Top 10 Identity Verification Takeaways from CA AG’s Proposed CCPA Regulations
California Attorney General Xavier Becerra posted his much-anticipated draft of proposed regulations pertaining to the implementation of the California Consumer Privacy Act (CCPA) on Thursday, October 10. The CCPA goes into effect Jan 1, 2020 with enforcement commencing on July 1, 2020.
Businesses have been looking forward to AG Becerra’s regulations to provide clarity and guidance on the many aspects of CCPA, especially given that they have fewer than 90 days to ensure that their systems and processes are compliant with the Act.
Poorly designed and executed CCPA identity verification opens up significant risks of compromising customer data and enabling fraud, and the business runs the risk of incurring fines. This double whammy also harms customer trust. Clunky identity verification with unreasonable friction will give end customers a poor user experience with negative brand repercussions.
Prior to the proposed regulations, CCPA was somewhat vague in its guidance. While AG Becerra’s regulations are not yet finalized (public comments conclude on December 5, 2019) the proposed details offer businesses the clarity and directives they need to create and implement compliant, safe, and user-friendly identity verification processes.
Below are important initial key takeaways and considerations:
Preliminary estimates suggest a total of $467 million to over $16 billion in costs to comply with the draft regulations, if finalized, during the time period of 2020 to 2030.
The Attorney General considered and rejected prescribing a specific method for all businesses to follow to verify the identities of persons submitting requests to know or delete personal information. According to the Initial Statement of Reasons (ISOR) the AG wishes to provide flexibility to industries that have different needs and use cases. For example, physical retail outlets should offer in-store personal data request forms. This also leaves the door open to future changes as security, fraud, and technology changes.
The AG’s regulations categorize verifiable requests two ways: 1) registered password-protected online account and 2) non-registered account.
A major area of concern with respect to CCPA is fraudulent access to customers’ personally identifiable information. The potential for this scenario to occur is represented in a GDPR Blackhat research study that demonstrated the startling number of UK-based businesses that gave information to someone other than the requestor. With respect to security, the AG’s guidance centers on the implementation of “reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.” This is a topic that deserves further investigation by companies.
The proposed rules enable businesses to fill requests in-house using the personal information they have on their requesting customer or use a third-party identity verification service to fulfill these requests.
In addition to a toll-free phone number and online form, the proposed regulations stipulate that requests may be submitted in person, such as via a physical retail outlet and through the mail. This will drive the number of potential combinations of request submission methods to well above 200 permutations.
AG Becerra recommends varying the verification thresholds and requirements based on the sensitivity of the data requested and the nature of the request—i.e., whether the user simply their data versus the user asking the business to delete their data. A data deletion request should mandate higher levels of verification.
If a business cannot confirm the identity of a requestor, it must describe in writing the reason for the denial. Having transparent reason codes returned to the business and ultimately the requestor will be essential for compliance and a positive customer experience. This transparency will also facilitate dynamic escalation to other methods of identity verification if needed.
The AG’s proposed regulations give businesses the flexibility to “step up” or escalate additional verification methods to requestors. The information collected should only be used for the purposes of verifying the requestor’s identity and/or security or fraud-prevention purposes. Any new personal information collected must be immediately deleted after verification.
The AG requires multi-factor authentication even with a registered password-protected online account. In some cases, the AG recommends businesses require three forms of identity for verification. Additionally, a business shall use a two-step process for online requests to delete data. In these cases, the consumer must first submit the deletion request and then separately, “out of band,” confirm that they want their personal information deleted.
A smooth, efficient IDV process will be an essential part of businesses coming into compliance with CCPA. In fact, AG Becerra warns that companies that try to maintain a manual verification process will ultimately incur far higher costs than businesses that implement an automated solution from day one.