Verifiable Consumer Request (VCR)

What is a verifiable consumer request?

A "verifiable consumer request" is a foundational concept under the California Consumer Privacy Act (CCPA, as amended by the CPRA). It is the mechanism through which consumers exercise most of their privacy rights, including the right to know what personal information a business has collected, the right to delete personal information, the right to correct inaccurate personal information, and the right to access information about a business's use of automated decision-making technology.

The CCPA defines a verifiable consumer request as a request made by a consumer, by a consumer on behalf of the consumer's minor child, or by an authorized agent acting on the consumer's behalf, that the business can reasonably verify as coming from the consumer about whom it has collected personal information (Civil Code § 1798.140(ak)). An authorized agent may be a natural person or a business entity registered with the California Secretary of State that the consumer has authorized to act on their behalf.

Verification is required because the CCPA provides consumers with access to, correction of, and deletion of personal information. Without identity verification, a business responding to a request could inadvertently disclose personal information to the wrong person, creating a data breach rather than fulfilling a privacy right. The verification requirement balances the consumer's right to exercise control over their data against the risk of unauthorized access.

Which requests require verification

Not all consumer requests under the CCPA require the same level of identity verification. The CCPA regulations (Cal. Code Regs., tit. 11, §§ 7060–7063) establish different verification standards depending on the type of request and the sensitivity of the information involved.

Requests to know categories of personal information collected require verification to a "reasonable degree of certainty," meaning the business must match at least two data points provided by the consumer against personal information it already maintains, along with a process for evaluating those data points (§ 7062(b)).

Requests to know specific pieces of personal information require verification to a "reasonably high degree of certainty," meaning the business must match at least three data points against its records and must also obtain a signed declaration under penalty of perjury from the requestor (§ 7062(c)).

Requests to delete personal information require verification at a level appropriate to the sensitivity of the data involved, ranging from a reasonable degree to a reasonably high degree of certainty (§ 7062(d)).

Requests to correct inaccurate personal information, added by the CPRA (Civil Code § 1798.106), require verification to the same degree applicable to requests to know or delete, depending on the nature of the personal information.

Requests to access information about automated decision-making technology (ADMT) require verification to a reasonably high degree of certainty under the September 2025 CCPA regulations (§ 7062(f)). If the business cannot verify the request, it must deny it.

Requests to opt out of the sale or sharing of personal information, to limit the use and disclosure of sensitive personal information, and to opt out of automated decision-making technology do not require identity verification (§ 7026, § 7027). However, a business may ask for enough information to ensure the opt-out is applied to the correct consumer record.

Verification standards in the regulations

The CCPA regulations (Article 5, §§ 7060–7063) establish a detailed verification framework.

General rules (§ 7060): Businesses must establish, document, and comply with a reasonable method of verification. Whenever feasible, businesses should match identifying information provided by the requestor against personal information already in the business's possession. Businesses must avoid collecting new personal information from the consumer for verification purposes unless necessary, and must not collect sensitive information (such as Social Security numbers, driver's license numbers, or financial account information) unless no other reasonable method of verification is available. Any personal information collected solely for verification must be deleted as soon as practicable after the request is processed. The verification process must take into account the type, sensitivity, and value of the personal information at issue, the risk of harm to the consumer from unauthorized disclosure, the likelihood that fraudulent or malicious actors would seek the information, the robustness of the identifying information provided, the manner in which the business interacts with the consumer, and the technology available for verification.

Password-protected accounts (§ 7061): If a consumer has a password-protected account with the business, the business may verify identity through its existing authentication practices, provided those practices meet the general requirements of § 7060. For requests to know specific pieces of personal information, the business must also re-authenticate the consumer before disclosing data.

Non-accountholders (§ 7062): Verification of consumers who do not have accounts with the business follows the tiered standards described above (two-point match for reasonable degree of certainty; three-point match plus signed declaration for reasonably high degree of certainty).

Authorized agents (§ 7063): When a consumer uses an authorized agent, the business may require the agent to provide proof of the consumer's written permission, and may require the consumer to verify their own identity directly with the business unless the agent has a power of attorney. The September 2025 regulations clarify that a business cannot require a consumer to resubmit a rights request in their individual capacity when the request was properly made through an authorized agent (§ 7063(a)(2)).

Response timelines

Businesses must confirm receipt of a verifiable consumer request within 10 business days, providing information about how the business will process the request (§ 7021). The business must substantively respond to the request within 45 calendar days of receipt. If additional time is reasonably necessary, the business may extend the response period by an additional 45 calendar days (for a maximum of 90 calendar days total), but must notify the consumer of the extension and the reason for it within the initial 45-day period. Requests to opt out must be processed as soon as feasibly possible, but no later than 15 business days.

Businesses cannot require consumers to create an account in order to submit a request and must provide at least two methods for submitting requests (such as a toll-free telephone number, an email address, a web form, or a postal address). If a business operates a website, it must also accept requests through its website. A business is not required to provide personal information to a consumer more than twice in a 12-month period.

Verification when the business cannot verify

If a business cannot verify a consumer's identity for a request to know specific pieces of personal information, it must inform the consumer that it cannot verify their identity and must treat the request as a request to know the categories of personal information collected. If it still cannot verify, it may deny the request, explain why, and (if applicable) ask the consumer whether they would like to submit a request to opt out of the sale or sharing of their personal information.

If a business cannot verify a consumer's identity for a deletion request, it may deny the request but must inform the consumer and must also ask whether the consumer would like to opt out of sale or sharing, if the business sells or shares personal information.

Beyond California

The verifiable consumer request concept originated in the CCPA, but analogous verification requirements now appear in comprehensive privacy laws across more than 20 states. Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, and other state privacy laws all require businesses to establish reasonable methods for verifying the identity of consumers who submit privacy requests, though the specific standards and terminology vary by state. Some states use the term "authenticated request" rather than "verifiable consumer request." In all cases, the underlying principle is the same: a business must confirm the identity of the person making a privacy request to prevent unauthorized access to, or deletion of, personal information.
