IAPP CIPP/US Exam - Topic 1 Question 93 Discussion

Under the California Consumer Privacy Act (CCPA), businesses must verify the identity of individuals making data access requests to ensure the security of personal information. The most secure and straightforward way to verify a consumer's identity is by requiring the individual to log in to their password-protected account, as this demonstrates that the requester is the account owner.

Why Password-Protected Accounts Are Best for Verification:

Account-Based Relationship: If the consumer has a password-protected account with the business, verification can typically be achieved by having the consumer log in to the account. This is considered a sufficient method of verifying identity under CCPA guidelines.

Minimizing Risk: Verifying identity through account login reduces the risk of fraudulent access to personal information, as only the account owner has access to the login credentials.

Explanation of Options:

A. Take a photo of herself with her driver license: While this might verify identity, it is more intrusive and poses unnecessary risks of identity theft. This is not a preferred or common method under the CCPA.

B. Provide a notarized affidavit signed by two witnesses: This is excessive and impractical for verifying identity in most cases, particularly for an online store.

C. Log in to her password-protected account with the company: This is correct. Logging into a password-protected account is a straightforward and secure way to verify the identity of a requester under the CCPA.

D. Phone the company and provide her contact details and credit card number: This method is insecure, as it could lead to identity theft or fraudulent access if someone else provides this information.

Reference from CIPP/US Materials:

CCPA Regulations (11 CCR 999.323): Specifies identity verification requirements, including the use of password-protected accounts.

IAPP CIPP/US Certification Textbook: Covers secure methods for verifying consumer identity under the CCPA.