California CCPA Demand Letter

Consumer Privacy Rights Enforcement Under Civil Code 1798.100 et seq.

California Consumer Privacy Act Framework
California Civil Code 1798.100 et seq.: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents comprehensive privacy rights over their personal information. I help consumers enforce these rights and businesses respond to demands.
Business Applicability Thresholds

CCPA applies to for-profit businesses collecting California residents' personal information that meet at least one threshold:

Threshold | Requirement
Revenue Threshold | Annual gross revenue exceeding $25 million (adjusted for inflation)
Data Volume Threshold | Annually buys, sells, or shares personal information of 100,000 or more consumers or households
Data Revenue Threshold | Derives 50% or more of annual revenue from selling or sharing consumers' personal information
Exemptions: Non-profit organizations and government agencies are exempt. Businesses below all three thresholds are not covered. Some data types have specific exemptions (employee data had a temporary exemption, now expired; B2B contact data has a narrow exemption).
Key CCPA/CPRA Statutory Provisions
Section | Right/Obligation
1798.100 | Right to Know what personal information is collected; data portability
1798.105 | Right to Delete personal information
1798.106 | Right to Correct inaccurate personal information (added by CPRA)
1798.110 | Right to Know categories and specific pieces of personal information
1798.120 | Right to Opt Out of sale or sharing of personal information
1798.121 | Right to Limit use of sensitive personal information (added by CPRA)
1798.125 | Right to Non-Discrimination for exercising privacy rights
1798.130 | Business response obligations and 45-day timeline
1798.150 | Private right of action for data breaches (only private enforcement)
1798.155 | AG and CPPA administrative enforcement for other violations
Personal Information Covered

CCPA defines "personal information" broadly to include:

  • Identifiers: Name, alias, postal address, email, IP address, account name, SSN, driver's license, passport
  • Commercial information: Records of products/services purchased, purchase history, tendencies
  • Biometric information: Fingerprints, face recognition, voice recordings for identification
  • Internet activity: Browsing history, search history, interaction with websites/apps
  • Geolocation data: GPS coordinates, location tracking data
  • Professional/employment: Job history, performance evaluations (limited exemptions)
  • Education information: Non-FERPA protected education records
  • Inferences: Profiles created from above data reflecting preferences, behavior, attitudes
  • Sensitive personal information (CPRA): SSN, precise geolocation, race/ethnicity, religious beliefs, union membership, genetic data, biometrics for ID, health info, sex life/orientation, citizenship status
CCPA Consumer Rights
Right to Know / Access (1798.100, 1798.110)

You can request that a business disclose:

  • Categories of personal information collected about you
  • Specific pieces of personal information collected
  • Categories of sources from which information was collected
  • Business or commercial purposes for collecting, selling, or sharing
  • Categories of third parties with whom information is shared
  • Information covering the preceding 12 months
Right to Delete (1798.105)

You can request deletion of personal information collected from you. Businesses must:

  • Delete your personal information from their records
  • Direct service providers and contractors to delete your information
  • Notify third parties who purchased or received your information to delete it
Deletion Exceptions: Businesses may retain information necessary to: complete transactions, detect security incidents, exercise free speech, comply with legal obligations, conduct research in public interest, or enable internal uses reasonably aligned with consumer expectations.
Right to Correct (1798.106)

Added by CPRA, effective 2023. You can request that a business correct inaccurate personal information about you. Businesses must use commercially reasonable efforts to correct the information and instruct service providers to do the same.

Right to Opt Out (1798.120)

You can opt out of:

  • Sale of personal information: Businesses selling your data to third parties for monetary or valuable consideration
  • Sharing for cross-context behavioral advertising: Sharing with third parties for targeted advertising across websites/apps (added by CPRA)

Businesses must provide a "Do Not Sell or Share My Personal Information" link on their homepage. They must also honor Global Privacy Control (GPC) browser signals as valid opt-out requests.

