Just when we thought 2020 was difficult enough, we can add another layer of risk to the long list of challenges we’ve faced this year: California begins enforcing the California Consumer Privacy Act (CCPA) on July 1.
In the first six months of this year, we’ve seen a spike in fraud targeting the elderly and in fraud accompanying the Paycheck Protection Program and the Coronavirus Aid, Relief, and Economic Security Act. We’ve also experienced a delay in the tax season and the distribution of the 2020 Census. In the second half of the year, we’ll likely experience challenges associated with the presidential election as well as the ongoing social and economic implications of COVID-19.
In comparison to the trials and tribulations presented by 2020 so far, the enforcement of the CCPA is a relatively minor development. However, companies that ignore it do so at their own peril. California’s Attorney General remains committed to moving ahead with CCPA enforcement on July 1, and CCPA is probably the first of many state laws designed to strengthen consumer privacy rights in the United States. Furthermore, the California Privacy Rights Act, AKA CCPA 2.0, a more robust version that would replace CCPA, will be on the November ballot later this year.
More Lawsuits and Financial Penalties on the Horizon
CCPA has been in place since 2018 but has not been enforced until now. Starting in July, we will likely see companies fined for noncompliance and consumers collecting damages of $100–$750 per incident (here come the class action lawsuits!).
For example, if a firm experiences a breach involving unintentional violations and impacting 50,000 Californians, at $2,500 per unintentional violation, the total fine assessed by the state of California would be $125 million.
If those affected Californians then sued the company and won the minimum in damages of $100 for each incident, the company would pay an additional $5 million, not including legal fees and brand risk.
Tens of Millions of Californians Will Want Answers Quickly, Easily, and Safely
New data from IDology’s Third Annual Consumer Digital Identity Study indicates that 22 million Californians plan to submit an estimated 113 million CCPA access requests. From a demographic perspective, the most likely consumers to submit requests will be younger with higher incomes. These consumers might be particularly technically savvy and represent the greatest long-term potential for revenue for the companies they do business with. They might also be the most likely to participate in a class action lawsuit and/or make use of the civil action opportunities that CCPA allows.
While companies face a monumental task of fulfilling these requests in a timely manner, many continue to overlook the importance of identity verification and its role in ensuring a successful, secure, and compliant process related to data subject access requests (DSARs).
It’s worth noting that responding to DSARs is a critical and complex part of CCPA compliance, with potentially hundreds of permutations. Yet complying with this aspect of CCPA is at the heart of ensuring customer data privacy and security.
According to IDology’s Third Annual Consumer Digital Identity Study, 67% of consumers don’t think companies do enough to secure their personally identifiable information. Additionally, consumers dislike friction during the identity verification process, especially during “moments of trust,” when a company hopes to foster a trust-based relationship with new and existing customers.
Minimizing the Stresses and Strains on Your Organization and Its Customers
While CCPA has the potential to become a major thorn in the side of any organization that fails to prepare for its enforcement, there’s still time for your business to prepare to withstand regulatory scrutiny.
First, as an organization, acknowledge that CCPA is coming and that it will result in enforcement activity. Second, set aside time to focus on your approach to identity verification, especially as it relates to DSARs.
Thankfully, due to data privacy laws already in existence, including the General Data Protection Regulation (GDPR) in Europe, there are already best practices that reflect a deep understanding of the potential missteps around security, user experience, and how to integrate new laws into existing privacy systems.
There’s also guidance available on how to utilize third-party providers and leverage their expertise to mitigate risk and automate the process, including how to offer customers multiple options to submit a request.
And keep in mind that CCPA compliance does not necessarily mean CCPA security. Research shows that when complying with GDPR, numerous companies struggled to verify the legitimacy of the data requests they received.
As mentioned, CCPA is likely to be the first of many data privacy laws in the United States. Many other states plan to follow suit, with 85% of citizens in other states supporting CCPA-like measures and 87% saying they’d be likely to request access to the personal data that companies hold in their possession.
A recent webinar conducted with WireWheel featuring Erin Illman, partner and chair at the privacy and information security practice of Bradley LLP, went into more detail about minimizing identity verification for CCPA data subject access requests, the state of CCPA readiness, regulatory updates, and best practices for identity verification to help you minimize your risk exposure while managing DSARs.