Editor’s note: This is the second article in a three-part series addressing some of the more significant areas of the regulations implementing the California Consumer Privacy Act.
The California Consumer Privacy Act affords California residents several data privacy rights, including the right to know, access and delete specific pieces or categories of personal information that a business has collected about them and the right to “opt-out,” which refers to a consumer’s right to request that a business not sell their personal information to third parties. The California attorney general is responsible for issuing regulations governing how consumers or their authorized agents can submit “verifiable consumer requests” to exercise their CCPA rights. Recent changes to the CCPA regulations, however, will make it more difficult for businesses to receive, verify and respond to data requests submitted by consumers.
The CCPA regulations provide two methods businesses can use to verify the identities of individuals submitting data access and deletion requests. (Note: A consumer’s “request to opt-out need not be a verifiable consumer request” and is not subject to the same identity verification process as set forth for data access and deletion requests.) First, if a business maintains a password-protected account, it “may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account,” provided this practice also adheres to the CCPA’s other general requirements. Second, if the individual does not have a password-protected account, identity verification becomes more complex and is subject to different standards, depending on the nature of the request and the type of the personal information at issue.
For example, if a business receives a data request related to accessing general categories of personal information, it must verify the consumer’s identity to a “reasonable degree of certainty,” which may include matching at least two data points provided by the consumer with other “reliable” data points the business already maintains about that individual. For a request seeking access to specific pieces of personal information, the business must verify the consumer’s identity to a “reasonably high degree of certainty,” which may include matching at least three “reliable” data points in the same manner and collecting a “signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.” For a data deletion request, the business must verify the consumer’s identity to either a “reasonable” or “reasonably high” degree of certainty, depending on the sensitivity of the personal information requested for erasure and the risk of harm posed by its unauthorized deletion.
The CCPA’s definitional problem
The February regulations amended the “Definitions” section by adding the word “signed” and defining it to mean “that the written attestation, declaration, or permission has either been physically signed or provided electronically per the Uniform Electronic Transactions Act, Civil Code section 1633.7 et seq.” The California attorney general’s office indicated that it included this definition, in part, to clarify that certain signature-related requirements under the CCPA may be satisfied through either physical or electronic signatures.
However, it is important to note that UETA Section 1633.7 does not actually define “electronic signature.” Rather, it provides, in relevant part, that a “record or signature may not be denied legal effect or enforceability solely because it is in electronic form” and a “contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.” In fact, “electronic signature” is correctly defined at UETA Section 1633.2(h) as “an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record.” The UETA makes clear that a “digital signature” is considered “a type of electronic signature.”
Although the incorrect citation of the UETA in the CCPA regulations was seemingly included in error, it could significantly impact how businesses comply with the regulations.
Signatures and contracting with authorized agents
According to the Final Statement of Reasons, the definition of “signed” was included in the CCPA regulations because it “refers to signed documents: businesses may require consumers to provide [third party] authorized agents ‘signed’ permission before allowing them to submit requests to know, delete, and opt-out on the consumer’s behalf.” In particular, in the original October version of the CCPA regulations, Section 999.315(g) provided that “[a] consumer may use an authorized agent to submit a request to opt-out on the consumer’s behalf if the consumer provides the authorized agent written permission to do so,” and Section 999.326(a) provided that when a consumer retains an authorized agent to submit data requests on his or her behalf, the business may require the consumer to “[p]rovide the authorized agent written permission to do so[.]” When California added the definition of “signed” during the amendment process in February, it also inserted the term into Sections 999.315(a) and 999.326(a). In turn, the former was amended to allow authorized agents to submit opt-out requests “if the consumer provides the authorized agent written permission signed by the consumer” and the latter was amended so that businesses may require consumers to “[p]rovide the authorized agent written and signed permission to do so[.]”
