Obligation to Verify Consumer Requests under CCPA

Lydia F de la Torre
Oct 29 · 9 min read

Business are required to establish, document, and comply with a reasonable verification method for consumer requests.

IABI — Image from page 218 of “Injurious insects and the use of insecticides [microform] : a new descriptive manual on noxious insects, with methods for their repression” (1894)

Key points

Businesses and, to some extent, service providers, shall “establish, document, and comply” with a reasonable verification method.

As a general rule, requests to know, requests to delete, and request to opt-in for sales require the verification of the consumer but request to opt-out do not.

There are specific factors to be considered by businesses when creating their verification processes.

Where possible, the additional collection of information should be minimized.

The CCPA proposed rules set a number of general factors to consider. Specific rules apply for situations where the consumer holds a password-protected account with the business. Absent a password protected account, the CCPA sets specific guidelines depending on the type of request, with stricter verification guidelines applying before disclosing specific pieces of information and no requirements applying for request to opt-out of sales.

Additionally, special verification rules apply to situations where the request is made through an agent, received by a service provider, or relates to household data.


NOTE: This article was created to be used by the students of Santa Clara Law School attending Comparative Privacy Law during the 2020 Spring Semester. It is based on an initial reading of the Proposed CCPA Rules (“Proposed CCPA Regs.” or “Proposed Regs.”) issued by the California Attorney General on October 2019. It is expected that the rules will be amended before they become final. The contents of this article DO NOT CONSTITUTE LEGAL ADVICE. Organizations seeking to comply with the CCPA would be well served by engaging experienced privacy counsel to identify their obligations under the law.


General Rules

(See, CCPA Proposed Regs § 999.323 / Authority cited: Section 1798.185, Civil Code. / Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140, and 1798.185, Civil Code)

Businesses and, to some extent, service providers, have an obligation to verify consumer requests under the CCPA. For that purpose, a business shall “establish, document, and comply” with a reasonable verification method for a request to know or a request to delete. (See, CCPA Proposed Regs § 999.323 (a)).

As a general rule, requests to know, requests to delete, and request to opt-in for sales require the verification of the consumer but request to opt-out do not.

When verifying the identity of a consumer, a business shall:

  • whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with the requirements for verification.
  • avoid collecting certain types of personal information identified in , unless necessary for the purposes of verifying the consumer.

(See, CCPA Proposed Regs § 999.323 (b)(1)&(2))

The business shall consider the following factors when designing the verification process:

  • The type, sensitivity, and value of the personal information collected and maintained about the consumer. Applying stringent verification methods to sensitive or valuable personal information shall warrant a more stringent verification process (personal information identified in Civil Code section 1798.81.5(d) shall be considered presumptively sensitive);
  • The risk of harm to the consumer posed by any unauthorized access or deletion (the greater the risk of harm the more stringent the verification process);
  • The likelihood that fraudulent or malicious actors would seek the personal information (the higher the likelihood, the more stringent the verification process);
  • Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests,being spoofed, or fabricated;
  • The manner in which the business interacts with the consumer; and
  • Available technology for verification.

(See, CCPA Proposed Regs § 999.323 (b)(3))

A business shall generally avoid requesting additional information. However, if the business cannot verify from the information it already maintains, the business may request additional information, so long as:

  • The information shall only be used for the purposes of verifying the identity, and for security or fraud-prevention purposes.
  • The business shall delete any new personal information for verification as soon as practical, except as required to comply with record keeping obligations.

(See, CCPA Proposed Regs § 999.323 (c))


Example:

If a business maintains personal information in a manner associated with a named and actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if the business maintains the consumer’s name and credit card number, the business may require the consumer to provide the credit card’s security code and to identify a recent purchase made with their credit card to verify their identity to a reasonable degree of certainty.


Example:

If a business maintains personal information in a manner that is not associated with a named and actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information. This may require the business to conduct a fact-based verification process that considers different factors.


A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to or deletion of a consumer’s personal information. (See, CCPA Proposed Regs § 999.323 (d))

If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and, if this is the case for all consumers whose personal information the business holds, in the business’s privacy policy. The business shall also explain why it has no reasonable method by which it can verify the identity of the requestor.

