Senior Content Marketing Manager II
March 6, 2024 • 6 min read
The topic of authorized agent requests is top of mind for many privacy professionals because of a recent investigative sweep by the California Attorney General aimed in part at businesses allegedly not honoring data subject requests submitted via authorized agents.
This updated post gives the context you need to understand authorized agent requests and outlines several methods for handling them that protect user security and privacy while reducing the time spent fulfilling them.
In addition, Transcend continues our work in partnership with Consumer Reports on the Data Rights Protocol, which will help further power seamless privacy requests for end-users choosing to work with authorized agents while minimizing the burden for businesses responding to requests.
In the context of modern privacy laws like GDPR and CCPA, an authorized agent is an organization or individual who's been given permission to submit data subject requests (DSRs), otherwise known as privacy requests, on behalf of a consumer.
For reference, a privacy request is when a consumer, often referred to as a data subject, requests access or erasure of their personal information from an organization who collects, stores, and/or processes it.
As a byproduct of modern privacy regulation, authorized agents are a fairly new concept, so the specifics of how these agents work vary.
However, the common thread is that authorized agents act as intermediaries between organizations who collect and process consumer data and the consumers looking to access or erase their personal information.
In this post, we'll cover what authorized agents do, the potential security risks they present, and considerations when responding to DSRs from authorized agents. We've also included a step-by-step guide at the end, covering how you can use Transcend to respond to authorized agent privacy requests.
According to the CCPA, authorized agents are defined as:
"a natural person or business entity that a consumer has authorized to act on their behalf…"
In practice, this means consumers employing an authorized agent will give the agent permission to reach out, often en masse, to any organization believed to be processing the consumer's data.
For example, some authorized agent services scrape a user's email inbox, compile a list based on the communications found there, and then bulk send templated emails to each organization requesting data access or deletion.
Here's an example of the type of email sent by an authorized agent:
Dear Sir/Madam,
[Authorized agent], is contacting you on behalf of [name] (the "Data Subject"), regarding whom personal data is processed by [company], in connection with the exercise of the Data Subject's rights under applicable privacy laws, including, but not limited to, the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA") (collectively, "Applicable Privacy Laws").
Background
The Data Subject registered to [company] using the email address: xxxxxxxxxxx. Certain Personal Data concerning the Data Subject has been and is processed by [company], and regarding which the Data Subject is entitled and willing to exercise such rights granted under the Applicable Privacy Laws.
[Authorized agent] is a platform enabling users to exercise their rights in their Personal Data and facilitating the submission of Data Subject Requests ("DSR"), on behalf of its users, and in accordance with applicable laws. [User name] has registered to [authorized agent], and has instructed [authorized agent] to submit the following DSR to [company]. Please note that any further communications with [user name], in connection with this request, shall be sent directly to [user name] email [x].
Data Subject Request
The Data Subject hereby requests that [company] erase any and all Personal Data about the Data Subject it processes, without exception.
Following the complete erasure of such Personal Data, please provide confirmation that the Personal Data have been erased, without the possibility to restore or reconstruct the data, by sending such confirmation to the Data Subject's email address at: [email], and copying [authorized agent], at request@authorizedagent.com
When submitting privacy requests on behalf of consumers, authorized agents are subject to two specific mandates:
Businesses under the CCPA are required to treat privacy requests from authorized agents in essentially the same way they would if the requests came from a consumer. However, they do have guidelines and rights with regard to their response.
The CCPA states that businesses who've received a privacy request from an authorized agent may:
Essentially, when responding to a privacy request from an authorized agent, businesses have the right to verify the consumer's identity and take steps to maintain the security of their data. They may not, however, charge an authorized agent for further identity verification.
The concept of helping users take control of their data is sound, and certainly one we support. However, the methods many authorized agents use in pursuit of data access and deletion pose considerable security risks.
As mentioned above, many authorized agents rely on crawling a user's email inbox for relevant communications and then sending out templated emails in bulk. From a data security standpoint, the reliance on email and the level of access to sensitive data open up a slew of potential risk factors.
Each manual step in a data access or deletion process creates a new opportunity for misunderstanding or simple human error. Opportunities for error include opening the wrong email, filing a ticket for the wrong request type, transferring inaccurate data to another team, and the list goes on.
A single web form, connected to an automated privacy infrastructure, removes this point of failure by minimizing the number of manual steps.
