Back

North America > Minnesota State Legislature

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act



AD ID

0003951

AD STATUS

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

ORIGINATOR

Minnesota State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Minnesota Consumer Data Privacy Act

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.

AD ID

0003951

AD STATUS

Free

ORIGINATOR

Minnesota State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Minnesota Consumer Data Privacy Act

Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Minnesota Statutes Chapter 325O, Minnesota Consumer Data Privacy Act are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
143 Mandated Controls - bold    
65 Implied Controls - italic     1116 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1324 Total
  • Acquisition or sale of facilities, technology, and services
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition/Sale of Assets or Services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580
    [{not require} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or Section 8 Subdivision 3(b) (1)]
    Acquisition/Sale of Assets or Services Preventive
  • Audits and risk management
    15
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: Section 10(a) (2)]
    Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 Actionable Reports or Measurements Preventive
    Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of sensitive data; Section 10(b) (3)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: any processing activities involving personal data that present a heightened risk of harm to consumers; and Section 10(b) (4)
    {data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a). Section 10(e)
    {be similar} A single data protection assessment may address multiple sets of comparable processing operations that include similar activities. Section 10(h)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: Section 10(b)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of targeted advertising; Section 10(b) (1)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the sale of personal data; Section 10(b) (2)]
    Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673
    [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} {data protection assessment} As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. Section 10(f)]
    Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635
    [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Establish/Maintain Documentation Preventive
  • Human Resources management
    31
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607
    [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a)
    {technical measures} taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and Section 5(b) (1)
    {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]
    Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a)
    {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Establish Roles Preventive
    Establish, implement, and maintain a legal support program. CC ID 13710
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: investigate, establish, exercise, prepare for, or defend legal claims; Section 11(a) (4)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Establish/Maintain Documentation Preventive
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Audits and Risk Management Detective
    Establish, implement, and maintain an ethics program. CC ID 11496
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources Management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Communicate Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Behavior Preventive
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Investigate Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Behavior Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Monitor and Evaluate Occurrences Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Monitor and Evaluate Occurrences Preventive
    Refrain from practicing false advertising. CC ID 14253 Business Processes Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Communicate Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Establish/Maintain Documentation Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Behavior Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Behavior Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Business Processes Corrective
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Behavior Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources Management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources Management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources Management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Establish Roles Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Behavior Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Behavior Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Behavior Preventive
  • Leadership and high level objectives
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Include contact information in the organization's policies, standards, and procedures. CC ID 17167
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: the name and contact information for the controller's chief privacy individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and Section 10(a) (1)]
    Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the date the privacy notice was last updated. Section 8 Subdivision 1(a) (8)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: Section 10(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]
    Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f). Section 11(g)]
    Establish/Maintain Documentation Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Communicate Preventive
  • Monitoring and measurement
    53
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Audits and Risk Management Preventive
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Establish/Maintain Documentation Preventive
    Implement a fraud detection system. CC ID 13081
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]
    Monitor and Evaluate Occurrences Detective
    Correct compliance violations. CC ID 13515
    [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]
    Process or Activity Corrective
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
  • Operational management
    77
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Business Processes Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Communicate Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Establish/Maintain Documentation Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Establish/Maintain Documentation Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Establish/Maintain Documentation Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Business Processes Detective
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Establish/Maintain Documentation Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Process or Activity Detective
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Process or Activity Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Process or Activity Detective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Establish/Maintain Documentation Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Establish/Maintain Documentation Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Establish/Maintain Documentation Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Data and Information Management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include the incident reference code in incident response notifications. CC ID 17292 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Establish/Maintain Documentation Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Test incident monitoring procedures. CC ID 13194 Testing Detective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Establish/Maintain Documentation Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Process or Activity Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Investigate Detective
    Identify the affected parties during incident investigations. CC ID 16781 Investigate Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Investigate Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Investigate Detective
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Establish/Maintain Documentation Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Data and Information Management Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]
    Communicate Corrective
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Establish/Maintain Documentation Detective
  • Privacy protection for information and data
    1049
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [{administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]
    Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy notice. CC ID 16543
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the purposes for which the categories of personal data are processed; Section 8 Subdivision 1(a) (2)
    If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)]
    Establish/Maintain Documentation Preventive
    Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 Establish/Maintain Documentation Preventive
    Include contact information in the privacy notice. CC ID 14432
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller; Section 8 Subdivision 1(a) (6)]
    Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]
    Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Establish/Maintain Documentation Preventive
    Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 Establish/Maintain Documentation Preventive
    Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of third parties, if any, with whom the controller sells or shares personal data; Section 8 Subdivision 1(a) (5)]
    Establish/Maintain Documentation Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: a description of the controller's retention policies for personal data; and Section 8 Subdivision 1(a) (7)]
    Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; Section 8 Subdivision 1(a) (1)]
    Establish/Maintain Documentation Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data that the controller sells to or shares with third parties, if any; Section 8 Subdivision 1(a) (4)]
    Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Specify the time frame that notice will be given. CC ID 00385 Establish/Maintain Documentation Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]
    Establish/Maintain Documentation Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Establish/Maintain Documentation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445
    [{be specific} {state} A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section. Section 8 Subdivision 1(f)]
    Communicate Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: Section 8 Subdivision 1(a)
    {be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)
    The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities. Section 8 Subdivision 1(d)]
    Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Update privacy notices, as necessary. CC ID 13474 Communicate Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Communicate Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Communicate Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Communicate Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Establish/Maintain Documentation Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Establish/Maintain Documentation Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Establish/Maintain Documentation Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Establish/Maintain Documentation Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Establish/Maintain Documentation Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Establish/Maintain Documentation Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Establish/Maintain Documentation Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Establish/Maintain Documentation Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Establish/Maintain Documentation Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Communicate Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Communicate Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Communicate Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Communicate Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Communicate Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Data and Information Management Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Communicate Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Communicate Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Establish/Maintain Documentation Preventive
    Deliver notices to the intended parties. CC ID 06240 Data and Information Management Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Communicate Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Communicate Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680
    [{data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or disparate impact on, consumers; Section 10(b) (5)(i)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: financial, physical, or reputational injury to consumers; Section 10(b) (5)(ii)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or Section 10(b) (5)(iii)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: other substantial injury to consumers. Section 10(b) (5)(iv)]
    Process or Activity Detective
    Establish, implement, and maintain adequate openness procedures. CC ID 00377
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: reflect the requirements of this chapter in the design of the controller's systems; Section 10(a) (2)(i)]
    Data and Information Management Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Communicate Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Establish/Maintain Documentation Preventive
    Establish and maintain a records request manual. CC ID 00381 Establish/Maintain Documentation Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Establish/Maintain Documentation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Behavior Preventive
    Define what is included in registration notices. CC ID 00386 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Establish Roles Preventive
    Include the verification method in the registration notice. CC ID 16798 Establish/Maintain Documentation Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Establish/Maintain Documentation Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Establish/Maintain Documentation Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Establish/Maintain Documentation Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Establish/Maintain Documentation Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Establish/Maintain Documentation Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Establish/Maintain Documentation Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Establish/Maintain Documentation Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Data and Information Management Preventive
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Process or Activity Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)
    {be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Establish/Maintain Documentation Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Process or Activity Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Data and Information Management Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Data and Information Management Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Technical Security Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Records Management Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Records Management Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Records Management Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Records Management Corrective
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Behavior Preventive
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Behavior Preventive
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Establish/Maintain Documentation Preventive
    Disclose educational data, as necessary. CC ID 00223 Data and Information Management Preventive
    Grant access to education records in support of educational program audits. CC ID 13032 Records Management Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Records Management Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Communicate Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Data and Information Management Preventive
    Disclose education records when written consent is received. CC ID 00224 Data and Information Management Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Establish/Maintain Documentation Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Establish/Maintain Documentation Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Establish/Maintain Documentation Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Establish/Maintain Documentation Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Communicate Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Communicate Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Communicate Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Data and Information Management Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Data and Information Management Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Communicate Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Data and Information Management Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Data and Information Management Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Data and Information Management Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Data and Information Management Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Data and Information Management Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Data and Information Management Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Communicate Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]
    Communicate Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)
    A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]
    Establish/Maintain Documentation Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Process or Activity Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Process or Activity Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Process or Activity Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Process or Activity Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Process or Activity Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]
    Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780
    [A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section. Section 6 Subdivision 4(c)]
    Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]
    Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Establish/Maintain Documentation Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Establish/Maintain Documentation Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860
    [A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead. Section 6 Subdivision 1(h)]
    Data and Information Management Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Communicate Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Establish/Maintain Documentation Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Process or Activity Preventive
    Make telephone directory information available to the public. CC ID 08698 Establish/Maintain Documentation Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Technical Security Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Establish/Maintain Documentation Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Process or Activity Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Establish/Maintain Documentation Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Establish/Maintain Documentation Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Establish/Maintain Documentation Detective
    Write privacy notices in the official languages required by law. CC ID 16529
    [The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service. Section 8 Subdivision 1(c)]
    Establish/Maintain Documentation Preventive
    Define what is included in the privacy policy. CC ID 00404 Establish/Maintain Documentation Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Establish/Maintain Documentation Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Establish/Maintain Documentation Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Establish/Maintain Documentation Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Establish/Maintain Documentation Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Establish/Maintain Documentation Preventive
    Include management commitment in the privacy policy. CC ID 14668 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Establish/Maintain Documentation Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Establish/Maintain Documentation Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Establish/Maintain Documentation Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Establish/Maintain Documentation Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Establish/Maintain Documentation Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Establish/Maintain Documentation Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Establish/Maintain Documentation Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Establish/Maintain Documentation Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Establish/Maintain Documentation Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Establish/Maintain Documentation Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Establish/Maintain Documentation Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Establish/Maintain Documentation Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Establish/Maintain Documentation Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Establish/Maintain Documentation Preventive
    Include opt-out instructions in the privacy policy. CC ID 00411 Establish/Maintain Documentation Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363
    [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]
    Establish/Maintain Documentation Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Establish/Maintain Documentation Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Establish/Maintain Documentation Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Establish/Maintain Documentation Preventive
    Post the privacy policy in an easily seen location. CC ID 00401
