Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?

No.

Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.¹

Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.²

The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.

Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.

GDPR

CCPA

There are no specific requirements governing the methods by which a data subject can submit a request.
A business should provide methods for requests to be made electronically, especially where personal data is processed by electronic means.³

Access:

If a business only operates online, it is only required to provide an email address.⁴
If a business is not only online, it must provide, at a minimum, a toll-free number and a website address.⁵
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.⁶

Opt-out:

A business must provide a link on the homepage titled “Do Not Sell My Personal Information.”⁷
A business must provide at least two methods for submitting requests (no exception for online-only).⁸
One of the methods must be an interactive form accessible through the “Do Not Sell” link.⁹
At least one method to opt-out must reflect the manner in which the business primarily interacts with the consumer.¹⁰
The business must treat user-enabled global privacy controls as a valid opt-out request.¹¹
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.¹²

Delete:

A business must provide at least two methods for submitting requests (no exception for online-only).¹³
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.¹⁴

Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?

No.

Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.¹ As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.

While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements. ² Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.

GDPR

CCPA

General Rules:

There are no specific requirements for the verification of a requestor.
If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this will trigger the GDPR’s data breach provisions.
If there are doubts concerning the identity of an individual, the controller may request additional information.
The controller must use all reasonable measures to verify the identity of a data subject who requests access to their information.
A business must establish procedures for verifying the identity of a requestor. This implies that the procedures must (or should) be documented and complied with.

General Rules:

If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this may or may not trigger the CCPA’s data breach provisions.
A business shall avoid requesting new information for verification unless it is necessary to complete the verification.⁵
Any additional information collected for the purposes of verification may only be used to verify the individual.⁶
A business must establish, document, and comply with a reasonable method for the verification of requests.⁷
A business cannot require the consumer to pay a fee for the verification of their identity. This includes requiring a consumer to provide a notarized affidavit (unless the business compensates the consumer for the cost of notarization).⁸
If the consumer maintains an account, the business may verify their identity through that account using the business’ standard verification measures.⁹

Access:

If a specific information-access request is denied, the business must evaluate the request as if it were a category-access request.¹⁰
A business must verify individuals who submit category-level access request to a reasonable degree of certainty, which may include matching at least two data points.¹¹
A business must verify individuals who submit specific-information access requests to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.¹²

Opt-Out:

A request to opt-out does not need to be verifiable.¹³

Deletion:

A business must verify individuals who submit deletion request to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.¹⁴