How to Verify a CCPA Consumer Request

TrueVault-How-to-Verify-a-CCPA-Consumer-Request-1

The California Consumer Privacy Act (CCPA) grants California residents (“consumers”) the right to submit privacy requests to the businesses that collect and use their personal information. Responding to these consumer requests in a timely manner is a major component of CCPA compliance, but the law also states that certain requests must be “verifiable.”

How do you verify a CCPA request? It should come as no surprise that the verification process has its own set of rules. Here we’ll cover general guidance for verification, the rules for different types of verifiable consumer requests, and common issues that can arise.

General Rules for Verifying CCPA Requests

The California Attorney General has issued regulations clarifying how businesses should verify privacy requests under the CCPA. These general rules apply to all request verifications.

  • Whenever feasible, businesses should match the identifying information provided by the requestor to the personal information of the consumer already maintained by the business.
  • Businesses should avoid collecting any new personal information from the consumer, especially sensitive information, unless necessary for purposes of verification. Sensitive information includes social security numbers, driver’s license numbers, account numbers in combination with access codes, medical information, and health insurance information. Any additional information collected for verification purposes should be deleted immediately after the request has been processed.
  • Businesses should consider the following factors:
    • Type, sensitivity, and value of the personal information. Sensitive or valuable information warrants a more stringent verification process
    • Risk of harm presented by unauthorized access or deletion
    • Likelihood that fraudulent or malicious actors would seek the information
    • Whether the personal information requested from the consumer for verification is sufficiently robust to protect against fraud
    • Manner in which the business interacts with the consumer (e.g., if interactions are typically online, in person, etc.)
    • Available technology for verification
  • Businesses should implement reasonable security measures for detecting fraudulent activity.
  • Businesses may not charge a fee for verifying the identity of the consumer.
  • The verification process does not extend the deadline for complying with the consumer request.

The two most important points here are that businesses should avoid collecting new personal information, and that the level of verification required will depend on the information that is the subject of the request.

Requests to Know

All CCPA requests to know must be verifiable, but the verification requirements depend on the type of request.

Requests to know categories of personal information that have been collected from a consumer require a less stringent verification procedure. A business must verify the consumer’s identity to a reasonable degree of certainty. This may include matching two data points provided by the consumer to data points maintained by the business, such as a known email address.

Requests to know specific pieces of personal information require a business to verify the consumer’s identity to a reasonably high degree of certainty. This may include matching three data points provided by the consumer to data points maintained by the business and requiring a signed declaration under penalty of perjury verifying the requestor’s identity.

If a business is unable to verify a request to know categories of personal information, it may deny the request. If they cannot verify a request to know specific pieces of personal information, the business must deny the request. In both cases, the business must inform the requestor why the request was denied.

Learn more about responding to requests to know.

Requests to Delete

Requests to delete must also be verifiable. The level of verification required will depend on the nature of the personal information the requestor wants deleted. For example, a request to delete the consumer’s browsing history may only require a reasonable degree of certainty, while a request to delete family photos may require a reasonably high degree of certainty, as defined above.

If a business cannot verify the requestor’s identity, it may deny the request and then inform the requestor why it has done so. However, if that business also sells or shares personal information, it must ask the consumer if they would like to make a request to opt out, and provide them with information on how to make that request.

Learn more about responding to requests to delete.

Requests to Opt Out

Consumer requests to opt out of the sale or sharing of their personal information do not need to be verifiable. In fact, a business cannot make verification a requirement. However, if the business has a good-faith, reasonable, and documented belief that a request to opt out is fraudulent, it may deny the request. In this case, the business must explain to the requestor why it believes the request is fraudulent.

Learn more about responding to requests to opt out.

Requests to Limit

Similar to requests to opt out, businesses cannot require verification for a request to limit use and disclosure of sensitive personal information. However, if the business has a good-faith, reasonable, and documented belief that a request to opt out is fraudulent, it may deny the request. In this case, the business must explain to the requestor why it believes the request is fraudulent.

Learn more about responding to requests to limit.

