Note.Origin = https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3457563
THE BLACK LETTER OF THE =
Ti = ALI Principles of Law, Data Protection
This Part presents the complete black letter for the Principles of Law, Data Protection. The entire Principles project is more than 100 pages and includes illustrations, commentary, and reporters’ notes. It can be obtained from the ALI at https://www.ali.org/. =
Chapter 1: Purpose, Scope, and Definitions =
Purpose-Scope =
Def =
Chapter 2: Data Privacy Principles =
3.Ti = Transparency Statement
3.1.Ti = Requirement
3.1.sec = A data controller or data processor that engages in a personal-data activity shall provide a publicly accessible transparency statement about these activities.
3.2.Ti = Content
3.2.1.sec = The transparency statement shall clearly, conspicuously, and accurately explain the data controller or data processor’s current personal-data activities.
3.2.2.sec = When the law requires or permits a data controller or data processor to withhold certain information, such as trade secrets or confidential information, the transparency statement need not include this information.
3.2. = [G/Z/ol/s2]
3.3.Ti = Accessibility
3.3.sec = The transparency statement shall be reasonably accessible to any interested person. In the event that the transparency statement is changed, previous versions of the statement shall be retained and reasonably accessible.
3.4.Ti = Proportionality
3.4.sec = A transparency statement is required for both identified and identifiable personal data. The detail and sophistication of the transparency statement shall be proportionate to the magnitude of the privacy and security risks of the personal-data activities.
3. = [G/Z/ol-a/4]
4.Ti = Individual Notice
4.1.Ti = Requirements for individual notice
4.1.1.sec = A data controller that engages in a data activity involving identified personal data that implicates a data subject’s interests, as recognized by these Data Privacy Principles, shall provide notice individually to that data subject. This notice shall fulfill the requirements of subsection (d) below.
4.1.2.sec = The individual notice shall be distinct from the transparency statement required in § 3 and provided in addition to the transparency statement.
4.1.3.sec = All aspects of the notice should be provided as reasonably practicable. A data controller’s capabilities and resources are factors in determining whether providing certain aspects of notice is reasonably practicable.
4.1.4.sec = Individual notice need not be provided when personal data is only identifiable, but not yet identified.
4.1. = [G/Z/ol/s4]
4.2.Ti = Accessibility
4.2.sec = The notice shall be reasonably accessible to the data subject.
4.3.Ti = Timing of notice
4.3.sec = The notice shall be provided to the data subject at an appropriate time that will enable the data subject to exercise interests recognized by these Data Privacy Principles.
4.4.Ti = Content of notice
4.4.1.sec = The notice shall be clear and intelligible to a reasonable person.
4.4.2.sec = The notice shall inform the data subject of the nature of the data activity, the uses made of the data, the interests implicated, and how the data subject may exercise those interests.
4.4.3.sec = The notice shall inform the data subject of any rights provided by applicable law that are relevant to the data activities in which the data controller is engaging.
4.4.4.sec = The notice shall contain information enabling the data subject to contact the data controller with questions or complaints about the data controller’s data activities. When a data subject contacts the data controller in the described manner, the data controller shall respond as soon as reasonably practicable.
4.4. = [G/Z/ol/s4]
4.5.Ti = Heightened notice
4.5.1.sec = For any data activity that is significantly unexpected or that poses a significant risk of causing material harm to a data subject, the data controller should provide reasonable “heightened notice” to the data subject.
4.5.2.sec = A significantly unexpected data activity is one that a reasonable person would not expect based on the context of the personal-data activities.
4.5.3.sec = A significant risk may exist with a low likelihood of a high-magnitude injury or with a high likelihood of a low-magnitude injury. For a major potential injury, even a small likelihood may be a risk worthy of concern.
4.5.4.sec = Heightened notice shall follow all of the requirements of notice specified above, as well as additional requirements specified in this subsection.
4.5.5.sec = Activities regarding personal data are “significantly unexpected” when they are at substantial variance with the expectations of a reasonable person.
4.5.6.sec = Material harm exists when a reasonable person would recognize that a data subject may suffer financial loss, reputational damage, embarrassment, emotional distress, chilling of activities protected under federal or state constitutional law, or from revelations of personal data that the data subject wants to conceal.
