“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0
Companies collect and store a lot of data about us. Aren’t you curious about what they know? Seeing the data that companies have about us can help us make better choices about our privacy, discover and correct errors that impact our experience or identity, make sense of our experiences online, identify weak spots in our online security, and leverage data for our own purposes.
In recent years, data access has become a new consumer right under state privacy laws like the California Consumer Privacy Act (CCPA). Consumer Reports believes in the power of data access, so in September 2021 we launched a research pilot in which we served as an “authorized agent” and helped 100 volunteers in California exercise their right to access the personal data companies have about them.
We learned a lot about the state of data access requests sent by authorized agents: how companies respond to them, and what consumers can learn from them.
California privacy law, data access, and authorized agents
The CCPA is a new privacy law in California that, among other rights, allows consumers to access the personal data companies have about them. Under this law consumers can also designate an “authorized agent” to help exercise their rights.
Exercising your data rights on your own can be tough. Based on prior Consumer Reports research on the right to opt out of the sale of your data, we estimate it would take approximately 30 hours of work (almost an entire work week) for a consumer to manage their data with all the companies that have it. But with an authorized agent (essentially a privacy helper), Californians can enlist an assistant to help exercise their data rights. Consumer Reports decided to use this “authorized agent” provision in the law to help 100 volunteers access the data companies have about them.
Lifecycle of a data access request
When you request data, businesses are required to make sure that they’re sending it to the rightful recipient. After you send a data request, companies often ask you to verify your email, answer security questions, or upload documentation like a copy of your ID to confirm your identity.
Authorized agents can step in by helping consumers open requests, providing some of the request documentation, keeping track of requests, and troubleshooting issues. In an ideal world, authorized agents are privacy travel guides.
To test out serving as an agent authorized to help with data access, the CR team had to send requests to many different businesses. We recruited 104 California consumers who volunteered to work with us to access their online data. Each volunteer verified their phone, confirmed their email address, and signed a legal document to make Consumer Reports their authorized agent under California law.
We picked 21 diverse companies to receive our data access requests, including retail giants, data brokers, and a fast food chain. As a courtesy, we let each business know ahead of time about this research and asked for details about what to expect. Most of the time, we didn’t hear back. We sent two requests for each participating volunteer, which resulted in 208 total requests sent.
On September 29, 2021, we sent out the first requests. Companies legally have around 45 days to resolve each request, but they’re also allowed to file an extension. Around two and four weeks after sending requests, we surveyed our volunteers online to learn about what challenges they faced and if they’d received their data yet. During the months that followed, we carefully logged and monitored communications for the 208 requests.
Sending 208 data access requests on behalf of consumers showed us that accessing consumer data as an authorized agent can be hard. Hard for us as agents, hard for consumers, and even hard for businesses at times. While consumers did sometimes get access to data that helped them understand their online lives, many encountered challenges with verifying their identity, getting requests returned successfully, and interpreting the data when they did receive it.
Finding #1: Verifying identity was difficult and confusing
Our consumer volunteers consistently said that verifying their identity with companies was challenging. Sometimes it was confusing, impractical, or time-consuming. That said, identity verification is also critical for ensuring safe handling of data rights requests. Companies need to put in the due diligence to ensure that they are sharing personal information with the correct person. At the same time, identity verification flows need to be intuitive enough that consumers can complete them successfully.
A few companies successfully balanced the tension between verifying identity with confidence and making the process simple for consumers. One people-search data broker asked consumers to verify their email address and allowed time to provide alternative names and addresses if the ones provided didn’t match those in their database. A telecommunication company required SMS verification and an upload of a government-issued ID, but provided seven days to complete the process.
In stark contrast, a different data broker business required consumers to verify a link in their email within just 30 minutes of receiving it, without any warning as to when the email would be sent. A car company asked a laundry list of identity questions, including VIN numbers, dates of vehicles purchased or sold, along with a copy of the consumer’s driver’s license. That kind of documentation is burdensome to track down, but sometimes it can also be impossible. For example, requiring a California ID is a barrier to the many US residents who do not have a state ID, including one of the volunteers in our research.
Sometimes consumers were unsure about whether the emails they received about identity verification were legitimate or not. A handful of consumers emailed our team to check whether the legitimate email they received was a phishing scam.
Anthony, volunteer #319 of California, sums up the experience with identity verification: “This is way too much effort.” Identity verification is an extremely important part of data access, but businesses also need to consider whether their process is usable and reasonable for consumers.
Finding #2: Some data seemed fishy to consumers
The two dozen volunteers who did get meaningful access to their data reported a variety of feelings as they explored it, including surprise, curiosity, boredom, happiness, and frustration.
Many consumers were surprised or suspicious when the data reports they received were empty or contained little meaningful information. After receiving a mostly empty report from a telecommunications company he’d been a customer of, Juan (Volunteer #253, California) felt “confused. Surely, they [have] hidden my data from me.” Another volunteer felt the same about a large retail store, saying, “They told me they checked but had nothing – which is odd because I shop there, I even have their [store] credit card,” (Henry, California, Volunteer #226).
