SOC 2 Communicating Use of Personal Information (P2.1)

Overview:
The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.


Action Items:
1) Create a privacy notice (externally facing) and privacy policy (internally facing) and publish on the company intranet for employees to access and review.
2) Inspect the privacy notice to determine that the privacy notice includes choice and consent related to the collection, use, and disclosure of personal information.
3) Inspect the privacy notice to determine that the privacy notice includes the consequences of refusing to provide personal information.
4) Inspect the end-user account creation process to determine that the application is configured to require participants to review and accept the privacy notice upon account creation for the application.
5) Inspect an example consent form to determine that a clear and conspicuous opt-in checkbox is presented to data subjects where personal information is gathered and must be selected for personal information to be collected, used, or disclosed to third parties.


Related Documents:
1) Privacy notice
2) Privacy policy
3) Sample of customer agreements and signed terms and conditions
4) Evidence that users are required to accept the privacy notice upon account creation

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Communicates to Data Subjects—Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
2) Communicates Consequences of Denying or Withdrawing Consent—When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice.
3) Obtains Implicit or Explicit Consent—Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual's preferences expressed in his or her consent are confirmed and implemented.
4) Documents and Obtains Consent for New Purposes and Uses—If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.
5) Obtains Explicit Consent for Sensitive Information—Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
6) Obtains Consent for Data Transfers—Consent is obtained before personal information is transferred to or from an individual's computer or other similar device.
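The consent rules above (the account-creation acceptance and opt-in checkbox from action items 4 and 5, and points of focus 3 through 5 on timing, new purposes, and sensitive information) can be enforced in application logic rather than left to the front end. The following is an added illustration, not code from the criterion or any particular product; the notice versions, purpose names and function names are assumptions.

```python
"""Consent gating for a hypothetical sign-up flow (added example, not part of
the SOC 2 P2.1 text). Enforces: the current privacy notice must be accepted to
create an account, third-party disclosure needs an explicit opt-in, sensitive
data needs explicit consent, a withdrawn consent blocks processing, and a
purpose not covered by the accepted notice version requires fresh consent."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the purposes each privacy-notice version disclosed.
NOTICE_PURPOSES = {
    "2023-01": {"account_administration", "service_delivery"},
    "2024-06": {"account_administration", "service_delivery", "marketing"},
}
CURRENT_NOTICE = "2024-06"  # assumed current version


@dataclass
class ConsentRecord:
    subject_id: str
    notice_version: str               # version the subject actually accepted
    accepted_at: datetime             # when acceptance was recorded
    third_party_opt_in: bool = False  # explicit opt-in, unchecked by default
    sensitive_opt_in: bool = False    # explicit consent for sensitive data
    withdrawn: bool = False           # set when the subject withdraws consent


def register_account(subject_id, accepted_notice,
                     third_party_opt_in=False, sensitive_opt_in=False):
    """Refuse account creation unless the current notice was accepted."""
    if accepted_notice != CURRENT_NOTICE:
        raise ValueError("current privacy notice must be accepted first")
    return ConsentRecord(subject_id, accepted_notice,
                         datetime.now(timezone.utc),
                         third_party_opt_in, sensitive_opt_in)


def can_process(rec, purpose, *, third_party=False, sensitive=False):
    """Return (allowed, reason); deny anything the recorded consent lacks."""
    if rec.withdrawn:
        return False, "consent withdrawn"
    if purpose not in NOTICE_PURPOSES.get(rec.notice_version, set()):
        return False, (f"purpose {purpose!r} not in notice "
                       f"{rec.notice_version}; re-consent required")
    if third_party and not rec.third_party_opt_in:
        return False, "no explicit opt-in for third-party disclosure"
    if sensitive and not rec.sensitive_opt_in:
        return False, "no explicit consent for sensitive information"
    return True, "ok"
```

The reason strings give an auditor a traceable denial for each P2.1 point, and the stored notice version is what shows that a later purpose (here "marketing") was not covered by an earlier acceptance.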