Can the CCPA Access Right Be Saved? Realigning Incentives in Access Request Verification

Abstract

The California Consumer Privacy Act access right has the potential to give Californians a level of control over their personal information that is unprecedented in the United States. However, consumer privacy interests will be in peril unless the access right is accompanied by an effective access request verification requirement. Requiring companies to respond to access requests when they cannot verify that the requestor is the subject of the requested data puts sensitive personal information at risk. Inversely, allowing companies to shirk their access request responsibilities by claiming that data is unverifiable diminishes consumers’ data control rights. Thus, in the context of access request verification policy, there is an inherent tension between privacy as confidentiality and privacy as control. The success of the access right, and thus all CCPA data control rights, hinges on an access request verification policy that successfully balances these competing privacy interests. The endemic identity theft caused by credit application verification systems demonstrates why such balancing cannot be wholly left to private companies. In the credit context, balancing has been driven by the profit maximization interests of businesses, which currently do not align with consumer privacy interests. Fortunately, several scholars have proposed methods for aligning these divergent interests. The strengths and weaknesses from these proposed solutions to identity theft provide a useful framework for building a system that incentivizes companies to prioritize consumer privacy when developing access request verification systems.