חומר רקע
15
ינ ,ראו2024
הד"פשת ,טבש '
דובכל
חטפשמו קוח ,הקוחה תדעו ר"וי ,ןמטור החמש כ"
חתסנכה לש טפשמו קוח ,הקוחה תדעו ירב
לארשי תסנכ,םילשורי
א.,.נ
הנ :ןודהצ( תויטרפה תנגה קוח תעת ןוקי14
)תה ,ש
פ"ב – 2
202
–
בןוידל השק
חשירדב רזות
ה העדוה
ויב הקוח תדעוו ןויד תארקל
ם
.01.24
1
2
בד םייקתהש ןויבי םו09.01.24
דעווב
הקוחה ת, חו" :ןלהל( תסנכה לש טפשמו קההדעוו" וא
"
והקוח תדעו")
ת( תויטרפה תנגה קוח תעצהביק ןו14
), ב"פשתה –
2022
(לה" :ןלתי ןוק14
"),
א ףיעסל םיעצומה םינוקיתה ורשו11
תויטרפה תנגה קוחל, א"משתה–
1981
(להל" :ןח תנגה קו
התויטרפ")
.
ז םע
תא, םיעצומה םינוקיתהמש תא םירמ
סינהוח הק םייבח תא הנתמ רשא תויטרפה תנגה קו
ישיא עדימ תלבקל םדאל היינפ"ב העדוהה ןתמ תבוח לש המויק...
"
. הז חוסינמצ תבוח תא םצמ
העדוהה
אך עדימה אשונמ ףסאנ ישיאה עדימה םהב םירקמל קרו עצ וניא ןכ לעו תורישי ומת םאו
או תקפסמ הדימב דיתע ינפ הפוצ וניא ,םויה רבכ תומייקה ישיאה עדימה ףוסיא תויגולונכט תא וני
ותא תא ם
ימואלניבה ןידה.
כך, ה
תנגהל תויללכה תונקת מי" :ןלהל( יאפוריאה דוחיאה לש עדGDPR
")
קו תועבשע לב לע
הש( עדימב הטילController
) ב העדוה עדימה אשונל קפסלד ףוסיא תעב ודי לע עדימה ףוסיא רב
עדימה
כא רש
ומצע עדימה אשונמ ףסאנ ישיאה עדימה,
1 ותבוך ישיאה עדימה תלבקמ שדוח
או עדימה רשאכ עדימה אשונ תוד
עדימה אשונמ תורישי ףסאנ וניא.
2 ה-
GDPR
מ רפסמ טרפ
מ תוריש י ףסאנ אל עדימ ה רשא כ לשמ ל ,העד והה תבוח ל םיגיר חנ העדו הה ןתמ ו עדי מה אשו
כנ שרד
נ דו ביעה רשאכ ד וחי יב ,רי בס ית לב ץמ אמ שור די וא י רשפא יתלב או העש תו רטמל ה
1
Regulation (EU) 2016/679
General Data Protection
(להל" :ןGDPR
")
,
ס ףיע13
. ףיעסה ןושל
מוז ונבתכמל חפסנב העיפו.
2
Regulation (EU) 2016/679
General Data Protection
(להל" :ןGDPR
")
,
ס ףיע14
. ףיעסה ןושל
מוז ונבתכמל חפסנב העיפו.
ב שיש בוכריא
ירוביצ סרטניא ו, יטסיטטס וא ירוטסיה ,יעדמ רקחמ תורטמל וא לבו
בד םיטקננש
ה יעצמא
ב םישרדנה םירחא הנג-
GDPR
. םוצמצב הז גירח שרפל שיש עבקנ םלוא.
3
גם ח ו( הי נרופילקב םינכרצה תויטרפ קCalifornia Consumer Privacy Act
, לה" :ןלCCPA
")
מט לי
ב
בו קוחתק וחוכמ תונ
בוחת העדוה ודמה לע "
Business
",
4
בע ת
וינפל וא עדימה ףוסיא.
