By Dean Short
We are within weeks of the most comprehensive data privacy law ever enacted on U.S. soil coming into effect on January 1, 2020. The California Consumer Privacy Act (or “CCPA”) is sweeping and applies to any company doing business with California consumers. The primary rights granted to California consumers include the rights to know the categories or specific pieces of personal information each company subject to the law has collected or retains about the California consumer and the right to have their information deleted within the statutory periods provided.
Before a company is required to provide access to the personal information it holds or allow the consumer to request deletion of their records, the law provides a safeguard requiring ‘verification’ of the consumer making the request. This requirement protects consumers from falsified requests and alleviates the need for companies to respond to ‘bogus’ requests to access or delete information. The rules related to verification were punted in the original language of the law passed in the summer of 2018 but were fleshed out by the California Attorney General on October 20, 2019, just over two months prior to the law taking effect.
According to the draft regulations introduced by the Attorney General’s office, the term “Verify” means:
“[T]o determine that the consumer making a request to know or request to delete is the consumer about whom the business has collected information.”
Seems straightforward enough. However, the regulations delve into the actual process of verification by adopting a sliding scale of verification requirements depending on the sensitivity of the personal information that each request targets. The new regulations mandate that companies establish rules and methods to verify the identity of the consumer making the request. Instead of a hard-and-fast rule, the CCPA takes a page from the European Union’s GDPR by adopting a reasonableness standard of verification depending on the ‘type, sensitivity, and value of the personal information’ and taking into consideration the ‘risk of harm to the consumer posed by unauthorized access or deletion’ among other factors.
The regulations do, however, prescribe guidelines on the verification process. If the company has a consumer login for ‘account holders’, then the company may use the consumer’s login to a password-protected account to verify the consumer. If the business does not have consumer login functionality, then requests may be verified either by ‘matching’ information provided by the requesting consumer or by a more comprehensive process if the information requested is sensitive, such as credit card, social security or health data.
For less sensitive data, the consumer may request to know either the categories of information or specific pieces of information. For the categories of information, the regulations require a ‘matching’ of at least two pieces of information in order to confirm the identity of the requestor. For specific pieces of information, the regulations use three pieces of information as the threshold in order to ‘match’ a consumer request with records on file. This could mean that the company requires the consumer to provide information that it generally collects from its consumers, such as name, email address and perhaps home address or other identifying information. For requests to delete information, the law requires an assessment by each company of the sensitivity of each type of data requested to be deleted. Companies must be careful, however, as the regulations require that the company not collect more information than is necessary to verify the consumer.
For sensitive data, the law requires a more stringent verification process. For access to or deletion of credit card information, this may mean that the company requires the consumer to provide the three-digit code on the reverse side of the credit card before such records are accessed or deleted. The regulations go so far as to require the company to obtain a signed sworn declaration in the event the consumer requests specific pieces of highly sensitive information.
The verification process is an integral feature of the CCPA, and many companies will struggle to establish a process for verification depending on the types of information that will be regularly requested by California consumers. The CCPA is likely at the forefront of data privacy laws that will expand to other states within the United States in order to offer similar rights to other states’ residents. Fortunately, the law allows, and outright contemplates, the outsourcing of verification requirements to third party providers that may assist companies in understanding and complying with the verification process. Please contact Bear Flag Services for further information to find out how our company may assist your company with compliance with these complex requirements.
Excerpt from CCPA Regulations Article 4. Verification of Requests § 999.323. General Rules Regarding Verification
(a) A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.
(b) In determining the method by which the business will verify the consumer’s identity, the business shall:
(1) Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.
(2) Avoid collecting the types of personal information identified in Civil Code section 1798.81.5(d), unless necessary for the purpose of verifying the consumer.
(3) Consider the following factors:
a. The type, sensitivity, and value of the personal information collected and maintained about the consumer. Sensitive or valuable personal information shall warrant a more stringent verification process. The types of personal information identified in Civil Code section 1798.81.5(d) shall be considered presumptively sensitive;
b. The risk of harm to the consumer posed by any unauthorized access or deletion. A greater risk of harm to the consumer by unauthorized access or deletion shall warrant a more stringent verification process;
c. The likelihood that fraudulent or malicious actors would seek the personal information. The higher the likelihood, the more stringent the verification process shall be;
d. Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;
e. The manner in which the business interacts with the consumer; and
f. Available technology for verification.
(c) A business shall generally avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, and for security or fraud-prevention purposes. The business shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request, except as required to comply with section 999.317.
(d) A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.
(e) If a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to reidentify individual data to verify a consumer request.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, 1798.140, and 1798.185, Civil Code.
 Provided that companies meet the thresholds set forth in the new law.
Dean Short & Bear Flag Services LLC
Dean Short is a Montage Attorney and the founder of Bear Flag Services, LLC, a data privacy focused third party service provider that assists with CCPA and other data privacy law compliance. Mr. Short previously worked at Dykema and Tucker Ellis in Los Angeles before working in-house with Toshiba in Irvine, CA, then starting his own legal practice based in Newport Beach. Mr. Short is proudly a University of San Diego School of Law alumnus.