AI Summarize

Share

Responding to a data subject request (DSR) has become a routine obligation under privacy laws like the GDPR and the CCPA/CPRA. But when those requests come through third parties or privacy tools, it often raises questions about how to handle verification correctly.

While most privacy laws allow third parties to act as "authorized agents" on consumers' behalf, they also hold businesses fully responsible for verifying both the agent's authority and the consumer's identity before acting on any DSR.

This article discusses why DSRs received from third parties need careful consideration. You'll also find clear, practical steps your business can take to verify these requests and remain compliant.


A Quick Primer on Data Subject Requests (DSRs)

A Data Subject Request (DSR) is a formal appeal from an individual to exercise their privacy rights over the personal data your business holds about them. Personal data generally refers to details like names, phone numbers, home/email addresses, and similar information that can directly or indirectly identify a person.

Under laws like the General Data Protection Regulation (GDPR) in the EU/EEA/UK and the California Consumer Privacy Act (CCPA/CPRA), all applicable businesses are legally obligated to respond to people's formal requests to exercise their rights. While these rights vary by regulation, the most common are as follows:

  • Access: See what data your business holds and how it's used.
  • Correction/Rectification: Fix errors or incomplete records.
  • Deletion/Erasure: Delete data unless you have a lawful reason to keep it.
  • Restriction: Limit data processing to specific purposes.
  • Objection/Opt-out: Stop certain activities, such as direct marketing.
  • Data Portability: Provide a copy of personal data in a usable format.

Note: These rights differ by law. For example:

  • GDPR (EU/EEA/UK): Access, Rectification, Erasure, Restriction, Object, Portability.
  • CCPA/CPRA (California): Know (access), Delete, Correct, Opt-out of sale/sharing, Limit sensitive personal information, Non-discrimination.The CCPA/CPRA does not provide "Restriction" or a general "Object" right.

Violating DSRs can attract investigations and significant penalties. In 2020, for example, the Italian supervisory authority levied a €27.8 million fine against Telecom Italia (TIM) for repeatedly ignoring people's requests to opt out of marketing activities.

Beyond fines, mishandling DSRs can damage public trust and lead to lasting reputational harm that affects your business relationships.

What Are Third-Party Data Subject Requests (DSRs)?

A third-party DSR occurs when an individual uses a representative who submits requests on their behalf rather than contacting your business directly.

These intermediaries, often referred to as "authorized agents," can include privacy tools, data brokers, attorneys, or advocacy groups that act on behalf of data subjects.

Privacy tools are the most common authorized agents today. They market themselves as a simpler, one-stop solution for consumers who want to manage their data across dozens of companies simultaneously. Well-known examples include services like DeleteMe and Privacy Bee.

DSRs sent through these third parties are often more delicate due to the dual verification requirement. Unlike direct DSRs, where you only need to verify the data subject's identity, third-party requests require that you also confirm the agent's legal authority to act on behalf of a data subject.

Iconic Luxury Hotels does a great job of explaining this in its Data Subjects' Policy:

Iconic Luxury Hotels Data Subjects Policy: Requesting on an Individual's Behalf

For better clarity, let's briefly review the legal fine print for DSRs received via third parties under key privacy laws.

How Key Privacy Laws Treat Third-Party Data Subject Requests (DSRs)

Many global privacy laws allow some form of third-party representation for DSRs, but with important verification caveats. To illustrate, let's see how this scenario is addressed under two of the most influential privacy frameworks in force: the CCPA/CPRA and the GDPR.

The CCPA/CPRA was the first law that widely introduced the idea of "authorized agents." Section 1798.140(ak) defines a verifiable consumer request to include requests submitted by an authorized agent, provided the business can confirm both the consumer's identity and the agent's legitimacy.

CCPA/CPRA Section 1798.140(ak): Definition of Verifiable Consumer Request

On the other hand, the GDPR doesn't explicitly name the concept of authorized agents, but it doesn't forbid it either. Article 12(6) of the GDPR simply says you should request more information to verify a data subject's identity if you have reasonable doubts (a standard that ideally applies to all third-party requests).

GDPR Article 12(6): Verifying identity of data subjects

GDPR, Art. 12(6) confirms that where a controller has "reasonable doubts" about identity, it may request additional information, and the ICO clarifies that the response timeline does not begin until such information is received.

To back this up, the UK's Information Commissioner's Office (ICO) has clarified that as long as valid proof of authority is provided, organizations should respond appropriately to DSRs from properly appointed representatives.

UK ICO: Asking someone to act on your behalf

It's worth noting that not all privacy laws support third-party representation equally. For example, while the Colorado Privacy Act (CPA) recognizes authorized agents, it limits their scope only to opt-out rights for targeted advertising, profiling, and the sale of personal data. For rights like access, correction, and deletion, authorized agents aren't recognized, see Colorado Privacy Act §6-1-1306(1)(a)(I).

In contrast, the Virginia Consumer Data Protection Act (VCDPA) doesn't recognize authorized agents in any capacity within its provisions.

