The California Consumer Privacy Act (CCPA) was enacted at the beginning of this year, and enforcement will start July 1, 2020. Is your company prepared?
At its core, the CCPA is intended to improve Californians’ data privacy rights by giving them an effective way to control their personal information. The legislation is part of a global backlash against the misuse of consumer data, and it specifically cites the 2018 Cambridge Analytica scandal where millions of people were alarmed to discover that their personal data was used for political advertising without their consent.
A familiarity with the intentions of the CCPA is necessary in order to fully understand its regulations. The legislation’s goal is to provide California residents with the right to:
- know what personal data is being collected about them;
- know who their personal data is being sold or disclosed to;
- say no to the sale of their personal data;
- access their personal data;
- request that their personal data be deleted;
- and not be discriminated against for exercising their privacy rights.
What Counts as Personal Information?
The CCPA uses a broad definition of personal data: anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The legislation provides examples such as:
- name or alias;
- postal address, email address, IP address;
- account name, unique personal identifier;
- social security, driver’s license, or passport number;
- browsing, search, or purchase history;
- and geolocation data.
Who is Subject to CCPA?
Just because your business is based outside of California doesn’t mean the CCPA is not applicable. The CCPA applies to any for-profit company that does business in California, collects consumers' personal information, and meets one or more of the following thresholds:
- more than $25 million in annual gross revenue;
- buys, sells, receives, or shares the personal data of 50,000 or more consumers, households, or devices;
- or earns more than half of its annual revenue from selling consumers' personal data.
The CCPA also applies to any entity that shares common branding with a business that meets at least one of the above thresholds. Think of it like a parent being deemed responsible for the actions of their child.
What are the Penalties for Violating CCPA?
There are steep consequences for noncompliance with the CCPA. The legislation includes provisions for civil penalties of up to $2,500 per violation, which can be increased to $7,500 if the violation is deemed to be intentional.
A security breach compromising customers’ personal information is also a cause for civil action under the CCPA. Companies that suffer a data breach may have to pay up to $750 per California resident affected. Talk of CCPA-related lawsuits has already begun, with a class action lawsuit filed against the company behind Houseparty for allegedly sharing personal information without consent.
Identity Verification for CCPA Compliance
CCPA gives consumers the right to request their personal data, but it does not prescribe a method for ensuring you are giving the data to the right person. A request for data access may simply be a fraudster impersonating someone in order to steal that person’s sensitive personal information. A business that hands a consumer’s personal information to the wrong party in response to a fraudulent request finds itself in a difficult position: beyond the poor publicity and lost customer trust, the disclosure is itself a data breach and therefore cause for a class action lawsuit under the CCPA. The financial and fintech industries are especially exposed to this type of fraud, given the sensitivity and value of the personal data they hold.

A recent European study revealed just how easy it is for fraudsters to take advantage of data access requests. Around a quarter of the businesses studied provided sensitive information without verifying the identity of the requester, and 15% asked for a form of identification that could easily be stolen or forged. The study also found that larger or regulated businesses tended to have stronger identity verification requirements, which suggests that businesses investing in anti-fraud and know your customer (KYC) policies will be more successful at identifying fake requests.
In summary, while implementing processes to comply with CCPA and allow customers to request access to their personal data, it is vital not to overlook the requirement to verify the requester’s identity. The best defense against this new avenue of fraud is a robust identity verification system. Cognito’s identity verification service is designed to help your company be CCPA compliant. Contact us to learn more.