How to Respond to Automated Data Subject Requests
The implementation of high-profile data laws such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has given consumers the ability to exercise previously unheard-of rights. This paradigm shift has left businesses and financial organizations scrambling to keep up, perhaps most notably with data access and opt-out requests: a consumer submits a request to a company, and the company is legally obligated to fulfill it within a set timeframe.
This aspect of data privacy law has spawned a whole new industry: data subject request services, also known as “privacy advocates.” In short, these services claim to operate on behalf of consumers exercising their data privacy rights. If your organization has been dealing with such requests, you’ve probably heard of some of these companies before.
While it’s not our place to say whether these companies are really the “future of data ownership” or just a means of profiting off an emerging legal trend, taking their requests at face value can create a compliance risk. Here’s what you need to do when you get one.
Make Sure the Cited Laws Actually Apply
Automated data subject request services often work by sending access and deletion requests (usually the latter) en masse, targeting companies with publicly available contact information. In many cases these services send requests without confirming that the consumer has ever interacted with your company, or that the laws they cite actually apply.
It’s natural to err on the side of caution and take all of these requests seriously. However, before you begin to process them consumer-by-consumer, make sure you have a firm understanding of what laws apply to your company and what exemptions exist for data rights requests. That way, you can ensure that these requests are worth prioritizing over other compliance concerns.
Additionally, make sure the laws they cite have actually passed and are currently enforceable, and that they include the right to access the data in question. Emails from these companies commonly include an overwhelmingly broad list of laws, so don't be deterred when assessing which actions you are actually obligated to take.
Be Sure to Verify the Consumers’ Identities
This leads to the next point: sometimes these companies make requests on behalf of consumers they have never interacted with, or on behalf of consumers who have never interacted with your organization.
Once you confirm that the cited laws apply, formally verify the consumer's identity (and check that you actually hold their personal data), and verify that they have authorized the third party to act on their behalf. Likewise, if regulations allow, consider requiring that the consumer confirm directly with your organization that they want to proceed with the request.
California's CCPA actually requires identity verification, with the exception of opt-out requests. Verification methods can include linking the request to a specific account, or matching two or three data points provided by the consumer against the data points your company maintains for that consumer. Of course, CCPA applies to California residents, so requests from residents of other jurisdictions may not call for the same verification due diligence.
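The following is an added example (not code from the article or from any request service) of how the verification steps above can be turned into a repeatable triage routine: confirm a cited law applies for the claimed residency, confirm the third party has shown authorization, and then match the consumer's data points against the records you hold before any deletion or disclosure happens. The `APPLICABLE_LAWS` table, the `Request` shape, the two-point threshold and the sample records are all constructed assumptions for the example.

```python
"""Triage of an automated data subject request.

Added example; the law table, request shape, threshold and sample
records are illustrative assumptions, not the article's or any vendor's.
"""
import hmac
import re
from dataclasses import dataclass, field

# Laws this hypothetical organization has determined apply to it, mapped to
# the residencies each one covers. Constructed for the example.
APPLICABLE_LAWS = {
    "CCPA": {"US-CA"},
}


@dataclass
class Request:
    cited_laws: list                  # laws named in the incoming email
    request_type: str                 # "access", "deletion" or "opt_out"
    residency: str                    # residency claimed for the consumer
    data_points: dict = field(default_factory=dict)  # e.g. {"email": ...}
    authorization: bool = False       # third party showed consumer's consent


# Consumer profiles this organization holds. Constructed sample data.
SAMPLE_RECORDS = [
    {"email": "ana@example.com", "postal_code": "94103", "phone": "415-555-0100"},
    {"email": "ben@example.com", "postal_code": "90001", "phone": "213-555-0199"},
]


def normalize(value: str) -> str:
    """Collapse whitespace and case so harmless formatting differences do not count as mismatches."""
    return re.sub(r"\s+", " ", value.strip().lower())


def count_matches(claimed: dict, on_file: dict) -> int:
    """Count data points that agree after normalization.

    hmac.compare_digest keeps each comparison constant-time, so a caller
    cannot learn which field failed from response timing.
    """
    matches = 0
    for key, value in claimed.items():
        stored = on_file.get(key)
        if stored is None:
            continue  # unknown field: neither a match nor evidence of fraud
        if hmac.compare_digest(normalize(value).encode(), normalize(stored).encode()):
            matches += 1
    return matches


def applicable_laws(req: Request) -> list:
    """Keep only cited laws that bind this organization for the claimed residency."""
    return [law for law in req.cited_laws
            if law in APPLICABLE_LAWS and req.residency in APPLICABLE_LAWS[law]]


def triage(req: Request, records: list, min_matches: int = 2) -> tuple:
    """Return (decision, reason) without disclosing any matched data.

    decision is "decline", "hold" (ask the consumer to confirm directly)
    or "process".
    """
    if not applicable_laws(req):
        return ("decline", "no cited law applies to this organization for the claimed residency")
    if req.request_type == "opt_out":
        # CCPA exempts opt-out requests from identity verification.
        return ("process", "opt-out request; no identity verification required")
    if not req.authorization:
        return ("hold", "third party has not shown the consumer's authorization")
    best = max((count_matches(req.data_points, r) for r in records), default=0)
    if best == 0:
        return ("decline", "no record of this consumer")
    if best < min_matches:
        return ("hold", f"only {best} of {min_matches} required data points matched; ask the consumer to confirm directly")
    return ("process", f"{best} data points matched")


if __name__ == "__main__":
    req = Request(["CCPA"], "deletion", "US-CA",
                  {"email": "Ana@Example.com", "postal_code": "94103"}, authorization=True)
    print(triage(req, SAMPLE_RECORDS))
```

The routine deliberately returns only a decision and a reason: a request that fails verification must not leak whether the consumer is in your records or which field mismatched, since the requester may not be who they claim to be.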
Think Carefully Before Fulfilling These Requests Out of Courtesy or Convenience
While processing and storing as much data as possible has many business benefits, an effective approach to data privacy compliance must stem from a genuine interest in protecting consumer rights. By that logic, it would make sense to want to fulfill all of these requests, regardless of your organization's legal obligation. It could even be far less time-consuming to mass-delete the data than to verify the identity of each of the thousands of consumers listed in a request.
However, the noble response might cause additional compliance concerns. For example, the aforementioned verification requirements for requests filed under CCPA are very specific and detailed, and are designed purposefully to protect consumers and businesses.
Not following these verification requirements may itself be a violation of CCPA. Blindly honoring a request that was not actually made by the data subject in question may also leave you unable to complete a transaction that consumer has asked of you. If you perform the due diligence and follow the verification requirements, you will be able to defend your actions in the event of a mistaken deletion or an inadvertent disclosure of data.