(a) If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account, provided that the business follows the requirements in section 999.323. The business shall also require a consumer to re-authenticate themself before disclosing or deleting the consumer’s data.
(b) If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to know or request to delete until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business has collected information. The business may use the procedures set forth in section 999.325 to further verify the identity of the consumer.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.