
Include instructions on how to opt out in the privacy policy.

CONTROL ID
00411
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define what is included in the privacy policy., CC ID: 00404

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The information commissioner may approve a privacy code only if the code establishes a procedure for an organization to cease to be bound by the code and when it takes effect. (§ 18BB(2)(d), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Procedures for opting out of the data collection practice should be included in the privacy policy. (Pg 27, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); (Section 7.A(7), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • Form of opt out notice. If a licensee is required to provide an opt out notice under Section 12A, it shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice shall state: (Section 8.A(1), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • That the consumer has the right to opt out of that disclosure; and (Section 8.A(1)(b), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • Same form as initial notice permitted. A licensee may provide the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with Section 5. (Section 8.B, Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • An explanation of the consumer's right under Section 12A to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time; (Section 7.A(6), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • A reasonable means by which the consumer may exercise the opt out right. (Section 8.A(1)(c), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • If two (2) or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer (as explained in Paragraph (5) of this subse… (Section 8.D(1), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • That the parent may refuse to permit further contact with the child and require the deletion of the parent's and child's online contact information, and how the parent can do so; (§ 312.4(c)(3)(iv), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • That the parent may refuse to permit the child's participation in the Web site or online service and may require the deletion of the parent's online contact information, and how the parent can do so; and (§ 312.4(c)(2)(iii), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • That the parent can review or have deleted the child's personal information, and refuse to permit further collection or use of the child's information, and state the procedures for doing so. (§ 312.4(d)(3), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • That the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so; (§ 312.4(c)(4)(iii), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • The information practices notice must state that a parent can review and have the personal information deleted and refuse to allow any further collection or use of the information, along with the procedures for how to put these directions into effect. (§ 312.4(b)(2)(vi), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • The organization cannot disclose nonpublic personal information to a nonaffiliated third party, unless it has notified the customer that the nonpublic personal information may be disclosed; given the customer a chance to opt out of the disclosure; and given the customer directions on how to opt out. (§ 6802(b)(1), Gramm-Leach-Bliley Act (GLB), Deprecated)
  • An organization must offer individuals the opportunity to choose (i.e., opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authoriz… (II.2.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by … (§ II.2.a., EU-U.S. Privacy Shield Framework Principles)
  • An organization must offer individuals the opportunity to choose (i.e., opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authoriz… (ii.2.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization must offer individuals the opportunity to choose (i.e., opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authoriz… (II.2.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization must provide individuals with clear and conspicuous, readily available, and affordable ways to opt out. (CHOICE ¶ 1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Reasonable efforts must be made to ensure individuals who have opted out of receiving fundraising communications are not sent fundraising communications. (§ 164.514(f)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The organization must include clear instructions on how customers may opt out of having their information disclosed. The organization may provide a toll-free number to call, a form with an address to send the opt-out notice to, or an electronic means via its website or e-mail. The customer opt-out c… (§ 313.7, 16 CFR Part 313, Privacy of Consumer Financial Information)
  • Its online privacy policy or policies if the business has an online privacy policy or policies. (§ 1798.135 (c)(2)(A), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Amended November 3, 2020)
  • Its online privacy policy or policies if the business has an online privacy policy or policies. (§ 1798.135 (a)(2)(A), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Assembly Bill No. 375)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. (§ 6 (d), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of such consumer's personal data pursuant to sections 1 to 11, inclusive, of this act; (§ 6 (e)(1)(A)(ii)(II), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • An operator may satisfy the requirement of paragraph (b)(5) of this section by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the user that… (§ 1205C(b)(7), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12C, Online and Personal Privacy Protection)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. (§ 12D-106.(d), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process. (§ 501.711(4), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • may not make use of a default setting, but require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of a customer's personal data pursuant to [sections 1 through 12]; (§ Section 6. (3)(b)(ii), Montana Consumer Data Privacy Act 2023)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing (§ Section 7. (4), Montana Consumer Data Privacy Act 2023)
  • sale of the consumer's personal data; or (13-61-302 (1)(b)(i), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. (§ 59.1-578.D., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)