Cal. Code Regs. tit. 11, § 7060
General Rules Regarding Verification.
Effective Jan 1, 2026Register 2025, No. 39Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.State of California
- (a) A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to delete, request to correct, request to know, or request to access ADMT is the consumer about whom the business has collected information.
- (b) A business shall not require a consumer to verify their identity to make a request to opt-out of sale/sharing, to make a request to limit, or to make a request to opt-out of ADMT. A business may ask the consumer for information necessary to complete the request; however, it shall not be burdensome on the consumer. For example, a business may ask the consumer for their name, but it shall not require the consumer to take a picture of themselves with their driver's license.
(c) In determining the method by which the business will verify the consumer's identity, the business shall:
- (1) Match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business before requesting additional information, or use a third-party identity verification service that complies with this section.
- (2) Avoid collecting the types of personal information identified in Civil Code section 1798.81.5, subdivision (d), unless necessary for the purpose of verifying the consumer.
(3) Consider the following factors:
- (A) The type, sensitivity, and value of the personal information collected and maintained about the consumer. Sensitive personal information shall warrant a more stringent verification process.
- (B) The risk of harm to the consumer posed by any unauthorized deletion, correction, or access. A greater risk of harm to the consumer by unauthorized deletion, correction, or access shall warrant a more stringent verification process.
- (C) The likelihood that fraudulent or malicious actors would seek the personal information. The higher the likelihood, the more stringent the verification process shall be.
- (D) Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated.
- (E) The manner in which the business interacts with the consumer.
- (F) Available technology for verification.
- (d) A business shall avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, security, or fraud-prevention. The business shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer's request, except as required to comply with section 7101.
- (e) A business shall not require the consumer or the consumer's authorized agent to pay a fee for the verification of their request to delete, request to correct, or request to know. For example, a business must not require a consumer to provide a notarized affidavit to verify their identity unless the business pays for or compensates the consumer for the cost of notarization. A business that compensates the consumer for the cost of the notarization shall provide the consumer with instructions on how they will be reimbursed prior to the consumer's submission of the notarized affidavit.
- (f) A business shall implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized deletion, correction, or access to a consumer's personal information, or access to information about a business's use of ADMT with respect to a consumer.
- (g) If a business maintains consumer information that is deidentified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.
- (h) For requests to correct, the business must verify the consumer based on personal information that is not the subject of the request to correct. For example, if the consumer is contending that the business has the wrong address for the consumer, the business shall not use address as a means of verifying the consumer's identity.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.
History
1. Change without regulatory effect adopting new article 5 heading and renumbering section 999.323 to new section 7060, including amendments, filed 5-5-2022 pursuant to section 100, title 1, California Code of Regulations (Register 2022, No. 18).
2. Amendment of section and Note filed 3-29-2023; operative 3-29-2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 13).
3. Amendment filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).