Bench & Bar May/June 2025

• Approval of Request to Opt Out of Sale
• Approval of Request to Opt Out of Targeted Advertising
• Approval of Request to Opt Out of Processing of Data for Profiling in Furtherance of Legal or Other Similarly Significant Decision
• Notice of Request Denial (Kentucky)
• Notice of Request Denial (Indiana)

PROVIDE A PRIVACY NOTICE. 14

Privacy Notices are not aspirational. They must accurately communicate a company’s actual data practices. In fact, the Federal Trade Commission (“FTC”) has made clear through enforcement actions that an inaccurate privacy notice constitutes an “unfair or deceptive” trade practice within the meaning of Section 5 of the FTC Act. Covered businesses must post a privacy notice that includes:

• The purposes for processing personal data.
• How consumers may exercise their consumer rights, specifically including the right to appeal.
• The categories of personal data the business shares with third parties.
• The categories of third parties with whom the business shares personal data.
• A clear and conspicuous disclosure of whether the business sells personal data to third parties or processes personal data for targeted advertising.

The KCDPA defines “third parties” as a “natural or legal person … other than the consumer, controller, processor, or an affiliate of the processor or the controller.” Therefore, a covered business does not need to disclose the categories of third-party service providers who qualify as a “processor,” although it may.

Also, be aware that your business may have additional legal responsibilities for its privacy notice. Unlike the KCDPA and ICDPA, the California Online Privacy Act (Cal. Bus. & Prof. Code 22575) (“CalOPPA”), Cal. Civ. Code 1798.83 (the “California Shine the Light Law”), the Delaware Online Privacy and Protection Act (Del. Code tit. 6 1205C), Nevada’s SB220 (Nev. Rev. Stat. §603A.340), and the Utah Notice of Intent to Sell Non-public Personal Information Act (Utah Code Ann. §13-37-101) do not have jurisdictional thresholds, and therefore impose additional obligations your business may be subject to if it operates in those jurisdictions.

ADOPT THE FOLLOWING PROCESSING PRINCIPLES: 15

• COLLECTION LIMITATION: Limit data collection to what is adequate, relevant, and reasonably necessary to the disclosed processing purpose.
• PROCESSING LIMITATION: Limit data processing to what is reasonably necessary and relevant to the disclosed processing purpose.
• SECURITY: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data.
• NON-DISCRIMINATION: Do not deny a good or service, or charge a different price or rate for a good or service, if a consumer exercises one of their rights.

Also note that both the KCDPA and ICDPA require the covered business to obtain the consumer’s affirmative “opt-in” consent prior to processing their “sensitive data.”

EXECUTE CONTRACTS WITH PROCESSORS AND THIRD PARTIES RECEIVING “DE-IDENTIFIED” DATA CONTAINING REQUIRED LANGUAGE. 16

Both the KCDPA and ICDPA require specific terms in contracts with processors. Most often, these terms are fashioned into an addendum to the overarching agreement called a data processing addendum (“DPA”). The agreement must: 17

• Contain a clear expression of the nature and purpose of processing.
• Clearly identify the type of data subjects whose data is being processed.
• Expressly delimit the duration of the processing.
• Impose a duty of confidentiality on each person processing the data.
• Contain a requirement that the processor, at the controller’s direction, delete or return all personal data to the controller as requested at the end of the term, unless retention of the personal data is required by law.
• Obligate the processor to make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the law, upon reasonable request.
• Either:
  • Permit the controller to conduct, and contain a warranty that the processor will cooperate with, a reasonable assessment by the controller or the controller’s designated assessor; or
  • Require the processor to arrange for a qualified independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of its obligations under the law using “an appropriate and accepted control standard or framework and assessment procedure for assessments, which shall be provided to the controller upon request.”
• Obligate the processor to only engage a subcontractor pursuant to a written contract in accordance with the law that requires the subcontractor to meet the obligations of the processor.
