CR Innovation Initiative

Data Rights Protocol

Standardizing the technical interchange of data rights requests


While new privacy laws, such as the California Consumer Privacy Act (CCPA), give users privacy rights to opt out, access, or delete their data, these rights can be difficult to exercise and fulfill in practice. Burdens exist for consumers, but they also exist for companies that need to honor the rights of large numbers of consumers. The processing of rights requests is often manual and, thus, time-consuming and costly. In short, privacy rights are increasingly provided, but they are difficult for consumers to exercise and for companies to process. One of the main reasons is the lack of usable privacy rights technologies.

Consumers need to contact companies one by one to manage their data, which is as time-consuming as it is frustrating. Companies crave standard tools and solutions to receive and ingest data rights requests, but no one company is incentivized to solve for this missing piece in today’s privacy stack.

Our Approach

We believe a standard protocol that streamlines and formalizes the components of a data rights request would allow for more consistency and efficiency for both consumers submitting requests and companies processing them. That’s why CR Digital Lab started work on a data rights protocol in 2021 with DataGrail, Ethyca, Mine, OneTrust, Spokeo, Surfshark, Transcend, and WireWheel.

The “Data Rights Protocol” (DRP) seeks to standardize the technical interchange of data rights requests and provide a standard method for consumers to exercise their data rights under the California Consumer Privacy Act and beyond. At its core, the DRP is a communication workflow that receives, processes, and completes data rights requests in an interoperable fashion.

In addition to being a valuable contribution to the privacy tech ecosystem, this protocol is beneficial for our Permission Slip product strategy, another initiative of CR. Companies that conform with DRP will be able to integrate programmatically with Permission Slip, rather than requiring CR to conduct bespoke manual processes for each company receiving our data requests.

The main implementers of the DRP are likely to be privacy compliance tech companies, which provide software solutions to consumer brands and other businesses looking to comply with CCPA etc. It is also in these companies’ interest to align on a technical standard for the exchange of data rights requests because standardization will enable them to better serve their clients and scale their services. We therefore prioritized engagements with these companies.

At a glance information

The Data Rights Protocol (DRP) is a technical standard for exchanging data rights requests under CCPA. The project began at Consumer Reports Digital Lab in summer 2021, and was announced at a virtual event hosted by MIT Media Lab in October 2021. The protocol is co-developed by a consortium of implementing companies who serve in the role of authorized agent, privacy infrastructure provider, and/or covered business. You can explore the Data Rights Protocol on GitHub and let us know your feedback here.

Milestones Ahead

In 2022, CR launched OSIRAA, a new testing app for the Data Rights Protocol. OSIRAA stands for Open Source Implementers’ Reference of an Authorized Agent. Members of the DRP consortium can use this app to test their implementation of the Data Rights Protocol, an open standard for exchanging data rights requests backed by Consumer Reports and a consortium of industry partners. Find out more.


  • Complete end-to-end test with implementing partners (1x1x1)
  • Complete interoperability test with implementing partners (2x2)
  • Complete full lifecycle test with implementing partners (2x2x2 or 2x2x1)