Sara is the Data Privacy Officer (DPO) at a large retail company. She’s the first to admit she’s still figuring out the implications of the California Consumer Protect Act (CCPA). And the clock is ticking.
CCPA gives consumers rights to access, delete, correct and move the data that Sara’s company collects about them. CCPA is the first major U.S. state law designed to increase transparency about how companies collect, process, share and sell personal information.
When the European Union General Data Protection Regulation (GDPR) required that companies handling consumer information employ a DPO, Sara was tapped by her company’s CISO to take on that role. She got her feet wet in data privacy management with GDPR and handles Data Subject Access Requests (DSARs) through manual processes, relying on email questionnaires and Excel spreadsheets. The real floodgates will open in January 2020, when Sara expects to receive thousands of Subject Rights Requests (SRRs) from California consumers asking to access, delete, correct or move the data that the company has collected about them.
Let’s take a closer look at what Sara is dealing with.
To process requests, Sara must first verify and authenticate them
Sara needs to ensure that SRRs her company receives are legitimate and coming from the appropriate person — in other words, confirming that they are who they say they are.
- Verification – making sure any asset a user provides, such as a document or email address, is legitimate
- Authentication – making sure that asset is tied specifically to that individual
When her company receives a consumer’s SRR, how does Sara know that the request is really coming from that person?
- Best-case scenario: the consumer already has an online account with the company and Sara can verify their identity using their existing login information.
- Worst-case scenario: the person isn’t even a customer. Sara needs more information about the person to fulfill the SRR. But the law says she can’t collect more information than she already has. Policymakers want to ensure that a company can’t benefit from the consumer’s SSR. If your company has zero information on that person, you’re in a catch-22 situation.
Between the best-case scenario—the requestor is customer who has an online account—and the worst-case scenario—they aren’t a customer and you can’t identify them—is another huge abyss of murky SRRs: consumers may not be making the requests themselves.
Sara is thinking:
- How do I know the requestor is really the parent of a minor child as they claim?
- What if this is an estranged spouse trying to track down their partner?
- Is this a watchdog group checking to see how I respond to SRRs?
- Am I going to expose information to a hacker?
A large-scale cyber attack could involve thousands of SRRs inundating your system with fraudulent assets in an attempt to steal consumers’ personal data. Or it could be one individual waging a personal vendetta against a family member or (former) friend.
The complexity of verifying and authenticating SRRs is a looming headache for businesses like Sara’s. Simply operationalizing a process involving such a large amount of data is daunting. Many businesses aren’t prepared to scale their data privacy management for CCPA, nor are they prepared to achieve the high level of collaboration and transparency required across different functions for prompt response to SSRs.
And then there’s the risk of violations and lawsuits.
What happens if you don’t respond to an SRR? Maybe you don’t have the processes in place yet, or maybe you just choose to ignore the SRRs. If you’re found in violation of CCPA, your company will be subject to fines. Under CCPA, fines are enforced by the Attorney General and can reach up to $7,500 per every violation (in the case of intentional violations). Non-intentional violations are subject to a $2,500 maximum fine.
The fines are harsh, but probably won’t put your company out of business. A data breach, on the other hand, could have a much larger impact. A data breach occurs when your company gives data to the wrong person, regardless of whether it was intentional or accidental. Breach investigations can uncover various types of data misuse—a red flag for regulators and fodder for class action lawsuits. This type of liability can be much more costly than fines.
The good intentions of the CCPA open up a can of privacy worms, especially for B2C companies like Sara’s.
What’s Sara to do?
Take action now
A third-party can provide a “Goldilocks” solution to remove the burden of verification and authentication. As a third-party provider, WireWheel helps verify that an email, driver’s license, or other asset a consumer provides as proof of identity is legitimate as well as authenticate that it’s connected to a specific individual. An additional option for an electronic sworn affidavit allows a user to certify their identity, giving you a legal document to support your SRR activity. Our encrypted environment secures the data and we never use data for any purpose other than verification and authentication of your company’s SRRs.
By solving the twin challenges of verification and authentication, Wirewheel can lift a monumental worry from the shoulders of B2C companies. In our upcoming blogs we will explore how Wirewheel’s data privacy management platform also helps you assign tasks, query data stores, and identify specific consumer data to respond to SRRs.
If you’d like to learn more about CCPR and SRRs, check out the eBook, 5 Keys to Managing Subject Rights Requests.