Guidelines on Addressing Authorized Agent Privacy Requests [2023 Update]

The topic of authorized agent requests is top of mind for many privacy professionals because of a recent investigative sweep by the California Attorney General aimed in part at businesses allegedly not honoring data subject requests submitted via authorized agents.

This updated post gives the context you need to understand authorized agent requests and outlines several methods for handling them that protect user security and privacy while reducing the time spent fulfilling them.

In addition, Transcend continues our work in partnership with Consumer Reports on the Data Rights Protocol which will help further power seamless privacy requests for end-users choosing to work with authorized agents while minimizing the burden for businesses responding to requests.

In the context of modern privacy laws like GDPR and CCPA, authorized agents are an organization or individual who’s been given permission to submit data subject requests (DSRs), otherwise known as privacy requests, on behalf of a consumer.

For reference, a privacy request is when a consumer, often referred to as a data subject, requests access or erasure of their personal information from an organization who collects, stores, and/or processes it.

As a byproduct of modern privacy regulation, authorized agents are a fairly new concept–so the specifics vary in terms of how these agents work.

However, the common thread is that authorized agents act as intermediaries between organizations who collect and process consumer data and the consumers looking to access or erase their personal information.

In this post, we’ll cover what authorized agents do, the potential security risks they present, and considerations when responding to DSRs from authorized agents. We’ve also include a step-by-step guide at the end, covering how you can use Transcend to respond to authorized agent privacy requests.

• What do authorized agents do?

• Why authorized agents pose a security risk

• Questions to ask when responding to DSARs from authorized agents

• Using Transcend to respond to authorized agents

According to the CCPA, authorized agents are defined as:

“a natural person or business entity that a consumer has authorized to act on their behalf…”

In practice, this means consumers employing an authorized agent will give the agent permission to reach out, often en masse, to any organization believed to be processing the consumer’s data.

For example, some authorized agent services scrape a users email inbox, compile a list based on the communications found there, and then bulk send templated emails to each organization requesting data access or deletion.

Here’s an example of the type of email sent by an authorized agent:

Dear Sir/Madam,
[Authorized agent], is contacting you on behalf of [name] (the “Data Subject”), regarding whom personal data is processed by [company], in connection with the exercise of the Data Subject's rights under applicable privacy laws, including, but not limited to, the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) (collectively, “Applicable Privacy Laws”).

Background
The Data Subject registered to [company] using the email address: xxxxxxxxxxx. Certain Personal Data concerning the Data Subject has been and is processed by [company], and regarding which the Data Subject is entitled and willing to exercise such rights granted under the Applicable Privacy Laws.

[Authorized agent] is a platform enabling users to exercise their rights in their Personal Data and facilitating the submission of Data Subject Requests (“DSR”), on behalf of its users, and in accordance with applicable laws. [User name] has registered to [authorized agent], and has instructed [authorized agent] to submit the following DSR to [company]. Please note that any further communications with [user name], in connection with this request, shall be sent directly to [user name] email [x].

Data Subject Request
The Data Subject hereby requests that [company] erase any and all Personal Data about the Data Subject it processes, without exception.

Following the complete erasure of such Personal Data, please provide confirmation that the Personal Data have been erased, without the possibility to restore or reconstruct the data, by sending such confirmation to the Data Subject's email address at: [email], and copying [authorized agent], at request@authorizedagent.com

When submitting privacy requests on behalf of consumers, authorized agents are subject to two specifics mandates:

1. They must take reasonable security precautions to protect user information

2. Data obtained during the privacy request process may not be used for anything other than fulfilling the request itself

Businesses under the CCPA are required to treat privacy requests from authorized agents in essentially the same way they would if it came from a consumer. However, they do have guidelines and rights in regards to their response.

The CCPA states that businesses who’ve received a privacy request from an authorized agent may:

• Verify the request itself ie. request further verification from the consumer or authorized agent to ensure the request was valid and intentional

• Require the authorized agent to provide signed permission from the consumer before fulfilling the request

• Further verify the consumer’s identity with either the consumer themselves or the authorized agent

Essentially, when responding to a privacy request from an authorized agent, businesses have the right to verify the consumer’s identity and take steps to maintain the security of their data. They may not, however, charge an authorized agent for further identity verification.

The concept of helping users take control of their data is sound, and certainly one we support. However, the methods many authorized agents use in pursuit of data access and deletion pose considerable security risks.

As mentioned above, many authorized agents rely on crawling a user’s email inbox for relevant communications and then sending out templated emails in bulk. From a data security standpoint, the reliance on email and level of access to sensitive data opens a slew of potential risk factors.

