Skip to content

Some modern data privacy statutes mandate that organizations allow third parties – who are authorized by a data subject – to submit access, deletion, correction, or other requests on behalf of a consumer. Such third parties are sometimes referred to as “authorized agents” – a term created by the regulations implementing the CCPA. The following chart compares whether authorized agents are recognized under each of the modern state privacy statutes:

Authorized Agents

California 2022

CCPA

California 2023

CPRA

Colorado 2023

CPA

Conn. 2023

CTDPA

Utah 2023

UCPA

Virginia 2023

VCDPA

Access requests. Does the statute mandate that organizations accept authorized agent requests for access to information? [1] [2]
Deletion requests. Does the statute mandate that organizations accept authorized agent requests for the deletion of information? [3] [4]
Correction requests. Does the statute mandate that organizations accept authorized agent requests for the correction of information? [5] [6]
Opt-out of sale. Does the statute mandate that organizations accept authorized agent requests to opt-out of the sale of information? [7] [8] [9] [10]
Opt-out of targeted advertising. Does the statute mandate that organizations accept authorized agent requests to opt-out of targeted advertising? N/A ?[11] [12] [13]
Opt-out of profiling/
automated decision making
. Does the statute mandate that organizations accept authorized agent requests to opt-out of automated decision making?
N/A N/A[14] [15] [16]
Registration. Must an authorized agent be registered with the state? [17] [18]
Respond to consumer (instead of authorized agent). Is an organization permitted to respond directly to the consumer after intaking an authorized agent request? [19] [20] ?[21] ?[22]
Utilizing authorized agent’s platform. Is an organization required to utilize an authorized agents platform or technology?

[1] Cal. Code Reg. § 999.326(a).

[2] Cal. Code Reg. § 999.326(a).

[3] Cal. Code Reg. § 999.326(a).

[4] Cal. Code Reg. § 999.326(a).

[5] Cal. Code Reg. § 999.326(a).

[6] Cal. Code Reg. § 999.326(a).

[7] Cal. Code Reg. § 999.315(f).

[8] Cal. Code Reg. § 999.315(f).

[9] C.R.S. § 6-1-1306(1)(a)(II) (2022).

[10] Conn. Sub. Bill No. 6, § 5 (applying authorized agents to opt-out requests referenced in § 4(a)(5)).

[11] The CPRA does not specify whether an authorized agent should be permitted to submit a do not share request.  As of the writing of this article, regulations implementing the CPRA had not been adopted.

[12] C.R.S. § 6-1-1306(1)(a)(II) (2022).

[13] Conn. Sub. Bill No. 6, § 5 (applying authorized agents to opt-out requests referenced in § 4(a)(5)).

[14] As of the writing of this article, regulations implementing the automated decision making sections of the CPRA had not been adopted.

[15] C.R.S. § 6-1-1306(1)(a)(II) (2022).

[16] Conn. Sub. Bill No. 6, § 5 (applying authorized agents to opt-out requests referenced in § 4(a)(5)).

[17] Cal. Code Reg. § 999.301(c).

[18] Cal. Civ. Code § 1798.140(ak) (West 2022).

[19] Cal. Code Reg. § 999.326(a).  The business is only required to allow the authorized agent to submit a request.  The business is permitted to directly confirm with the consumer that the consumer granted agency.  The statute and implementing regulations do not require that the business communicate with the authorized agent other than to intake the request.

[20] Cal. Code Reg. § 999.326(a).  The business is only required to allow the authorized agent to submit a request.  The business is permitted to directly confirm with the consumer that the consumer granted agency.  The statute and implementing regulations do not require that the business communicate with the authorized agent other than to intake the request.

[21] Statute does not address this issue.

[22]  Statute does not address this issue.