Recent GDPR Enforcement Underscores the Need to Verify the Identity of Persons Requesting Data about Themselves
December 2019
Recently, the Spanish data protection authority—the Agencia Española de Protección de Datos—fined a Spanish gas company €12,000 (about $13,200) for responding to a data subject request (i.e., a person's requesting data about himself or herself) without properly verifying the data subject’s identity under the European Union’s General Data Protection Regulation (GDPR). This enforcement action serves as a reminder for businesses to appropriately respond to and verify data subject requests or risk violating the law and paying fines. Similarly, when the California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020, businesses will need to have analogous procedures for handling consumer requests from California residents.
GDPR Data Subject Requests
The recent enforcement action from the Spanish data protection authority emphasizes that a business must confirm the identity of the individual making a request. If a business is unsatisfied as to the identity, Article 12(6) of the GDPR provides that a business can request further information to confirm identity. However, businesses still need to comply with the GDPR’s overarching principles, including confidentiality and data minimization. In accordance with the latter, the GDPR states that a data controller should not retain personal data for the sole purpose of being able to certify potential requests.
The Article 29 Working Party (a data privacy and protection advisory body that was replaced by the European Data Protection Board after GDPR enactment) confirmed that there are no specific procedures in the GDPR on how to verify a person making a request for information about himself or herself. The GDPR simply states that a data controller should use “all reasonable measures” to verify the identity of a person making a request, especially online. It is left to businesses to create and follow procedures to verify the identity of a requestor and ensure that they do not disclose personal data to the wrong person, infringe any data subject rights, or make it too difficult for the data subjects to exercise their rights, any of which would violate the GDPR.
CCPA Consumer Requests
The CCPA proposed regulations include guidance on verifying consumer requests. Although not yet enacted, the proposed regulations’ verification procedures give businesses a sense of what would likely be acceptable under the CCPA. The proposed regulations note that, whenever feasible, businesses should match the identifying information provided in the request to the personal information of the requestor already maintained by the business, or use a third-party identity verification service. Businesses should seldom request additional information for verification, but if a business does collect new personal information for verification, the proposed regulations require businesses to delete it as soon as practicable after processing the request. Further, businesses should avoid collecting unnecessary sensitive personal information.
Under the CCPA proposed regulations, the type of request mandates the standard of certainty needed for verification. For example, for a request to know the categories of personal information collected, a business needs to verify the requestor’s identity to a "reasonable" degree of certainty, which may include matching at least two data points provided by the requestor with data points maintained by the business. However, for a request to know specific personal information collected, a business must verify the requestor’s identity to a "reasonably high" degree of certainty, which may include obtaining a signed declaration that the requestor is the consumer whose personal information is the subject of the request.
Common Verification Practices
Ideally, mechanisms for users to request personal information should include the information needed to verify the requestor's identity.
- Request that individuals with existing accounts log in if they wish to make a request, but do not require individuals to create accounts in order to make a request.
- Try to verify identities using information included in the request.
- If you used a verification method to obtain the personal information, use the same method to verify a request, such as an email coming from the same address, or an authentication mechanism that allows an individual to log into his or her account.
The extent to which additional information might be needed for identity verification can vary.
- Consider the context, circumstances, and reasonable expectations of individuals. For example, if a request is made from an email account that you have recently used to correspond with the requestor, it might be reasonable to assume that the request has been made by the requestor.
- Account for risks relating to the information requested. For more sensitive information, make a greater verification effort, such as asking for more information or more sensitive information.
If additional information is required to verify the requestor's identity, use discretion.
- Try to request only information that your business has previously obtained from the requestor.
- Avoid requesting information that is more sensitive or potentially more harmful than the information included in the request.
- Limit your additional information requests to the minimum amount and only what is relevant in the given context.
- Avoid using or requesting personal information that typically does not change, such as social security numbers or government-issued identifiers, as such data is more prone to being obtained by unauthorized persons.
- Try using knowledge-based questions directly related to the requestor and confidential enough that only the requestor can answer them.
If you need assistance complying with or creating policies for the GDPR, the CCPA, or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.