The takeaway for businesses is that DSRs from third parties are legally permissible under most privacy laws. And when they are, your business (as the data controller) remains fully responsible for verifying both the data subject's identity and the third party's authority under applicable law before fulfilling any request.

Key Steps to Take When You Receive a Third-Party DSR

Your response to DSRs determines your compliance and defense against potential regulatory scrutiny. We recommend following these steps to handle third-party requests securely and legally:

Step 1: Acknowledge the Request and Assess Your Response Timeline

Your first step is to acknowledge receipt of the request, but don't start your compliance clock until you've verified legitimacy (only under the GDPR). This matters because response deadlines often vary across privacy laws and can create unnecessary pressure.

Keep in mind that acknowledging receipt doesn't mean accepting a request as valid. It only demonstrates professional responsiveness while you conduct proper due diligence.

Importantly, regulatory authorities like the UK ICO consider a request "not received" if you are unable to see the request without signing up for the third-party platform or paying a fee. In other words, your response timeline doesn't start until proper access is provided:

UK ICO Right of Access Guide: Requests made via a third-party online portal

Only when you can access a DSR does your compliance clock start. At that point, you should act fast. Failing to meet the deadlines is a violation in itself, even if you eventually fulfill the request. Here's a quick breakdown of the response deadlines under the GDPR and CCPA/CPRA:

  • GDPR: The standard response window is one calendar month from the date of receipt. However, you can extend this period by up to two additional months for complex or high-volume requests. You must inform the data subject (or the agent) of the extension and the reasons for it within the initial one-month period.
  • CCPA/CPRA: You must confirm receipt within 10 business days. A 45-day response window is set for verifiable consumer requests. You can also extend once for an additional 45 days, but you must again notify the consumer and provide a reason within the initial 45-day window. Note that the right to opt out of the sale or sharing of data has a much shorter deadline of just 15 business days with no possibility of extension.

Remember to document your attempts to access the request and any barriers you come across. This helps create a compliance trail that shows good faith efforts while protecting against premature deadline pressure.

Step 2: Demand Proof of Authority from the Agent

Before you even attempt to verify the data subject's identity, you must confirm that the authorized agent has the legal authority to submit requests under applicable law. Remember that not all laws allow authorized agents to begin with.

If the law does allow agents, you must formally request documented proof that the agent is authorized to act on the specific individual's behalf.

The gold standard proof is a signed authorization document where the data subject explicitly names your company and appoints the third party as their authorized agent for the specific request. Here's an example of how this might look in practice:

Legal Templates: Agent Authorization Letter

A formal, notarized power of attorney is also considered irrefutable proof of authority, especially for requests involving sensitive personal data. Be wary of generic Terms of Service agreements from the agent's platform, as these are often insufficient.

The documentation must also clearly confirm the scope of the agent's authority. Is the agent only allowed to submit a request, or are they also authorized to receive the data itself? You must ensure you are not disclosing private data to an agent who only had permission to send the request.

If you consider the authorization documentation to be insufficient, contact the data subject directly to confirm their intent and the third party's authority. This helps protect against fraudulent requests while ensuring legitimate requests receive proper attention.

California regulations explicitly require businesses to verify both the consumer and the agent, and allow businesses to reject a request if proof of authorization is insufficient (see CPPA Regs §7063).

Step 3: Verify the Data Subject's Identity

Next, carefully verify the identity of the data subject using reasonable methods. Once an authorized agent provides the necessary documentation, you must confirm that the individual behind the request is who they say they are. This is a critical security measure to prevent data breaches.

While the GDPR doesn't explicitly provide identity verification steps, the CCPA/CPRA regulations do offer some helpful guidance here:

CCPA/CPRA Regulations

Put simply, start by matching the provided information against existing records like names, email addresses, account credentials, customer IDs, or contact details. And if your standards checks raise doubts or fail, you're legally allowed (even required) to ask for proportionate additional information.

Note that most privacy laws have a data minimization principle, so only collect what's truly necessary to confirm identity. This could be some pieces of non-sensitive information you have on file, such as the last four digits of a credit card used or the unique identifier tied to their account. Once the request is fulfilled, delete any new verification data you collect.

Be particularly cautious with high-risk requests like deletion or data portability. These irreversible actions warrant stronger verification standards. In these cases, consider getting direct confirmation from the data subject, especially if the third party's authorization documentation looks generic or overly broad.

And as always, remember to document your verification process thoroughly, including which information you requested, what you received, and how you reached your verification decision.

Step 4: Clarify the Scope of the Request (If Necessary)

A third-party request can sometimes be vague or overly broad. Before processing, ensure you fully understand what the data subject is asking for, as different rights have different legal requirements and business implications.

For example, access requests often need comprehensive data gathering, while deletion requests need legal basis reviews to identify retention requirements. Data subjects cannot authorize the deletion of information you're legally required to retain (e.g., tax records).

