The Challenge Under CCPA of Verifying the Identities of Consumers Making Personal Data Requests
By Procopio Partner and Privacy and Cybersecurity Practice Group Leader Frederick K. Taylor
As we’ve previously reported, the California Attorney General (AG) released draft regulations for the California Consumer Privacy Act (CCPA) on October 10, 2019. We’ve addressed new requirements in the regulations that aren’t explicitly contained in the CCPA, and the notice provisions and requirements for handling consumer requests. In this article we’ll drill down on what businesses need to do to verify the identity of consumers making requests concerning their personal information.
General Rules Regarding Verifying Identity
Under the CCPA, consumers can make requests to businesses to either discover the personal information that a business has collected on them (often referred to as the “right to know”), or to delete that information. The proposed regulations present rules and illustrative guidelines for businesses to verify the identity of the consumer making the request to know or request to delete his or her information.
The regulations require businesses to establish, document and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the person about whom they’ve collected the information. In determining the method for verifying a consumer’s identity businesses are required to, if feasible, match the consumer’s identifying information to information already maintained by the business. In verifying a consumer’s identity, companies must also avoid collecting personal information unless doing so is necessary for verification.
In determining verification methods, businesses must consider the following factors: the type, sensitivity and value of the personal information collected and maintained about the consumer; the risk of harm to the consumer posed by any unauthorized access or deletion; the likelihood that fraudulent or malicious actors would seek the information; whether the personal information provided to verify is sufficiently robust to protect against fraudulent requests or spoofing; the manner in which the business interacts with the customer; and available technology for verification.
Businesses should also avoid requesting additional information unless it is necessary for verification of a consumer attempting to exercise rights under the CCPA. Any new personal information collected for this purpose should be deleted as soon as practicable after processing the consumer’s request.
The new regulations also require that businesses implement reasonable security measures to detect fraudulent verification activities. If a business suspects fraud or malicious activity, it cannot comply with the consumer’s request until further verification procedures help it determine that the request is authentic.
Working With Consumers That May or May Not Have a Password-Protected Account
If a business has a password-protected account with the consumer it can use its existing authentication practices for verification, provided it also re-authenticates the consumer’s identity before disclosing or deleting the consumer’s data.
If, on the other hand, a business doesn’t have a password-protected account, the requirements for verification are varied depending upon the sensitivity of the personal information being requested to know or delete. If the request to know only involves categories of data, then the business is required to verify identity to a reasonable degree of certainty. This can be achieved by matching two reliable data points with the consumer. If the request to know involves specific pieces of personal information a more exacting standard applies. The business is required to verify identity to a reasonably high degree of certainty. This can be achieved by matching three reliable data points with the consumer and obtaining a sworn declaration from the consumer confirming he or she is making the request.
It is clear from the draft regulations that requests to delete will require businesses to exercise both caution and judgment. Where a request to delete concerns sensitive personal information, a business must evaluate the degree of certainty it will use when verifying a consumer’s identity. Thus, for example, a request to delete family photographs should require more stringent verification than a request to delete a browsing history. Further, a business must act in good faith when determining how to verify a request.
Overall, the proposed regulations on verification will allow enforcement of the new statutes on verification of requests to know and to delete under the CCPA and provide details and practical guidance on what’s expected of businesses in the verification process.
The AG will be taking public comments on these regulations until December 6, 2019.
Frederick K. Taylor is a Partner at Procopio and the leader of its Privacy and Cybersecurity Practice Group. He represents clients in a wide variety of industries including high technology, Internet and electronic commerce, financial institutions, chemical companies, public entities and Native American tribes. Fred’s practice focuses on litigation in the areas of intellectual property, privacy and cybersecurity, financial institutions, complex commercial disputes, environment enforcement defense and Native American issues. He has served as First Chair in multiple jury trials, bench trials, arbitrations, mediations and appellate matters. Fred is licensed to practice in all California Courts, the Ninth, Eleventh and Federal Circuit Courts of Appeal, and multiple Federal District Courts including Texas, Florida and Illinois.