Data subject access requests - The rub
The GDPR provides that data subjects can query data controllers to learn about the personal data processed by that data controller. The CCPA has similar provisions that give consumers the right to query a business to learn about the personal information processed by the business. Under both data protection regimes, when a requestor queries a data controller / business, the data controller / business can ask the requestor for additional information to confirm the requestor's identity (GDPR Art. 12(2) and (6); Recitals 57 and 64) (CCPA at 1798.185; CCPA proposed regulations Art. 4, Section 999.323). Thus, requestors could face an unpleasant situation: in order to learn what personal data is being processed, they probably will have to provide additional personal data.
Data controllers / businesses need to be careful in determining how to verify the identity of a requestor. Requiring unduly burdensome or disproportionate verification information could subject a data controller to fines under the GDPR or the CCPA.