Points of Interest Summer 2019 Page 9 andmaking“verifiable”consumerrequests to businesses. Financial and similar institutions are particularly vulnerable to such impersonation; after all, the Act requires businesses that receive verifiable consumer requests for the information to provide consumers with copies of all consumer information that the business has collected regarding the consumer (while certain information collected by financial institutions is exempted from the CCPA to the extent that it is governed by the federal Gramm-Leach-Bliley Act, that exception undoubtedly will not cover all information that such businesses collect about California consumers – the remainder is subject to the CCPA). It will be important for businesses – particularly larger businesses that may be targets of this sort of fishing – to develop robust internal procedures for ensuring that verifiable consumer requests are actually verified. Traditionally, businesses releasing information over the phone require customers to answer certain questions, such as the last four digits of the customer’s social security number or a mother’s maiden name, to verify their identity. However, in the context of a requesttoreleaseallpersonalinformation that a business has collected about a consumer (as required upon receipt of a verifiable consumer request under California Civil Code Section 1798.110(a) (5)), such traditional methods may not be sufficient. Thisisanareawhererulemaking by the California Attorney General would be particularly helpful. What Constitutes a “Category”? After a business receives a verifiable consumer request from a consumer and actually verifies that the request is from the consumer, the business is required, within certain time frames, to disclose, uponrequestbytheconsumerandamong other things, the categories of personal informationthatthebusinesshascollected about the consumer, the categories of sources from which the business has obtained personal information about the consumer, and the categories of third parties with whom the business shares personal information about consumers. The terms “category” and “categories” continue to appear throughout the Act, including in the definition of “aggregate consumer information.” With all of these “categories” referenced in the Act, one would think the Legislature would have seen fit to define what a “category” is, and how broad (or narrow) such a disclosure must be. No such luck. Absent such a definition in the Act, one possible source of guidance regarding how a business should categorize the informationitisrequiredtodiscloseisprior case law. But case law, too, leaves much to be desired. The California Supreme Court hasdefinedtheterm“category”tomean“a class, or division, in any general scheme of classification." Am. Coatings Ass’n v. South Coast Air Quality Management Dist., 54 Cal. 4th 446, 472 (2012) (citing the Second Edition of the Oxford English Dictionary); see also Prop “A” Protective Ass’n v. Mts. Rec. & Conservation Authority, 2018 Cal. Unpub. Lexis 4826, at *15-16 (July 17, 2018) (citing the 2018 edition of the Merriam-Webster Unbridged Dictionary and defining “category” to mean “a class, group, or classificationofanykind”). Obviously,these definitions are not all that helpful. It is hoped that the Attorney General will aid businesses by defining in some detail how these “categories” are to be constructedwhenrespondingtoverifiable consumerrequests. However,absentsuch guidance, or a clarifying amendment from the Legislature, each individual business must decide for itself, in consultation with its legal counsel, how broadly or narrowly to list these categories. When Do Consumer Requests Under the CCPA Become “Manifestly Unfounded or Excessive”? The Act requires businesses to respond to verifiable consumer requests. However, certain consumers – perhaps those having disagreements or disputes with the business – could wreak havoc by submitting repeated requests for information, each requiring verification andresponsewithinthetimeperiodslisted in the statute. The drafters of the statute appear to have considered this possibility, providing that businesses may either charge a consumer a “reasonable fee,” or refusetorespondaltogether,withrequests from consumers that are “manifestly unfoundedorexcessive." SeeCal.Civ.Code Consumer Privacy Act – continued from page 8 continued on page 10