5
בת ה לש וחוכמ תונקCCPA
מ הטילשל םילכ םינכרצל קפסל איה עודייה תבוח תרטמש רהבו
ה ידי לע השענה שומישה לע תיתועמשמ –
Business
ב.םהיתודוא ישיאה עדימ6
ה-
CCPA
אי ללכ סחייתמ ונלש םיכר דב ו א עדי מה אש ונמ ת ורישי ף סאנ יש יא עדי מ ם אה הלא
תורחא,
ש,עדימה אשונ לש עודייה תוכזמ קלח איה העדוהה תבוח ןכ7 ריהבמ ךא
שנ םשייל ןתי
יאה עדימ ה ףוסיא ינפ ל ו א תעב העדוה ה תבוח תאשי במ ה םהב םיר קBusiness
פו דצכ לע
עדימה ףוסיא לע טלושה ישילש
ב.תויטרפ תוינידמ םוסרפ תועצמא8
הת ה לש וחוכמ תונקCCPA
מס ןהב ת וביסנל ת ואמגוד ת וקפתי תועצ מאב ע ודייה ת בוח םשופרס ,ךכ .תויטרפ תוינידמ םו
למש ,לאם צד 'אמפ תודוא ישיאה עדימה ףוסיאב טולשל 'ב דצל רשפאמו טנרטניא רתא ליע
הג רתאב םישלו
ש טנרטניאהלו
ש ירה ,
ולש רתאב תויטרפ תוינידמ לולכל 'א דצ לע; ועל 'ב דצגם
כן לפ תויטרפ תוינידמ םסר
רתאבים תוינידמב שורדה עדימה תא לולכל וא ותולעבבש
הפ תויטר
א דצ לש'
. עדימ ירחוסהר תויטרפ תוינידמ םסרפל םישרדנ םניא עדימה ירחוס םשרמב םימוש
קבב םישורדה םיטרפה תא וללכ םא
רל ,םושירה תשבו שקבל םילוכי תוחוקל דציכ רבסה תopt-
out
ףותיש וא הריכממ עדימ לש יאש.םהיתודוא י9
הר תרגסמב העדוהה תבוחל לנויצשנ םיקוחה י- ה-
GDPR
הו-
CCPA
, ונ תוכז אוהשא ע דימה
ל ה( עדוי מ תויthe right to be informed
)
כשה ת בוחמ ק לח
ופיקת (transparency
)
שמ ולעפי עדימב הטילשה ילעבש חיטבהל התרטבה דוביעל רושקה לכב תויתו ירחאבו תוניג
םמעטמ וא םדי לע ישיא עדימ.
חו ,עדוימ תויהל עדימה אשונ תוכז תרזגנ החוכמש ,תופיקשה תב
מיו תא ריבגהל תדעאמ עדימה יאשונ ןו
לע עיפשמה עדימה דוביע ךילהתב
הים
על תרבגה ידי
ש הנבהה
ה תא םהל
ו ךילהת
וירגתא וילע רשקב םהיתויוכז תא שורדל םדיב םילכ ןתמו.
משו ,ךכ ם
3
ר ואcy under
elines on transparen
Guid
,
ion Working Party
29 Data Protect
Article
Regulation 2016/679 (Adopted on 29 Nov., 2017, as last Revised and Adopted on 11 April,
2018)
.
4
רא ו(CCPA)
f 2018
ia Consumer Privacy Act o
aliforn
C
בס ףיע(d)
1798.140
§
–
הג תרד
Business
.
5
רא ו(CCPA)
f 2018
nsumer Privacy Act o
ia Co
aliforn
C
בס ףיע)a(
00
1798.1
§.
6
רא וrivacy Act Regulations
umer P
California Cons
, הנקת(f)
-
7012(a)
.
7
ר ףיעס וא1798.110
ל-
CCPA
.
8
רא ו(CCPA)
f 2018
ia Consumer Privacy Act o
aliforn
C
בס ףיע)
b
(
00
1798.1
§.
9
רא וy Act Regulations
California Consumer Privac
, ףיעסב(i)
-
7012(g)
.
תו תוינידמ לש הנכ
הפ הנקתב טרופמ תויטר7011
.
חו העד והה תבח,עדי מב הטי לשה י לעב לכ לע הל ּונוש ל ןיאו
עב ןיב ת
מב הטילשה יל
כ עד יל
מ.לקש10
וצר ךותמ
ן מיאתה תא ריבגהלול תדי ושארבו ,ימואלניבה ן
ה-
GDPR
, ותינש דחוימה לקשמה חכונן
בת ןוקי14
לס( עדימ ירחוdata brokersחאכ םתרתוה םע )
גהמ דוםושיר תבוחב ושרדיש םימר;
מו
זו תופיקשה תובישחב הרכה ךותכעדימה אשונ לש עודייה תו –
ףיעסב העובקה העדוהה תבוח חוסינ תא תונשל ונתעדל שי11
כ רגאמב הטילש לעב לע לוחתש ך
אלו ,עדימ לצמ קר המצלפ הייניש הרילא לכב העדוהה תבוח לוחת ךכ .עדימ לבקל השקבב םד
מקר ,ישיא עדימ ףוסיא לש הגם םיימיטיגל םיסיסב יפל שי תנגה קוח לש ידיתע ןוקיתב וצמוא
הפ ןכו ,תו יטר
קדוהיות ושירדה
המ ירחוס יפלכ תונפו
מ
יא ןו חבל שי ליב קמב .ע דימו ץח םיגיר
מה ולאל המודב העדוהה תבוחלע ףיעסב םינגו14
ל-
GDPR
.