Sometimes the data was surprising or upsetting. After receiving a detailed report from a data broker, Anthony (Volunteer #245) felt surprised “that they knew all my siblings, where they lived and all my neighbors.” In other cases, the data seemed incorrect. While reading the same data broker report, Dennis (Volunteer #298) noted they “had a lot of info about me, even my Mom, Dad, brother, sons. Also, some incorrect info, i.e. people listed that I have no connection with.”
Finding #3: Some companies weren’t fully prepared to serve consumer data rights
In a perfect world, all 104 consumers would have received access to two reports of the data that was theirs to begin with. Here’s what happened in reality:
|Outcomes of data access requests we sent on behalf of consumers (counts)|
|Fulfilled (Includes responses like, “we have no data on this consumer,” “here is your data,” and “please log in to your account to download data”)||
|Denied (Includes responses like “Our business is not covered under CCPA” and “The consumer did not complete their verification”)||
|Not Fulfilled (Includes requests that were not fulfilled meaningfully, or because consumers faced technical issues that prevented them from verifying or accessing their data.)||8|
|Unknown (Includes requests where we received confirmation from neither the business nor the consumer about their request, or when communications were unclear.)||
|Total Data Requests||208|
Why do so many requests have Unknown status? For most requests, we don’t know the outcome because businesses chose not to communicate with us, the agent. A few businesses were proactive about keeping us in the loop, but some did not reliably respond to our communications.
Why were requests Fulfilled? Requests were fulfilled when the consumer verified their identity and the business provided a data report to the consumer. In many cases, these reports were empty. In some cases, they were rightfully blank because the business had not stored identifiable data. In other cases, the business might have the data, but required an exact match of email or mailing address in order to find a person in their database.
Why were requests Denied? One business claimed they were not covered by California law, denying all the requests we sent in. In some cases, the company denied the request because they claimed they’d never collected data on that person. In many cases, requests were denied because the consumer was not able to complete the identity verification process (see Finding #1 above).
Why were requests Not Fulfilled? In a handful of cases, the consumers were motivated to complete the process, but were blocked by technical issues. For example, two consumers said they received reports, but were unable to open them due to technical errors or device compatibility issues. To be true data access, that “access” needs to be meaningfully accessible to consumers.
Overall, most volunteers in our research did not receive meaningful access to their data. Consumers often felt confused about how to achieve their privacy goals. Even our team at Consumer Reports, an organization with extensive legal and privacy expertise, was at times confused about the processes companies used. One volunteer said, “They [companies] seem to have no particular interest in making it easy to exercise my rights and invest the appropriate amount of money, attention, and user experience talent to make it easy,” (Anonymous Volunteer #212, California).
Unfortunately, most companies are not yet fully prepared to handle authorized agent requests to help consumers get access to their own data.
Some of the issues with data access requests sent by authorized agents are simple fixes; others are more complex. For example, some companies’ online privacy forms did not have boxes for us to input an email address for both the agent and the consumer. One company that clearly wasn’t set up for authorized agents even asked us security questions along the lines of, “What year was Consumer Reports born?” and “What streets has Consumer Reports lived on?” in an attempt to verify the agent’s identity. Many companies declined to communicate with the agent about requests, leaving the agent out of the loop. (We won’t be “naming names” in this summary, but we do plan to surface our findings to regulators so they are informed about which companies showed lackluster behavior.)
Despite the obstacles we encountered in this research, we’re optimistic that the landscape of data requests sent by authorized agents will improve. Several companies listened to our questions and improved their process for authorized agents based on our experience submitting requests in this research: one business decided to stop requiring forms sent via postal mail, and another adapted their process to keep both us and the consumer in the loop. In a separate post, we’ve put together detailed recommendations for businesses and privacy teams to improve request workflows for both authorized agents and consumers.
As consumers, we will never know the complete behind-the-scenes of how each company collects and retains our data, but getting our hands on our data can teach us a lot. Overall, volunteers appreciated having an authorized agent privacy helper on their side. “I appreciated that CR could help me figure out how to obtain data and to obtain for me,” said Aldric (Volunteer #309). Most companies are not yet prepared to handle data access requests from authorized agents, but we have faith that this will change with time; it’s already started to.
This research was one piece in the puzzle of securing usable privacy tools for all consumers. We’ll be sharing our detailed research findings with companies and regulators. You can join our privacy advocacy with hundreds of others who are involved in the Digital Lab’s fight for consumer privacy.
Want to use an authorized agent to manage your own data? You can sign up for CR’s Permission Slip app, which is coming soon to iOS. We’ve channeled our learnings from sending data requests for consumers into this new offering that will help you take control of the data companies have about you.
Thanks to the hundreds of volunteers who signed up to be part of our CCPA data rights research, which began mid-2020 and is still going strong. You are the ones propelling data rights forward in this country.
Arushi Saxena started the work of this year-long research project that Maggie had the pleasure of finishing. Erika Mikkelsen Halford and Maureen Mahoney answered dozens of questions on privacy law and regulations. Ginny Fahs led this project and kept us all together. Thanks to Yael Grauer and Ginny for their feedback on this piece.
Thanks to the fearless team at Bocoup that pieced together our verification onboarding, Jes Daigle, Mike Pennisi, Alexander Flenniken, Sheila Moussavi, and Boaz Sender.