    [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]
    Establish/Maintain Documentation Preventive
    Define who will receive the privacy policy. CC ID 00402 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Communicate Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Communicate Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Process or Activity Preventive
    Approve the privacy plan. CC ID 14700 Business Processes Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Establish/Maintain Documentation Preventive
    Include the information types in the privacy plan. CC ID 14695 Establish/Maintain Documentation Preventive
    Include threats in the privacy plan. CC ID 14694 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Establish/Maintain Documentation Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Establish/Maintain Documentation Preventive
    Include security controls in the privacy plan. CC ID 14681 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Communicate Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Establish/Maintain Documentation Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943
    [Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)
    Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]
    Behavior Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Communicate Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334
    [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]
    Business Processes Preventive
    Disseminate private communications when required by law. CC ID 14335 Communicate Corrective
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Provide a copy of the data subject's consent to the data subject. CC ID 17234 Communicate Preventive
    Date the data subject's consent. CC ID 17233 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546
    [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)
    A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]
    Establish/Maintain Documentation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: Section 8 Subdivision 3(b)]
    Human Resources Management Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Business Processes Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Establish/Maintain Documentation Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Establish/Maintain Documentation Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Establish/Maintain Documentation Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Establish/Maintain Documentation Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Establish/Maintain Documentation Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Establish/Maintain Documentation Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Establish/Maintain Documentation Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Establish/Maintain Documentation Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Establish/Maintain Documentation Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{not prohibit} {be different} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Section 8 Subdivision 3(b) (2)]
    Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. Section 6 Subdivision 1(f)
    A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: Section 6 Subdivision 3(a)
    If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)
    {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]
    Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526
    [{refrain from disadvantaging} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not unfairly disadvantage another controller; Section 6 Subdivision 3(a) (1)
    {refrain from using} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data; Section 6 Subdivision 3(a) (2)
    {be easy to use} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be consumer-friendly and easy to use by the average consumer; Section 6 Subdivision 3(a) (3)
    {be consistent} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and Section 6 Subdivision 3(a) (4)
    A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence. Section 6 Subdivision 3(a) (5)
    {opt-out mechanism} The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4. Section 6 Subdivision 3(c)
    Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]
    Data and Information Management Preventive
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Technical Security Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    {loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)
    {opt out} A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter. Section 6 Subdivision 4(k) (2)
    {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]
    Business Processes Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Process or Activity Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Establish/Maintain Documentation Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Business Processes Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Communicate Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Records Management Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Data and Information Management Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Data and Information Management Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469
    [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]
    Data and Information Management Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551
    [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]
    Data and Information Management Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Human Resources Management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Human Resources Management Preventive
    Notify the supervisory authority. CC ID 00472 Behavior Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Establish/Maintain Documentation Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Business Processes Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Communicate Preventive
    Include required information in the approval application. CC ID 16628 Establish/Maintain Documentation Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Business Processes Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Process or Activity Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Respond to questions about submissions in a timely manner. CC ID 16930 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Cooperate with Data Protection Authorities. CC ID 06870
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]
    Data and Information Management Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Establish/Maintain Documentation Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Human Resources Management Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Establish/Maintain Documentation Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Establish/Maintain Documentation Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Establish/Maintain Documentation Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Establish/Maintain Documentation Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Establish/Maintain Documentation Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Establish/Maintain Documentation Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Establish/Maintain Documentation Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Establish/Maintain Documentation Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Establish/Maintain Documentation Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Establish/Maintain Documentation Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Establish/Maintain Documentation Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Establish/Maintain Documentation Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Establish/Maintain Documentation Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Establish/Maintain Documentation Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Establish/Maintain Documentation Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Establish/Maintain Documentation Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Establish/Maintain Documentation Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Establish/Maintain Documentation Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Establish/Maintain Documentation Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Establish/Maintain Documentation Preventive
    Notify the data controller of any changes in data processors. CC ID 12648 Communicate Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Establish/Maintain Documentation Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and Section 5(c) (1)]
    Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Establish/Maintain Documentation Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Establish/Maintain Documentation Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Establish/Maintain Documentation Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and Section 5(e) (2)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]
    Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)
    Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable. Section 8 Subdivision 4 ¶ 1
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: assist another controller, processor, or third party with any of the obligations under this paragraph; Section 11(a) (8)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Section 5(c) (2)]
    Human Resources Management Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; Section 5(e) (1)
    {no longer necessary} A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09. Section 8 Subdivision 2(g)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115
    [{not be necessary} Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. Section 8 Subdivision 2(b)]
    Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; Section 11(a) (6)]
    Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Establish/Maintain Documentation Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545
    [A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise. Section 6 Subdivision 2(a)]
    Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416
    [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]
    Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision. Section 6 Subdivision 1(a)
    Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1. Section 6 Subdivision 4(a)
    A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request. Section 6 Subdivision 4(d)
    A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)]
    Behavior Preventive
    Respond to data access requests in an official language. CC ID 17176 Communicate Preventive
    Delay responding to data access requests, as necessary. CC ID 15504
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Data and Information Management Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Communicate Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Behavior Preventive
    Refrain from processing restricted data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Process or Activity Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]
    Process or Activity Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Business Processes Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Process or Activity Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Section 8 Subdivision 3(a)]
    Data and Information Management Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Establish/Maintain Documentation Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Records Management Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Records Management Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Records Management Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Records Management Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Records Management Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Records Management Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Records Management Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Records Management Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Records Management Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Records Management Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Records Management Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Records Management Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Records Management Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Records Management Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Records Management Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]
    Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Investigate Detective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Business Processes Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and Section 11(a) (10)(i)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law. Section 11(a) (10)(ii)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)
    {not adversely affect} Obligations imposed on controllers and processors under this chapter shall not: adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or Section 11(e) (1)]
    Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010
    [{refrain from selling} {absent consent} {minor} A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16. Section 8 Subdivision 2(f)]
    Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for the purposes of employment. CC ID 16527 Data and Information Management Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]
    Data and Information Management Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 Data and Information Management Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Process or Activity Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Data and Information Management Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Data and Information Management Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Data and Information Management Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Data and Information Management Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Data and Information Management Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Data and Information Management Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Data and Information Management Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Data and Information Management Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Data and Information Management Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Data and Information Management Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Data and Information Management Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Data and Information Management Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Data and Information Management Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Data and Information Management Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Data and Information Management Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Data and Information Management Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Data and Information Management Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Data and Information Management Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Data and Information Management Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Data and Information Management Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Data and Information Management Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Data and Information Management Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Data and Information Management Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Data and Information Management Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Data and Information Management Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132
    [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]
    Behavior Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Establish/Maintain Documentation Preventive
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Communicate Corrective
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967
    [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]
    Records Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Communicate Corrective
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Data and Information Management Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Establish/Maintain Documentation Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Data and Information Management Detective
    Define opt-out exceptions for disclosing restricted data. CC ID 00159
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Establish/Maintain Documentation Preventive
    Define how a data subject may give consent. CC ID 00160 Establish/Maintain Documentation Preventive
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Data and Information Management Preventive
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Communicate Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Data and Information Management Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Data and Information Management Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Data and Information Management Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Data and Information Management Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Data and Information Management Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Data and Information Management Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Data and Information Management Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Data and Information Management Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Data and Information Management Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Data and Information Management Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Data and Information Management Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Data and Information Management Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Data and Information Management Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Data and Information Management Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Data and Information Management Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Data and Information Management Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Data and Information Management Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Data and Information Management Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Data and Information Management Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Data and Information Management Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Data and Information Management Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Data and Information Management Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Data and Information Management Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Data and Information Management Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Data and Information Management Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Data and Information Management Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Data and Information Management Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Data and Information Management Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Establish/Maintain Documentation Detective
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Data and Information Management Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Data and Information Management Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Data and Information Management Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Data and Information Management Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Data and Information Management Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Communicate Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)
    {no longer necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and Section 10(a) (2)(v)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)]
    Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A consumer has the right to delete personal data concerning the consumer. Section 6 Subdivision 1(d)]
    Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Business Processes Preventive
    Refrain from selling restricted data, as necessary. CC ID 17165
    [{absent consent} A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent. Section 9(a)]
    Data and Information Management Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Data and Information Management Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Data and Information Management Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Establish/Maintain Documentation Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Data and Information Management Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Data and Information Management Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Data and Information Management Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Data and Information Management Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Data and Information Management Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Data and Information Management Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Data and Information Management Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]
    Data and Information Management Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Data and Information Management Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Communicate Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Data and Information Management Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Communicate Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and Section 7(a) (3)(ii)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. Section 7(a) (3)(iii)
    If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)
    A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]
    Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441
    [In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret. Section 6 Subdivision 4(j)]
    Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)
    If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]
    Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428
    [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]
    Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Communicate Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide data at a cost that is not excessive. CC ID 00430
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)
