The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.”[1] The regulations provide as an example matching three pieces of personal information provided by the consumer with three pieces of personal information maintained by the business and obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.[2]
Although businesses are permitted to request that consumers sign a declaration under penalty of perjury, only 1% of companies state in their privacy notices that they require such an affidavit or a declaration.[3] However, it is possible that once a data subject request has been submitted, other companies also request a signed verification prior to providing information in response to a specific-information access request, even if that prerequisite is not in the corporate privacy notice.
FOOTNOTES
[1] Cal. Code Regs. tit. 11, § 999.325(c) (2021).
[2] Cal. Code Regs. tit. 11, § 999.325(c) (2021).
[3] Greenberg Traurig LLP reviewed the publicly available privacy notices and practices of 555 companies (the Survey Population). The Survey Population comprises companies that had been ranked within the Fortune 500 at some point in the past five years as well as additional companies selected from industries that are underrepresented in the Fortune 500. While the Survey Population does not fully match the current Fortune 500 as a result of industry consolidation and shifts in company capitalization, we believe that the aggregate statistics rendered from the Survey Population are representative of mature companies. Greenberg Traurig’s latest survey was conducted between September and October 2022.