Locke Lord QuickStudy: Verifying the Verifiable – Considering a “Verifiable Consumer Request” Under the CCPA

You can’t hear it often enough: the California Consumer Privacy Act of 2018  (CCPA)—Cal. Civ. Code § 1798.100 et seq.—comes into effect on January 1, 2020 with enforcement by the Attorney General beginning on July 1, 2020 (6 months after the effective date).  Yes, really.  This broad-sweeping Act does many things, including permitting California consumers* to request information from covered businesses about the California consumers’ personal information collected by said businesses.

Under the CCPA, a California consumer may submit two kinds of verifiable consumer requests to a covered business.  The first type requests that the business provide, for example, the types of personal information collected by the business; the personal information specifically collected by the business; and the identity of entities with which the business shared and/or sold the personal information.  The second type requests that the business delete the consumer’s personal information.  Upon receipt of either kind of request and verification of the identity of the requestor, the business must promptly respond.

Despite giving considerable detail about what may be requested, the CCPA does not provide much explanation of what constitutes a verifiable consumer request or how a business is to verify such a request.  The CCPA defines “verifiable consumer request” as:

[A] request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.

Cal. Civ. Code. § 1798.140(y).  Notably, however, the CCPA identifies only one mechanism for “reasonably verify[ing]” that the request was made by the consumer or by someone authorized to submit such request on the consumer’s behalf, and leaves it to the Attorney General to provide further guidance:  

On or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

*   *   *

Establishing rules and procedures . . . to govern a business’ determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’ authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.

Cal. Civ. Code. § 1798.185(a)(7).  

Covered businesses cannot afford to take a “wait and see” approach to developing internal policies on how to “reasonably verify” a request from a California consumer.  While awaiting specific guidance from the Attorney General, considerations should include, for example:

• types of information to request in order to verify a consumer’s request;
• mode of communication with a consumer regarding the request;
• templates for a consumer to use to make a request based on whether or not the consumer has an online account with the business;
• whether to verify requests in-house or through a third party vendor (and the potential implications of sharing personal information with such a third party); and 
• possible guidance from how requests are already verified for other purposes, including, for example, under the European Union’s General Data Protection Regulation (GDPR). 

We also note that the CCPA allows for up to two requests within a 12-month period to seek identification of information collected over the 12 prior months for which a covered business is required to respond and provide personal information.  We will soon provide a separate QuickStudy on this 12-month “look back” period.

_{* Under the CCPA, a “consumer” is “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”  Cal. Civ. Code 1798.140(g).}