By Procopio Partner and Privacy and Cybersecurity Practice Group Leader Frederick K. Taylor
As we’ve previously reported, the California Attorney General (AG) released draft regulations for the California Consumer Privacy Act (CCPA) on October 10, 2019. We’ve addressed new requirements in the regulations that aren’t explicitly contained in the CCPA, and the notice provisions and requirements for handling consumer requests. In this article we’ll drill down on what businesses need to do to verify the identity of consumers making requests concerning their personal information.
General Rules Regarding Verifying Identity
Under the CCPA, consumers can make requests to businesses to either discover the personal information that a business has collected on them (often referred to as the “right to know”), or to delete that information. The proposed regulations present rules and illustrative guidelines for businesses to verify the identity of the consumer making the request to know or request to delete his or her information.
The regulations require businesses to establish, document and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the person about whom they’ve collected the information. In determining the method for verifying a consumer’s identity businesses are required to, if feasible, match the consumer’s identifying information to information already maintained by the business. In verifying a consumer’s identity, companies must also avoid collecting personal information unless doing so is necessary for verification.
In determining verification methods, businesses must consider the following factors: the type, sensitivity and value of the personal information collected and maintained about the consumer; the risk of harm to the consumer posed by any unauthorized access or deletion; the likelihood that fraudulent or malicious actors would seek the information; whether the personal information provided to verify is sufficiently robust to protect against fraudulent requests or spoofing; the manner in which the business interacts with the customer; and available technology for verification.
Businesses should also avoid requesting additional information unless it is necessary for verification of a consumer attempting to exercise rights under the CCPA. Any new personal information collected for this purpose should be deleted as soon as practicable after processing the consumer’s request.
TO READ MORE AND OUR SUMMARY, PLEASE VISIT OUR WEBSITE (https://www.procopio.com/articles/view/verifying-identity-of-ccpa-requesters)