A Guide to Verifying Consumer Requests for CCPA
A business must verify all CCPA right-to-know and deletion requests before fulfilling them, using a reasonable and documented verification method. A business is not, however, required to verify opt-out-of-sale requests. What follows is a summary of the principles needed to design processes for verifying CCPA requests.
General principles for verifying requests
The diligence and methods you use to verify requests should be proportional to the sensitivity of the personal information your business holds about the consumer. For sensitive information such as financial or precise geolocation information, a more robust process is needed than for less sensitive information like shopping history.
You cannot require a consumer to create an account with your service in order to make a request, but if they already have one, you can require them to use it. You also cannot require the consumer to pay any out-of-pocket fees, or if there are fees (e.g., for a notary) you must reimburse them.
Where feasible, do not collect new information from consumers to verify a request, and in particular, avoid asking for identity documents like a driver’s license or passport. If you must collect new information to verify a request, do not use it for any other purpose—either delete it after use or maintain it strictly as part of your CCPA compliance documentation.
You may use a two-step verification process if desired, e.g., emailing a consumer with a link to click in order for them to confirm their request.
How to verify right-to-know requests
Right-to-know requests can take one of two forms under the CCPA: a request for the categories of information you maintain about a consumer, or a request for a copy of the information you maintain about them. For the former, verify two or more data points about the consumer; for the latter, verify three or more data points. For example, you can verify that the person making the request knows the consumer’s name and state of residence and has access to their email address. These three data points may suffice when the information to be disclosed is not very sensitive. For more sensitive information, it may be prudent to verify a full mailing address rather than the state alone, and also a phone number.
Whenever you receive a right-to-know request, per the CCPA, you should obtain a declaration signed under penalty of perjury from the consumer stating that they are requesting information about themselves. Save those declarations as part of your compliance records.
How to verify delete requests
The rules for verifying delete requests track those for verifying right-to-know requests explained above—you should verify two data points, or three data points in the case of more sensitive personal information.
How to verify opt-out requests
CCPA does not require businesses to verify opt-out requests. You are allowed to do so if desired, but any verification process must be simple, with minimal steps for consumers to follow, and you cannot include steps designed to discourage or prevent the consumer from opting out. If you do implement verification procedures and you reasonably believe a request is fraudulent, you are permitted to deny the request, provided you explain your reasoning to the consumer.
What to do if you cannot verify a request