Recent GDPR Enforcement Underscores the Need to Verify the Identity of Persons Requesting Data about Themselves

December 2019

Recently, the Spanish data protection authority—the Agenica Española de Protección de Datos—fined a Spanish gas company €12,000 (about $13,200) for responding to a data subject request (i.e., a person's requesting data about himself or herself) without properly verifying the data subject’s identity under European Union’s General Data Protection Regulation (GDPR). This enforcement action serves as a reminder for businesses to appropriately respond to and verify data subject requests or risk violating the law and paying fines. Similarly, when the California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020, businesses will need to have analogous procedures for handling consumer requests from California residents.

GDPR Data Subject Requests

The recent enforcement action from the Spanish data protection authority emphasizes that a business must confirm the identity of the individual making a request. If a business is unsatisfied as to the identity, Article 12(6) of the GDPR provides that a business can request further information to confirm identity. However, businesses still need to comply with the GDPR’s overarching principles, including confidentiality and data minimization. In accordance with the latter, the GDPR states that a data controller should not retain personal data for the sole purpose of being able to certify potential requests.

The Article 29 Working Party (a data privacy and protection advisory body that was replaced by the European Data Protection Board after GDPR enactment) confirmed that there are no specific procedures in the GDPR on how to verify a person making a request for information about himself or herself. The GDPR simply states that a data controller should use “all reasonable measures” to verify the identity of a person making a request, especially online. It is left to businesses to create and follow procedures to verify the identity of a requestor and ensure that they do not disclose personal data to the wrong person, infringe any data subject rights, or make it too difficult for the data subjects to exercise their rights, any of which would violate the GDPR.

CCPA Consumer Requests

The CCPA proposed regulations include guidance on verifying consumer requests. Although not yet enacted, the proposed regulations’ verification procedures give businesses a sense of what would likely be acceptable under the CCPA. The proposed regulations note that, whenever feasible, businesses should match the identifying information provided in the request to the personal information of the requestor already maintained by the business, or use a third-party identity verification service. Businesses should seldom request additional information for verification, but if a business does collect new personal information for verification, the proposed regulations require businesses to delete it as soon as practicable after processing the request. Further, businesses should avoid collecting unnecessary sensitive personal information.

Under the CCPA proposed regulations, the type of request mandates the standard of certainty needed for verification. For example, for a request to know the categories of personal information collected, a business needs to verify the requestor’s identity to a "reasonable" degree of certainty, which may include matching at least two data points provided by the requestor with data points maintained by the business. However, for a request to know specific personal information collected, a business must verify the requestor’s identity to a "reasonably high" degree of certainty, which may include obtaining a signed declaration that the requestor is the consumer whose personal information is the subject of the request.

Common Verification Practices

Ideally, mechanisms for users to request personal information should include the information needed to verify the requestor's identity.

  • Request that individuals with existing accounts log in if they wish to make a request, but do not require individuals to create accounts in order to make a request.
  • Try to verify identities using information included in the request.
  • If you used a verification method to obtain the personal information, use the same method to verify a request, such as an email coming from the same address, or an authentication mechanism that allows an individual to log into his or her account.

The extent to which additional information might be needed for identity verification can vary.

  • Consider the context, circumstances, and reasonable expectations of individuals. For example, if a request is made from an email account that you have recently used to correspond with the requester, it might be reasonable to assume that the request has been made by the requester.
  • Account for risks relating to the information requested. For more sensitive information, exert more verification efforts, such as asking for more information or more sensitive information.

If additional information is required to verify the requestor's identity, use discretion.

  • Try to request only information that your business has previously obtained from the requestor.
  • Avoid requesting information that is more sensitive or potentially more harmful than the information included in the request.
  • Limit your additional information requests to the minimum amount and only what is relevant in the given context.
  • Avoid using or requesting personal information that typically does not change, such as social security numbers or government-issued identifiers, as such data is more prone to being obtained by unauthorized persons.
  • Try using knowledge-based questions directly related to the requestor and confidential enough that only the requestor can answer them.

If you need assistance complying with or creating policies for the GDPR, the CCPA, or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
Client Alert

FTC Reverses Course on Treatment of Debt Payoff Under HSR Act

More
News

Michael R. Thiessen Recognized as Pro Bono Spotlight by KCMBF for August

More
Client Alert

Property Owners Can Push the Issue Under Illinois Mechanic’s Lien Law

More
News

Brian P. Pezza Quoted in SHRM Articles on Employee Vaccination Status Disclosure and Employer Vaccination Policies

More
News

Lauren R. Carey Creates New Blog for Social Media Influencers

More
News

Michael D. Mulligan Publishes Article in ACTEC Law Journal Comparing Sales to an Intentionally Defective Irrevocable Trust and a to Beneficiary Intentionally Defective Irrevocable Trust

More
News

Neal F. Perryman Named to Missouri’s POWER List in Employment Law by Missouri Lawyers Media

More
Client Alert

FTC Adds Teeth to the ‘Made in USA’ Rule

More
News

John C. Bodnar Named BTI M&A Client Service All-Star

More
News

David W. Sweeney Represents Advantes Group in $7.2 Million Apartment Project

More
Diversity & Inclusion

Golf Foundation of Missouri Awards First Larry L. Deskins, Sr. Scholarship

More
News

Four Lewis Rice Attorneys Named 2022 “Lawyer of the Year” by Best Lawyers

More
Client Alert

Supreme Court Limits Ability to Compel Access to Private Property Without Compensation

More
News

Lewis Rice Wins $1.5 Million in Compensation for Covington Landowners

More
News

Lewis Rice Recognized as Top M&A Firm by BTI Consulting Group

More
Client Alert

Missouri Now Requires Employers to Provide Leave and Accommodations for Victims of Domestic and Sexual Violence

More
News

61 Lewis Rice Attorneys Named Best Lawyers for 2022, 16 Named Ones to Watch

More
News

Lewis Rice Wins Nearly $500,000 in Compensation for Sarasota Landowners

More
News

Matthew J. Haas Offers Commentary for Inside P&C Article on Business Interruption Insurance and COVID-19

More
Client Alert

OSHA’s New Guidance Regarding Indoor Mask Wearing, COVID-19 Vaccination Mandates, Regular Testing of Unvaccinated Workers, and More

More