How 'Authorized Agents' Plan to Make It Easier to Delete Your Online Data
These apps make privacy requests on your behalf, so you can remove your info from hundreds of data brokers and other companies at once
If you’ve ever Googled your name, you’ve probably run across a people-search site. These search engines charge for access to intimate details on just about anyone, including addresses, phone numbers and emails, and supposed criminal records. And if you’ve ever tried to scrub your information from one of these sites, maybe you’ve found it’s really hard to do, as CR has reported.
Even if you manage to remove your info from one site, there are always dozens more—plus hundreds of other data brokers and businesses that have your personal data but don’t make it publicly available. CR’s researchers estimate it can take the better part of a workweek to see through each individual removal request.
Companies Not Ready for Requests
It’s still early days for authorized agents, and CR research finds that companies receiving privacy requests from services like Incogni and Optery often have trouble dealing with them. “Companies generally aren’t ready for authorized agents yet,” says Maggie Oates, the CR researcher who led the new study, which is detailed on our Digital Lab site.
The research was powered by more than 100 volunteers who signed agreements late last year authorizing CR to contact data brokers on their behalf. Consumer Reports then submitted CCPA requests for them, asking a variety of companies to email the volunteers a copy of any of their personal data the companies were storing.
Of the 208 requests that CR sent on behalf of the volunteers, fewer than a quarter ended in success. Those were the cases where the consumer was given access to their data—or the company said it had none of their data to share. But much of the time, companies didn’t respond at all, and in 18 percent of cases they denied the request, for a variety of reasons.
Some businesses were particularly unprepared. One treated CR as if it were an individual, asking security questions like “What’s your maiden name?” and “What street did you grow up on?” Another wanted CR to send requests by mail, but when CR posted a written request, the company said it never received it.
For study participants, the experience was disorienting and exasperating. Companies “seem to have no particular interest in making it easy to exercise my rights,” said one study participant who chose to remain anonymous.
Tom Lowenthal, another volunteer, authorized CR to submit requests to two different companies. Then? “Complete crickets," they said.
“I didn’t get any emails from them, no phone calls or communications—nothing,” says Lowenthal, who is a product lead at Tall Poppy, a company that creates digital safety guides and tools for people who are being stalked or harassed.
Despite the difficulties, Lowenthal likes the idea of having a privacy helper on their side. A product focused on making large numbers of privacy requests for its customers will always be more effective than any one consumer acting on their own, they say. But ultimately, they would prefer to see regulation that requires data brokers to ask for consumers’ consent before using their information, rather than a system that requires consumers to seek out data brokers and ask them to stop selling the data.
Even though the new study revealed all sorts of problems, the outlook isn’t totally bleak, says CR’s Oates. “Throughout the course of the study, we saw changes happen,” she says. After CR got in touch, several companies improved their processes. Plus, the type of privacy requests in CR’s study are relatively complicated; simpler tasks like deletion or opt-out requests often go more smoothly.
Others are seeing improvements, too. “We’ve encountered many companies that are consciously and proactively trying to improve their practices,” says Darius Belejevas, product head for Incogni. Before Incogni adds a new broker to the list of companies it supports, it works with the broker to work out a process for making requests on behalf of customers.
But there are always laggards. Optery keeps track of about a dozen in a public list of what it calls “dishonorable data brokers." Companies cycle in and out of the list, says Optery CEO Lawrence Gentilello. Sometimes, a website bug will land a broker on the list until it’s fixed; other times, a data broker that had heeded requests for months will start rejecting new ones.
While authorized agents deal with the growing pains of a relatively untested legal right, some companies have tried other approaches. One of them, a product called Mine, asks for your permission to sift through subject lines in your email inbox, and uses that information to come up with a list of companies that are probably sitting on your private data. Then, it helps you send privacy request emails from your account to those companies. If you’re only concerned with people-search sites that surface your details publicly, several other companies offer deletion services without acting as authorized agents.
Optery and Incogni charge a monthly fee for some of their features, and Mine plans to charge for its service in the future. But the digitally savvy can try going it alone, for free. As my colleague Yael Grauer reported last year, a group of graduate students at UC Berkeley created a tool called PrivacyBot that users with technical chops can use to send hundreds of automated opt-out emails at once.
Despite increased competition among companies creating easy-to-use privacy helpers, many are working together to make it easier to send requests on behalf of consumers.
Consumer Reports has convened a group that includes several authorized agents, a data broker, and tech providers that help other companies comply with privacy requests, to draw up a “data rights protocol” that would standardize and simplify these requests for everyone involved. Its goal is to make privacy requests more reliable and efficient, so that requests from both consumers and authorized agents are more likely to yield results.
CR’s researchers are also asking regulators to make some changes that would smooth the way for authorized agents to submit requests on behalf of users. In CR’s study, one company sent an email that required a response from the consumer within a tiny half-hour window. Researchers would like rules giving consumers more time to respond to companies. They also want it to be easier for authorized agents to prove that they have permission to act on a user’s behalf.
Changes like these can help clear the way for privacy helpers that users find helpful and easy to use, CR researchers say. “Authorized agents can be a solution to a lot of data-rights problems,” says Oates. But for the process to work the way it should, she says, the industry “needs to clean up its act.”