  • The business shall evaluate on a yearly basis whether such a method can be established and shall document its evaluation.

Special Rules for Password Protected Accounts

(See, CCPA Proposed Regs § 999.324 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.)

If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through existing authentication practices for the account. This is provided that the business follows the general requirements for verification (see above, “General Rules”):

  • The business shall require a consumer to re-authenticate before disclosing or deleting the consumer’s data.

If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer who requests to know or requests to delete, until further verification procedures. These procedures should determine that the consumer’s request is authentic and the consumer making the request is the person whom the business has collected information.

  • The business may use the procedures established for verification of non-account holders to further verify the identity of the consumer (see below, “Verification of Identity for Non-Account Holders”).

Verification of Identity for Non-Account Holders

(See, CCPA Proposed Regs § 999.325 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.)

The Proposed Regs. establish specific verification standards and requirements that apply where a consumer does not have or cannot access a password-protected account. These standards and requirements differ depending on the right that the consumer is requesting to exercise:

For a request to know the categories of personal information collected:

  • Verification of the identity of the consumer making the request must be to a reasonable degree of certainty.
  • A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business, which the business has determined to be reliable for the purpose of verifying the consumer.

(See, CCPA Proposed Regs § 999.325)

For a request to know specific pieces of personal information:

  • Verification of the identity of the consumer making the request must be to a reasonably high degree of certainty, which is a higher bar for verification.
  • A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business, that it has determined to be reliable for the purpose of verifying the consumer together. This should include a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
  • Businesses shall maintain all signed declarations as part of their record-keeping obligations.

(See, CCPA Proposed Regs § 999.325)

For a request to delete personal information:

  • Verification of the identity of the consumer making the request must be to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.
  • For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty.
  • A business shall act in good faith when determining the appropriate standard to apply

(See, CCPA Proposed Regs § 999.325)

For requests to opt-out of sales:

A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requesting party that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.

(See, CCPA Proposed Regs § 999.315)

For request to opt-in to sales:

Requests to opt-in to the sale of personal information shall use a two-step opt-in process where the consumer shall:

  1. Clearly request to opt-in; and then
  2. separately confirm their choice to opt-in.

(See, CCPA Proposed Regs § 999.316 / Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185, Civil Code.)

Parental verification: A business shall use methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian, which include:

  • Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;
  • Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
  • Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
  • Having a parent or guardian connect to trained personnel via video-conference;
  • Having a parent or guardian communicate in person with trained personnel; and
  • Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, where after such verification is complete, the parent or guardian’s identification is promptly deleted by the business from its records.

This affirmative authorization is in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501, et seq.

See, CCPA Proposed Regs § 999.330 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185(a)(6), Civil Code.

Use of An Authorized Agent

(See, CCPA Proposed Regs § 999.326 / Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.)

Except when consumers have provided the authorized agent with power of attorney, pursuant to Probate Code sections 4000 to 4465 ©, when a consumer uses an authorized agent to submit a request to know or a request to delete, the business may require that the consumer:

  • Provide the authorized agent written permission to do so; and
  • verify their own identity directly with the business.

A business may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Special rules regarding handling requests for service providers:

(See, CCPA Proposed Regs § 999.314 / Authority cited: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.)

If a service provider receives a request to know or a request to delete from a consumer regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services, and does not comply with the request, it shall explain the basis for the denial.

  • The service provider shall also inform the consumer that it should submit the request directly to the business on behalf of the service provider who processes the information and, when feasible, provide the consumer with contact information for that business.

However, a service provider that is a business shall comply with the CCPA and the CCPA regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider.

(See, CCPA Proposed Regs § 999.314 (c) — (e))

Special Rules for Household Data:

(See, CCPA Proposed Regs. § 999.318 / Authority cited: Section 1798.185 / Civil Code. Reference: Section 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.130, 1798.140, and 1798.185, Civil Code)

Where a consumer does not have a password-protected account with a business, a business may respond to a request to know or request to delete as it pertains to household personal information by providing aggregate household information, subject to verification requirements.

If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements, then the business shall comply with the request.

Golden Data

Legal blog about data laws

Lydia F de la Torre

Written by

Teacher. Counsel. Author. Queen bee.

Golden Data

Legal blog about data laws

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade