• Obtain a list of the specific third parties to whom the controller disclosed the consumer’s personal data or, if not available, a list of the specific third parties to whom the controller has disclosed any consumers’ personal data. How is MCPA Different? Profiling The law includes new consumer rights and business obligations around profiling practices. Consumers can request information regarding a profiling decision carried out against them, including the reasoning behind a particular profiling decision and access to the data used to reach the decision. A profiled consumer “has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.” A consumer also has the “right to review the consumer’s personal data used in the profiling” and, if “the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.” Data Inventory The controller may need to maintain a data inventory and document its policies and procedures used for data security and to comply with the law. Minnesota is the first state to require businesses to maintain such data inventories. The law states that a “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices
83
Made with FlippingBook - Online Brochure Maker