    {be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]
    Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431
    [A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Section 6 Subdivision 1(e)]
    Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Include cookie management in the privacy framework. CC ID 13809 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Establish/Maintain Documentation Preventive
    Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 Data and Information Management Preventive
    Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Data and Information Management Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Data and Information Management Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507
    [{be relevant} {be necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed; Section 10(a) (2)(iv)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)
    {be necessary} {be reasonable} {be proportionate} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: necessary, reasonable, and proportionate to the purposes listed in this section; Section 11(f) (1)
    {be adequate} {be relevant} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and Section 11(f) (2)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Data and Information Management Preventive
    Post the collection purpose. CC ID 00101 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect restricted data in a fair and lawful manner. CC ID 00010 Data and Information Management Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Data and Information Management Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Data and Information Management Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Data and Information Management Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Data and Information Management Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Data and Information Management Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Data and Information Management Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]
    Data and Information Management Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]
    Data and Information Management Preventive
    Collect restricted data when required by law. CC ID 00031 Data and Information Management Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect restricted data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Validate the business need for maintaining collected restricted data. CC ID 17090 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606
    [{technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716 Process or Activity Corrective
    Include text about data ownership in the data handling policy. CC ID 15720 Data and Information Management Preventive
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: reidentify deidentified data; Section 7(a) (1)
    A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized. Section 7(d)
    A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers. Section 7(e)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]
    Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Communicate Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Establish/Maintain Documentation Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Data and Information Management Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Establish/Maintain Documentation Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Business Processes Preventive
    Notify data subjects when their personal data is transferred. CC ID 00352 Behavior Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Establish/Maintain Documentation Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Communicate Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Data and Information Management Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Data and Information Management Preventive
    Prohibit personal data transfers when security is inadequate. CC ID 00345 Data and Information Management Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Data and Information Management Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Data and Information Management Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Establish/Maintain Documentation Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Data and Information Management Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Records Management Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Behavior Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Establish/Maintain Documentation Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Data and Information Management Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Data and Information Management Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Data and Information Management Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Data and Information Management Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Data and Information Management Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Data and Information Management Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Data and Information Management Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Data and Information Management Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Data and Information Management Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Data and Information Management Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Business Processes Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Data and Information Management Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Data and Information Management Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Data and Information Management Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Data and Information Management Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Data and Information Management Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Data and Information Management Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Communicate Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Behavior Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Establish/Maintain Documentation Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Data and Information Management Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Data and Information Management Preventive
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Process or Activity Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Process or Activity Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Process or Activity Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Data and Information Management Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Establish/Maintain Documentation Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Establish/Maintain Documentation Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Establish/Maintain Documentation Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Establish/Maintain Documentation Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Establish/Maintain Documentation Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Establish/Maintain Documentation Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Establish/Maintain Documentation Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Establish/Maintain Documentation Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Business Processes Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Communicate Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)]
    Human Resources Management Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and remediate violations of this chapter. Section 10(a) (2)(vi)]
    Data and Information Management Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Behavior Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Data and Information Management Corrective
    File privacy rights violation complaints in writing. CC ID 00477 Establish/Maintain Documentation Corrective
    Include supporting documentation in the privacy rights violation complaint. CC ID 16997 Establish/Maintain Documentation Preventive
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Establish/Maintain Documentation Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Establish/Maintain Documentation Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Behavior Corrective
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Business Processes Preventive
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Behavior Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462
    [{be inaccurate} A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. Section 6 Subdivision 1(c)]
    Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Establish/Maintain Documentation Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Establish/Maintain Documentation Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Establish/Maintain Documentation Preventive
    Document unresolved challenges. CC ID 13568 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Establish/Maintain Documentation Preventive
    Notify individuals of their right to challenge personal data. CC ID 00457
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Data and Information Management Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Data and Information Management Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Configuration Preventive
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Human Resources Management Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Data and Information Management Preventive
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Communicate Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Data and Information Management Preventive
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Behavior Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Behavior Corrective
    Notify third parties of unresolved challenges. CC ID 13559 Communicate Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Establish/Maintain Documentation Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Establish/Maintain Documentation Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; Section 11(a) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; Section 11(a) (3)]
    Business Processes Corrective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Behavior Detective
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Establish/Maintain Documentation Preventive
    Investigate privacy rights violation complaints in private. CC ID 00492 Behavior Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Behavior Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Behavior Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Behavior Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Behavior Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Behavior Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Behavior Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Behavior Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Communicate Corrective
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Establish/Maintain Documentation Corrective
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Behavior Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Establish/Maintain Documentation Detective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Behavior Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Behavior Corrective
    Award damages based on applicable law. CC ID 00501 Behavior Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Data and Information Management Corrective
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter. Section 5(f)
    A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)
    {is liable} Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. Section 12(c)]
    Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506
    [A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f). Section 6 Subdivision 5(a)
    The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)
    The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)]
    Establish/Maintain Documentation Preventive
    Define the fee structure for the appeal process. CC ID 16532 Process or Activity Preventive
    Define the time requirements for the appeal process. CC ID 16531 Process or Activity Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]
    Communicate Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Communicate Preventive
    Provide notice of proposed penalties. CC ID 06216 Establish/Maintain Documentation Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Behavior Preventive
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Testing Detective
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Data and Information Management Preventive
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)
    A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Establish/Maintain Documentation Preventive
    Check the accuracy of restricted data. CC ID 00088 Data and Information Management Preventive
    Record restricted data correctly. CC ID 00089 Testing Detective
    Check the data accuracy of new accounts. CC ID 04859 Data and Information Management Preventive
    Use documents for identification that do not appear altered or forged. CC ID 04860 Establish/Maintain Documentation Preventive
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Testing Detective
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Data and Information Management Preventive
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Data and Information Management Preventive
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Data and Information Management Preventive
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Data and Information Management Preventive
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Data and Information Management Preventive
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Data and Information Management Preventive
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Data and Information Management Preventive
    Provide additional personal data when the application is incomplete. CC ID 04869 Data and Information Management Preventive
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Data and Information Management Detective
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Behavior Detective
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Data and Information Management Detective
    Interview appropriate parties to validate consumer information. CC ID 16902 Process or Activity Preventive
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Business Processes Detective
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Business Processes Preventive
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Process or Activity Preventive
  • Records management
    24
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Capture the records required by organizational compliance requirements. CC ID 00912
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Records Management Detective
    Establish, implement, and maintain authorization records. CC ID 14367 Establish/Maintain Documentation Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Establish/Maintain Documentation Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Establish/Maintain Documentation Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic health records. CC ID 14436 Data and Information Management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Data and Information Management Preventive
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records Management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Process or Activity Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Establish/Maintain Documentation Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Actionable Reports or Measurements Preventive
    Create export summaries, as necessary. CC ID 14446 Process or Activity Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Data and Information Management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Data and Information Management Preventive
    Identify patient-specific education resources. CC ID 14439 Process or Activity Detective
    Establish and maintain an implantable device list. CC ID 14444 Records Management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Data and Information Management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Business Processes Preventive
    Include attributes in the decision support intervention. CC ID 16766 Data and Information Management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records Management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records Management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records Management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Log Management Preventive
  • Technical security
    50
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf. Section 6 Subdivision 2(b)
    In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf. Section 6 Subdivision 2(c)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]
    Establish/Maintain Documentation Preventive
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Establish/Maintain Documentation Preventive
    Include termination procedures in the authorized representatives policy. CC ID 17226 Establish/Maintain Documentation Preventive
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Establish/Maintain Documentation Preventive
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Establish/Maintain Documentation Preventive
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714 Establish/Maintain Documentation Preventive
    Implement digital identification processes. CC ID 13731 Process or Activity Preventive
    Implement identity proofing processes. CC ID 13719
    [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]
    Process or Activity Preventive
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Process or Activity Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Process or Activity Preventive
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Process or Activity Detective
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Process or Activity Preventive
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Establish/Maintain Documentation Preventive
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Configuration Preventive
    Interact with the data subject when performing remote proofing. CC ID 13777 Process or Activity Detective
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Process or Activity Preventive
    View all applicant actions when performing remote proofing. CC ID 13804 Process or Activity Detective
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Process or Activity Preventive
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Process or Activity Detective
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Process or Activity Detective
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Process or Activity Preventive
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Process or Activity Preventive
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Process or Activity Detective
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Process or Activity Preventive
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Configuration Preventive
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Configuration Preventive
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Configuration Preventive
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Process or Activity Preventive
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Process or Activity Detective
    Validate proof of identity during the identity proofing process. CC ID 13756 Process or Activity Detective
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Business Processes Detective
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Process or Activity Detective
    Verify proof of identity records. CC ID 13761 Investigate Detective
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Process or Activity Detective
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Process or Activity Preventive
    Conduct in-person proofing with physical interactions. CC ID 13775 Process or Activity Detective
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Process or Activity Preventive
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Process or Activity Preventive
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Process or Activity Preventive
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Process or Activity Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]
    Data and Information Management Preventive
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]
    Establish/Maintain Documentation Preventive
    Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 Technical Security Preventive
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Communicate Preventive
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]
    Establish/Maintain Documentation Detective
  • Third Party and supply chain oversight
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]
    Establish/Maintain Documentation Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)]
    Establish/Maintain Documentation Detective
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Communicate Preventive
    Include the audit scope in the third party external audit report. CC ID 13138 Establish/Maintain Documentation Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Establish/Maintain Documentation Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Provide products or services per customer requests. CC ID 08893
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]
    Business Processes Preventive
Common Controls and
mandates by Type
143 Mandated Controls - bold    
65 Implied Controls - italic     1116 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1324 Total
  • Acquisition/Sale of Assets or Services
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Preventive
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580
    [{not require} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or Section 8 Subdivision 3(b) (1)]
    Acquisition or sale of facilities, technology, and services Preventive
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
  • Actionable Reports or Measurements
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 Audits and risk management Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Preventive
  • Audits and Risk Management
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Monitoring and measurement Preventive
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Human Resources management Detective