4.5.7.sec = Heightened notice shall be made more prominently than ordinary notice and closer in time to the particular data activity.
4.5. = [G/Z/ol/s7]
4.6.Ti = Material changes in policies and practices
4.6.sec = Additional notice shall be provided to a data subject when a data controller makes any material change in its policies and practices with respect to personal data.
4.7.Ti = Exceptions to individual notice
4.7.sec = A data controller may refrain from providing notice if there is no reasonably practicable way to inform the data subject. The data controller shall document why providing notice is not reasonably practicable and include this information in the transparency statement in § 3. This statement should also be publicized on the data controller’s website home page or through other reasonable means.
4. = [G/Z/ol-a/7]
5.Ti = Consent
5.1.sec = Consent means the willingness of the data subject to permit the personal data activity in question.
5.2.sec = A data subject shall be given understandable and easy-to-use means to permit exercise of meaningful choice in relation to personal-data activities regarding the data subject’s personal data.
5.3.sec = When the law requires consent of the data subject for personal data activities, or a data controller relies on the consent of the data subject as the justification for personal data activities, these principles apply in the absence of a valid exception.
5.4.sec = The data controller is responsible for obtaining consent. A data controller may contract with another entity to obtain the consent of data subjects.
5.5.sec = Consent is invalid unless the data subject is provided reasonable notice that satisfies the standards of Principle 4.
5.6.sec = Consent is invalid if it is obtained in a misleading or deceptive fashion.
5.7.0.sec = Form of consent
5.7.1.sec = The form by which consent is obtained must be reasonable under the circumstances, based on the type of personal data involved, the nature of the personal-data activity, and the understandings of a reasonable data subject.
5.7.2.sec = In situations in which heightened notice is required pursuant to Principle 4(e), only clear and affirmative consent shall suffice for valid consent. Clear and affirmative consent cannot be inferred from inaction.
5.7.3.sec = Except for paragraph (2) above, consent can be an apparent one whenever it can reasonably be understood that the individual consents to a particular use of personal data. Apparent consent occurs when words or conduct are reasonably understood by another to be intended as consent.
5.7. = [G/Z/ol/s3]
5.8.Ti = Withdrawal of consent
5.8.sec = An individual shall be permitted to withdraw consent, subject to legal or otherwise reasonable restrictions, and reasonable notice to the entity that collected the personal data.
5.9.Ti = Exceptions to the consent requirement
5.9.0.sec = Personal data activities may be conducted without consent if:
5.9.1.sec = the personal data activity is required by law;
5.9.2.sec = obtaining consent would be impermissible under law; or
5.9.3.0.sec = obtaining consent would be impractical, or too costly or difficult and the use satisfies one or more of the following criteria:
5.9.3.1.sec = the personal data activity is necessary in the performance of a contract to which the data subject is a party;
5.9.3.2.sec = the personal data activity significantly advances the protection of the health or safety of the data subject or other people;
5.9.3.3.sec = the personal data activity significantly advances protection against criminal or tortious activity by a data subject;
5.9.3.4.sec = the personal data activity significantly advances the public interest, and it would not pose a significant risk of material harm sufficient to trigger heightened notice pursuant to Principle 4(e); or
5.9.3.5.sec = the personal data activity serves a significant legitimate interest, and it neither poses a significant risk of material harm to the data subject or others, nor is significantly unexpected, as is defined in § 4(e)(1).
5.9.3. = [G/Z/ol-AA/s5]
5.9. = [G/Z/ol/s3]
5. = [G/Z/ol-a/9]
6.Ti = Confidentiality
6.1.Ti = Duty of confidentiality
6.1.0.sec = A data controller or data processor shall maintain the confidentiality of personal data when:
6.1.1.sec = confidentiality is required by law;
6.1.2.sec = confidentiality is required by ethical standards (such as professional rules of conduct); or
6.1.3.sec = when the personal data is collected under an express or implied promise of confidentiality.
