Corporate Compliance Insights

CCPA Puts Consumers in Control of Their Data

…But Are They Who They Claim to Be?

by David Thomas
November 8, 2019
in Data Privacy, Featured

Thanks to CCPA, Californian consumers are about to have more control over their personal data. Evident CEO David Thomas stresses that identity verification is key if organizations hope to prevent fraud when responding to data subject requests.

January 1, 2020 marks more than just a new calendar year. For Californians, it marks a shift in power. The California Consumer Privacy Act (CCPA) will go into effect, and state residents will be allowed to take back control of their personal data. The rest of the nation will keep a close eye on California to inform and set the tone for a future federal privacy standard.

Driven by rampant headlines on the latest large-scale data breaches and frequent reports on the use and exploitation of personal information, consumers are beginning to understand the benefits of transparency and look forward to an opportunity to gain full awareness over the collection, storage and sharing of their personal data. Furthermore, they will be able to take action. As a result, companies have been preparing in advance of January 1 to shift business processes so they will have the resources and solutions in place to meet a potential deluge of consumer inquiries.

However, in preparing to meet the demands of consumers, there is a larger issue at stake that many companies may be overlooking. Consumers having a direct line to request sensitive information from companies opens a floodgate of opportunity for malicious individuals or parties to deceitfully impersonate consumers with the sole purpose of gaining access to their sensitive information.

The consequences can be severe for companies without the right precautions in place to verify personal identity accurately and quickly.

These companies – and any company conducting business in California – will only have six months before the enforcement of CCPA. This is quite an abrupt deadline for companies to see CCPA in action and quickly adjust processes before facing major backlash or penalties. Responding to consumer data subject requests (DSRs) should not be a daunting process, but it is one that leaves companies to their own devices to figure out without regulatory recommendations or oversight. With the potential influx of requests, a safe, secure and prompt response is imperative to avoid a spiral of damage that can affect brand reputation and, even more dire, bottom lines.

Navigating the Challenges – and Understanding the Consequences

CCPA should come as no surprise to any modern organization. While CCPA focuses on California, no fewer than 25 other states have enacted data security mandates. The spotlight on privacy reached a pinnacle when the European Union’s General Data Protection Regulation (GDPR) took effect in May 2018, introducing the world to a new and sweeping data privacy regulation. Acting as a primer, the severity of GDPR became clear in less than a month and a half. In July 2018, British Airways was the first company fined ($230 million) for a data breach that illegally collected personal consumer data. Hotel conglomerate Marriott faced a similar fate as the second company penalized for a breach that compromised personal data.

With GDPR as a warning sign and proof of enforcement, companies should be well aware of CCPA and prepared for it to take effect, especially given that legal experts have speculated that CCPA – though not as comprehensive as the GDPR – will be more strictly enforced because the U.S. generally has more rigorous regulatory oversight than the EU. But preparation and execution are two different beasts.

At face value, policies like GDPR and CCPA are in place to protect consumers, put them at ease and enable them to exercise their rights to request access or deletion of their data. What consumers may not fully understand are the nuances and complications that can arise with these new rights and how they can unknowingly place themselves at even further risk. Simply put, CCPA will introduce another avenue for hackers to steal personal data for identity theft or other criminal activity.

Cybercrime across the world has reached an all-time high. More data created means more data to exploit. McAfee estimates that the global cost of cybercrime may be as much as $600 billion. Needless to say, business is booming for cybercriminals. For companies, the parameters are clear: If they meet any of the qualifying criteria (an annual gross revenue of more than $25 million; access to personal data of more than 50,000 people; or more than 50 percent of revenue earned from selling personal consumer information), they are responsible for verifying the identities of individuals requesting their information. Failure to do so could result in serious repercussions.

For consumers, recovering from identity theft is not easy. It can have long-lasting effects that can take more time than expected to rectify, including financial loss and a potential impact on credit and reputation. This exhausting process can sour consumers on continuing to interact with a business.

Recently, PCI Pal, a U.K.-based payment solution provider, conducted a global survey that found 83 percent of consumers claim they will stop spending money with a business for several months following a data breach. More than one-fifth said they would cease business or interaction with a company following a breach. If a company were to lose one-fifth of its business, that would have a dramatic impact on its revenue – not to mention a degradation of consumer trust in its brand.

Technology Can Provide a Safeguard

Companies in California, or those conducting business with California residents, need solutions in place to find out who officially “owns” the personal data requested through a DSR. Without a middleman to protect both consumers and companies, the entire goal of CCPA to protect consumer privacy rights is negated, instead providing a greater chance for cybercriminals to compromise personal data.

