Operationalizing CCPA Compliance with Automated Identity Verification
September 10, 2019
The DSR Tidal Wave
Thanks to GDPR and other global privacy regulations, consumers now have a right to know what and how much of their data a company is collecting and storing, but few regulators have provided concrete recommendations for how businesses should respond to Data Subject Requests (DSRs) in a safe, secure, and timely fashion.
With no clear direction, and only a handful of tools available to help streamline requests, many companies either architected their own DSR processing method, or began handling each request manually – a highly ineffective (and insecure) process that made DSRs even more challenging, costly, and time-consuming.
In a recent study, law firm Squire Patton Boggs reported completing the same number of DSRs in the first five months of 2019 as they’d handled during the entire year of 2018. Of 64 organizations they surveyed, 67% reported an increase in costs associated with the process of responding to DSRs, and 27% hired new personnel to deal with this growing trend.
Now, more than a year into GDPR, and with California Consumer Privacy Act (CCPA) coming into force on January 1, 2020, it’s become clear that the DSR tidal wave is far from over, and companies need a better way to handle these requests.
DSR Regulatory Implications
Under GDPR, even if companies have an effective process to handle DSRs, they may still be fined to the fullest extent (4% of total worldwide annual turnover or €20M, whichever is greater) if they impose unreasonable or disproportionate requirements to authenticate individuals exercising their rights to access their data.
Under CCPA, which is set to go into force on January 1, 2020, a business that responds to a verified DSR (known in legal terms as a Consumer Rights Request, or CRR) must disclose all of the data it has amassed about the individual in the 12 months prior to the request. Aggregating this data can be laborious in and of itself, but even more challenging is CCPA’s mandate that businesses respond to a CRR within 45 days.
The new laws require faster turnaround times, and so do your employees and customers. Companies that don’t respond quickly enough to DSRs and CRRs run the risk of being bombarded with follow-up emails and calls from impatient data subjects who expect immediate action on their requests.
Why DSRs Need Identity Verification
A recent Black Hat Conference presentation revealed just how much data companies were inadvertently sharing with fraudsters. It’s common knowledge that cybercriminals impersonate real people online, but now, they’re using their email spoofing and document falsifying skills to take advantage of a giant privacy loophole: submitting DSRs with the purpose of gaining access to personal data that isn’t theirs.
Without proper identity proofing, organizations end up doing the exact opposite of what these new global privacy regulations were intended to achieve:
- Broadening subjects’ rights and giving them ownership of their data
- Holding organizations accountable for their data security practices
- Decreasing instances of fraud in an increasingly data-centric world
Identity verification should be the very first step in every organization’s DSR workflow, and choosing a verification mechanism that produces a higher level of assurance can be especially beneficial for weeding out bad actors, bots, and other cybercriminals.
American companies that handle DSRs today employ verification tactics that offer little to no assurance (e.g. self-attested verification, or ID document scanning without biometric verification). Industry experts recommend stepping up DSR verification processes by incorporating biometric verification (e.g. a driver’s license compared to a selfie) and a public records check to doubly validate that the data subject is who they claim to be, prior to handing over the personal data they’ve requested.
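The two paragraphs above describe a control rather than a product: identity verification comes first, disclosure is gated on the assurance level the verification achieved, and the disclosure itself is scoped to the 12-month lookback and tracked against the 45-day deadline. The following is an added illustration of that gate, not code from this post or from Evident. It assumes a hypothetical ordering of assurance levels (`Assurance`), assumes the actual document, selfie and public-records checks are performed by a separate provider whose outcome is simply recorded, and uses constructed sample records; the lookback is computed by calendar-year subtraction, which is an approximation of how a legal team might define the window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional


class Assurance(IntEnum):
    """Verification strength, ordered so that higher is stronger (assumed ordering)."""
    NONE = 0
    SELF_ATTESTED = 1            # requester merely asserts who they are
    DOCUMENT_SCAN = 2            # ID document scanned, no biometric comparison
    DOCUMENT_PLUS_SELFIE = 3     # ID document compared to a live selfie
    SELFIE_PLUS_RECORDS = 4      # biometric match plus a public records check


# Policy values from the post: the recommended "biometric plus public records"
# level, a 45-day response window and a 12-month lookback.
REQUIRED_ASSURANCE = Assurance.SELFIE_PLUS_RECORDS
RESPONSE_WINDOW_DAYS = 45


@dataclass(frozen=True)
class Record:
    subject_id: str
    collected_on: date
    payload: str


@dataclass
class ConsumerRequest:
    request_id: str
    claimed_subject_id: str                   # whose data the requester says they want
    received_on: date
    assurance: Assurance = Assurance.NONE
    verified_subject_id: Optional[str] = None  # identity actually proven, if any

    @property
    def due_on(self) -> date:
        return self.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)

    def is_overdue(self, today: date) -> bool:
        return today > self.due_on


def twelve_months_before(d: date) -> date:
    """Start of the lookback window; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year - 1)
    except ValueError:
        return d.replace(year=d.year - 1, day=28)


def record_verification(req: ConsumerRequest, outcome: Assurance, proven_subject_id: str) -> None:
    """Store the outcome of an identity check performed by a (hypothetical) provider:
    the level reached and which subject the requester was bound to."""
    req.assurance = outcome
    req.verified_subject_id = proven_subject_id


def disclose(req: ConsumerRequest, store: List[Record]) -> List[Record]:
    """Release data only after a strong enough verification that binds the
    requester to the very subject whose data was requested."""
    if req.assurance < REQUIRED_ASSURANCE:
        raise PermissionError(
            f"{req.request_id}: assurance {req.assurance.name} is below "
            f"required {REQUIRED_ASSURANCE.name}; no data released")
    if req.verified_subject_id != req.claimed_subject_id:
        # Someone proved *an* identity, but not the one whose data they asked for.
        raise PermissionError(
            f"{req.request_id}: verified identity does not match requested subject")
    start = twelve_months_before(req.received_on)
    return [r for r in store
            if r.subject_id == req.verified_subject_id
            and start <= r.collected_on <= req.received_on]


# Constructed sample data for demonstration only.
SAMPLE_STORE = [
    Record("subj-42", date(2019, 1, 15), "old profile export"),     # outside the lookback
    Record("subj-42", date(2019, 11, 2), "order history"),
    Record("subj-42", date(2020, 2, 20), "support ticket transcript"),
    Record("subj-77", date(2020, 1, 5), "newsletter preferences"),  # a different subject
]


def demo() -> List[Record]:
    """Walk one request through the gate: refused until verification is strong enough."""
    req = ConsumerRequest("req-001", "subj-42", received_on=date(2020, 3, 1))
    try:
        disclose(req, SAMPLE_STORE)
    except PermissionError:
        pass                      # unverified: correctly refused
    record_verification(req, Assurance.DOCUMENT_SCAN, "subj-42")
    try:
        disclose(req, SAMPLE_STORE)
    except PermissionError:
        pass                      # document scan alone: still refused
    record_verification(req, Assurance.SELFIE_PLUS_RECORDS, "subj-42")
    return disclose(req, SAMPLE_STORE)   # two records inside the 12-month window


if __name__ == "__main__":
    for rec in demo():
        print(rec.collected_on, rec.payload)
```

The second check in `disclose` is the one most often missed: a requester who passes a strong verification as themselves must still be refused if the record set they asked for belongs to someone else, which is exactly the loophole the Black Hat presentation above describes.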
How Evident Helps
Evident is transforming the DSR and CRR process. Our automated identity verification platform offers a higher level of assurance and an exceptional user experience, making it easier for companies to respond quickly to DSRs with less risk, and enabling them to manage multiple verifications through a single, secure portal.
With Evident, global enterprises can verify data subjects’ identities in 177 different countries, including the U.S. and all of Europe, while helping them to protect their users’ personal data with end-to-end encryption, and to demonstrate accountability and compliance with new privacy regulations like GDPR and CCPA.