The news is spreading like reverberations in an echo chamber. As of January 1, Californians have individualized privacy rights akin to those granted in Europe in recent years thanks to the California Consumer Privacy Act (CCPA).
The new law aims to claw back some self-determination over the personal information that flows everywhere in the digital economy, granting Golden State residents rights of transparency, access and deletion. This means that a Californian can ask to view and/or have deleted all the personal information (PI) that a business holds about them. They can also request that their personal information not be sold to third parties.
These rights must be exercised on an individual basis by making requests directly of businesses. However, the CCPA does not provide a standard mechanism or reliable intermediary for making these impactful requests. It leaves every business on its own to figure out how random data deletion would impact its operations and products, and to figure out how they will ascertain if any given requestor really is a Californian and truly the person they say they are.
This is risky business. The nature of the internet is such that an unknown portion of these faceless requests could be disingenuous, ranging from “black hat” bad actors trying to obtain personal data to “white hat” agnostic actors testing the system. We saw this happen in Europe when the General Data Protection Regulation’s data access rights were rolled out in 2018. In studying corporate responses to consumer requests by European businesses, security researchers James Pavur and Casey Knerr called them out as a “scalable attack vector for acquiring deeply sensitive information about individuals.”
It’s a double-edged challenge for companies to open their data stores in a manner that is responsive to consumers but defensive against unauthorized actors. There are already complex global industries that monetize stolen personal data, investing immense resources into unearthing new vulnerabilities and developing threat vectors. Breached and stolen data is the fuel behind identity theft and fraud. And now companies are being mandated to open a new door for the transparency and release of data.
Where are the gatekeepers for these doors? The requests will be handled online and by call centers, which are vulnerable to social engineering and automated attacks. We need the equivalent of gates (processes) and screeners (people) and x-ray machines (malware detection) and policies (governance) and even smart doorbells (logging and monitoring). The law only requires businesses to comply with a “verified consumer request” but does elaborate on what “verified” means. It merely says, “The business shall promptly take steps to determine whether the request is a verifiable request.” Take steps!?! Could it be any vaguer?
Fortunately, this expertise already exists in many business operations. Although data privacy compliance departments may not be familiar with identity verification as a solution, their colleagues in the fraud, digital channel operations and account opening departments have long used scientific, competitive and highly accurate methods of verifying real identity by assessing data points and online behavior. A number of companies provide point solutions which use big data services to produce insights into the authenticity and risk profile of emails, phone numbers and addresses. Other companies verify identity documents online and check identities against global watchlists for know-your-customer and anti-money laundering purposes.
At Socure we bring it all together by running advanced analytics over the widest set of integrated data in the market, to provide real-time identity risk scores and trusted identity verification. This is the key to safely answering verified customer requests generated by CCPA. Socure will produce a multidimensional view of the requester with a real-time verification and risk score at the point of contact before a single shred of data has been exposed or removed.
We look forward to supporting safe implementation of CCPA — and the privacy rights it delivers to consumers — by leveraging advanced machine learning and data science techniques to ensure trust in the engagement between companies and their consumers.
We’ll dig deeper into the issues of CCPA, customer verified requests, and the use of leveraging AI-based methods of identity verification and risk in our webinar “Will the California Privacy Laws Expose You to More Fraud? AI-Based Identity Verification as a Solution”.
Annie C. Bai
Privacy, data security, and fintech lawyer and compliance officer. Annie is a graduate of NYU School of Law and former law clerk to the Hon. A.W.Thompson in the District of Connecticut. Her experiences range from the non-profit to Fortune 500 sectors. She advises Socure on privacy, cyber, AI innovation, data/model governance, fair banking, and AML/BSA compliance. IAPP notables include CIPP/US, CIPP/C, CIPT, FIP, and Education Advisory Board.