The California Consumer Privacy Act (CCPA) grants California residents (“consumers”) the right to submit privacy requests to the businesses that collect and use their personal information. Responding to these consumer requests in a timely manner is a major component of CCPA compliance, but the law also states that certain requests must be “verifiable.”
How do you verify a CCPA request? It should come as no surprise that the verification process has its own set of rules. Here we’ll cover general guidance for verification, the rules for different types of verifiable consumer requests, and common issues that can arise.
The California Attorney General has issued regulations clarifying how businesses should verify privacy requests under the CCPA. These general rules apply to all request verifications.
The two most important points here are that businesses should avoid collecting new personal information, and that the level of verification required will depend on the information that is the subject of the request.
All CCPA requests to know must be verifiable, but the verification requirements depend on the type of request.
Requests to know categories of personal information that have been collected from a consumer require a less stringent verification procedure. A business must verify the consumer’s identity to a reasonable degree of certainty. This may include matching two data points provided by the consumer to data points maintained by the business, such as a known email address.
Requests to know specific pieces of personal information require a business to verify the consumer’s identity to a reasonably high degree of certainty. This may include matching three data points provided by the consumer to data points maintained by the business and requiring a signed declaration under penalty of perjury verifying the requestor’s identity.
If a business is unable to verify a request to know categories of personal information, it may deny the request. If they cannot verify a request to know specific pieces of personal information, the business must deny the request. In both cases, the business must inform the requestor why the request was denied.
Requests to delete must also be verifiable. The level of verification required will depend on the nature of the personal information the requestor wants deleted. For example, a request to delete the consumer’s browsing history may only require a reasonable degree of certainty, while a request to delete family photos may require a reasonably high degree of certainty, as defined above.
If a business cannot verify the requestor’s identity, it may deny the request and then inform the requestor why it has done so.
Consumer requests to opt out of the sale of their personal information do not need to be verifiable. However, if the business has a good-faith, reasonable, and documented belief that a request to opt out is fraudulent, it may deny the request. In this case, the business must explain to the requestor why it believes the request is fraudulent.
If a consumer already has a password-protected account with a business, the business may verify the consumer’s identity through its existing account-authentication practices. This verification must still follow the general rules outlined above, and the business must require the account holder to re-authenticate themselves before the data is deleted or transferred. However, businesses cannot require a consumer to create an account in order to process a CCPA privacy request.
If the business suspects fraudulent activity from the password-protected account, the business must not comply with the request until further verification procedures authenticate the requestor’s identity.
There are special rules for verifying requests for specific pieces of personal information about a household or the deletion of household information. A household means a group of people who (1) reside at the same address, (2) share a common device or service provided by the business, and (3) are identified by the business as sharing the same group account or unique identifier.
If the household has a password-protected account, the business may use its normal authentication procedures to verify the request, as described above. If not, the business must make sure all of these conditions are met:
Consumers may submit CCPA privacy requests through an authorized agent. If it is a request to know or request to delete, the business may require the agent to prove it has signed permission to make the request. It may also require the consumer to:
These requirements would not apply when the consumer has provided the agent with power of attorney.
Businesses can use third-party verification services to verify CCPA consumer requests. These services must still abide by the same rules, but they offer a few benefits to businesses. First, they offer convenience—businesses don’t need to keep their own staff trained and up to date with all the rules listed above. Second, by using an outside vendor, businesses can avoid collecting any new personal information from the consumer during the verification process.
For example, a third-party verification service may ask consumers to submit a photo of themselves holding up their driver’s license. The service verifies that the person is who they say they are, and sends a confirmation token to the business. In this way, the business did not collect the consumer’s biometric data (a faceprint, in this case) or their ID information.
Establishing the right identity verification procedures in advance will make it much easier to respond to privacy requests as they come in.
The first step in verification should be determining whether the consumer has a password-protected account. If so, then requests can be verified using existing account-authentication procedures, as described above.
If they do not have a password-protected account, the verification method depends on the type of request and sensitivity of the personal information involved. It helps to divide requests into two groups:
Requests Requiring a Reasonable Degree of Certainty
Requests Requiring a Reasonably High Degree of Certainty
The first group of requests can generally be verified using email verification or email verification plus matching one additional data point. The second group may be verified by using email plus two additional data points and a signed declaration. Refer to the general rules outlined above when deciding what is appropriate.
The two types of requests to know—categories vs. specific pieces of information—are easy to distinguish from each other. Requests to delete require a bit more nuance. When creating their CCPA data map, a business should examine each category of personal information they collect and determine if it warrants a higher degree of verification with regard to deletion requests. Consider what harm an unauthorized deletion could cause to the consumer. Is the information unique? Is it likely to be important to the consumer?
Finally, is the personal information shared by a household? If so, the business must verify all household members’ identities and confirm that they are all joining in the request.
With these questions answered, businesses can quickly and reliably determine what level of verification is needed for a specific request.
Verification of consumer requests is just one component of a larger system of CCPA compliance. TrueVault Polaris is an automation tool that guides businesses step-by-step through the entire process of becoming CCPA compliant, including defining the proper verification procedures. Contact us today to get started.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.