Authorized Agents

Authorized agents are organizations or individuals who can, under privacy laws like GDPR and CCPA, fulfill certain data rights on behalf of a consumer.

The CCPA defines authorized agents as:

“a natural person or business entity registered with the Secretary of State [...] in California that a consumer has authorized to act on their behalf…”

Authorized agents are a byproduct of modern privacy laws, so what they can do on behalf of consumers differs slightly depending on the law. Most commonly though, they are used to submit data subject access requests, sometimes known as privacy requests.

In practice, this means consumers will give the authorized agent permission to reach out to any company they believe is processing their data, often through bulk email sends.

Though largely unregulated in their methods, the GDPR does require that authorized agents:

  • Take steps to ensure data security
  • Use data obtained during the privacy request only for fulfilling the request itself

For the most part, businesses under the CCPA must treat privacy requests from authorized agents the same way they would if it came directly from a consumer. However, they are permitted to request further identity verification in order to ensure the request's validity.