נש .הלאש לכב ךתושרל דומעל חמ
ר ר"ד
ודירא לחר ה ,ץיבוקשר
דת ר"
הירלושטלא ץרווש הל
ימה ןדיעב היטרקומדל תינכותה
עד
ה
ומדל ילארשיה ןוכמ
ק
היטר
ה:קתע
-
הממס דעלג ד"וע, תויטרפה תנגהל תושרה שאר.
-
נטואמ ןוריל ד"וע
ר יסגול, וביצ טפשמל הקלחמהרי – יתקוח, ץועי ףגא
ו,הקיקח
מ דרש
המ.םיטפש
10
cy under Regulation
elines on transparen
Guid
,
29 Data Protection Working Party
Article
2016/679 (Adopted on 29 Nov., 2017, as last Revised and Adopted on 11 April, 2018)
.
ר וא
גם ףיעס 1798.110
ל-
CCPA
.
נס חפ
יפיעסם 13
ו-
14
ל-
GDPR
:
Article 13 Information to be provided where personal data are collected from the
data subject
1. Where personal data relating to a data subject are collected from the data
subject, the controller shall, at the time when personal data are obtained, provide
the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of
the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well
as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate
interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data
to a third country or international organisation and the existence or absence of an
adequacy decision by the Commission, or in the case of transfers referred to in
Article 46 or 47, or the second subparagraph of Article 49(1), reference to the
appropriate or suitable safeguards and the means by which to obtain a copy of
them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall, at
the time when personal data are obtained, provide the data subject with the
following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible,
the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and
rectification or erasure of personal data or restriction of processing concerning the
data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article
9(2), the existence of the right to withdraw consent at any time, without affecting
the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual
requirement, or a requirement necessary to enter into a contract, as well as
whether the data subject is obliged to provide the personal data and of the
possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in
Article 22(1) and (4) and, at least in those cases, meaningful information about the
logic involved, as well as the significance and the envisaged consequences of such
processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose
other than that for which the personal data were collected, the controller shall
provide the data subject prior to that further processing with information on that
other purpose and with any relevant further information as referred to in
paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject
already has the information.
Article 14 Information to be provided where personal data have not been
obtained from the data subject
1. Where personal data have not been obtained from the data subject, the
controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, if any, of the
controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well
as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, where applicable;
(f) where applicable, that the controller intends to transfer personal data to a
recipient in a third country or international organisation and the existence or
absence of an adequacy decision by the Commission, or in the case of transfers
referred to in Article 46 or 47, or the second subparagraph of Article 49(1),
reference to the appropriate or suitable safeguards and the means to obtain a copy
of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall
provide the data subject with the following information necessary to ensure fair
and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible,
the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate
interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and
rectification or erasure of personal data or restriction of processing concerning the
data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2),
the existence of the right to withdraw consent at any time, without affecting the
lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it
came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in
Article 22(1) and (4) and, at least in those cases, meaningful information about the
logic involved, as well as the significance and the envisaged consequences of such
processing for the data subject.
3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest
within one month, having regard to the specific circumstances in which the
personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at
the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal
data are first disclosed.
4. Where the controller intends to further process the personal data for a purpose
other than that for which the personal data were obtained, the controller shall
provide the data subject prior to that further processing with information on that
other purpose and with any relevant further information as referred to in
paragraph 2.
5. Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a
disproportionate effort, in particular for processing for archiving purposes in the
public interest, scientific or historical research purposes or statistical purposes,
subject to the conditions and safeguards referred to in Article 89(1) or in so far as
the obligation referred to in paragraph 1 of this Article is likely to render impossible
or seriously impair the achievement of the objectives of that processing. In such
cases the controller shall take appropriate measures to protect the data subject's
rights and freedoms and legitimate interests, including making the information
publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to
which the controller is subject and which provides appropriate measures to protect
the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of
professional secrecy regulated by Union or Member State law, including a statutory
obligation of secrecy.
