Verifiable Consumer Request (VCR)
What is Verifiable Consumer Request?
A “verifiable consumer request,” is a requirement under the California Consumer Privacy Act (CCPA) in order for a business to provide its consumers with access to personal data in the business’s possession or control. Because the novel CCPA allows consumers to request access to their sensitive personal data, and in some cases to delete it, businesses must take extra security measures when verifying the identity of the individual making the request, as well as the authority of any individual making a request on the consumer’s behalf.
The language of the CCPA states specifically that a verifiable consumer request is “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to the regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”
Consumer requests under the CCPA are an extension of the consumer’s newly established right to know what personal data is being collected by a company, as well as the right to delete personal data in a company’s possession. Such requests may be made by consumers themselves, or by legal representatives acting on their behalf. Because the new regulations aim to provide the consumer with more security, not less, it is imperative that any company responding to a request to access or delete personal data acts with heightened vigilance when verifying the identity of the person making the request.
While new methods of security are being developed all the time to protect personal data, there are a number of best practices that companies can follow when verifying a consumer request. Firstly, it will always be in the company’s best interest to maintain a comprehensive understanding of the nature of the data it manages, and especially when handling consumer requests. This means there should be little to no ambiguity surrounding the sensitivity of the data being requested, or the risk it might pose to the consumer should the data be compromised.
As a general rule, the company should aim to use personal information already in its possession to match any information provided by a consumer upon request, wherever it is safe and reasonable to do so. The company should also be cautious of collecting for verification any particularly sensitive materials, such as social security information or personal financial data, except when it is absolutely necessary in order to verify the request. Many companies will need to employ a third-party identity verification service in order to manage a larger volume of consumer requests, and in such cases will be responsible for making sure the services they use are secure and in compliance with CCPA regulations.
National Law Review - https://www.natlawreview.com/article/verifying-ccpa-requests-to-know-and-requests-to-delete
Morgan Lewis - https://www.morganlewis.com/blogs/sourcingatmorganlewis/2019/09/the-ccpas-verifiable-consumer-request-requirement-and-data-breach-risks#:~:text=A%20%E2%80%9Cverifiable%20consumer%20request%E2%80%9D%20is,and%20that%20the%20business%20can
IAPP - https://iapp.org/news/a/verified-consumer-request-dont-naively-slip-into-the-crack-or-is-it-a-chasm/