Am I Sam?
In the Dr. Seuss classic “Green Eggs and Ham,” Sam-I-Am says who he is by carrying a sign. Setting aside for the moment that Sam’s role in the children’s book more closely resembles that of one who collects data based on consumer preferences—e.g., “Would you like them in a house? Would you like them with a mouse?”—let’s envision him as a consumer himself, protected under the California Consumer Privacy Act. Would his self-declaration “I am Sam” satisfy the verifiable consumer request requirements as set forth in the proposed final text of the act’s regulations?
It would not, should not, Sam-I-Am.
With potential enforcement by California Attorney General Xavier Becerra commencing in less than two weeks, businesses subject to the CCPA need to ensure that their proverbial i’s are dotted and t’s crossed. When it comes to verifying the identity of consumers, it’s incumbent upon businesses to establish a verification method.
Whether merely hoisting a sign cuts it is not Sam’s call. It’s up to the business.
Consumer verification under the CCPA comes into play when addressing requests to know and requests to delete. Significantly, it does not apply to requests to opt out of the sale of personal information.
Businesses need not go into great detail, however. As noted in the AG’s Final Statement of Reasons, the verification process must only be described “in general.” As AG Becerra explains: “This change was made in response to public comments requesting guidance regarding the level of detail businesses would be required to provide and raising concerns that specific descriptions would allow bad actors to evade security procedures or be onerous on businesses. Requiring a ‘general’ description benefits consumers by providing them a high-level understanding of the verification process while reducing the burden on businesses and minimizing the risk of fraud or malicious activity.”
Moreover, the verification method should be “reasonable”—a squishy word for sure, but the regulations do provide some guidance. Has the business taken into account the type, sensitivity, and value of the personal information requested? Has it assessed the risk of harm to the consumer posed by any unauthorized access or deletion? Is the chosen method sufficiently robust to protect against fraud, spoofing, or fabrication?
A number of businesses (such as Disney) have opted to use third-party identity verification services, which the regulations make clear “are subject to the requirements … regarding requests to know and requests to delete.” Less clear, however, is whether businesses would be vicariously liable for any deficiencies in the third party’s services.
While Cal. Civ. Code § 1798.140(w)(2)(B) provides that businesses are not liable if a third party “uses” personal information “in violation of the restrictions set forth in this title,” it’s doubtful that the “reasonableness” of a given verification method would constitute a “use” in violation of a “restriction.”
Businesses need to consider a host of other factors—outlined in this checklist—before implementing an identity verification method, but perhaps the key takeaway from Xavier Becerra’s Final Statement of Reasons is that “determining the appropriate verification standard is fact- and scenario-specific.”
Indeed, at least one line of questioning conducted by Sam-I-Am—i.e., the one concerning the house and the mouse—is quite relevant to scenarios for household personal information. A business must verify not only whether the mouse is currently a member of the household, but also if the mouse is jointly requesting disclosure or deletion along with Sam. And if the mouse is a minor or an authorized agent … well, you get the idea.
Thank you! Thank you, Xavier-I-Am!