There are simply not enough tools available, nor enough baseline knowledge of how to thwart this issue. Some think a manual process to verify DSRs will work, and it may have in the past.

However, CCPA will place a higher demand on manual resources, and companies will quickly find these earlier processes to be unwieldy, ineffective and too time-consuming.

An added layer of urgency is the response timeframe mandated by CCPA, requiring companies to respond to DSRs within 45 days. This time crunch increases the pressure on these organizations to turn around requests quickly, which can in turn introduce human error that can harm consumers even more than they realize and expose the company to damages.

Using GDPR again as a preview of CCPA, there is no avoiding what is to come and no room for denial. Another survey, this time conducted by law firm Squire Patton Boggs, revealed that 71 percent of organizations saw an increase in data subject access requests (DSARs) because of GDPR. Furthermore, those companies receiving more requests experienced an increase in cost associated with managing DSARs. Companies that are not prepared to manage this drastic increase in requests, and have no non-manual solutions in place, will be especially vulnerable, as will companies that do not have CCPA compliance on their radars at all.

IT security provider ESET found that nearly half (44 percent) of respondents to a study of 625 business owners have never heard of CCPA. Even more shocking, 34 percent said they “don’t know” if they will need to change data processes, and 22 percent said they “don’t care.” Additionally, 35 percent of respondents say nothing in their business needs changing to meet CCPA compliance. These businesses will be even further behind with this flippant attitude and lack of preparation – more so if they plan to keep manual DSR processes in place.

Companies may not have even begun to get a handle on the personal consumer data they have already, and they will not have time to reverse-engineer once CCPA takes effect. This pool of nebulous data will be nearly impossible to sift through when consumers submit a DSR, and the ease with which they can do this is sure to be a proverbial headache for business operations. The policy calls for companies to offer a toll-free number and a webpage for consumers to have a way to opt out of data collection. This level of accessibility only increases the likelihood that businesses will quickly become overwhelmed. The best solution is one that should also relieve company resources of this task. Whether companies are unprepared or believe they are fully ready for CCPA, without proper identity verification processes in place as the first step to managing a DSR, the entire process can be derailed and the request fulfilled for the wrong individual.

Automation can be a scalable solution and a key business strategy to stay ahead of upcoming changes. Building identity verification into the forefront of DSRs will keep personal and sensitive information from getting into the wrong hands. A streamlined, automated process will ensure CCPA sticks to its true objective – to protect consumers and combat fraud – ensuring businesses do not have to suffer the consequences. A robust automated solution can provide further reassurance, with tactics in place to authenticate identity using biometrics so sensitive data is only returned to the individual to whom it belongs. Ultimately, automation can solve the problem of too many cooks in the kitchen with a more “hands-off” approach. This allows data to travel through fewer workflows, which decreases the opportunity for inadvertently granting access to imposters and data thieves.

The Road Ahead

Consumers are more vocal and have more information at their fingertips than ever before. They feel empowered to take action on the collection, storage and selling of their personal data. We have seen that cybercrime shows no sign of slowing down – with new trends, tactics and threats appearing every day. The collaboration and trust between consumers and businesses needs to be strong so privacy regulations like CCPA can be effective and successful.

The trickle-down effect of not incorporating identity verification as a foundation to DSR management can be hard for a company to overcome. CCPA is meant to combat and decrease fraud but has the potential to do the complete opposite if identity verification is not a serious strategic consideration. This is only the beginning, too, with a promise of further complications as the nation watches California after the law goes into effect.

Whether or not businesses are ready, it is not an option to ignore identity verification when complying with CCPA. Consumer awareness has grown to a tipping point where businesses hold the primary responsibility to demonstrate compliance. Whether they have the tools and solutions in place is still up in the air, but it is clear identity verification is one of the most important considerations to take into account before January 1, 2020.


Tags: California Consumer Privacy Act (CCPA)
David Thomas

David Thomas is CEO and Co-Founder of Evident ID. He is an accomplished cybersecurity entrepreneur, having held key leadership roles at market-pioneers Motorola, AirDefense, VeriSign and SecureIT. He has a history of introducing innovative technologies, establishing them in the market and driving growth – with each early-stage company emerging as the market leader. Since being recruited by the Department of Defense at a young age, David has been at the forefront of cybersecurity innovation. David sees cybersecurity as the key ingredient to enable trustworthy and fast interconnectivity between the billions of people and devices that will soon be constantly connected.