Requests to Correct

With regard to a request to correct inaccurate personal information, may require the consumer to verify their identity. If their identity cannot be confirmed, businesses have the discretion to choose whether or not to deny the request.

Learn more about responding to requests to correct.

Verification by Account Login

If a consumer already has a password-protected account with a business, the business may verify the consumer’s identity through its existing account-authentication practices. This verification must still follow the general rules outlined above, and the business must require the account holder to re-authenticate themselves before the data is deleted or transferred. However, businesses cannot require a consumer to create an account in order to process a CCPA privacy request.

If the business suspects fraudulent activity from the password-protected account, the business must not comply with the request until further verification procedures authenticate the requestor’s identity.

Household Information Requests

There are special rules for verifying requests for specific pieces of personal information about a household or the deletion of household information. A household means a group of people who (1) reside at the same address, (2) share a common device or service provided by the business, and (3) are identified by the business as sharing the same group account or unique identifier.

If the household has a password-protected account, the business may use its normal authentication procedures to verify the request, as described above. If not, the business must make sure all of these conditions are met:

  • All consumers of the household jointly request to know specific pieces of information for the household or the deletion of household personal information
  • Each member of the household is individually verified
  • Each member making the request is currently a member of the household

Authorized Agents

Consumers may submit CCPA privacy requests through an authorized agent. If it is a request to know or request to delete, the business may require the agent to prove it has signed permission to make the request. It may also require the consumer to:

  • Verify their own identity directly with the business, or
  • Directly confirm with the business that they provided the authorized agent permission to submit the request on the consumer’s behalf

These requirements would not apply when the consumer has provided the agent with power of attorney.

Third-Party Verification Services

Businesses can use third-party verification services to verify CCPA consumer requests. These services must still abide by the same rules, but they offer a few benefits to businesses. First, they offer convenience—businesses don’t need to keep their own staff trained and up to date with all the rules listed above. Second, by using an outside vendor, businesses can avoid collecting any new personal information from the consumer during the verification process.

For example, a third-party verification service may ask consumers to submit a photo of themselves holding up their driver’s license. The service verifies that the person is who they say they are, and sends a confirmation token to the business. In this way, the business did not collect the consumer’s biometric data (a faceprint, in this case) or their ID information.

Choosing the Correct Verification Method

Establishing the right identity verification procedures in advance will make it much easier to respond to privacy requests as they come in.

The first step in verification should be determining whether the consumer has a password-protected account. If so, then requests can be verified using existing account-authentication procedures, as described above.

If they do not have a password-protected account, the verification method depends on the type of request and sensitivity of the personal information involved. It helps to divide requests into two groups:

Requests Requiring a Reasonable Degree of Certainty

  • Requests to know categories of personal information collected
  • Requests to delete common information (browsing history, email address, etc.)

Requests Requiring a Reasonably High Degree of Certainty

  • Requests to know specific pieces of personal information collected
  • Requests to delete sensitive information (e.g., family photos or unique documents)

The first group of requests can generally be verified using email verification or email verification plus matching one additional data point. The second group may be verified by using email plus two additional data points and a signed declaration. Refer to the general rules outlined above when deciding what is appropriate.

The two types of requests to know—categories vs. specific pieces of information—are easy to distinguish from each other. Requests to delete require a bit more nuance. When creating their CCPA data map, a business should examine each category of personal information they collect and determine if it warrants a higher degree of verification with regard to deletion requests. Consider what harm an unauthorized deletion could cause to the consumer. Is the information unique? Is it likely to be important to the consumer?

Finally, is the personal information shared by a household? If so, the business must verify all household members’ identities and confirm that they are all joining in the request.

With these questions answered, businesses can quickly and reliably determine what level of verification is needed for a specific request.

Become CCPA Compliant

Verification of consumer requests is just one component of a larger system of CCPA compliance. TrueVault Polaris is an automation tool that guides businesses step-by-step through the entire process of becoming CCPA compliant, including defining the proper verification procedures. Contact us today to get started.

Schedule Call