  • Behavior
    56
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Preventive
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Preventive
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Privacy protection for information and data Preventive
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943
    [Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)
    Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]
    Privacy protection for information and data Preventive
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision. Section 6 Subdivision 1(a)
    Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1. Section 6 Subdivision 4(a)
    A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request. Section 6 Subdivision 4(d)
    A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)]
    Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132
    [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]
    Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Corrective
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Detective
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Privacy protection for information and data Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Preventive
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Corrective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Corrective
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Corrective
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Preventive
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Privacy protection for information and data Detective
  • Business Processes
    55
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement a fraud detection system. CC ID 13081
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Technical security Detective
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Corrective
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Detective
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780
    [A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section. Section 6 Subdivision 4(c)]
    Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334
    [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]
    Privacy protection for information and data Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{not prohibit} {be different} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Section 8 Subdivision 3(b) (2)]
    Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    {loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)
    {opt out} A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter. Section 6 Subdivision 4(k) (2)
    {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]
    Privacy protection for information and data Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010
    [{refrain from selling} {absent consent} {minor} A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16. Section 8 Subdivision 2(f)]
    Privacy protection for information and data Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Detective
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Preventive
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Preventive
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; Section 11(a) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; Section 11(a) (3)]
    Privacy protection for information and data Corrective
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Privacy protection for information and data Detective
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Privacy protection for information and data Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Preventive
    Provide products or services per customer requests. CC ID 08893
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]
    Third Party and supply chain oversight Preventive
  • Communicate
    88
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} {data protection assessment} As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. Section 10(f)]
    Audits and risk management Preventive
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Technical security Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]
    Operational management Corrective
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445
    [{be specific} {state} A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section. Section 8 Subdivision 1(f)]
    Privacy protection for information and data Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: Section 8 Subdivision 1(a)
    {be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)
    The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities. Section 8 Subdivision 1(d)]
    Privacy protection for information and data Preventive
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]
    Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Preventive
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Corrective
    Provide a copy of the data subject's consent to the data subject. CC ID 17234 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Respond to questions about submissions in a timely manner. CC ID 16930 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Corrective
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Corrective
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Corrective
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Corrective
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Preventive
    Capture personal data removal requests. CC ID 13507
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)]
    Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Privacy protection for information and data Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Privacy protection for information and data Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Preventive
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Privacy protection for information and data Preventive
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Corrective
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]
    Privacy protection for information and data Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Preventive
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Preventive
  • Configuration
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Technical security Preventive
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Technical security Preventive
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Technical security Preventive
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Technical security Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Preventive
  • Data and Information Management
    472
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Enforce access restrictions for restricted data. CC ID 01921
    [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]
    Technical security Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Preventive
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Records management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Records management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Records management Preventive
    Include attributes in the decision support intervention. CC ID 16766 Records management Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Preventive
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Preventive
    Establish, implement, and maintain adequate openness procedures. CC ID 00377
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: reflect the requirements of this chapter in the design of the controller's systems; Section 10(a) (2)(i)]
    Privacy protection for information and data Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Preventive
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Preventive
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]
    Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Preventive
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860
    [A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead. Section 6 Subdivision 1(h)]
    Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. Section 6 Subdivision 1(f)
    A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: Section 6 Subdivision 3(a)
    If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)
    {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526
    [{refrain from disadvantaging} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not unfairly disadvantage another controller; Section 6 Subdivision 3(a) (1)
    {refrain from using} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data; Section 6 Subdivision 3(a) (2)
    {be easy to use} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be consumer-friendly and easy to use by the average consumer; Section 6 Subdivision 3(a) (3)
    {be consistent} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and Section 6 Subdivision 3(a) (4)
    A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence. Section 6 Subdivision 3(a) (5)
    {opt-out mechanism} The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4. Section 6 Subdivision 3(c)
    Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]
    Privacy protection for information and data Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469
    [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]
    Privacy protection for information and data Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551
    [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]
    Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]
    Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416
    [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]
    Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Section 8 Subdivision 3(a)]
    Privacy protection for information and data Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and Section 11(a) (10)(i)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law. Section 11(a) (10)(ii)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)
    {not adversely affect} Obligations imposed on controllers and processors under this chapter shall not: adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or Section 11(e) (1)]
    Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Preventive
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]
    Privacy protection for information and data Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Preventive
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Detective
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Preventive
    Refrain from selling restricted data, as necessary. CC ID 17165
    [{absent consent} A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent. Section 9(a)]
    Privacy protection for information and data Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Privacy protection for information and data Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]
    Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Preventive
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]
    Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441
    [In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret. Section 6 Subdivision 4(j)]
    Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)
    If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]
    Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428
    [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]
    Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)
    {be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]
    Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431
    [A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Section 6 Subdivision 1(e)]
    Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 Privacy protection for information and data Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)
    {be necessary} {be reasonable} {be proportionate} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: necessary, reasonable, and proportionate to the purposes listed in this section; Section 11(f) (1)
    {be adequate} {be relevant} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and Section 11(f) (2)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Privacy protection for information and data Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Preventive
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Preventive
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Preventive
    Manage health data collection. CC ID 00050 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Preventive
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Preventive
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Preventive
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Preventive
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Preventive
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]
    Privacy protection for information and data Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]
    Privacy protection for information and data Preventive
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Preventive
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Preventive
    Validate the business need for maintaining collected restricted data. CC ID 17090 Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: reidentify deidentified data; Section 7(a) (1)
    A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized. Section 7(d)
    A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers. Section 7(e)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]
    Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Preventive
    Prohibit personal data transfers when security is inadequate. CC ID 00345 Privacy protection for information and data Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and remediate violations of this chapter. Section 10(a) (2)(vi)]
    Privacy protection for information and data Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462
    [{be inaccurate} A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. Section 6 Subdivision 1(c)]
    Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Notify individuals of their right to challenge personal data. CC ID 00457
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Privacy protection for information and data Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Corrective
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Privacy protection for information and data Preventive
    Check the accuracy of restricted data. CC ID 00088 Privacy protection for information and data Preventive
    Check the data accuracy of new accounts. CC ID 04859 Privacy protection for information and data Preventive
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Privacy protection for information and data Preventive
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Privacy protection for information and data Preventive
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Privacy protection for information and data Preventive
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Privacy protection for information and data Preventive
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Privacy protection for information and data Preventive
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Privacy protection for information and data Preventive
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Privacy protection for information and data Preventive
    Provide additional personal data when the application is incomplete. CC ID 04869 Privacy protection for information and data Preventive
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Privacy protection for information and data Detective
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Privacy protection for information and data Detective
  • Establish Roles
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify and define all critical roles. CC ID 00777 Human Resources management Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a)
    {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Human Resources management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]
    Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    422
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Include contact information in the organization's policies, standards, and procedures. CC ID 17167
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: the name and contact information for the controller's chief privacy individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and Section 10(a) (1)]
    Leadership and high level objectives Preventive
    Include the effective date on all organizational policies. CC ID 06820
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the date the privacy notice was last updated. Section 8 Subdivision 1(a) (8)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: Section 10(a)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]
    Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f). Section 11(g)]
    Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: Section 10(a) (2)]
    Audits and risk management Preventive
    Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673
    [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635
    [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Preventive
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Preventive
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf. Section 6 Subdivision 2(b)
    In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf. Section 6 Subdivision 2(c)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]
    Technical security Preventive
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Technical security Preventive
    Include termination procedures in the authorized representatives policy. CC ID 17226 Technical security Preventive
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Technical security Preventive
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Technical security Preventive
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Technical security Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714 Technical security Preventive
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Technical security Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Technical security Preventive
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]
    Technical security Preventive
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]
    Technical security Detective
    Establish, implement, and maintain a legal support program. CC ID 13710
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: investigate, establish, exercise, prepare for, or defend legal claims; Section 11(a) (4)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources management Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)]
    Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Preventive
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include the incident reference code in incident response notifications. CC ID 17292 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Operational management Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Preventive
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Detective
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [{administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]
    Privacy protection for information and data Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy notice. CC ID 16543
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the purposes for which the categories of personal data are processed; Section 8 Subdivision 1(a) (2)
    If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)]
    Privacy protection for information and data Preventive
    Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 Privacy protection for information and data Preventive
    Include contact information in the privacy notice. CC ID 14432
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller; Section 8 Subdivision 1(a) (6)]
    Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]
    Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Preventive
    Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 Privacy protection for information and data Preventive
    Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of third parties, if any, with whom the controller sells or shares personal data; Section 8 Subdivision 1(a) (5)]
    Privacy protection for information and data Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: a description of the controller's retention policies for personal data; and Section 8 Subdivision 1(a) (7)]
    Privacy protection for information and data Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; Section 8 Subdivision 1(a) (1)]
    Privacy protection for information and data Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data that the controller sells to or shares with third parties, if any; Section 8 Subdivision 1(a) (4)]
    Privacy protection for information and data Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Preventive
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]
    Privacy protection for information and data Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Preventive
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Preventive
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Preventive
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)
    {be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Preventive
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)
    A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]
    Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]
    Privacy protection for information and data Preventive
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Preventive
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Privacy protection for information and data Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Detective
    Write privacy notices in the official languages required by law. CC ID 16529
    [The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service. Section 8 Subdivision 1(c)]
    Privacy protection for information and data Preventive
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Preventive
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Preventive
    Include opt-out instructions in the privacy policy. CC ID 00411 Privacy protection for information and data Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363
    [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]
    Privacy protection for information and data Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Privacy protection for information and data Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Privacy protection for information and data Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Preventive
