NOTE: Since the writing of this blog, CCPA has been replaced with CPRA.
The CCPA: California Consumer Privacy Act provides a broad array of privacy rights to Californians. These rights provide Californians with the ability to request disclosures relating to the categories and specific pieces of personally identifiable information (PII) the business has collected and/or sold to third parties, as well as the ability to request the deletion of any PII the business has collected.
In order to process CCPA requests in compliance with the law, businesses must take steps to verify the identity of the requestor. The rationale for this may seem obvious: businesses must be able to verify the legitimacy of a CCPA request before taking any substantive action with respect to an individual’s PII.
But the verification requirement also accomplishes a more subtle goal of the law: it allows for user’s to exercise their individual privacy rights without sacrificing any degree of security. In short, it helps bridge any gaps between privacy and security. Without any requirement to verify the identity of the consumer making a CCPA request, the business would risk potentially disclosing sensitive information to the wrong consumer, or worse, someone masquerading as a consumer. Because of the potential risks associated with a business’s response to a CCPA request, verification of identity is a necessity.
This article will examine the following four topics:
- The definition of a “verifiable consumer request” under the CCPA;
- When the CCPA requires verifiable requests to be processed;
- How to properly verify a CCPA request; and
- Why verification of the consumer’s identity matters
Table of Contents
The definition of a “verifiable consumer request” under the CCPA
The CCPA defines a “verifiable consumer request” as a “request made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State [who is] authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify to be the consumer about whom the business has collected personal information.”
Should the business be unable to verify the authenticity of the consumer making the request, the definition also makes clear that the business is under no obligation to respond to requests for disclosures related to PII collected, sold, or disclosed for business purposes.
When the CCPA requires verifiable requests to be processed
When a consumer makes a request to a business involving his or her PII, the business under certain circumstances must verify the authenticity of the request before responding to it. Under the CCPA, businesses must verify a consumer request in the following instances:
- When a consumer makes a request to a business that collects PII to disclose to the consumer the categories and specific pieces of PII the business has collected;
- When a consumer makes a request to a business to delete any PII pertaining to the consumer which the business has collected;
- When a consumer requests that a business that collects the consumer’s PII to disclose the following to the consumer:
- The categories of PII the business has collected pertaining to the consumer;
- The categories of sources from which the PII was collected;
- The business or commercial purpose for the collection or sale of the PII;
- The specific pieces of the consumer’s PII that the business has collected; and
- When a consumer requests that a business that sells the consumer’s PII or discloses it for a business purpose disclose the following to the consumer:
- The categories of PII the business has collected pertaining to the consumer;
- The categories of PII the business has sold pertaining to the consumer;
- The categories of third parties who whom the PII was sold to; and
- The categories of PII the business disclosed for a business purpose.
If your business receives any of the following requests under the CCPA, the law requires that you verify the identity of the requestor. Notably, the consumer is not required to make a verifiable request to the business in order to exercise the right to “opt-out” of the sale of the consumer’s PII.
How to properly verify a CCPA request
The CCPA provides a number of requirements businesses must follow during the verification process. These requirements include the following:
- Consumers must not be required to create an account with the business in order to make a verifiable request;
- In instances where a consumer makes a request to a business that either collects the consumer’s PII or sells or discloses the PII for a business purpose, the CCPA requires the business do the following in order to verify the consumer’s identity:
- Associate the information provided by the consumer in the verifiable request to the PII previously collected by the business about the consumer; and
- PII provided by the consumer within the CCPA request must be used solely for the purpose of verifying the request itself. The business may not use the PII collected under these circumstances for an alternative purpose (e.g. adding their email address to a marketing list).
In addition to the CCPA itself, the draft regulations issued by the California Attorney General offer additional guidance regarding the verification process. Similarly to the CCPA, the regulations require that businesses “match the identifying information provided by the consumer [in the request] to the personal information of the consumer already maintained by the business.” Moreover, the regulations permit businesses to utilize third-party services to verify the identity of the requestor.
In total, the CCPA regulations recommend that businesses consider the following six factors when determining verification methods of consumers’ identities:
- The type, sensitivity, and value of the consumer’s PII. The more sensitive or valuable the information is, the greater the need for a more stringent verification process. Presumptively sensitive information includes the following:
- Social security numbers
- Medical or health information
- Account numbers or credit or debit numbers
- Any risk of harm posed to the consumer by unauthorized access or deletion of the consumer’s PII. The greater the risk of harm posed to the consumer, the greater the need for a more stringent verification process
- The likelihood that malicious actors would attempt to obtain the PII
- The level of robustness of the information provided by the consumer within the request to accurately identify the consumer and prevent fraudulent requests
- The manner in which the consumer and the business communicate
- Any available technology to authenticate the consumer’s identity
Provided that the business cannot identify a reasonable verification process, the business must state this in its response to the requestor. On a yearly basis, businesses must evaluate and document whether a reasonable identification process can be established.
Why verification of the consumer’s identity matters
It has already been broadly discussed as to why businesses must verify disclosure and deletion requests under the CCPA. Requiring businesses to authenticate the identity of the individual making the request serves a dual purpose: 1) it allows businesses to maintain the security, confidentiality, and integrity of the PII they have processed and collected while at the same time complying with legitimate CCPA requests; and 2) it allows consumers to to be confident that their PII will not fall into the hands of malicious actors seeking to obtain their PII via illegitimate means. In short, the verification process allows businesses to honor the privacy requests of consumers while upholding sound information security principles.
Pursuant to honoring CCPA requests, businesses must ensure that they maintain an updated Privacy Policy at all times. This Privacy Policy must accomplish the goal of fully informing consumers of their rights under the CCPA, including their right to request the deletion of collected PII as well as their right to know what PII that the business has collected and sold. Your Privacy Policy must also state how consumers can exercise their privacy rights. To that end, Termageddon’s Privacy Policy generator can help you stay up to date with privacy laws avoid significant fines and lawsuits.