California Consumer Privacy Act Third Party
Below is a description of the requirements of the CCPA that may be outsourced to our company to help businesses comply with the new CCPA regulations.
The California Consumer Privacy Act sets forth sweeping new requirements that grant new rights to California consumers starting January 1, 2020. The law applies to companies with gross revenues above $25 million; to companies that buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices; and to companies that derive 50% or more of their annual revenue from selling consumers' personal information. A company anywhere in the world that meets one of these criteria and collects California consumer data is covered.
Responding to Requests to Know and Requests to Delete Personal Information about a California Consumer:
A business shall confirm receipt of a request within 10 days and tell the consumer how the business will process the request, what its verification process is, and when the consumer should expect a response.
If a business is asked to delete personal information, it must comply by (1) permanently and completely erasing the personal information on its existing systems, with the exception of archived or back-up systems; (2) deidentifying the personal information; or (3) aggregating the personal information. The business must state in its response which manner of deletion it used. If a business denies the request, it must describe the statutory reason for the denial; it must still delete any personal information that is not covered by the exception and must not use the information it retains for any purpose other than the one the exception provides for. When responding to a request to delete, a business may let the consumer choose to delete only selected portions of their personal information, provided that a global option to delete all personal information is presented more prominently than the other choices.
TRAINING AND RECORD KEEPING:
GENERAL RULES REGARDING VERIFICATION:
Businesses are required to establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.
Whenever feasible, a business must match the identifying information provided by the consumer to the personal information about that consumer it already maintains, or use a third-party identity verification service. Businesses must avoid collecting new personal information for verification unless it is necessary to perform the verification.
Several factors determine the appropriate level of verification: the type, sensitivity, and value of the personal information collected and maintained; the risk of harm posed by unauthorized access or deletion; the likelihood that fraudulent or malicious actors would seek the information; whether the information can be spoofed; the manner in which the business interacts with the consumer; and the technology available for verification. The regulations require businesses to generally avoid requesting additional information from the consumer for verification. A business may request additional information only if it cannot verify the consumer's identity with the information it already has, and it may not use that additional information for any purpose other than verification, security, or fraud prevention. Any new personal information collected for verification must be deleted as soon as practical after the request has been processed. Finally, a business must implement reasonable security measures to detect fraudulent identity-verification activity and to prevent unauthorized access to, or deletion of, a consumer's personal information.
HOW TO VERIFY:
If the consumer requests specific pieces of personal information, the business must verify the identity of the requestor to a reasonably high degree of certainty, the higher of the two verification standards. A reasonably high degree of certainty means matching at least three pieces of personal information provided by the consumer with personal information the business already maintains, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. Businesses must retain all signed declarations as part of their record keeping.
For a request to delete, the business must act in good faith when deciding which verification standard to apply under Article 4 of the regulations. It may verify the consumer's identity to either a reasonable degree or a reasonably high degree of certainty, depending on the sensitivity of the personal information and the risk of harm to the consumer from an unauthorized deletion. For example, deleting family photographs and documents may require a reasonably high degree of certainty, while deleting browsing history may require only a reasonable degree of certainty. This subdivision gives businesses guidance on the standard to apply when verifying requests to delete and flexibility in choosing between the two standards, while holding them accountable for making a good-faith determination; the example illustrates when a lower or higher standard may be appropriate.
The regulations provide illustrative examples of how to verify non-accountholders. The first example addresses a business that holds personal information tied to a named actual person, such as a consumer's name and credit card number; the business could verify the consumer by asking for the credit card security code and for recent purchases made with the card. The second example addresses personal information that is not tied to a named actual person; the business may verify the consumer by requiring them to demonstrate that they are the sole consumer associated with the non-name identifying information, and the business may need to conduct a fact-based verification process.
Definitions: “third-party identity verification service” means a security process offered by an independent third party who verifies the identity of the consumer making a request to the business. Third-party verification services are subject to the requirements set forth in Article 4 of these regulations regarding requests to know and requests to delete.
For more information please email: [email protected]