    Post the privacy policy in an easily seen location. CC ID 00401
    [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]
    Privacy protection for information and data Preventive
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Preventive
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Preventive
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Preventive
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Preventive
    Date the data subject's consent. CC ID 17233 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546
    [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)
    A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]
    Privacy protection for information and data Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Privacy protection for information and data Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Preventive
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and Section 5(c) (1)]
    Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]
    Privacy protection for information and data Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and Section 5(e) (2)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]
    Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)
    Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable. Section 8 Subdivision 4 ¶ 1
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: assist another controller, processor, or third party with any of the obligations under this paragraph; Section 11(a) (8)]
    Privacy protection for information and data Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; Section 5(e) (1)
    {no longer necessary} A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09. Section 8 Subdivision 2(g)]
    Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115
    [{not be necessary} Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. Section 8 Subdivision 2(b)]
    Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; Section 11(a) (6)]
    Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Preventive
    Define opt-out exceptions for disclosing restricted data. CC ID 00159
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Preventive
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Detective
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)
    {no longer necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and Section 10(a) (2)(v)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and Section 7(a) (3)(ii)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. Section 7(a) (3)(iii)
    If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)
    A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Preventive
    Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507
    [{be relevant} {be necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed; Section 10(a) (2)(iv)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Preventive
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Preventive
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Privacy protection for information and data Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Preventive
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Corrective
    Include supporting documentation in the privacy rights violation complaint. CC ID 16997 Privacy protection for information and data Preventive
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Preventive
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Preventive
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Preventive
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Detective
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter. Section 5(f)
    A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)
    {is liable} Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. Section 12(c)]
    Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506
    [A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f). Section 6 Subdivision 5(a)
    The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)
    The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)]
    Privacy protection for information and data Preventive
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Preventive
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)
    A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Preventive
    Use documents for identification that do not appear altered or forged. CC ID 04860 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]
    Third Party and supply chain oversight Preventive
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)]
    Third Party and supply chain oversight Detective
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Detective
  • Human Resources Management
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607
    [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a)
    {technical measures} taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and Section 5(b) (1)
    {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Human Resources management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]
    Human Resources management Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources management Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: Section 8 Subdivision 3(b)]
    Privacy protection for information and data Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Section 5(c) (2)]
    Privacy protection for information and data Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)]
    Privacy protection for information and data Detective
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Preventive
  • IT Impact Zone
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Verify proof of identity records. CC ID 13761 Technical security Detective
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Preventive
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Detective
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Detective
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Detective
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637 Monitoring and measurement Detective
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Monitor and Evaluate Occurrences
    16
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]
    Monitoring and measurement Detective
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Preventive
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
  • Process or Activity
    91
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515
    [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]
    Monitoring and measurement Corrective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of sensitive data; Section 10(b) (3)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: any processing activities involving personal data that present a heightened risk of harm to consumers; and Section 10(b) (4)
    {data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a). Section 10(e)
    {be similar} A single data protection assessment may address multiple sets of comparable processing operations that include similar activities. Section 10(h)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: Section 10(b)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of targeted advertising; Section 10(b) (1)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the sale of personal data; Section 10(b) (2)]
    Audits and risk management Preventive
    Implement digital identification processes. CC ID 13731 Technical security Preventive
    Implement identity proofing processes. CC ID 13719
    [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]
    Technical security Preventive
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Technical security Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Technical security Preventive
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Technical security Detective
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Technical security Preventive
    Interact with the data subject when performing remote proofing. CC ID 13777 Technical security Detective
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Technical security Preventive
    View all applicant actions when performing remote proofing. CC ID 13804 Technical security Detective
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Technical security Preventive
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Technical security Detective
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Technical security Detective
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Technical security Preventive
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Technical security Preventive
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Technical security Detective
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Technical security Preventive
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Technical security Preventive
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Technical security Detective
    Validate proof of identity during the identity proofing process. CC ID 13756 Technical security Detective
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Technical security Detective
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Technical security Detective
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Technical security Preventive
    Conduct in-person proofing with physical interactions. CC ID 13775 Technical security Detective
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Technical security Preventive
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Technical security Preventive
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Technical security Preventive
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Technical security Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Detective
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Operational management Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Detective
    Display required information automatically in electronic health records. CC ID 14442 Records management Preventive
    Create export summaries, as necessary. CC ID 14446 Records management Preventive
    Identify patient-specific education resources. CC ID 14439 Records management Detective
    Require a data protection impact assessment when profiling the data subject. CC ID 12680
    [{data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or disparate impact on, consumers; Section 10(b) (5)(i)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: financial, physical, or reputational injury to consumers; Section 10(b) (5)(ii)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or Section 10(b) (5)(iii)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: other substantial injury to consumers. Section 10(b) (5)(iv)]
    Privacy protection for information and data Detective
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Privacy protection for information and data Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545
    [A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise. Section 6 Subdivision 2(a)]
    Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]
    Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Corrective
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Preventive
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Preventive
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Preventive
    Interview appropriate parties to validate consumer information. CC ID 16902 Privacy protection for information and data Preventive
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Privacy protection for information and data Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    39
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Capture the records required by organizational compliance requirements. CC ID 00912
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Records management Detective
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Preventive
    Establish and maintain an implantable device list. CC ID 14444 Records management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Corrective
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Preventive
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967
    [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]
    Privacy protection for information and data Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A consumer has the right to delete personal data concerning the consumer. Section 6 Subdivision 1(d)]
    Privacy protection for information and data Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Preventive
  • Technical Security
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 Technical security Preventive
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Preventive
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Privacy protection for information and data Preventive
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Preventive
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Preventive
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606
    [{technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Privacy protection for information and data Preventive
  • Testing
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain a system security plan. CC ID 01922
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Monitoring and measurement Preventive
    Test incident monitoring procedures. CC ID 13194 Operational management Detective
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Detective
    Record restricted data correctly. CC ID 00089 Privacy protection for information and data Detective
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Privacy protection for information and data Detective
Common Controls and
mandates by Classification
143 Mandated Controls - bold    
65 Implied Controls - italic     1116 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
1324 Total
  • Corrective
    44
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Correct compliance violations. CC ID 13515
    [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]
    Monitoring and measurement Process or Activity
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Business Processes
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]
    Operational management Communicate
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Establish/Maintain Documentation
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Records Management
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Records Management
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Establish/Maintain Documentation
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Communicate
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Communicate
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Communicate
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Communicate
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Communicate
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Process or Activity
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Data and Information Management
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Establish/Maintain Documentation
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Establish/Maintain Documentation
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Behavior
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Behavior
    Change or destroy any personal data that is incorrect. CC ID 00462
    [{be inaccurate} A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. Section 6 Subdivision 1(c)]
    Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Behavior
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Behavior
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Data and Information Management
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; Section 11(a) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; Section 11(a) (3)]
    Privacy protection for information and data Business Processes
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Communicate
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Establish/Maintain Documentation
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Behavior
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Behavior
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Behavior
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Behavior
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Data and Information Management
  • Detective
    79
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments. Section 7(c)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Technical security Process or Activity
    Interact with the data subject when performing remote proofing. CC ID 13777 Technical security Process or Activity
    View all applicant actions when performing remote proofing. CC ID 13804 Technical security Process or Activity
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Technical security Process or Activity
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Technical security Process or Activity
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Technical security Process or Activity
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Technical security Process or Activity
    Validate proof of identity during the identity proofing process. CC ID 13756 Technical security Process or Activity
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Technical security Business Processes
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Technical security Process or Activity
    Verify proof of identity records. CC ID 13761 Technical security Investigate
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Technical security Process or Activity
    Conduct in-person proofing with physical interactions. CC ID 13775 Technical security Process or Activity
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]
    Technical security Establish/Maintain Documentation
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Human Resources management Audits and Risk Management
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Business Processes
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Process or Activity
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Operational management Process or Activity
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Process or Activity
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Test incident monitoring procedures. CC ID 13194 Operational management Testing
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Process or Activity
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Investigate
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Investigate
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Investigate
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Establish/Maintain Documentation
    Capture the records required by organizational compliance requirements. CC ID 00912
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Records management Records Management
    Identify patient-specific education resources. CC ID 14439 Records management Process or Activity
    Require a data protection impact assessment when profiling the data subject. CC ID 12680
    [{data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or disparate impact on, consumers; Section 10(b) (5)(i)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: financial, physical, or reputational injury to consumers; Section 10(b) (5)(ii)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or Section 10(b) (5)(iii)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: other substantial injury to consumers. Section 10(b) (5)(iv)]
    Privacy protection for information and data Process or Activity
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Establish/Maintain Documentation
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Process or Activity
    Analyze requirements for processing personal data in contracts. CC ID 12550
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Investigate
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Data and Information Management
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Business Processes
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Investigate
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Investigate
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Review compliance with the organization's privacy objectives. CC ID 13490
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)]
    Privacy protection for information and data Human Resources Management
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Behavior
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Behavior
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Behavior
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Behavior
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Behavior
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Testing
    Record restricted data correctly. CC ID 00089 Privacy protection for information and data Testing
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Privacy protection for information and data Testing
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Privacy protection for information and data Data and Information Management
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Privacy protection for information and data Behavior
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Privacy protection for information and data Data and Information Management
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Privacy protection for information and data Business Processes
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Establish/Maintain Documentation
  • IT Impact Zone
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1192
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Include contact information in the organization's policies, standards, and procedures. CC ID 17167
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: the name and contact information for the controller's chief privacy individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and Section 10(a) (1)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the effective date on all organizational policies. CC ID 06820
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the date the privacy notice was last updated. Section 8 Subdivision 1(a) (8)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: Section 10(a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f). Section 11(g)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Communicate
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Monitoring and measurement Audits and Risk Management
