What Else Must Controllers Do?
Controllers have obligations beyond responding to consumer requests. These include minimizing data collection, limiting processing to “purposes that are compatible with the disclosed purposes”, implementing reasonable security practices to protect the personal data they hold, not discriminating against consumers for exercising rights under the law (with certain exceptions, such as loyalty programs), and obtaining opt-in consent before processing sensitive data.
Controllers must also provide an accessible, clear, and meaningful privacy notice that describes the types of information processed, the purposes for processing, how consumers may exercise their rights, the categories of data shared with third parties, and the categories of third parties with which the controller shares data. The privacy notice must also include one or more secure means for consumers to submit the requests the law authorizes them to make.
Processors, defined under this law as any entity that processes personal data on behalf of a controller, have their own set of obligations, and the statute makes clear that controllers should include appropriate clauses in their contracts with processors to ensure compliance with the law. Even where an existing contract does not address these obligations, the law still compels the processor to perform them.
Finally, controllers must conduct and document data protection assessments for certain processing activities. These assessments must weigh the benefits of the processing against the potential risks to the rights of the consumer. To give this requirement teeth, the Attorney General may use a civil investigative demand to obtain any data protection assessment relevant to an investigation. Versions of these assessments are required, explicitly or implicitly, in other consumer privacy regimes. Although they resemble the risk assessments security teams already perform, they are not the same exercise: a security risk assessment measures risk to the organization and its assets, whereas a data protection assessment measures the risk the processing poses to the consumer, so an existing security risk assessment cannot simply be relabeled to satisfy the statute.