CCPA Explained: Part 8 - Article 4. Verification of Requests

 Oct 15, 2019 10:00 AM
by Derek Lackey

§ 999.323. General Rules Regarding Verification

A  A business will develop, document and comply with a process to verify the identy of individuals who make a request to know or a request to delete.

B In doing so, the business will:
1 Match the identifying information to the personal information on hand, or use a third party verification services that can do that.
2 Avoid collecting the types of information identified in Civil Code Section 1798.81.5(d) unless required to identify the individual.
3 Consider the following:
a) Sensitive or valuable personal information requires a more stringent verification process. The information identified in the Civil Code Section 1798.81.5(d) should be treated as sensitive data.
b) Consider the risk of harm to the consumer. If it is likely, a more stringent verification process is required.
c) Consider if fraudulent or malicious actors would value this information. The higher the liklihood the more stringent the verification process should be.
d) the information you ask for to verify the consumer - is it robust enough to protect it against fradulent requests or being spoofed or fabricated?
e) the manner in which your business interacts with the consumer.
f) technologies avaiable for the verficiation process.

C Avoid collecting additional information unless needed. If needed a business can ask for more information and it can only be used for the purpose of verification and or security or fraud-prevention. This data should be deleted as soon as possible after processing the consumer request, except as requied in Section 999.317 to prove compliance.

D A business shall use reasonable security measures to detect fraud and protect personal information from unauthorized access.

E A business does not have to respond to requests regarding this information if the business maintains the data in a de-identified format.

§ 999.324. Verification for Password-Protected Accounts

A If a business maintains a password-protected account with the consumer, their identify can be verified through existing authentication practices, as long as Section 999.324 is followed. The consumer must re-authenticate themselves prior to turning over any information.

B If a business suspects fraudulent activity on or from the password protected account, further verficiation is required. The business may use the procedures described in Section 999.325 to further identify the consumer.


§ 999.325. Verification for Non-Accountholders

A If a consumer does not have or cannot access a password-protected account the business should comply with subsections B through G of this section, inadition to 999.323

B Regarding a request to know - A business must verify the consumer is who they say they are, to a reasonable certainty. A reasonable standard is matching 2 data points to the information the business has on hand.

C  Regarding a request to know - A business that requires a higher degree of certainty can request 3 pieces of ID that match the personal information on file for verification purposes with a signed declaration under penalty of perjury, that the consumer is who they say they are. All declarations should be kept on file.

D Regarding a request to delete - the business can use 2 standards to assess the sensitivity of the data - reasonable certainly or a high degree of certainty in order to delete the information requested. For example, deleting a family's photographs requires a high degree of certainty, while deleting their browser history may only require a reasonable degree of certainty. A business is expected to act in good-faith when verifying the consumer and follow the regulations in Article 4 of the CCPA.

E Examples:
(1) If a business maintains personal information in a manner associated with a named actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if the business maintains the consumer’s name and credit card number, the business may require the consumer to provide the credit card’s security code and identifying a recent purchase made with the credit card to verify their identity to reasonable degree of certainty.
(2) If a business maintains personal information in a manner that is not associated with a named actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information. This may require the business to conduct a fact-based verification process that considers the factors set forth in section 999.323(b)(3).

F A business must inform consumers when a request is made or in the business' Privacy Policy, if they cannot verify a consumer based on the information they maintain. An explanation is required and an annual review to see if internal practices can change in order to allow for verification.


§ 999.326. Authorized Agent

A  When a consumer uses an authorized agent to submit a request to know or a request to delete, the business may ask for:
1 the consumers signed permission to do so, and
2 for the consumer to verify their own identity with the business.

B Sub-section A does not apply if the agent can prove power of attorney (Probate Code 4000 to 4465)

C A business can deny a request by an authorized agent if they cannot prove they have been authorized by the consumer to act on their behalf.


CCPA Explained: Article 1 General Provisions - Part 1 - Scope and Definitions

CCPA Explained: Article 2 - Notices to Consumers - Part 2 - Notice at Collection

CCPA Explained: Part 3 The Right to Opt-Out and Offering Financial Incentives

CCPA Explained: Part 4 - Privacy Policy

CCPA Explained: Part 5 - Article 3 -Business Practices for Handling Consumer Requests

CCPA Explained: Part 6 - Article 3 -Business Practices for Handling Consumer Requests

CCPA Explained: Part 7 - Article 3 -Business Practices for Handling Consumer Requests