Understanding How Companies Handle Data-Rights Requests with Consumer Reports

The Challenge of Exercising Data Rights

For many years, the online consumer data ecosystem was a digital wild west: Consumers had almost no way to protect their online data, especially once it was already collected by companies.

Fortunately, recent consumer privacy regulations have since created safeguards for consumers’ online data. Laws like the California Consumer Privacy Act (CCPA) or General Data Protection Regulation (GDPR) have empowered users with new online data rights. Under CCPA, for instance, California residents can send requests to companies asking to access, delete, or opt-out of the sale of their personal data.

So what do consumers need to do to exercise these data rights? Current regulations tend to give companies leeway in determining how to receive and process requests. Some companies require mail or phone requests, while others accept them via email or an online form. Some companies require proof of ID, while others just need an email address.

The diversity of request processes coupled with the sheer volume of companies that maintain data on individuals means it is extremely challenging for consumers to send requests to different companies in a streamlined way. Consumer Reports has developed one user-facing solution to this problem: an app called Permission Slip, now in private beta. Permission Slip leverages the “authorized agent” provision of CCPA that allows a consumer to grant a third-party the ability to send requests on their behalf. Consumer Reports can therefore act as an authorized agent for Permission Slip users, allowing them to send requests to a multitude of different companies through the app.

Still, the diversity of company CCPA processes remains a challenge for authorized agents looking to send requests from more consumers to more companies. As a Siegel PiTech PhD Impact Fellow at the Consumer Reports Digital Lab this summer, my goal was to analyze data from previous Permission Slip CCPA requests and look for common patterns in these flows. What kinds of action did companies require to complete requests, and who needed to provide that information — the consumer, or the agent?

Our Analysis of the Digital Rights Ecosystem

The goal of the analysis was ultimately to develop resource allocation, product, and regulatory recommendations to the Consumer Reports digital team, as well as to authorized agents more broadly. We analyzed hundreds of CCPA requests sent via Permission Slip, which led us to find five categories of company processes:

1. Straightforward: Companies that handled CCPA requests without any additional information provided.

2. Unknown: Companies that did not respond to our CCPA requests, so it is unclear whether or not they were being handled.

3. Switching: Companies who switched their processes during the Permission Slip private beta, typically from email requests to a form.

4. Authorized-agent-action: Companies that required some additional action or information that the authorized agent could provide.

5. Consumer-action: Companies that required some additional action or information that the authorized agent could not provide, and instead had to request from the consumer. 

You can read more about the methods, findings, and implications of my analysis in this post on the CR Digital Lab blog.

Building the Future of Digital Rights

Each of the CCPA process categories we identified has unique implications for both authorized agents and regulators. For instance, regulators may want to understand why certain companies, such as those in the “unknown” category, aren’t responding to agents’ requests in a timely fashion. Authorized agents may want to partner with companies to standardize processes that require sensitive personal information — like “consumer-action” flows — through projects like Consumer Report’s Data Rights Protocol.

Being able to understand and adapt to the changing digital rights ecosystem is important because consumers’ rights are rapidly expanding: In 2023, four more states will have consumer data laws go into effect, and legislatures in many other states are currently considering similar bills. Earlier this summer, Congressional leaders introduced a long-awaited bipartisan federal privacy law. As more and more consumers are able to control the flow of their data, authorized agents and policymakers alike can benefit from understanding what common CCPA company processes exist today in order to help build a future Internet where consumers can easily and efficiently control their online data.