This year’s Data Privacy Day on January 28th must have inspired Attorney General Rob Bonta as he made an announcement emphasizing his expectation for organizations to step up their privacy compliance. AG Bonta’s statement included notice of a widespread investigation into mobile apps that are not meeting the requirements of the California Consumer Privacy Act. We knew further enforcement action was inevitable once the Sephora settlement occurred, but this is yet another example of Attorney General Bonta’s strict approach and no-nonsense outlook towards companies with gaps in their privacy compliance.

“I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data,” AG Bonta said, which seemingly emphasizes one of the problems with Sephora’s recent non-compliance.

The GPC focus of AG Bonta’s announcement further confirmed how imperative it is to comply with CCPA immediately and take meaningful steps towards CPRA compliance now as we wait for further information from the California Privacy Protection Agency. What I found unexpected was AG Bonta’s deliberate callout of authorized agents, saying, “In California, consumers have the right to stop the sale of their personal information, and my office is working tirelessly to make sure that businesses recognize and process consumers’ opt-out requests. On this Data Privacy Day and every day, businesses must honor Californians’ right to opt-out and delete personal information, including when those requests are made through an authorized agent.”

The New Generation of Authorized Agents is Here

Why is AG Bonta bringing up agents now? If you’ve attended any of our webinars in the last year you’ve heard me discuss the new generation of authorized agents that were coming. I discussed that until recently, most agents missed the mark on request items such as authorization and proof of identity, allowing organizations to ignore those requests without risk of repercussions. Those days are behind us now as agents have filled those gaps and developed a system for compliant requests on behalf of consumers that simply cannot be ignored without putting your compliance in jeopardy.

We’ve seen a slew of agents released, and Consumer Reports announced its own branded agent called Permission Slip. By way of a mobile app, consumers can enable Permission Slip to send right to know, deletion, and do not sell requests in mass quantities. On the website, it’s touted that consumers simply “Set it and forget it. We’ll keep reaching out to data brokers on your behalf and tell them to stop selling your personal information.” Essentially, consumers don’t have to do the legwork to submit requests, so there’s no reason for them not to exercise their data rights.

Could Your Organization Handle a Substantial Increase in DSAR Volume?

It’s only a matter of time before the general public, increasingly concerned about their privacy every day, gets their hands on this app and requests become abundant for companies across the country. That begs the question: Are you ready to handle mass amounts of requests? Now’s the time to evaluate your Data Subject Access Request process, automate as much as possible, and generate a comprehensive and accurate data map to inform how those requests are handled and in which systems. We would not advise a “wait and see” approach that could leave your privacy department ill-equipped for an influx of requests. To be frank, a manual response process is setting your privacy department up for chaos if you receive a large number of requests from agents or due to a data incident or trickle-down from a parent company.

As always, Truyo will keep you apprised of further information on this generation of agents. If you’d like to see how Truyo can automate your DSAR process, or simply have a discussion on where your organization is in the journey to CPRA compliance, please reach out to

About Ale Johnson

Ale Johnson is the Marketing Manager at Truyo.