Verifiable Consumer Request

Under CCPA Section 1798.140(ag), a request made by a consumer, or authorized agent, that the business can reasonably verify as coming from the consumer or their authorized representative. Businesses must establish procedures to verify requestor identity before responding to rights requests—providing data to the wrong person or deleting another consumer's data would be serious violations. Verification requirements should balance security against access—businesses can't make verification so burdensome that it effectively denies rights, but must protect against fraudulent requests. CCPA regulations provide verification guidance: for access requests, verify to a reasonable degree matching at least two data points already maintained; for deletion requests, use heightened verification matching at least three data points plus a signed declaration under penalty of perjury; for sensitive account information, use even stricter verification. Organizations should: implement multi-factor verification appropriate to request sensitivity and relationship with consumer, provide clear instructions to requestors, consider risk-based approaches tailoring verification to data sensitivity, avoid requesting excessive additional information, and document verification methods and decisions.