Overview:
For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.
Action Items:
1) Create a privacy notice (externally facing) and a privacy policy (internally facing), and publish them on the company intranet for employees to access and review.
2) Inspect the privacy notice to determine that it includes the choices available to individuals and the consent to be obtained.
3) Inspect the privacy notice to determine that it communicates the reasons for which explicit consent would be obtained from the user.
4) Inspect the end-user account creation process to determine that the application is configured to require participants to review and accept the privacy notice upon account creation for the application.
Related Documents:
1) Privacy notice
2) Privacy policy
3) Sample of customer agreements and signed terms and conditions
4) Evidence that users are required to accept the privacy notice upon account creation
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Obtains Explicit Consent for Sensitive Information: Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
2) Documents Explicit Consent to Retain Information: Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy.
Article ID: 262
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-consent-for-requesting-personal-information-p3-2-262.html