From The Consumer Reports Digital Lab Team (digitallab@cr.consumer.org).
Who should read this? This writing is aimed at California regulators, the CA Privacy Protection Agency, and other states with authorized representative provisions in their privacy laws. If you’re not that audience, you may be interested in an overview of this research or our recommendations for covered businesses.
Summary
In Fall 2021, Consumer Reports Digital Lab conducted a research project exploring the California Consumer Privacy Act (CCPA) right to access personal data via an authorized representative. As an authorized agent, we sent 204 CCPA access requests to 21 companies on behalf of 104 consumers, 15 with power of attorney (POA). While many challenges Consumer Reports encountered could be addressed by technical or process solutions, a few seem best if addressed by regulators.
The central challenge we encountered was that each business we studied implemented the data access process differently, making it difficult for consumers to exercise their rights. As first steps toward a standard access process that is straightforward for consumers and agents, and sufficiently flexible for covered businesses, we have outlined four specific recommendations.
Four recommendations for regulation of authorized agent access requests:
-
- Let consumers specify who receives the data (consumer vs agent)
-
- Allow consumers more time to verify identity
-
- Require public documentation of data formats
-
- Explore expanding the power of attorney authorization
In addition to our recommendations, we encountered a few cases of possible non-compliance. While we refrain from publishing the specifics, we are able to provide details and evidence with regulators or other relevant parties.
1. Let consumers specify who receives the data (consumer vs agent)
Across the 21 different businesses studied in our research, there was no consistency as to who received the data returned from authorized agent access requests. Some businesses provide data to the consumer by default, while others provide it to the agent. Some were reluctant to share data with an agent, while one identity management business refused to send data to the consumer, sharing it only directly to the agent.
In our work, we requested that data access be provided directly to the consumer, so we cannot speak to data access to agents. However, Consumer Reports recognizes that there are good reasons why a consumer would want either outcome. For example, a consumer might want to rely on an agent to do the work of managing and sending requests, but not want that agent to possess the personal data. In that case, data access should go directly to the consumer. In other cases, access should be given to the agent. A consumer might want an authorized agent to gather, manage, and analyze their data. They might want to directly contribute their data to a research project or a data union. An agent might be sending a request on behalf of a child or incapacitated individual.
Rather than specify the recipient in regulation, regulators should clarify that covered businesses must let consumers specify whether the agent or consumer receives communications and data related to the access request, and honor that choice. This might not be relevant in cases where a request is automatically denied or fulfilled; for example, when a covered business determines they have no data related to the consumer.
2. Allow consumers more time to verify identity
CCPA regulations allot businesses 45 days to respond to access requests, “regardless of time required to verify the request.” (1) We recommend that this guidance be updated to require businesses to allow the consumer five business days to complete verification actions.
Several businesses we studied require consumers to take verification action (e.g., email verification, a document upload) within a given timeframe. In some cases, the time frames were unreasonable or inaccessible for consumers. For example, one telecommunications company stated that consumers must verify their phone, email, and upload a copy of an ID “within 24 hours after receiving the notification email.” In another case, an information broker required that the consumer complete identity verification “within 30 minutes” after the agent submits the request. In most cases, if the consumer could not complete the action, the entire request was denied, requiring resubmission and further delay.
Particularly for authorized agent requests, short time frames are unreasonable for consumers. There is often a delay between when a consumer asks an agent to make a request and when the covered business accepts the agent request. In practice, this means that consumers sometimes received time-bound verification tasks at unexpected or impractical times. A shift nurse cannot monitor their inbox for weeks, waiting for an exploding 30-minute email in order to exercise their data rights.
We recommend that regulations include a minimum window of five days for the consumer to verify their requests. To minimize new burdens on covered businesses, this consumer action time could be designated as exempt from the 45-day window.
3. Require public documentation of data formats
When consumers successfully receive data access with specific pieces of information, the CCPA states that the data must be “in a portable and, to the extent technically feasible, readily usable format.” (2) (Amendments under the California Privacy Rights Act, which will go into effect in 2023, clarify that the data must be “in a format that is easily understandable to the average consumer” and machine-readable when feasible.) (3) We applaud covered businesses that provide properly extensive, machine-readable data files. However, sometimes those files contain data without sufficient context. Regulators should clarify that not only the format, but the content as a whole ought to be easily understandable. Data dumps should include a data dictionary or other explanation of how to interpret personal data. For example, a colleague from the Data Access Tracker project (4) requested data from a social media company and received a file of their data collected from third party websites. It included a list of “events” when the consumer interacted with a grocery store, but that event data had cryptic details, such as an event type of custom and an unknown numeric ID. This requirement is not unreasonable for covered businesses, as such dictionaries are often already used internally for software development. In illustration of this point, video streaming company Netflix already includes a dictionary for data access requests. (5)
4. Explore digital identity verification
Some covered businesses may reasonably prefer to reach out to the consumer directly to verify their identity, and to verify that the agent is authorized to submit requests on their behalf. However, under CCPA regulations, covered businesses may not require the consumer to verify their identity directly with the business “when a consumer has provided the authorized agent with power of attorney.” (6) For our research, Consumer Reports obtained a limited power of attorney (POA) from 15 consumers, who each signed with two adult witnesses, consistent with California law.
In theory, providing an agent with POA greatly reduces the burden on consumers wishing to exercise data rights. Rather than having to field dozens, if not hundreds, of requests from businesses to confirm their identity, a consumer can rely on an agent to do so efficiently with minimal consumer intervention. This practice can also support covered businesses by shifting some of the burden of consumer identity verification from the covered business to the agent. In practice, there was sometimes little difference between providing documentation of power of attorney and providing a simple affidavit.
At least two companies requested consumer verification even when we provided POA. One data broker asked a POA-granted consumer for email verification and an “authentication exam.” One genealogy company asked two POA-granted consumers to send in a copy of their California ID. (This business later seemed to walk back on that request after we reminded them of the relevant regulation.)
Especially during a pandemic, it could be burdensome for consumers to visit a notary or find two in-person witnesses. It was also difficult for agents to juggle and parse paper or pdf documents in the midst of what is a largely digital data process.
Because of these setbacks, we encourage regulators to explore identity verification through digital flows. Consumer Reports is working to develop digital identity verification modes that are equivalent, appropriate, and proportional to statutory POA.
Digital identity protocols can provide similar (or in some cases, improved) levels of identity assurance. (7) Digital identity flows have the added benefit of reducing costs for covered businesses, as the burden and liability of consumer identity verification can be passed entirely to agents. In turn, agents can collect identifiers from a consumer and pass along only the requested relevant identifiers to each covered business, improving response times and reducing load on covered businesses. Alongside industry partners, Consumer Reports is already developing a standard for exercising California data rights that is a simple extension of two widely-deployed identity protocols (OAuth2 and OpenIDConnect). (8) While stakeholders continue hammering out the details of such a data rights verification protocol, we ask regulators to explore the possibility of digital identity verification.
Written by Maggie Oates with support from Ginny Fahs, Maureen Mahoney, Johannes Ernst, and Dazza Greenwood.
