Verification Under the CCPA Statute

A leading challenge to a business in complying with the CCPA is determining whether a consumer who is requesting to know what information that business has on him/her is, in fact, truly that consumer and not an imposter. Section 1798.140(y) of the statute defines a “[v]erifiable consumer request” as “a request that is made by a consumer…that the business can reasonably verify…to be the consumer about whom the business has collected personal information.” It goes on to state that “[a] business is not obligated to provide information to the consumer…if the business cannot verify…that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.” The statute cites a long list of requirements in the context of verification:

  • A business shall provide the information specified in §1798.100(a) [i.e., the categories and specific pieces of personal information the business has collected] to a consumer only upon receipt of a verifiable consumer request. 1
  • A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to §1798.105(a) [i.e., right to request that a business delete any personal information about the consumer which the business has collected from the consumer] shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records. 2
  • A business that collects personal information about a consumer shall disclose to the consumer, pursuant to §1798.130(a)(3) [i.e., a business shall disclose, in a form that is reasonably accessible to consumers, the category or categories of personal information collected about the consumer in the preceding 12 months], the information specified in §1798.110(a) [i.e., what personal information is being collected and circumstances surrounding that collection] upon receipt of a verifiable consumer request from the consumer. 3
  • A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to §1798.130(a)(4) [i.e., information sold or disclosed in the previous 12 months], the information specified in §1798.115(a) [i.e., the categories of personal information collected, sold, and shared] to the consumer upon receipt of a verifiable consumer request from the consumer. 4
  • A business must disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. 5
  • The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’ duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. 6
  • The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request. 7

Verification Under the CCPA Regulations

Section 999.323(a) of the Regulations prescribes the general rule of verification of the identity of requestors:

“A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.”

The rest of §999.323 addresses the process for constructing an identity verification process. Relevant points include:

  • “Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.” 8 The concept of a third-party identity verification service is not found in the CCPA statute but is introduced here.
  • “Avoid collecting the types of personal information identified in Civil Code section 1798.81.5(d), unless necessary for the purpose of verifying the consumer.” This is a reference to personal information such as Social Security numbers, driver’s license numbers and similar identification numbers, and other personal information that is particularly sensitive or advances identity theft. 9
  • Considerations of potential elements for use in the verification process include: 10

    a. The type, sensitivity, and value of the personal information collected and maintained about the consumer (this point cites §1798.81.5(d) personal information as presumptively sensitive);
    b. The risk of harm to the consumer posed by any unauthorized access or deletion;
    c. The likelihood that fraudulent or malicious actors would seek the personal information;
    d. Whether the personal information to be provided by the consumer…is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;
    e. The manner in which the business interacts with the consumer; and
    f. Available technology for verification.

    Point “d” does not describe what qualifies as “robust”; the idea of certain types of personal information not lending itself to fraudulent requests is almost certainly new.

  • A side effect of verifying a requestor is the necessity of asking him/her for additional personal information in order to complete the verification. Section 999.323(c) articulates the general rule that “[a] business shall generally avoid requesting additional information from the consumer for purposes of verification.” It qualifies this by stating that

    [i]f, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, and for security or fraud-prevention purposes.

    This subsection closes by stating that “[t]he business shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request, except as required to comply with section 999.317” [i.e., record keeping provisions].

  • “A business shall not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete.” 11
  • “If a business maintains consumer information that is deidentified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.” 12

1. Cal. Civ. Code §1798.100(c).
2. Cal. Civ. Code §1798.105(c).
3. Cal. Civ. Code §1798.110(b).
4. Cal. Civ. Code §1798.115(b).
5. Cal. Civ. Code §1798.130(a)(2).
6. Id.
7. Id.
8. The CCPA Regulations §999.323(b)(1).
9. The CCPA Regulations §999.323(b)(2).
10. The CCPA Regulations §999.323(b)(3).
11. The CCPA Regulations §999.323(d).
12. The CCPA Regulations §999.323(f).