California Consumer Protection Act of 2018
:
דגהרת Business
בס ףיע1798.140
:
(d) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation,
association, or other legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that collects consumers’
personal information, or on the behalf of which such information is collected
and that alone, or jointly with others, determines the purposes and means of the
processing of consumers’ personal information, that does business in the State
of California, and that satisfies one or more of the following thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess
of twenty-five million dollars ($25,000,000) in the preceding calendar year,
as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal
information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling or sharing
consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in
paragraph (1), and that shares common branding with the business and with
whom the business shares consumers’ personal information. “Control” or
“controlled” means ownership of, or the power to vote, more than 50 percent of
the outstanding shares of any class of voting security of a business; control in
any manner over the election of a majority of the directors, or of individuals
exercising similar functions; or the power to exercise a controlling influence over
the management of a company. “Common branding” means a shared name,
servicemark, or trademark that the average consumer would understand that
two or more entities are commonly owned.
(3) A joint venture or partnership composed of businesses in which each
business has at least a 40 percent interest. For purposes of this title, the joint
venture or partnership and each business that composes the joint venture or
partnership shall separately be considered a single business, except that
personal information in the possession of each business and disclosed to the
joint venture or partnership shall not be shared with the other business.
(4) A person that does business in California, that is not covered by paragraph
(1), (2), or (3), and that voluntarily certifies to the California Privacy Protection
Agency that it is in compliance with, and agrees to be bound by, this title.
עדימה ףוסיא ינפל וא תעב עודייה תבוח –
ס ףיע1798.100
:
(a) A business that controls the collection of a consumer’s personal information
shall, at or before the point of collection, inform consumers of the following:
(1) The categories of personal information to be collected and the purposes for
which the categories of personal information are collected or used and whether
that information is sold or shared. A business shall not collect additional
categories of personal information or use personal information collected for
additional purposes that are incompatible with the disclosed purpose for which
the personal information was collected without providing the consumer with
notice consistent with this section.
(2) If the business collects sensitive personal information, the categories of
sensitive personal information to be collected and the purposes for which the
categories of sensitive personal information are collected or used, and whether
that information is sold or shared. A business shall not collect additional
categories of sensitive personal information or use sensitive personal
information collected for additional purposes that are incompatible with the
disclosed purpose for which the sensitive personal information was collected
without providing the consumer with notice consistent with this section.
(3) The length of time the business intends to retain each category of personal
information, including sensitive personal information, or if that is not possible,
the criteria used to determine that period provided that a business shall not
retain a consumer’s personal information or sensitive personal information for
each disclosed purpose for which the personal information was collected for
longer than is reasonably necessary for that disclosed purpose.
תבוח
פר תויטרפ תוינידמ םוס–
ס ףיע1798.100(b)
:
(b) A business that, acting as a third party, controls the collection of personal
information about a consumer may satisfy its obligation under subdivision (a) by
providing the required information prominently and conspicuously on the
homepage of its internet website. In addition, if a business acting as a third party
controls the collection of personal information about a consumer on its premises,
including in a vehicle, then the business shall, at or before the point of collection,
inform consumers as to the categories of personal information to be collected and
the purposes for which the categories of personal information are used, and
whether that personal information is sold, in a clear and conspicuous manner at
the location.
ח תונקתב עודייה תבו–
mer Privacy Act Regulations
u
alifornia Cons
C
ס
עי ף7012
:
§ 7012. Notice at Collection of Personal Information.
(a) The purpose of the Notice at Collection is to provide consumers with timely
notice, at or before the point of collection, about the categories of personal
information to be collected from them, the purposes for which the personal
information is collected or used, and whether that information is sold or shared, so
that consumers have a tool to exercise meaningful control over the business’s use
of their personal information. For example, upon receiving the Notice at Collection,
the consumer can use the information in the notice as a tool to choose whether to
engage with the business, or to direct the business not to sell or share their
personal information and to limit the use and disclosure of their sensitive personal
information.
(b) The Notice at Collection shall comply with section 7003, subsections (a) and (b).
(c) The Notice at Collection shall be made readily available where consumers will
encounter it at or before the point of collection of any personal information.
Illustrative examples follow.
(1) When a business collects consumers’ personal information online, it may post a
conspicuous link to the notice on the introductory page of the business’s website
and on all webpages where personal information is collected.
(2) When a business collects consumers’ personal information through a webform,
it may post a conspicuous link to the notice in close proximity to the fields in which
the consumer inputs their personal information, or in close proximity to the button
by which the consumer submits their personal information to the business.
