Implement automated DSAR identity verification using a token-based challenge sent to the requester's registered contact method

domain: iapp.org · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. On DSAR receipt, generate a cryptographically random 32-byte token. Server-side, store only its SHA-256 hash, never the plain token, linked to the requestId with a 24-hour TTL.
  2. Send the plain token to the requester via the contact method already on record (email or SMS) with a message such as 'Click this link to verify your identity and activate your privacy request: https://privacy.yourdomain.com/verify?token=TOKEN'.
  3. When the requester clicks the link, hash the received TOKEN and compare to the stored hash; on match, mark the request as identity-verified and start the fulfillment clock for regulatory deadline purposes.
  4. Log the verification event with timestamp and verification method in your DSAR audit log; the log entry constitutes your evidence that the requester controlled the registered contact method.
  5. If the requester cannot verify via the token (e.g., the email is itself the subject of a deletion request), provide an alternative verification path that collects only the minimum data needed — such as last four digits of a phone number — without requesting government ID unless the data sensitivity justifies it.
  6. For unverified requests that time out, send a notification to the requester and close the request as UNVERIFIED after a reasonable period (typically 30 days), logging the closure reason.
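
Steps 1, 3 and 4 in Python, as an added example that is not part of the original route. The in-memory dict stands in for the server-side store, the class and method names are hypothetical, and consuming the token on first use is an added assumption the steps do not state.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # step 1: 24-hour TTL


class DsarVerifier:
    """Hypothetical in-memory stand-in for the token store and DSAR audit log."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256 hex digest -> (request_id, expires_at)
        self.audit_log = []      # step 4: verification events

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, request_id):
        """Step 1: return the plain token for delivery; persist only its hash."""
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe for the link
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (request_id, expires_at)
        return token

    def verify(self, token, method="email"):
        """Step 3: hash the presented token and look it up; None means no match."""
        digest = self._digest(token)
        record = self._pending.pop(digest, None)  # assumption: single use
        if record is None:
            return None          # unknown, already used, or tampered token
        request_id, expires_at = record
        now = self._clock()
        if now > expires_at:
            return None          # TTL elapsed; the entry is already purged
        # Step 4: evidence that the requester controlled the contact method.
        self.audit_log.append({
            "request_id": request_id,
            "event": "identity_verified",
            "method": method,
            "timestamp": now,
        })
        return request_id
```

A caller marks the request identity-verified and starts the fulfillment clock only when `verify` returns a requestId.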
