CCPA vs. identity‑verification tradeoffs

A California privacy request can start with a contradiction: to delete your data, a company may ask you for more data first. The California Consumer Privacy Act regulations require businesses to verify requests to know, delete, and correct, and California’s privacy agency says some companies have been asking for excessive information in that process. (cppa.ca.gov 1) (cppa.ca.gov 2) California’s enforcement staff put that warning in writing in Enforcement Advisory No. 2024-01. The advisory says businesses should apply data minimization when handling privacy requests and should not collect more information than is necessary just to confirm identity. (cppa.ca.gov) The law itself gives companies a reason to be cautious on the other side too. A business has 45 days to disclose, correct, or delete information after receiving a verifiable consumer request, so sending data to the wrong person can turn a privacy right into a privacy breach. (cppa.ca.gov) That is why verification rules are not one-size-fits-all. California’s regulations treat identity checks as part of the request-handling system, and the state’s guidance says businesses must explain in their privacy policy how they verify requests to know, delete, and correct. (cppa.ca.gov 1) (cppa.ca.gov 2) The pressure gets higher when the company uses outside tools to do the checking. California’s 2026 regulations say third-party identity verification services are themselves subject to the Consumer Privacy Act rules for requests to delete, correct, or know, which means outsourcing verification does not outsource compliance. (cppa.ca.gov) California is also widening the machinery around deletion. Regulations approved on November 13, 2025 created the Delete Request and Opt-out Platform, a state-hosted system that lets Californians send one deletion request to multiple data brokers, with consumer access starting in January 2026 and broker pickup becoming mandatory on August 1, 2026. (cppa.ca.gov) That one-click system solves one problem and sharpens another. If a data broker has to decide whether a request in the platform matches a person in its files, the broker needs enough signals to match records, but every extra signal can become another piece of personal information to store, secure, and eventually delete. (cppa.ca.gov 1) (cppa.ca.gov 2) Artificial intelligence adds a second layer because the same company may be verifying a person in one workflow while moving that person’s data through models, vendors, and shared systems in another. California finalized new rules on September 23, 2025 covering automated decisionmaking technology, risk assessments, and cybersecurity audits, with the package taking effect on January 1, 2026 and some automated decisionmaking duties starting January 1, 2027. (cppa.ca.gov) Europe is wrestling with the same problem from the model side. In Opinion 28/2024, adopted on December 17, 2024, the European Data Protection Board said artificial intelligence models trained on personal data cannot automatically be treated as anonymous and said regulators should examine whether personal data can be extracted directly or through prompts. (edpb.europa.eu) That matters in multi-tenant systems, where one model or service can serve many customers at once. If personal data can leak through outputs, logs, or debugging trails, then the old privacy playbook of “collect first, sort it out later” stops working for both verification teams and artificial intelligence teams. (edpb.europa.eu) (cnil.fr) The practical shift is that privacy design now has to happen in two places at once. One design controls how you prove a requester is really the right person, and the other controls how that same person’s data moves through models, vendors, logs, and shared infrastructure after the request is approved. (cppa.ca.gov) (cppa.ca.gov) (edpb.europa.eu)