Article 3 of the CCPA covers the required forms of communication that needs to be designated between a business and its consumers for submitting ‘Requests to Know’ and ‘Requests to Delete’.
Request to Know
- A business to which the CCPA applies must provide two or more methods (can be a phone number, link, form, toll free number, email address et cetera) for consumers to submit “requests to know’ (can be a phone number, link, form, email address et cetera), which, at a minimum, must include a toll-free number.
- If the business operates a website, then an interactive web form accessible through that website is required.
- Exemption: The requirement to have a toll-free number does not apply to businesses that operate exclusively online and have a direct relationship with a consumer from whom it collects personal information if they maintain a website that allows consumers to request their personal information.
- Businesses having an indirect relationship with their consumers need to have at least two methods to submit such requests and one of them must be a toll-free number.
- One of the methods should reflect the manner in which the business primarily interacts with the consumers.
- Example: If a business has a website but primarily interacts with the consumers at a retail location, then a form must be available to be filled up and submitted by the consumer at the retail location.
Request to Delete
- A business should use a two-step process to file online requests to delete, where the first step comprises of submitting the request and the second step consists of confirmation to delete personal information.
- If the consumer submits a request that is not in accordance with one of the designated forms of submission then (1) the submission should be treated as if it has been submitted in the designated manner or (2) the consumer should be provided with specific directions on how to submit the request.
Obligation to verify Consumer Requests
Businesses and, to some extent, service providers, have an obligation to verify consumer requests under the CCPA. For that purpose, a business shall “establish, document, and comply” with a reasonable verification method for a request to know or a request to delete. As a rule, requests to know, requests to delete, and request to opt-in for sales require the verification of the consumer but request to opt-out do not.
When verifying the identity of a consumer, a business shall:
- whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with the requirements for verification.
- avoid collecting certain types of personal information identified in Cal. Civil Code Section 1798.81.5(d), unless necessary for the purposes of verifying the consumer.
The business shall consider the following factors when designing the verification process:
- The type, sensitivity, and value of the personal information collected and maintained about the consumer.
- The risk of harm to the consumer posed by any unauthorized access or deletion (the greater the risk of harm the more stringent the verification process)
- The likelihood that fraudulent or malicious actors would seek the personal information (the higher the likelihood, the more stringent the verification process);
- Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudule
- The way the business interacts with the consumer; and
- Available technology for verification.
A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to or deletion of a consumer’s personal information.
Special Rules for Password Protected Accounts
If a consumer maintains a password-protected account with the business , the business may verify the consumer’s identity through existing authentication practices for the account. The business shall require a consumer to re-authenticate before disclosing or deleting the consumer’s data.
If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer who requests to know or requests to delete, until further verification procedures. These procedures should determine that the consumer’s request is authentic and the consumer making the request is the person whom the business has collected information.
Verification of Identity for Non-Account Holders
To establish specific verification standards and requirements that apply where a consumer does not have or cannot access a password-protected account. These standards and requirements differ depending on the right that the consumer is requesting to exercise:
For a request to know the categories of personal information collected:
- Verification of the identity of the consumer making the request must be to a reasonable degree of certainty.
- A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business, which the business has determined to be reliable for the purpose of verifying the consumer.
For a request to know specific pieces of personal information:
- Verification of the identity of the consumer making the request must be to a reasonably high degree of certainty, which is a higher bar for verification.
- A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business, that it has determined to be reliable for the purpose of verifying the consumer together. This should include a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
- Businesses shall maintain all signed declarations as part of their record-keeping obligations.
For a request to delete personal information:
- Verification of the identity of the consumer making the request must be to a reasonable degree or a reasonably high degree of
certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized
- For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the
deletion of browsing history may require a reasonable degree of certainty.
- A business shall act in good faith when determining the appropriate standard to apply.
For requests to opt-out of sales:
A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requesting party that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.
For request to opt-in to sales:
Requests to opt-in to the sale of personal information shall use a two-step opt-in process where the consumer shall:
- Clearly request to opt-in; and then
- separately confirm their choice to opt-in.
A business shall use methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian, which include:
- Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;
- Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
- Having a parent or guardian connect to trained personnel via video-conference;
- Having a parent or guardian communicate in person with trained personnel; and
- Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, where after such verification is complete, the parent or guardian’s identification is promptly deleted by the business from its records.
Prepared by Christopher L. Rasmussen, Esq., Managing Partner – Commercial, Trademark, and Privacy Practice Group, Inventus Law, PC., 3260 Hillview Avenue, Palo Alto, CA 94304, email@example.com, 1.408.482.3216 and Abhilipsa Panda, Intern, Inventus Law, PC., 3260 Hillview Avenue, Palo Alto, CA 94304, firstname.lastname@example.org. Please do not hesitate to contact Mr. Rasmussen or Ms. Panda if you have any questions about this memo, CCPA, or privacy matters.