Question 33
Domain 4: Individual Requests, Complaints and Privacy IncidentsA deletion request is submitted by an authorized agent. What should the organization do first?
Correct answer: A
Explanation
An organization should first verify that the agent is authorized to act for the consumer and, where appropriate, verify the consumer’s identity before processing a deletion request. This follows the basic privacy rule that requests from an agent require proof of authority and identity to prevent unauthorized disclosures or deletions.
Why each option is right or wrong
A. Verify the agent's authority and, where appropriate, the consumer's identity
Under the CCPA/CPRA, a business receiving a consumer request through an authorized agent may require the agent to provide signed permission from the consumer and may also ask the consumer to directly verify their identity or confirm that the agent is authorized, before acting on the request. See Cal. Civ. Code § 1798.130(a)(1) and 11 CCR § 7063(b), which permit these verification steps before a deletion request is processed. The first step is therefore to confirm the agent’s authority and, if needed, the consumer’s identity, because the organization cannot lawfully delete data on the basis of an unverified third-party request.
B. Reject all agent-submitted requests automatically
C. Send the consumer's entire file to the agent immediately
D. Require the agent to become an employee of the organization