Obligation to Verify Consumer Requests under CCPA

Businesses are required to establish, document, and comply with a reasonable verification method for consumer requests.


Key points

Businesses and, to some extent, service providers, shall “establish, document, and comply” with a reasonable verification method.

As a general rule, requests to know, requests to delete, and requests to opt-in to sales require verification of the consumer, but requests to opt-out do not.

There are specific factors to be considered by businesses when creating their verification processes.

Where possible, the additional collection of information should be minimized.

The CCPA proposed rules set out a number of general factors to consider. Specific rules apply where the consumer holds a password-protected account with the business. Absent a password-protected account, the Proposed Regs. set specific guidelines depending on the type of request, with stricter verification guidelines applying before specific pieces of information are disclosed and no verification requirement applying to requests to opt-out of sales.

Additionally, special verification rules apply to situations where the request is made through an agent, received by a service provider, or relates to household data.


NOTE: This article was created to be used by the students of Santa Clara Law School attending Comparative Privacy Law during the 2020 Spring Semester. It is based on an initial reading of the Proposed CCPA Rules (“Proposed CCPA Regs.” or “Proposed Regs.”) issued by the California Attorney General in October 2019. It is expected that the rules will be amended before they become final. The contents of this article DO NOT CONSTITUTE LEGAL ADVICE. Organizations seeking to comply with the CCPA would be well served by engaging experienced privacy counsel to identify their obligations under the law.


General Rules

(See, CCPA Proposed Regs § 999.323 / Authority cited: Section 1798.185, Civil Code. / Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140, and 1798.185, Civil Code)

Businesses and, to some extent, service providers, have an obligation to verify consumer requests under the CCPA. For that purpose, a business shall “establish, document, and comply” with a reasonable verification method for a request to know or a request to delete. (See, CCPA Proposed Regs § 999.323 (a)).

As a general rule, requests to know, requests to delete, and requests to opt-in to sales require verification of the consumer, but requests to opt-out do not.

When verifying the identity of a consumer, a business shall:

(See, CCPA Proposed Regs § 999.323 (b)(1)&(2))

The business shall consider the following factors when designing the verification process:

(See, CCPA Proposed Regs § 999.323 (b)(3))

A business shall generally avoid requesting additional information. However, if the business cannot verify from the information it already maintains, the business may request additional information, so long as:

(See, CCPA Proposed Regs § 999.323 (c))


Example:

If a business maintains personal information in a manner associated with a named and actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if the business maintains the consumer’s name and credit card number, the business may require the consumer to provide the credit card’s security code and to identify a recent purchase made with their credit card to verify their identity to a reasonable degree of certainty.


Example:

If a business maintains personal information in a manner that is not associated with a named and actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information. This may require the business to conduct a fact-based verification process that considers different factors.


A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to or deletion of a consumer’s personal information. (See, CCPA Proposed Regs § 999.323 (d))

If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and, if this is the case for all consumers whose personal information the business holds, in the business’s privacy policy. The business shall also explain why it has no reasonable method by which it can verify the identity of the requestor.

Special Rules for Password Protected Accounts

(See, CCPA Proposed Regs § 999.324 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.)

If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through existing authentication practices for the account. This is provided that the business follows the general requirements for verification (see above, “General Rules”):

If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a request to know or a request to delete until it has carried out further verification procedures. These procedures should establish that the request is authentic and that the consumer making the request is the person about whom the business has collected the information.

Verification of Identity for Non-Account Holders

(See, CCPA Proposed Regs § 999.325 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.)

The Proposed Regs. establish specific verification standards and requirements that apply where a consumer does not have or cannot access a password-protected account. These standards and requirements differ depending on the right that the consumer is requesting to exercise:

For a request to know the categories of personal information collected:

(See, CCPA Proposed Regs § 999.325)

For a request to know specific pieces of personal information:

(See, CCPA Proposed Regs § 999.325)

For a request to delete personal information:

(See, CCPA Proposed Regs § 999.325)

For requests to opt-out of sales:

A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requesting party that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.

(See, CCPA Proposed Regs § 999.315)

For requests to opt-in to sales:

Requests to opt-in to the sale of personal information shall use a two-step opt-in process where the consumer shall:

(See, CCPA Proposed Regs § 999.316 / Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185, Civil Code.)

Parental verification: A business shall use methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian, which include:

This affirmative authorization is in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501, et seq.

(See, CCPA Proposed Regs § 999.330 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, and 1798.185(a)(6), Civil Code.)

Use of An Authorized Agent

(See, CCPA Proposed Regs § 999.326 / Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.110, 1798.115, 1798.130, and 1798.185, Civil Code.)

Except when the consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, when a consumer uses an authorized agent to submit a request to know or a request to delete, the business may require that the consumer:

A business may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Special Rules for Requests Received by Service Providers

(See, CCPA Proposed Regs § 999.314 / Authority cited: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.)

If a service provider receives a request to know or a request to delete from a consumer regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services, and does not comply with the request, it shall explain the basis for the denial.

However, a service provider that is a business shall comply with the CCPA and the CCPA regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider.

(See, CCPA Proposed Regs § 999.314 (c) — (e))

Special Rules for Household Data

(See, CCPA Proposed Regs. § 999.318 / Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.130, 1798.140, and 1798.185, Civil Code)

Where a consumer does not have a password-protected account with a business, a business may respond to a request to know or request to delete as it pertains to household personal information by providing aggregate household information, subject to verification requirements.

If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements, then the business shall comply with the request.

Written by Lydia F de la Torre (Teacher. Counsel. Author. Queen bee.)

Golden Data, a legal blog about data laws
