What is a Verifiable Request under the CCPA?
Businesses are required by the California Consumer Privacy Act (CCPA) to provide consumers with information after they have made a verifiable request. A business must not provide information if it cannot verify that the consumer making the request is the consumer about whom the business has collected information. So what does a business need to do under the law to verify consumer requests?
The verification of these requests is an extremely important aspect of the law. After all, the purpose of the law is to prevent unauthorized disclosures of personal information. If anyone can now get a person’s information by requesting it through the CaCPA, then the law will have failed in its primary purpose.
Many of the rules needed to answer this question have not been written yet. Paragraph 7 of subdivision a of Section 1798.185 in the CA Consumer Privacy Act authorizes the Attorney General to make regulations concerning the steps that a business must take in order to verify a request.
The text of the law authorizes the Attorney General to establish rules and procedures “to govern a business’ determination that a request for information received by a consumer is a verifiable request”. For example, should businesses be able to assume that a request submitted through a password-protected account maintained with the business by the consumer is sufficient to consider it reasonably verified? How will businesses allow users without an account to request information, and how will they verify that the requester is the same person about whom the business collected information?
The answers to these questions will be set out in regulations to be issued by the Attorney General on or before January 1, 2020. The law requires the CA AG to solicit broad public participation concerning the regulations to be adopted between now and then.
It is worth noting that a consumer does not need to make the request themselves, which could pose part of the problem for businesses verifying the requests. Requests may also be made by individuals who are authorized by the consumer to act on their behalf. The law authorizes the Attorney General to issue regulations concerning the procedures for an opt-out request from a person authorized by the consumer. Part of the law suggests that this person may have to register with the Secretary of State, but we will find out more as the Attorney General issues regulations.
How does the GDPR handle identity verification?
Recital 64 of the European Union General Data Protection Regulation tells controllers to use all reasonable measures to verify the identity of a data subject requesting access.
Some of the best practices for identification from GDPR involve:
– Don’t make it too difficult to exercise rights by creating unreasonable requirements.
– Don’t gather data that is more sensitive than the data that is the subject of the request.
– Don’t ask for standard ways of verifying identity such as government-issued documents.
– Try to use the same method of authentication as when you received the data.
– Try to verify the data subject’s knowledge of information that they already gave to you.
We will closely follow the issue of how to verify consumer requests under the California Consumer Privacy Act between now and 2020. We welcome you to stop back later to see the progress made by the California Attorney General in issuing regulations governing this and other areas of business. In the meantime, we welcome you to review the rest of our CaCPA privacy coverage:
Learn more about California’s new law:
Right of Access in CCPA
CCPA Right to Delete
Applying the 9 CCPA Exemptions to Deletion Requests
GDPR Right of Access Under Article 15
Right to Rectification (Correction) Under GDPR Article 16
GDPR Right to Erasure Under Article 17
Right to Data Portability under GDPR Article 20
Data Subject Access Request Management Tools and Procedures
Individual Rights Manager Software
Legal Obligation Exceptions to the CCPA Right to Delete
Internal Use Exceptions to the CCPA Right to Delete
Research Exception to the CCPA Right to Delete