What is the Right to be Informed?
The right to be informed is a right of data subjects i.e. ordinary people like you and I, to be able to access their personal data processed by businesses. The GDPR was the first law to guarantee this right for all data subjects in the E.U., and this principle has been upheld by other data privacy laws.
For example, the CPRA calls this principle the 'Right to Know' which essentially is the exact same thing as the Right to be Informed.
Both laws make it mandatory for businesses to reveal the personal information they have on you, including whether they've shared it with third parties, or used it in any other fashion. Data subjects can also ask for more details such as what specifically was shared, to whom, and where the business collected the data on you in the first place.
Can You Opt Out From Data Collection?
Yes, the GDPR & CCPA both allow users to request that businesses either delete their data or not share it with third-parties. For the GDPR, this is known as the 'Right to be Forgotten'. And for the CCPA it is referred to as the 'Right to Delete'. Additionally, under these laws, individuals can also demand that their personal information not be sold to other entities.
The 'Right to Know' and the option to opt out of data tracking is a mandatory requirement for businesses under both European and Californian law. If found wanting, they can be fined, such as how Sephora was docked $1.2 million by California Attorney General Rob Banta for failing to provide users with the option to opt out.
How can Businesses Comply With The Right to be Informed?
Typically, there are two ways to ensure compliance. The first is to display a privacy policy on your website that categorically states how you collect personal information, what you do with it, whether it is shared with third-parties, and ways of opting out. This is a fundamental step and we advise strongly not to overlook it.
The second step is to set up a Data Subject Access Request form on your site. DSARs allow businesses to set up processes that make it easy for consumers to request access to their data, or ask that it be deleted. Typically, a DSAR will integrate into your backend to identify the user and help you access their information.