Right to Limit Sensitive Personal Information (1798.121)

CPRA added the right to limit use of sensitive personal information to only what is necessary to perform services or provide goods reasonably expected. Sensitive PI includes:

  • SSN, driver's license, passport numbers
  • Precise geolocation
  • Racial/ethnic origin, religious beliefs, union membership
  • Contents of mail, email, text messages
  • Genetic data, biometric data for identification
  • Health information, sex life/orientation
  • Citizenship/immigration status
Right to Non-Discrimination (1798.125)

Businesses cannot discriminate against you for exercising CCPA rights by:

  • Denying goods or services
  • Charging different prices or rates
  • Providing different quality of goods/services
  • Suggesting you will receive different treatment
Response Timeline Requirements
Request Type | Response Deadline | Extension
Right to Know | 45 calendar days | +45 days (must notify within initial 45)
Right to Delete | 45 calendar days | +45 days
Right to Correct | 45 calendar days | +45 days
Opt Out of Sale/Share | 15 business days | None
Limit Sensitive PI | 15 business days | None
Verification Requirements

Businesses must verify your identity before responding to access, deletion, and correction requests:

  • Standard requests: Match 2-3 data points business already has (name, email, account number)
  • Sensitive requests (deletion, sensitive PI): May require higher verification (signed declaration under penalty of perjury)
  • Account holders: Logging in to the account may satisfy verification
  • Authorized agents: Written permission from consumer or power of attorney required
CCPA Demand Letter Strategy
When to Send a CCPA Demand
  • Business failed to respond to your CCPA request within 45 days (or 90 with proper extension notice)
  • Business denied your request without valid exemption
  • Business provided incomplete or evasive response
  • Business requires unreasonable verification or creates barriers
  • Business continues selling/sharing after opt-out request
  • Business discriminated against you for exercising rights
  • Data breach occurred due to inadequate security (private lawsuit basis)
Elements of an Effective CCPA Demand
Element | Content
California Residency | State clearly that you are a California resident (required for CCPA rights)
Specific Right Invoked | Cite the exact CCPA section (1798.100, 1798.105, etc.) and right exercised
Timeline of Events | Document original request date, any responses received, deadlines missed
Verification Provided | List identifying information you provided (name, email, account, etc.)
Violation Identified | Specify how business violated CCPA (missed deadline, improper denial, etc.)
Specific Demand | What you want: complete data disclosure, deletion confirmation, compensation
Deadline | Reasonable deadline for response (10-14 days for follow-up demands)
Consequences | Intent to file AG/CPPA complaint, pursue legal action if applicable
Escalation Path
  • Step 1 - Initial Request: Submit CCPA request through business's designated methods (privacy form, email, toll-free number)
  • Step 2 - Follow-Up (Day 45+): If no response, send written follow-up citing violation of 1798.130 response requirements
  • Step 3 - Demand Letter (Day 50-60): Formal demand letter with specific legal citations and consequences
  • Step 4 - Regulatory Complaints: File with CA Attorney General and California Privacy Protection Agency
  • Step 5 - Litigation (breach only): For data breaches under 1798.150, send 30-day pre-suit notice then file lawsuit
Private Right of Action - Data Breach Only: Under current CCPA, you can only sue for damages under Section 1798.150 for data breaches caused by failure to maintain reasonable security. For all other violations (access, deletion, opt-out, etc.), enforcement is through California Attorney General and Privacy Protection Agency only. Your demand can threaten AG complaints, not private lawsuits (unless data breach).
Authorized Agent Requests

If submitting requests on behalf of a consumer as an authorized agent:

  • Provide written authorization signed by the consumer
  • Power of attorney satisfies authorization requirement
  • Business may still require consumer to verify identity directly
  • Registered agents (CA Secretary of State) may have streamlined verification
  • Document the authorization chain in your demand letter
Common Business Defenses and Responses
Business Claim | Your Response
"We can't verify your identity" | Offer additional verification; ask what specific data points needed; cite reg prohibiting collection of new PI for verification
"We don't have your data" | Request confirmation in writing; if you have evidence they do (account, purchases), cite it
"The data is exempt" | Request specific exemption cited; most exemptions are narrow; challenge overbroad claims
"We need more time" | Extension must be communicated within initial 45 days with reason; only one 45-day extension allowed
"We don't meet CCPA thresholds" | Request verification of revenue/data volume; many businesses claim exemption incorrectly
"Your request is excessive/repetitive" | First two access requests per year are protected; deletion/opt-out have no frequency limit
Sample CCPA Demand Letters
Sample 1: Follow-Up Demand - Failure to Respond
[Your Name]
[Your California Address]
[Email]
[Phone]

[Date]

VIA EMAIL AND CERTIFIED MAIL

[Company Name]
Privacy Department / Legal Department
[Address]

Re: CCPA Violation - Failure to Respond to Consumer Request
Original Request Date: [Date - 50+ days ago]

Dear [Company]:

I am a California resident writing regarding your failure to respond to my California Consumer Privacy Act request submitted on [Date].

