What is a Controller?
A controller is any person or entity that, alone or jointly with others, determines the purpose and means of processing personal data.
Controller’s Responsibility to Respond to Consumer Requests:
As of January 1st, 2025, controllers are required to take certain steps to help consumers maintain control over their personal data. Controllers have the responsibility of responding to a consumer’s request to:
- Confirm whether the controller is processing the consumer’s personal data
- Correct any inaccuracies in the consumer’s personal data
- Allow consumers to delete personal data obtained by the controller
- Allow the consumer to obtain their personal data from the controller and allow the consumer to transmit the data to another controller
- Allow consumers to opt out of having their personal data used for targeted advertising
- Allow consumers to opt out of having their personal data sold
- Allow consumers to opt out of their personal data being used in a manner that produces a legal effect on the consumer
Controllers have a duty to establish ways for a consumer to submit a request. A controller’s request submission process:
- Must provide two or more ways for a consumer to submit a request
- Must consider how consumers interact with the controller
- Must consider how to provide secure and reliable communications in response to those requests
- Must consider the ability of the controller to determine the identity of the consumer making the request
- Cannot require a consumer to create a new account to make a request
Finally, controllers have the duty of establishing a process by which the consumer can appeal the controller’s refusal to comply with a request. A controller’s appeal process must:
- Be clearly available to the consumer
- Follow a process similar to the one the consumer uses to submit a request
- Provide a response to the consumer within 60 days of receiving the appeal
How long does a Controller have to respond to a Request:
Controllers have 45 days to respond to a consumer request. A controller may take an additional 45 days to respond depending on the scope of the request. A controller MUST inform the consumer within the first 45 days that additional time is needed and why.
Does a Controller have a Responsibility to Process Every Request?
Generally yes, but a controller is not required to comply with a request if it:
- Is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data
- Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer, OR
- Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted
What Happens if a Controller declines to comply with a Consumer’s Request?
A controller has to inform a consumer within the initial 45-day period that it is declining to comply and must provide instructions on how to appeal the decision to the Attorney General’s Office.
Can a Controller charge a fee for processing these requests?
Controllers must respond to a consumer’s requests free of charge up to two times annually.
Beyond that, when a controller determines it can process a request but the request is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee.
What happens if a Controller continues to decline to honor a Consumer Request After the Consumer appeals?
As with an initial denial of a request, the controller must provide the consumer with instructions on how to appeal the decision to the Attorney General’s Office.
Controller’s Responsibilities relating to the Use of Personal Data
Controllers also have the responsibility of limiting the use of a consumer’s personal data. Controllers are responsible for:
- Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is processed, as disclosed to the consumer.
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.
Controllers are prohibited from:
- Processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose without the consumer’s consent.
- Processing personal information in violation of state and federal laws against unlawful discrimination.
- Discriminating against a consumer for exercising any of the consumer rights contained in the Data Privacy Act, including by denying a good or service, charging a different price or rate for a good or service, or providing a different level of quality of a good or service to the consumer.
- Processing the sensitive data of a consumer without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without following the federal Children’s Online Privacy Protection Act.
Controller’s Responsibilities relating to Notifying the Consumer:
Controller’s Notice to Consumers:
Controllers have a responsibility to provide consumers with a reasonably accessible and clear privacy notice. The privacy notice shall disclose:
- The categories of personal data processed by the controller;
- The purpose of processing this information;
- How a consumer may exercise the consumer’s rights under the Data Privacy Act;
- Any category of personal data that the controller shares with any third party;
- Any category of third party with whom the controller shares personal data; AND
- A description of how a consumer may submit a request
If a controller sells personal data to a third party or processes personal data for targeted advertising, the controller shall clearly disclose that process and how a consumer may exercise the right to opt out of that process.
Controller’s Responsibilities for Data Protection Assessments
A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
- The processing of personal data for purposes of targeted advertising;
- The sale of personal data;
- The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
  - Unfair or deceptive treatment of a consumer
  - Unlawful disparate impact on a consumer
  - Financial, physical, or reputational injury to a consumer
  - A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of any consumer, if the intrusion would be offensive to a reasonable person
  - Other substantial injury to any consumer
- The processing of sensitive data; AND
- Any processing activity involving personal data that presents a heightened risk of harm to any consumer
Controllers are required to make these assessments available to the Attorney General upon request.
What is a Data Protection Assessment?
A data protection assessment weighs the benefits and costs of processing a consumer’s personal data. The data protection assessment will factor in:
- Mitigating safeguards implemented to prevent violating the consumer’s rights under the Data Privacy Act
- The use of deidentified data
- The reasonable expectation of consumers
- The context of the processing; and
- The relationship between the controller and the consumer
Controllers of Deidentified Data Only
Controllers with deidentified data still have duties under the law. Controllers shall:
- Take reasonable steps to ensure that the data cannot be associated with an individual;
- Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; AND
- Contractually obligate any recipient of the deidentified data to comply with the Data Privacy Act.