6.1. = [G/Z/ol/s3]
6.2.Ti = Relationships of trust
6.2.sec = A data controller or data processor shall also maintain confidentiality when it (i) holds itself out to be privacy-respecting to gain the trust of data subjects who use its product or service, and (ii) causes data subjects to reasonably believe that it will not disclose their personal data based on reasonable social expectations. Such reasonable belief can be based on privacy norms, or established practices.
6.3.Ti = Service providers and onward transfers
6.3.sec = An onward transfer of personal data by a data controller or data processor to another data processor is not a breach of confidentiality if authorized by Principle 12 (onward transfer).
6.4.Ti = Breach of confidentiality
6.4.0.sec = A duty of confidentiality is not breached under the following circumstances:
6.4.1.sec = the data subject consents to the disclosure of personal data;
6.4.2.sec = disclosure is required by law, such as judicial process or a statute requiring disclosure; or
6.4.3.sec = disclosure is necessary for the health or safety of the data subject or other people.
6.4.00.sec = Any such disclosures under these circumstances should involve only the minimum necessary personal data related to the disclosure purpose and be released only to individuals or entities that are best suited for such purpose.
6.4. = [G/Z/ol/s3]
6. = [G/Z/ol-a/4]
7.Ti = Use Limitation
7.1.Ti = Secondary uses
7.1.sec = Personal data shall not be used in secondary data activities unrelated to those stated in the notice required by Principle 4 without a data subject’s consent. Secondary data activities are those unrelated to those stated in the notice to the individual as required by Principle 4.
7.2.Ti = Exceptions
7.2.sec = Personal data may be used in secondary data activities based on the exceptions to consent set out in Principle 5(i).
7.3.Ti = Transparency and notice
7.3.1.sec = Notice of the specific justification for using data under subsections (b)(2)(D) and (E) shall be conveyed to the data subject as soon as practicable.
7.3.2.sec = When it is reasonably foreseeable that personal data will be used in the future in a way authorized by subsection (b), the transparency statement (Principle 3) and individual notice to data subjects (Principle 4) shall be updated to state this fact. Such additional notice shall be provided in a fashion consistent with Principle 4(f).
7.3. = [G/Z/ol/s2]
7. = [G/Z/ol-a/3]
8.Ti = Access and Correction
8.1.Ti = Information about storage of identified personal data
8.1.sec = A data controller must inform a data subject whether the data controller or data processor acting on behalf of the data controller stores identified personal data about the data subject. This information shall be communicated in a reasonably timely fashion after a request by a data subject who provides reasonable proof of identity.
8.2.Ti = Information about storage of identifiable personal data
8.2.sec = Access and correction interests do not extend to identifiable personal data.
8.3.Ti = Access
8.3.sec = Unless access can be refused under subsection (e) or (f), a data subject is entitled on request to access personal data about the data subject stored by a data controller or data processor acting on behalf of the data controller. A data controller must provide access or a reason for denying access within a reasonable period of time after the request is made.
8.4.Ti = Verification of identity
8.4.sec = When access to personal data is requested by a data subject or a person acting on behalf of a data subject, a data controller shall use reasonable means to verify the identity of the data subject or the validity of the legal authority of the person acting on behalf of the data subject before providing such access.
Note = Something odd in the numbering (in the original). There are _two_ subsection (e)s. The cross-reference in 8.C above makes apparent reference to the second (e) and (f).
8.5.Ti = Correction
8.5.1.sec = A data controller shall provide a data subject with a reasonable process to challenge the accuracy of the data subject’s personal data.
8.5.2.sec = When a data subject provides a reasonable basis in proof to demonstrate that the data subject’s personal data is incorrect, the data controller shall correct the data by amending or deleting it, or by other means. The data controller shall take reasonable steps to ensure that the errors are corrected in any copies of the personal data stored by data processors that have received it from the data controller.
8.5.3.sec = A data controller that rejects a data subject’s contention of error shall provide a timely explanation. When reasonably practicable, the data subject may add a statement of disagreement to the record where the data is stored. This statement shall be included when the personal data is shared with another person or entity.
