AI Summarize

Share

If your business collects customer data, you're probably familiar with data subject (customer) requests. They often run along the lines of "I want to see the data you hold on me," or "I want you to delete everything you have on me."

These requests are common, and it's your job to make sure they are legitimate. Depending on where the customer resides, you may need to comply with data privacy laws like the GDPR (General Data Protection Regulation) that affects businesses targeting EU customers (the UK also has its own very similar version) and the CCPA/CPRA (California Consumer Privacy Act and its amendment, the California Privacy Rights Act). But before you can action these requests, you must verify the requester's identity.

This is where things get tricky. You need enough information to identify the data subject accurately. At the same time, if you ask for too much information, you risk breaching another key data privacy rule: data minimization.

In this guide, we will break down the key rules that affect identity verification under the GDPR and CCPA/CPRA, including taking a deep dive into data minimization and its ramifications. Our eight action points will help your team to hit the sweet spot – requesting only the data you need and nothing more.


Both GDPR and CCPA/CPRA give individuals enforceable rights over their personal data. These include:

  • The right of access (to know what data a company holds)
  • The right to deletion
  • The right to correction.

When someone makes such a request, a business, known legally as a data controller under GDPR or a business under CCPA/CPRA, must confirm that person's identity before releasing or deleting information. Otherwise, you could disclose data to the wrong person, which would be a clear data breach.

The challenge is finding balance: verifying identity strongly enough to prevent fraud but not so aggressively that you violate data minimization.

GDPR Identity Verification Requirements: Adequate, Relevant, and Limited

Under both GDPR and CCPA/CPRA, identity verification is permitted and encouraged. However, the extent of the checks you are permitted to carry out is different.

Some key terminology for this section includes:

  • Data Subject Access Request (DSAR): Request from a data subject to view/amend/delete the data your business holds on them.
  • Information Commissioner's Office (ICO): UK entity that regulates the UK GDPR, and provides detailed guidance on how to apply it.

Reasonable and proportionate: Identity verification under the GDPR

Under the GDPR, there are no prescriptive rules about what data a business must collect for identity verification. However, Article 5(1)(c) explicitly requires that all data collection be "limited to what is necessary."

GDPR Article 5: Limited to what is necessary

The supervisory authority in the UK (the ICO) states that you must be satisfied that you know the identity of the requester and that you can ask for information to verify an individual only if necessary; the standard applied is "easonable and proportionate".

As the following examples will show, the UK ICO explains that there are subtle differences in how businesses verify ID, depending on their relationship with the data subject.

Note: The UK Data Protection and Digital Information Bill (once enacted) will amend certain SAR/DSAR provisions, for example codifying the "reasonable and proportionate search" standard in UK GDPR.

In-organization DSAR: Low identity verification requirements

As shown in the example below, the GDPR may not require the same level of identity verification for an internal DSAR as it would for one originating outside of the organization.

GDPR Requirements on an internal DSAR

External DSAR: Medium identity verification requirements

Even when the DSAR originates outside of your business, there may be easy ways to identify the customer without asking for more information than is truly needed. As the example below from the ICO shows, even when there is a discrepancy in the information you hold and that provided by the data subject, a simple customer reference number may be enough to verify their identity.

GDPR Requirements on an external DSAR

External DSAR in businesses handling sensitive data: Strong identity verification requirements

However, how can your business handle identity verification in more sensitive DSARs? The example below shows that an DSAR submitted to a doctor's office may need more formal identity verification, as the risk of harm is greater if a data breach occurs.

GDPR External DSAR How to Handle Sensitive Data

So, if someone makes a data-access or deletion request, you might confirm their registered email address, phone number, or account login instead of demanding a driver's license. The ICO's stance is clear: proportionate verification means using what you already have before asking for more.

Identity verification under CCPA/CPRA: Reasonable or high degree of certainty

Data minimization is also a core principle of the CCPA/CPRA. However, in contrast with the GDPR, the CCPA/CPRA lays out more prescriptive steps for identity verification.

The CPPA regulations (§7062) require that businesses verify consumers' identities "to a reasonable or reasonably high degree of certainty," depending on both the sensitivity of the information requested and whether the consumer has an account.

