The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and will go into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them or, in some situations, request that the information they provided to a company be deleted. Whether or not your practice involves regular questions of privacy law, your clients may be asking you about the CCPA. By keeping data minimization objectives in mind and not over-thinking compliance obligations, verifying the identity of a data requestor may be straightforward.
The ability to control how one’s data is used is a cornerstone of the CCPA. However, this puts a burden on a business to ensure that only a “verified” consumer accesses the requested data and to avoid acting on fraudulent requests. To access or delete information, a consumer must submit a “verifiable consumer request.” While the term implies that a business must take steps to “verify” the individual making the request, the CCPA does not specify what steps it considers sufficient (or inadequate) to accomplish the verification.
With little to go on, a business might be tempted to act over-cautiously and require more information than is actually necessary to verify identity. With data minimization principles in mind, it is important to recognize the privacy risks to avoid. Don’t over-reach: avoid obtaining more sensitive or potentially harmful information than is necessary to complete the request, and avoid asking for sensitive documents such as a passport.
A good rule of thumb is to use the same method that was used to gather the data in the first place. For example, suppose your client operates a consumer website and users must register with a username and password. Ask the requestor to provide that username and password to verify. If two-factor authentication was used, challenge the requestor using the same method. Don’t ask for a driver’s license.
If a client is asking for additional resources on how to implement policies and procedures, it is useful to look to industry-standard references, such as NIST. A good (but technical) explanation can be found in NIST’s guidelines on verifying identity. If this is too technical, a client should work with a consultant who can explain the framework. One valuable upside is that if a business is required to respond to a regulator or litigant, the business can point to its use of the industry standard as a reasonable basis for its compliance efforts.
Are you tasked with advising a client how to craft a CCPA policy or procedure? There is no requirement that companies create a written policy for processing requests. If a company chooses to create an internal policy or procedure for handling data access and deletion requests, the following four topics are relevant:
- Data subject verification. Before taking any action, a company should verify that the individual who submitted the request is the individual to whom the data belongs. How identity is verified depends upon the type of data maintained. Remember, if the requestor signed up with a username and password, use these to verify.
- Communications. A business must respond to a requestor, even if the response is a denial. To streamline a timely response, a company may choose to create template communications and procedures.
- Evaluating the request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure. If a request is refused, reply with a reason and set out the requestor’s options (for example, a regulator or a court).
- Completing a request. Upon verification of the identity of a requestor and a determination that a deletion request should be granted, a business can include instructions for the technical steps that should be taken in order to erase a requestor’s information.
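As an added illustration (not from the article), the following Python sketch applies the rule from the paragraph and list above: the requestor is challenged only with the factors enrolled at registration (the password, and a one-time code only if the account already uses two-factor authentication), and the resulting verification record holds the outcome but no submitted secrets and no identity documents. The account record, user names and the TOTP secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example record: only what the site already collected at registration.
@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None  # present only if the user enrolled in 2FA

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

def make_account(username: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), totp_secret)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Verifier-side TOTP (RFC 6238, HMAC-SHA1) for the time step containing for_time."""
    mac = hmac.new(secret, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_request(account: Account, password: str, totp_code: Optional[str] = None,
                   now: Optional[int] = None) -> dict:
    """Challenge the requestor with exactly the factors they enrolled; record the outcome only."""
    now = int(time.time()) if now is None else now
    record = {"username": account.username, "factors_checked": [], "verified": False}
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        record["reason"] = "password mismatch"
        return record
    record["factors_checked"].append("password")
    if account.totp_secret is not None:  # step up only because the user already uses 2FA
        if totp_code is None:
            record["reason"] = "second factor required"
            return record
        # Accept the adjacent time steps too, so clock drift does not reject a legitimate consumer.
        if not any(hmac.compare_digest(totp(account.totp_secret, now + d * 30).encode(),
                                       totp_code.encode()) for d in (-1, 0, 1)):
            record["reason"] = "second factor mismatch"
            return record
        record["factors_checked"].append("totp")
    record["verified"] = True  # no identity documents requested; no secrets kept in the record
    return record

if __name__ == "__main__":
    acct = make_account("alice", "correct horse battery", b"12345678901234567890")
    print(verify_request(acct, "correct horse battery", totp(acct.totp_secret, int(time.time()))))
```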
For clients implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, meeting the requirement to verify the requestor’s identity (and reducing the risk of complying with a fraudulent request) can present a challenge. However, with data minimization objectives in mind, using verification methods that make sense in the context of the requestor’s data may reduce some of the burden of verifying the identity of a data requestor.
FOR EDUCATIONAL PURPOSES ONLY. NOT LEGAL ADVICE.