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Establish/Maintain Documentation
    Implement a fraud detection system. CC ID 13081
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Monitoring and measurement Business Processes
    Establish, implement, and maintain a system security plan. CC ID 01922
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the organization's privacy policy in the Statement of Compliance. CC ID 12362
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: Section 10(a) (2)]
    Audits and risk management Establish/Maintain Documentation
    Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 Audits and risk management Actionable Reports or Measurements
    Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of sensitive data; Section 10(b) (3)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: any processing activities involving personal data that present a heightened risk of harm to consumers; and Section 10(b) (4)
    {data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a). Section 10(e)
    {be similar} A single data protection assessment may address multiple sets of comparable processing operations that include similar activities. Section 10(h)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: Section 10(b)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the processing of personal data for purposes of targeted advertising; Section 10(b) (1)
    {data protection assessment} A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data: the sale of personal data; Section 10(b) (2)]
    Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Establish/Maintain Documentation
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Establish/Maintain Documentation
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673
    [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} {data protection assessment} As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. Section 10(f)]
    Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370
    [{data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Establish/Maintain Documentation
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635
    [{data protection assessment} A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed. Section 10(c)
    {data protection assessment} A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller. Section 10(d)]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf. Section 6 Subdivision 2(b)
    In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf. Section 6 Subdivision 2(c)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]
    Technical security Establish/Maintain Documentation
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Technical security Establish/Maintain Documentation
    Include termination procedures in the authorized representatives policy. CC ID 17226 Technical security Establish/Maintain Documentation
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Technical security Establish/Maintain Documentation
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Technical security Establish/Maintain Documentation
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain digital identification procedures. CC ID 13714 Technical security Establish/Maintain Documentation
    Implement digital identification processes. CC ID 13731 Technical security Process or Activity
    Implement identity proofing processes. CC ID 13719
    [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)]
    Technical security Process or Activity
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Technical security Process or Activity
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Technical security Process or Activity
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Technical security Process or Activity
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Technical security Establish/Maintain Documentation
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Technical security Configuration
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Technical security Process or Activity
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Technical security Process or Activity
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Technical security Process or Activity
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Technical security Process or Activity
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Technical security Process or Activity
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Technical security Configuration
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Technical security Configuration
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Technical security Configuration
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Technical security Process or Activity
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Technical security Process or Activity
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Technical security Process or Activity
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Technical security Process or Activity
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Technical security Process or Activity
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Technical security Process or Activity
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Enforce access restrictions for restricted data. CC ID 01921
    [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]
    Technical security Data and Information Management
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]
    Technical security Establish/Maintain Documentation
    Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 Technical security Technical Security
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Technical security Communicate
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Human Resources Management
    Identify and define all critical roles. CC ID 00777 Human Resources management Establish Roles
    Define and assign the data processor's roles and responsibilities. CC ID 12607
    [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a)
    {technical measures} taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and Section 5(b) (1)
    {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Human Resources management Human Resources Management
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)]
    Human Resources management Human Resources Management
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Communicate
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Controllers and processors are responsible for meeting the respective obligations established under this chapter. Section 5(a)
    {technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Human Resources management Establish Roles
    Establish, implement, and maintain a legal support program. CC ID 13710
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: investigate, establish, exercise, prepare for, or defend legal claims; Section 11(a) (4)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an ethics program. CC ID 11496
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources management Human Resources Management
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Communicate
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Behavior
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Investigate
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Behavior
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Monitor and Evaluate Occurrences
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Monitor and Evaluate Occurrences
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Business Processes
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Business Processes
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Communicate
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Establish/Maintain Documentation
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Behavior
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Behavior
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Behavior
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Human Resources management Human Resources Management
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Human Resources Management
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Human Resources Management
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Establish Roles
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Behavior
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Behavior
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue. Section 8 Subdivision 2(c)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Business Processes
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Communicate
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Establish/Maintain Documentation
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Establish/Maintain Documentation
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Establish/Maintain Documentation
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Establish/Maintain Documentation
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Establish/Maintain Documentation
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Establish/Maintain Documentation
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Establish/Maintain Documentation
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Establish/Maintain Documentation
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include the incident classification criteria in incident response notifications. CC ID 17293 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include the incident reference code in incident response notifications. CC ID 17292 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Operational management Establish/Maintain Documentation
    Include costs associated with the incident in incident response notifications. CC ID 17300 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Establish/Maintain Documentation
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Establish/Maintain Documentation
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Data and Information Management
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; Section 11(a) (7)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Establish/Maintain Documentation
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Establish/Maintain Documentation
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Establish/Maintain Documentation
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Data and Information Management
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Data and Information Management
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Records Management
    Display required information automatically in electronic health records. CC ID 14442 Records management Process or Activity
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Establish/Maintain Documentation
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Actionable Reports or Measurements
    Create export summaries, as necessary. CC ID 14446 Records management Process or Activity
    Import data files into a patient's electronic health record. CC ID 14448 Records management Data and Information Management
    Export requested sections of the electronic health record. CC ID 14447 Records management Data and Information Management
    Establish and maintain an implantable device list. CC ID 14444 Records management Records Management
    Display the implantable device list to authorized users. CC ID 14445 Records management Data and Information Management
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Business Processes
    Include attributes in the decision support intervention. CC ID 16766 Records management Data and Information Management
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Records Management
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Records Management
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Records Management
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Records Management
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Log Management
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from providing products and services, as necessary. CC ID 15580
    [{not require} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or Section 8 Subdivision 3(b) (1)]
    Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [{administrative data security practice} {technical data security practice} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item; Section 10(a) (2)(iii)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy notice. CC ID 16543
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the purposes for which the categories of personal data are processed; Section 8 Subdivision 1(a) (2)
    If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 Privacy protection for information and data Establish/Maintain Documentation
    Include contact information in the privacy notice. CC ID 14432
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller; Section 8 Subdivision 1(a) (6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Establish/Maintain Documentation
    Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 Privacy protection for information and data Establish/Maintain Documentation
    Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of third parties, if any, with whom the controller sells or shares personal data; Section 8 Subdivision 1(a) (5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: a description of the controller's retention policies for personal data; and Section 8 Subdivision 1(a) (7)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data processed by the controller; Section 8 Subdivision 1(a) (1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data disclosed in the privacy notice. CC ID 13446
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data that the controller sells to or shares with third parties, if any; Section 8 Subdivision 1(a) (4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Establish/Maintain Documentation
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Establish/Maintain Documentation
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request; Section 8 Subdivision 1(a) (3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445
    [{be specific} {state} A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section. Section 8 Subdivision 1(f)]
    Privacy protection for information and data Communicate
    Deliver privacy notices to data subjects, as necessary. CC ID 13444
    [Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: Section 8 Subdivision 1(a)
    {be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)
    The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities. Section 8 Subdivision 1(d)]
    Privacy protection for information and data Communicate
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Establish/Maintain Documentation
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Communicate
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Communicate
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Communicate
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Communicate
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Establish/Maintain Documentation
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Establish/Maintain Documentation
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Establish/Maintain Documentation
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Establish/Maintain Documentation
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Establish/Maintain Documentation
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Establish/Maintain Documentation
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Communicate
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Communicate
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Communicate
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Communicate
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Communicate
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Data and Information Management
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Communicate
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Communicate
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Establish/Maintain Documentation
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Data and Information Management
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Communicate
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Communicate
    Establish, implement, and maintain adequate openness procedures. CC ID 00377
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: reflect the requirements of this chapter in the design of the controller's systems; Section 10(a) (2)(i)]
    Privacy protection for information and data Data and Information Management
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Communicate
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Establish/Maintain Documentation
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Behavior
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Establish Roles
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Establish/Maintain Documentation
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Establish/Maintain Documentation
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Establish/Maintain Documentation
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Establish/Maintain Documentation
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Privacy protection for information and data Process or Activity
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)
    {be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Process or Activity
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Data and Information Management
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Data and Information Management
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Technical Security
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Records Management
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Records Management
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Privacy protection for information and data Behavior
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Privacy protection for information and data Behavior
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Data and Information Management
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Records Management
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Records Management
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Communicate
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Data and Information Management
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Data and Information Management
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Establish/Maintain Documentation
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Establish/Maintain Documentation
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Communicate
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Communicate
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Communicate
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Communicate
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Data and Information Management
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Communicate
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]
    Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Communicate
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)
    A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and provide personal data to a consumer as required by this chapter; Section 10(a) (2)(ii)]
    Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Process or Activity
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Process or Activity
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Process or Activity
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Process or Activity
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Process or Activity
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]
    Privacy protection for information and data Data and Information Management
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780
    [A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section. Section 6 Subdivision 4(c)]
    Privacy protection for information and data Business Processes
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Business Processes
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Process or Activity
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Process or Activity
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing. Section 6 Subdivision 1(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Data and Information Management
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Establish/Maintain Documentation
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Establish/Maintain Documentation
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Establish/Maintain Documentation
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Establish/Maintain Documentation
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Establish/Maintain Documentation
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Establish/Maintain Documentation
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Establish/Maintain Documentation
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Establish/Maintain Documentation
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Establish/Maintain Documentation
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860
    [A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead. Section 6 Subdivision 1(h)]
    Privacy protection for information and data Data and Information Management
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Communicate
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Establish/Maintain Documentation
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Process or Activity
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Establish/Maintain Documentation
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Technical Security
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain a privacy policy. CC ID 06281 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Establish/Maintain Documentation
    Write privacy notices in the official languages required by law. CC ID 16529
    [The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service. Section 8 Subdivision 1(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Establish/Maintain Documentation
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Establish/Maintain Documentation
