Data Rights Protocol

While new privacy laws, such as the California Consumer Privacy Act (CCPA), give users privacy rights to opt out, access, or delete their data, these rights can be difficult to exercise and fulfill in practice. Burdens exist for consumers, but they also exist for companies who need to honor the rights of large numbers of consumers.

Consumers contact companies one by one to manage their data, which is as time-consuming as it is frustrating. Companies face a similar burden as processing data requests is often manual and, thus, time-consuming and costly too. Companies crave standard tools and solutions to receive and ingest data rights requests, but no one company is incentivized to solve for this missing piece in today’s privacy stack

We believe a standard protocol that streamlines and formalizes the components of a data rights request would allow for more consistency and efficiency for both consumers submitting requests and companies processing them. That’s why CR’s Innovation Lab started work on a data rights protocol in 2021 with DataGrail, Ethyca, Incogni, Mine, OneTrust, Spokeo, Surfshark, Transcend, WireWheel, and Yorba. 

The “Data Rights Protocol” (DRP) seeks to standardize the technical interchange of data rights requests and provide a standard method for consumers to exercise their data rights under the California Consumer Privacy Act and beyond. At its core, the DRP is a communication workflow that receives, processes, and completes data rights requests in an interoperable fashion.

In addition to being a valuable contribution to the privacy tech ecosystem, this protocol is beneficial for our Permission Slip product strategy, another initiative of CR. Companies that conform with DRP will be able integrate programmatically with Permission Slip, rather than requiring CR to conduct bespoke manual processes for each company receiving our data requests.

The Data Rights Protocol is an efficient, cost-effective, and reliable solution for managing the ever-growing number of consumer data rights requests. By specifying standard request and response patterns for shepherding privacy rights requests on behalf of consumers, the DPR enables smoother and more efficient delivery of privacy rights. DRP:

• Sets a standard to make it easier for companies to honor consumer data rights requests
• Offers seamless, secure exchanges between consumers and businesses
• Turns data rights into reality with simplicity for businesses

The protocol is co-developed by a consortium of implementing companies who serve in the role of authorized agent, privacy infrastructure provider, and/or covered business.