DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-3, 5-8 and 12-20 are allowed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/30/21, 8/10/21 and 9/30/21 are being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Scott Brient on 11/9/21.
The application has been amended as follows: 
1.  	(Currently Amended)  A method comprising: 
receiving, by computing hardware, via a browser application executed on a user device, a consumer rights request for a data subject, wherein the consumer rights request is for performing an action with regard to personal data associated with the data subject; 
detecting, by the computing hardware, a state of the browser application indicating a location of the user device;

determining, by the computing hardware, a level of identity verification required based on the law;
generating, by the computing hardware and based on the level of identity verification, a graphical user interface for the browser application by configuring a first identity verification prompt on the graphical user interface and excluding a second identity verification prompt from the graphical user interface, wherein: 
the first identity verification prompt is configured for receiving input for a first type of identity verification that requires login credentials for the data subject, and
the second identity verification prompt is configured for receiving input for a second type of identity verification that requires at least one piece of identify information for the data subject;
transmitting, by the computing hardware, a first instruction to the user device to present the graphical user interface on the user device;
receiving, by the computing hardware, the input for the first type of identity verification via the first identity verification prompt; 
	verifying, by the computing hardware, an identity of the data subject based on the input for the first type of identity verification; and
responsive to verifying the identity of the data subject, causing, by the computing hardware, performance of the action with regard to the personal data associated with the data subject, wherein the method further comprises:
determining which of the first identity verification prompt and the second identity verification prompt to include in the graphical user interface based on a criterion comprising which of the first type of identity verification and the second type of identity verification requires provision of fewer pieces of personal data to verify the identity of the data subject. 

2.	(Original)  The method of Claim 1 further comprising:
determining, by the computing hardware, a minimum type of identity verification required to be provided by the data subject based on the level of identity verification required, wherein the first type of identity verification comprises the minimum type of identity verification.

3. 	(Original)  The method of Claim 2, wherein the minimum type of identity verification required for the data subject comprises a type of identity verification requiring a least amount of input for the data subject from a plurality of types of identity verification that meet the level of identity verification required. 

4.	(Cancelled) 

5.	(Currently Amended)  The method of Claim 1, wherein the first type of identity verification requires fewer user-provided inputs than the second type of identity verification.

6. 	(Currently Amended)  The method of Claim 1, wherein causing performance of the action comprises:
from at least one data repository; and 
performing an electronic operation with the personal data based on the consumer rights request.

7.	(Original)  The method of claim 1, wherein verifying the identity of the data subject based on the input for the first type of identity verification comprises:
providing information included in the consumer rights request to an external system; 
receiving information from the external system based on the information included in the consumer rights request; and 
verifying the identity of the data subject based on the input for the first type of identity verification and the information received from the external system. 

8.	(Currently Amended)  A system comprising; 
	a non-transitory computer-readable medium storing instructions; and
	a processing device communicatively coupled to the non-transitory computer-readable medium,
	wherein, the processing device is configured to execute the instructions and thereby perform operations comprising:








	

receiving, by computing hardware, via a browser application executed on a user device, a consumer rights request for a data subject, wherein the consumer rights request is for performing an action with regard to personal data associated with the data subject; 
detecting, by the computing hardware, a state of the browser application indicating a location of the user device;
identifying, by the computing hardware, a law that applies to the consumer rights request based on the location;
determining, by the computing hardware, a level of identity verification required based on the law;
generating, by the computing hardware and based on the level of identity verification, a graphical user interface for the browser application by configuring a first identity verification prompt on the graphical user interface and excluding a second identity verification prompt from the graphical user interface, wherein: 
the first identity verification prompt is configured for receiving input for a first type of identity verification that requires login credentials for the data subject, and
the second identity verification prompt is configured for receiving input for a second type of identity verification that requires at least one piece of identify information for the data subject;
transmitting, by the computing hardware, a first instruction to the user device to present the graphical user interface on the user device;
receiving, by the computing hardware, the input for the first type of identity verification via the first identity verification prompt; 
	verifying, by the computing hardware, an identity of the data subject based on the input for the first type of identity verification; and
responsive to verifying the identity of the data subject, causing, by the computing hardware, performance of the action with regard to the personal data associated with the data subject, wherein the processing device is further configured to execute the instructions and thereby perform operations comprising:
determining which of the first identity verification prompt and the second identity verification prompt to include in the graphical user interface based on a criterion comprising which of the first type of identity verification and the second type of identity verification requires provision of fewer pieces of personal data to verify the identity of the data subject. 


