Third Party Disclosure Request Lifecycle
With the passage of Oregon Consumer Privacy Act and the Minnesota Consumer Data and Privacy Act, businesses in those states must provide consumers with a list of third parties with whom they share consumer data starting July 1st, 2024. When a Data Subject would like to request a list of these third parties, they will submit a Third Party Disclosure request.
Click here for more information on how to manage your third parties in DataGrail.
Request Submission
When a Privacy Request is created, its workflow is determined by the submission method and your automation configuration.
Requests submitted through API, Intake Form, and Request Queue will enter the Active: Initializing state if an Initialization automation is configured. From there, the request proceeds directly to Active: Pending Action when the automation completes.
Requests submitted through Email Forwarding and Toll-Free Number are not supported by the Initialization phase and will enter the Active: Wizard state directly.
If no Initialization automation is published, requests follow the standard workflow: Intake Form submissions enter Active: Pending Verification, and API, Toll-Free, and Email submissions enter Active: Wizard.
Active: Initializing
When an Initialization automation is configured, all requests submitted via API, Intake Form, and Request Queue enter this state immediately upon submission.
The Initialization phase runs your configured automation logic — which may include sending an identity verification email, sending a confirmation email, or extracting secondary identifiers — before the request enters processing. When the automation completes, the request moves directly to Active: Pending Action.
If identity verification is part of your Initialization automation, the request remains in Active: Initializing while waiting for the Data Subject to verify. It does not enter Active: Pending Verification.
For configuration details, see Automations.
Active: Pending Verification
If you have an Initialization automation configured, this state is bypassed. Verification is handled within Active: Initializing instead.
Once a request enters the verification state, an email will be sent to the Data Subject with a link to verify their identity. This ensures the Data Subject owns the email they are requesting information for.
The Data Subject has 7 days to verify their identity. If the verification is not completed within 7 days, the request will automatically move to Closed: Unverified. Verified requests will immediately move to the Active: Wizard state. A reminder email will be sent to Data Subjects who do not verify within 24 hours.
Email Templates: Email Verification, Email Verification Reminder
If you have verified the Data Subject Email outside of DataGrail, you can manually mark the request as verified in DataGrail.
Closed: Unverified
If the Data Subject fails to verify their email after 7 days, they will receive a confirmation that their Privacy Request was rejected, and the request will automatically move to closed.
Email Templates: Verification Rejected
Requests in the Closed: Unverified unverified state cannot be reopened. A new Privacy Request must be submitted if a Data Subject fails to verify their email.
Active: Wizard
If you have an Initialization automation configured, this state is bypassed. Requests submitted via API, Intake Form, and Request Queue proceed from Active: Initializing directly to Active: Pending Action.
The Request Wizard gives Privacy Managers an opportunity to review Data Subject information and confirm Privacy Requests are configured with the correct Legal Framework and other information.
At the end of the wizard, Privacy Managers are given the option to send Data Subjects a receipt of the request.
Additionally, Privacy Requests submitted via API, Toll-Free Number, and Email Forwarding are given an option to verify the Data Subject's email at the end of the wizard. If this option is selected, requests will move to Active: Pending Verification and directly to Active: Pending Action, if verified.
The Wizard State can be automatically skipped for verified requests by configuring your Wizard Automation settings.
Email Templates: Privacy Request Confirmation
DataGrail Notifications: Request Status - Pending Wizard
Active: Extracting Identifiers
If you have an Initialization automation configured with the Then Extract Identifiers action, identifier extraction is handled within Active: Initializing and this state is bypassed.
If your account is provisioned with Multiple Identifiers, configured integrations will begin to extract them in this state. Otherwise, the request will move immediately to Active: Pending Action.
Once extraction is complete, requests will move to Active: Pending Action.
Active: Pending Action
In this state, Privacy Managers have the opportunity to review the request details, before sending the Third Party Disclosures list to the Data Subject. Individual Third Parties cannot be added or deselected. The full Third Party Disclosures list will always be sent to the Data Subject.
Once the request has been reviewed, select Process Request to review the final confirmation email to the Data Subject. Third Party Disclosure requests will always move to the Closed: Responded state.
DataGrail Notifications: Request Status - Pending Action
Closed: Notifying Requester
In this state, the Data Subject will be only be notified of the relevant data categories you hold. The Data Subject will not receive any PII data files.
Email Templates: Third Party Disclosure Request Results
Closed: Responded
This state indicates the Data Subject has successfully received the Third Party Disclosure Request Results email.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.