Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps: Part 4 – Verified Requests for Data

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:
Part 4 of a Series

Verified Requests for Data

The CCPA is hurtling headlong toward implementation on January 1, 2020.  The Act, which is likely to be amended, perhaps substantially, in the next sixty days, and which has no guiding regulations, continues to present a conundrum for companies faced with designing and implementing policies and procedures that need to be consumer-ready by Day 1.

One requirement that has created substantial confusion and uncertainty is directly related to a key element of the Act – the right of consumers to control the personal information held by companies. Under the Act, companies must develop or identify internal mechanisms to respond to a consumer’s exercise of their right to access the information collected about them, verify their identity, respond within the mandated 45 days, and document both the request and response.

While the obligation is clear and seemingly innocuous, it is creating both confusion and its own cottage industry of consultants and service providers.

The sticking point of this requirement is determining how a company will reasonably verify the requester’s identity. The California Attorney General was to have adopted regulations to help businesses determine when a request is a verified consumer request (sometimes referred to by the quaintly anachronistic acronym “VCR”). Those regulations have not yet been proposed.

In the interim, companies are left with little more than what feels like the type of direction from U.S. Supreme Court Justice Potter Stewart, when he was forced to define a threshold test for obscenity in 1964:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so. But I know it when I see it….”

Like so much of the CCPA, the obligation is appropriate on its face, but difficult to implement.

Consider This:

At the moment, the law deems a consumer’s request “submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account” as a VCR.

That sounds safe enough, until you consider all the helpful extensions on your phone or personal computer (now linked, of course) that remember those passwords and facilitate signing on to a variety of websites.  The popularity of linking a site to Facebook can make the verification particularly unsafe. Using these services, a consumer’s child, your spouse, co-worker or essentially anyone that recovers your unlocked device has exactly the same access to the information the consumer perhaps did not want the company collecting, maintaining and selling in the first place. Not to mention what a hacker with only minimal skills or access to dark web tools could do.  The CCPA does not address these issues, and it’s unclear whether the Attorney General will provide meaningful guidance.  As with so much of the Act, we can expect lawsuits to fill in the blanks.

And What About This?

Businesses often collect information from consumers with little formality, and often without passwords or other identifying steps.  In fact, consumers, in an attempt to reduce their digital footprint, often prefer to engage in e-commerce as a guest, rather than be inundated with solicitations.  Similarly, companies often collect biometric and other data, which is personal information under the CCPA, without any real interaction with the consumer.  In these cases, submitting through a “password-protected account” is not an option.

While we can hope that the state Attorney General addresses these issues, it should spur serious consideration of how to reduce a company’s exposure.

Require Two-Factor Identity Verification/Authentication

Instead of quickly providing the requested information, companies should consider the following response: “We received a request from this account for access to all personal information we have collected about you in the last 12 months. If this was you, please respond with XYZ. If this was not you, please contact our privacy hotline immediately at XXX, or the State Attorney General’s office at XXX.”

Do You Really Need This Information in the First Place?

Companies need to seriously consider limiting what information they collect about consumers in order to avoid not only the vast new burdens, but also inadvertent disclosure of that information to unauthorized third parties under the new law. One could argue that the VCR component of CCPA inadvertently creates another unfettered black market for consumer information via “consumer requests.”

There will no doubt be consumer lawsuits against companies alleging that they failed to properly comply with CCPA, but we can also expect follow-on suits against companies who tried in good faith but failed in one or another aspect of implementation by “sharing” personal data of a consumer with the wrong consumer.

Companies need to think carefully about their “information request” response plans, and to test them as craftily as they test their breach response plans and conduct tabletop exercises.


Read our other blogs in this series on Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:

 Part 1 – the Data Map
 Part 2 – the Breach Response Plan
 Part 3 – the Privacy Policy


Robert E. Braun
 is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.