California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
The California Consumer Privacy Act (CCPA) grants California residents (“consumers”) the right to submit privacy requests to the businesses that collect and use their personal information. Responding to these consumer requests in a timely manner is a major component of CCPA compliance, but the law also states that certain requests must be “verifiable.”
How do you verify a CCPA request? It should come as no surprise that the verification process has its own set of rules. Here we’ll cover general guidance for verification, the rules for different types of verifiable consumer requests, and common issues that can arise.
The California Attorney General has issued regulations clarifying how businesses should verify privacy requests under the CCPA. These general rules apply to all request verifications.
The two most important points here are that businesses should avoid collecting new personal information, and that the level of verification required will depend on the information that is the subject of the request.
All CCPA requests to know must be verifiable, but the verification requirements depend on the type of request.
Requests to know categories of personal information that have been collected from a consumer require a less stringent verification procedure. A business must verify the consumer’s identity to a reasonable degree of certainty. This may include matching two data points provided by the consumer to data points maintained by the business, such as a known email address.
Requests to know specific pieces of personal information require a business to verify the consumer’s identity to a reasonably high degree of certainty. This may include matching three data points provided by the consumer to data points maintained by the business and requiring a signed declaration under penalty of perjury verifying the requestor’s identity.
If a business is unable to verify a request to know categories of personal information, it may deny the request. If they cannot verify a request to know specific pieces of personal information, the business must deny the request. In both cases, the business must inform the requestor why the request was denied.
Learn more about responding to requests to know.
Requests to delete must also be verifiable. The level of verification required will depend on the nature of the personal information the requestor wants deleted. For example, a request to delete the consumer’s browsing history may only require a reasonable degree of certainty, while a request to delete family photos may require a reasonably high degree of certainty, as defined above.
If a business cannot verify the requestor’s identity, it may deny the request and then inform the requestor why it has done so. However, if that business also sells or shares personal information, it must ask the consumer if they would like to make a request to opt out, and provide them with information on how to make that request.
Learn more about responding to requests to delete.
Consumer requests to opt out of the sale or sharing of their personal information do not need to be verifiable. In fact, a business cannot make verification a requirement. However, if the business has a good-faith, reasonable, and documented belief that a request to opt out is fraudulent, it may deny the request. In this case, the business must explain to the requestor why it believes the request is fraudulent.
Learn more about responding to requests to opt out.
Similar to requests to opt out, businesses cannot require verification for a request to limit use and disclosure of sensitive personal information. However, if the business has a good-faith, reasonable, and documented belief that a request to opt out is fraudulent, it may deny the request. In this case, the business must explain to the requestor why it believes the request is fraudulent.
Learn more about responding to requests to limit.
With regard to a request to correct inaccurate personal information, may require the consumer to verify their identity. If their identity cannot be confirmed, businesses have the discretion to choose whether or not to deny the request.
Learn more about responding to requests to correct.
If a consumer already has a password-protected account with a business, the business may verify the consumer’s identity through its existing account-authentication practices. This verification must still follow the general rules outlined above, and the business must require the account holder to re-authenticate themselves before the data is deleted or transferred. However, businesses cannot require a consumer to create an account in order to process a CCPA privacy request.
If the business suspects fraudulent activity from the password-protected account, the business must not comply with the request until further verification procedures authenticate the requestor’s identity.
There are special rules for verifying requests for specific pieces of personal information about a household or the deletion of household information. A household means a group of people who (1) reside at the same address, (2) share a common device or service provided by the business, and (3) are identified by the business as sharing the same group account or unique identifier.
If the household has a password-protected account, the business may use its normal authentication procedures to verify the request, as described above. If not, the business must make sure all of these conditions are met:
Consumers may submit CCPA privacy requests through an authorized agent. If it is a request to know or request to delete, the business may require the agent to prove it has signed permission to make the request. It may also require the consumer to:
These requirements would not apply when the consumer has provided the agent with power of attorney.
Businesses can use third-party verification services to verify CCPA consumer requests. These services must still abide by the same rules, but they offer a few benefits to businesses. First, they offer convenience—businesses don’t need to keep their own staff trained and up to date with all the rules listed above. Second, by using an outside vendor, businesses can avoid collecting any new personal information from the consumer during the verification process.
For example, a third-party verification service may ask consumers to submit a photo of themselves holding up their driver’s license. The service verifies that the person is who they say they are, and sends a confirmation token to the business. In this way, the business did not collect the consumer’s biometric data (a faceprint, in this case) or their ID information.
Establishing the right identity verification procedures in advance will make it much easier to respond to privacy requests as they come in.
The first step in verification should be determining whether the consumer has a password-protected account. If so, then requests can be verified using existing account-authentication procedures, as described above.
If they do not have a password-protected account, the verification method depends on the type of request and sensitivity of the personal information involved. It helps to divide requests into two groups:
Requests Requiring a Reasonable Degree of Certainty
Requests Requiring a Reasonably High Degree of Certainty
The first group of requests can generally be verified using email verification or email verification plus matching one additional data point. The second group may be verified by using email plus two additional data points and a signed declaration. Refer to the general rules outlined above when deciding what is appropriate.
The two types of requests to know—categories vs. specific pieces of information—are easy to distinguish from each other. Requests to delete require a bit more nuance. When creating their CCPA data map, a business should examine each category of personal information they collect and determine if it warrants a higher degree of verification with regard to deletion requests. Consider what harm an unauthorized deletion could cause to the consumer. Is the information unique? Is it likely to be important to the consumer?
Finally, is the personal information shared by a household? If so, the business must verify all household members’ identities and confirm that they are all joining in the request.
With these questions answered, businesses can quickly and reliably determine what level of verification is needed for a specific request.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.