On Operating a Do Not Sell Authorized Agent Under CCPA

Ginny Fahs
3 min readFeb 4, 2021

--

Consumer Reports became an authorized agent, submitted opt-out requests on behalf of California consumers — and learned a lot.

Image courtesy of Bronney Hui and OpenIDEO’s Cybersecurity Visuals Challenge

The California Consumer Privacy Act (CCPA) is the nation’s first comprehensive commercial privacy law and it extends important new data rights to consumers. That said, it can take people an extraordinary amount of time to act on these new rights considering just how many companies have our data — many of which we’ve never even heard of. Who has the time and motivation to reach out to companies one by one?

Thankfully the CCPA says that an authorized agent can make data-related requests on behalf of consumers. Authorized agents make the CCPA practical for people by allowing us to outsource our data requests.

In October, the Digital Lab announced our plan to pilot an authorized agent. We recruited over a hundred volunteers in California and asked them to sign a simple permission letter designating CR to take data actions for them as their authorized agent. Then we sent “Do Not Sell” or “opt-out” requests — requests that a company stop selling a consumer’s data — to 21 companies.

Our objective was to understand the technical and practical considerations for operating an authorized agent, and to gauge what authorized agent adoption looks like in industry. Though we conducted the study on a small scale, our experience serves as an important snapshot of the authorized agent ecosystem today.

This report illuminates our findings. We sent it to the Attorney General of California and others to shed light on the status of opt-out agent adoption and offer recommendations for strengthening compliance. Here’s what we noticed:

Agent opt-out handling by companies is not standardized

We saw significant variation in the way companies handled agent opt-outs. Some companies claimed that the opt-out did not apply, others required extra steps for opt-out processing; many companies processed opt-outs only partially, and still others made it impossible to submit opt-outs in the first place.

Communication and design are crucial to agent effectiveness

Our requests often met confusing web forms and ambiguous communications from companies, which posed challenges in submitting opt-outs and gauging their effectiveness. Many companies did not confirm that the opt-out was received, in process, or completed. Without certainty about whether requests had been received and acted upon, it was hard to keep consumers informed on the status of the request.

Consumers are ready for agents

Consumers were enthusiastic about getting to use an authorized agent by CR. The pilot was oversubscribed after a single email announcement, no consumers dropped out once onboarded, and those participating reported they were highly likely to recommend CR’s authorized agent services to a friend. We are encouraged by our volunteers’ energy and grateful to all who participated in the pilot!

The opt-out agent was the first in a series of experiments CR Digital Lab plans to launch to explore what emergent, consumer-facing services are possible under the CCPA. If you’re a California resident and would like to participate in our upcoming CCPA experiments, you can sign up here.

We will be launching more data rights experiments in 2021 and welcome any questions about the pilot or ideas for future privacy products you’d like the Digital Lab to explore. Let us know what you think by commenting here or dropping us a note at datarightsstudy@cr.org.

--

--

Ginny Fahs
Ginny Fahs

Written by Ginny Fahs

Tech Fellow @AspenPolicyHub & #MovingForward Executive Director. Ex- @UberEngineering .

No responses yet