The California Consumer Privacy Act (CCPA) requires the California Attorney General to take input from the public on regulations to implement the law, which does not go into effect until 2020.

The Electronic Frontier Foundation has filed comments on two issues: first, how to verify consumer requests to companies for access to personal information, and for deletion of that information; and second, how to make the process of opting out of the sale of data easy, using the framework already in place for the Do Not Track (DNT) system.

Verification of Requests

When it comes to verifying requests that users make of businesses to access their own data, EFF asked the Attorney General to carefully balance the interest of the consumer in obtaining their own personal information without undue delay or difficulty, with their interest in avoiding theft of their private data by people who might make fraudulent CCPA requests for data.

If a consumer already has a password-protected account, the Attorney General should mandate use of that password to verify the account. Further, the business must ensure that the requester really knows the password, and didn’t just steal a laptop with an open app, by requiring the requester to log out of the account and present the password again. The AG should also encourage, but not require, two-factor authentication as a form of verification in cases where doing so poses no risk to the user.

If a consumer does not have a password, the company must be as certain as is reasonably possible that the requester is the subject of the personal information being requested.

Opting Out of Sales

We also encourage the Attorney General to rely on the existing Do Not Track (DNT) system when issuing rules about consumer requests to opt-out of data sales. The DNT system combines a technology (a browsing header that announces the user prefers not to be tracked online) with a policy framework (how companies should respond to that signal).

The DNT header is already widely supported by most major web browsers, including Google Chrome, Mozilla Firefox, and Opera. EFF proposes that the Attorney General require any business that interacts with consumers directly over the Internet to treat a browser’s DNT request as a request to opt-out of data collection.

We thank the Attorney General’s office for the opportunity to comment on CCPA regulations, and look forward to making further comments about consumer data privacy.

To read EFF’s comments in full, please click here.