Consents & opt-outs

Consent must be obtained before processing the consumer’s personal information. Prior to processing the data of a known child, businesses must adhere to the parental consent requirements outlined in the Children’s Online Privacy and Protection Act (COPPA).

Consumers must be able to opt out of targeted advertising, the sale of personal information, profiling, and data collection through the operation of a voice recognition or facial recognition feature.

Policies & notices

Provide consumers with a clear, accessible, and annually updated privacy notice that outlines the categories of personal and sensitive personal information processed and shared with third parties, the purposes of data processing, the categories of third parties with whom data is shared, and instructions on how consumers can submit data subject requests. If a business engages in the sale of any of the following data, the equivalent notice must be provided to consumers in the same manner as the privacy notice and include the following links on the website homepage:

• Sensitive personal information
  “NOTICE: This website may sell your sensitive personal data.”

• Biometric data
  “NOTICE: This website may sell your biometric personal data.”

Data subject rights & requests

Consumers have the right to access, correct, delete, opt out of processing, and exercise data portability rights concerning their personal information. Businesses must be able to fulfill and address these requests without undue delay and within 45 days of receiving the request. Businesses are required to furnish consumers with notice within 60 days after receiving the request, confirming compliance with the consumer’s request.

Vendor management

Businesses must conduct vendor assessments and establish vendor contracts to ensure compliance concerning the data processing conducted on their behalf.