California Consumer Privacy Act Third Party
Verification Services

Below is a description of the requirements of the CCPA that may be outsourced to our company to help businesses comply with the new CCPA regulations.

The California Consumer Privacy Act sets forth sweeping new requirements that grant new rights to California consumers starting January 1, 2020. The law applies to companies with gross revenues >$25m, or those who buy, receive or sell personal information of 50k or more CA consumers, households or devices; or if they derive 50% of their annual revenues from selling consumers’ personal information. The new law applies to companies worldwide that fit the criteria if they collect CA consumer data.

The new law grants the rights of CA consumers including, among other things: • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information; • The right to delete personal information held by businesses; Our service company, Bear Flag Services, LLC, will be capable of allowing businesses to outsource their responsibilities with respect to: 1. Customized 1-800 number with interactive voicemail and customized e-mail hosting for consumer requests; 2. Intake services and logging of CA consumer requests to enforce their rights to know and rights to delete their personal information; 3. Verification of the consumers as required by the new law (as described below) including matching of consumer provided information with business records in coordination with designated business data privacy personnel and if necessary, obtaining sworn declarations from requesting consumers; 4. Sending initial responses to ‘verified’ CA consumers regarding the timeframe for response to their requests; 5. Coordination with designated business personnel responsible for data privacy to comply with the requests; 6. Substantive responses to the verified CA consumer confirming or denying their requests to know and rights to delete their personal information; 7. Maintaining records and logs of requests on behalf of the businesses. Below is a description of the requirements under the CCPA as introduced recently in October 2019 by the regulations enforcing the CCPA. For more information see: https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf

Responding to Requests to Know and Requests to Delete Personal Information about a California Consumer:
A business shall confirm within 10 days and provide information about how the business will process the request, the business’s verification process and when the consumer should expect a response.

A business must substantively respond to requests to know and requests to delete within 45 days. The 45 day period begins on the day that the business receives the request, regardless of the time required to verify the request. If a longer period is required then the business will have an additional 45 days (for a total of 90 days to respond) if the business provides notice to the consumer of the need for additional time and an explanation of the reason why it will take longer. The business may deny a request that seeks identification of sensitive information such as SSN, financial account numbers, health insurance or medical records, account password, or security questions and answers. If the request is denied then the business must inform the consumer of the basis for their denial. The business must use reasonable security measures when transmitting personal information to the consumer. The business is required to provide an individualized response to the consumer when responding to the verified request to know categories of personal information, categories of sources, and/or categories of third parties from whom the information was obtained. The business may not simply refer to the general practices outlined in its privacy policy to comply with the requirements in the CCPA. The company must also disclose the categories of personal information and categories of sources of personal information and categories of third parties to whom a business sold or disclosed personal information specific enough to allow a consumer sufficient understanding of the categories listed. If the business cannot verify the consumer then it is not required to respond to a request to know or delete the personal information of the unverified consumer.

If a company is asked to delete personal information they must comply by either (1) permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems; (2) deidentifying the personal information; or (3) aggregating the personal information. The business must also specify the manner of deletion of the personal information in its response to delete the information. If a business denies the request it must describe the statutory reason for such denial. The business must delete any personal information that is not subject to the exception and not use the personal information retained for any other purpose than provided for by the exception. The business may allow the consumer to choose to delete only select portions of their personal information when responding to a request to delete if a global option to delete all personal information is more prominently presented than the other choices.

TRAINING AND RECORD KEEPING:

The businesses may establish their own manner of training and record keeping regarding handling of requests and the actions taken but requires that a business maintain records of consumer requests made pursuant to the CCPA, and of how the business responded to said requests, for at least 24 months. Further, the CCPA allows the records to be maintained in a ticket or log format so long as it includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part. The CCPA requires all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA to be informed of all the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and the regulations. The CCPA regulations also require that a business’s maintenance of information for record-keeping purposes, where that information is not used for any other purpose, does not by itself violate the CCPA or these regulations. The logs and records may not be used for any other purposes than to comply with the CCPA.

