Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?
Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.[1] As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.
While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements.[2] Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. Cal. Civil Code 1798.100(a); 1798.105(a); 1798.120(a); GDPR Art. 15; GDPR Art. 17.
2. On October 11, 2019, the Office of the California Attorney General proposed regulations to implement the CCPA. The Proposed Regulations largely add to the CCPA’s verification requirements.
3. GDPR Art. 12(6).
4. GDPR, Recital 64.
5. CCPA, Proposed Regulation 999.323(c).
6. Cal. Civil Code 1798.130(a)(7).
7. CCPA, Proposed Regulation 999.323(a).
8. CCPA, Proposed Regulation 999.323(d).
9. CCPA, Proposed Regulation 999.324(a).
10. CCPA, Proposed Regulation 999.313(c)(1).
11. CCPA, Proposed Regulation 999.325(b).
12. CCPA, Proposed Regulation 999.325(c).
13. CCPA, Proposed Regulation 999.315(h).
14. CCPA, Proposed Regulation 999.325(d).
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.