OneTrust Pro Tips: Verifying CCPA Consumer Requests

Featured Image

You’ve heard it before, and you’ll hear it again: the California Consumer Privacy Act (CCPA) is now in effect and will be enforced by the California Attorney General on June 1, 2020.

The CCPA provides California residents with a new set of privacy rights and requirements, allowing California consumers to request information from covered businesses regarding the collection of their personal information (i.e., the right to know or access). As small and mid-size businesses receive more consumer privacy requests to know or delete, they must verify the identity of the consumer making the request to move forward on fulfillment. As a result, growing businesses need to establish a reasonable method of verification.

Here’s a breakdown of what a “verifiable consumer request” is, how to verify requests, and how your SMB can implement reasonable verification methods with OneTrust Pro.

What is a “Verifiable Consumer Request”?

Under the CCPA, businesses are required to verify consumers for requests to know, access, or delete personal information.  The California Attorney General’s Modified Regulations (the “Regulations”) defines the term “verify” as confirming that the person making a request to know or delete is the consumer tied to the personal information the business has collected or is the parent or legal guardian of that consumer who is less than 13 years of age. Furthermore, the law defines a “verifiable consumer request” as:

A “request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, according to regulations adopted by the Attorney General under paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”

For small business owners and their privacy teams to successfully verify a consumer request, they must establish, document, and comply with a reasonable method for verifying consumers. However, in light of these requirements, guidelines for verifying consumers aren’t entirely clear.

The CCPA empowers the California State Attorney General to set rules on how businesses must establish a reasonable verification method. So far, the Attorney General has released proposed regulations, which are not yet finalized. But once they are, these regulations will help to clarify how to verify requests to know and to delete, including how to verify requests made via password-protected accounts and requests from non-accountholders.

How Can Small Businesses Verify Consumer Requests?

Since the CCPA offers limited guidance regarding request verification, small and mid-size privacy teams often face challenges determining the method by which they should verify a consumer’s identity. For example, although minimal, the CCPA provides the following guidelines for verifying right to know requests :

  • Businesses may require consumer authentication that is reasonable depending on the nature of the personal information requested
  • Businesses may require consumers to submit requests through an existing account with the business if they have one. However, businesses may not obligate consumers to create an account if they do not have one.
  • Businesses need to associate the information provided in the request to any of the consumer’s personal information previously collected by the business

Fortunately, the Regulations provide greater clarity on verification procedures. The Proposed Regulations set forth basic rules that businesses must follow, which include:

  • Avoiding the collection of sensitive personal information, unless necessary for verification
  • Tailoring verification methods based on sensitivity, risk of harm, vulnerability, consumer interactions, and available technology
  • Ensuring third-party verification services are CCPA compliant
  • Documenting compliance with verification requirements
  • Concealing specific pieces of personal information if unable to verify the consumer
  • Matching personal information from the request to the consumer’s existing personal information maintained by the business
  • Choosing whether to disclose categories of personal information if unable to verify the consumer
  • Denying a deletion request if unable to verify the consumer

Although these Regulations have helped to provide some context around verification procedures, some growing businesses may still be unsure of their options. The Regulations group verifiable requests  into two groups:

  • requests submitted via a registered password-protected online account and;
  • requests submitted via a non-registered account.

Depending on their capabilities, small and mid-size privacy teams can implement one, or both, of these verification methods.

Verification of Password-Protected Accounts

Based on how businesses set up their intake methods, individuals may have the option to submit a consumer rights request through a password-protected account. In this case, verification is simple and easy. Businesses can simply leverage their existing authentication systems and practices to verify requests from account holders. This stands as long as they follow the Regulation’s specific rules and re-authenticate the consumer before completing the request.

Verification of Non-Account Holders

This is where verification can get challenging and complicated, especially for SMBs.

For non-account holders, the Regulations outline specific verification requirements for businesses based on the right the consumer is exercising, the level of sensitivity, and the risks associated with the request.

  • For a request to know the categories of personal information collected, businesses must verify a consumer’s identity by includes matching at least two reliable data points from the consumer’s request with information maintained by the business.
  • For a request to know specific pieces of personal information, businesses must verify a consumer’s identity by matching at least three reliable data points from the consumer’s request with the information maintained by the business. This also includes obtaining the consumer’s signed declaration under penalty of perjury to further confirm that the requestor is the consumer.
  • For a request to delete personal information, businesses must verify a consumer’s identity to a reasonable or reasonably high degree of certainty based on the information’s level of sensitivity and the level of risk of harm to the consumer. However, before complying, businesses must require consumers to re-verify themselves.

Household Information & Parent Verification for Minors.

The Regulations also impose a particular set of procedures for requests to access or delete household information or minors’ personal information.

For households with consumers that have password-protected accounts, businesses may process requests to know or delete through that account, per the Regulations. For households without a password-protected account, businesses may omit certain information about the household or delete personal information unless:

  • All consumers of the household jointly request access or deletion
  • The business individually verifies each consumer
  • The business verifies that each consumer is currently part of the household

The Regulations also require businesses to obtain verifiable parental consent when honoring consumer rights requests from parents on behalf of a minor under the age of 13. This involves implementing a parental verification process that is reasonable and calculated to ensure the requestor is, in fact, the minor’s parent or guardian.

A few ways for small and mid-size privacy teams to verify a parent include:

  • Instructing a parent or guardian to sign and return a consent form under penalty of perjury
  • Allowing a parent or guardian to verify their identity with trained personnel via a toll-free telephone number, video conference, or in-person
  • Cross-checking (and then immediately deleting) a form of government-issued identification against databases of the same information

Verifying Requests Submitted by Agents.

Last, but not least, businesses should expect to receive consumer rights requests submitted by authorized agents. These agents are given the authorization to exercise consumer rights and submit requests but must be registered with the California Secretary of State to do business in California and exercise privacy rights on behalf of the consumer.

Under the Regulation, if a business receives a right to know or right to delete request from an authorized agent, they can require the consumer to give the agent signed permission to carry out the request. Alternatively, the consumer can also choose to verify their own identity, or directly confirm with the businesses that they authorized the agent to submit the request. However, if an agent can provide proof of authorization then the businesses cannot require the consumer to complete those tasks.

Due to the limited time, resources, and technology available to small and mid-size privacy teams, implementing a reasonable method of verification can be a long-term project from start to finish. As a result, they often won’t have a way to implement a reasonable verification method or are unable to verify a request to the appropriate level of reasonable certainty. In this case, until privacy teams have a fully developed and documented verification process, it’s best practice for them to explain why there is no reasonable verification method within the privacy policy. Additionally, to ensure growing businesses meet CCPA requirements, they should proactively incorporate these methods into their privacy program.

How OneTrust Pro Can Help You!

Among the many privacy compliance challenges facing growing businesses, verifying a consumer’s identity is top of the list for small and mid-size privacy teams trying to comply with CCPA consumer rights requests. With OneTrust Pro for CCPA, small and mid-size privacy teams can implement and support multiple identity verification methods required to fulfill CCPA requests, including email and phone verification, known customer information, and account sign-up authentication. Using CCPA-compliant tools, growing businesses can simplify and streamline verification by enabling consumers to provide the required information and evidence needed to verify their identity and proof of residents, as well as integrate with ID verification technology.

The CCPA makes it clear that businesses are required to comply with consumer privacy requests upon verification, and it’s crucial that growing businesses do not overlook this requirement. SMB privacy teams should proactively incorporate an ID validation process in their privacy program and consider CCPA compliant solutions that are simple, automated, efficient. Get started on your CCPA compliance journey today with OneTrust Pro!

Onetrust All Rights Reserved