9. 	(Cancelled) 

10.	(Cancelled)

11.	(Cancelled)
	
12. 	(Currently Amended)  The system of Claim 8, wherein causing performance of the action with regard to personal data associated with the data subject comprises:
identifying the personal data associated with the data subject from at least one data repository; and 
performing an electronic operation with the personal data based on the consumer rights request.

13.	(Currently Amended)  The system of Claim 12, wherein the electronic operation comprises at least one of retrieving and displaying the personal data on the computing device, deleting the personal data from the at least one data repository, or updating the personal data in the at least one data repository.


providing information included in the consumer rights request to an external system; 
receiving information from the external system based on the information included in the consumer rights request; and 
verifying the identity of the data subject based on the input for the first 
 
15.	(Currently Amended)  The system of Claim 8, wherein the location of the user device comprises at least one of a current geographical location of the computing device or a past geographical location of the computing device.

16.	(Currently Amended)  A non-transitory computer-readable medium having program code that is stored thereon, the program code being executable by one or more processing devices for performing operations comprising:



	

receiving, by computing hardware, via a browser application executed on a user device, a consumer rights request for a data subject, wherein the consumer rights request is for performing an action with regard to personal data associated with the data subject; 
detecting, by the computing hardware, a state of the browser application indicating a location of the user device;
identifying, by the computing hardware, a law that applies to the consumer rights request based on the location;
determining, by the computing hardware, a level of identity verification required based on the law;
generating, by the computing hardware and based on the level of identity verification, a graphical user interface for the browser application by configuring a first identity verification prompt on the graphical user interface and excluding a second identity verification prompt from the graphical user interface, wherein: 
the first identity verification prompt is configured for receiving input for a first type of identity verification that requires login credentials for the data subject, and
the second identity verification prompt is configured for receiving input for a second type of identity verification that requires at least one piece of identify information for the data subject;
transmitting, by the computing hardware, a first instruction to the user device to present the graphical user interface on the user device;
receiving, by the computing hardware, the input for the first type of identity verification via the first identity verification prompt; 
verifying, by the computing hardware, an identity of the data subject based on the input for the first type of identity verification; and
responsive to verifying the identity of the data subject, causing, by the computing hardware, performance of the action with regard to the personal data associated with the data subject, wherein, the program code is further executable by the one or more processing devices to perform operations comprising:
determining which of the first identity verification prompt and the second identity verification prompt to include in the graphical user interface based on a criterion comprising which of the first type of identity verification and the second type of identity verification requires provision of fewer pieces of personal data to verify the identity of the data subject. 

17.	(Original) The non-transitory computer-readable medium of Claim 16, wherein the law exists in the location.

18.	(Currently Amended)  The non-transitory computer-readable medium of Claim 16,the program code is executable by the one or more processing devices todetermine a minimum type of identity verification required to be provided by the data subject based on the level of identity verification required, wherein the first type of identity verification comprises the minimum type of identity verification. 

causing performance of the action 
identifying the personal data associated with the data subject from at least one data repository; and 
performing an electronic operation with the personal data based on the consumer rights request.

20.	(Currently Amended) The non-transitory computer-readable medium of Claim 19, wherein the electronic operation comprises at least one of retrieving and displaying the personal data on theuser device, deleting the personal data from the at least one data repository, or updating the personal data in the at least one data repository.


Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
Pelkey U.S. Pat. No. 9584964 discloses determining type of authentication based on device location and policy.
Gerber, Jr. et al. U.S. Pub. No. 20110190009 discloses method for enforcing policy related to privacy settings and authentication based on location.
The prior art of record do not explicitly disclose the specific steps recited in independent claims to determine and select level of verification steps based on location and laws that apply to the request, and determining which of the first identity verification prompt and the second identity verification prompt to include in the graphical user interface based on a criterion comprising which of the first type . 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Lopez et al. U.S. Pub. No. 20190378073 discloses business-aware intelligent incident and change management.
Maung U.S. Pub. No. 20180285887 discloses computing systems for heterogeneous regulatory control compliance monitoring and auditing.
Bell et al. U.S. Pub. No. 20160246991 discloses method for automated privacy compliance.
Federgreen et al. U.S. Pub. No. 20150154520 discloses automated data breach notification.
Driscoll et al. U.S. Pat. No. 10373119 discloses checklist generation.
Chieu et al. U.S. Pub. No. 20200092179 discloses compliance validation for services based on user selection.
Belfiore, Jr. et al. U.S. Pub. No. 20180146004 discloses methods for cybersecurity risk assessment.
Siris U.S. Pub. No. 20140250537 discloses method for data governance and licensing.
Rathood U.S. Pat. No. 10310723 discloses presenting plurality types of interfaces and fucntions for conducting various activities.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am- 7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431