Data Subject Rights and Opt-Out Mechanisms

What it is

Thomson Reuters allows users to request access to, correction of, deletion of, or restrictions on their personal data, and to opt out of data sales, depending on where they live and what laws apply.

Why it matters (compliance & governance perspective)

The availability and enforceability of these rights varies significantly by jurisdiction, meaning not all users have the same level of protection or ability to control their data.

Consumer impact (what this means for users)

You may be able to access, correct, delete, or restrict how Thomson Reuters uses your personal information, and in some jurisdictions opt out of data sales, but the specific rights available depend on your location and applicable law.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Data subject rights engage GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection, and automated decision-making rights), CCPA and CPRA (right to know, delete, correct, opt out of sale and sharing, and limit sensitive personal information use), UK GDPR, PIPEDA, and various other national frameworks. Rights under GDPR are generally more comprehensive and enforceable than those under U.S. state law. The right to opt out of sale under CCPA and CPRA is particularly relevant given Thomson Reuters' data broker operations. GOVERNANCE EXPOSURE: Medium. The breadth of rights asserted and the inclusion of non-customer individuals (whose data may appear in information products) creates significant operational complexity for rights fulfilment. The statement provides a centralised portal, which is good practice, but compliance teams should assess response time compliance (30 days under GDPR, 45 days under CCPA) and identity verification procedures. JURISDICTION FLAGS: EU and EEA users have the strongest rights under GDPR, including the right to lodge complaints with supervisory authorities. California users have CPRA rights including the right to opt out of sale and the right to limit sensitive personal information use. UK users have rights under UK GDPR. Users in jurisdictions without comprehensive privacy law may have limited enforceable rights under this statement. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers acting as data controllers must ensure Thomson Reuters, as a processor, has mechanisms to assist with data subject rights requests that originate from their own users and are passed through to Thomson Reuters for fulfilment. DPAs should specify response timelines and procedures for rights request forwarding. COMPLIANCE CONSIDERATIONS: Compliance teams should test Thomson Reuters' privacy portal to confirm it accepts and processes rights requests within legally required timeframes, assess identity verification procedures for sufficiency without being unnecessarily burdensome, and confirm that rights requests from non-customers (whose data appears in information products) are handled with equivalent rigour.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• AI and Machine Learning Training Use of Personal Data high
• Data Broker and Information Product Disclosure high
• Sensitive Personal Information Processing high
• Cross-Border Data Transfers medium
• Third-Party Data Sharing and Corporate Transactions medium
• Cookie and Tracking Technology Use medium

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.