4-Step Guide to CCPA CRR Identity Verification & Fulfillment
January 2, 2020
With the new year celebrations behind us, CCPA is now in full effect. Luckily for businesses that are still navigating compliance with new Consumer Rights Request (CRR) stipulations, enforcement will begin six months from January 1 (the date that the AG issued the final regulations), which means that by July 1, 2020, companies must be able to demonstrate full compliance with CCPA.
The following is a 4-step guide to developing an effective and compliant CRR workflow.
- Create CRR Personas
CRRs are a particularly tricky aspect of CCPA because there’s no easy or accurate way to predict their volume and frequency. Perhaps more effective for organizations that are still in the throes of determining their approach to CRRs is to personify the data subjects who are likely to submit requests:
- Consumers with a registered account
- Consumers without a registered account
- Vendors or contractors
- Privacy lawyers
Once you’ve developed CRR personas, the next step is to determine how to capture their requests in accordance with CCPA laws.
- Refine Request Capture
In an attempt to choke off excessive CRR traffic, some companies are only enabling their account holders to submit CRRs after they’re logged into their platforms. While this is certainly an easier way to authenticate a requestor, it’s not fully compliant, as it doesn’t offer a non-gated way for any individual to submit their request.
In reality, companies gather a lot of data from individuals, whether they’re an account holder, a website visitor, or a third-party consumer, and under CCPA, individuals now have a right to know what and how much of their data is being held or sold.
Companies are certainly allowed to have CRR portals for registered account holders, but those that do this must also have a public-facing portal so that any of the aforementioned personas are able to submit a request.
- Add Identity Verification
The new CCPA laws around CRR mandate the implementation of identity verification prior to fulfilling an individual’s request. Companies that are subject to CCPA currently fall into one of three categories:
- Doesn’t have any kind of identity verification whatsoever
- Has an identity verification mechanism, but one that isn’t flexible or scalable enough to accommodate the influx of CRRs
- Uses an outdated technique in lieu of proper identity verification that is no longer deemed to be adequate or secure (e.g. multi-factor authentication like email, SMS, etc. and even self-attested through account login)
Identity verification may no longer be optional with CCPA laws, but with so many tools to choose from, companies should be able to find a mechanism that supports their CRR workflow. Different tools produce variable verification types, and choosing the most effective one for your organization will depend entirely on the nature of the business and the sensitivity of the personal data it collects, holds, and transfers.
Companies need to evaluate their data collection and storage to determine what level of assurance is needed for their specific CRR identity verification methods, while also taking into account how reasonable (or unreasonable) the request process is for the individual, as CRR workflow simplicity is yet another CCPA requirement.
Another thing to note is that – while not specifically mentioned in the CCPA text – organizations are generally discouraged from asking a data subject to send them a copy of their ID document via email to prove their identity. This is because the simple act of submitting an unencrypted document is neither secure nor safe for both the company and the individual, especially when organizations experience data breaches on a daily basis.
- Configure ID Verification Level of Assurance
Most enterprises leverage multi-factor authentication (MFA) to recover their users’ or employees’ accounts. A basic example of this is when a password is combined with an SMS or email code to authorize a login or transaction.
There are a few problems with this method, chief of which are the insecurities of mobile devices and email platforms. Cybercriminals can easily initiate a password reset request, and then spoof an enterprise employee’s mobile device and/or email address to hack into their account or potentially compromise an entire system. New mobile device vulnerabilities are exposing the dangers of using SMS or email corroboration for MFA account recovery.
The following examples illustrate why certain MFA and 2FA methods are no longer considered to be sufficient means of authentication without added verification:
- SIM Swaps: Even with access to one other personal piece of information (e.g. social security number, date of birth, first name, etc.), hackers can call a carrier and move a user’s phone number to a new SIM card that they own.
- Text Interceptions: Well-equipped criminals with access to an SS7 portal can grab text messages with account recovery codes and use them to log in before the account owner has even seen them.
Alternatives to these now-outdated authentication methods include identity corroboration through ID scans, selfie match, liveness detection, MNO verification, and, on the highest end of the level of assurance spectrum, virtual in-person verification. Companies can still leverage their tried-and-true MFA systems, but it’s recommended that they add a higher identity verification level of assurance or step-up verification for special cases that require it.
Lower levels of assurance may be appropriate if a consumer asks about the types of data being collected, but if they’re asking to actually see the data being collected or if they’re requesting deletion, a stronger level of assurance is preferable.
How Evident Helps
Evident can help you get to a higher level of identity verification assurance for situations that require it. If for example, a user that conducts multiple, high-value transactions on your platform is requesting access or deletion of their data, you’ll want to verify that they are who they claim to be and that they’re not a bad actor impersonating them to gain access to their personal data.
Evident also supports operationalizing your chosen identity verification method through integration with platforms like OneTrust and through automation. Our verification platform supports PII minimization, has an intuitive brandable UX/UI, and is scalable from a manual workflow in terms of volume and implementation options once companies begin to understand the full effect of CRRs on their business.