- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumers' right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
How far can a company go to validate the identity of an individual making a data subject access request?
The CCPA requires that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted. In order to access or delete their information, a consumer must submit a “verifiable consumer request.”1 While the term implies that a business must take steps to “verify” that the individual who has made a request is indeed the person about whose information they would like the company to take action, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification. Rather, the Act directs the Attorney General to adopt regulations to help guide companies on how to accomplish consumer verification.2 If the Office of the Attorney General has not finalized regulations by the time that the CCPA goes into force, many businesses are likely to apply a sliding-scale verification process under which they establish higher-threshold steps needed for verification (e.g., government-issued ID) when a request might permit access to sensitive consumer information (or the deletion of important consumer data) and lower-threshold steps needed for verification (e.g., confirmation to an email address previously on file) when a request would permit access only to low-sensitivity consumer information (or the deletion of relatively unimportant consumer data). That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3
In comparison, in Europe the Article 29 Working Party – the predecessor to the European Data Protection Board – recognized that while there “are no prescriptive requirements to be found in the GDPR on how to authenticate the data subject,” controllers have an obligation to “strongly ascertain” the identity of a data subject before responding to a request regarding information.4 While in some situations, verifying the email address of a data subject (e.g., sending a communication to the data subject at the email address that a company has previously associated with the individual) may be sufficient to “strongly ascertain” identity, in other instances it would not. Specifically, email verification has well-accepted vulnerabilities to impersonation, and supervisory authorities have advised controllers that they should not assume that a data subject is who they say they are based upon the mere fact that an “email address matches the company’s records” and have advised gathering “further information” prior to responding to the data subject’s request.5 In the United Kingdom, the Information Commissioner’s Office published a ‘Subject Access Code of Practice’ which provided guidance on (amongst a multitude of other things) how to confirm a requestor’s identity. In short, the Code recommended asking only for enough information to judge whether the person making the request is the individual to whom the personal data relates. What is reasonable may be circumstance-specific. For example:
- If a company receives a written request from a current employee that is personally known, a phone call may be sufficient to satisfy the identity of the requestor. It would likely be unreasonable to ask them for additional proof of identity.
- If a company receives a request by email, and in that email the requestor provides an address which does not match the address a company has on record, it would be reasonable to confirm another detail which the company holds on record.
The means by which the request is delivered may also affect your decision about how far a company needs to go to confirm the requestor’s identity. For example, if a request is made from an email account with which a company has recently corresponded with the requestor, it may be reasonable (particularly if the personal information kept has no sensitivity) to assume that the request has been made by the requestor. On the other hand, if the request is made via a social networking website or on blank letter paper, it may be more prudent to check whether it is a genuine request.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, 1798.100(c).
2. CCPA, 1798.140(y).
3. See Assembly Bill 25 passed on November 13, 2019.
4. Working Party Paper 242 Rev.01, Guidelines on the Right to Data Portability at 13-14 (5 April 2017).
5. See UK Information Commissioner’s Office, Subject Access Code of Practice: Dealing with Requests from Individuals for Personal Information at 24.
Did California Declare War on Attorney Client Privilege? How the CCPA Impacts Privilege Protections
The hastily drafted CCPA raises serious issues concerning the attorney-client privilege, work-product doctrine, and client confidentiality. Drafted in approximately one week as a political compromise to address a proposed privacy ballot initiative,1 the CCPA contains provisions that are all too unclear regarding an attorney’s obligations to maintain client confidentiality and privilege. Without further clarification from the legislature or the California Attorney General’s rulemaking process, this lack of clarity is likely to lead to litigation.
The crux of the problem lies in the CCPA’s broad reach and its vaguely worded exemptions. The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request. As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”2 While the legislature presumably intended to ensure that the CCPA did not require a business or its outside counsel to disclose privileged information, on its face the exemption is limited only to the obligations imposed by “Sections 1798.110 to 1798.135.” It expressly does not apply to obligations imposed by other sections of the CCPA, such as Sections 1798.100 or 1798.105.
Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege, work-product, and client confidentiality. Section 1798.100 contains within it the requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.3 Section 1798.105 contains within it the requirement that a business must, in response to a valid deletion request, “delete the consumer’s personal information from its records. . . .”4 The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged, work-product, or confidential information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.
Other more general exemptions to disclosure in the CCPA could arguably apply, although it is unclear whether the legislature intended that these exemptions cover privileged, work-product, and confidential information of a client. For instance, Section 1798.145(j) states that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers,” while Section 1798.145(a)(1) provides that “the obligations imposed on businesses by this title shall not restrict a business’s ability to … [c]omply with federal, state, or local laws.”5 A business or law firm faced with the question of whether it must disclose privileged, work-product, or confidential information may turn to these sections to argue that the CCPA should not supersede other state laws concerning privilege, work-product, or an attorney’s ethical obligations to maintain client confidentiality.6 However, a consumer seeking disclosure of the information may conversely argue that the more specific provision should govern over the general. Because the specific exemption concerning evidentiary privileges (such as the attorney-client privilege) expressly does not apply to all sections of the CCPA, so the argument goes, these other more general exemptions should not apply either.
As a result of the lack of clarity in the statute, Bryan Cave Leighton Paisner, LLP has specifically requested that the California Attorney General issue rulemaking clarifying that privileged, work-product, and confidential information of a client is exempt from disclosure under all of the provisions of the CCPA. Without rulemaking from the Attorney General or further clarification from the legislature, the CCPA otherwise leaves important issues that lie at the heart of the attorney-client relationship to the uncertainties of litigation.
Does the CCPA exempt businesses from having to disclose privileged communications?
The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Does the CCPA exempt businesses from having to disclose privileged communications?
Yes and no.
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (For more on the history of the CCPA, you can find a timeline on page 2 of BCLP’s Practical Guide to the CCPA). Given its hasty drafting there are a number of areas in which the CCPA intentionally, or unintentionally, is at best ambiguous, or at worst leads to unintended results. One of those areas deals with attorney-client communications.
The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request. As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”1 While the exception presumably was intended to ensure that the CCPA did not require a business or an attorney to disclose privileged information, on its face it is limited only to the obligations imposed by “Sections 1798.110 to 1798.135.” More specifically, on its face it does not apply to the obligations imposed by other sections of the CCPA including Sections 1798.100 or 1798.105.
Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege. Section 1798.100 contains within it the requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.2 Section 1798.105 contains within it the requirement that a business must, in response to a valid deletion request, “delete the consumer’s personal information from its records. . . .”3 The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.
Judicial interpretation (or intervention) may be needed to clarify whether the access and deletion rights of the CCPA are preempted by another federal, state, or local law that guarantees the confidentiality of attorney-client communications. Similarly courts may need to determine whether an access or deletion request could be refused based upon the exception within the CCPA that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers.”4