Thanks to CCPA, Californian consumers are about to have more control over their personal data. Evident CEO David Thomas stresses that identity verification is key if organizations hope to prevent fraud when responding to data subject requests.
January 1, 2020 marks more than just a new calendar year. For Californians, it marks a shift in power. The California Consumer Privacy Act (CCPA) will go into effect, and state residents will be allowed to take back control of their personal data. The rest of the nation will keep a close eye on California to inform and set the tone for a future federal privacy standard.
Driven by a steady stream of headlines about large-scale data breaches and the exploitation of personal information, consumers are beginning to understand the value of transparency and are looking forward to gaining visibility into how their personal data is collected, stored and shared. They will also be able to act on it. As a result, companies have been shifting business processes ahead of January 1 so that they have the resources and solutions in place to handle a potential deluge of consumer requests.
However, in preparing to meet consumer demand, many companies may be overlooking a larger issue. Giving consumers a direct channel to request their personal information from companies also gives attackers a channel: anyone who can convincingly impersonate a consumer can use the request process itself to obtain that consumer's data.
The consequences can be severe for companies without the right precautions in place to verify personal identity accurately and quickly.
These companies, and any company doing business in California, will have only six months after the law takes effect before enforcement begins. That leaves little time to see CCPA in action and adjust processes before facing backlash or penalties. Responding to consumer data subject requests (DSRs) should not be daunting, but companies are largely left to design the process themselves. With the potential influx of requests, a safe, secure and prompt response is imperative to avoid damage to brand reputation and, ultimately, to the bottom line.
Navigating the Challenges – and Understanding the Consequences
CCPA should come as no surprise to any modern organization. While CCPA focuses on California, no fewer than 25 other states have enacted data security mandates. The spotlight on privacy reached a peak when the European Union's General Data Protection Regulation (GDPR) took effect in May 2018, introducing a sweeping new data privacy regime. The scale of its penalties became clear little more than a year later. In July 2019, the UK Information Commissioner's Office announced its intention to fine British Airways £183 million (about $230 million) over a 2018 breach in which attackers harvested customer payment and personal data from its website. Days later, hotel conglomerate Marriott faced a similar fate, with a proposed fine of £99 million for a breach that compromised hundreds of millions of guest records.
With GDPR as a warning sign and proof that enforcement is real, companies should be well aware of CCPA and prepared for it to take effect, especially since some legal commentators have speculated that CCPA, though narrower than GDPR, may be enforced more aggressively given the U.S. regulatory and litigation environment. But preparation and execution are two different beasts.
At face value, laws like GDPR and CCPA exist to protect consumers, put them at ease and let them exercise their rights to access or delete their data. What consumers may not fully understand are the nuances and complications that come with these new rights, and how exercising them can unknowingly expose them to further risk. Simply put, CCPA introduces another avenue for attackers to steal personal data for identity theft or other criminal activity: the access request itself.
Cybercrime across the world continues to grow. More data created means more data to exploit. McAfee estimates that the global cost of cybercrime may be as much as $600 billion a year. Needless to say, business is booming for cybercriminals. For companies, the parameters are clear: a for-profit business that does business in California and meets any one of the qualifying criteria (annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices a year; or deriving 50 percent or more of annual revenue from selling consumers' personal information) must respond to "verifiable consumer requests," which means it is responsible for verifying the identity of anyone requesting their information. Failure to do so could result in serious repercussions.
For consumers, recovering from identity theft is not easy. It can have long-lasting effects that take longer than expected to rectify, including financial loss and damage to credit and reputation. That exhausting process can sour consumers on continuing to do business with a company.
Recently, PCI Pal, a U.K.-based payment solution provider, conducted a global survey that found 83 percent of consumers say they will stop spending money with a business for several months following a data breach. More than one-fifth said they would cease doing business with a company altogether after a breach. Losing one-fifth of its customers would have a dramatic impact on a company's revenue, not to mention the degradation of consumer trust in its brand.