ORIGINAL REQUEST:

On [Date], I submitted a request under California Civil Code Section 1798.100 and 1798.110 to know:

1. The categories of personal information you have collected about me;
2. The specific pieces of personal information you have collected;
3. The categories of sources from which my personal information was collected;
4. The business purposes for collecting my information;
5. The categories of third parties with whom you share my information.

I provided the following verification information: [Name, email, account number, etc.].

CCPA VIOLATION:

Under Civil Code Section 1798.130(a)(2), you were required to respond to my verifiable consumer request within 45 days. As of today, [current date], [X] days have passed without any response. You did not notify me of any extension within the initial 45-day period. Your failure to respond constitutes a violation of CCPA.

DEMAND:

I demand that you:

1. Immediately provide complete response to my original request as required by Sections 1798.100 and 1798.110;
2. Deliver the requested personal information in a portable, readily usable format;
3. Explain your failure to comply with CCPA response requirements.

Respond to this demand within 10 business days.

CONSEQUENCES OF CONTINUED NON-COMPLIANCE:

If you do not comply, I will:

1. File a formal complaint with the California Attorney General's Office (Privacy Enforcement);
2. File a complaint with the California Privacy Protection Agency;
3. Pursue all other available legal remedies.

The Attorney General may seek civil penalties of up to $2,500 per violation or $7,500 per intentional violation under Section 1798.155.

I expect your immediate attention to this matter.

Sincerely,
[Your Name]

Enclosure: Copy of original CCPA request dated [Date]
Sample 2: Right to Delete Demand
[Your Name]
[Your California Address]
[Email]

[Date]

[Company Name]
Privacy Officer
[Address]

Re: California Consumer Privacy Act - Right to Delete Request
Demand for Deletion Under Civil Code Section 1798.105

Dear [Company]:

I am a California resident exercising my Right to Delete under California Civil Code Section 1798.105.

IDENTITY VERIFICATION:

Name: [Your Full Name]
Email: [Email associated with your account]
Account Number: [If applicable]
California Address: [Address]
Additional Verification: [Last purchase date, phone number, etc.]

DELETION REQUEST:

Pursuant to Section 1798.105(a), I request that you delete all personal information you have collected from me, including but not limited to:

- Account profile and registration information
- Transaction and purchase history
- Browsing and interaction data
- Cookies and tracking identifiers
- Communications and correspondence
- Any inferences or profiles created about me
- Any other personal information as defined in Section 1798.140(v)

SERVICE PROVIDERS AND THIRD PARTIES:

Under Section 1798.105(c), you must also:

1. Direct all service providers and contractors to delete my personal information from their records;
2. Notify all third parties to whom you sold or shared my personal information to delete my information.

RESPONSE REQUIREMENTS:

Under Section 1798.130, you must respond within 45 calendar days. If you claim any exemption under Section 1798.105(d), you must specify which exemption applies and provide the retained information categories.

Upon completion, provide written confirmation that:

1. My personal information has been deleted from your systems;
2. Service providers and contractors have been directed to delete my information;
3. Third parties have been notified to delete my information.

If you need additional verification, contact me at [email/phone]. I am available to provide reasonable verification but will not provide information you do not already have about me.

Sincerely,
[Your Name]
Sample 3: Data Breach Pre-Suit Notice (30-Day Cure)
[Your Name]
[Your California Address]
[Email]
[Phone]

[Date]

VIA CERTIFIED MAIL - RETURN RECEIPT REQUESTED

[Company Name]
Legal Department
[Address]

Re: Notice of CCPA Violation Under Civil Code Section 1798.150
30-Day Opportunity to Cure Before Litigation

Dear [Company]:

This letter constitutes formal notice under California Civil Code Section 1798.150(b) of your violation of the California Consumer Privacy Act.

THE DATA BREACH:

On or about [Date], you suffered a data breach that resulted in unauthorized access to and acquisition of my personal information. You notified me of this breach on [Date]. The compromised information included: [List: Name, Social Security number, financial account numbers, driver's license, medical information, etc.]

CCPA VIOLATION:

You violated Section 1798.150(a)(1) by failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized access, destruction, use, modification, or disclosure.

Evidence of your inadequate security includes: [List known security failures: unencrypted databases, lack of multi-factor authentication, failure to patch known vulnerabilities, inadequate access controls, prior breaches showing pattern, regulatory findings, etc.]

