(1) A controller shall establish two or more methods to enable consumers to submit a request to exercise their consumer rights under this part. The methods must be secure, reliable, and clearly and conspicuously accessible. The methods must take all of the following into account:(a) The ways in which consumers normally interact with the controller.
(b) The necessity for secure and reliable communications of these requests.
(c) The ability of the controller to authenticate the identity of the consumer making the request.
(2) A controller may not require a consumer to create a new account to exercise the consumer’s rights under this part but may require a consumer to use an existing account.
(3) A controller shall provide a mechanism on its website for a consumer to submit a request for information required to be disclosed under this part. A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal data may also provide an e-mail address for the submission of requests.
