As we’ve previously reported, the California Attorney General (AG) released draft regulations for the California Consumer Privacy Act (CCPA) on October 10, 2019. We’ve addressed new requirements in the regulations that aren’t explicitly contained in the CCPA, and the notice provisions and requirements for handling consumer requests. In this article we’ll drill down on what businesses need to do to verify the identity of consumers making requests concerning their personal information.

General Rules Regarding Verifying Identity

Under the CCPA, consumers can make requests to businesses to either discover the personal information that a business has collected on them (often referred to as the “right to know”), or to delete that information. The proposed regulations present rules and illustrative guidelines for businesses to verify the identity of the consumer making the request to know or request to delete his or her information.

The regulations require businesses to establish, document and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the person about whom they’ve collected the information. In determining the method for verifying a consumer’s identity businesses are required to, if feasible, match the consumer’s identifying information to information already maintained by the business. In verifying a consumer’s identity, companies must also avoid collecting personal information unless doing so is necessary for verification.

In determining verification methods, businesses must consider the following factors: the type, sensitivity and value of the personal information collected and maintained about the consumer; the risk of harm to the consumer posed by any unauthorized access or deletion; the likelihood that fraudulent or malicious actors would seek the information; whether the personal information provided to verify is sufficiently robust to protect against fraudulent requests or spoofing; the manner in which the business interacts with the customer; and available technology for verification.

Businesses should also avoid requesting additional information unless it is necessary for verification of a consumer attempting to exercise rights under the CCPA. Any new personal information collected for this purpose should be deleted as soon as practicable after processing the consumer’s request.

The new regulations also require that businesses implement reasonable security measures to detect fraudulent verification activities. If a business suspects fraud or malicious activity, it cannot comply with the consumer’s request until further verification procedures help it determine that the request is authentic.

Working With Consumers That May or May Not Have a Password-Protected Account

If a business has a password-protected account with the consumer it can use its existing authentication practices for verification, provided it also re-authenticates the consumer’s identity before disclosing or deleting the consumer’s data.

If, on the other hand, a business doesn’t have a password-protected account, the requirements for verification are varied depending upon the sensitivity of the personal information being requested to know or delete. If the request to know only involves categories of data, then the business is required to verify identity to a reasonable degree of certainty. This can be achieved by matching two reliable data points with the consumer. If the request to know involves specific pieces of personal information a more exacting standard applies. The business is required to verify identity to a reasonably high degree of certainty. This can be achieved by matching three reliable data points with the consumer and obtaining a sworn declaration from the consumer confirming he or she is making the request.

It is clear from the draft regulations that requests to delete will require businesses to exercise both caution and judgment. Where a request to delete concerns sensitive personal information, a business must evaluate the degree of certainty it will use when verifying a consumer’s identity. Thus, for example, a request to delete family photographs should require more stringent verification than a request to delete a browsing history. Further, a business must act in good faith when determining how to verify a request.

If a business cannot reasonably verify the identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified. If the business can’t verify identity for any of the consumers it has information about, it’s required to state that in its privacy policy and, on a yearly basis, evaluate and document whether a method can be established to cure the verification issue.

Summary

Overall, the proposed regulations on verification will allow enforcement of the new statutes on verification of requests to know and to delete under the CCPA and provide details and practical guidance on what’s expected of businesses in the verification process.

The AG will be taking public comments on these regulations until December 6, 2019.