Handling Consumer Verification under the CCPA Proposed Regulations
The California Consumer Privacy Act (“CCPA” or “the Act”) requires a business, upon a request from a consumer, to disclose personal information that it has about the consumer (“request to know”), as well as to delete personal information collected from the consumer. The verification of these requests is an extremely important aspect of the new law. After all, one of the main purposes of the CCPA is to prevent unauthorized disclosures of personal information.
The Act authorizes the California Attorney General to establish rules and procedures “to govern a business’ determination that a request for information received from a consumer is a verifiable request.” Cal. Civ. Code § 1798.185(a)(7). In accordance with this mandate, the proposed California Consumer Privacy Act Regulations (“Draft Regulations”) issued by the California Attorney General on October 10, 2019 set forth detailed guidance on handling consumer verification under the Act.
The authentication of a verifiable consumer request requires that businesses establish strong documented processes and procedures to ensure that the personal information of the business’ customers are protected while the business operates in the CCPA compliance.
General Rules Regarding Verification
The Draft Regulations require that a business establish, document, and comply with a reasonable method for verifying that a person making a request to know or a request to delete is the consumer about whom the business has collected information. See Draft Regs. § 999.323(a). These requests could be submitted directly by a consumer or by an authorized agent acting on the consumer’s behalf. Id. § 999.326.
Requests to opt-out of sale of personal information, unlike requests to know and requests to delete, do not need to be verified. See Draft Regs. § 999.315(h). Also, a business that maintain de-identified consumer information does not have to provide or delete the de-identified information in response to a consumer request, nor is it required to re-identify individual data to verify the request. See Draft Regs. § 999.323(e).
The Draft Regulations require that a business should:
– Whenever feasible, match the identifying information provided by the consumer to information already maintained by the business, or use a third-party identity verification service. See Draft Regs. § 999.323(b).
– Avoid requesting additional information from consumers for purposes of verification. If this is not possible, request additional information but use it only for purposes of verification, security, and fraud prevention, and delete any newly collected information as soon as practical after processing the consumer’s request. Id. § 999.323(c).
– Avoid collecting sensitive personal information such as social security numbers, driver’s license numbers, account numbers, credit card numbers (in combination with security code, access code, or password), medical information, or health insurance information, unless necessary for the verification purposes. See id. § 999.323(b).
Businesses must consider a variety of factors in determining a reasonable verification method, including the type, sensitivity, and value of the personal information; the risk of harm posed by unauthorized access or deletion; the likelihood that fraudulent or malicious actors would be seeking the information; whether the information can be spoofed; the manner in which the business interacts with the consumer; and available technology for verification. See Draft Regs. § 999.323(b)(3).
Businesses must also implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information. See Draft Regs § 999.323(d). Even though a request to opt-out of sale does not require a verification, a business may deny the request if it has a good-faith, reasonable, and documented belief that the opt-out request is fraudulent. Id. § 999.315(h).
Verification for Password-Protected Accounts
If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through its existing authentication practices for the consumer’s account, provided that it follows the General Rules Regarding Verification requirements. See Draft Regs § 999.325(a). In this case, the business must authenticate the consumer twice: (1) first, at the time of the request; and (2) second, before disclosing or deleting the data. Id. Presumably, if the consumer is already logged into the account when time she makes the request, then the business would only need to authenticate the consumer before the disclosure or deletion.
If the business suspects malicious or fraudulent activity on or from a password-protected account, the business should not comply with the request until further verification procedures establish the identity of the consumer.
Verification for Non-Account Holders
When the consumer does not have or cannot access a password-protected account, the required authentication procedure depends on the type of the request and the nature of the requested information (see Draft Regs. § 999.325(b)-(d)):
– Compliance with a request to know categories of personal information requires that a business verify a consumer’s identity to a reasonable degree of certainty. This may include matching at least two data points provided by the consumer to data points maintained by the business.
– Compliance with a request to know specific pieces of personal information requires that a business verify a consumer’s identity to a reasonably high degree of certainty. This may include matching at least three data points provided by consumer to data points maintained by the business + a signed declaration under penalty of perjury that the requestor is the consumer at issue. Businesses must keep signed declarations a part of their record-keeping requirements.
– Compliance with a request to delete may require that a business verify a consumer’s identity to a reasonable or reasonably high degree of certainty depending the on sensitivity of information and the risk of harm posed to the consumer from unauthorized deletion.
If a business maintains personal information in a manner associated with a named actual person, the business may verify a consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. See Draft Regs. § 999.325(e)(1).
If a business maintains personal information in a manner that is not associated with a named actual person (for example, where a website collects consumers’ IP addresses), the business may verify a consumer by requiring the consumer to demonstrate that they are the sole consumer associated with a non-name identifying information. See Draft Regs. § 999.325(e)(2).
If there is no reasonable method by which a business can verify the identity of a consumer to a degree of required certainty, the business shall state so in a response to the consumer request. If the business cannot verify the identity of any consumer whose personal information the business holds, the business should state so in its privacy policy. The business must also explain why it has no reasonable method by which it can verify the identity of the requestor and is required to assess every year whether such a method can be established. See Draft Regs. § 999.325(f).
Verification of Requests Submitted by Authorized Agents
When a consumer uses an authorized agent to submit a request to know or a request to delete, a business has discretion to require written proof of authorization and verification of identity directly from the consumer and may deny the request from the agent who does not submit proof of authorization. See Draft Regs. § 999.326.
Verification for Purposes of Opt-In to Sale of Personal Information by Minors
A business that has actual knowledge that they collect and maintain personal information of children under the age of 13, must establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is required in addition to any verifiable parental consent required by the Children’s Online Privacy Protection Act. See Draft Regs. § 999.330.
Such reasonable methods include:
– providing consent form to be signed by parent or guardian under penalty of perjury;
– requiring a parent or guardian, in connection with a monetary transaction, to use a credit or debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
– having a parent or guardian call a toll-free number staffed by trained personnel, or connect to trained personnel via video-conference, or communicate with trained personnel in person;
– verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information.
Businesses reviewing the Draft Regulations should be mindful that they are not final and remain subject to change. The publication of the Draft Regulations commenced a public comment period that will continue through December 6, 2019. The Attorney General will also hold public hearings in early December in Sacramento, Los Angeles, San Francisco, and Fresno that will provide public an opportunity to present statements or comments with respect to the Draft Regulations. The final regulations are expected to be published by July 1, 2020.
Looking for Help? Get started on our CCPA guide.