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Establish/Maintain Documentation
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Establish/Maintain Documentation
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Establish/Maintain Documentation
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Establish/Maintain Documentation
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Establish/Maintain Documentation
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Establish/Maintain Documentation
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Establish/Maintain Documentation
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Establish/Maintain Documentation
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Establish/Maintain Documentation
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Establish/Maintain Documentation
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Establish/Maintain Documentation
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Establish/Maintain Documentation
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Establish/Maintain Documentation
    Include opt-out instructions in the privacy policy. CC ID 00411 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363
    [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Privacy protection for information and data Establish/Maintain Documentation
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Establish/Maintain Documentation
    Post the privacy policy in an easily seen location. CC ID 00401
    [{be conspicuous} {be accessible} The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail. Section 8 Subdivision 1(g)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Privacy protection for information and data Communicate
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Communicate
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Establish/Maintain Documentation
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Process or Activity
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Business Processes
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Establish/Maintain Documentation
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Establish/Maintain Documentation
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Establish/Maintain Documentation
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Establish/Maintain Documentation
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Establish/Maintain Documentation
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Communicate
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Establish/Maintain Documentation
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Establish/Maintain Documentation
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943
    [Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)
    Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]
    Privacy protection for information and data Behavior
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Communicate
    Protect private communications in keeping with compliance requirements. CC ID 14334
    [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]
    Privacy protection for information and data Business Processes
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Establish/Maintain Documentation
    Provide a copy of the data subject's consent to the data subject. CC ID 17234 Privacy protection for information and data Communicate
    Date the data subject's consent. CC ID 17233 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request procedures. CC ID 16546
    [A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)
    A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests. Section 6 Subdivision 4(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: Section 8 Subdivision 3(b)]
    Privacy protection for information and data Human Resources Management
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Business Processes
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Establish/Maintain Documentation
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Establish/Maintain Documentation
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Establish/Maintain Documentation
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Establish/Maintain Documentation
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{not prohibit} {be different} A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Section 8 Subdivision 3(b) (2)]
    Privacy protection for information and data Business Processes
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Business Processes
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. Section 6 Subdivision 1(f)
    A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: Section 6 Subdivision 3(a)
    If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request. Section 8 Subdivision 1(b)
    {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]
    Privacy protection for information and data Data and Information Management
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Business Processes
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Business Processes
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526
    [{refrain from disadvantaging} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not unfairly disadvantage another controller; Section 6 Subdivision 3(a) (1)
    {refrain from using} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data; Section 6 Subdivision 3(a) (2)
    {be easy to use} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be consumer-friendly and easy to use by the average consumer; Section 6 Subdivision 3(a) (3)
    {be consistent} A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and Section 6 Subdivision 3(a) (4)
    A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must: enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence. Section 6 Subdivision 3(a) (5)
    {opt-out mechanism} The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4. Section 6 Subdivision 3(c)
    Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship. Section 8 Subdivision 1(e)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Privacy protection for information and data Technical Security
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. Section 6 Subdivision 2(d)
    {loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)
    {opt out} A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter. Section 6 Subdivision 4(k) (2)
    {be easy} A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request. Section 8 Subdivision 2(e)]
    Privacy protection for information and data Business Processes
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Process or Activity
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Establish/Maintain Documentation
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Business Processes
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Communicate
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Records Management
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Data and Information Management
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Data and Information Management
    Give individuals the ability to change the uses of their personal data. CC ID 00469
    [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]
    Privacy protection for information and data Data and Information Management
    Notify data subjects of the implications of withdrawing consent. CC ID 13551
    [{loyalty program} If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program. Section 6 Subdivision 3(b)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Human Resources Management
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Human Resources Management
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Behavior
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Establish/Maintain Documentation
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Business Processes
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Communicate
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Establish/Maintain Documentation
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Business Processes
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Process or Activity
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Privacy protection for information and data Process or Activity
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Communicate
    Respond to questions about submissions in a timely manner. CC ID 16930 Privacy protection for information and data Communicate
    Cooperate with Data Protection Authorities. CC ID 06870
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]
    Privacy protection for information and data Data and Information Management
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Human Resources Management
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Establish/Maintain Documentation
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Establish/Maintain Documentation
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Establish/Maintain Documentation
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Establish/Maintain Documentation
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Establish/Maintain Documentation
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Establish/Maintain Documentation
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Establish/Maintain Documentation
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Establish/Maintain Documentation
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Establish/Maintain Documentation
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Establish/Maintain Documentation
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Establish/Maintain Documentation
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Establish/Maintain Documentation
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Establish/Maintain Documentation
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Establish/Maintain Documentation
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Communicate
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Establish/Maintain Documentation
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and Section 5(c) (1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{privacy assessment} {data protection impact assessment} taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08. Section 5(b) (2)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and Section 5(e) (2)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request. Section 5(e) (3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following: Section 5(b)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: Section 5(c)
    {data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: Section 5(e)
    Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable. Section 8 Subdivision 4 ¶ 1
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: assist another controller, processor, or third party with any of the obligations under this paragraph; Section 11(a) (8)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data. Section 5(c) (2)]
    Privacy protection for information and data Human Resources Management
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; Section 5(e) (1)
    {no longer necessary} A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09. Section 8 Subdivision 2(g)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Data and Information Management
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Data and Information Management
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Behavior
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Data and Information Management
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Behavior
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Behavior
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115
    [{not be necessary} Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. Section 8 Subdivision 2(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Establish/Maintain Documentation
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; Section 11(a) (6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Behavior
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish, implement, and maintain data access procedures. CC ID 00414
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545
    [A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise. Section 6 Subdivision 2(a)]
    Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416
    [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]
    Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421
    [Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision. Section 6 Subdivision 1(a)
    Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1. Section 6 Subdivision 4(a)
    A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request. Section 6 Subdivision 4(d)
    A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)]
    Privacy protection for information and data Behavior
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Communicate
    Delay responding to data access requests, as necessary. CC ID 15504
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Data and Information Management
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Communicate
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Behavior
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Records Management
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Process or Activity
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data; Section 7(a) (3)(i)]
    Privacy protection for information and data Process or Activity
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Business Processes
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Process or Activity
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Section 8 Subdivision 3(a)]
    Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Business Processes
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Business Processes
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Business Processes
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Business Processes
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Process or Activity
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Establish/Maintain Documentation
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Records Management
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Records Management
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Records Management
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Records Management
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Records Management
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Records Management
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Records Management
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Records Management
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Records Management
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Records Management
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Records Management
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Records Management
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Records Management
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Records Management
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Records Management
    Process restricted data lawfully and carefully. CC ID 00086
    [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]
    Privacy protection for information and data Establish Roles
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Technical Security
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Records Management
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Data and Information Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Records Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Process or Activity
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Records Management
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Data and Information Management
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Business Processes
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Establish/Maintain Documentation
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Establish/Maintain Documentation
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Data and Information Management
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Data and Information Management
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Data and Information Management
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Data and Information Management
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Data and Information Management
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Data and Information Management
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Data and Information Management
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and Section 11(a) (10)(i)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is: under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law. Section 11(a) (10)(ii)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)
    {not adversely affect} Obligations imposed on controllers and processors under this chapter shall not: adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or Section 11(e) (1)]
    Privacy protection for information and data Data and Information Management
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Data and Information Management
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Data and Information Management
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Data and Information Management
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010
    [{refrain from selling} {absent consent} {minor} A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16. Section 8 Subdivision 2(f)]
    Privacy protection for information and data Business Processes
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Data and Information Management
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Data and Information Management
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Data and Information Management
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Data and Information Management
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined: Section 11(a) (9)]
    Privacy protection for information and data Data and Information Management
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Data and Information Management
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Data and Information Management
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Data and Information Management
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Data and Information Management
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Data and Information Management
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Data and Information Management
    Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Process or Activity
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Data and Information Management
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Data and Information Management
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132
    [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]
    Privacy protection for information and data Behavior
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967
    [In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: Social Security number; Section 6 Subdivision 4(i) (1)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: driver's license number or other government-issued identification number; Section 6 Subdivision 4(i) (2)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: financial account number; Section 6 Subdivision 4(i) (3)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: health insurance account number or medical identification number; Section 6 Subdivision 4(i) (4)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: account password, security questions, or answers; or Section 6 Subdivision 4(i) (5)
    In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information: biometric data. Section 6 Subdivision 4(i) (6)]
    Privacy protection for information and data Records Management
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Data and Information Management
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Establish/Maintain Documentation
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Establish/Maintain Documentation
    Define opt-out exceptions for disclosing restricted data. CC ID 00159
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Privacy protection for information and data Communicate
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Data and Information Management
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Data and Information Management
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Data and Information Management
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Data and Information Management
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Communicate
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)
    {no longer necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and Section 10(a) (2)(v)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data; Section 11(a) (1)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Establish/Maintain Documentation
    Capture personal data removal requests. CC ID 13507
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)]
    Privacy protection for information and data Communicate
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A consumer has the right to delete personal data concerning the consumer. Section 6 Subdivision 1(d)]
    Privacy protection for information and data Records Management
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Process or Activity
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Business Processes
    Refrain from selling restricted data, as necessary. CC ID 17165
    [{absent consent} A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent. Section 9(a)]
    Privacy protection for information and data Data and Information Management
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Data and Information Management
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Privacy protection for information and data Data and Information Management
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Establish/Maintain Documentation
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Data and Information Management