8.5. = [G/Z/ol/s3]
8.6.Ti = Exceptions
8.6.0.sec = Access and an opportunity for correction need not be provided when:
8.6.1.sec = disclosure of the data subject’s personal data is prohibited or restricted by law, or a duty to protect proprietary information or trade secrets;
8.6.2.sec = disclosure would violate the privacy of persons other than the data subject; or
8.6.3.sec = the balance of interests between the data controller and the data subject weighs against access and an opportunity for correction. Factors in assessing this balance include whether the burden, expense, or security risks of access and correction would be unreasonable or disproportionate to the harms to the data subject’s privacy.
8.6. = [G/Z/ol/s3]
8.7.sec = A data controller may not provide access and opportunity for correction to a data subject when the law prohibits these interests.
8. = [G/Z/ol-a/7]
9.Ti = Data Portability
9.1.Ti = Data portability request and a usable format
9.1.sec = When a data subject makes a data portability request and when required by law, or when appropriate, reasonable, and practicable, a data controller shall provide to the data subject a copy of the data subject’s personal data in a usable format. A usable format is one that is structured, commonly used, and machine-readable in a way that permits a reasonable data subject to use this information in other platforms or situations without undue burden.
9.2.Ti = Scope of portable personal data
9.2.sec = Portable personal data is personal data that the data subject provided to the data controller or that the data subject generated while using the data controller’s services or products and that was stored by the data controller or by a data processor on its behalf.
9.3.Ti = Verification of identity and authority
9.3.sec = Before providing the personal data in response to a data portability request, a data controller shall use reasonable means to verify that the requestor is the data subject or a person who has legal authority to make the request.
9.4.Ti = Redaction of personal data of others
9.4.sec = A response to a data portability request shall redact identified and identifiable personal data about other data subjects when providing such data would violate these Principles.
9.5.Ti = When appropriate, a data controller may require a reasonable fee for responding to a data portability request.
9.5.sec = If only identifiable personal data is maintained about a data subject and if complying with a data portability request would require identifying this personal data, then the data controller does not have to comply with the data portability request.
9. = [G/Z/ol-a/5]
10.Ti = Data Retention and Destruction
10.1.Ti = Scope of retention of personal data
10.1.sec = A data controller may retain personal data only for legitimate purposes that are consistent with the scope and purposes of notice provided to the data subject. A data processor shall retain personal data only as justified by its contract with the data controller or the data processor that provided the personal data and when consistent with these Data Privacy Principles.
10.2.Ti = Data retention for archival or research purposes
10.2.sec = When personal data is stored for archival or research purposes, reasonable access limitations shall be set to protect privacy.
10.3.Ti = Destruction of personal data
10.3.sec = When retention of personal data is no longer permitted under subsection (a), it shall be destroyed within a reasonable time by reasonable means that make it unreadable or otherwise indecipherable. A data controller that has provided personal data to a data processor shall take reasonable steps to ensure that the data processor properly destroys the data.
10.4.Ti = Exceptions to data destruction
10.4.0.sec = Exceptions to the data-destruction requirement include:
10.4.1.sec = a legal obligation to retain the personal data;
10.4.2.sec = retaining the personal data is required to protect the data controller’s or data processor’s legitimate interests, or legal needs, including possible litigation; or
10.4.3.sec = for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
10.4. = [G/Z/ol/s3]
10.5.Ti = Duty to destroy personal data
10.5.sec = If a data controller or data processor obtains or stores personal data in violation of these Data Privacy Principles, it shall destroy the personal data unless an exception in subsection (d) above applies.
10.6.Ti = Policies and procedures
10.6.sec = A data controller and data processor shall develop written policies and procedures for the storage and destruction of personal data when developing policies and procedures is reasonable given the entity’s size and the amount and sensitivity of the personal data that it stores. These procedures shall permit it to meet its obligations under this Section. A data controller or data processor shall also implement reasonable means for data destruction as part of its system design. These steps for data destruction shall take into account the cost of implementation and nature of risks to a data subject.
10. = [G/Z/ol-a/6]
11.Ti = Data Security and Data Breach Notification
11.1.Ti = Reasonable security safeguards
11.1.1.sec = A data controller shall adopt reasonable security safeguards to protect against foreseeable risks, including unauthorized access, acquisition, use, modification, sharing, or destruction of personal data.
