For businesses, one of the more worrisome scenarios under the CCPA occurs when they mistakenly provide personal information of a consumer to the wrong party in response to a consumer request, whether because of fraud or simple mistake. Because the definition of data breach under the CCPA is very broad, the unauthorized sharing of personal information with the wrong party could theoretically give rise to a civil cause of action with statutory penalties of $100-$750, per consumer. As a result, businesses have been anxiously waiting to see how the proposed Regulations would address the consumer verification process.
The good news for businesses is that the proposed Regulations provide significant detail concerning the verification process, and those details will likely assuage the concerns of many businesses about potential litigation.
As a general matter, the proposed Regulations require that businesses verify consumers wherever possible using personal information collected from the consumer (or use a third-party identification service that complies with same requirements). Businesses should use reasonable security measures to detect fraudulent identity verification procedures and prevent the unauthorized access to or deletion of a consumer’s personal information.
Password Protected Accounts
For password-protected accounts, the proposed Regulations allow businesses to verify the consumer’s identity through its existing authentication practices if those practices are otherwise consistent with the CCPA regulations. Businesses must also require that consumers making requests through password-protected accounts re-authenticate themselves before responding to a deletion or right to know request. If the business believes that there is fraudulent or malicious activity on a password-protected account, it may require additional verification procedures to confirm the consumer request is authentic.
Two-Tier Verification For Non-Password Protected Accounts
The proposed Regulations outline a two-tier verification process for non-password protected accounts. This process requires that businesses verify requests to know categories of personal information to a “reasonable degree of certainty.” To meet this standard, businesses could match two (2) pieces of consumer provided personal information with personal information maintained by the business. For requests to know specific pieces of information, businesses must verify the consumer to a reasonably high degree of certainty, which can be accomplished by matching three (3) pieces of consumer provided personal information with personal information retained by the business. The proposed Regulations provide businesses with discretion for verifying requests to delete, depending on the sensitivity of the personal information. The table below lays this out.
|Abbreviated Right to Know (Categories of Personal Information)||Right to Know Specific Pieces of Information||Right to Delete|
Using information provided by consumer, verification must be to reasonable degree of certainty, which may include matching at least two data points provided by the consumer.
All deletion requests require verification at the time of the request, and re-verification before any data is deleted.
Business may use its discretion, based on sensitivity of data, whether to use two or three-step verification.
E.g., deletion of browsing history may only require reasonable degree of certainty whereas deletion of family photos may require reasonably high degree of certainty.
Using information provided by consumer, verification must be to reasonably high degree of certainty, which may include matching at least three data points provided by the consumer and obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the requests.
The proposed verification process, especially for a right to know specific pieces of information collected about the consumer, sets a high standard—particularly insofar as the proposed Regulations discourage businesses from using sensitive information such as SSN for matching purposes (as discussed below). The declaration envisioned by the proposed Regulations adds an additional hurdle for consumers.
Businesses will have to make a determination of what pieces of personal information to use for matching purposes based on what information they are holding for consumers, and the sensitivity of such information. One likely consequence, however, is that the added verification procedures will reduce the number of verifiable requests to know specific pieces of information as well as requests to delete that businesses must honor. Don’t be surprised if privacy advocates decry the heightened verification procedures in the upcoming Public Comment period.
Shielding Sensitive Data From the Verification and Response Process
The proposed Regulations directly address the concern discussed above about potential civil causes of action stemming from mistakes made during the consumer request process by explicitly prohibiting businesses from providing in response to a request to know the following sensitive information:
- social security number
- driver’s license number
- state identification number
- medical and health information
- financial account number
- account passwords, or
- security questions and answers.
The proposed Regulations, furthermore, prohibit businesses from requesting such information in the verification process “unless necessary.”
The CCPA’s private right of action only applies to unauthorized access and theft, exfiltration or disclosure of personal information as defined under the California breach notification statute—which is notably narrower than the definition of personal information under the CCPA and similar to the sensitive data listed above. The effect of the proposed Regulations, then, is largely to prohibit businesses from unnecessarily collecting or disclosing the kinds of data that might trigger a cause of action under the CCPA in the event of a breach.
Use of Authorized Agents to Make Consumer Requests
The CCPA allows consumers to use authorized agents to make consumer requests, increasing the potential for fraud where tricksters impersonate authorized agents or even use bots to scam businesses into providing consumer information. The proposed Regulations allow businesses to guard against this by requiring that such agents produce a signed authorization from the consumer. Businesses can also require that consumers using agents separately verify their identify to the business to prevent fraud
Requirements Where a Business Cannot Verify a Consumer
The use of a categorical disclosure may be particularly useful for a business that receives requests to know from website visitors who do not have accounts open with the business and otherwise haven’t provided any other information that the business can use to verify their identity.