Frequently Asked Questions | Data Rights Protocol

The Data Rights Protocol was first conceived by Consumer Reports Innovation Lab (formerly Digital Lab) and launched at a virtual event hosted by MIT Media Lab in October 2021. The protocol has been driven by a consortium of companies since its genesis. Mozilla Data Futures Lab, Consumer Reports, and a private donor have contributed funding.

The protocol is developed openly on GitHub and is governed by the Apache 2.0 license.

All requests sent using the Data Rights Protocol are cryptographically signed by the Authorized Agent sending the requests. Additionally, each Authorized Agent has a unique API token for each business they communicate with and the businesses use this to ensure that messages can not be forged or used to send spurious data requests to other businesses implementing DRP.

The Data Rights Protocol is an efficient, cost-effective, and reliable solution for managing the ever-growing number of consumer data rights requests, especially for companies that must be responsive to multiple authorized agents. By specifying standard request and response patterns for shepherding privacy rights requests on behalf of consumers, the DPR enables smoother and more efficient delivery of privacy rights. You can read more about the benefits of DRP for businesses here.

Authorized Agents are responsible for verifying the identity of any user on whose behalf they send requests. Agents publish a document describing their identity verification protocols and businesses can use this document to decide whether they want to trust the identity attributes or whether they need to add additional consumer verification. Additional consumer verification can either be managed in-band by sending a message to the Authorized Agent containing a URL to a web form which the consumer will complete, or it can be handled in their existing out-of-band consumer verification systems.

The Data Rights Protocol was designed to be extensible to many different jurisdictions and privacy regimes. However, most research and development on the protocol to date has been in the context of California privacy laws (i.e. CCPA, CPRA). We chose to start with California since it was the first state to enact comprehensive data privacy legislation in the U.S. and the first to specify the role of the authorized agent. We have taken great care to ensure the protocol correctly supports and reflects the direct requirements and constraints applicable to data rights requests in California’s laws, and look forward to supporting new jurisdictions as they become available.

In addition to specifying regime, the protocol includes a "voluntary" designator that can be used in the jurisdiction field to indicate the consumer is not a California resident and therefore compliance with the CCPA is optional. Many companies choose to process such requests from outside of California and this designator helps to keep track of that legal status.

Data Rights Protocol (DRP) and Global Privacy Control (GPC) are complementary technologies that both strive for enhanced consumer control over personal data. GPC is a consumer-facing tool. It is a control available in several browsers or extensions that allows the consumer to broadcast a persistent preference to websites that their data not be sold or shared.

DRP is a solution for businesses and, in turn, for consumers sending requests to businesses. It is a solution that allows businesses to exchange data rights requests in a standardized format. DRP works “beneath the surface” of what a consumer can see by specifying an interface for businesses to talk to each other as they work to process consumers’ data rights requests. You can read more about the similarities and differences between DRP and GPC here.

The first step towards adopting the protocol is contacting the Data Rights Protocol consortium to register your interest, which you can do here. We also recommend reviewing the implementers' guide and the DRP open source reference implementation to get a better sense of the steps to implement and deploy the protocol.

Consortium partners participate in a series of conformance and interoperability tests before shipping Data Rights Protocol in their production systems. OSIRAA (Open Source Implementer’s Reference Authorized Agent) is our conformance testing tool, and it includes logging and reporting features so that implementers can refine their implementations on their own.

We also periodically conduct interoperability testing exercises with implementers and announce the results publicly as we mark new testing milestones.

Data Rights Protocol requests must be sent using industry-standard HTTPS secure connections to ensure that Agents are communicating with the business in a secure manner. Agents generate Ed25519 cryptographic signatures for their requests using a small public domain library called libsodium. Businesses and privacy infrastructure providers are able to download an index of verification/public keys and validate that the messages are being sent from the expected agent to the expected business.

Yes, the open source reference implementation of the Data Rights Protocol is OSIRAA (Open Source Implementer’s Reference Authorized Agent). A public-facing OSIRAA instance is available at https://osiraa.datarightsprotocol.org/ and serves as a record of end-to-end compliance among DRP participants; the code is publicly available on GitHub. Members of the DRP consortium can use OSIRAA to test and refine their implementations of the DRP.