Consumer Reports' Data Rights Protocol Aims to Standardize Agent Requests
A new privacy protocol aims at getting consumers quicker responses from businesses when they seek to exercise their data rights under a growing body of state laws. Consumer Reports and a group of privacy compliance companies will release the Data Rights Protocol (DRP) on Tuesday after nearly four years of development, CR told Privacy Daily. OneTrust, Transcend, Yorba and CR’s Permission Slip announced that they added DRP to their systems and are working to move it to production.
The DRP provides a standardized, machine-readable format for authorized agent requests, with the goal of making them easier to process, said Ginny Fahs, CR director of product research and development, in an interview. CR developed the DRP with a consortium of privacy companies after the California Consumer Privacy Act (CCPA) let individuals authorize agents to submit CCPA requests on their behalf, she said. DRP is “extensible to cover lots of different states,” said Fahs, adding that CR has briefed multiple state regulators, including those in California, about the protocol.
The protocol will be largely invisible to consumers. “This is magic that’s happening in the middleware layer,” Fahs said. “But the result for the consumer is that they should have a faster and more reliable return on their request when using the data rights protocol, because it's a structured way to transmit these requests.” DRP may be most helpful for large companies and data brokers that field sizeable volumes of requests from consumers, she said.
CR considers Tuesday’s DRP release to be version 1.0 because “this technology is at a state of readiness where we believe it can live and work in production systems at scale,” said Fahs. “There will still be a little bit of testing with the various partners before companies start rolling this out,” but she hopes “we’ll have something in production by the end of the calendar year.” In addition, Fahs predicted DRP updates as technology develops, the privacy law landscape evolves, and the consortium sees how its protocol works in practice.
DRP was developed with a variety of privacy companies, including those that act as authorized agents, like Yorba, Incogni and Mine, as well as B2B companies involved in the exchange and processing of data rights requests, such as OneTrust, Transcend and DataGrail.
OneTrust has built the infrastructure to facilitate DRP and is working with CR to test it in production, Ryan Edge, OneTrust director-strategy, privacy and data governance, told us. While the timing of DRP isn’t fully in OneTrust’s control, “we’re ready to go [and] we feel pretty confident it’s going to happen this year,” he said. OneTrust provides privacy compliance software for about 14,000 businesses globally across different industries.
Other consortium members applauded the protocol’s release. “The launch of DRP 1.0 is a significant step toward improving privacy rights and making it easier than ever for people to declutter their online lives,” Yorba CEO Chris Zeunstrom said in a statement. “This protocol empowers individuals to take control of their data while giving businesses the tools to handle privacy responsibly.”
Transcend CEO Ben Brook said, “We believe that privacy remains a fundamentally unsolved problem inside companies.” Brook continued, “Most have neither a clear view of their data, nor effective privacy controls embedded directly into their systems.” Companies need “a way to navigate the complexities of data rights requests.”
Developing a Common Protocol
Consumer Reports envisioned the DRP after publishing a report in February 2021 about the CCPA’s authorized agent provisions. Seeking to better understand how that would work in practice, CR “recruited about 100 consumers [and] went out to about 20 companies representing them,” Fahs said. “We found that there were significant barriers to submitting these requests as authorized agents,” including poor interface designs and inadequate communication with businesses receiving the requests.
There were also problems for the companies getting requests, since they were “receiving them from lots of different kinds of agents, and the agents [were] sending along different information about the consumers,” often in unstructured formats like emails and phone calls, said Fahs: “As a company, you need to figure out how to accommodate lots of different kinds of requests,” but it’s tough to create standard workflows and processes. Seeking to address those issues, CR formed a consortium of companies to develop a “common protocol that would help transmit and standardize the consumer privacy requests that involve an authorization.”
Fahs noted some challenges during DRP’s four years of development, including finding consensus among competitors within the group. “A lot of this project has been about navigating the consortium and making sure that we have appropriate buy-in from the various companies.” One technical challenge was determining how to adequately verify agents. Is the agent who he says he is and is truly representing a specific consumer? Ensuring appropriate security was another big task, she said.
OneTrust’s Edge said the biggest development challenge was agreeing on what the standardized request should include. Various businesses might require different information to fulfill requests, he said. “The other big thing” was “identity verification” for confirming the authenticity of requests.
Edge thinks DRP’s biggest impact on day one will be standardizing data rights requests and ensuring companies have “the right information upfront” to answer them. Large business-to-consumer brands that have struggled most from a recent spike in authorized agent requests stand to benefit most, he added.
The number of requests through authorized agents has exploded since the CCPA, said Edge. Those agents “allow people to more easily send out a wide variety of requests to all the companies that have their data instead of going one by one.” That increased scale intensifies previous challenges of fulfilling requests, including determining how to verify requestors’ identities, finding their personal data and securely communicating information back to them, he said.
Having the requests arrive in different formats further complicates the challenge, said Edge: “Without a protocol, it creates a lot of work” for businesses, which must create a system to parse requests or “manually key in” the queries.