DRPV-03

Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?

Explanation

This question is asking whether your organization provides clear information to individuals about how their personal information will be collected, used, and shared, and whether you obtain their consent before doing so.

What this means:
- You need to inform users about what personal data you collect
- You need to explain how that data will be used
- You need to disclose who that data might be shared with
- You need to provide choices about this data collection, use, and sharing
- You need to obtain either implicit consent (e.g., continued use after notification) or explicit consent (e.g., clicking 'I agree')

Why it's asked in security assessments:
This question addresses compliance with data privacy regulations like GDPR, CCPA, and others that require transparency and user control over personal data. Organizations evaluating your service want to ensure you follow privacy best practices and won't expose them to regulatory risks. Poor privacy practices could lead to legal issues, fines, and reputational damage.

How to best answer:
1. Describe your privacy notice/policy and how it's presented to users
2. Explain the specific choices users have regarding their data
3. Detail how consent is obtained (opt-in checkboxes, click-through agreements, etc.)
4. Mention how you handle consent for different types of data processing
5. Include information about how users can change their preferences later

Be specific about your actual practices rather than making general statements. If you have different consent mechanisms for different types of data or user groups, explain those distinctions.

Example Responses

Example Response 1

Yes, our application provides comprehensive privacy choices and obtains appropriate consent. During account creation, users are presented with our Privacy Policy in clear, accessible language. This policy details what personal information we collect (name, email, usage data), how we use it (service provision, improvement, communication), and who we share it with (service providers, partners). Users must explicitly opt in via checkboxes for non-essential data processing like marketing communications. For essential processing, we obtain consent through a mandatory 'I agree' checkbox linked to our Terms of Service. Our Privacy Center allows users to review and modify their consent choices at any time. We maintain consent records in our compliance database, and our consent flows were reviewed by our legal team to ensure compliance with GDPR, CCPA, and other applicable regulations.

Example Response 2

Yes, we implement a layered consent approach. Our application first presents users with a concise privacy notice during onboarding that explains our data practices in simple terms. This notice includes links to our comprehensive Privacy Policy for those seeking more details. Users can make granular choices about data collection through our Privacy Dashboard, including toggles for analytics collection, personalization features, third-party data sharing, and marketing communications. For sensitive data (health information, precise location), we implement just-in-time explicit consent prompts when the feature is first accessed. All consent records are timestamped and stored securely. We conduct quarterly reviews of our consent mechanisms and update them as regulations evolve. Our approach has been validated through a third-party privacy assessment conducted in Q2 2023.

Example Response 3

No, we currently have a basic privacy policy accessible through our website footer, but we don't actively present privacy choices during user onboarding or obtain explicit consent for data collection. Users are considered to have implicitly consented to our data practices by using our service. While our privacy policy outlines what data we collect and how we use it, we don't provide granular controls for users to opt out of specific types of data processing beyond unsubscribing from marketing emails. We recognize this is an area for improvement in our privacy program, and we're developing an enhanced consent management platform to be deployed next quarter that will provide users with more transparent choices and explicit consent options for different data processing activities.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub