Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after allowance or after an Office action under Ex Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, prosecution in this application has been reopened pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/23/2022 has been entered. This action is made Non-Final.

Status of claims
This office action is in response to application filed on 11/23/2022
Claims 1-21 are pending and rejected; claims 1, 8 and 15 are independent claims

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/23/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al. US Pub. No. 2019/0392173 A1 (hereinafter Brannon1) in view of Brannon et al. US Pub. No. 2020/0167501 A1 (hereinafter Brannon2). (Disclosed in the IDS)

Brannon1  teaches:
	As to claim 1, a computer-implemented method for verifying a request for personal information (see Brannon1 ¶588, before a data subject request can be processed, the data subject's identity may need to be verified), the method comprising:
	receiving, by a server computing system, a request for personal information of a requester (see Brannon1 ¶588, data subject access request) the request associated with a government regulation related to consumer privacy rights (see Brannon1 ¶481, under various legal and industry standards related to the collection and storage of personal data, the organization or entity may not have or may no longer have a legal basis to continue to store the data, the organization or entity may not have or may no longer have a legal basis to continue to store the data… to ensure that the organization may not be in violation of one or more legal or industry regulations), the request including a first identifier identifying the requester (see Brannon1 ¶81, providing a communication to the entity, wherein the communication, (a) comprises a unique identifier associated with the data subject,);
	determining, by the server computing system, a location where the personal information is stored in one or more databases (see Brannon1 ¶500, automatically determine where the data subject's personal data is stored; and (2) in response to determining the location of the data);
	searching, by the server computing system based on the determined location of the personal information, the one or more databases using the first identifier and using identifier expansion to identify a second identifier related to the first identifier and identifying the requester, the second identifier associated with one or more past transactions involving the requester and an entity associated with the one or more databases (see Brannon1 ¶213, receiving a data subject access request from the user ; ¶2583, in response a data subject submitting a request…automatically determine where the data subject's personal data is stored; ¶625, one or more data models that map an association between one or more pieces of personal data stored within one or more data assets of the particular entity and one or more privacy campaigns of the particular entity… use one or more suitable data mapping techniques to link, or otherwise associate, the one or more pieces of personal data stored within one or more data assets of the particular entity; ¶664, database that collects, processes, contains, and/or transfers data);
	forming, by the server computing system, a question using the one or more data points; verifying, by the server computing system, identity of the requester using at least the second identifier and the question (see Brannon1 ¶591, the system, when validating a data subject's identity, may begin by verifying that a person with the data subject's name, address, social security number, or other identifying characteristic (e.g., which may have been provided by the data subject as part of the data subject access request) actually exists) ; and
	based on verifying the identity of the requester: generating, by the server computing system, a notification indicating that the request for the personal information is accepted (see Brannon1 ¶¶596 673, the data subject access request may be a subject’s rights request where the data subject may be inquiring for the organization to provide all data that the particular organization has obtained on the data subject or a data subject detection request where the data subject is requesting for the particular organization of delete all data that the particular or4ganization has obtained on the data subject); and

Brannon1 does not explicitly teach but the related art Brannon2 teaches::
	searching, by the server computing system based on the determined location of the personal information, the one or more databases using the first identifier and the second identifier to identify one or more data points associated with the requester(see Brannon2 ¶461, the system is configured to scan the one or more databases by searching for particular data fields comprising one or more pieces of information that may include personal data;
searching, by the server computing system, the one or more databases for the personal information of the requester based on one or more of the first identifier or the second identifier (see Brannon2 ¶461, the system is configured to scan the one or more databases by searching for particular data fields comprising one or more pieces of information that may include personal data. The system may, for example, be configured to scan and identify one of more pieces of personal data such as: (1) name; (2) address; (3) telephone number; (4) e-mail address; (5) social security number…¶462,  in response to discovering one or more pieces of personal data in a particular storage location, identify one or more associations between the discovered pieces of personal data).

Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention, to modify the data processing system for data testing to confirm data deletion and related methods disclosed by Brannon1 to include the data processing user interface monitoring systems and related methods, as thought by Brannon2. A person of ordinary skill in the art would have been motivated to do so, with a reasonable expectation of success because, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person's fingerprints or picture are useful for improved systems and methods to manage personal data in a manner that complies with policies, as taught by Brannon.

As to claim 2, the combination of Brannon1 and Brannon2 teaches the method of claim 1, further comprising verifying, by the server computing system, that the requester is associated with the first identifier (see Brannon2 ¶328, personal data may include, for example: (1) the name of a particular data subject (which may be a particular individual); (2) the data subject's address; (3) the data subject's telephone number… ¶332, responding to one or more data access requests by an individual).

As to claim 3, the combination of Brannon1 and Brannon2 teaches the method of claim 2, further comprising verifying, by the server computing system, that the requester is associated with the second identifier (see Brannon2 ¶328, personal data may include, for example: (1) the name of a particular data subject (which may be a particular individual); (2) the data subject's address; (3) the data subject's telephone number… ¶332, responding to one or more data access requests by an individual).

As to claim 4, the combination of Brannon1 and Brannon2 teaches the method of claim 1, wherein forming the question using the one or more data points includes identifying customer information to ask the requester for verification (see Brannon2 ¶461, scan and identify one of more pieces of personal data such as: (1) name; (2) address; (3) telephone number; (4) e-mail address; (5) social security number; (6) information associated with one or more credit accounts (e.g., credit card numbers); (7) banking information; (8) location data; (9) internet search history…; ¶718, the system may verify the age of a data subject in response to prompting the data subject to provide identifying information of the data subject (e.g., via a response to one or more questions); ¶630, the system is configured to perform these testing steps until at least a particular number of data points regarding each interface have been collected (e.g., a sufficiently large sample size, a predefined number of tests, etc.).

As to claim 5, the combination of Brannon1 and Brannon2 teaches the method of claim 1, wherein forming the question using the one or more data points includes degerming one or more types of questions to ask the requester for verification, the one or more types of questions including one or more of: a payment method, a content of a shopping cart, or a name of a person (see Brannon2 ¶385, one or more inventory attributes may comprise one or more other pieces of information such as, for example: (1) the type of data being stored by the first data asset; (2) an amount of data stored by the first data asset; (3) whether the data is encrypted; (4) a location of the stored data (e.g., a physical location of one or more computer servers on which the data is stored)).

As to claim 6, the combination of Brannon1 and Brannon2 teaches the method of claim 5, wherein the one or more databases comprises a database associated with the entity and at least one database associated with a third-party service associated with the entity. (see Brannon1 ¶201, managing a plurality of data assets of an organization with a third-party data repository; ¶202, managing a plurality of data assets of an organization with a unique subject identifier database)

As to claim 7, the combination of Brannon1 and Brannon2 teaches  the method of claim 6, further comprising: transmitting, by the server computing system, a notification to the requester indicating that the request for the personal information is denied based on failing to verify the identity of the requester (see Brannon1 ¶475, if the DSAR was not submitted by the particular data subject, deny the request).
As to independent claim 8, this claim directed to a system executing the method of claim 1; therefore, it is rejected along similar rationale.
As to independent claim 15, this claim directed to a computer program product comprising computer-readable program code to be executed by one or more processors when retrieved from a non-transitory computer-readable medium, the program code including instructions to execute the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 9-14 and 16-21,  these claims contain substantially similar subject matter as claim 2-7; therefore, they are rejected along the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NEGA WOLDEMARIAM/Examiner, Art Unit 2433                        


/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433