The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.” The regulations provide as an example matching three pieces of personal information provided by the consumer with three pieces of personal information maintained by the business and obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

Although businesses are permitted to request that consumers sign a declaration under penalty of perjury, only 1% of companies state in their privacy notices that they require such an affidavit or a declaration. However, it is possible that once a data subject request has been submitted, other companies also request a signed verification prior to providing information in response to a specific-information access request, even if that prerequisite is not in the corporate privacy notice.