Under the CCPA and CPRA, consumers have the right to designate an authorized agent to exercise their privacy rights, including requests to know, delete, or opt out of the sale of personal information. The agent must have written permission from the consumer or, for certain request types, hold power of attorney.
Businesses receiving requests from authorized agents must verify both the agent's identity and their authorization from the consumer before fulfilling the request. This verification requirement exists to protect consumers from unauthorized parties submitting fraudulent requests.
Handling authorized agent requests requires the same processing infrastructure as direct consumer requests, with an added verification layer. As consumer privacy tools and third-party services increasingly submit requests programmatically on behalf of large consumer populations, organizations need workflows that can reliably distinguish and process authorized agent requests at scale.