--- title: "US CCPA DSAR Verification Guide" canonical_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/dsar-verification" source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/dsar-verification" author: "Sorena AI" description: "US CCPA guidance for DSAR Verification, with practical decisions, evidence, edge cases, and external source citations." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "US CCPA" - "DSAR Verification" - "US CCPA DSAR Verification" - "compliance checklist" - "practical guidance" - "Compliance" - "Regulatory guidance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # US CCPA DSAR Verification Guide US CCPA guidance for DSAR Verification, with practical decisions, evidence, edge cases, and external source citations. *Artifact Guide* *US* *DSAR Verification* ## US CCPA DSAR Verification DSAR verification under the US CCPA is about confirming the requester with commercially reasonable methods, using only the information needed for that purpose, and denying or escalating requests that cannot be verified. This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. This page maps US CCPA DSAR verification to the minimum identity checks, acceptable verification methods, denial criteria, owner responsibilities, and review paths that product, legal, privacy, security, and compliance teams can apply. ## What should teams decide about DSAR verification under the US CCPA? Start by deciding how the business will confirm the consumer is the person making the request, or a person authorized to act for them, using commercially reasonable methods. The workflow should explain what information may be requested, what sources can be matched, what happens if the business cannot verify the request, and which requests can be routed to a different handling path. For access, deletion, and correction requests, the business may ask for information needed to verify identity, and any personal information collected for verification must be used only for verification and not for unrelated purposes. - Define the exact request type: know, delete, correct, or another verifiable consumer request. - Collect only the identity details needed to match the requester to records the business already holds. - Use commercially reasonable methods to verify the consumer or the consumer’s authorized agent. - Deny or hold the request if the business cannot verify the requester or if the request is submitted to the wrong party, such as a service provider or contractor. - Record the reason for the verification outcome and keep verification data separate from unrelated records. Sources for this answer: - [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - The regulations explain that businesses must inform consumers of their rights, handle consumer requests, verify identity, and use a reasonable method for verification. - [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Attorney General FAQ guidance on verifiable consumer requests, identity verification, and request denials. - [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Civil Code section 1798.130 and related provisions describe the request and verification workflow. ## Who should own DSAR verification, and what evidence should prove the decision? Ownership should sit with the team that can configure intake forms, account-based verification, manual review, and escalation to privacy or legal when the request is ambiguous or high risk. Evidence should show the request type, verification method used, the decision made, the reason for denial if applicable, and the record showing that verification data was used only for verification. - Name one accountable owner for the verification workflow and one reviewer for exceptions. - Keep request logs, verification rules, scripted decision notes, and approval records together. - Document when the business relied on account access, direct consumer confirmation, or other commercially reasonable methods. - Review the workflow after product changes, new request channels, or changes to the regulated CCPA process. Sources for this answer: - [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Section 1798.130 requires businesses to verify requests and allows reasonable authentication. - [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - The FAQ explains that if a business asks for personal information to verify identity, it can only use that information for verification. - [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - The regulations require businesses to handle consumer requests and verify consumer identity. ## Which edge cases should teams check before relying on a DSAR verification decision? Check edge cases where the requester is an authorized agent, a parent or guardian, or a consumer who uses an account that the business cannot confidently match to the record set. Also check whether the request was sent to a service provider or contractor instead of the business itself. The business should also consider whether the request is for a right that requires a verifiable consumer request and whether the consumer has already been identified through a reasonable authenticated channel. - Verify authorized-agent submissions using the proof the business is allowed to request. - Treat service-provider and contractor intake as a routing problem unless the business relationship allows action on the request. - Do not over-collect identity data when the business already has enough information to verify the request. - If the request cannot be verified, send a clear denial reason and explain what the consumer can do next. Sources for this answer: - [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - The FAQ explains that authorized agents may submit requests and that businesses may require information to verify the consumer and the agent relationship. - [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Section 1798.130 says service providers and contractors are not required to comply with verifiable consumer requests received directly from a consumer or authorized agent. - [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - The regulations explain how consumer requests should be handled and verified. ## How should teams operationalize DSAR verification with proportionate controls? Use a workflow that captures the request type, the verification method, the minimum identity information collected, the result, and the reason if the request is denied or needs more review. Keep verification narrowly tailored so the business can confirm identity without turning the process into a broad data collection exercise. The output should be a verified request, a follow-up request for more information, a denial with a reason, or an escalation to privacy or legal review when the facts are unclear. - Create a short intake question that identifies the DSAR verification scenario. - Map each scenario to a required verification method, evidence field, owner, reviewer, and decision date. - Keep verification records distinct from substantive response records where possible. - Update the workflow when the CCPA regulations or official guidance change. Sources for this answer: - [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Section 1798.130 requires reasonable authentication and limits the use of verification data. - [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - The FAQ says verification data may be used only for verification and that businesses may deny requests they cannot verify. - [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - The regulations explain how to verify the identity of consumers making requests. *Recommended next step* *Placement: after the practical guidance* ## Turn US CCPA DSAR Verification into assigned work This US CCPA guide turns DSAR Verification into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena. - [Open Assessment Autopilot for US CCPA](/solutions/assessment.md): Turn DSAR Verification into scoped questions, evidence fields, and review tasks. - [Review US CCPA source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material. - [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena. ## Primary