Consumer Reports introduces groundbreaking consumer data rights protocol

Yonkers, NY – Consumer Reports and a consortium of partners announced today the completion of a new iteration of the Data Rights Protocol. This protocol will enable companies to more easily process consumer data rights requests and comply with privacy laws. This latest version of the protocol, which includes full-bodied security and identity features, is now ready to operate in production systems across the U.S.

CR has led the effort to improve the operations and implementation of privacy laws such as the landmark California Consumer Privacy Act (CCPA) to ensure the data of consumers are being protected. The CCPA and other state privacy laws provide millions of consumers with new privacy rights that allow them to access, control, and delete their data and opt out of its sale. However, fulfilling consumer data rights requests is a challenging problem for companies, especially at scale. As a result, many companies are seeking solutions to better streamline and standardize these highly technical workflows.

The CCPA anticipated these challenges and built in a provision for “authorized agents” that could help consumers exercise their data rights by serving as an intermediary between consumers and companies. Many people have chosen to enroll an intermediary to help manage their data, and many companies have been seeking guidance on how to process requests that come in from intermediary agents. To address this, CR has been proactively working with partners in industry to incubate a new open standard.

“Consumer Reports is dedicated to securing digital rights by leading the way on technical solutions,” said Marta L. Tellado, Consumer Reports president and CEO. “The Data Rights Protocol is the latest example of our work combining innovation and collaboration to improve the marketplace. By creating this standard, we are making it easier for companies to process data requests and for consumers to successfully exercise their digital rights.”

The Data Rights Protocol articulates a pattern for processing data rights requests with authorized agents; it combines technical APIs with governance practices and a set of operating agreements. The protocol is being co-developed by a consortium led by Consumer Reports and ten other organizations across marketplace roles: consumer agents, B2B privacy infrastructure provider companies, and businesses that need to comply with CCPA and other state laws. The consortium’s goal for the protocol is to make processing consumer privacy requests more efficient.

Privacy infrastructure companies can test their Data Rights Protocol implementations to demonstrate conformance using CR’s open source implementers’ reference for authorized agents, or OSIRAA. OneTrust, Transcend, Ethyca, and Incogni by Surfshark have all tested their implementations of the protocol successfully and are on-track to deploy the protocol in their production systems.

In parallel, CR has also started to develop its own authorized agent — Permission Slip, a free mobile app on iOS that aims to make it easy for consumers to take control of the personal data companies have about them. The protocol and the app are the latest efforts by CR to elevate digital rights. 

Additionally, the Data Rights Protocol consortium has launched a new website that companies can visit for more information and regular updates.