Under Cal. Code Regs. Tit. 11, § 7062:

  • For requests to know categories of personal information: verify to a "reasonable degree of certainty" (e.g., match at least two data points).
  • For requests to know specific pieces of personal information: verify to a "reasonably high degree of certainty" (e.g., match at least three data points + a signed declaration under penalty of perjury).
  • For requests to delete or correct: the standard depends on the sensitivity of the personal information or the risk of harm posed by unauthorised deletion/correction.

The California Privacy Protection Agency (CPPA) has recently emphasised the data-minimisation angle: businesses must not "require a consumer submitting a request to opt-out of sale/sharing to […] provide additional information beyond what is necessary"

Key terminology includes:

  • Verifiable Consumer Request (VCR): A VCR is the same as an DSAR under the GDPR – a request from a data subject to view, amend, or delete their data.
  • California Privacy Protection Agency (CPPA): The organization responsible for enforcing the CCPA, along with the California Attorney General.

How identity verification works in practice

If the consumer has a password-protected account, existing login authentication generally satisfies verification.

As shown below in an excerpt from CPPA Regulation § 7062, if a user does not have a password-protected account, you may need to match two or three data points (like email address, order history, and shipping ZIP code) and, in some cases, obtain a signed declaration under penalty of perjury before fulfilling the VCR.

CCPA Regulation 7062 screenshot

The CCPA's inclusion of the two or three data points criterion makes it easier to quantify what data minimization means under the CCPA/CPRA. You should be on safe ground as long as your business does not exceed these parameters during the identity verification process.

Sensitivity and risk of harm

A crucial determinant of whether identity verification needs to be carried out to a reasonable or reasonably high degree of certainty under CCPA/CPRA is the sensitivity of the data and the risk of harm.

The examples shown below from CPPA Regulation § 7062(d) state that a request to delete family photographs would require a reasonably high degree of certainty. By contrast, a request to delete browsing history would only require a reasonable degree of certainty.

CCPA Regulation 7062 d screenshot

Key difference: CCPA/CPRA opt-out requests

Perhaps the most notable distinction is how CCPA/CPRA treats opt-out requests, such as when a consumer says, "Do not sell or share my personal data.”

As shown below, in an April 2024 Enforcement Advisory, the CPPA warned that asking for identity verification in such cases may violate the law's data-minimization requirement. Businesses were found to be "asking consumers to provide excessive personal information to exercise their opt-out rights.”

CCPA Enforcement Findings from Apr 2024

VCRs can vary widely. Therefore, each business must:

  • Establish which CCPA requirements apply to the VCR
  • Document their decision
  • Comply with the regulations

How the GDPR and CCPA/CPRA Compare

In short, the GDPR trusts businesses to use their judgment within the guidelines of "reasonable and proportionate" verification. By contrast, CCPA/CPRA gives you explicit thresholds – two or three data points.

Both, however, agree on the same principle: collect no more information than absolutely necessary to confirm who you're dealing with.

8 Key Actionable Points for Small Businesses

What does identity verification under the GDPR and CCPA/CPRA look like in practice? The following checklist can help your business handle DSARs confidently and compliantly.

1. Map and document when verification may be needed

Under the GDPR, many organizations — particularly those processing large volumes of sensitive data — must appoint a Data Protection Officer (DPO). However, the CCPA/CPRA does not require this specific role; instead, it mandates that a person be designated to handle in-house data privacy matters.

The next step for the DPO, or CCPA/CPRA-designated individual, is to analyze which types of consumer/data-subject requests will require identity verification and which are safe to process without additional requests.

What to do:

  • Identify the types of rights your business supports (e.g., access/know, delete, correct, opt-out of sale/sharing).
  • For each, decide whether verification will be required (and to what standard).

Simplify the process for your team by including a table in your Privacy Policy or internal processes. Categorize the types of requests under the GDPR and CCPA/CPRA and identify the identity verification standard that applies.

2. Apply data minimization to identity verification

The verification process itself involves processing personal information, so make sure you do not collect more than is necessary.