Technology Can Provide a Safeguard
Companies in California, or those doing business with California residents, need a reliable way to confirm that the person submitting a DSR is actually the consumer whose personal data is being requested. Without a verification step between the request and the disclosure, the entire goal of CCPA is negated: a process meant to protect consumer privacy instead becomes an easier route for cybercriminals to obtain personal data.
There are few tools available for this problem and little baseline knowledge of how to address it. Some assume a manual process for verifying DSRs will suffice, and it may have in the past. However, CCPA will place a much higher demand on manual resources and quickly expose those processes as unwieldy, ineffective and too time-consuming.
An added layer of urgency is the response timeframe mandated by CCPA, which requires companies to respond to DSRs within 45 days. This time crunch increases the pressure to turn requests around quickly, and a side effect of rushing manual verification is human error: disclosing one consumer's data to someone else harms the consumer more than they realize and exposes the company to damages.
Using GDPR again as a preview of CCPA, there is no avoiding what is to come and no room for denial. Another survey, this time conducted by law firm Squire Patton Boggs, found that 71 percent of organizations saw an increase in data subject access requests (DSARs) because of GDPR, and that the companies receiving more requests also saw higher costs for managing them. Companies that are not prepared to handle a drastic increase in requests without automated processes in place will be especially vulnerable, as will companies that do not have CCPA compliance on their radar at all.
IT security provider ESET found that nearly half (44 percent) of respondents in a study of 625 business owners had never heard of CCPA. Even more striking, 34 percent said they "don't know" whether they will need to change data processes, and 22 percent said they "don't care." Additionally, 35 percent said nothing in their business needs to change to meet CCPA compliance. These businesses will fall even further behind with this attitude and lack of preparation, all the more so if they keep manual DSR processes in place.
Many companies have not yet gotten a handle on the personal data they already hold, and there will be no time to inventory it after the fact once CCPA takes effect. This pool of undocumented data will be nearly impossible to sift through when a DSR arrives, and the ease with which consumers can submit requests is sure to be a headache for business operations. The law requires businesses to offer at least two methods for submitting requests, including a toll-free number and, for businesses with a website, a web-based method, and to provide a clear way for consumers to opt out of the sale of their personal information. This level of accessibility only increases the likelihood that businesses become quickly overwhelmed, so the best solution is one that also relieves company staff of this burden. Whether companies are unprepared or believe they are fully ready for CCPA, without proper identity verification as the first step in handling a DSR, the entire process can be derailed and the request fulfilled for the wrong individual.
Automation can be a scalable solution and a key business strategy for staying ahead of these changes. Building identity verification into the front of the DSR workflow keeps personal and sensitive information out of the wrong hands, and a streamlined, automated process keeps CCPA true to its objective of protecting consumers and combating fraud without businesses suffering the consequences. A robust automated solution can go further, using techniques such as biometric matching to authenticate the requester so that sensitive data is returned only to the individual it belongs to. Verification should also be proportionate: collect no more information than is needed to match the requester to the records held, match the strength of verification to the sensitivity of the data being disclosed, and do not reuse what is collected for any other purpose. Ultimately, automation solves the problem of too many cooks in the kitchen with a more "hands-off" approach. Data passes through fewer workflows and fewer hands, which decreases the opportunity to inadvertently grant access to impostors and data thieves.
The Road Ahead
Consumers are more vocal and have more information at their fingertips than ever before. They feel empowered to act on the collection, storage and sale of their personal data. Cybercrime shows no sign of slowing down, with new trends, tactics and threats appearing every day. Trust between consumers and businesses needs to be strong if privacy regulations like CCPA are to be effective.
The downstream effects of failing to make identity verification the foundation of DSR management can be hard for a company to overcome. CCPA is meant to combat and reduce fraud, but it has the potential to do the opposite if identity verification is not treated as a serious strategic consideration. This is only the beginning, too, with further complications likely as the nation watches California after the law goes into effect.
Whether or not businesses are ready, ignoring identity verification is not an option when complying with CCPA. Consumer awareness has reached a tipping point where businesses bear the primary responsibility to demonstrate compliance. Whether they have the tools and solutions in place remains to be seen, but it is clear that identity verification is one of the most important considerations to address before January 1, 2020.