Why Some Data Subject Request Services Create Compliance Concerns
International Association of Privacy Professionals (IAPP)
If you are responsible for handling data subject requests made pursuant to the EU General Data Protection Regulation or verified consumer requests made pursuant to the California Consumer Privacy Act, chances are you have come across one or more of the myriad companies that purport to be advocating for consumers in making requests on their behalf.
These companies include Mine, Privacy Bee, DeleteMe and Revoke. While these services take different approaches, their core service attempts to automate requests on behalf of consumers. However, in some cases, these companies have never interacted with the consumer and often reference inapplicable laws or proposed bills. While many companies' first inclination may be to "give the benefit of the doubt" to these requests and treat them all as if they were valid DSRs or VCRs made by data subjects that have those rights, doing so can be problematic.
At present, these requests are focused mainly on deletion or right-to-be-forgotten requests, i.e., a request that the company delete information relating to the consumer. Before examining some specifics of these requests, companies need to consider which privacy regulations they are subject to and the mechanisms those regulations have to protect both the company and consumer. In particular, companies must consider the mechanisms relating to the submission of requests, any exemptions for personal data not subject to the right, verification of the consumer's identity, and verification that a consumer has authorized an agent to act on their behalf.
These legal mechanisms, specifically addressed in the privacy regulations, provide protections that benefit consumers and companies against fraud or mistakes. Therefore, although these mass request disseminators purport to be consumer advocates, at least some of their practices can have the exact opposite effect by ignoring or attempting to sidestep regulations that protect consumers. Further, by sending out large volumes of these requests without regard to whether the consumer interacted with the company in the past, these disseminators add confusion that exacerbates this problem.
These requests continue to evolve, but they are predominantly directed at sites with a public email address for contact. Some of these requests are being sent to correspondence email addresses not designated for privacy requests at all. One company, Privacy Bee, has been sending out a significant number of these, taking a broad shotgun approach to sending requests. Although it is difficult to discern their precise methodology, it appears they are building a database of email addresses for companies and sending bulk requests on behalf of their users without regard to whether the user ever interacted with the company.
Further, their requests are absurdly broad and purport to be made "pursuant to Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation."
Many of those acts and bills cited are not "applicable right-to-be-forgotten legislation," for reasons including that some were never passed and are not laws at all. Aside from citing inapplicable non-laws, the email has a few other problematic features. Privacy Bee sends the email and provides in the body only a name and email address of the user that is the subject of the request. The request includes a link to what purports to be a power of attorney, which appears to have been signed using DocuSign. It contains the individual's name and the date and purports to appoint Privacy Bee as an authorized agent, specifically mentioning CCPA, GDPR and Australia's Privacy Act. The emailed request also contains an arbitrary countdown timer for a response, which from the analysis of one request was set for 33 calendar days or 25 business days, and a link to a portal that allows the aforementioned power of attorney to be viewed. The portal also allows the company to "[t]ake action on the Privacy Request" with buttons that read "I agree" or "I refuse."
How should you handle these requests if you're in the US and not subject to GDPR?
Here are some suggestions for approaching this new "privacy advocate" industry.
- Draw clear lines and only provide rights to those who have them by law: As it currently stands, companies only really have to consider CCPA requests for California residents, and while a tendency may be to extend the rights as a courtesy or for operational convenience, companies should carefully consider that approach. The CCPA regulations contain a significant amount of detail around verification requirements designed to protect consumers, which, when companies follow those procedures, also protects them. If companies get in the habit of responding to requests to delete or requests to know for individuals in other jurisdictions, they have no guidance on what constitutes reasonable diligence in verification. For a California resident, if the information is mistakenly deleted or inadvertently disclosed after following the regulations, the company can point to having followed that guidance to defend their actions. But for a resident of any other state, that diligence might not carry any weight. Therefore, companies should carefully balance the risks of expanding or limiting rights to the individuals, specifically considering the risks imposed by expanding these rights to jurisdictions that have not provided guidance on how to accommodate those rights and minimize risk to the consumer.
- Rely on the regulations and provide specified methods to submit CCPA requests: The CCPA regulations make it clear that a company can specify methods of submitting requests and can direct anyone making a request otherwise to use those methods:
999.312 (e) If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either:
(1) Treat the request as if it had been submitted in accordance with the business's designated manner, or
(2) Provide the consumer with information on how to submit the request or remedy any deficiencies with it, if applicable.
Given the influx of these requests by email, companies should consider using a webform that specifies the fields needed for a valid request. A second method can be a toll-free number where the agents ask for similar information. With these in place, companies can respond to these emailed requests by instructing the sender to submit a request through one of the approved methods.
- Invoke other elements of the statute and regulations: Although the CCPA is largely silent on how an individual can identify themselves as a California resident, it is clear that only California residents get rights under the CCPA. Although companies should be careful not to burden actual California residents with onerous requirements, it should be acceptable for companies to screen for California residency, particularly when it is readily apparent that these "privacy advocates" are making no attempt to limit their requests to those that individuals have rights to make. Other aspects of the statute and regulations can help mitigate the shotgun approach, such as (1) requiring a signed declaration submitted under penalty of perjury for requests to know specific pieces of information and requests to delete if warranted; (2) requiring the individual to confirm they want their information deleted; and (3) requiring the individual to "[d]irectly confirm with the business that they provided the authorized agent permission to submit the request" as allowed by Section 999.326 (in situations where there is not a power of attorney that meets California Probate Code 4121 to 4130).
Although some of these requests have been around for a while, they seem to have exploded in frequency recently. Given some of the practices outlined above, one can only expect them to continue to increase for any company with public-facing privacy-related email addresses on their site. Implementing some of the strategies outlined herein can help mitigate the disruptive effect of these mass requests.
For more information on this issue and other updates and alerts regarding privacy law developments, subscribe to Bradley's privacy blog Online and On Point.
Republished with permission. This article, "Why Some Data Subject Request Services Create Compliance Concerns," was published in The Privacy Advisor by the International Association of Privacy Professionals on March 23, 2021.