CCPA: Compliance Issue and Major Fraud Risk

The California Consumer Privacy Act (CCPA) signals a major step in online privacy rights for California consumers and will likely make its way onto the national scene in the near future. In fact, research shows that 80 percent of businesses predict that CCPA will become national law at some point in the next five years.

CCPA is set to go into effect on January 1, 2020, with enforcement—along with predictably steep fines for violations and the possibility of class-action lawsuits for breaches—beginning July 1 of the same year.

Unfortunately, businesses may see an uptick in unauthorized, spoofed, and fraudulent requests for personally identifiable information (PII), particularly as companies scramble to implement identity
verification (IDV) procedures that comply with CCPA regulations.

Fraudsters are adept at making quick adjustments to their processes when the online landscape changes, and CCPA is unlikely to be any different.

On top of ensuring that they’re compliant with CCPA regulations, any company that does business in or with the state of California will need to take advantage of additional fraud-deterring technology.

Implementing advanced fraud prevention tools helps companies avoid fraudsters that aim to take advantage of the vulnerabilities and unintended security consequences of CCPA.

CCPA Compliance

California’s new consumer privacy regulations are a result of the state addressing the aggressive use of private data by advertisers without consumer knowledge or consent. CCPA grants consumers several specific rights regarding their digital identity. Under CCPA, consumers can:

• Find out what personal information a company has collected on them
• Know whether their personal information has been sold or disclosed and to whom
• Tell an organization not to sell their personal information
• Access their personal information
• Request that a company delete their personal information

The law also stipulates that companies cannot penalize consumers who exercise their privacy rights by restricting access to services or raising prices.

What’s important to bear in mind, however, is that when a consumer submits a request for their data (referred to as a verifiable consumer request [VCR], a subject rights request, or a subject access request), the responding organization must first verify that person’s identity.

Handing over personal information to someone who isn’t who they say they are compromises PII, increases the risk of fraud, harms customer relationships and brand trust, and can ultimately result in major fines, penalties, and lawsuits.

Identity Verification Under CCPA

What makes the identity verification process a bit more complex is the fact that CCPA regulations prohibit companies from requiring individuals to create a password-protected online account to submit a VCR. Organizations must also provide consumers with at least two different VCR submission methods, such as an online form, a toll-free phone number, or an in-store form, depending on the primary means of customer interaction.

Any organizations that haven’t put much effort into their identity verification procedures in the past need to work quickly to implement CCPA-compliant solutions before 2019 comes to a close.

Taking clues from GDPR

Although CCPA regulations differ somewhat from the specifics of GDPR, US companies should pay close attention to indicators of fraud risk that appeared after GDPR was put into place in Europe.

GDPR was widely anticipated, but research suggests that many organizations were underprepared for the influx of consumer information requests they received.

As a result, experts suspect that fraudsters did not encounter strong identity verification measures from many companies when they requested consumer data.

James Pavur, an Oxford University researcher, put these shortcomings into high relief with the study he conducted with security consultant Casey Knerr. Pavur and Knerr designed their study to investigate how fraudsters skilled in social engineering could exploit the weak identity verification systems most companies relied on after GDPR went into effect.

When the results of the study were analyzed, Pavur and Knerr identified several concerning trends:

●      Of 150 companies involved in the study, 72 responded to fraudulent requests for consumer data.

●      83 of those 150 companies confirmed to an unverified individual that they had information about a consumer.

●      24 percent of companies contacted in the study released personal information to an individual who provided only an email address and phone number as proof of identity.

● 16 percent of companies in the study attempted to authenticate an individual’s identity with information that is easily forged.

This failure to adequately authenticate identities in the wake of GDPR—whether due to time constraints, lack of knowledge, or insufficient process training—signals a high likelihood that fraudsters can and will exploit companies that are not fully prepared for CCPA.

Meeting CCPA Requirements

CCPA is not yet a California law, but it will be officially on the books on January 1, and the likelihood is high that this privacy legislation will become national law in the future.

Companies that haven’t already started to prepare are late to the game—and to add a layer of complexity, there is no magic, one-size-fits-all compliance solution.

Fortunately, California’s Attorney General Xavier Becerra’s proposed regulations give industries and businesses a level of flexibility to develop and implement IDV processes that fit their individual use cases. Becerra’s proposal grants organizations the leeway to handle IDV processes in-house or work with a third party to minimize complexity and offer safe, flexible, simple, and user-friendly options across varying channels and requestor types.

Many industry-leading companies are enlisting the help of a third-party identity verification service to quickly and safely offer robust identity verification methods for the required channels and all data sensitivity levels, requested actions, and requestor types.

Depending on how a given organization is structured, CCPA compliance may mean authenticating identities in person, online, over the phone, via mobile devices, or with some combination of verification methods.

IDology’s analysis puts the number of potential combinations at over 800. An email address and phone number may not be sufficient in all cases—and the penalty, both in terms of expense and company
reputation, is very high.

When companies rely on third-party identity authentication services to handle their identity verification needs, company leaders are then free to focus on the other parts of their business and the CCPA statute.

VCRs must be handled promptly and with care. CCPA compliance is not optional, and it isn’t something to develop on a trial-and-error basis.

In today’s digital age, a company’s security policy is no longer a hidden, behind-the-scenes part of the business—it’s an important part of the organization’s brand, and it must be protected.

Organizations that use an established identity authentication service will be able to ensure the ongoing health of their reputation by complying with CCPA regulations rapidly and with minimal disruption to everyday business functions.

About the Author: Christina Luttrell is the chief operating officer for IDology, a GBG company and leader in multi-layered identity verification and fraud prevention. In her 10 years at IDology, Luttrell has significantly advanced the company’s technology, forged close relationships with IDology customers and driven the development of technology innovations that help organizations stay ahead of constantly shifting fraud tactics without impacting the customer experience. Luttrell has been recognized as one of the Top 100 influencers in identity by One World Identity. 

Photo credit: © momius - stock.adobe.com