This past July, the California Consumer Privacy Act (CCPA) hit two milestones. The six-month point of the law being in force arrived, and enforcement began.
The law had a six-month grace period, but no one anticipated that during this period there would be a pandemic that forced millions to switch to remote work with most activities moved online. Nevertheless, California Attorney General Xavier Becerra decided to continue with enforcement as planned.
With enforcement ramping up, organizations are being tested on whether they can handle managing data subject requests from users, along with CCPA requirements regarding selling data and disclosures surrounding consumer data.
Were businesses ready for the CCPA?
Data Subject Requests
One of the most frequently asked questions is, “How many data subject matter requests should I expect per year?” The answers vary by industry and company size. Understanding the types of request a business will receive can help them plan for how to handle and process requests.
Under the CCPA, there are three different types of requests users can make to a company: the right to know the data collected, or access requests; deletion requests; and “do not sell” (DNS) requests.
By a large margin, consumers preferred to have their records deleted at the beginning of 2020. But as the year progressed, DNS requests increased and have subsequently remained the most common request. Our research found that 48 percent of all requests were DNS compared to 31 percent for deletion requests and 21 percent for access requests.
To answer how many Data Subject Requests (DSRs) businesses should expect per year, we can consider the average business-to-consumer company, which will receive around 170 DSRs per million records each year. Out of these, 84 will be DNS requests if consumer preferences to prevent businesses from selling their data continue.
To facilitate these requests manually, organizations can expect to spend approximately $240,000, requiring the resources of as many as two dozen employees.
When the CCPA was first introduced in 2018, privacy and security experts had concerns about verifying those who requested personal data from a company. How would businesses be able to confirm that persons attempting to access records are who they say they are, and will consumers’ privacy be at greater risk if malicious actors attempt to steal information?
“In the name of empowering consumers, the law is actually introducing threat vectors that can be manipulated by fraudsters,” wrote security and privacy experts Annie Bai and Peter McLaughlin. “This presents a considerable risk to organizations by enabling a data breach while ostensibly trying to comply with the law and support a consumer’s data access request.”
In further revisions of the CCPA, verification was addressed, and a system of checks and balances was put in place by requiring companies to verify and authenticate individuals making data requests. Jennifer Elleman and Steven Stransky of Thompson Hine wrote a recent article detailing how certain CCPA amendments addressed the risk that comes without verification. The CCPA regulation now provides two methods businesses can use to verify the identities of individuals submitting data access and deletion requests.
“First, if a business maintains a password-protected account, it ‘may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account.’ Second, if the individual does not have a password-protected account, identity verification becomes more complex and is subject to different standards, depending on the nature of the request and the type of the personal information at issue.” (Privacy Tracker, June 30, 2020)
In the first case, verification is simple for password-protected accounts, though passwords are not always fail-proof. In the second case, verification becomes more ambiguous and companies must determine proper measures to confirm the identity of an individual and protect their data.
For accounts that aren’t password protected, the CCPA suggests a multi-tiered verification process. According to Phillip Yannella and Gregory Szewczyk, “To meet this standard, businesses could match two . . . pieces of consumer-provided personal information with personal information maintained by the business. For requests to know specific pieces of information, businesses must verify the consumer to a reasonably high degree of certainty, which can be accomplished by matching three . . . pieces of consumer-provided personal information with personal information retained by the business.” (Cyber Adviser, October 21, 2019)
Our company’s report reveals how vital the verification process for DSRs is to prevent fraud. Three in 10 requests will go unverified and could be attempts at accessing or deleting other individuals. Out of these unverified DSRs, 21 percent were marked as spam by businesses.
While DNS requests make up the majority of verified requests from users, requests identified as fraudulent are most commonly access requests — an astounding 70 percent of all unverified inquiries. This data point validates the suspicion that people may attempt to misuse DSRs to gain access to another individual’s personal data.
If the CCPA follows the path of the General Data Protection Regulation (GDPR), expect to see major fines from the CCPA. High profile cases and company privacy practice exposure could change the way in which consumers submit data requests, especially if there is a large data breach. We still don’t know how the pandemic will impact future requests.
By Daniel Barber is the CEO and co-founder of DataGrail, a technology platform that helps organizations automate their privacy programs and become compliant with CCPA, GDPR and other privacy regulations.