Skip to content
Data Rights Protocol (DRP)

Data Rights Protocol

The Data Rights Protocol (opens in a new tab) (DRP) is a technical standard for exchanging data rights requests under regulations like the California Consumer Privacy Act (CCPA).

As a Privacy Infrastructure Provider (PIP), Fides conforms to the DRP standards to receive and process Data Rights Requests. The following endpoints and actions are available in Fides for working within the DRP specifications.

DRP Actions

A DRP action (opens in a new tab) may be defined when creating or editing a policy. These actions associate a Fides privacy request policy with a DRP-standardized protocol for receiving and processing Data Rights Requests.

A given action may only be associated to a single policy:

PATCH /api/v1/policy
        "name": "User Email Address",
        "key": "user_email_address_policy",
        "drp_action": "access"

Available actions

The following actions may be associated to a policy via the drp_action attribute, which correspond to the DRP's set of supported rights (opens in a new tab).

sale:opt_outRight to opt out of data sale
sale:opt_inReconsent, or opt-in to data sale
deletionRight to Delete
accessRight to Know
access:categoriesRight to Know
access:specificRight to Know


Once a policy is associated with an action, the following DRP-standardized endpoints are available.


The /exercise endpoint creates a new DRP privacy request. Fides will execute this request based on the policy associated to the DRP action specified in exercise.

All identity information should be encapsulated in the provided identity field using RFC7515-encoded JSON Web Tokens (opens in a new tab). More about identity ecapsulation can be found in the DRP standard (opens in a new tab).

POST /api/v1/drp/exercise
  "meta": {
    "version": "0.5"
  "exercise": [
  "identity": "jwt",
    "request_id": "c789ff35-7644-4ceb-9981-4b35c264aac3",
    "received_at": "20210902T152725.403-0700",
    "expected_by": "20211015T152725.403-0700",
    "status": "open",


The current status of an existing privacy request may be returned via the /status endpoint, which must be queried using a privacy request ID.

GET /api/v1/drp/status?request_id={privacy_request_id}
    "request_id": "c789ff35-7644-4ceb-9981-4b35c264aac3",
    "status": "open",

Data Rights

All data rights associated with existing policies may be returned via the /data-rights endpoint. Note that the v1 in the below URL does not correspond to DRP version, but instead corresponds to Fides version.

GET /api/v1/drp/data-rights
    "version": "0.5",
    "api_base": null,
    "actions": [
    "user_relationships": null


You can revoke a pending privacy request via the /revoke endpoint.

GET /api/v1/drp/revoke
    "request_id": "c789ff35-7644-4ceb-9981-4b35c264aac3", 
    "reason": "Accidentally submitted"