What to do:

  • Before asking for ID documents (passport, driver's licence), ask: Can we verify the identity with information we already hold? This could include a username, email address, purchase history, or another unique identifier.
  • Confirm you have sufficient data points to satisfy CCPA/CPRA's two or three data point requirements, or the GDPR's adequate, relevant, and limited requirement (consider the ICO guidance below).

    ICO Guidance What to Ask for in DSAR

  • Document your decision and rationale that you are not over-collecting (or under-collecting).

For a small site/app, simple verification (email link and username check) may suffice for lower-risk requests. Use stronger verification only when risk demands, such as the deletion of very sensitive data.

3. Differentiate verification standards by risk and existing relationship

Both regimes allow you to scale verification based on risk and whether you already have a bona fide relationship with the requestor.

What to do under CCPA/CPRA:

  • In line with CCPA/CPRA §7061 (shown below), if the requester is logged into a password-protected user account, you may use your existing login authentication as verification. However, if there are any suspicions of fraudulent or malicious activity, further verification is required.

    CCPA Section 7061 screenshot

  • If the requester is unknown (no account, or forgot their username), then you must request more verification. Under CCPA/CPRA, non-account holders must provide and match two or three data points, depending on the sensitivity and risk of the request.

What to do under the GDPR:

  • For the GDPR, businesses can use the "reasonable and proportionate” standard, which will be less stringent if they know the user. As shown below in GDPR Recital 64 (recitals provide guidance for interpreting the GDPR, but are not legally binding), "all reasonable measures” should be used. Still, data must not be retained solely for identity verification.

    GDPR Recital 64 Identity Verification

For both regimes, consider creating a "decision tree" in your internal policy: Start with: "Is the requester logged in and previously authenticated?" → Yes → Light verification. No → Escalate.

4. CCPA/CPRA: Verifying identity is not required for every right (opt-out of sale/sharing)

Under CCPA/CPRA, you could breach data minimization and impose an unlawful burden on your customers if you make them verify their identity to exercise rights such as opting out of the sale or sharing of their personal data.

How to avoid this trap:

  • For opt-out rights (sale/sharing), ensure your process does not require a burdensome identity verification. CPPA advisory warns about this.
  • Make sure your opt-out interface is simple, clearly communicated, and doesn't require you to collect new personal data just for verification unless justified. This will ensure compliance with the scenario highlighted by the CCPA below.

    CCPA How to Verify Identity Scenario

The CPPA's April 2024 enforcement advisory explicitly notes: "A business shall not require a consumer submitting a request to opt-out of sale/sharing to create an account or provide additional information beyond what is necessary …".

Whenever possible, it makes sense to provide a no-login-required route for opt-out. If login or ID-check makes sense (e.g., for account transformation), explain it clearly in your Privacy Policy.

Tip for your Privacy Policy: Clarify whether you treat an opt-out as a "verifiable consumer request" or a lighter duty, and ensure you do not impose a full identity verification process for such requests unless justified.

5. Ensure retention and handling of verification data aligns with minimization

Asking for documents for verification means you also process and store that data. Under both regimes, you must also apply minimization to verification and not retain newly collected data longer than is necessary.

For the General Data Protection Regulation (GDPR), Recital 64 sets out that organisations should "use all reasonable measures to verify the identity of a data subject" before responding. Meanwhile, under the California Privacy Rights Act/California Consumer Privacy Act (CPRA/CCPA) regulations, § 7062 specifically outlines thresholds of matching two or three data points (or more) depending on the risk.

What to do:

  • Limit what you collect: only what is necessary for verification.
  • Delete or anonymise the verification data once its purpose is fulfilled (or ensure retention only for legitimate reasons, e.g., to show you responded correctly).
  • Document your retention policy for verification data and ensure access controls.

6. Transparent consumer information: reflect verification in your privacy policy and request process

Both the GDPR and CCPA/CPRA require transparency. Your Privacy Policy should explain the data access request process, what you collect for verification, and your users ' rights.

What to do:

  • In your Privacy Notice, include a section: "How we verify identity when you request your data.”
  • In your "request" interface (form or portal), include plain-language guidance: what you need from them, why, how you'll use it, and how long you'll keep that verification info.

