Hello, U.S. Digest readers!

Happy Friday from southern Maine, where we’re immersed in stunning fall foliage. October is my absolute favorite month of the year here in New England. The bright reds, oranges and yellows, the sounds of leaves rustling along the ground, mums and pumpkins dotting porches, and the crisp, cool air are all starting to emerge. That fall air may just be arriving a little too quickly for my taste, though, as overnight temperatures here have hit the upper 30s. On my early morning trips outside with the dogs this week, I’ve felt a tiny pang of jealousy for my colleagues who enjoyed some warmer temperatures in sunny San Diego during the IAPP’s Privacy. Security. Risk. 2021.

It’s our first U.S.-based in-person conference since 2019, and I know our team is so thrilled to be back in the action. Given PSR’s location, it’s fitting the California Privacy Rights Act was among the first topics to take center stage and that my colleague Joe Duball, who has been deep into state privacy share privacy professionals’ insights on what to expect when the CPRA takes effect Jan. 1, 2023, and how to best prepare for compliance.

Laws like California's and the EU General Data Protection Regulation have established new data rights for consumers, but Consumer Reports Digital Lab Director Ben Moskowitz said this week research has shown it is difficult for consumers to know how to exercise these rights. So the organization is working to create a Data Rights Protocol, a workflow to receive, process and complete data rights requests in a standardized way. A draft of the protocol was previewed this week and the formal version is expected to launch in mid-2022.

“We don’t have a standard agreement or a definition or a specification for what are the necessary components of every single data rights request, might they be able to be generated in a standard way, could they be exchanged in a standard way,” Consumer Reports Digital Lab Product Lead Ginny Fahs said. “And that’s the question that we’re excited to try to work our way towards answering with this Data Rights Protocol project.”

Consumer Reports is working with vendors DataGrail, Ethyca, Mine, OneTrust, Spokeo, Surfshark, Transcend and WireWheel in developing the protocol. Surfshark's Chief Business Development Officer Darius Belejevas said when the company started researching the practical applications of privacy laws, “we realized that the situation is quite terrible for everyone involved.”

“From a user perspective, it’s close to impossible to exercise your rights to privacy at scale, and on the flipside, it can be quite a lot for businesses as well because complying with requests can be expensive and difficult,” he said. “We see the Data Rights Protocol as sort of the first step in bridging the gap between what privacy laws strive to accomplish and the situation we have right now.”

The plan is still in the early stages and Consumer Reports is seeking input as it progresses. You can visit datarightsprotocol.org to learn more.