Advertising Law Tool Kit - Tenth Edition | 2022

Venable / 57

These questions are critical for assessing your organization’s corporate privacy and security health. If you answer yes to any of the first ten questions or no to the last two, consider engaging experienced privacy and data security counsel to assist your organization in strengthening its policies.

• Do you use information about customers for marketing or other purposes not related to the particular sale or transaction in which you collected the information?
• Do you collect contact information from customers when they use their credit card to pay for purchases?
• Do you ask visitors to your website to tell you their age? Do you market anything to children online? Do you knowingly collect personal information from children under the age of 13 (CCPA, VDCPA) or 16 (CPRA, CPA)?
• Do you retain credit card information?
• Do you have a privacy policy on your website and app? If so, are you doing what you tell your customers you are doing with personal information about them? Is it accurate and complete, or has it become outdated?
• Do you provide the consumer rights in the CCPA, CPRA, VDCPA, and CPA, including Right of Access; Right of Rectification; Right of Deletion; Right of Restriction; Right of Portability; Right of Opt-Out; Right Against Automated Decision Making?
• Do you abide by the requirements of the CCPA, CPRA, VDCPA, and CPA with respect to Opt-in requirements or age; Risk Assessments; Prohibition on Discrimination (exercising rights); and the Purpose/Processing Limitation?
• Do you test your choice mechanisms, such as email opt-outs, regularly?
• Do you conduct business with companies in the healthcare, financial services, video streaming, or telecommunications sectors?
• Do you do what you tell your employees you will do with personal information about them? Do you tell your employees how you monitor them in the workplace?
• Do you receive personal information (about customers, employees, vendors, or others) from Europe or other foreign jurisdictions? Do you “offshore” or otherwise transfer personal information to foreign jurisdictions?
• Do you have an effective security program designed to safeguard personal information with adequate technical, administrative, and physical protections? Is it in writing? Do you conduct regular tests of your information security program? Do you then take steps to mitigate any vulnerabilities detected in such tests?
• Do you have an effective mitigation plan for privacy or security breaches?