(3) When a business collects personal information through a mobile application, it
may provide a link to the notice on the mobile application’s download page and
within the application, such as through the application’s settings menu.
(4) When a business collects consumers’ personal information offline, it may
include the notice on printed forms that collect personal information, provide the
consumer with a paper version of the notice, or post prominent signage directing
consumers to where the notice can be found online.
(5) When a business collects personal information over the telephone or in person,
it may provide the notice orally.
(d) If a business does not give the Notice at Collection to the consumer at or before
the point of collection of their personal information, the business shall not collect
personal information from the consumer.
(e) A business shall include the following in its Notice at Collection:
(1) A list of the categories of personal information about consumers, including
categories of sensitive personal information, to be collected. Each category of
personal information shall be written in a manner that provides consumers a
meaningful understanding of the information being collected.
(2) The purpose(s) for which the categories of personal information, including
categories of sensitive personal information, are collected and used.
(3) Whether each category of personal information identified in subsection (e)(1) is
sold or shared.
(4) The length of time the business intends to retain each category of personal
information identified in subsection (e)(1), or if that is not possible, the criteria
used to determine the period of time it will be retained.
(5) If the business sells or shares personal information, the link to the Notice of
Right to Opt-out of Sale/Sharing, or in the case of offline notices, where the
webpage can be found online.
(6) A link to the business’s privacy policy, or in the case of offline notices, where the
privacy policy can be found online.
(f) If a business collects personal information from a consumer online, the Notice at
Collection may be given to the consumer by providing a link that takes the
consumer directly to the specific section of the business’s privacy policy that
contains the information required in subsection (e)(1) through (6). Directing the
consumer to the beginning of the privacy policy, or to another section of the
privacy policy that does not contain the required information, so that the consumer
is required to scroll through other information in order to determine the categories
of personal information to be collected and/or whether the business sells or shares
the personal information collected, does not satisfy this standard.
(g) Third Parties that Control the Collection of Personal Information. This
subsection shall not affect the first party’s obligations under the CCPA to comply
with a consumer’s request to opt-out of sale/sharing.
(1) For purposes of giving Notice at Collection, more than one business may control
the collection of a consumer’s personal information, and thus, have an obligation
to provide a Notice at Collection in accordance with the CCPA and these
regulations. For example, a first party may allow another business, acting as a third
party, to control the collection of personal information from consumers browsing
the first party’s website. Both the first party that allows the third parties to collect
personal information via its website, as well as the third party controlling the
collection of personal information, shall provide a Notice at Collection. The first
party and third parties may provide a single Notice at Collection that includes the
required information about their collective information practices.
(2) A business that, acting as a third party, controls the collection of personal
information on another business’s physical premises, such as in a retail store or in a
vehicle, shall provide a Notice at Collection in a conspicuous manner at the physical
location(s) where it is collecting the personal information.
(3) Illustrative examples follow.
(A) Business F allows Business G, a third party ad network, to collect consumers’
personal information through Business F’s website. Business F may post a
conspicuous link to its Notice at Collection on its homepage(s). Business G shall
provide a Notice at Collection on its homepage(s) or include the required
information about its information practices in Business F’s Notice at Collection.
(B) Business H, a coffee shop, allows Business I, a business providing Wi-Fi services,
to collect personal information from consumers using Business I’s services on
Business H’s premises. Business H may post conspicuous signage at the entrance of
the store or at the point-of-sale directing consumers to where the Notice at
Collection for Business H can be found online. In addition, Business I shall post its
own Notice at Collection on the first webpage or other interface consumers see
before connecting to the Wi-Fi services offered.
(C) Business J, a car rental business, allows Business K to collect personal
information from consumers within the vehicles Business J rents to consumers.
Business J may give its Notice at Collection to the consumer at the point of sale
(i.e., at the rental counter) either in writing or orally. Business K may provide its
own Notice at Collection within the vehicle, such as through signage on the
vehicle’s dashboard directing consumers to where the notice can be found online.
(h) A business that neither collects nor controls the collection of personal
information directly from the consumer does not need to provide a Notice at
Collection to the consumer if it neither sells nor shares the consumer’s personal
information.
(i) A data broker registered with the Attorney General pursuant to Civil Code
section 1798.99.80 et seq. that collects personal information from a source other
than directly from the consumer does not need to provide a Notice at Collection to
the consumer if it has included in its registration submission a link to its online
privacy policy that includes instructions on how a consumer can submit a request
to opt-out of sale/sharing.