The third principle of the Generally Accepted Privacy Principles (GAPP), Choice and Consent, requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
This fair information practice acknowledges the right of individuals to be provided with clear, conspicuous, readily available, and affordable mechanisms to exercise choice. In this regard, an entity is obligated to inform and obtain permission from individuals before collecting or using their personal information for the purpose specified in the notice. It must also offer individuals the opportunity to voluntarily choose (opt-in or opt-out) whether their personal information will be disclosed to a third party or used for a different purpose.
Specifically, the criteria outlined in GAPP indicate that an entity should do the following:
· Design privacy policies that address the choices available to individuals and the consent to be obtained (see Criterion 3.1.0)
· Communicate to individuals the choices available to them regarding the collection, use, and disclosure of personal information (see Criterion 3.1.1)
· Communicate to individuals whether implicit or explicit consent is required to collect, use, and disclose personal information (see Criterion 3.2.1)
· Design procedures and controls to obtain consent for new purposes and uses (see Criterion 3.2.2)
· Design procedures and controls to obtain implicit or explicit consent from the individual (see Criterion 3.2.3)
· Communicate to individuals the consequences of denying or withdrawing consent (see Criterion 3.2.4)
For sensitive information (for example, information regarding medical conditions), individuals must be given an affirmative or explicit (opt-in) choice if their information is to be disclosed to a third party or used for a purpose other than that for which it was originally collected or subsequently authorized by the individual. In any case, an entity should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.
Some exceptions exist, however. Special cases are set out in the next section for situations where an entity may collect, use, or disclose personal information without the knowledge or consent of the individual, such as when a law specifically requires otherwise.
Examples of related risks: An entity that fails to obtain consent from individuals before collecting, using, or disclosing their personal information may be subject to legal liability or sanctions when the obligation to seek consent is required by law or self-regulation. Furthermore, if consent is not obtained, or is obtained in ways inappropriate to the sensitivity of the personal information, the entity's reputation may suffer, customer trust may be eroded, and customers may withdraw consent for future use of their personal information.