11.1.2.sec = Reasonable security safeguards are proportionate to the risk of harm in the event that the personal data is compromised. Proportionality is to be assessed in light of the type and nature of personal data used, the likely severity of harm to data subjects, the number of data subjects affected, and the cost of security safeguards.
11.1.3.sec = Reasonable security safeguards include administrative, physical, and technical measures that include training of employees.
11.1. = [G/Z/ol/s3]
11.2.Ti = Personal-data-breach notification
11.2.1.sec = A personal-data breach is the unauthorized access, acquisition, use, modification, disclosure, or loss of personal data that compromises the privacy or security of the personal data.
11.2.2.sec = When a personal-data breach creates more than a low probability that personal data will be compromised, the data controller must notify affected data subjects without unreasonable delay, and must notify public authorities to the extent required by law.
11.2.3.sec = A data controller must provide a public notice for a personal-data breach that involves more than 500 data subjects.
11.2.4.sec = A data processor that has a personal-data breach shall notify the data controller as soon as reasonably possible. The data controller shall provide notice of a personal-data breach of its data processor as set forth in paragraphs (1), (2), and (3) above.
11.2.5.0.sec = The factors to be considered in determining whether there is a low probability that personal data will be compromised include:
11.2.5.1.sec = the nature and extent of the personal data involved, including the types of identifiers and the likelihood of reidentification;
11.2.5.2.sec = the identity of the unauthorized person to whom the personal data was disclosed or who used it;
11.2.5.3.sec = whether the personal data was actually acquired or accessed; and
11.2.5.4.sec = the extent to which the risk of compromise of the personal data has been mitigated.
11.2.5. = [G/Z/ol-AA/s4]
11.2.6.sec = Notification is not required when the personal data was properly encrypted, and encryption keys are not compromised or breached.
11.2. = [G/Z/ol/s6]
11. = [G/Z/ol/2]
12.Ti = Onward Transfer
12.1.Ti = Limits on onward transfers
12.1.0.sec = A data controller or data processor that has personal data may make an onward transfer of this information to a data processor for personal-data activities only if:
12.1.1.sec = the data subject has received notice of the activities;
12.1.2.sec = the transfer is required by law; or
12.1.3.sec = the transfer is for uses specified in Principle 7(b) (exceptions to use limitation) and the requirements of Principle 7(b) and (c) are met.
12.1. = [G/Z/ol/s3]
12.2.Ti = Due diligence review of recipients of personal data
12.2.sec = Before making an onward transfer, a data controller or data processor shall exercise due diligence to ensure that the recipient will protect the personal data under these Principles.
12.3.Ti = Contracts with data processors
12.3.0.sec = Before making an onward transfer to a data processor, a data controller or data processor must enter into a binding contract with the recipient of the personal data. The contract shall include remedies for failing to comply with its terms, such as termination of the contract, and require the personal-data recipient to:
12.3.1.sec = protect the personal data according to these Principles;
12.3.2.sec = protect the personal data according to the transparency statement and individual notice;
12.3.3.sec = carry out only the personal-data activities that are necessary to comply with the contract or that are expressly authorized by the data controller or data processor that transferred the data; and
12.3.4.0.sec = take the following steps when transferring data to another data recipient:
12.3.4.1.sec = exercise due diligence;
12.3.4.2.sec = transfer data only to a recipient that will provide the required protection under (c)(1);
12.3.4.3.sec = enter into a contract that includes the same or greater protections as in its contract with the data controller and that requires the other data recipient to comply with the obligations of a data processor under this subsection;
12.3.4.4.sec = require that any subsequent data recipients do the same if they transfer the personal data to other downstream data recipients;
12.3.4. = [G/Z/ol-AA/s4]
12.3.5.sec = notify the data controller of any onward transfer before it is made and allow the data controller to approve or reject the transfer;
12.3.6.sec = return or destroy the data at the data controller’s request when the recipient no longer has a legal or contractual need to retain it;
12.3.7.sec = train its employees who have access to the personal data about their obligations under the Principles and their requirements under the transparency statements and individual notice from the data controller or data processor;
