How do we know the person making a request is really that person and not someone else who may or may not have authorization from the actual person we are being given?

Answer – This was answered in greater detail in the webinar – likely after this question was posed in the chat. The short answer is that you generally should require (and in California must require) verification of identity before releasing personal data, i.e., responding to a data “access” request. You don’t have to do this for a mere opt-out request, and for practical reasons most (but not all) companies don’t require verification for an opt-out request – but you should always impose a “captcha”-type requirement in order to prevent bot traffic from mischievously generating false opt-outs.


