NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-5(1) Just-in-time Notice

Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Just-in-time notices inform individuals of how organizations process their personally identifiable information at a time when such notices may be most useful to the individuals. Individual assumptions about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the organization last presented notice or the circumstances under which the individual was last provided notice have changed. A just-in-time notice can explain data actions that organizations have identified as potentially giving rise to greater privacy risk for individuals. Organizations can use a just-in-time notice to update or remind individuals about specific data actions as they occur or highlight specific changes that occurred since last presenting notice. A just-in-time notice can be used in conjunction with just-in-time consent to explain what will occur if consent is declined. Organizations use discretion to determine when to use a just-in-time notice and may use supporting information on user demographics, focus groups, or surveys to learn about users’ privacy interests and concerns.

Practitioner Notes

Just-in-time notices are brief privacy notifications presented at the exact point of data collection, giving people the information they need right when they need it.

Example 1: When a user reaches a contact form on your website, display a brief notice directly on the form: 'We will use your email to respond to your inquiry. See our Privacy Policy for details.' This is faster to read than a full privacy policy, which they will probably skip.

Example 2: In a mobile app, before the first feature that collects location data, show a brief modal: 'This feature uses your location to find nearby services. We do not sell or share your location data. Tap here for full privacy details.' The notice appears in context, when it is relevant.