Provide mechanism to modify or withdraw consent

The organization should provide a mechanism for PII principals to modify or withdraw their consent. ... - Licensed content not shown -

GDPR (EU)

7.3: Article(7)(3): The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

13.2.c: Article(13)(2)(c): In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

14.2.d: Article(14)(2)(d): In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

18.1.a: Article(18)(1)(a): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

18.1.b: Article(18)(1)(b): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

18.1.c: Article(18)(1)(c): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims

18.1.d: Article(18)(1)(d): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

LGPD (BRA)

Art.8: The consent outlined in item I of Article 7 of this Law must be provided in writing or by another demonstrable mean that shows data subject’s expression of intention. § 1 If the consent is provided in writing, it must be contemplated in a clause separated from the other contractual clauses. § 2 The burden of proof demonstrating that the consent was obtained according to the provisions of this Law lies on the controller. § 3 The processing of personal data based on an irregular consent is prohibited. § 4 The consent must refer to determined purposes, and generic authorizations for personal data processing will be void. § 5 Consent may be revoked at any time through an express manifestation of the data subject, through an easy and free-of-charge process; it is ratified the processing performed under the consent previously given while there is no request for elimination, under the terms of item VI of this head provision of Article 8 of this Law. § 6 In case of changes to the information referred to in items I, II, III, or V of Article 9 of this Law, the controller must inform, in a specific and highlighted manner, the content of the referred amendment to the data subjects, whom, in cases in which their consent is requested, may revoke it if they disagree with the change.

Art.15: The termination of processing of personal data will occur in the following scenarios: I – Verification that the purpose was achieved or that the data has ceased to be necessary or pertinent for achieving the specific purpose sought; II – End of the processing period; III – Communication from the data subject, including in the exercise of the right to revoke consent, according to the provisions of § 5 of Article 8 of this Law, except in public interest cases; or IV – Determination of the National Data Protection Authority, when there is a violation of the provisions of this Law.

Art.18: The data subject has the right to obtain from the controller, relating to the data subject’s data that is processed by the controller, at any time, and upon request: I – Confirmation of the existence of the processing; II – Access to the data; III – Rectification of incomplete, inaccurate, or outdated data; IV – Anonymization, blocking, or elimination of data that is unnecessary, excessive, or processed noncompliant with the provisions of this Law; V – Portability of the data to other providers of services or goods, through express request, in accordance with the regulations of the national authority, observing trade and industrial secrets; (New wording included by Law No. 13,853 of 2019) VI – Elimination of data processed with the data subject’s consent, except in the scenarios outlined in Article 16 of this Law; VII – Information regarding public and private legal entities with which the controller has performed shared use of data; VIII – Information on the possibility of not providing consent and on the effects of consent denial; IX – Withdrawal of consent under the terms of § 5 of Article 8 of this Law. § 1 The data subjects has the right to petition to the National Data Protection Authority against the controller in connection their data. § 2 The data subject may object to the processing performed on the basis of one of the consent waiver scenarios, in case of violation of the provisions of this Law. § 3 The rights outlined in this Article will be exercised through express request by the data subject or their legally-empowered representative, to the processing agent. § 4 If the immediate adoption of the measures referred to in § 3 of this Article is impossible, the controller will send to the data subject a response in which it may: I – Inform that it is not the processing agent and specify, whenever possible, the processing agent; or II – Specify the factual and legal reasons that prevent the adoption of immediate measures. § 5 Requests referred to in § 3 of this Article will be fulfilled without costs for the data subject, within the terms established in regulations. § 6 The responsible must immediately inform processing agents with which it shared use of data regarding the rectification, elimination, anonymization, and blocking of such data, so that processing agents may repeat the same proceeding. (New wording included by Law No. 13,853 of 2019) § 7 The portability of personal data mentioned in item V of the head provision of this Article does not include data that have already been anonymized by the controller. § 8 The right mentioned in § 1 of this Article may also be exercised before consumer protection agencies.

CCPA (US, CA)

S.1798.130: (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, in a form that is reasonably accessible to consumers, a business shall: (1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address. (2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable request. (3) For purposes of subdivision (b) of Section 1798.110: (A) To identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer. (B) Identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected. (4) For purposes of subdivision (b) of Section 1798.115: (A) Identify the consumer and associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer. (B) Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C). (C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B). (5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its Internet Web site, and update that information at least once every 12 months: (A) A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests. (B) For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected. (C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists: (i) A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact. (ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact. (6) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections. (7) Use any personal information collected from the consumer in connection with the business’s verification of the consumer’s request solely for the purposes of verification. (b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period. (c) The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140.

APP (Australian Privacy Principles)

APP.3.3: Must not collect sensitive information unless consent is given and unless it is reasonably necessary for, or directly related to, the entity's functions or activities...

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.3.8: Individuals may withdraw consent at any time (4.3.8)

Personal Data (Privacy) Ordinance - Hong Kong

S.35G: Must cease using personal data for direct marketing when the data subject requests (S.35G)

Personal Data Protection Act - Singapore

S.16: On reasonable notice an individual may withdraw any consent given or deemed to be given (S.16)

Personal Information Protection Act - South Korea

A.4: Data subjects have specified rights in relation to the process of his/her personal data (A.4)

Turkish Data Protection Law numbered 6698

A.13: The data subject may lodge his/her demands under and object regarding implementation of the law with the controller who must act on them in the shortest time possible