The CCPA provides detailed guidance about how to verify consumer requests:
- Make the verification process proportionate to the value of the data at issue–in other words, if a consumer requests a copy of more sensitive information such as location history, the process for authenticating the request should be more rigorous than if the request was for a copy of less sensitive data like a music playlist.
- If a consumer has a password protected account with you, you can require them to log in to make the request, but if they don’t have one already, you can’t require them to create one.
- If a consumer without an account makes a right-to-know request for the categories of information you hold about them, you need to verify at least two data points about the consumer, and if they make a request for a copy the actual information you collected, you need to verify at least three data points about them and obtain a declaration signed under penalty of perjury that the information requested is about them and you need to keeps those declarations in your CCPA records.
- For delete requests, verify two or three data points depending on the sensitivity of the information. If you want to use a two-step verification process, for example emailing a consumer a link to click to confirm their delete request, that’s okay to do—just explain that process in your privacy policy.
- Verify consumers without collecting new information if possible, especially sensitive information like government identity documents. If you do collect new information, either delete it after verification or keep it with your CCPA compliance records only, and don’t use it for any other purpose.
- Use reasonable measures to detect identity fraud and to safeguard personal information. If you suspect fraud, don’t comply with a request unless you’re sure it’s genuine.
- If there’s no reasonable way to verify a consumer, you can deny the request and explain why. This could happen for example if someone interacted anonymously with your website–you might still have relevant data in your log files and have no way to match it to the consumer.
- Finally, make sure verifying requests does not require the consumer to pay any out-of-pocket fees, or if there are fees (e.g., for a notary) that you reimburse them.
The CCPA treats requests to opt out of sales differently than request for access to data or to delete data. You are not required to verify opt-out requests. You may do so, but you need to make the process easy for consumers, with minimal steps, and you cannot impose any steps that could impair a consumer’s decision or ability to opt-out.