MY DAMAGES:

As a result of your security failure, I have suffered:

1. Out-of-pocket expenses: $[amount] (credit monitoring, credit freezes, identity protection)
2. Time spent responding to breach: [X] hours at $[rate] = $[amount]
3. Increased risk of identity theft requiring ongoing vigilance
4. Emotional distress and anxiety

Under Section 1798.150(a)(1)(A), I am entitled to statutory damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater.

30-DAY CURE PERIOD:

Pursuant to Section 1798.150(b), you have 30 days from receipt of this notice to cure the violation. To cure, you must:

1. Implement comprehensive reasonable security measures and provide written confirmation;
2. Provide me with 24 months of three-bureau credit monitoring and $1 million identity theft insurance;
3. Reimburse my out-of-pocket expenses: $[amount];
4. Compensate me for time and other damages: $[amount].

LITIGATION:

If you fail to cure within 30 days, I will file a civil action in California Superior Court seeking:

- Statutory damages of $750 per incident;
- Actual damages;
- Injunctive or declaratory relief;
- Any other relief the court deems proper.

Contact me at [email/phone] to discuss resolution.

Sincerely,
[Your Name]

Enclosures:
- Your breach notification letter
- Documentation of my expenses and damages
Sample 4: Opt-Out of Sale/Sharing Demand
[Your Name]
[Your California Address]
[Email]

[Date]

[Company Name]
Privacy Department
[Address]

Re: CCPA Right to Opt Out - Do Not Sell or Share My Personal Information
California Civil Code Sections 1798.120 and 1798.135

Dear [Company]:

I am a California resident exercising my right to opt out of the sale and sharing of my personal information under California Civil Code Section 1798.120.

IDENTITY INFORMATION:

Name: [Your Name]
Email: [Email]
Account: [Account ID if applicable]

OPT-OUT REQUEST:

Effective immediately, I opt out of:

1. The SALE of my personal information to any third party for monetary or other valuable consideration (Section 1798.120(a));
2. The SHARING of my personal information with any third party for cross-context behavioral advertising (Section 1798.120(a) as amended by CPRA).

COMPLIANCE REQUIREMENTS:

Under Section 1798.135(a)(4), you must comply with this opt-out request within 15 business days. You must:

1. Cease all sale and sharing of my personal information immediately;
2. Not require me to create an account to process this request;
3. Notify all third parties to whom you have sold or shared my information in the preceding 90 days;
4. Confirm compliance in writing.

ONGOING OBLIGATION:

You may not sell or share my personal information unless I subsequently provide express authorization. Any attempt to seek re-authorization must clearly and conspicuously describe my right to decline.

Please confirm receipt and compliance within 15 business days.

Sincerely,
[Your Name]
CCPA Enforcement
Private Right of Action - Data Breach Only
Section 1798.150 - Limited Private Lawsuits: CCPA provides a private right of action ONLY for data breaches resulting from failure to implement reasonable security. Statutory damages: $100-$750 per consumer per incident, or actual damages (whichever is greater). 30-day pre-suit notice required. All other CCPA violations are enforced only by government agencies.

Elements for 1798.150 Claim:

  • Plaintiff is a California resident (consumer)
  • Business failed to implement and maintain reasonable security procedures
  • Nonencrypted and nonredacted personal information was subject to unauthorized access/exfiltration
  • Plaintiff's personal information was compromised
  • 30-day pre-suit notice provided with opportunity to cure
AG and CPPA Enforcement
Enforcement Authority | Jurisdiction | Penalties
California Attorney General | All CCPA violations | Up to $2,500 per violation; $7,500 per intentional violation
California Privacy Protection Agency (CPPA) | All CCPA/CPRA violations (since 2023) | Same penalty structure; administrative enforcement powers
Filing Regulatory Complaints

California Attorney General:

  • Website: oag.ca.gov/contact/consumer-complaint-against-business-or-company
  • Select "Privacy" category
  • Provide timeline, copies of requests and responses, evidence of violation
  • AG prioritizes systemic violations and repeat offenders

California Privacy Protection Agency:

