Are you getting identity verification right for CCPA?
Handing out sensitive personal information to unauthorized persons when a Data Subject Request (DSR) has been submitted constitutes a data breach under the California Consumer Privacy Act (CCPA). Here’s a quick rundown of what you should and shouldn’t do.
The CCPA grants consumers rights to access and delete their information. Businesses are assigned the complex task of making sure that with those rights, personal information does not end up in the wrong hands. Handing out information to unauthorized persons constitutes a data breach under the CCPA, turning it into a costly and damaging affair.
Here’s the catch 22: Businesses must be certain to a “reasonable” or “reasonably high” degree that the requester is who they say they are, whilst at the same time making sure not to burden the consumer any more than necessary. After all, complicating the process for consumers to exercise the CCPA rights can’t be the desired effect of the identity verification process.
Firstly, a clear and appropriate consumer verification process needs to be defined by the team responsible for data protection. Secondly, the team handling data subject requests needs to be well-trained, monitored, and re-trained regularly.
Two European studies show how the GDPR’s broad access rights can lead to data privacy disasters. In August 2019 an Oxford PhD student uncovered that almost a quarter of businesses who had sensitive information about a simulated victim, provided it without verifying the attackers identity at all. Only 40% had a process in place that would have blocked the attack.
A study from May 2019 revealed even more grim findings. It evaluated the verification processes of 55 organizations by attempting to impersonate data subjects. They managed to get full access to sensitive personal information from 15 of these organizations
Both studies used unsophisticated attack-methods. The researcher submitted access-requests under the name of someone else, and submitted publicly available information to back up this claim upon request for verification, if such a request even came at all.
A recent New York Times article tested the verification processes that were implemented by US businesses in response to the CCPA, and did not find any good news. Some businesses choose to use vendors to handle the identity verification process for them. These vendors, such as Berbix, would ask the consumer to upload their government-issued ID and, in some cases, even take a selfie to cross-check. This had consumers shocked.
Can it really be that we have to give up more personal data, to get access to our data?
This paradoxical reality is not the intention of the CCPA, which should be apparent to anyone who read the law and the proposed regulations. Attorney General Becerra’s (proposed) regulations make it clear that businesses should ask for information that they already have, to check whether the provided information corresponds with what they have on file. They may only deviate from this in the exceptional case that they can’t properly verify the consumer’s identity in any other way.
So what are the do’s and don’ts for CCPA identity verification?
If the consumer has a password-protected account with you, the Attorney General’s proposed regulations state that businesses are allowed to verify their identity by asking them to log back into that account.
But what happens if the consumer does not have an account, or if they make the request via an offline method (e.g. a phone call)?
Datawallet's Consumer First compliance automatically asks the consumer to re-authenticate in case there is a password protected account. If not, we ask the appropriate security questions, verify phone numbers and email addresses, and take all required measures to make sure that you know who you are dealing with.CCPAConsumer PrivacyResourcesDatawallet