GENERAL RULES REGARDING VERIFICATION:

Section 999.323 of the regulations implementing the CCPA provide for general rules regarding the process of verification to ensure that the person making the requests to know what information is collected and stored and/or to delete such information is the consumer about whom the business has collected information.
Businesses are required to establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.
Whenever feasible, a business must match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identify verification service. The businesses are required to avoid collecting the types of personal information unless necessary to perform the verification.
There are a variety of factors in determining the level of verification method, such as the type, sensitivity, and value of the personal information collected and maintained, the risk of harm posed by any unauthorized access or deletion, the likelihood that fraudulent or malicious actors seeking the information, whether the information can be spoofed, the manner in which the business interacts with the consumer, and available technology for verification. The regulations requires businesses to generally avoid requesting additional information from the consumer for purposes of verification. It allows businesses to request additional information from the consumer if they cannot verify the identity of the consumer with the information they already have, but restricts them from using that information for any purpose other than verification or security or fraud-prevention. It further requires a business to delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request. Further, the regulations require a business to implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.

HOW TO VERIFY:

If the business does not maintain a password protected account for its consumers then the business must establish a verification procedure as specified in the regulations. The verification process must verify the identity of the consumer making the request to a reasonable degree of certainty. It further provides that a reasonable degree of certainty may include matching at least two data points provided by the consumer with the data points maintained by the business.
If the consumer is requesting to know specific pieces of personal information then the business must verify the identity of the consumer making the request to a reasonably high degree of certainty, which is a higher bar for verification. A reasonably high degree of certainty to be the matching of at least 3 pieces of personal information provided by the consumer with personal information maintained by the business together with a signed declaration under penalty together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. The businesses must maintain all signed declarations as part of their record keeping.
For a request to delete, the business must act in good faith when determining the appropriate standard to apply when verifying the consumer in accordance with the regulations set forth in Article 4. It allows a business to verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty. This subdivision is necessary to provide businesses guidance regarding the standard they should apply when verifying requests to delete. It also provides businesses flexibility in determining whether to use a reasonable degree or a reasonably high degree of certainty, but also holds them accountable for making a good-faith determination. The subdivision also gives guidance
to businesses by providing an example of when a business may require a lower or higher standard for verification.
The regulations provide illustrative examples of how to verify non-accountholders. The first example addresses a situation where a business has personal information associated with a named actual person such as a consumer’s name and credit card number. It explains that the business could verify the consumer by asking for the credit card security code and recent purchases made with the credit card. The second example addresses a situation where personal information is not associated with a named actual person. It explains that the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information and that the business may be required to conduct a fact-based verification process
The CCPA requires a business to inform the consumer in response to any request to know or request to delete that it receives if there is no reasonable method by which it can verify the consumer’s identity to the degree of certainty required. If there is no reasonable method to verify the consumer’s identity to the degree of certainty required for all the personal information the business holds, this subdivision requires the business to disclose in its privacy policy why there is no reasonable method. The subdivision further requires the business to evaluate and document on a yearly basis whether a method can be established.
Definitions: “third-party identity verification service” means a security process offered by an independent third party who verifies the identity of the consumer making a request to the business. Third-party verification services are subject to the requirements set forth in Article 4 of these regulations regarding requests to know and requests to delete.
Update requirements for Businesses PRIVACY POLICYs under the CCPA:
Under the CCPA you must have a privacy policy displayed that is easily accessible and understandable to consumers, including those with disabilities. It needs to be posted conspicuously and specifically describes where you must post this policy to comply with the privacy policy provisions of the CCPA. The new law creates specific rules to address what needs to be included in the privacy policy and how to describe the consumers’ rights under the new law to make it helpful to consumers including an explanation off hte procedures for a consumer to designate an authorized agent to act on the consumers’ behalf in submitting requests to businesses and a designated contact to answer consumers’ questions on the business’s privacy policy and practices.
Section 1798.130 (a)(5) requires a business to disclose certain information in its privacy policy and to update that information at least once every 12 months.
It must have a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of consumer personal information and of the rights of consumers regarding their personal information. The privacy policy provides in one place all the disclosures required by the CCPA, including explanations of the consumer privacy rights conferred by it.
Note: Our business partners with a law firm to prepare and implement the proper Privacy Policy requirements and advice on how to display and message to consumers regarding their new rights. The law will change over the coming years and our business will create reminders to update the privacy policy each 12 months and will suggest updates to the privacy policy in accordance with any updates to this new law.
For more information please email: [email protected]