Step Four: Operationalize Privacy Rights
Today, more individuals than ever can submit so-called data subject requests (DSRs). They can ask to access, correct, port, and, in some cases, erase their data. They can also knowingly permit, object to, and, in some cases, restrict how a business uses their data, all the while being protected by law from unfair treatment and retaliation.
- Our Privacy Trends 2024 report showed a 72% increase in total DSR volume per 1M identities from 2021 to 2022. More are on the way.
- Data also shows people from states without privacy protections are submitting requests en masse: 52% of requests in the U.S. are made by people in unprotected states.
While the U.S.’s rules for handling privacy requests notably diverge from the GDPR in several ways, there’s common ground. Above all else, the process should be easy, safe, and effective, for both sides:
- Formalize and socialize: Individuals need to be informed about their privacy rights and how to exercise them. Common intake methods include secure submission forms and designated email inboxes. Emerging methods include default browser/device settings and browser-mediated opt-out preference signals like GPC. Whichever combination of methods you choose, the process should be as intuitive and user-friendly as possible.
- Request validation: Organizations must take reasonable steps to protect themselves and consumers from personal data breaches. DSR intake and fulfillment must be secure. This includes validating the person making the request and their right to the data in question. The security adage “trust but verify” applies.
- Data minimization: While caution is important, so is restraint. When validating requests, organizations should ask for only the essential information needed to verify someone’s identity and match them to known records. Do you really need to see someone’s driver’s license? Knowledge-based (smart) identity verification is a viable alternative.
- Mutual trust: Just as it is unlawful for organizations to arbitrarily ignore or deny valid DSRs, individuals can’t submit requests in bad faith. Privacy rights aren’t absolute and organizations have the right to deny “unverifiable”, “manifestly unfounded”, or “manifestly excessive” requests (GDPR, CCPA/CPRA).
Bottom Line:
Privacy request management can be exploited by bad-faith actors and stress-tested by privacy advocates and regulators. Be sure to adhere to ease of use, validation, strict turnaround, and other substantive requirements. Remember that the end goal here isn’t to check a compliance box but to establish trust throughout a public-facing process.
Request Manager supports CAPTCHA to protect against bot spam and fraud in the privacy request process.
In addition, Smart Verification helps users meet minimization goals.