  • Website: cppa.ca.gov
  • Dedicated privacy enforcement agency (first in U.S.)
  • Issues implementing regulations and guidance
  • Handles consumer complaints and investigations
Common CCPA Violations
  • Missed deadlines: No response within 45 days (or 90 with proper notice)
  • Incomplete disclosure: Providing partial data when full disclosure requested
  • Improper denial: Claiming exemption without valid basis
  • Verification barriers: Demanding excessive verification information
  • Selling after opt-out: Continuing to sell/share after receiving opt-out request
  • No "Do Not Sell" link: Missing required homepage link
  • Ignoring GPC signals: Failing to honor Global Privacy Control browser setting
  • Discrimination: Different prices, quality, or access for exercising rights
  • Inadequate security: Failure to protect personal information (enables private lawsuit)
Damages in Data Breach Cases
Damage Type | Amount/Calculation
Statutory Damages (1798.150) | $100-$750 per consumer per incident
Actual Damages | Documented out-of-pocket costs, time spent (hours x rate), fraud losses
Credit Monitoring Value | 24 months full-service = ~$500-$1,000 retail value
Class Action (per person) | Typically $25-$125 for general class; more with documented harm
Individual Settlement | $500-$5,000+ with strong documentation and negotiation
Documentation is Critical: For both regulatory complaints and data breach lawsuits, maintain detailed records of all CCPA requests, business responses, timelines, and any damages incurred. Timestamped evidence strengthens your position significantly.
Attorney Services
CCPA Rights Enforcement

I represent California consumers in CCPA/CPRA matters and help businesses respond to privacy demands and regulatory inquiries. Flat-fee demand letters and hourly representation available.

For Consumers
  • Draft and submit CCPA rights requests (access, deletion, correction, opt-out)
  • Escalate non-responsive or non-compliant businesses
  • Prepare follow-up demand letters with proper legal citations
  • File complaints with California Attorney General and CPPA
  • Data breach claims under Section 1798.150 (30-day notice and litigation)
  • Evaluate class action participation vs. individual claims
  • Negotiate credit monitoring and compensation settlements
For Businesses
  • CCPA/CPRA compliance program implementation
  • Privacy policy drafting and updates
  • Consumer request intake and response procedures
  • Verification protocols and exemption analysis
  • Respond to demand letters and regulatory inquiries
  • Data breach response and notification compliance
  • Defense against Section 1798.150 claims
  • AG and CPPA investigation response
Pricing
Service | Fee
CCPA Demand Letter | $450 flat fee
Hourly Representation | $240/hour
Data Breach Pre-Suit Notice | $450 flat fee
Compliance Consultation | $240/hour
Why Legal Counsel Matters: For consumers, properly drafted CCPA demands with correct statutory citations and escalation language get results. For businesses, CCPA compliance failures can result in penalties of $7,500 per intentional violation multiplied by thousands of consumers. Getting the response right matters.
Schedule a Consultation

Book a call to discuss your CCPA matter. I will review your situation, assess the strength of your claims or exposure, and recommend a strategy.

Contact

Email: owner@terms.law

Frequently Asked Questions
CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one threshold: annual gross revenue exceeding $25 million, buying/selling/sharing personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. Non-profits and government agencies are exempt. Small businesses below all thresholds are not covered.
Private lawsuits are limited to data breaches only under Section 1798.150. You can sue if a business failed to implement reasonable security measures and your unencrypted personal information was breached. Statutory damages range from $100 to $750 per consumer per incident. For other CCPA violations like failure to respond to access, deletion, or opt-out requests, only the California Attorney General and Privacy Protection Agency can enforce. Your remedy for non-breach violations is filing complaints with these agencies.
Businesses must respond to access, deletion, and correction requests within 45 days. They can extend once for an additional 45 days (90 days total) if reasonably necessary, but must notify you of the extension within the initial 45-day period. Opt-out requests for sale or sharing must be honored within 15 business days with no extension allowed. Missing these deadlines is a CCPA violation.
Yes, businesses must verify your identity before responding to access, deletion, and correction requests. They typically match two to three data points they already have about you (name, email, account number). For sensitive requests like deletion, they may require signed declarations under penalty of perjury. However, verification cannot be used to create barriers. Businesses cannot collect new personal information solely for verification purposes.
Yes, you can designate an authorized agent to submit CCPA requests on your behalf. The agent must have written permission signed by you or a power of attorney. The business may still require you to verify your identity directly and confirm that you authorized the agent. Some businesses accept requests from agents registered with the California Secretary of State, while others require direct consumer verification regardless.
Under Section 1798.150(b), before filing a lawsuit for a data breach, you must provide the business 30 days' written notice identifying the specific CCPA provisions violated and giving them an opportunity to cure. Send the notice via certified mail. If the business actually cures the violation within 30 days and provides a written statement that no further violations will occur, you cannot recover statutory damages. This pre-suit notice is mandatory and failure to comply will result in dismissal.