POINT OF CONTACT FOR DATA USE IN MARKETING COMMUNICATIONS
Entities should provide Consumers with a point of contact where the Consumers may:
- Express preferences about Marketing communications from the entity.
The point of contact (such as a website, email, telephone number, or valid physical postal address*) should appear on or within each Marketing offer or upon request by the Consumer. The point of contact should be easy for the Consumer to find, read, understand, and act upon.
* A requirement for email marketing communications.
Placement. Entities should make their data practices available to Consumers in a prominent place on their website’s or application’s home page or in a place that is easily accessible from the home page or the functional equivalent.
Content. Entities that collect Personally Identifiable Data about Consumers should include the following content in their privacy policies:
- The scope of data practices covered by the notice.
- Data Collection
  - The type and categories of the data collected.
  - How such data is collected, such as with cookies or by other means.
  - Whether third parties may collect Personally Identifiable Data about a Consumer’s activities over time and across different websites or the functional equivalent when a Consumer uses the entity’s service.
- Data Use
  - The types of uses the entity makes of such data.
- Data Sharing
  - The entity’s policy concerning the rental, sale, exchange, sharing, or access to Consumer data.
  - Whether the entity shares data with, and/or allows access to, third parties for Marketing.
- Combination of Marketing Data and Digital Identifiers
  - Whether the entity collects Consumer data for combination with Digital Identifiers for Marketing purposes and/or combines data with Digital Identifiers for Marketing purposes.
- Connected Devices
  - Whether the entity collects Marketing data for Marketing purposes via a Connected Device.
- The means by which Consumers can exercise choice, if provided, not to have data shared and/or accessed.
- If Non-Affiliated third parties may collect Personally Identifiable Data about a Consumer’s activities over time and across different websites or the functional equivalent when a Consumer uses the entity’s service, link to a mechanism by which a Consumer can exercise choice not to have such data used by these types of entities if they provide such choice.
- Service Providers
  - Whether Personally Identifiable Data is collected by, used by, or shared with service providers.
- The policies, procedures, and compliance mechanisms the entity has put in place to ensure adherence to these Standards.
- That the entity maintains physical, electronic, and administrative safeguards to protect data collected.
- If an entity provides Consumers access to the data the entity maintains about them, the entity should indicate how Consumers may obtain such access.
- Consumer Correction
  - If the entity maintains a process for a Consumer to request changes to data about the Consumer, the entity should describe that process.
- Material Changes
- Effective Date
MATERIAL CHANGES TO EXISTING POLICIES
An entity should have a meaningful, timely, and effective procedure through which it can demonstrate its adherence to its stated data practices. Such a procedure should include self or third-party verification and monitoring. Such verification and monitoring can be accomplished by:
- An independent auditor;
- Public assertion of compliance;
- A third-party privacy seal program;
- A licensing program; or
- Membership in a trade, professional, or other association with a self-regulatory program.
Additionally, an entity may elect to provide complaint resolution, internal education, and external outreach. Such education and outreach can be accomplished by:
- Mechanisms to put privacy policies into effect, including tools, training, and education;
- Systems for internal education and ongoing oversight and assurance reviews;
- Transparency and mechanisms for individual participation; and/or
- Means for remediation of Consumer complaints.
Where appropriate, and upon reasonable request by a Consumer, an entity should disclose the nature and types of sources from which it obtained Personally Identifiable Data about that Consumer.