Businesses are preparing to comply with the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. One of the most complex yet critical elements of a compliance program is handling verifiable consumer requests (VCRs), also known as subject rights requests.
California Attorney General Xavier Becerra is expected to publish draft regulations on verifiable requests this month, which will give businesses more direction on how to handle VCRs. In anticipation, we analyze some of the key problem areas that companies need to consider and prepare for, drawing on nuances in the law itself as well as lessons learned from GDPR.
Today, some consumers choose guest checkout because they do not trust account usernames and passwords, perhaps because they do not believe companies can protect their privacy.
The CCPA does not require a requestor to have a username and password in order to be authenticated. Many people filing a VCR, perhaps the majority, will verify themselves online by logging into an existing account on the organization's website. To comply with the CCPA, however, organizations must also prepare for the customers and use cases where no such account exists.
The Act mandates two methods for submitting a VCR: online and via a toll-free number (unless the company operates exclusively online, in which case the phone number is not required). Organizations should expect both California customers and fraudsters to contact their call centers. This poses a hard problem: how do you verify a caller's identity over a phone line well enough to fulfill a VCR? SIM swapping defeats SMS-based verification, and social engineering of call-center agents is a long-established fraud technique, so mobile verification cannot be relied on in every case.
The law also gives parents of minors in California access rights over their children's data. Since most companies do not grant such access today, how will your organization do so when the CCPA takes effect? This is a difficult use case, and until the AG provides guidance, businesses will need to offer several verification methods, including knowledge-based authentication (KBA), to verify the identities of minors and of the parents acting for them. Note that KBA is a weak control on its own: the answers are frequently available from public records or prior data breaches, so it should be combined with other evidence rather than used as the sole factor.
No single channel or single method fits every case of CCPA compliance. Requests differ in sensitivity (confirming which categories of data are held is a lower-risk disclosure than handing over the specific data itself or deleting it), and customers differ in their preferences; companies must account for both if they are to comply with the CCPA without alienating their customers in the process.
Like GDPR, the CCPA opens the door to more fraud and risk. A recent Black Hat experiment by an Oxford University researcher (James Pavur's "GDPArrrrr" study, which used forged GDPR subject access requests to obtain another person's data) shows how consumer data requests made under such regulations can be abused. Under the CCPA, organizations must guard against handing a customer's personal information to an unauthorized third party who impersonates that customer, and then being sued by the customer for doing so.
Beyond the points above, to comply with the CCPA without saddling the organization with excessive cost, companies should aim for an automated, scalable, self-service process. They must also strike a balance: a process that is too hard denies legitimate consumers their rights, while one that is too easy hands data to impersonators.
Finally, organizations must abandon the notion that no one will request access. In a recent paper, Gartner predicts that 1-3% of customers will do so. And while the Act covers only California, many experts expect similar laws to take effect in other states and eventually to cover the entire country.
Ultimately, while compliance is a necessity, companies should also view the CCPA as an opportunity to engage with their customers and build trust, which, done well, can become a competitive advantage.