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions. Section 8 Subdivision 2(d)]
    Privacy protection for information and data Data and Information Management
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Data and Information Management
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Data and Information Management
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Data and Information Management
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Data and Information Management
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Behavior
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Data and Information Management
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Data and Information Management
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Establish/Maintain Documentation
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Data and Information Management
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Data and Information Management
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Privacy protection for information and data Communicate
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Data and Information Management
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Data and Information Management
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Communicate
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and Section 7(a) (3)(ii)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true: the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. Section 7(a) (3)(iii)
    If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)
    A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]
    Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441
    [In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret. Section 6 Subdivision 4(j)]
    Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)
    If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]
    Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428
    [The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication. Section 11(c)]
    Privacy protection for information and data Data and Information Management
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Data and Information Management
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Communicate
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay. Section 6 Subdivision 4(e)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Communicate
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Data and Information Management
    Provide data at a cost that is not excessive. CC ID 00430
    [{be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)
    {be unfounded} {be excessive} Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. Section 6 Subdivision 4(g)]
    Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431
    [A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Section 6 Subdivision 1(e)]
    Privacy protection for information and data Data and Information Management
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Data and Information Management
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Data and Information Management
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Data and Information Management
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Data and Information Management
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Establish/Maintain Documentation
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 Privacy protection for information and data Data and Information Management
    Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Data and Information Management
    Refrain from collecting personal data, as necessary. CC ID 15269
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507
    [{be relevant} {be necessary} A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed; Section 10(a) (2)(iv)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831
    [A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either: retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or Section 6 Subdivision 4(k) (1)
    {be necessary} {be reasonable} {be proportionate} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: necessary, reasonable, and proportionate to the purposes listed in this section; Section 11(f) (1)
    {be adequate} {be relevant} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and Section 11(f) (2)
    {administrative measure} {technical measure} Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is: insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers. Section 11(f) (3)]
    Privacy protection for information and data Data and Information Management
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Data and Information Management
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Establish/Maintain Documentation
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Data and Information Management
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Data and Information Management
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Data and Information Management
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Behavior
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Data and Information Management
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Data and Information Management
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Data and Information Management
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Data and Information Management
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Data and Information Management
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Data and Information Management
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Data and Information Management
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Data and Information Management
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Data and Information Management
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Data and Information Management
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Data and Information Management
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Data and Information Management
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Data and Information Management
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Data and Information Management
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Data and Information Management
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Establish/Maintain Documentation
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Data and Information Management
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Data and Information Management
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Data and Information Management
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Data and Information Management
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Data and Information Management
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Data and Information Management
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Data and Information Management
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Data and Information Management
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Data and Information Management
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Data and Information Management
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Data and Information Management
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Data and Information Management
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Data and Information Management
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Data and Information Management
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Data and Information Management
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Data and Information Management
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Data and Information Management
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Data and Information Management
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Data and Information Management
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Data and Information Management
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Data and Information Management
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Data and Information Management
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Data and Information Management
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Data and Information Management
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Data and Information Management
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Data and Information Management
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Data and Information Management
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Data and Information Management
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Data and Information Management
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Data and Information Management
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Data and Information Management
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Data and Information Management
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Data and Information Management
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Data and Information Management
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Data and Information Management
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Establish/Maintain Documentation
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Data and Information Management
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Data and Information Management
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Data and Information Management
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Data and Information Management
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Data and Information Management
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Data and Information Management
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Data and Information Management
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Data and Information Management
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Technical Security
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Data and Information Management
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Behavior
    Manage health data collection. CC ID 00050 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Data and Information Management
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Data and Information Management
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Data and Information Management
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Behavior
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Data and Information Management
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Data and Information Management
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Data and Information Management
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Technical Security
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Data and Information Management
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Data and Information Management
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be adequate} {be relevant} {be necessary} A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. Section 8 Subdivision 2(a)]
    Privacy protection for information and data Data and Information Management
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Data and Information Management
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or Section 11(b) (2)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: conduct internal research to develop, improve, or repair products, services, or technology. Section 11(b) (3)
    The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to: effectuate a product recall or identify and repair technical errors that impair existing or intended functionality; Section 11(b) (1)]
    Privacy protection for information and data Data and Information Management
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Data and Information Management
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Data and Information Management
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Data and Information Management
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Data and Information Management
    Validate the business need for maintaining collected restricted data. CC ID 17090 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Communicate
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606
    [{technical measure} {be appropriate} Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures. Section 5(d)]
    Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356 Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: reidentify deidentified data; Section 7(a) (1)
    A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized. Section 7(d)
    A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers. Section 7(e)
    This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter: maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or Section 7(a) (2)]
    Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. Section 7(b)]
    Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Communicate
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Data and Information Management
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Business Processes
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Behavior
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Establish/Maintain Documentation
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Privacy protection for information and data Communicate
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Data and Information Management
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Data and Information Management
    Prohibit personal data transfers when security is inadequate. CC ID 00345 Privacy protection for information and data Data and Information Management
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Data and Information Management
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Data and Information Management
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Establish/Maintain Documentation
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Data and Information Management
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Records Management
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Behavior
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Establish/Maintain Documentation
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Data and Information Management
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Data and Information Management
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Data and Information Management
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Data and Information Management
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Data and Information Management
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Data and Information Management
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Data and Information Management
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Data and Information Management
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Data and Information Management
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Data and Information Management
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Business Processes
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Data and Information Management
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Data and Information Management
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Data and Information Management
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Data and Information Management
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Communicate
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Behavior
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Data and Information Management
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Data and Information Management
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Process or Activity
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Privacy protection for information and data Establish/Maintain Documentation
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Establish/Maintain Documentation
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Establish/Maintain Documentation
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Establish/Maintain Documentation
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Establish/Maintain Documentation
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Business Processes
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Communicate
    Develop remedies and sanctions for privacy policy violations. CC ID 00474
    [A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable: a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to: identify and remediate violations of this chapter. Section 10(a) (2)(vi)]
    Privacy protection for information and data Data and Information Management
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Behavior
    Include supporting documentation in the privacy rights violation complaint. CC ID 16997 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Business Processes
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Establish/Maintain Documentation
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Establish/Maintain Documentation
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Establish/Maintain Documentation
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Establish/Maintain Documentation
    Notify individuals of their right to challenge personal data. CC ID 00457
    [{be different} If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Section 6 Subdivision 1(g)]
    Privacy protection for information and data Data and Information Management
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Data and Information Management
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Configuration
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Human Resources Management
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Data and Information Management
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Privacy protection for information and data Communicate
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Data and Information Management
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Communicate
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Establish/Maintain Documentation
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Establish/Maintain Documentation
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Establish/Maintain Documentation
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)]
    Privacy protection for information and data Behavior
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Behavior
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter. Section 5(f)
    A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data. Section 11(d)
    {is liable} Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. Section 12(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Define the appeal process based on the applicable law. CC ID 00506
    [A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f). Section 6 Subdivision 5(a)
    The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)
    The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests. Section 6 Subdivision 5(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Process or Activity
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Process or Activity
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5. Section 6 Subdivision 4(f)]
    Privacy protection for information and data Communicate
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general. Section 6 Subdivision 5(d)
    Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay. Section 6 Subdivision 5(c)]
    Privacy protection for information and data Communicate
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Establish/Maintain Documentation
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Behavior
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)
    A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief. Section 6 Subdivision 4(h)]
    Privacy protection for information and data Establish/Maintain Documentation
    Check the accuracy of restricted data. CC ID 00088 Privacy protection for information and data Data and Information Management
    Check the data accuracy of new accounts. CC ID 04859 Privacy protection for information and data Data and Information Management
    Use documents for identification that do not appear altered or forged. CC ID 04860 Privacy protection for information and data Establish/Maintain Documentation
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Privacy protection for information and data Data and Information Management
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Privacy protection for information and data Data and Information Management
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Privacy protection for information and data Data and Information Management
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Privacy protection for information and data Data and Information Management
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Privacy protection for information and data Data and Information Management
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Privacy protection for information and data Data and Information Management
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Privacy protection for information and data Data and Information Management
    Provide additional personal data when the application is incomplete. CC ID 04869 Privacy protection for information and data Data and Information Management
    Interview appropriate parties to validate consumer information. CC ID 16902 Privacy protection for information and data Process or Activity
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Privacy protection for information and data Business Processes
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Communicate
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Business Processes
    Provide products or services per customer requests. CC ID 08893
    [The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to: provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract; Section 11(a) (5)]
    Third Party and supply chain oversight Business Processes