How to respond to privacy requests from authorized agents

Morgan Sullivan
March 18th, 2022 · 6 min read

What are authorized agents?

In the context of modern privacy laws like GDPR and CCPA, an authorized agent is an organization or individual that has been given permission to submit data subject requests (DSRs), otherwise known as privacy requests, on behalf of a consumer.

For reference, a privacy request is when a consumer, often referred to as a data subject, requests access to or erasure of their personal information from an organization that collects, stores, and/or processes it.

As a byproduct of modern privacy regulation, authorized agents are a fairly new concept–so the specifics vary in terms of how these agents work.

However, the common thread is that authorized agents act as intermediaries between organizations who collect and process consumer data and the consumers looking to access or erase their personal information.

In this post, we’ll cover what authorized agents do, the potential security risks they present, and considerations when responding to DSRs from authorized agents. We’ve also included a step-by-step guide at the end, covering how you can use Transcend to respond to authorized agent privacy requests.

What do authorized agents do?

According to the CCPA, authorized agents are defined as:

“a natural person or business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf…”

In practice, this means consumers employing an authorized agent will give the agent permission to reach out, often en masse, to any organization believed to be processing the consumer’s data.

For example, one notable authorized agent service scrapes a user’s email inbox, compiles a list based on the communications found there, and then bulk sends templated emails to each organization requesting data access or deletion.

Here’s an example of the type of email sent by an authorized agent:

Dear Sir/Madam,
[Authorized agent], is contacting you on behalf of [name] (the “Data Subject”), regarding whom personal data is processed by [company], in connection with the exercise of the Data Subject's rights under applicable privacy laws, including, but not limited to, the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) (collectively, “Applicable Privacy Laws”).

Background
The Data Subject registered to [company] using the email address: xxxxxxxxxxx. Certain Personal Data concerning the Data Subject has been and is processed by [company], and regarding which the Data Subject is entitled and willing to exercise such rights granted under the Applicable Privacy Laws.

[Authorized agent] is a platform enabling users to exercise their rights in their Personal Data and facilitating the submission of Data Subject Requests (“DSR”), on behalf of its users, and in accordance with applicable laws. [User name] has registered to [authorized agent], and has instructed [authorized agent] to submit the following DSR to [company]. Please note that any further communications with [user name], in connection with this request, shall be sent directly to [user name] email [x].

Data Subject Request
The Data Subject hereby requests that [company] erase any and all Personal Data about the Data Subject it processes, without exception.

Following the complete erasure of such Personal Data, please provide confirmation that the Personal Data have been erased, without the possibility to restore or reconstruct the data, by sending such confirmation to the Data Subject's email address at: [email], and copying [authorized agent], at request@authorizedagent.com

When submitting privacy requests on behalf of consumers, authorized agents are subject to two specific mandates:

  1. They must take all reasonable precautions to protect user data security

  2. Data obtained during the privacy request process may not be used for anything other than fulfilling the request itself

Businesses under the CCPA are required to treat privacy requests from authorized agents in essentially the same way they would if the requests came from a consumer. However, they do have guidelines and rights with regard to their response.

The CCPA states that businesses who’ve received a privacy request from an authorized agent may:

  • Verify the request itself, i.e., request further verification from the consumer or authorized agent to ensure the request was valid and intentional

  • Require signed permission from the consumer to release and/or delete their data before fulfilling the request

  • Further verify the consumer’s identity with either the consumer themselves or the authorized agent

Essentially, when responding to a privacy request from an authorized agent, businesses have the right to verify the consumer’s identity and take steps to maintain the security of their data. They may not, however, charge an authorized agent for further identity verification.

Why authorized agents pose a security risk

The concept of helping users take control of their data is sound, and certainly one we support. However, the methods many authorized agents use in pursuit of data access and deletion pose considerable security risks.

As mentioned above, many authorized agents rely on crawling a user’s email inbox for relevant communications and then sending out templated emails in bulk. From a data security standpoint, the reliance on email and the level of access to sensitive data open up a slew of potential risk factors.

Human error

Each manual step in a data access or deletion process creates a new opportunity for misunderstanding or simple human error. Opportunities for error include opening the wrong email, filing a ticket for the wrong request type, transferring inaccurate data to another team–and the list goes on.

A single web form, connected to an automated privacy infrastructure, removes this point of failure by minimizing the number of manual steps.

Breach potential

An authorized agent acting on behalf of one consumer is likely to be acting on behalf of others.

If a user submits their own request and their email inbox is breached (i.e., the password is exposed), that breach would only affect their own account. However, if an authorized agent were breached, the consequences would be huge.

An attacker could potentially gain access to any email inbox to which the authorized agent has access, as well as issue DSRs for users who hadn’t actually made any requests.

Email verification

Another potential issue with initiating DSRs through email is that it’s difficult to determine whether the email sender is actually who they say they are. We’ve all received those emails that supposedly originate from someone we know, asking for further information or an immediate response.

Luckily, with interpersonal emails, it’s easier to tell if the sender isn’t actually the person you know. However, with no personal relationship between a consumer and business, that form of subterfuge is more viable.

Questions to ask when responding to DSRs from authorized agents

As noted above, authorized agents work as an intermediary between consumers and businesses. They help consumers get a picture of who might have their data, and then help to initiate the privacy request process.

In theory, authorized agents can provide a helpful service to consumers looking to exercise their data rights. In practice, however, they can prove somewhat problematic. Before responding to requests from an authorized agent, be sure to consider the following questions.

Has the data subject’s identity been verified?

When it comes to data privacy, robust security is non-negotiable. One significant concern with the authorized agent model is that adding an additional layer between consumer and business makes it difficult to verify a user’s identity.

Imagine fulfilling a privacy request i.e. giving full access to or deleting an individual’s data (which can include social security numbers, credit card information, and sensitive health information)–only to realize you released all of that data to the wrong person.

Identity verification is key to secure privacy request fulfillment, so asking this question and implementing security measures like two-factor authentication is absolutely crucial.

Does your organization process their data?

One common refrain voiced by privacy professionals is that they frequently receive authorized agent requests for consumers whose data they don’t actually process.

As a one-off event, this isn’t necessarily a big problem. However, as a trend, repeatedly searching for consumer data that’s nowhere to be found is frustrating and time-consuming, especially when there’s an incoming stream of valid privacy requests in your queue.

Is the data subject covered by law?

Whether or not a consumer is actually covered by a privacy law in force today is another important consideration. Consumers covered by the GDPR and CCPA have clear rights when it comes to data subject access requests, but these laws only cover citizens of California and the EU.

And, as is clear in the example email above, authorized agents don’t necessarily delineate between a user who is covered by law or not. (Remember, these are bulk email sends with blanket references to applicable privacy laws.)

Of course, upholding a user’s data rights doesn’t need to stem purely from regulatory pressure–your organization may choose to fulfill a privacy request whether or not the data subject is covered.

However, if your team receives hundreds of requests a month, there may not be bandwidth to fulfill requests outside of what’s legally mandated.

Is this the only privacy request in queue for this user?

Privacy requests from authorized agents often arrive outside the DSR workflows a company already has in place, e.g., in an email.

So, your privacy team should check whether a request for the same user has come through on other channels, or if it’s already been fulfilled by an automated privacy request process.

The fact that authorized agent requests come through off-piste channels means two things:

  • Privacy teams must first check to ensure they’re avoiding duplicative requests

  • If the request is not duplicative, it must then be fulfilled manually

Many privacy teams rely on automated privacy request platforms, which are already connected to all relevant data systems. Compared to manual workflows, this means quicker turnaround times, fewer mistakes due to human error, and greater security for sensitive data.

Manual DSR fulfillment is certainly possible and is made necessary when a request originates outside the automated channel. However, it’s not the ideal state for a scalable privacy program.

How to respond to authorized agent privacy requests with Transcend

For Transcend customers, responding to privacy requests from authorized agents is actually quite simple. Just follow the steps below.

1) Navigate to your Transcend Privacy Center and select “Take Control.”

2) Select either Customer or Authorized Agent.

3) Select the request type.

4) If you already have an account, you’ll be redirected to authenticate your identity by logging in.

5) If you don’t have an account, or are an Authorized Agent, you can submit the email address/additional metadata for the individual making the request.

6) The user for whom the request was submitted will receive an email where they’ll be required to click a link and confirm the request before it can be completed. This can be configured to send as a two-factor authentication step in addition to account login.

7) Once the email is verified, Transcend will programmatically map the verified email to a User ID or other user identifiers that may be associated with that email address.
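
The confirmation step in 6), together with the duplicate check discussed earlier, can be modelled as a request that stays pending until the data subject clicks a signed, expiring, single-use link. The following Python is an added example, not Transcend's implementation; the class `DsrIntake`, the key, the 48-hour window and the request IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: in production, load from a secrets manager
TTL_SECONDS = 48 * 3600           # assumption: how long the confirmation link stays valid

class DsrIntake:
    """Holds agent-submitted requests as pending until the data subject confirms."""
    def __init__(self):
        self.requests = {}  # request_id -> {"email", "type", "status"}
        self.used = set()   # tokens already redeemed (single use)

    def submit(self, request_id, email, req_type, now=None):
        email = email.strip().lower()
        now = time.time() if now is None else now
        # Duplicate check: the same subject and request type may already be queued.
        for rid, r in self.requests.items():
            if r["email"] == email and r["type"] == req_type:
                return ("duplicate", rid)
        self.requests[request_id] = {"email": email, "type": req_type, "status": "pending"}
        return ("pending", self._token(request_id, email, int(now) + TTL_SECONDS))

    def _token(self, request_id, email, expires):
        msg = f"{request_id}|{email}|{expires}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
        return f"{request_id}.{expires}.{mac}"

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        try:
            request_id, expires, _ = token.split(".")
            expires = int(expires)
        except ValueError:
            return "malformed"
        req = self.requests.get(request_id)
        if req is None:
            return "unknown"
        expected = self._token(request_id, req["email"], expires)
        # Constant-time comparison; the MAC binds request, subject email and expiry.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return "bad-signature"
        if now > expires:
            return "expired"
        if token in self.used:
            return "replayed"
        self.used.add(token)
        req["status"] = "verified"
        return "verified"
```

The token is sent only to the data subject's own address, never to the agent, so a compromised or spoofed agent cannot move a request past the pending state.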