12.3.8.sec = devote appropriate resources, including sufficient personnel, to the protection of the personal data;
12.3.9.sec = facilitate the data controller’s compliance with the Principles by cooperating with the data controller’s oversight activities. The means of cooperation shall include providing information to the recipient that is required for compliance, and assisting the data controller when responding to a data subject’s exercise of rights under these Principles. When necessary for the data controller’s compliance with these Principles, cooperation shall extend even after the contract ends or is terminated;
12.3.10.sec = develop and maintain a reasonable comprehensive privacy program as specified in Principle 13(c);
12.3.11.sec = make available information necessary for the data controller or data processor to evaluate the recipient’s compliance with these Principles;
12.3.12.sec = notify the data controller promptly upon discovery of a personal-data breach or any noncompliance with the contract or this Principle, and cooperate fully with the data controller’s efforts to address the matter; and
12.3. = [G/Z/ol/s12]
12.4.Ti = Reasonable oversight
12.4.sec = A data controller or data processor that transfers personal data shall engage in reasonable oversight of the recipient. If it finds that the recipient of the personal data is deficient in performing any of its contractual obligations related to this Principle, the data controller or data processor shall invoke appropriate measures under the contract to promptly resolve the deficiency, and also shall demand reasonable assurances from the personal-data recipient that the deficiency will not recur in the future.
12.5.Ti = Downstream onward transfers
12.5.sec = A data recipient that transfers personal data to a downstream data recipient shall follow the requirements of this Principle. Unless prohibited by law, every recipient of personal data is covered by these Principles.
12. = [G/Z/ol-a/5]
Chapter 3: Accountability and Enforcement =
13.Ti = Accountability
13.1.Ti = Data controllers and data processors are accountable for complying with these Principles
13.1.sec = Accountability by regularly assessing privacy and security risks associated with their data activities and maintaining a reasonable comprehensive privacy program of oversight and governance mechanisms.
13.2.Ti = Reasonable comprehensive privacy program
13.2.sec = A comprehensive privacy program is reasonable when it is appropriate to the entity’s size, complexity, and resources; the amount and type of personal data used; and the risks that the entity’s activities pose to the data subjects’ privacy and security.
13.3.Ti = Components of a reasonable comprehensive privacy program
13.3.0.sec = A reasonable comprehensive privacy program shall include at least these components:
13.3.1.sec = written privacy and security policies and procedures with respect to all personal-data activities.
13.3.2.0.sec = a regular inventory of personal data collected, received, stored, or used that includes examination of:
13.3.2.1.sec = the types of data;
13.3.2.2.sec = the location of this personal data;
13.3.2.3.sec = the need to retain it;
13.3.2.4.sec = the protections that secure it;
13.3.2.5.sec = the individuals who have access to it; and
13.3.2.6.sec = the individuals responsible for overseeing its proper use and protection.
13.3.2. = [G/Z/ol-AA/s6]
13.3.3.sec = a risk assignment conducted before a system goes live and at reasonable periodic intervals afterwards to identify and to fix, improve, and remedy within a reasonable period of time:
13.3.3.1.0.sec = any noncompliance or nontrivial risks of noncompliance with:
13.3.3.1.1.sec = these Data Privacy Principles;
13.3.3.1.2.sec = applicable privacy or data-security laws;
13.3.3.1.3.sec = its policies and procedures;
13.3.3.1. = [G/Z/ol-i/s3]
13.3.3.2.sec = the effectiveness of its policies and procedures and practices in light of the evolution of risks and the law; and
13.3.3.3.sec = the efficacy of its training of its workforce.
13.3.3. = [G/Z/ol-AA/s3]
13.3.4.sec = a training program that reaches all employees or contractors who have access to or handle personal data, and employees or contractors whose actions materially affect the data that can be accessed or handled by others. This training shall be reasonably designed to permit the employee or contractor to understand the entity’s policies and procedures and to be aware of and minimize any reasonably anticipated risks to personal data. At a minimum, training shall be conducted upon hiring or contracting and on an annual basis.
13.3. = [G/Z/ol/s4]
13.4.Ti = Privacy and security by design
13.4.1.sec = A data controller or data processor shall analyze the privacy and security implications early on in the development of any new product, service, or process. This analysis shall be conducted in a reasonable manner, at a reasonable time, and with a reasonable thoroughness. This analysis shall be documented.
