The Role of 'Authorized Agents' Under Key U.S. State Privacy Laws

A number of U.S. state privacy laws, starting with the California Consumer Privacy Act (CCPA), permit third parties authorized by the consumer to submit privacy requests on the consumer's behalf. These third parties are often referred to as “authorized agents”, or AAs for short.

Navigating which state law permits AAs and to what extent organizations must work with such intermediaries can feel like a game of Minesweeper.

The below table and reminders should help.

Source: Lucid Privacy Group

When interacting with an AA, do not forget to:

  1. Verify they are in fact authorized to represent the consumer. The requirements for verifying that an agent is authorized on behalf of a consumer vary by state, but generally, companies should respond to emails from supposed AAs by requesting that the agent provide the agreement in which the consumer grants the agent the authorization to exercise their privacy rights.

    Note that opt-out preference signals like GPC are permitted and endorsed because they are, in effect, robo-agents.
     
  2. Send an acknowledging response. If the AA provides proof of authorization, honor the valid request and respond to the AA to let them know the request is being honored and/or has been honored.

    However, if no proof is forthcoming, or the proof is insufficient, respond to inform the AA that the proxy request cannot be verified and that the consumer should exercise their rights directly, such as via a ‘Your Privacy Choices’ page or by privacy@ email.
     
  3. Delete verification documentation. Data minimization is both a virtue and a requirement. After a request has been denied or fulfilled, delete any information received that was provided in making the request. This includes the documentation the AA provided to show the agent is indeed authorized, and any consumer identification documentation that may have been passed along.

    Unless you need to retain such records to defend against legal claims (some requests can be pre-litigation fishing expeditions), case-level information and metadata are typically all that’s required to demonstrate timely, good-faith compliance.

When verifying the AA, use reasonable efforts:

Source: Lucid Privacy Group