We’ve gone on the record before regarding the considerable challenges posed by the California Consumer Privacy Act, but it is worth repeating. The CCPA is more than just a compliance exercise for California customers. In particular, the requirement to provide consumers with secure access to the personal information held on them is something that many impacted companies will struggle mightily to accomplish.
Failing to comply with the Act comes with the threat of fines from the state of California, along with the potential for lawsuits from breached and disgruntled consumers. Additionally, failure to comply or doing so in a clunky way can harm the customer relationship. Requests for personal information, referred to by CCPA regulations and literature as “verifiable consumer requests” or VCRs, will typically occur at a moment of trust that can either reassure or concern the end user.
On top of concerns surrounding customer experience, businesses must also acknowledge that a poorly prepared identity verification program for CCPA that is difficult to deploy, manage, change, scale, and automate can cause a debilitating “death by a thousand cuts.”
Companies have plenty of benchmarks to meet as CCPA’s January 1, 2020 implementation date draws near, so keep reading to learn more about the hallmarks of a CCPA-compliant identity verification program.
1. The right amount of friction at the right time
According to our seventh annual fraud report, balancing fraud prevention and customer friction is the number one challenge to fraud deterrence. Consumers dislike additional effort when requesting access to their data—in fact, our research revealed that too much friction resulted in a 19 percent year-over-year increase in online account abandonment—but they do expect additional levels of verification to feel their info is being adequately safeguarded.
Deploying multiple layers of security is imperative with any identity verification process. Intelligent solutions that can dynamically approve and escalate when necessary provide the most value. Identity verification must balance the need for security with the customer’s desire (and need) for convenience by inserting enough security at the right point in the process of verifying an individual’s identity.
2. Multiple, integrated IDV methods with escalation capabilities
A legitimate consumer may struggle to provide the information needed to complete the identity verification process. In these cases, companies should be able to offer multiple methods to verify identities. Furthermore, if a consumer hits a roadblock, companies should escalate their request with the goal of resolving it quickly.
California Attorney General Xavier Becerra’s proposed regulations give businesses the flexibility to “step up” or escalate to additional verification methods for the purposes of verifying requestor identities. This escalation process should be done seamlessly; in other words, the IDV system should deploy the advanced method in one session based on certain criteria without interrupting the customer experience. In addition to a smooth user experience on the front end, the back-end escalation methods should be connected into one data stream and interface for easier management and reporting.
The information collected during this process should only be used to verify the requestor’s identity and/or for security or fraud prevention purposes. Any new personal information collected must be immediately deleted after verification.
3. Contextual sensitivity regarding the information requested
CCPA regulations stipulate that companies must match the identity verification method to the sensitivity of the data requested. Therefore, companies must select and align the identity verification methods with the consumer data they possess.
The general rule of thumb here is that the higher the data’s sensitivity, the more stringent the verification method employed. In other words, a consumer’s request to delete all of their family photos, for example, should be immediately escalated to a verification method that requires several steps and a deletion confirmation from the verified individual. A low-stakes request, such as access to an online restaurant reservation account, would not require escalation.
4. Call center solutions and training
Companies that offer customer service over the phone are required by CCPA regulations to maintain a toll-free phone number-based VCR method. Online-only companies are exempt from this requirement. To be able to accommodate VCRs via phone and process them in a reasonable period of time, however, companies using this channel must offer a safe, integrated verification process for the call center environment.
Call centers are sometimes known in the fraud industry an “fraud enablement channels,” so businesses will need robust IDV solutions and ongoing training for staff members. Companies and customer service representatives (CSRs) will need to be well educated in all fraud methods and know how to respond to hard-to-detect forms of fraud, such as social engineering attacks.
Tools such as dynamic KBA and mobile one-time passcodes are integral in reducing the frequency of these attacks. With the right technologies, IDV methods, and training, CSRs can protect themselves against CCPA-specific social engineering aimed at gathering PII.
5. A proven, scalable approach with the ability to automate
Since CCPA has yet to take effect, estimates regarding how many consumers will submit document requests remain educated guesses. Nonetheless, when the Act goes into effect on January 1, 2020 and becomes widely known, companies can expect a steady increase in the number of requests submitted. Gartner forecasts that VCRs could reach as high as 5 percent of all California-based customers.
Many industry experts predict that the CCPA may result in a nationalized data privacy law; in fact, there are many states with similar laws currently under consideration. Therefore, an identity verification solution must be serviceable in-house, scalable, and provide the option to automate requests from California initially and from other states in time.
6. Flexible and easy to update
The identity verification solution a company selects must be easily deployable, flexible, and simple to update without the need for IT services as the threat landscape changes or regulators adjust what they deem a compliant approach to identity verification.
An overly prescriptive approach that lacks such flexibility will eventually burden the company with too much red tape, alienate consumers, and ultimately prove problematic as technologies evolve, consumer preferences and practices change, and fraudsters find and exploit CCPA-related IDV gaps.
Beyond flexibility, a CCPA IDV solution should also return clear, easy-to-interpret codes when a verification attempt fails or results in an escalation. CCPA regulations stipulate that when a VCR requires more information for fulfillment or fails altogether, the company must provide the requestor with the reasoning behind the issue.
Transparent reason codes produced by the IDV system ensure that the business can meet this requirement of the law without impacting their compliance standing or the customer experience their company provides.
7. Mobile friendly
Companies should expect mobile-based requests and will need to offer mobile IDV for CCPA. According to our second annual consumer digital identity survey, 2019 was the first time that Americans opened more new accounts online with their mobile device (61%) than on a computer (56%) over the past 12 months.
Fortunately, the mobile platform offers convenient passive and active identity capabilities, including mobile attribute assessments and identity (e.g., name to phone), fortified one-time verification links, and document ID scan. Another bonus is that dynamic knowledge-based authentication can be intuitively presented via mobile device.
Gathering and using personal data is a very important task, and doing so responsibly requires sensitivity and attention to detail. As the trustees of consumer data—and regardless of the verification methods employed—companies must exercise caution when fulfilling requests for consumer data. As such, any identity verification solution that a company employs must focus on ensuring that consumer data remains safe and accessible only to those with a legal right to do so.