
Data Rights Protocol

The Data Rights Protocol (DRP) is a technical standard for exchanging data rights requests under regulations like the California Consumer Privacy Act (CCPA).

As a Privacy Infrastructure Provider (PIP), fidesops conforms to the DRP standards to receive and process Data Rights Requests. The following endpoints and actions are available in fidesops for working within the DRP specifications.

DRP Actions

A DRP action may be defined when creating or editing a policy. These actions associate a fidesops policy with a DRP-standardized protocol for receiving and processing Data Rights Requests.

A given action may only be associated with a single policy:

PATCH /api/v1/policy
[
    {
        "name": "User Email Address",
        "key": "user_email_address_policy",
        "drp_action": "access"
    }
]

Available actions

The following actions may be associated with a policy via the drp_action attribute. They correspond to the DRP's set of supported rights.

| Action | Use |
|---|---|
| sale:opt_out | Right to opt out of data sale |
| sale:opt_in | Reconsent, or opt-in to data sale |
| deletion | Right to Delete |
| access | Right to Know |
| access:categories | Right to Know |
| access:specific | Right to Know |

Endpoints

Once a policy is associated with an action, the following DRP-standardized endpoints are available.

Exercise

The /exercise endpoint creates a new DRP privacy request. Fidesops will execute this request based on the policy associated with the DRP action specified in exercise.

All identity information should be encapsulated in the provided identity field using RFC7515-encoded JSON Web Tokens. More about identity encapsulation can be found in the DRP standard.

POST /api/v1/drp/exercise
{
  "meta": {
    "version": "0.5"
  },
  "exercise": [
    "sale:opt_out"
  ],
  "identity": "jwt"
}
Response
{
    "request_id": "c789ff35-7644-4ceb-9981-4b35c264aac3",
    "received_at": "20210902T152725.403-0700",
    "expected_by": "20211015T152725.403-0700",
    "status": "open"
}
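
An added example, not fidesops or DRP project code: one way to produce the identity value as an RFC 7515 compact JWS, verify it on receipt with the algorithm pinned, and assemble the /exercise body. The HS256 shared key, the email claim and all function names are assumptions; the action list comes from the table above.

```python
import base64
import hashlib
import hmac
import json

# Actions from the "Available actions" table on this page.
DRP_ACTIONS = {"sale:opt_out", "sale:opt_in", "deletion",
               "access", "access:categories", "access:specific"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def encode_identity(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact JWS (HS256 is an assumption)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = b64url(sign(f"{header}.{payload}", key))
    return f"{header}.{payload}.{signature}"

def decode_identity(token: str, key: bytes) -> dict:
    """Verify the JWS and return its claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed identity token") from exc
    # Pin the algorithm; do not let the token choose it (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected JWS header")
    expected = sign(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(signature, expected):
        raise ValueError("identity signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def build_exercise_request(action: str, claims: dict, key: bytes) -> dict:
    """Assemble the POST /api/v1/drp/exercise body shown above."""
    if action not in DRP_ACTIONS:
        raise ValueError(f"unsupported DRP action: {action}")
    return {"meta": {"version": "0.5"}, "exercise": [action],
            "identity": encode_identity(claims, key)}
```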

Status

The current status of an existing privacy request may be returned via the /status endpoint, which must be queried using a privacy request ID.

GET /api/v1/drp/status?request_id={privacy_request_id}
{
    "request_id": "c789ff35-7644-4ceb-9981-4b35c264aac3",
    "status": "open"
}

Data Rights

All data rights associated with existing policies may be returned via the /data-rights endpoint. Note that the v1 in the URL below corresponds to the fidesops version, not the DRP version.

GET /api/v1/drp/data-rights
{
    "version": "0.5",
    "api_base": null,
    "actions": [
        "access"
    ],
    "user_relationships": null
}

Revoke

You can revoke a pending privacy request via the /revoke endpoint.

GET /api/v1/drp/revoke
{
    "request_id": "c789ff35-7644-4ceb-9981-4b35c264aac3", 
    "reason": "Accidentally submitted"
}