Permission Slip submits thousands of requests to companies as an authorized agent every week. For many of these requests, we leverage company privacy portals. The format and content of forms on these portals can have a huge bearing on how effectively we’re able to transmit data requests on behalf of consumers. As we near almost 100,000 processed data requests, here are our 10 feature recommendations for data privacy forms that will make processing more streamlined and efficient for all involved.
1. Form fields should always specify the submitting party.
Often the same form can be submitted by either a consumer or an agent representing them. Good forms ask the submitter to specify their identity, and distinguish “Agent Name” from “Consumer Name”.
2. If authorization letters or other documents are required, there should be a way to securely attach or transfer files directly.
Previously many companies didn’t have a way to attach forms. We’re excited by the growing number of companies that do offer attachments.
3. Multiple pieces of PII should NOT be required for every type of data request.
Unless absolutely necessary for identification, multiple pieces of PII should be optional fields on the form. For example, if DOB is sometimes necessary in addition to Name/Email to identify specific consumer records, that field should be optional.
4. Ability to submit alternate email addresses and names.
We encourage the ability to submit alternate email addresses or names on a single request, as name and email changes are common among consumers.
5. Keep authorized agents in the communication loop when appropriate.
We encourage businesses to ask whether communications should be directed to the agent or consumer. At minimum, we encourage that businesses include the agent on communications to consumers. We understand this might not be appropriate for final data files sent from RTK requests.
6. Free text boxes should have explicit and sufficiently large character limits.
We recommend at least enough characters for a two page document (~7000 chars).
7. Forms and portals should not have an unreasonably short time-out window.
These timeout windows are configured by companies, so they vary. For example, one Permission Slip company used to have a form timeout every 3 minutes, and requiring the agent to login again and start form submission from scratch. We believe 10 minutes to be a more reasonable timeout for privacy forms.
8. Confirmation or reference numbers should be made available as soon as they are generated.
Some companies send a confirmation email after the form has been filled out, rather than showing the reference number immediately once the form has been submitted. The confirmation email approach doesn’t typically include any user PII, which makes it challenging for agents to know which consumer should be associated with this reference number. The more immediate the appearance of the reference number, the easier for agents.
9. If relevant, we encourage the ability to submit multiple types of requests at once, in the same form submission.
Specifying multiple request types (e.g., opt-out and access) in a single form submission eases processing for agents.
10. Allow Authorized Agents to submit multiple different requests via a form at one time.
We appreciate the need to be cautious against potential mass spam request bots. That said, when a form limits the number of submissions it can receive from one or a handful of IP addresses, many agents are blocked from submitting requests on behalf of all consumers who rely on them.
Acknowledgements to Margaret Oates who led the research that produced these recommendations.