If a right to know or delete request comes from a consumer’s agent rather than directly from the consumer, you can require the consumer to demonstrate that they’ve authorized the agent in a signed document by asking them to provide you with a copy of it, and you can separately verify the consumer’s identity. If an *opt out* request comes from an agent, you can only require the agent to submit a document signed by the consumer proving the agent is authorized to act on the consumer’s behalf. If a consumer uses opt-out settings in their browser or device, you need to respect those, and you should treat them as direct requests from the consumer. This is a change from current law that generally allows companies to ignore “do not track” settings in operating systems or browsers as long as they disclose this in their privacy policy. 

Under the CCPA, consumers have the right to request information about their household instead of just about themselves. If there’s a password-protected account associated with the household, you can process the requests as per your usual procedures via the account. If there is no related account, then you should only process right to know or delete requests if all household members join in the request, and if you verify the identity of each of them and their status as a household member. If a member of the household is under age 13, obtain parental consent before disclosing household information. Note we’ll review rules for working with children in more detail in part 6 of our agenda.