What is a Verifiable Request under the CCPA
Over the past few years, the online privacy landscape has evolved and become more complex due to new regulations such as the CCPA. Complicated issues such as verifying consumer requests have become a burdensome task for companies to complete.
What is a verifiable request under the CCPA?
The CCPA, the California Consumer Privacy Act of 2018, is a ballot measure approved by California voters and is the first comprehensive consumer privacy rights obligation for businesses regarding the collection of personal customer information. It has evolved since its establishment and its regulations have been updated by the California Privacy Rights Act of 2020 (CPRA), which will become operative in 2023.
It allows California residents to submit privacy requests to any business collecting their personal information, regardless of where the business is registered. This means that companies need to demonstrate that the person requesting to access, know, or delete personal information is indeed the user to whom that information belongs, or the legal guardian of a user under the age of 13.
The California Privacy Rights Act (CPRA), which will become operative on January 1, 2023, updates its predecessor (CCPA). It will provide a broader range of consumer rights and add newly expanded requirements for businesses.
A few of the new regulations:
- Consumers will now be able to opt-out of sharing and selling their personal information.
- Businesses will need to justify storing personal customer information and state when they will discard it.
- Tighter mandates around vendor relationships, requiring both parties to maintain the same level of privacy protections.
- Businesses that collect large quantities of sensitive data that may put the consumer at risk may need to go through annual security audits.
How to verify CCPA consumer requests?
Understanding how to verify CCPA consumer requests is no small feat for teams trying to determine the most efficient and seamless methods to verify a customer's identity. On the one hand, the process needs to be accurate, comprehensive, and compliant; on the other, it needs to be as frictionless as possible for an optimal customer experience.
These are the guidelines provided by the California Attorney General to businesses on how to verify consumer requests, adhering to the CCPA:
- Match the requester's identification information to the personal information already kept by the business.
- Collect new personal information from the consumer only if it is needed for verification (social security numbers, access codes, account numbers, driver's license numbers, health insurance policy numbers, etc.).
- Information collected for verification that was not previously held by the business should be immediately erased after processing the request.
- Businesses need to guarantee any third party involved is also CCPA compliant, adhering to the same regulations as the business.
- If unable to verify the customer's identity, contest the deletion or concealment of the personal information.
- Have systematic documentation of the verification requirements.
- Be able to process requests whether they are submitted via a registered account, a non-registered account, or both.
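The three mechanical parts of the guideline list above (match the requester's identifiers against data already held, never persist information collected solely for verification, and keep a record of which requirements were checked) can be expressed as a small request-verification routine. The following is an added example written for this page, not code from Mine or from the Attorney General; the stored records, the chosen match fields, the two-field threshold and the `Decision` type are all assumptions made for illustration.

```python
"""Hypothetical CCPA request-verification helper (added example, not Mine's code).

Implements the mechanics of the Attorney General guideline list:
  1. match the requester's identifiers against personal information already held,
  2. keep identifiers collected only for verification out of persistent storage,
  3. record which requirements were checked so the decision is auditable,
  4. if identity cannot be verified, contest the request rather than act on it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample of personal information the business already holds,
# keyed by email. A real system would read this from its customer datastore.
STORED_RECORDS = {
    "alice@example.com": {"name": "Alice Liddell", "phone": "+1 415 555 0100", "zip": "94105"},
    "bob@example.com": {"name": "Bob Ross", "phone": "+1 212 555 0199", "zip": "10001"},
}

# Identifiers the business already holds and is therefore allowed to compare (assumed set).
MATCH_FIELDS = ("name", "phone", "zip")
# Identifiers that may be requested solely for verification; their values must never be
# written to the audit record or any other store (assumed set).
VERIFICATION_ONLY_FIELDS = ("drivers_license",)


@dataclass
class Decision:
    verified: bool
    matched: tuple          # which MATCH_FIELDS agreed with stored data
    action: str             # "fulfil" or "contest"
    audit: dict = field(default_factory=dict)


def normalize(field_name, value):
    """Canonicalise values so trivial formatting differences do not fail a match."""
    v = (value or "").strip().lower()
    if field_name == "phone":
        v = "".join(ch for ch in v if ch.isdigit())
    return v


def verify_request(request, stored=STORED_RECORDS, required_matches=2):
    """Decide whether a right-to-know or right-to-delete request is verifiable.

    `request` is a dict with 'email', 'kind' ('know' or 'delete') and whatever
    identifiers the requester supplied. Verification-only fields are removed from
    the dict before returning so the caller cannot accidentally persist them.
    """
    record = stored.get(normalize("email", request.get("email")))
    matched = tuple(
        f for f in MATCH_FIELDS
        if record is not None and f in request
        and normalize(f, request[f]) == normalize(f, record.get(f))
    )
    verified = record is not None and len(matched) >= required_matches
    # Guideline: an unverifiable request is contested, not silently fulfilled.
    action = "fulfil" if verified else "contest"
    audit = {
        "when": datetime.now(timezone.utc).isoformat(),
        "kind": request.get("kind"),
        "fields_checked": MATCH_FIELDS,
        "matched_count": len(matched),
        "threshold": required_matches,
        # Record only *that* verification-only data was received, never its value.
        "verification_only_fields_received": tuple(
            f for f in VERIFICATION_ONLY_FIELDS if f in request
        ),
    }
    # Guideline: information collected only for verification is erased once the
    # request has been processed.
    for f in VERIFICATION_ONLY_FIELDS:
        request.pop(f, None)
    return Decision(verified, matched, action, audit)
```

The match threshold and field list are the policy knobs a business would tune per request type; a deletion request generally warrants a higher bar than a right-to-know request for categories of data, and the audit dict is what satisfies the "systematic documentation" item without keeping the sensitive identifiers themselves.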
How does the GDPR handle identity verification?
The GDPR set the standard for worldwide data privacy regulations in 2018 by requiring businesses to protect EU nationals in transactions occurring in EU member states, even if the consumers live outside the EU or if only the company's hosting servers are in the EU. There are quite a few similarities between the GDPR and the CPRA, although many would argue that the Californian version still has some catching up to do. American companies that target European citizens are responsible for complying with the GDPR. If they also have Californian customers, they are required to comply with both the GDPR and the CCPA.
Like the CCPA, the GDPR attempts to govern what organizations can do with their customer’s information, allowing consumers to control their data.
Customers in the EU can send an official request to a business to delete their personal information, which has to be completed within 30 days if:
- The data is not needed in the future
- The data removal is consensual
- There are objections to the data usage
- The information may have been gathered illegally
How Mine PrivacyOps helps companies verify consumer requests
Mine is looking ahead to the future of data ownership and bridging the gap between companies and consumers around data privacy rights. With Mine, consumers can discover and manage their personal data online, while companies can use an end-to-end platform to streamline and automate their privacy management and increase brand trust.
We developed MineOS to help companies deal with privacy requests while making the process more efficient and less prone to compliance risks.
Mine PrivacyOps assists companies by making it easy to verify and validate consumer requests. In the Portal, companies can find details (called "Evidence by Mine") from previous email interactions between the company and the requesting user that provide much-needed context about the data subject and its interactions with the company's data sources.
The Portal also offers endless data integrations that allow businesses to fulfill multiple privacy requests with a click of a button. These automations help companies save valuable time and human resources.
Today, businesses offering privacy and security measures to their customers are no longer flaunting a nice-to-have luxury. User privacy and data protection are becoming the standard, and companies need to quickly catch up and enforce this as part of good business practice, strengthening brand trust and compliance with local laws. The MineOS platform allows just that.