13.4.2.sec = A data controller or data processor shall examine how the product, service, or process should be designed to address the privacy or security issues identified in the analysis. The outcome of this examination shall be reflected in the final design of the product, service, or process. Reasonable design choices shall be made. Design choices and the reasoning that supports them shall be documented.
13.4. = [G/Z/ol/s2]
13.5.Ti = Privacy and security by default
13.5.1.sec = A data controller or data processor shall analyze the default settings of any existing or new product or service and how such settings implicate privacy and security. This analysis shall be conducted in a reasonable manner, at a reasonable time, and with a reasonable thoroughness. This analysis shall be documented and repeated at reasonable intervals.
13.5.2.sec = A data controller or data processor shall draw on the outcome of this examination in the final default-setting choices that are made. Reasonable default-setting choices shall be made. Default-setting choices and the reasoning that supports them shall be documented.
13.5. = [G/Z/ol/s2]
13. = [G/Z/ol-a/5]
14.Ti = Enforcement
14.1.Sec = To the extent that the law recognizes any remedies for these Principles, these remedies shall be effective, proportionate, and dissuasive.
14.2.Ti = Enforcement mechanisms
14.2.sec = Enforcement, if any, of these Principles can be through various mechanisms, including through individual redress and collective means of enforcement. Enforcement proceedings to enforce these Principles can include actions by the Federal Trade Commission, other governmental agencies, and state Attorneys General, as well as class-action lawsuits and other civil proceedings involving the pursuit of civil remedies. Remedies can include compensation to injured parties, fines paid to the government, injunctions or administrative directives ordering future compliance, orders to comply, restitution of unjust enrichment, and other measures. Governmental decisionmakers may consider factors and elements that are not available to private parties claiming infringement.
14.3.Ti = Factors for deciding whether to provide remedies
14.3.0.sec = Factors to be considered in deciding on the remedies, if any, for the violation of a Principle include:
14.3.1.sec = the duty owed by one party to another, if any;
14.3.2.sec = the gravity of the infringement; any past infringements; mitigation and preventive actions taken by the data controller or data processor, including adherence to approved codes of conduct or safe harbors;
14.3.3.sec = the intentional or negligent character of the infringement;
14.3.4.sec = the unjust enrichment of a party by the use of personal data;
14.3.5.sec = the need for general deterrence of violations to effectuate a Principle.
14.3. = [G/Z/ol/s5]
14.4.Ti = Assessing the extent of the infringement
14.4.sec = The extent of the infringement may be determined by assessing the magnitude and likelihood of financial, reputational, or emotional harm, including the risk of such harm and the chilling effect on a data subject. The magnitude and likelihood of harm fall along a sliding scale. A significant risk may exist with a low likelihood of a high-magnitude injury or with a high likelihood of a low-magnitude injury. For a major potential injury, even a small likelihood may be a risk worthy of concern.
14.5.Ti = Future injury
14.5.sec = The magnitude and likelihood of future injury can be assessed by examining different factors. These include the types of personal data involved in a violation of a Principle, the means and methods used to exploit these types of data, their ability to be combined with other available data, and the types of harm and injury reasonably expected to result. A source of information to be drawn upon in evaluating these factors is the known injury, if any, to similarly situated victims.
14.6.Ti = The role of statutory law
14.6.0.sec = Statutory law can express these general principles by raising or lowering the thresholds for finding harm and specifying the kinds of harms that are remediable in different contexts.
14.6.1.sec = In some instances, a statute may deem certain legal violations of privacy interests as harmful per se with a designated minimum amount of statutory damages.
14.6.2.sec = Under some circumstances, the risk of future harm from a data-privacy violation may cause anxiety or emotional distress. Such harms may be compensable pursuant to statute or if recognized by courts.
14.6.3.sec = In some instances, a statute may use the unjust enrichment of a data controller through violation of these principles as a factor in assessing the extent of the infringement.
14.6. = [G/Z/ol/s3]
14. = [G/Z/ol-a/6]
= [G/Z/ol/14]