Consider using a flowchart in your internal documentation and training materials, such as: Request submitted → Verification needed? → Type of verification → Explanation sent to user → Data provided.

7. Document decisions and maintain an audit trail

If a regulator audits you (for example, the ICO or CPPA), you'll need to demonstrate that you verified identity reasonably, only asked for necessary data and adhered to minimization.

What to do:

  • Log for each request: request type, identity-verification steps taken, verification outcome, data provided or denied, and retention of verification data.
  • Periodically review (e.g., annually) the number of verification failures, the number of escalated checks needed, and whether your standard remains proportional.
  • For small businesses, use a simple spreadsheet or database log for request handling. Include columns: Request ID, date, type, identity checks used, whether the user logged in, whether extra ID was collected, outcome, and retention actions.

As shown below, under the CCPA §7062(g), if your business is unable to determine a reasonable method for verifying a data subject's identity, this must be explained to the person making the request. At least once each year, you must attempt to establish a reasonable method and update your Privacy Policy accordingly.

CCPA 7062 Line 6 screenshot

8. Periodically review your verification process against shifting regulatory expectations

Data-protection law is evolving, and regulators regularly issue new guidance on topics like biometrics, identity proofing, and data minimization. Your business must ensure its verification practices are up to date.

What to do:

  • Set a calendar reminder (annually or biannually) to review ICO updates, CPPA advisories, state laws, and sector-specific guidelines.
  • Adjust your verification standard if your business model or risk profile changes (e.g., you start collecting more sensitive data or you move into markets with higher risk).
  • Conduct a mini-audit every 12 months, listing out all consumer request types, verification used, analyzing whether any excessive collection occurred, and updating policies and training according to new or amended regulations.

Practical Checklist for Your Data-Protection Process

Use this checklist to review your verification practices:

  • Have you mapped every type of data-subject/consumer request your business supports?
  • For each request type, have you defined whether you need identity verification and to what standard?
  • Does your verification process rely first on existing authentication data that your system already holds?
  • Are you only collecting additional identity data when absolutely necessary, and documenting that justification?
  • Have you outlined how long you'll retain a copy of verification data (or whether you'll delete it), consistent with minimization?
  • Is your verification process clearly described in your privacy policy/notice and your request procedure?
  • Are you logging each request and verification decision (audit trail)?
  • Have you scheduled a periodic review of your verification process in light of new guidance/regulatory changes?
  • For California-based consumers or data relating to California residents, are you following CCPA/CPRA verification standards (e.g., matching data points, not verifying for low-risk opt-out) and responding within required time frames?
  • For EU/UK / GDPR-governed individuals, are you applying ICO guidance on "reasonable and proportionate" verification and aligned with the data-minimization principle?

Summary

For your small business, the bottom line is this: you must have a verification process, but it must be calibrated to the level of risk, aligned with data minimization, and tailored to the relevant data privacy regulation.

In simple terms, don't collect more information than you need to verify the requestor, don't retain verification data longer than you need to, and make sure your Privacy Policy and request process reflect what you do.

Here's a simple comparison table:

Feature GDPR / UK GDPR CCPA/CPRA
Verification threshold "reasonable and proportionate" – case-by-case (Recital 64) "reasonable" vs "reasonably high" degree of certainty, with numeric thresholds (§ 7062)
Opt-out of sale/sharing Not applicable / no equivalent explicitly in GDPR Business must not require excessive identity verification for opt-out (11 CCR § 7026(c))
Authentication via account login Yes — if data subject uses existing credentials, verification may be light Yes — if consumer has password-protected account, existing login authentication may suffice (11 CCR § 7061(a))
Record-keeping / audit trail Must document verification steps and decisions (ICO guidance) Business must maintain verification records; if no reasonable verification method exists, must state so and review at least annually (11 CCR § 7062(g))

By following the eight actionable points above and using the checklist, you'll be well-positioned to handle both GDPR/UK-/EU-style verification demands and CCPA/CPRA demands for California residents. At the same time, you will avoid overly burdening your users or exposing your business to regulatory risk.

Bottom line: Regulators expect a tailored approach. Your verification should match the risk and data sensitivity, use existing authentication where possible, and be fully documented to demonstrate proportionality.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy