With California Consumer Privacy Act (CCPA) enforcement beginning July 1, enterprises are under more pressure than ever to comply with the new law. This is despite having limited resources and budgets resulting from the pandemic, with 56 percent of data privacy professionals expecting an increase in CCPA rights requests as a result of COVID-19. Under CCPA, California consumers can request what types of personal data have been collected and why, and can also request the deletion of personal information and ask that their information not be sold to third parties. Currently, 51 percent of companies are receiving more than 10 requests a week, and 20 percent are receiving more than 100 requests a week (source: Truyo, April 2020).
Increasing this pressure is the added potential for businesses to mistakenly commit fraud during personal data disclosure. As most businesses have shifted online, organizations must be able to verify the individual making the data request is the legitimate account owner and not a fraudster trying to obtain someone else’s personal data. If someone can obtain an individual’s personal information by requesting it through the CCPA, the law becomes ineffective, putting confidential personal information into the wrong hands.
Companies that must comply with CCPA (based on their size, type of business and whether or not they have California customers) are responsible for ensuring the person making the rights request is who they claim to be to keep personal information protected while mitigating the chances of fraud.
How can organizations safely and securely comply with the rapid increase in rights requests, especially while resources are more limited than usual due to pandemic-related budget constraints?
As near-daily data breaches, phishing and social engineering attacks continue to expose user information on the dark web, cybercriminals can easily gain access to Personally Identifiable Information (PII) including names, passwords, email addresses and home addresses of consumers victimized by their fraud vectors. They can use this PII to log in as the user, change passwords to lock users out, and access user benefits. Therefore, if a CCPA request is submitted through a password-protected account maintained with the business online, it’s impossible to know whether the person making the rights request is the actual account owner or a fraudster who gained access to the account with exposed information. Enterprises without proper identity verification measures in place can easily hand over personal information to the wrong person unknowingly.
To facilitate secure rights requests businesses cannot trust that the person making the request is who they say they are. Today’s advanced fraud landscape complicates an already difficult data privacy situation because exposing consumer information to the wrong consumer can have devastating repercussions. The data requested in rights requests is rich with PII and therefore holds a significant commercial value to cybercriminals. Because this information is of high value, fraudulent data rights requests are set to be a huge attack vector for fraud. Armed with this information, fraudsters can then perpetrate identity theft and even take over other online accounts of legitimate consumers.
To safely comply with verifiable consumer requests, organizations need to have a high level of assurance that the person making the request is legitimate. This means businesses must shape their ongoing verification methods on a few strategic factors, such as:
- Type, sensitivity or value of personal information
- Risk of harm to the consumer posed by unauthorized access or deletion
- Likelihood that bad actors would seek the information
- Vulnerability to being spoofed
- Manner in which the business interacts with the consumer
- Available technology for online verification
As a best practice, businesses need to ensure they have reliable ways to authenticate the digital identities of new users. For example, if you only rely on self-reported data (e.g., name, address, phone number) to create an online account, then anyone with access to that information can submit verifiable consumer requests.
Tethering a new account to a government-issued ID document and a corroborating selfie provides a significantly higher bar of identity assurance. And by requiring a biometric (e.g., a 3D face map) at account opening, modern enterprises can then rely on that same biometric to prove someone’s digital identity when they make a verifiable consumer request.
To remain compliant, organizations must seek identity verification solutions that:
- Provide business customers with a complete list of the personal data collected.
- Manage consumer requests for deletion of personal data after the identity verification has been performed. If your identity verification provider stores this information on their servers, you will need a process to easily remove personal data, if requested.
- Have a policy against re-selling consumer data without prior acknowledgment (businesses should seek written confirmation that consumer data is kept strictly confidential).
- Store personal data securely and have predetermined data retention policies in place to assure the timely deletion of that data.
- Can manually override retention policies and have consumer data deleted upon written request.
A recent survey found that 86 percent of CISOs and compliance officers in North American organizations subject to CCPA are not sure whether their organizations gather and store more consumer data than necessary. To minimize risks, organizations should only keep data that is necessary to the direct service of the business. Implementing a data tracking system will also ensure organizations can access and delete data collected over the past 12 months if requested under CCPA.
A June 2020 survey found that nearly one-third of organizations have just started planning for CCPA. More than 20 percent of respondents reported that they are either somewhat unlikely to be, very unlikely to be, or don’t know if they will be fully compliant with CCPA on July 1. With only 14 percent of respondents completely CCPA compliant, enterprises clearly have a long road ahead to be prepared for enforcement.
A digital identity verification solution with data security, transparency and retention policies to comply with CCPA is key for enterprise compliance, critical for keeping consumer information protected and essential to granting California consumers their rights under CCPA.