The clearest and safest path is to confirm the scope directly with the individual. A brief, direct communication prevents misunderstandings and ensures you fulfill the request accurately. For example, you might email the verified customer:

"We have received a request from [Third-Party Agent] on your behalf for data deletion. Please confirm that you wish us to proceed with deleting all your personal data."

This simple step protects you from acting on an incorrect or misinterpreted instruction from the agent.

Step 5: Process and Fulfill the Request

With verification complete, you can now process the request. Use your data discovery tools to search all relevant systems (CRMs, marketing platforms, databases, etc.) for the individual's data. Under the GDPR, ensure you include any data shared with data processors.

As you compile the information, carefully redact any personal data belonging to other individuals to prevent a secondary privacy breach.

Your response should be delivered securely (e.g., via an encrypted email or a secure portal), preferably directly to the data subject rather than the authorized agent, unless instructed otherwise in the verified authorization document.

Deliver the response to the data subject directly, unless the verified authorization explicitly permits the agent to receive the data.

For access requests, provide the data in a structured, commonly used format. For deletions, maintain a record of what was deleted and when, along with the legal basis for any data retained. Meticulous documentation of this entire process is the only way to demonstrate compliance during an audit.

Frequently Asked Questions for Third-Party Data Subject Requests (DSRs)

What if the third-party platform claims it has already verified the consumer's identity?

Don't take their word for it. You are the data controller, and the legal burden for preventing an unauthorized data release rests solely with you. You must conduct your own independent verification of the consumer's identity, even if it uses the same data points (like email verification or existing account credentials) provided by the authorized agent.

What if the request is for data older than the statutory 12-month period?

While the Right to Know/Access under the CCPA only legally mandates a 12-month lookback period, the CPRA has now extended this timeline, as long as it is "reasonably possible" and not "unduly burdensome" for your business.

The CPRA extends the look back beyond 12 months "unless impossible or disproportionate effort.", see Cal. Civ. Code §1798.130(a)(2)(B).

The GDPR, however, doesn't include any 12-month lookback provision. If the agent's request covers a broader timeframe, ask the consumer to clarify. If they insist on all data, fulfill what is reasonable based on your data map and explain the statutory limits in your response, while still providing all data you can reasonably locate.

What if the consumer says they never authorized the agent?

Immediately deny the request and document the consumer's statement. This is a clear case of attempted unauthorized access. Inform the third party that the request has been denied due to a lack of authorization and maintain thorough documentation of this conflict.

Not necessarily. Under the GDPR, the legal clock can be paused while you await necessary identity verification or clarification.

Under the CCPA, however, the 45-day deadline is not paused for verification. You can either deny the request due to insufficient identity verification or, if reasonably necessary, extend the timeline once by another 45 days (90 total). Note that you must inform the consumer within the first 45 days and explain why.

What if the agent requests our specific data retention policies?

Provide public information. Authorized agents can sometimes request your data retention schedules or third-party sharing policies. Only provide information that is already legally required to be disclosed in your public Privacy Policy.

Do not disclose internal, proprietary business processes or specific legal contracts unless absolutely required by law.

Should we ever use the third-party portal to respond?

Only after thorough due diligence on the platform's security, business model, and regulatory compliance. Even then, a direct response to the data subject often provides better security control. If you choose to use their portal, ensure it meets your data protection standards and document your assessment process for audit purposes.

Can we charge a fee for processing a complex third-party request?

Under laws like the GDPR and CCPA/CPRA, you can charge a reasonable fee or refuse to act if a request is "manifestly unfounded or excessive". However, the bar for this is high. You must be able to demonstrate the excessive nature of the request and should seek legal counsel before denying a request on this basis.

Under GDPR Art. 12(5) and CCPA/CPRA Cal. Civ. Code §1798.145(i)(3), you may charge a reasonable fee or refuse if a request is "manifestly unfounded or excessive." The bar is high, and you must document your reasoning.

Do universal opt-out signals count as third-party requests?

Yes. Under the CCPA/CPRA and Colorado Privacy Act, businesses must honor valid browser-based or technical opt-out signals (e.g., Global Privacy Control) without requiring a signed agent authorization.

Summary

Third-party data subject requests (DSRs) add complexity because they insert an intermediary between you and the individual whose data you hold. Most privacy laws allow these "authorized agents," but they never shift accountability away from businesses.

You, as the data controller, remain responsible for verifying identity, confirming authority, and ensuring the request is legitimate before acting. To handle these requests safely:

  • Acknowledge promptly and carefully consider your legal timelines
  • Verify agents' authority with signed documentation or powers of attorney.
  • Confirm consumers' identity using data you already hold and request proportionate proof if needed.
  • Clarify the scope directly with the consumer to avoid over- or under-compliance.
  • Process requests securely, redacting third-party data and applying exemptions where applicable.
  • Deliver responses carefully, through secure channels, and keep a detailed log of every step.

Remember that you're not required to use third-party platforms, pay access fees, or create accounts to view requests. When in doubt, respond directly to the data subject while documenting your decision-making process.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy