What is an “authorized agent” under the CCPA?
As new businesses conceived as an intermediary between privacy-conscious California consumers and the businesses that hold their personal data crop up, it’s worthwhile to examine how the CCPA contemplates authorized agents who make requests on behalf of consumers.
The original text of the CCPA mentions a consumer’s authorized agent only once, in the context of rulemaking. 1798.185(a)(7) directs the Attorney General to establish rules and procedures to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to 1798.130, which lays out operational details of a business’s obligations with respect to consumers’ rights to know and to delete personal information about them, and to know the categories of personal information collected and sold. The text is otherwise silent on who may qualify as an authorized agent, or how businesses are obliged to work with authorized agents.
The Attorney General’s regulations fill out these requirements.
Definition of an “authorized agent”:
Section 999.301(c) defines an authorized agent as “a natural person or business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf subject to the requirements set forth in section 999.326.”
Basic mechanics for authorized agents — verification:
Section 999.326 lays out the basic mechanics of verifying requests from authorized agents and the obligations for authorized agents:
- Unless the consumer has provided the authorized agent with power of attorney, a business that receives a request to know or request to delete from an authorized agent may require the consumer or the authorized agent to take an action to help verify the request.
- The business may require the agent to provide signed permission from the consumer to make the request. Alternatively, the business may ask the consumer to verify their own identity with the business or directly confirm with the business that they provided the authorized agent with permission to submit the request.
- Section 999.323(d), in the regulations’ general rules regarding verification, specifies that a business shall not require an authorized agent to pay a fee for verification.
Requirements for authorized agents:
Authorized agents, in turn, have two requirements set out in §999.326:
- Authorized agents are required to implement and maintain reasonable security procedures and practices to protect the consumer’s information.
- Authorized agents may not use a consumer’s personal information for any purpose other than fulfilling the consumer’s requests, verification, and fraud prevention.
How authorized agents can be used:
In addition to requests to know and requests to delete, section 999.306(f) permits a consumer to use an authorized agent to submit a request to opt-out of the sale of personal information. In contrast to the verification methods that section 999.326 provides for requests to know and requests to delete, section 999.306(f) allows a business to deny a request if the agent cannot provide the consumer’s signed permission to submit the request on the consumer’s behalf.
How businesses under CCPA interact with authorized agents:
Businesses have one last obligation with respect to authorized agents; section 999.308(c)(5) requires the business to include instructions on how an authorized agent can make requests on a consumer’s behalf in the business’s privacy policy.
Additional resources:
- The new CCPA draft regulations: Identity verification IAPP article by Jennifer Elleman and Steven Stransky
- New CCPA regulatory provisions seek to clarify business requirements IAPP article by Steven Stransky