Each manual step in a data access or deletion process creates a new opportunity for misunderstanding or simple human error. Opportunities for error include opening the wrong email, filing a ticket for the wrong request type, transferring inaccurate data to another team–and the list goes on.

A single web form, connected to an automated privacy infrastructure, removes this point of failure by minimizing the number of manual steps.

An authorized agent acting on behalf of one consumer is likely to be acting on behalf of others.

If a user submits their own request, and their email inbox was breached i.e. the password was exposed, that breach would only affect their own account. However, if an authorized agent was breached the consequences could be huge.

An attacker could potentially gain access to any email inbox to which the authorized agent has access, as well as issue DSRs for users who hadn’t actually made any requests.

Another potential issue with initiating DSRs through email is that it’s difficult to determine whether the email sender is actually who they say they are. We’ve all received those emails that supposedly originate from someone we know, asking for further information or an immediate response.

Luckily, with interpersonal emails, it’s easier to tell if the sender isn’t actually the person you know. However, with no personal relationship between a consumer and business, that form of subterfuge is more viable.

As noted above, authorized agents work as an intermediary between consumers and businesses. They help consumers get a picture of who might have their data, and then help to initiate the privacy request process.

In theory, authorized agents can provide a helpful service to consumers looking to exercise their data rights. In practice, however, they can prove somewhat problematic. Before responding to requests from an authorized agent, be sure to consider the following questions.

When it comes to data privacy, robust security is non-negotiable. One significant concern with the authorized agent model is that adding an additional layer between consumer and business makes it difficult to verify a user’s identity.

Imagine fulfilling a privacy request i.e. giving full access to or deleting an individual’s data (which can include social security numbers, credit card information, and sensitive health information)–only to realize you released all of that data to the wrong person.

Identify verification is key to secure privacy request fulfillment, so asking this question and implementing security measures like two-factor authentication is absolutely crucial.

One common refrain voiced by privacy professionals is that they frequently receive authorized agent requests for consumers whose data they don’t actually process.

As a one off event, this isn’t necessarily a big problem. However, as a trend, repeatedly searching for consumer data that’s nowhere to be found is frustrating and time consuming. Especially when there’s an incoming stream of valid privacy requests in your queue.

Whether or not a consumer is actually covered by a privacy law in force today is another important consideration. Consumers covered by the GDPR and CCPA have clear rights when it comes to data subject access requests, but these laws only cover citizens of California and the EU.

And, as is clear in the example email above, authorized agents don’t necessarily delineate between a user who is covered by law or not. (Remember, these are bulk email sends with blanket references to potentially-applicable privacy laws.)

Of course, upholding a user’s data rights doesn’t need to stem purely from regulatory pressure–your organization may choose to fulfill a privacy request whether or not the data subject is covered.

However, if your team receives hundreds of requests a month, there may not be bandwidth to fulfill requests outside of what’s legally mandated.

Privacy requests from authorized agents often arrive outside the DSR workflows a company already has in place e.g. in an email.

Many privacy teams rely on automated privacy request platforms, which are already connected to all relevant data systems. Compared to manual workflows, this means quicker turnaround times, less mistakes due to human error, and greater security for sensitive data.

When receiving an authorized agent request, your privacy team should check whether a request for the same user has come through on other channels, or if it’s already been fulfilled by an automated privacy request process.

Manual DSR fulfillment is certainly possible and is made necessary when a request originates outside the automated channel. However, it’s not the ideal state for a scalable privacy program.

For Transcend customers, responding to privacy requests from authorized agents is actually quite simple. Here are two easy ways to handle these types of requests.

Directing the requester to use your self-serve Transcend Privacy Center to authenticate and submit their request ensures you have the authorization and all information needed to fully process the request.

You can have multiple Data Subject types in your privacy center, each with their own Authentication Method

For example, you may choose to use JWT Account Login to have customers verify their identity by logging directly into their account, but instead use Email Verification for Authorized Agent requests. This way authorized agents can input the email address and additional information they have on the data subject when submitting the request.

The user for whom the request was submitted will receive an email where they’ll be required to click a link and confirm the request before it can be completed. This can be configured to send as a two-factor authentication step in addition to account login.

Once the email is verified, Transcend will programmatically map the verified email to a User ID or other user identifiers that may be associated with that email address and move forward with fulfilling the request across connected systems. If you wish, you can also add a manual review step to approve all requests of this type before they begin processing.

If you prefer, you can enter the information from the authorized agent and easily kickoff a request in moments yourself.

Crucially, you can still require an email verification link be sent directly to the data subject before the request is processed.

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, mitigate risk with smarter privacy Assessments, or discover and classify personal data and auto-generate reports with Data Mapping.