CCPA Identity Verification Compliance: Trial & Error

GDPR vs CCPA

The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, gives consumers the right to access, delete, or opt out their personal data. This new act will apply to firms that fall under either of the descriptions below:

1. Any for-profit organization doing business in the state of California that is collecting California-based consumers’ personal information (or has data collected on their behalf), and meets one of the following criteria:
   • Has at least $25 million in annual gross revenues.
   • Buys, sells, shares and/or receives personal information of at least 50,000 California consumers, households or devices, annually.
   • Derives at least 50% of annual revenue from selling California consumers’ personal information.
2. Any business that controls or is controlled by an entity that meets the above criteria and shares common branding with that entity.

CCPA is similar in nature to the EU’s General Data Protection Regulation, but there are some key differences. In contrast to the GDPR, the CCPA doesn’t require mandatory implementation of:

• Concepts like privacy-by-design and privacy-by-default
• Data Protection Officer (DPO) requirements
• Data Protection Impact Assessments (PIAs)
• Restrictions on cross-border data transfers
• 72-hour breach notifications
• Foreign company registration requirements

One of the most notable commonalities between the GDPR and the CCPA is obligations surrounding Data Subject Requests (DSRs), which gives individuals certain rights around accessing, deleting, and opting out their personal data.

The biggest difference between GDPR and CCPA is how the regulations will differ in their enforcement – although GDPR is the more comprehensive law, the CCPA will be more strictly enforced, because the U.S. generally has more rigorous regulatory oversight than the EU.

Other key differences are as follows:

1. The GDPR is far stricter about what data processing is legally permissible. Affirmative consent is required for any data processing, not just reselling the data, but also collecting it in the first place.
2. The CCPA assumes permission (if the data is linked to an individual above 16 years old) and only requires that consumers be able to revoke that permission by opting out.
3. The CCPA’s disclosure requirements differ from GDPR insofar that, under CCPA, consumers must be notified of their rights and of what categories of information have been shared with or sold to third parties within the last year.

The differences between GDPR and CCPA are diverse, but it’s important to be aware of them so businesses can begin to assess how to work within their confines and demonstrate compliance while combating both fraud and legal retaliation.

Lawyers vs Cybercriminals

As part of the mandated requirements around CCPA DSRs, companies are not only obligated to furnish, delete, or opt individuals out of the sale of their data, they’re also required to verify every requester’s identity to avoid inadvertently sharing sensitive data with fraudsters. Companies that are subject to CCPA must also be able to keep track of each data subject request by logging the requester’s preferences as well as whether (or not) they’ve been verified.

We’ve talked a lot about how cybercriminals have a unique opportunity to take advantage of DSRs, but the other group that companies need to be prepared to placate on January 1, 2020 are the opportunistic data protection and privacy lawyers who will be proactively scrutinizing processes to see if companies will make mistakes and accidentally furnish data to the wrong person so they can sue on behalf of their consumers.

Companies must be ready on the very first day that the CCPA goes into effect, and must be able to handle DSR requests securely, consistently, compliantly, and possibly in high volume. Unfortunately there is no time to “warm up,” as the tidal wave of requests – including people’s motivation for each request – will be highly unpredictable.

Class Action Lawsuits

In addition to companies being purposely baited by lawyers to determine the strength of their identity verification processes, it’s also likely that companies will be subject to class action lawsuits due to improper data usage, which is why it’s important that your identity verification tool also have built-in encryption and data protection capabilities.

It should come as no surprise that the 2019 Carlton Fields Class Action Survey indicated that the next wave of class action suits will result from data breaches. In fact, companies predicting data privacy as the next wave of class actions nearly doubled from their 2018 survey (from 28.9% to 54.3%), likely due in large part to the growing frequency of large-scale data breaches.

Based on responses elicited from more than 300 general counsels and in-house attorneys, only 8.7% (26 companies) identified GDPR class action suits as a potential threat, while two-thirds of respondents (200 companies) reported concern about U.S. State data protection laws like CCPA, which leads them to believe that this and other state-level privacy regulations will be the reason for an expected uptick in data breach class action lawsuits.

How Evident Helps

Companies that are subject to CCPA and other U.S. State-level privacy regulations should be actively prepared and should begin documenting the steps they’re taking to demonstrate compliance with the law, which can dually serve as evidence that your company was not negligent with data in the event of a lawsuit or a breach.

Evident’s new Verified Data Request (VDR) DSR identity verification tool is helping businesses vet each request, distinguishing bad actors and bots from genuine individuals who want to access, delete, or opt out their personal data.

With connections to more than 6,500 authoritative data sources through a single API, Evident’s VDR is simplifying the identity verification portion of the DSR request workflow, enabling companies to corroborate a requester’s data points quickly, securely, and accurately, without ever returning “data subject not found” results.

In addition to supporting identity verification for DSR workflows, VDR also helps businesses demonstrate general privacy compliance through Evident’s asymmetric, end-to-end encryption, designed to protect each individual piece of personal data collected for verification purposes.

Want to learn more about how Evident can help reduce instances of fraudulent DSRs while also protecting sensitive data?

Contact our sales team.