- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: How far can a company go to validate the identity of an individual making a data subject access request?
- If a company receives a written request from a current employee that is personally known, a phone call may be sufficient to satisfy the identity of the requestor. It would likely be unreasonable to ask them for additional proof of identity.
- If a company receives a request by email, and in that email the requestor provides an address which does not match the address a company has on record, it would be reasonable to confirm another detail which the company holds on record.
The means by which the request is delivered may also affect your decision about how far a company needs to go to confirm the requestor’s identity. For example, if a request is made from an email account with which a company has recently corresponded with the requestor, it may be reasonable (particularly if the personal information kept has no sensitivity) to assume that the request has been made by the requestor. On the other hand, if the request is made via a social networking website or on blank letter paper, it may be more prudent to check whether it is a genuine request.
1. CCPA, 1798.100(c).
2. CCPA, 1798.140(y).
3. Working Party Paper 242 Rev.01, Guidelines on the Right to Data Portability at 13-14 (5 April 2017).
4. See UK Information Commissioner’s Office, Subject Access Code of Practice: Dealing with Requests from Individuals for Personal Information at 24.