The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.
An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.
A “verifiable consumer request” is defined by the CCPA as “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.” (Emphasis added.)
The IAPP article notes that this requirement (and the current lack of clarity around it) poses a significant threat to businesses that do not establish robust practices to verify the identities of requestors: a business without such practices risks handing personal information to unauthorized third parties through fraudulent requests.
As support, the IAPP authors point to a recent research experiment that found that certain companies responded to requests made under a similar GDPR requirement after receiving only basic identification documentation that could be easily counterfeited. In other words, hackers and fraudsters could potentially take advantage of this requirement to obtain personal information from businesses that are simply seeking to comply with their legal obligations.
Notably, the researchers found that larger or regulated businesses tend to have stronger identity verification practices. The insight from this finding, as discussed by the IAPP article, is that businesses that invest in antifraud, know-your-customer, and similar verification programs will likely have better success in identifying fake requests.
Therefore, while implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, it is important for businesses not to overlook the requirement to verify the requestor’s identity and the risk that this requirement presents. Businesses should consider strong verification programs similar to those employed by regulated entities, such as the financial services industry. In addition, business teams should consider the contractual and risk implications if the process for verifying requestor identities is performed by a third-party provider.
Be sure to visit Morgan Lewis’s CCPA resource center to stay up to date on important CCPA developments.