The incorporation of UETA Section 1633.7 in the context of Sections 999.315(a) and 999.326(a) of the CCPA regulations generally does not raise concerns. As noted above, Section 1633.7 provides, in part, that electronic signatures (or contracts using them) should not be denied legal effect. Thus, pursuant to Sections 999.315(g) and 999.326(a), when a business seeks to verify that a consumer has given an authorized agent permission to submit data privacy requests on their behalf, it is logical to assume that the business should honor agreements executed between consumers and their agents, including agreements executed with electronic signatures. In other words, pursuant to UETA Section 1633.7, contracts between consumers and agents related to data requests should not be denied effect by a business during the data rights process simply because they were executed electronically.
Signatures and identity verification
In addition to addressing authorized agents, the Final Statement of Reasons sets forth a separate justification for including the definition of “signed” in the CCPA regulations, concluding that the inclusion of this new definition was necessary because businesses “may require consumers to verify their identity by providing a ‘signed’ declaration under penalty of perjury.” However, unlike in the context of verifying an agency relationship between a consumer and an authorized agent, the use of the word “signed” and (more specifically) references to UETA Section 1633.7 seems inappropriate in the identity verification process.
Pursuant to Section 999.325 of the CCPA regulations, if a business seeks to satisfy the “reasonably high degree of certainty” standard for verifying a data requestor’s identity, it generally needs to be able to match three data points related to the individual submitting that data request and obtain a “signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.” But a consumer submitting a data rights request to a business is not executing a contractual agreement with the business, which is the core concept of UETA Section 1633.7 (i.e., that a contract cannot be denied legal effect or enforceability because it is electronically signed). Rather, the consumer is making an attestation to exercise a legal right provided under the law. Thus, it is hard to reconcile the inclusion of “signed” and UETA Section 1633.7 within this context of seeking to confirm a consumer’s identity.
How businesses can comply
There was ample opportunity to amend the CCPA regulations to address the issue of “signatures” in the identity verification process prior to submitting them to the OAL. For instance, the regulations could simply have incorporated the definition of “electronic signature” or “digital signature” where appropriate or use different definitions altogether to avoid inserting UETA Section 1633.7 into the identity verification provisions where it does not apply. But the requirements outlined above are set forth in the final regulatory package and likely will become enforceable. Accordingly, businesses should consider the following two options when seeking to meet the “reasonably high degree of certainty” standard during the identity verification process.
First, a business may require that a signed declaration under penalty of perjury be submitted using a physical signature, an option available under the current definition of “signed” and a method traditionally used by businesses when requiring the signature to be notarized. Unfortunately, the final CCPA regulations provide that “a business may not require a consumer to provide a notarized affidavit to verify their identity[,] unless the business compensates the consumer for the cost of notarization.” The regulations do not recognize the fact that notarization is a service often provided for free by banks and similar institutions, and this clause raises yet another unnecessary complexity.
Second, a business may continue allowing data rights requests to be submitted electronically by following the requirements of UETA Section 1633.7 for satisfying the electronic signature requirements, even though they seem entirely inapplicable to the data rights process. For example, the business may consider requiring an individual submitting a data privacy rights request to explicitly agree to a common UETA disclaimer meant to clarify that the individual intends that their email signature or other online submission has the same force and effect as a manual signature. Such a statement could read, “Under penalty of perjury, I certify that the information in this declaration is true, accurate and complete and that it is my intention that this electronic request [e.g., email, interactive webform] to exercise a data right under the California Consumer Privacy Act shall carry the same force and effect as if I had manually signed this request.” The business may also consider including an additional disclaimer during the data privacy rights intake process for similar purposes: “This data rights request may be manually or electronically signed by any process that satisfies the California Uniform Electronic Transactions Act.”
In its rush to finalize the CCPA regulations and meet its statutory deadline, the California attorney general failed to address several errors and ambiguities within the regulations’ text. Unfortunately, the text related to the UETA and identity verification is just one such concern within the CCPA regulations. Accordingly, businesses acting with an abundance of caution may seek to use the disclaimers described above to demonstrate their good faith attempt to comply with the regulations’ conflicting and confusing requirements in this area.
Photo by Carson Arias on Unsplash
If you want to comment on this post, you need to login.