The California Consumer Privacy Act (CCPA) was enacted at the beginning of this year, and enforcement will start July 1, 2020. Is your company prepared?
At its core, the CCPA is intended to improve Californians’ data privacy rights by giving them an effective way to control their personal information. The legislation is part of a global backlash against the misuse of consumer data, and it specifically cites the 2018 Cambridge Analytica scandal where millions of people were alarmed to discover that their personal data was used for political advertising without their consent.
A familiarity with the intentions of the CCPA is necessary in order to fully understand its regulations. The legislation’s goal is to provide California residents with the right to:
The CCPA uses a broad definition of personal data: anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The legislation provides examples such as:
Just because your business is based outside of California doesn’t mean the CCPA is not applicable. The CCPA applies to any for-profit company that does business in California, collects consumers’ personal information, and meets one or more of the following thresholds:
The CCPA also applies to any entity that shares common branding with a business that meets at least one of the above thresholds. Think of it like a parent being deemed responsible for the actions of their child.
There are steep consequences for noncompliance with the CCPA. The legislation includes provisions for civil penalties of up to $2,500 per violation, which can be increased to $7,500 if the violation is deemed to be intentional.
A security breach compromising customers’ personal information is also a cause for civil action under the CCPA. Companies that have a data breach may have to pay up to $750 per California resident affected. Talk of CCPA-related lawsuits has already begun, with a class action lawsuit filed against the company behind Houseparty for allegedly sharing personal information without consent.
The CCPA gives consumers the right to request their personal data, but it does not prescribe a method for ensuring you are giving the data to the right person. A request for data access may simply be a fraudster impersonating someone in order to steal their sensitive personal information.
A business can find itself in a sticky situation if it provides a consumer’s personal information to the wrong party in response to a fraudulent request. In addition to leading to poor publicity and lost customer trust, this is also considered a data breach and cause for a class action lawsuit under the CCPA itself. The financial and fintech industries are especially at risk of this type of fraud, considering the sensitivity and value of the personal data they possess.
A European study recently revealed just how easy it is for fraudsters to take advantage of data access requests. They found around a quarter of businesses provided sensitive information without verifying the identity of the requester, and 15% requested a form of identity that could easily be stolen or forged. The study also found that larger or regulated businesses tended to have stronger identity verification requirements, implying that businesses that invest in anti-fraud and know your customer (KYC) policies will likely be more successful at identifying fake requests.
In summary, while implementing processes to be compliant with CCPA and allow customers to request access to their personal data, it is vital to not overlook the requirement to verify the requestor’s identity. The best defense against this new avenue of fraud is a robust identity verification system.
Cognito’s identity verification service is designed to help your company be CCPA compliant. Contact us to learn more.