The same angst many companies experienced as the effective date for the California Consumer Privacy Act (“CCPA”) approached is resurging again as they prepare for the July 1 enforcement date. The Office of the California Attorney General Xavier Becerra estimates that compliance with the CCPA could cost businesses as much as $16 billion over the next 10 years. The Act is intentionally vague when it comes to how companies should operationalize requirements described in the law, allowing businesses to account for their unique resources and limitations. Some organizations may be tempted to pause in their preparations while California awaits the fate of the proposed California Privacy Rights Act (“CPRA”). If the CPRA is ultimately included on the California November 2020 ballot, voters will likely support the expanded law, although it will not take effect until January 1, 2023. Regardless of what happens in November, it is important to focus on compliance with the existing law now. One of those requirements is to have a solid process for verifying California consumers’ identity before responding to their exercise of any of the rights afforded them by the CCPA. There are three main options businesses can consider: putting in place a manual process, using a third-party service or leveraging an automated process. While mid to large-sized companies may lack enthusiasm for allocating budget for new technology in the current economic environment, we suggest that this is not the time to scrimp with cheap manual processes.
The CCPA’s customer verification requirement
Though not completely comparable, implementation of the European Union’s General Data Privacy Regulation (“GDPR”) taught California lawmakers some important lessons. In a study of 150 businesses subject to the GDPR, nearly 25% disclosed “personally identifiable information” (the EU’s equivalent to California’s “personal information”) without verifying the requester’s identity. In an attempt to stave off an uptick in identity fraud in California, the CCPA requires the following:
- Covered companies must develop a process for verifying customer identity;
- The verification process must be described in the company’s public-facing privacy policy;
- To the extent possible, companies should use personal information previously collected to match that of inquiring customers; and
- There must be a reasonably degree of certainty of the person’s identity before access to personal information is granted.
With little to no interpretive case law to resolve the complexities and vagaries of the CCPA, it is hard to know where the line between compliance and non-compliance lies. One thing A.G. Becerra made clear in March with the latest round of proposed amendments is that businesses cannot pass on the expense of customer identity verification to California residents who want to exercise their new privacy rights. In other words, companies planning to require customers to procure affidavits or similar notarized statements attesting to identity are out of luck, unless they put in place a process for reimbursing customers.
Options for verifying customer identity
So, we arrive to the question at hand… How will covered businesses serving California residents verify with a reasonable degree of certainty that the person requesting access to personal information is actually the customer? Of three possible choices – manual process, service provider verification, and automated process – only the latter two are viable options for the reasons described below.
Settling for a Manual Process
At first blush, a manual identity verification process may appear to be the best option for a cost-conscious company. Even in the best situation, however, a company will inevitably underestimate what is required to run such a process well, as well as the associated risks. Manual verification will likely involve adding verification duties to the role of an existing employee, creating an Excel spreadsheet or similar tracking document, then cobbling together necessary administrative system rights for the employee to match an inquiry to an existing California customer. While the business maintains all control over the process, the act of customer verification is very labor intensive, even before considering the number of company systems that may contain personal information. For example, if divisions within the same company use different marketing platforms containing personal information, none of which are connected to each other, it may be next to impossible to locate all relevant data when presented with a customer “do not sell” or delete request. Further, the safety of customers’ personal information entrusted to the company is completely dependent on the knowledge of the personnel completing the verifications and the quality of the security controls already in place. When something goes wrong – as it always does – the potential risk to the company’s reputation is extremely high, with no one else to blame for an unauthorized disclosure.
Relying on a Service Provider
If a business wants to maintain a high level of control while increasing efficiency and mitigating risk, incorporating identity verification services from a third-party service provider is a good choice. This usually involves pairing an external verification service with an internal consumer access response (“CAR”) process, allowing customer information to be manually passed to a service provider via a secure interface. Once the customer’s identity is confirmed by the service provider comparing information provided at the time of request to publicly available information, personnel within a company responsible for documenting a formal response in accordance with CCPA requirements can proceed. Pricing for an identity verification service can either be a flat fee for a small/medium sized company or a subscription-based fee for larger organizations. Both pricing models are rooted in the number of verification requests forward by the company to the service provider for processing – with individual verifications bundled in groups in tens to thousands. A well-rounded identity verification service can run anywhere from $2,000-$3,500 on an annual basis, but is well worth the cost. When selecting a service provider, pre-engagement due diligence and on-going monitoring are essential to ensuring service quality, since the company has little control over the verification process itself. Incorporation of a third-party verification service can mitigate the risk of liability for unauthorized disclosure of personal information, depending upon the contractual language between the parties, but not for the risk of disclosure itself.
Leveraging an Automated Process
Leveraging automation incorporates the identity verification process into an overarching privacy management solution. These tools assist an organization by performing essential compliance activities necessary for a well-functioning privacy program. Users see a single interface, but underneath is a host of tools knit together to handle identity verification as well as CAR receipt, response timing, data gathering, request fulfillment and metrics tracking. Bot technology can locate relevant personal information up to twelve times faster than an employee searching through corporate systems one by one in an attempt to verify a customer. Automated tools can also perform additional functions like legal updates, audit trail creation and workflow tracking – allowing other areas of the business to extract value from the same automated processes. Automating the full request management, from receipt through completion, comes with a larger price tag. A full CCPA-compliant solution can range from $24,000 to $100,000 a year, based on the complexity of a company’s IT infrastructure (the number of systems consumer data must be gathered from) and the thoroughness of documentation provided along the way (retained for evidence of CCPA compliance). So long as a company adheres to the proscribed process and properly trains personnel engaging with the primary tool interface, risk can be largely mitigated by the warranty and related services accompanying the bundled tools, potentially shielding the company’s reputation from a big hit if there is inadvertent disclosure of personal information to someone other than the customer.
Consumer advocacy group Californians for Consumer Privacy intends to include the CPRA on the November 2020 ballot, further expanding consumer privacy rights, but also offers some clarification for businesses attempting to comply with the CCPA. With the CCPA enforcement date on the horizon, however, organizations cannot afford to wait and see if those efforts are successful – especially since any new act would not go into effect until 2023. It is important for companies subject to the CCPA to operationalize their response processes and fill any process gaps now, if they have not already done so. Customer identity verification is an essential process, but the language of that law gives businesses the flexibility to decide between a manual process, a service provider or an automated tool. For the reasons described above, HBR recommends that businesses use some sort of verification service provider, at the very least, and larger organizations leverage an automated process. If you would like more information regarding the best foundation for your organization’s CCPA functionality or about building a broader privacy management program and related processes, please do not hesitate to contact me or another member of HBR’s information governance team.