Editor's Note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
The recent wave of consumer privacy laws in the U.S. has granted important rights to consumers concerning business collection and use of their personal data — like opting out of its use for targeted advertising or requesting its deletion.
With consumers interacting with so many businesses online, laws in some states also address challenges consumers may face in exercising their rights by requiring businesses to honor certain consumer privacy requests submitted not just by consumers themselves but also by authorized agents designated by consumers to act on their behalf.
While empowering consumers to easily exercise their privacy rights is a laudable goal, the concept of authorized agents is being misused by a cottage industry of authorized agent providers that are misleading consumers, failing to effectively exercise consumers' rights and ultimately creating more privacy concerns than they address.
In short, these agents are turning the legal concept of an authorized agent into privacy snake oil they can sell to consumers who are concerned about their privacy online.
How are agents misleading consumers?
Many agents are overpromising to consumers and misleading them about their privacy rights.
First, agents market their services to everyone, including consumers who are not covered by a state privacy law. Less than half the states in the U.S. have consumer privacy laws. Many consumers, therefore, have none of the privacy rights necessary to support the requests agents make on their behalf.
Second, even for residents of states covered by a privacy law, agents are often making requests they are not legally authorized to. Numerous states empower consumers to opt out of targeted advertising using an authorized agent but do not enable authorized agents to request deletion of personal data on behalf of a consumer, likely due to heightened cybersecurity risks associated with the automation of those types of requests.
Currently, only 10 states with privacy laws in effect — California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon and Texas — enable authorized agent requests at all and only one — California — empowers agents to make deletion requests on behalf of consumers.
In both cases, agents are misleading consumers into paying them to make requests to exercise rights they don't have or that the agent is not authorized to make on their behalf.
How are agents failing to effectively act on real consumer rights?
At least some consumers paying for agents do have rights under a state privacy law and the agent is authorized to make the relevant requests for the consumer under the law.
In those cases, it is still incumbent on agents to obtain proper authorization from customers and act in an effective and responsible manner on behalf of those customers. All too often, agents fall short in this regard as well.
One common scenario businesses encounter is being contacted by an agent who requests deletion of personal information for a consumer. But in making that request, the agent includes excessive and unencrypted personal information about the consumer, such as full name, birth date, physical address and even photos of their driver's license.
However, many businesses to whom these requests are sent process only pseudonymous information like device IDs and IP addresses. In those cases, it is not possible for the business to act on the request because they cannot associate names and physical addresses provided by agents with device IDs and IP addresses in their databases.
This indiscriminate sharing of excessive personal information by agents with hundreds of businesses runs deeply counter to good data minimization and security practices. As a result, businesses that process only pseudonymous device IDs and IP addresses are forced to handle and dispose of potentially sensitive personal information they would not otherwise collect to mitigate privacy risks created by agents indiscriminately sharing that information.
These practices may also violate the very law agents are acting under, which may require authorized agents to "implement and maintain reasonable security procedures and practices to protect the consumer's information."
At the end of the day, none of this benefits consumers who are paying for agent services because the information provided cannot be matched by the businesses receiving the information, and the widespread and indiscriminate sharing of that information creates new privacy risks for consumers.
In addition to creating no — or negative — privacy benefits for consumers, these practices also put businesses responding to agents in a very difficult position. Businesses have a responsibility to properly authenticate and verify consumer requests sent by agents, and they should not participate in the unauthorized release of consumer personal information or delete that information without proper authorization from the consumer. Irresponsible agents are depleting business resources that should be allocated to implementing genuine privacy measures instead of responding to voluminous, spurious requests.
What needs to change for agents to benefit consumers?
Several things need to change for agents to fulfill the promise of successfully exercising consumer privacy rights at scale. Some are in the power of agents to do now, while others may require action from policymakers and regulators.
What can agents do now?
Agents genuinely seeking to help customers exercise their rights can take two simple steps now to improve their services.
First, they can avoid misleading consumers by using accurate language to describe their services, like the requests they can exercise on behalf of consumers and the effects of making those requests. This includes tailoring customer requests to the customers' state of residence. Authorized agents should not invoke laws that don't cover their customers or make requests they aren't empowered to under the law.
Second, agents can limit the amount of personal information they share with businesses. When agents indiscriminately share the maximum amount of personal information they have about their customers, they create privacy and security risks and often share information that does not facilitate business responses to their requests.
What can regulators and policymakers do?
Ideally, providers of authorized agent services can raise the bar on their own. But if they will not collectively improve services to avoid misleading customers and creating privacy and security risks for them, regulators and policymakers should step up.
Regulators can take enforcement action against agents selling privacy snake oil, particularly those engaged in deceptive marketing that misrepresents their services and those violating subscription cancellation rules. Regulators can also enforce reasonable security measures for agents to prevent indiscriminate sharing of their customers' personal data.
Policymakers can help, too. First, they can promote standards in the authorized agent market, such as standardized request forms and technical specifications. This would help ensure businesses have the information they need to act on a request and may help minimize the amount of information agents include in requests.
Additionally, they can promote a uniform, federal privacy law that addresses authorized agent requests. All U.S. residents should have a clear set of privacy rights they can easily exercise with businesses, which would also help avoid the confusion of agents invoking state laws that don't apply to their customers.
Consumers in the U.S. deserve privacy rights like opting out of targeted advertising and requesting deletion of their personal information. It's time for agents to start acting more responsibly for their customers when they seek to exercise those rights.
Tony Ficarrotta, CIPP/US, is vice president and general counsel at the Network Advertising Initiative.