In fall 2021, Consumer Reports Digital Lab launched a study to understand more about the data rights provided to consumers under the California Consumer Privacy Act. As an authorized agent, we learned a lot about how to send data access requests on behalf of consumers.
Our team and our fearless volunteers saw success and challenges during this process. Lots of emails back-and-forth with customer service representatives, lots of confusion, and even some missing postal mail. At the same time, there were many moments where companies and privacy teams did a smashing job. Many gave clear instructions, had reliable and simple technical tools, or even adjusted their process after feedback. Consumer Reports salutes the many companies and privacy associates who are putting in the work to make sure consumers can exercise their data rights quickly and easily.
After sending over 200 access requests to 20 different companies (and counting!), we have opinions on how to do authorized agent requests well. This post outlines some of the qualities that we’d like to see from the authorized agent process of our dreams.
Who should read this? Companies, privacy and compliance teams, privacy researchers, data regulators, DSARs, and anyone who plans to send authorized agent requests under the CCPA. If you’re a consumer looking to understand your data rights, you might like this post instead.
Here are some of the process improvements regarding authorized agents we’d like to see:
1. Add information for agents in your privacy policy
In privacy policies, most companies acknowledge that Californians can authorize an agent to represent them. However, too often the information stops there. In your privacy policy or other public documentation, please include clear instructions for an agent.
- What documentation do you require from an agent?
- Where should agents send written authorizations or other request documentation?
- How can an agent initiate an opt-out-of-sale request?
- What kind of identity verification should consumers expect?
- What kinds of documents do they need to upload?
- How long does a consumer have to verify their identity?
- Can potential agents outside California access policy information? (Is it geofenced?)
Providing this kind of information up-front can prevent a back-and-forth between agents and companies, minimizing wasted resources for companies and agents alike.
2. Make sure online request forms work for agents
If you want agents to submit information and requests through web forms, consider whether your e-form is compatible with an authorized agent process. Here are some questions to consider:
- If there’s a field called “First name,” does it specify whether that is the consumer’s name or agent’s name?
- Are there at least two email address fields, one for an agent and one for a consumer?
- Is the agent able to upload at least two attachments directly on the form? (This will save you time emailing later.)
- Is there a free-text box with a sufficient character limit, where an agent could include details for the request?
3. Give consumers time to respond
There is often a substantial delay between (1) when a consumer asks an agent to submit a request; (2) when the agent submits that request; and (3) when a company reaches out to a consumer for request confirmation and identity verification. It’s unreasonable to expect consumers to wait at the ready, constantly monitoring their email for updates on their request. Consumers participating in our study were sometimes unable to confirm a request or collect documentation to verify their identity within the allotted time window. In addition, sometimes consumers thought verification emails were fake, or the emails got caught by spam filters and slipped by unnoticed.
In one case, a company’s policies stated they allowed only a 30-minute window for consumers to verify their identity. Even a 24-hour window to confirm their identity is not an ideal or usable process for many consumers. Give consumers at minimum 3 days to respond to requests. We hope and believe that a short identity verification window is not strictly necessary, but if it truly is for your company, it’s best to send a courtesy note to the consumer beforehand to let them know to look out for this time-sensitive action.
4. Don’t ask agents for their mother’s maiden name
Many organizations make the mistake of assuming that agents are individual people. In fact, consumers can also authorize a business or organization to represent them as their agent. Please make sure your process allows for agents that are not individuals. For example, instead of requiring “First name” and “Last name” for agents, allow the option of adding a company name instead.
During our research, one company even tried to verify us by asking security questions about Consumer Reports, questions like, “What year was Consumer Reports born?” or “Which street has Consumer Reports lived on?”
5. Ask whether data access goes to the consumer or the agent
For access requests (such as “Right to Know” or “Categories” requests), there is widespread disagreement about whether data access should be shared with the consumer or with the agent.
We believe there are good arguments for both outcomes, depending on why a consumer has engaged an agent. For example, some consumers use an authorized agent because they cannot or do not want to expend the cognitive effort or time of filling dozens of forms. They use the agent to help send and manage their requests, but the agent does not need to actually access sensitive data. In other cases, a consumer might want to use an authorized agent to help collect and analyze their data, or as a means to donate their data to an academic research project, both of which require the agent to have data access.
Because consumers have valid, diverse needs for exercising data access rights with an authorized agent, companies should allow the agent to specify who should receive access to data in the initial request. This reduces risk and liability for both companies worried about sending sensitive information to third-party agents, and agents who do not need access to sensitive information.
6. Allow consumers to provide alternate emails
We all know how tricky it can be to match a data subject to a database entry. Addresses, names, emails, and devices all change with time. If your consumer matching process requires exact matches for email, name, or other identifiers, please provide an opportunity for a consumer or agent to offer additional information.
One company in our research, Neustar, went above and beyond on this front. When they noticed close database matches, the Neustar team asked the consumer if they’d like to provide any additional names or email addresses they use in order to locate their data. Even more than that, the Neustar team took the additional step of care to ask whether they should direct these questions to the agent or to the consumer. We applaud Neustar for their thoughtful and consumer-centric approach!
7. Use reference numbers
Agents often send multiple requests on behalf of a consumer, or multiple requests across many consumers. To avoid mixing up requests and avoid superfluous use of the data subject’s PII, use a reference number system when discussing requests with consumers and agents. This might seem obvious to some, but at least two companies we’ve interacted with asked for documentation but did not provide reference numbers, which made it harder to trace and follow up on requests later.
In addition, that reference number should be provided as early as possible in the request process, ideally upon form submission or in an email verification message saying the request has been received.
8. Spill the tea! What was the outcome of the request?
Some companies didn’t keep us or the consumer in the loop about what was happening. We wasted time when we had to actively follow up with companies and consumers to understand whether a request had been fulfilled after 15 or 45 days. And the company privacy teams also wasted time when they had to respond to us!
Some companies never directly confirmed whether the opt-out requests were honored. While it may not always be a regulatory requirement, it’s a courtesy to both the consumer and agent to communicate the status of a request to all the parties involved.
9. Consider implementing the Data Rights Protocol
Wouldn’t it be peachy if more of this process were automated and standardized? And just the bee’s knees if each compliance team or agent didn’t have to go through the pain of figuring out how data request processes should work? Consumer Reports is part of a consortium working on the Data Rights Protocol, a technical standard to support everyday people in exercising their data rights and support companies in doing it efficiently and cheaply at scale. If you’re curious about what data companies, DSAR providers, consumer advocates, and academics can think up together, you can leave feedback on the current version of DRP or drop in on a working group sometime.
Meant to be: company, agent, consumer
At the end of the day, companies, agents, and consumers all want the same thing. We all want respectful, useful, and lawful use of data. We all want data subjects to be able to exercise their rights in a timely manner without overburdening the employees on the front lines of privacy work. In this post we outlined a few suggestions for how to make authorized agent requests easier, faster, and more effective for companies, agents, and consumers alike.
Anything we missed? Have you met an authorized agent process that already checked all your boxes and captured your heart? Let us know!
Thanks to Ginny Fahs for feedback on this post.