sources - [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - Supports CCPA consumer-request verification, minimization, opt-out signal handling, or request-response operations for this verification guide. - Quote: "2024-01 Applying Data Minimization to Consumer Requests Short Title Enforcement Advisory No" - [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - California Attorney General guidance supports CCPA consumer-request verification, limited use of verification data, and 45-calendar-day response tracking. - Quote: "If the business asks for personal information to verify your identity, it can only use that information for this verification purpose." - [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - Supports CCPA consumer-request verification, minimization, opt-out signal handling, or request-response operations for this verification guide. - Quote: "how to verify the identity of consumers making requests" - [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Supports CCPA consumer-request verification, minimization, opt-out signal handling, or request-response operations for this verification guide. - Quote: "The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested" - [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer%5Fprivacy%5Fact.html?ref=sorena.io) - Supports CCPA consumer-request verification, minimization, opt-out signal handling, or request-response operations for this verification guide. - Quote: "On March 29, 2023, the Office of Administrative Law approved the California Privacy Protection Agency's regulations and filed" ## Related Topic Guides - [California CCPA/CPRA Opt Out Signal Workflow Guide](/artifacts/us/california-consumer-privacy-act/opt-out-signal-workflow.md): California CCPA/CPRA guidance for Opt Out Signal Workflow, with practical decisions, evidence, edge cases, and external source citations. - [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md): US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations. - [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md): US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Applicability Test Guide](/artifacts/us/california-consumer-privacy-act/applicability-test.md): Practical guidance for the US CCPA applicability test, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Compliance Checklist](/artifacts/us/california-consumer-privacy-act/checklist.md): Practical guidance for the US CCPA checklist, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Compliance Guide](/artifacts/us/california-consumer-privacy-act/compliance.md): Practical guidance for the US CCPA compliance, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Consumer Rights Workflow Guide](/artifacts/us/california-consumer-privacy-act/consumer-rights-workflow.md): US CCPA guidance for Consumer Rights Workflow, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Contract Classification Workflow Guide](/artifacts/us/california-consumer-privacy-act/contract-classification-workflow.md): US CCPA guidance for Contract Classification Workflow, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Dark Patterns Guide](/artifacts/us/california-consumer-privacy-act/dark-patterns.md): US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Data Broker Crossover Guide](/artifacts/us/california-consumer-privacy-act/data-broker-crossover.md): US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Deadlines and Compliance Calendar Guide](/artifacts/us/california-consumer-privacy-act/deadlines-and-compliance-calendar.md): US CCPA guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Do not sell or share Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-or-share.md): US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Do Not Sell Share Implementation Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-share-implementation.md): US CCPA guidance for Do Not Sell Share Implementation, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA DSAR Workflow Guide](/artifacts/us/california-consumer-privacy-act/dsar-workflow.md): US CCPA guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Enforcement And Penalties Guide](/artifacts/us/california-consumer-privacy-act/enforcement-and-penalties.md): US CCPA guidance for Enforcement And Penalties, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Financial Incentives Guide](/artifacts/us/california-consumer-privacy-act/financial-incentives.md): US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA GPC Signal Guide](/artifacts/us/california-consumer-privacy-act/gpc.md): US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Minors Guide](/artifacts/us/california-consumer-privacy-act/minors.md): US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Notice at collection Guide](/artifacts/us/california-consumer-privacy-act/notice-at-collection.md): US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA penalties and fines Guide](/artifacts/us/california-consumer-privacy-act/penalties-and-fines.md): US CCPA guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Personal And Sensitive Pi Categories Guide](/artifacts/us/california-consumer-privacy-act/personal-and-sensitive-pi-categories.md): US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Law FAQ](/artifacts/us/california-consumer-privacy-act/faq.md): Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Notices And Disclosures Guide](/artifacts/us/california-consumer-privacy-act/privacy-notices-and-disclosures.md): US CCPA guidance for Privacy Notices And Disclosures, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Policy Guide](/artifacts/us/california-consumer-privacy-act/privacy-policy.md): US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Policy Template Guide](/artifacts/us/california-consumer-privacy-act/ccpa-privacy-policy-template.md): US CCPA guidance for CCPA Privacy Policy Template, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Requirements Guide](/artifacts/us/california-consumer-privacy-act/requirements.md): Practical guidance for the US CCPA requirements, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Risk And Cyber Audits Guide](/artifacts/us/california-consumer-privacy-act/risk-and-cyber-audits.md): US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Scope and Thresholds Guide](/artifacts/us/california-consumer-privacy-act/scope-and-thresholds.md): US CCPA guidance for Scope and Thresholds, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Service Provider Contractor And Third Party Contracts Guide](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-and-third-party-contracts.md): US CCPA guidance for Service Provider Contractor And Third Party Contracts, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Service Provider Contractor Contracts Guide](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-contracts.md): US CCPA guidance for Service Provider Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Thresholds Guide](/artifacts/us/california-consumer-privacy-act/thresholds.md): US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA vs CPRA Guide](/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra.md): US CCPA guidance for CCPA vs CPRA, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA vs GDPR Guide](/artifacts/us/california-consumer-privacy-act/ccpa-vs-gdpr.md): US CCPA guidance for CCPA vs GDPR, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md): US CCPA guidance for consumer request verification, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md): US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md): US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md): US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md): US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md): US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md): US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md): US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md): US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md): US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md): US CCPA guidance for Service Provider And Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/dsar-verification