Aptible’s CCPA Compliance Guide provides a useful overview of what CCPA compliance means for startups, and this blog post complements it by diving into a central topic of the CCPA: consumer-request verification. The CCPA is pretty specific about how you should verify the identity of a requester, and in this blog post we’ll outline the various ways in which you can verify a consumer’s identity.
Let’s start at the very beginning. There is one general CCPA requirement you need to keep in mind: Your business needs a “reasonable” process for verifying that the individual making a request of your organization actually is the individual they claim to be. That’s it. You need a “reasonable” method of confirming that people are who they say they are. And this general rule applies whether you receive a request to access information or a request to delete data.
This might sound easy, but a lot of companies fail to verify requests properly, which could lead to legal exposure. (Check out this BlackHat presentation on how one research was able to “hack” the GDPR verification requirement and obtain lots of data about someone else--his spouse!) The bottom line is that getting this right matters.
As outlined in our CCPA Compliance Guide, the CCPA gives consumers a number of rights related to their data. These include the right to know (what information does the business have about me?), the right to delete (please erase all the information you have about me), and others.
The rights to know and delete are particularly important because businesses do not have to comply with all requests to disclose and delete. If that were the case, anyone could request information about anyone else! Instead, businesses only need to comply with verifiable consumer requests to know and delete if you can verify the identity of the requester, and confirm that the requestor is seeking information about their own data.
So in order to verify requests, you need to design a method to “reasonably” verify identities. In adopting a specific verification method (or, in all likelihood, a collection of verification methods), the CCPA regulations describe four categories of actions and principles you must execute or follow in all cases:
Information Matching. When possible, you must match the identifying information the consumer supplies in their request with the information your business currently has on the same consumer (alternatively you can use a third-party verification service to verify this on your behalf).
Only Collect Necessary Information. You must avoid collecting certain kinds of personal information -- such as a name in combination with a social security number, or an email address or username in combination with a password or security question and answer -- not required for the goal of verifying a consumer’s identity.
Relatedly, you must generally avoid requesting new information from the requester unless you need additional information to verify the requester’s identity. You must only use this additional information for verification purposes and must delete it as soon as possible after you have processed the consumer request.
Think About These Things. You must consider the following variables as you define your verification process:
The type, value, and sensitivity of the information the business collects and maintains on the consumer (if the data is valuable or sensitive, you must adopt a more stringent verification process -- more on that below)
The risk of harm posed by an unauthorized access or deletion of the data
The odds that a fraudulent or bad actor would attempt to access the information
Whether the information the consumer supplies for verification-purposes is sufficient for guarding against fraudulent requests (i.e., is the information the business requests that the requester provide something only the actual individual might know or have access to?)
The way in which your business already interacts with the consumer
All available technology you could use for verification purposes.
Reasonable Security Standards. You must maintain reasonable security measures designed to detect fraudulent requests and to prevent the unauthorized access or deletion of consumer data.
If your business already maintains password-protected accounts for your consumers, then you can use the existing account authentication process to verify the requesting consumer’s identity -- but only so long as you abide by all the rules that apply generally to verification, all of which are outlined above. If you suspect that the requester’s attempt to authenticate their identity using the existing account is a fraudulent effort, then you must not comply with the request until you take additional steps to verify the requester’s identity.
If you do not have a password-protected account with the consumer (or the consumer cannot access the account), then verification gets a little tricky, and how you verify the requester’s identity hinges on the type of request (i.e., whether it’s a request for access to or deletion of information) as well as the kind of data. Here are some general guidelines:
If a consumer without a password-protected account requests access to the categories of personal information you have collected about them, then you need “a reasonable degree of certainty” that the requester is who they say they are. That’s a relatively low bar, and it makes sense because if someone is requesting just the categories or kinds of information your business collects, then the stakes might not be particularly high in the event of an unauthorized disclosure of information. There certainly could be damage, but it’s likely to cause less harm than other information disclosures.
The “reasonable degree of certainty” standard can be met by matching at least two data points provided by the consumer with data points the business already has about that requesting consumer.
If a consumer without a password-protected account requests access to specific pieces of information your business has collected about them, then you need “a reasonably high degree of certainty” that the requester is who they say they are. Again, this makes sense because if you accidentally provide specific pieces of information about an individual to an unauthorized party, the prospect of harm is higher than if you share only categories of information collected.
The “reasonably high degree of certainty standard” can be met by matching at least three requester-provided data points with three data points you already maintain on the consumer.
If a consumer without a password-protected account requests that you delete their data, then you need to decide whether to apply either a “reasonable degree of certainty” standard or a “reasonably high degree of certainty” standard -- this decision depends on the kind of data that would be deleted. In particular, the standard should slide from a “reasonable degree” to a “reasonably high degree” based on the sensitivity of the data and prospect of harm if there is an unauthorized deletion of the data.
That’s a lot of pressure to pick the standard yourself, but the CCPA only requires that you “act in good faith when determining the appropriate standard to apply” in a given case. If you’re unsure what to do, reach out to a lawyer for support.
That’s an overview of what’s required in order to verify consumer identities. You should speak with an attorney to determine what specific approach might be best for you, but this is what you need to know to get started. If you’re interested in learning more about obtaining CCPA compliance, head over to our full guide on the topic.