An authorized agent acting on behalf of one consumer is likely to be acting on behalf of others.
If a user submits their own request and their email inbox is breached (i.e. the password was exposed), that breach would only affect their own account. However, if an authorized agent were breached, the consequences could be huge.
An attacker could potentially gain access to any email inbox to which the authorized agent has access, as well as issue DSRs for users who hadn't actually made any requests.
Another potential issue with initiating DSRs through email is that it's difficult to determine whether the email sender is actually who they say they are. We've all received those emails that supposedly originate from someone we know, asking for further information or an immediate response.
Luckily, with interpersonal emails, it's easier to tell if the sender isn't actually the person you know. However, with no personal relationship between a consumer and business, that form of subterfuge is more viable.
As noted above, authorized agents work as an intermediary between consumers and businesses. They help consumers get a picture of who might have their data, and then help to initiate the privacy request process.
In theory, authorized agents can provide a helpful service to consumers looking to exercise their data rights. In practice, however, they can prove somewhat problematic. Before responding to requests from an authorized agent, be sure to consider the following questions.
When it comes to data privacy, robust security is non-negotiable. One significant concern with the authorized agent model is that adding an additional layer between consumer and business makes it difficult to verify a user's identity.
Imagine fulfilling a privacy request, i.e. giving full access to or deleting an individual's data (which can include social security numbers, credit card information, and sensitive health information), only to realize you released all of that data to the wrong person.
Identity verification is key to secure privacy request fulfillment, so asking this question and implementing security measures like two-factor authentication is absolutely crucial.
One common refrain voiced by privacy professionals is that they frequently receive authorized agent requests for consumers whose data they don't actually process.
As a one-off event, this isn't necessarily a big problem. However, as a trend, repeatedly searching for consumer data that's nowhere to be found is frustrating and time-consuming, especially when there's an incoming stream of valid privacy requests in your queue.
Whether or not a consumer is actually covered by a privacy law in force today is another important consideration. Consumers covered by the GDPR and CCPA have clear rights when it comes to data subject access requests, but these laws only cover citizens of California and the EU.
And, as is clear in the example email above, authorized agents don't necessarily distinguish between users who are covered by law and those who are not. (Remember, these are bulk email sends with blanket references to potentially applicable privacy laws.)
Of course, upholding a user's data rights doesn't need to stem purely from regulatory pressure: your organization may choose to fulfill a privacy request whether or not the data subject is covered.
However, if your team receives hundreds of requests a month, there may not be bandwidth to fulfill requests outside of what's legally mandated.
Privacy requests from authorized agents often arrive outside the DSR workflows a company already has in place, e.g. in an email.
Many privacy teams rely on automated privacy request platforms, which are already connected to all relevant data systems. Compared to manual workflows, this means quicker turnaround times, fewer mistakes due to human error, and greater security for sensitive data.
When receiving an authorized agent request, your privacy team should check whether a request for the same user has come through on other channels, or if it's already been fulfilled by an automated privacy request process.
Manual DSR fulfillment is certainly possible and is made necessary when a request originates outside the automated channel. However, it's not the ideal state for a scalable privacy program.
For Transcend customers, responding to privacy requests from authorized agents is actually quite simple. Here are two easy ways to handle these types of requests.
Directing the requester to use your self-serve Transcend Privacy Center to authenticate and submit their request ensures you have the authorization and all information needed to fully process the request.
You can have multiple Data Subject types in your privacy center, each with its own Authentication Method.
For example, you may choose to use JWT Account Login to have customers verify their identity by logging directly into their account, but instead use Email Verification for Authorized Agent requests. This way authorized agents can input the email address and additional information they have on the data subject when submitting the request.
The user for whom the request was submitted will receive an email where they'll be required to click a link and confirm the request before it can be completed. This can be configured to send as a two-factor authentication step in addition to account login.
Once the email is verified, Transcend will programmatically map the verified email to a User ID or other user identifiers that may be associated with that email address and move forward with fulfilling the request across connected systems. If you wish, you can also add a manual review step to approve all requests of this type before they begin processing.
If you prefer, you can enter the information from the authorized agent and easily kick off a request in moments yourself.
Crucially, you can still require an email verification link be sent directly to the data subject before the request is processed.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, mitigate risk with smarter privacy Assessments, or discover and classify personal data and auto-generate reports with Data Mapping.