How to Comply With the CCPA’s “Reasonable Verification” Requirement

CCPA Compliance: About "Right To Know"
If you have customers in California, you are probably familiar with the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. Because the state is a market of nearly 40 million people, many businesses are choosing to comply even if they do not yet have customers in California.

The CCPA is designed to better protect the collection, storage, and sharing of consumers' personal information. This article provides a quick overview and then focuses on the “reasonable verification” requirement that applies when a California consumer exercises the new “Right to Know” or “Right to Be Forgotten”.

Compliance with CCPA Consumer Information Requests

Let’s look at some of what CCPA compliance involves.

When businesses subject to the CCPA receive information requests from California residents, they must be able to trace what personal information was collected, where and how it was stored, how it was processed, what it was used for, and with whom it was shared.

The California consumer is entitled to this information for anything collected within the 12 months preceding the date of the request. This is often referred to as the consumer’s “Right to Know” how the business is using the consumer’s data, and requests like these are often called “Requests for Information” or “Information Requests”.

Furthermore, the CCPA specifies what constitutes personal information. It defines it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

A complete response to a properly submitted Information Request covers the categories and specific pieces of personal information collected; whether the information was collected directly from the consumer or from a third party (and, if so, which); how it was obtained, whether volunteered by the consumer or gathered by some other means; where the business stores it and when it is scheduled for deletion; the business or commercial purpose for which it was collected; and what information has been sold to or shared with third parties. Additional detail may be required in certain circumstances.

Liability for Failure to Properly Respond to Information Requests Under the CCPA

Under the CCPA, a business has 45 days to respond to an Information Request, extendable once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension. Failure to respond can expose the business to enforcement action, civil penalties, and liability.

This relatively short window shows why consumer information needs to be adequately organized and readily accessible. Because a business must also be able to account for consumer information that has left its own systems (for example, data passed to service providers or sold to third parties), some form of data mapping is highly advised.

A data map lets a business chart not only what personal information it collected about each consumer, but also what that information was used for and where it was sold or shared. A system that can organize consumer information automatically along these lines is therefore an invaluable resource.

Request to Delete

The CCPA also goes a step further, granting consumers a limited right to request the deletion of their personal information from a business’s records. This is often called the consumer’s “Right to Be Forgotten”, and requests like these are often called “Requests to Delete” or “Deletion Requests”.

Under Section 1798.105 of the CCPA, when a business receives a verifiable consumer request to delete, it must delete that consumer’s personal information from its records and direct any service providers holding the information to delete it as well. Businesses must also inform consumers of this right and how to exercise it.

This may appear cut and dried on the surface, but there are several exceptions under which a business is not obligated to delete a consumer’s personal information on request. Paraphrased, these exceptions allow a business to keep personal information when it is needed for:

(1) providing goods or services to the consumer;

(2) detecting and resolving issues related to security or functionality;

(3) complying with legal obligations;

(4) conducting research in the public interest;

(5) exercising free speech or ensuring another’s exercise of free speech; or

(6) using the information for internal purposes that the consumer might expect.

For example, if a customer requests deletion of their information before the item they purchased has shipped, the company does not have to delete any information needed to complete the delivery.

As another example, a customer may be the victim of identity theft and hold a business subject to the CCPA responsible. If they submit a request to delete their personal information, it may be rejected on the basis of “detecting and resolving issues related to security or functionality” or “complying with legal obligations”, since the information may be needed to establish whether the company is, in fact, the source of the leak. Moreover, if you discover a data breach, you are legally obligated to notify the affected customers, and you cannot notify people without their contact information.

In addition, businesses may continue to use information “for internal purposes that the consumer might expect”. Put simply, if the company is using the information internally, in a manner the customer would reasonably have expected when providing it, the business will likely be under no obligation to delete it.

However, the vagueness of the phrases “internal purposes” and “that the consumer might expect” should not be read too broadly. For example, a business selling specialty products is unlikely to be able to keep a California customer on its mailing or email list after that customer has submitted a Deletion Request.

If a business decides not to comply with a Deletion Request, it must: notify the California consumer that it will not comply; state the basis for the denial, including the statutory and regulatory exception it is relying on; delete any of the consumer’s information that does not fall under the exception raised; and stop using the consumer’s information for any other purpose.

Reasonable Verification

For both Information Requests and Deletion Requests, the business is required to verify that the request legitimately comes from the consumer the data is about (or from an agent that consumer has authorized).

Skipping this step not only leaves you in noncompliance, it also wastes time, money, and other resources. Worse, you may hand a consumer’s sensitive information to a fraudster, which is itself a data breach, or delete a legitimate consumer’s records at an impostor’s request. The rigor of the check should scale with what is at stake: disclosing specific pieces of personal information or deleting records warrants a stronger verification than disclosing only the categories of information collected. Verification should also not become a pretext for collecting more personal information than the check itself requires.

Identity-verification services such as Konfirmi provide this capability and can be integrated into most websites, apps, and other online systems.

Such services let both small businesses and large companies apply verification methods such as multi-factor or knowledge-based authentication to confirm that the person making the request is who they claim to be. One caveat: knowledge-based questions are only as strong as the secrecy of their answers, so they should rely on details an impostor could not assemble from public records or earlier breaches, or be paired with a second factor such as a one-time code sent to a contact channel already on file for that consumer.

Processing a fraudulent request would cause far bigger headaches than locating or deleting the data. This aspect of the regulation cannot be ignored.

Conclusion

While a California consumer’s new Rights to Know and to Be Forgotten are each significant on their own, the requirement that the consumer’s identity be “reasonably verified” cannot be overlooked.

Businesses should have a mechanism in place to meet the verification requirement. Ignoring the CCPA altogether is not an option, especially as other states begin to follow suit, so businesses will need tools that let them maintain compliance quickly and easily in this complex and shifting landscape.

Konfirmi is one of those tools. Consumers’ new agency over their personal information is of no use, and is actually a detriment, if no one verifies who is trying to exercise it. With heightened access must come heightened vigilance.