Principle 3: Choice and Consent

The third principle of the Generally Accepted Privacy Principles (GAPP), Choice and Consent, requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

This fair information practice acknowledges the right of individuals to be provided with clear, conspicuous, readily available, and affordable mechanisms to exercise choice. In this regard, an entity is obligated to inform and obtain permission from individuals before collecting or using their personal information for the purpose specified in the notice. It must also offer individuals the opportunity to voluntarily choose (opt-in or opt-out) whether their personal information will be disclosed to a third party or used for a different purpose.


Specifically, the criteria outlined in GAPP indicate that an entity should do the following:

· Design privacy policies that address the choices available to individuals and the consent to be obtained (see Criterion 3.1.0)

· Communicate to individuals the choices available to them regarding the collection, use, and disclosure of personal information (see Criterion 3.1.1)

· Communicate to individuals the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information (see Criterion 3.1.2)

· Design procedures and controls to ensure that the implicit or explicit consent obtained from the individual is confirmed and implemented (see Criterion 3.2.1)

· Design procedures and controls to obtain consent for new purposes and uses (see Criterion 3.2.2)

· Design procedures and controls to obtain explicit consent from the individual for sensitive information (see Criterion 3.2.3)

· Design procedures and controls to ensure that consent is obtained before personal information is transferred to or from an individual's computer or other similar device (see Criterion 3.2.4)


For sensitive information (for example, information regarding medical conditions), individuals must be given an affirmative or explicit (opt-in) choice if their information is to be disclosed to a third party or used for a purpose other than that for which it was originally collected or subsequently authorized by the individual. In addition, an entity should treat as sensitive any information received from a third party that the third party treats and identifies as sensitive.

Some exceptions exist, however.[1] Special cases are set out in the next section for situations in which an entity may collect, use, or disclose personal information without the knowledge or consent of an individual, such as when a specific law requires otherwise.

Examples of related risks: An entity that fails to obtain consent from individuals before collecting, using, or disclosing their personal information may be subject to legal liability or sanctions when the obligation to seek consent is required by law or self-regulation. Furthermore, if consent is not obtained, or is obtained in ways inappropriate to the sensitivity of the personal information, the entity's reputation may suffer, customer trust may be eroded, and customers may withdraw consent for future use of their personal information.


Download the Choice and Consent Principle criteria table

[1] In cases involving sensitive information for specific industries (for example, health, banking, and so on), users of the Generally Accepted Privacy Principles are encouraged to consult with counsel. Federal and state laws, which include court interpretations as well as industry-developed standards and best practices, change over time. These developments can alter expectations and thus affect major considerations, such as policies for opting in and out.


Copyright © 2009 by the American Institute of Certified Public Accountants, Inc., New York, New York.