by this section shall apply only to violations as defined in subdivision
(a) and shall not be based on violations of any other section of this title. Nothing in this title shall be
interpreted to serve as the basis for a private right of action under any other law. This shall not be
construed to relieve any party from any duties or obligations imposed under other law or the United States
or California Constitution.
California's CPRA takes a different approach in Section 1798.150: rather than a breach-notification protocol (notification duties are set out elsewhere in California law), it gives consumers a private right of action when a breach results from a business's failure to implement and maintain reasonable security. The top section above defines who can sue and when:
• "Any consumer whose nonencrypted and nonredacted personal information... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures..."
Note the qualifier: properly encrypted or redacted data falls outside this cause of action.
The middle section sets the remedy: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, with the court weighing factors such as the seriousness, persistence and willfulness of the misconduct.
A last important point is the 30-day cure period: a consumer must give the business 30 days' written notice before suing for statutory damages, and if the business cures the noticed violation within that window and confirms so in writing, the statutory-damages action is barred. However, implementing reasonable security after the breach does not count as a cure for that breach, and no notice is required for an action seeking only actual pecuniary damages.

LGPD Article 48
The controller shall report to the national authority and to the data subject ("holder" in the Portuguese original) the occurrence of a security incident that may lead to significant risk or damage to the data subjects.
• 1. The communication shall be made within a reasonable period of time, as defined by the national authority, and shall mention, as a minimum:
  - I - description of the nature of the affected personal data;
  - II - information about the data subjects involved;
  - III - indication of the technical and security measures used for data protection, observing trade and industrial secrets;
  - IV - the risks related to the incident;
  - V - the reasons for the delay, in case the communication was not immediate; and
  - VI - the measures that have been or will be taken to reverse or mitigate the effects of the damage.
• 2. The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the rights of the data subjects, order the controller to adopt measures such as:
  - I - wide dissemination of the fact in the media; and
  - II - measures to reverse or mitigate the effects of the incident.
• 3. In judging the severity of the incident, any evidence that adequate technical measures were taken to render the affected personal data unintelligible, within the scope and technical limits of its services, to third parties not authorised to access it shall be assessed.

Under Article 48, the controller must communicate to the national authority and to the data subjects the occurrence of a security incident that may create risk or relevant damage to them. This communication must be made within a reasonable period, as defined by the national authority, and must include the elements listed above, including the reasons for any delay.

Depending on the gravity of the situation, the ANPD may order the controller to make a broad disclosure of the breach in the media, and it will take into account whether the affected data had been rendered unintelligible to unauthorised parties (for example through encryption) when judging the incident's severity.

POPIA Section 22
(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify:
  (a) the Regulator; and
  (b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system.
(3) The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
(4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
  (a) mailed to the data subject's last known physical or postal address;
  (b) sent by e-mail to the data subject's last known e-mail address;
  (c) placed in a prominent position on the website of the responsible party;
  (d) published in the news media; or
  (e) as may be directed by the Regulator.
(5) The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including:
  (a) a description of the possible consequences of the security compromise;
  (b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  (c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  (d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
(6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

The Republic of South Africa has taken significant steps to implement laws and regulations relating to the protection of data and personal information. The Protection of Personal Information Act (POPIA) sets out security requirements and requires that security compromises be notified to the Information Regulator and to the affected data subjects, as soon as reasonably possible after discovery.

POPIA also provides exceptions and qualifications to these notification requirements:
• the data subject need not be notified where their identity cannot be established (Section 22(1)(b));
• notification of the data subject may be delayed, but only where a law-enforcement body or the Regulator determines that it would impede a criminal investigation (Section 22(3)).

Section 22(4) and (5) prescribe how the notification must reach data subjects (in writing, through one of the channels listed above) and what it must contain, so that they can take protective measures. Finally, a responsible party may be directed by the Information Regulator to publicise the breach where the Regulator has reasonable grounds to believe that such publicity would protect affected data subjects (Section 22(6)).

Data Mapping Automation


GDPR Article 30: Records of Processing Activities

Article 30 (1)
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
• the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• where possible, the envisaged time limits for erasure of the different categories of data;
• where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Article 30 (2)
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
2. the categories of processing carried out on behalf of each controller;
3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Article 30(4)
• The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

Whether you are the controller or the processor, you must maintain Records of Processing Activities (ROPAs) to stay compliant with the GDPR, and these records must be kept accurate and up to date, since the supervisory authority can request them at any time.

Records of Processing Activities: controllers (Article 30(1)) compared with processors (Article 30(2))

Records of
  Controller: the processing activities under its responsibility
  Processor: the categories of processing activities carried out on behalf of each controller

Contact information
  Controller: name and contact details of the controller; where applicable, the joint controller; the controller's representative; the data protection officer (DPO)
  Processor: name and contact details of the processor(s); each controller on behalf of which the processor is acting; the controller's and processor's representatives; the DPO

Purpose of processing
  Controller: purposes of the processing
  Processor: N/A

Data subjects
  Controller: categories of data subjects
  Processor: N/A

Personal data
  Controller: categories of personal data
  Processor: N/A

Recipients
  Controller: categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations
  Processor: N/A

Cross-border transfers
  Controller: transfers of personal data to a third country or an international organisation, and the safeguards on the transfer (Article 49(1))
  Processor: transfers of personal data to a third country or an international organisation, and the safeguards on the transfer (Article 49(1))

Retention
  Controller: envisaged time limits for erasure of the different categories of data
  Processor: N/A

Security
  Controller: technical and organisational security measures (Article 32(1))
  Processor: technical and organisational security measures (Article 32(1))

LGPD Article 37
Article 37
 The controller and the processor shall keep records of personal data processing operations carried
out by them, especially when based on legitimate interest.

Other regulations, such as the LGPD, impose a similar but not identical record-keeping obligation on data
controllers and processors: both must keep records of the personal data processing operations they carry
out, especially when those operations are based on legitimate interest.
Based on the regulations we’ve referenced, whether you are a controller or a processor of personal data,
there is going to be a need to keep records of certain aspects of your processing activities.
Cookie Consent

ePrivacy Directive Article 5.3


 “storing of information, or the gaining of access to information already stored, in the terminal
equipment of a…user is only allowed on condition that the subscriber or the user concerned has
given his or her consent”
 “[Except where]…strictly necessary in order…to provide the service”

The ePrivacy Directive, adopted in 2002, is built around the confidentiality of communications.

The Directive never uses the word “cookie,” but it does refer to information “stored in terminal equipment.”
In the context of confidentiality of communications, terminal equipment is the endpoint of that
communication, which is exactly where a cookie is stored. This is how we know the Directive covers cookies.

If you are going to use a cookie, then you must have consent to do so unless it’s a technical requirement
for your service to be provided.

GDPR Article 7
Article 7(2)
1. If the data subject’s consent is given in the context of a written declaration which also concerns
other matters, the request for consent shall be presented in a manner which is clearly
distinguishable from the other matters, in an intelligible and easily accessible form, using clear
and plain language.
2. Any part of such a declaration which constitutes an infringement of this Regulation shall not be
binding.

Article 7(3)
1. The data subject shall have the right to withdraw his or her consent at any time.
2. The withdrawal of consent shall not affect the lawfulness of processing based on consent before
its withdrawal.
3. Prior to giving consent, the data subject shall be informed thereof.
4. It shall be as easy to withdraw as to give consent.

Tricky or manipulative language may not be used to obtain consent from a data subject, and withdrawing
consent must be just as easy as giving it. So if a data subject ticks a box to give consent, unticking that
box to withdraw consent would be appropriate; having to make a phone call would not.
GDPR Article 21
Article 21(2)
 Where personal data are processed for direct marketing purposes, the data subject shall
have the right to object at any time to processing of personal data concerning him or her for
such marketing, which includes profiling to the extent that it is related to such direct marketing.
Article 21(3)
 Where the data subject objects to processing for direct marketing purposes, the personal
data shall no longer be processed for such purposes.

Cookies, the text files that store information on a device, can be used for marketing. If a company
processes personal data for the purpose of direct marketing, the data subject must be able to object at any
time, and once they object the organization must stop processing that personal data for that purpose.

CPRA 1798.115
(a) A consumer shall have the right to request that a business that sells or shares the consumer’s
personal information, or that discloses it for a business purpose, disclose to that consumer:

(1) The categories of personal information that the business collected about the consumer.

(2) The categories of personal information that the business sold or shared about the consumer and
the categories of third parties to whom the personal information was sold or shared, by category or
categories of personal information for each category of third parties to whom the personal information
was sold or shared.

(3) The categories of personal information that the business disclosed about the consumer for a
business purpose and the categories of persons to whom it was disclosed for a business purpose.

Cookies can be used to gather information from consumers that has monetary value.

If a business sells that information or discloses it for a business purpose, it is required to disclose the
following to the consumer on request:
 The categories of personal information that the business collected about the consumer.
 The categories of personal information that the business sold or shared about the consumer and
the categories of third parties to whom the personal information was sold or shared
 The categories of personal information that the business disclosed about the consumer for a
business purpose and the categories of persons to whom it was disclosed for a business purpose.

Upon request, these must be disclosed to the consumer.

CPRA 1798.135
(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell
My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by
the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not
require a consumer to create an account in order to direct the business not to sell the consumer’s personal
information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate
link to the “Do Not Sell My Personal Information” Internet Web page in:
 (A) Its online privacy policy or policies if the business has an online privacy policy or policies.
 (B) Any California-specific description of consumers’ privacy rights.

(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy
practices or the business’s compliance with this title are informed of all requirements in Section 1798.120
and this section and how to direct consumers to exercise their rights under those sections.

(4) For consumers who exercise their right to opt-out of the sale of their personal information, refrain
from selling personal information collected by the business about the consumer.

(5) For a consumer who has opted-out of the sale of the consumer’s personal information, respect the
consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the
sale of the consumer’s personal information.

(6) Use any personal information collected from the consumer in connection with the submission of the
consumer’s opt-out request solely for the purposes of complying with the opt-out request.

The other CPRA provision we’ll address covers compliance obligations with regard to the right to opt out.

California consumers have the right to opt out of having their personal information sold.

If, as a business, you gather personal information from California consumers that you will sell, you must
provide a “Do Not Sell My Personal Information” opt-out button on your website.

Privacy Rights Automation

GDPR Article 12
Article 12 (2)
1. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22.
2. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of
the data subject for exercising his or her rights under Articles 15 to 22, unless the controller
demonstrates that it is not in a position to identify the data subject.

Article 12 (3)
1. The controller shall provide information on action taken on a request under Articles 15 to 22 to
the data subject without undue delay and in any event within one month of receipt of the
request.
2. That period may be extended by two further months where necessary, taking into account the
complexity and number of the requests.
3. The controller shall inform the data subject of any such extension within one month of receipt of
the request, together with the reasons for the delay.
4. Where the data subject makes the request by electronic form means, the information shall be
provided by electronic means where possible, unless otherwise requested by the data subject.

Article 12 (4)
1. If the controller does not take action on the request of the data subject, the controller shall inform
the data subject without delay and at the latest within one month of receipt of the request of
the reasons for not taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy.

Article 12 provides the requirements for what must be done to remain compliant while managing data
subject requests under the jurisdiction of the GDPR.

These requirements include:


 respond to requests made electronically
o this does not mean requests are limited to electronic channels, but when a request is made
electronically the response must be provided electronically, unless the data subject requests otherwise
 securely transmit responses
 respond within one (1) month from when the request was made
 inform data subject about request extensions
 verify identity prior to responding
 deliver free of charge unless an exception applies

Nine (9) Data Subject Rights under the GDPR

Right to be Informed
Articles 13, 14
Recitals 60-62

Right of Access by the Data Subject
Article 15
Recitals 63 & 64

Right to Rectification
Articles 16, 19

Right to Erasure
Articles 17 & 19
Recitals 65 & 66

Right to Restriction of Processing
Articles 18 & 19
Recital 67

Right to Data Portability
Article 20
Recital 68

Right to Object
Article 21
Recitals 69 & 70

Automated Individual Decision Making
Article 22
Recitals 71 & 72

Right to Withdraw Consent
Article 7
Recitals 32, 33, 41, & 43

CPRA 1798.130:
(a) In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and
1798.125, a business shall, in a form that is reasonably accessible to consumers:

(1) (A) Make available to consumers two or more designated methods for submitting requests for
information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for
deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively, including, at a
minimum, a toll-free telephone number. A business that operates exclusively online and has a direct
relationship with a consumer from whom it collects personal information shall only be required to provide
an email address for submitting requests for information required to be disclosed pursuant to Sections
1798.110 and 1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and
1798.106, respectively.

(B) If the business maintains an internet website, make the internet website available to consumers to
submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or
requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

(2) (A) Disclose and deliver the required information to a consumer free of charge, correct
inaccurate personal information, or delete a consumer’s personal information, based on the
consumer’s request, within 45 days of receiving a verifiable consumer request from the
consumer. The business shall promptly take steps to determine whether the request is a verifiable
consumer request, but this shall not extend the business’s duty to disclose and deliver the information, to
correct inaccurate personal information, or to delete personal information within 45 days of receipt of the
consumer’s request. The time period to provide the required information, to correct inaccurate
personal information, or to delete personal information may be extended once by an additional 45
days when reasonably necessary, provided the consumer is provided notice of the extension within
the first 45-day period. The disclosure of the required information shall be made in writing and
delivered through the consumer’s account with the business, if the consumer maintains an account with
the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an
account with the business, in a readily useable format that allows the consumer to transmit this
information from one entity to another entity without hindrance. The business may require authentication
of the consumer that is reasonable in light of the nature of the personal information requested, but shall
not require the consumer to create an account with the business in order to make a verifiable consumer
request provided that if the consumer has an account with the business, the business may require the
consumer to use that account to submit a verifiable consumer request.

(B) The disclosure of the required information shall cover the 12-month period preceding the
business’ receipt of the verifiable consumer request provided that, upon the adoption of a
regulation pursuant to paragraph (9) of subdivision (a) of Section 1798.185, a consumer may
request that the business disclose the required information beyond the 12-month period, and the
business shall be required to provide that information unless doing so proves impossible or would
involve a disproportionate effort. A consumer’s right to request required information beyond the 12-
month period, and a business’s obligation to provide that information, shall only apply to personal
information collected on or after January 1, 2022. Nothing in this subparagraph shall require a business to
keep personal information for any length of time.

(3) (A) A business that receives a verifiable consumer request pursuant to Section 1798.110 or 1798.115
shall disclose any personal information it has collected about a consumer, directly or indirectly, including
through or by a service provider or contractor, to the consumer. A service provider or contractor shall not
be required to comply with a verifiable consumer request received directly from a consumer or a
consumer’s authorized agent, pursuant to Section 1798.110 or 1798.115, to the extent that the service
provider or contractor has collected personal information about the consumer in its role as a service
provider or contractor. A service provider or contractor shall provide assistance to a business with which
it has a contractual relationship with respect to the business’ response to a verifiable consumer request,
including, but not limited to, by providing to the business the consumer’s personal information in the
service provider or contractor’s possession, which the service provider or contractor obtained as a result
of providing services to the business, and by correcting inaccurate information or by enabling the
business to do the same. A service provider or contractor that collects personal information pursuant to a
written contract with a business shall be required to assist the business through appropriate technical and
organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of
Section 1798.100, taking into account the nature of the processing.

(B) For purposes of subdivision (b) of Section 1798.110:

(i) To identify the consumer, associate the information provided by the consumer in the verifiable
consumer request to any personal information previously collected by the business about the consumer.

(ii) Identify by category or categories the personal information collected about the consumer for the
applicable period of time by reference to the enumerated category or categories in subdivision (c) that
most closely describes the personal information collected; the categories of sources from which the
consumer’s personal information was collected; the business or commercial purpose for collecting,
selling, or sharing the consumer’s personal information; and the categories of third parties to whom the
business discloses the consumer’s personal information.
(iii) Provide the specific pieces of personal information obtained from the consumer in a format that is
easily understandable to the average consumer, and to the extent technically feasible, in a structured,
commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s
request without hindrance. “Specific pieces of information” do not include data generated to help ensure
security and integrity or as prescribed by regulation. Personal information is not considered to have been
disclosed by a business when a consumer instructs a business to transfer the consumer’s personal
information from one business to another in the context of switching services.

(4) For purposes of subdivision (b) of Section 1798.115:

(A) Identify the consumer and associate the information provided by the consumer in the verifiable
consumer request to any personal information previously collected by the business about the consumer.

(B) Identify by category or categories the personal information of the consumer that the business sold or
shared during the applicable period of time by reference to the enumerated category in subdivision (c)
that most closely describes the personal information, and provide the categories of third parties to whom
the consumer’s personal information was sold or shared during the applicable period of time by reference
to the enumerated category or categories in subdivision (c) that most closely describes the personal
information sold or shared. The business shall disclose the information in a list that is separate from a list
generated for the purposes of subparagraph (C).

(C) Identify by category or categories the personal information of the consumer that the business
disclosed for a business purpose during the applicable period of time by reference to the enumerated
category or categories in subdivision (c) that most closely describes the personal information, and provide
the categories of persons to whom the consumer’s personal information was disclosed for a business
purpose during the applicable period of time by reference to the enumerated category or categories in
subdivision (c) that most closely describes the personal information disclosed. The business shall disclose
the information in a list that is separate from a list generated for the purposes of subparagraph (B).

(5) Disclose the following information in its online privacy policy or policies if the business has an online
privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the
business does not maintain those policies, on its internet website, and update that information at least
once every 12 months:

(A) A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, 1798.106, 1798.110,
1798.115, and 1798.125 and two or more designated methods for submitting requests, except as provided
in subparagraph (A) of paragraph (1) of subdivision (a).

(B) For purposes of subdivision (c) of Section 1798.110:

(i) A list of the categories of personal information it has collected about consumers in the preceding 12
months by reference to the enumerated category or categories in subdivision (c) that most closely describe
the personal information collected.

(ii) The categories of sources from which consumers’ personal information is collected.

(iii) The business or commercial purpose for collecting, selling, or sharing consumers’ personal
information.

(iv) The categories of third parties to whom the business discloses consumers’ personal information.
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:

(i) A list of the categories of personal information it has sold or shared about consumers in the preceding
12 months by reference to the enumerated category or categories in subdivision (c) that most closely
describe the personal information sold or shared, or if the business has not sold or shared consumers’
personal information in the preceding 12 months, the business shall prominently disclose that fact in its
privacy policy.

(ii) A list of the categories of personal information it has disclosed about consumers for a business
purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most
closely describes the personal information disclosed, or if the business has not disclosed consumers’
personal information for a business purpose in the preceding 12 months, the business shall disclose that
fact.

(6) Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy
practices or the business’ compliance with this title are informed of all requirements in Sections
1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and this section, and how to direct
consumers to exercise their rights under those sections.

(7) Use any personal information collected from the consumer in connection with the business’
verification of the consumer’s request solely for the purposes of verification and shall not further disclose
the personal information, retain it longer than necessary for purposes of verification, or use it for
unrelated purposes.

(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to
the same consumer more than twice in a 12-month period.

(c) The categories of personal information required to be disclosed pursuant to Sections 1798.100,
1798.110, and 1798.115 shall follow the definitions of personal information and sensitive personal
information in Section 1798.140 by describing the categories of personal information using the specific
terms set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision (v) of Section
1798.140 and by describing the categories of sensitive personal information using the specific terms set
forth in paragraphs (1) to (9), inclusive, of subdivision (ae) of Section 1798.140.

A business shall, in a form that is reasonably accessible to consumers:


 Make available to consumers two or more designated methods for submitting requests for
information required to be disclosed
 Disclose and deliver the required information to a consumer free of charge within 45 days
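The GDPR Article 12 rules above and the CPRA 1798.130 45-day rule both reduce to deadline arithmetic that a privacy-rights automation pipeline must get right, including the point that an extension notice sent after the original period does not extend anything. The following added example (not from the original deck) encodes both regimes; treating the GDPR's "one month" as the same calendar day of the next month, clamped to month end, is an assumption of this example.

```python
"""Data subject request (DSR) deadline tracker.

Added example, not part of the original deck. It encodes the response-time
rules quoted above (GDPR Article 12(3)/(4) and CPRA 1798.130(a)(2)(A)) so an
automation pipeline can compute the due date, detect an invalid extension
and flag overdue or late requests. Assumption: GDPR's "one month" is taken as
the same calendar day in the following month, clamped to the month's last day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to month end
    (e.g. 31 Jan + 1 month -> 29 Feb in a leap year)."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class Regime:
    """Response-time rule set. Both regimes allow exactly one extension and
    require the extension notice to be given inside the original period."""
    name: str
    base_deadline: Callable[[date], date]       # computed from date of receipt
    extended_deadline: Callable[[date], date]   # computed from date of receipt


# GDPR Art. 12(3): one month, extendable by two further months (three in
# total); the data subject must be told of the extension within the first month.
GDPR_ART_12 = Regime(
    name="GDPR Article 12(3)",
    base_deadline=lambda received: add_months(received, 1),
    extended_deadline=lambda received: add_months(received, 3),
)

# CPRA 1798.130(a)(2)(A): 45 days, extendable once by a further 45 days, with
# notice inside the first 45-day period. Identity verification does not pause it.
CPRA_1798_130 = Regime(
    name="CPRA 1798.130(a)(2)(A)",
    base_deadline=lambda received: received + timedelta(days=45),
    extended_deadline=lambda received: received + timedelta(days=90),
)

REGIMES = {"gdpr": GDPR_ART_12, "cpra": CPRA_1798_130}


@dataclass
class Request:
    regime: Regime
    received: date
    extension_notified_on: Optional[date] = None
    responded_on: Optional[date] = None


def effective_deadline(req: Request) -> tuple[date, list[str]]:
    """Due date after applying any (valid) extension, plus reviewer findings."""
    base = req.regime.base_deadline(req.received)
    findings: list[str] = []
    if req.extension_notified_on is None:
        return base, findings
    if req.extension_notified_on > base:
        findings.append("extension notice sent after the original period; "
                        "extension not valid, original deadline applies")
        return base, findings
    return req.regime.extended_deadline(req.received), findings


def status(req: Request, today: date) -> dict:
    """Classify a request as open / overdue / closed_on_time / closed_late."""
    due, findings = effective_deadline(req)
    if req.responded_on is None:
        state = "overdue" if today > due else "open"
    else:
        state = "closed_on_time" if req.responded_on <= due else "closed_late"
    return {"regime": req.regime.name, "due": due.isoformat(),
            "state": state, "findings": findings}


def assess(regime: str, received: str, today: str,
           extension_notified_on: Optional[str] = None,
           responded_on: Optional[str] = None) -> dict:
    """String-in, string-out wrapper (ISO 8601 dates) for pipelines and tests."""
    def to_date(s: Optional[str]) -> Optional[date]:
        return date.fromisoformat(s) if s else None
    req = Request(REGIMES[regime], to_date(received),
                  to_date(extension_notified_on), to_date(responded_on))
    return status(req, to_date(today))


if __name__ == "__main__":
    # Constructed sample: an access request received on 31 Jan 2024. Under the
    # GDPR the extension notice on 20 Feb is in time (due 30 Apr); under the
    # CPRA a notice on 20 Mar misses the first 45-day period, so the original
    # 16 Mar deadline stands and the request is already overdue on 25 Mar.
    print(assess("gdpr", "2024-01-31", "2024-03-01", "2024-02-20"))
    print(assess("cpra", "2024-01-31", "2024-03-25", "2024-03-20"))
```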

CPRA 1798.135:
(a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably
accessible to consumers:

(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My
Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the
consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a
consumer to create an account in order to direct the business not to sell the consumer’s personal
information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link
to the “Do Not Sell My Personal Information” Internet Web page in:
 (A) Its online privacy policy or policies if the business has an online privacy policy or policies.
 (B) Any California-specific description of consumers’ privacy rights.

(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy
practices or the business’s compliance with this title are informed of all requirements in Section 1798.120
and this section and how to direct consumers to exercise their rights under those sections.

(4) For consumers who exercise their right to opt-out of the sale of their personal information,
refrain from selling personal information collected by the business about the consumer.

(5) For a consumer who has opted-out of the sale of the consumer’s personal information, respect
the consumer’s decision to opt-out for at least 12 months before requesting that the consumer
authorize the sale of the consumer’s personal information.

(6) Use any personal information collected from the consumer in connection with the submission of
the consumer’s opt-out request solely for the purposes of complying with the opt-out request.

(b) Nothing in this title shall be construed to require a business to comply with the title by including the
required links and text on the homepage that the business makes available to the public generally, if the
business maintains a separate and additional homepage that is dedicated to California consumers and that
includes the required links and text, and the business takes reasonable steps to ensure that California
consumers are directed to the homepage for California consumers and not the homepage made available
to the public generally.

(c) A consumer may authorize another person solely to opt-out of the sale of the consumer’s personal
information on the consumer’s behalf, and a business shall comply with an opt-out request received from
a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by
the Attorney General.

According to CPRA section 1798.135, which sets out compliance obligations with regard to the right to opt
out, businesses must:
 Refrain from selling personal information collected by the business about the consumer.
 Respect the consumer's decision to opt-out for at least 12 months before requesting that the
consumer authorize the sale of the consumer's personal information.
 Use any personal information collected solely for the purposes of complying with the opt-out
request.

Consent

GDPR Article 4
Article 4 (11)
 ‘consent’ of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the processing of personal data relating to him or
her;

When we talk about a clear affirmative action, we mean something like signing a document or ticking a box
in a form.
A pre-ticked box, for example, is not an affirmative action, so it would not be a valid form of consent.
CPRA 1798.125
(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the
consumer’s rights under this title, including, but not limited to, by:

(A) Denying goods or services to the consumer.

(B) Charging different prices or rates for goods or services, including through the use of discounts or
other benefits or imposing penalties.

(C) Providing a different level or quality of goods or services to the consumer.

(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different
level or quality of goods or services.

(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or
from providing a different level or quality of goods or services to the consumer, if that difference is
reasonably related to the value provided to the business by the consumer’s data.

(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for
the collection of personal information, the sale of personal information, or the deletion of personal
information. A business may also offer a different price, rate, level, or quality of goods or services to
the consumer if that price or difference is directly related to the value provided to the business by
the consumer’s data.

(2) A business that offers any financial incentives pursuant to this subdivision shall notify
consumers of the financial incentives pursuant to Section 1798.130.

(3) A business may enter a consumer into a financial incentive program only if the consumer gives the
business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms
of the financial incentive program, and which may be revoked by the consumer at any time.

(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or
usurious in nature.

If a business offers a financial incentive in exchange for handling your personal data, it must inform you
of that.
For example, some businesses will say that if you provide your email address you can receive a discount
code. You have to agree to let them email you.
The company has to tell you that this is what it is doing and must obtain your consent; otherwise it cannot
offer the incentive to you.

An important note:
Consent can be revoked by the consumer at any time.
Additionally, if you have not opted in and given consent, they are not allowed to contact you offering you
the specified discounts.

With the CPRA, businesses must:


 Obtain permission before collecting data from consumers who are younger than 16
 Obtain permission from a parent or guardian before collecting data from consumers who are
younger than 13

PIPEDA Principle 4.3


4.3.1
Consent is required for the collection of personal information and the subsequent use or disclosure
of this information. Typically, an organization will seek consent for the use or disclosure of the
information at the time of collection. In certain circumstances, consent with respect to use or disclosure
may be sought after the information has been collected but before use (for example, when an organization
wants to use information for a purpose not previously identified).

4.3.2
The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure
that the individual is advised of the purposes for which the information will be used. To make the
consent meaningful, the purposes must be stated in such a manner that the individual can
reasonably understand how the information will be used or disclosed.

4.3.5
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an
individual buying a subscription to a magazine should reasonably expect that the organization, in addition
to using the individual’s name and address for mailing and billing purposes, would also contact the person
to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s
request constitutes consent for specific purposes. On the other hand, an individual would not reasonably
expect that personal information given to a health-care professional would be given to a company selling
health-care products, unless consent were obtained. Consent shall not be obtained through deception.

4.3.6
The way in which an organization seeks consent may vary, depending on the circumstances and the type
of information collected. An organization should generally seek express consent when the
information is likely to be considered sensitive. Implied consent would generally be appropriate
when the information is less sensitive. Consent can also be given by an authorized representative (such
as a legal guardian or a person having power of attorney).

Consent is at the center of Canada's major privacy law, the Personal Information Protection and
Electronic Documents Act (PIPEDA). PIPEDA requires consent prior to the collection, use or disclosure
of personal information, unless an exception applies.
Exceptions include:
 If the collection and use are clearly in the interests of the individual and consent cannot be
obtained in a timely manner or a province or if required by law.
Looking at these exceptions, you will see something similar to the GDPR's "legitimate interest" concept.
This means that you can use someone's personal data for a purpose you didn't specify if a reasonable
person would expect you to do so.

It is important for organizations to consider the appropriate form of consent to use (express or implied)
for any collection, use or disclosure of personal information for which consent is required. While consent
should generally be express, it can be implied in strictly defined circumstances. Organizations need to
consider the sensitivity of the information and the reasonable expectations of the individual, both of
which will depend on context.

An important note:
The GDPR provides that data controllers are required to make reasonable efforts to verify that children’s
consent is given or authorized by a parent or guardian.
PIPEDA does not require organizations to make efforts to verify that parents or guardians have provided
consent on behalf of children.
