Verifying Consumer Privacy Requests
Responding to consumer requests in a timely manner is a major component of CCPA compliance, but the law also states that certain requests must be “verifiable.” Here we’ll cover general guidance for verification, the rules for different types of consumer requests, and common issues that can arise.
General Rules for Verifying CCPA Requests
The California Attorney General has issued regulations clarifying how businesses should verify privacy requests under the CCPA. These general rules apply to all request verifications.
- Businesses should avoid collecting any new personal information from the consumer, especially sensitive information, unless necessary for purposes of verification. Sensitive information includes social security numbers, driver’s license numbers, account numbers in combination with access codes, medical information, and health insurance information. Any additional information collected for verification purposes should be deleted immediately after the request has been processed.
- The level of verification required may vary, depending on the situation. Businesses should consider the following factors:
- Type, sensitivity, and value of the personal information. Sensitive or valuable information warrants a more stringent verification process
- Risk of harm presented by unauthorized access or deletion
- Likelihood that fraudulent or malicious actors would seek the information
- Whether the personal information requested from the consumer for verification is sufficiently robust to protect against fraud
- Manner in which the business interacts with the consumer (e.g., if interactions are typically online, in person, etc.)
- Available technology for verification
- Businesses may not charge a fee for verifying the identity of the consumer
- The verification process does not extend the deadline for complying with the consumer request
Requests to Know
Requests to know specific pieces of personal information require a business to verify the consumer’s identity to a reasonably high degree of certainty. This may include matching three data points provided by the consumer to data points maintained by the business and requiring a signed declaration under penalty of perjury verifying the requestor’s identity.
If a business cannot verify a request to know, the business must deny the request and inform the requestor why the request was denied.
Requests to Delete
Requests to delete must also be verifiable. The level of verification required will depend on the nature of the personal information the requestor wants deleted. For example, a request to delete the consumer’s browsing history may require a lower reasonable degree of certainty than a request to delete family photos or unique documents.
If a business cannot verify the requestor’s identity, it may deny the request and then inform the requestor why it has done so.
Verification by Account Login
If a consumer already has a password-protected account with a business, the business may verify the consumer’s identity through its existing account-authentication practices. This verification must still follow the general rules outlined above, and the business must require the account holder to re-authenticate themselves before the data is deleted or transferred. However, businesses cannot require a consumer to create an account in order to process a CCPA privacy request.
Authorized Agents
Consumers may submit CCPA privacy requests through an authorized agent. If it is a request to know or request to delete, the business may require the agent to prove it has signed permission to make the request. It may also require the consumer to:
- Verify their own identity directly with the business, or
- Directly confirm with the business that they provided the authorized agent permission to submit the request on the consumer’s behalf
These requirements would not apply when the consumer has provided the agent with power of attorney.