On January 1, 2020, the California Consumer Privacy Act (CCPA) will - at long last - go into effect. For anyone following the journey of this soon-to-launch privacy law, this has been a long time coming.
In recent months, major adjustments have been coming together as California regulatory authorities have been waiting on the approval of certain amendments to the core characteristics of the upcoming data privacy framework.
Finally, as of October 11, 2019, we know exactly which CCPA amendments have been accepted and what the final CCPA law will look like. California Governor Gavin Newsom signed five amendments, confirming a number of substantive improvements that resolved some technical errors and further elaborated on the regulation.
Thanks to this development, we know exactly what the CCPA law looks like - but the rules that businesses will need to follow to comply with it are still being confirmed.
The California Attorney General released a draft version of these rules just days before the amendments were signed, and the public has until December 6th to comment on the draft version. After this open comment period ends, the AG will make revisions based on the public feedback before releasing the final version of the rules.
User identity verification rules, for example, are still in draft form - so businesses don't know if they will look exactly the same come January 1st.
However, we can look to the draft rules to get a solid idea of what is likely to be expected.
But before we dive into what the draft CCPA says about verification practices, let's quickly go over the amendments that were just signed into law.
So, what do these just-approved CCPA amendments (AB-25, AB-874, AB-1146, AB-1355 and AB-1564) mean?
While we won’t go over each specific, tiny change each of the amendments made to aspects of the CCPA, such as for opt-in requirements or treatment of data from minors, let’s touch on a few highlights.
Among other changes, the approved California Consumer Privacy Act amendments:
- exempt HR information from the CCPA, putting sensitive HR data like emergency contact information and job applicant data out of scope of the new rules. Businesses must still provide notice on the type of HR data collected, however.
- exempt B2B data, defined as personal information that’s collected in the course of providing services to a business. B2B customer personnel can opt out, but this opt-out opportunity does not apply to businesses themselves. In the event of a data breach, B2B employees would also retain private right of action.
- exempt vehicle information stored or shared for the purposes of recall or warranty-related automobile repair.
Apart from these exemptions, the CCPA amendments also:
- require data brokers to register with the California Attorney General
- require businesses to provide two ways for consumers to request personal data, including - at least - a toll-free number for consumers to call. This phone number requirement does not apply to businesses that operate solely online and have a direct relationship with the consumer whose data they collect. In these cases, only an email address need be made available to users.
Now that we know all five CCPA amendments and what the final framework will look like, we simply need to patiently wait for the California Attorney General to refine the draft compliance rules.
So, in the meantime, what exactly does the draft CCPA say about verification?
Identity verification is vital for preventing data breaches and protecting the sensitive data of all consumers, which the California government is trying to facilitate with its CCPA regulations.
According to the CCPA draft rules, businesses will need to do the following:
- When verifying a request, the information the consumer provides must be matched against the personal information the business already holds about that consumer.
- The extent to which a business verifies a user should scale with the sensitivity of the individual consumer request.
- Businesses are allowed to use a password-protected account as verification, but they must require the user to re-authenticate before disclosing or deleting any of that user's data.
- Companies must take additional steps to verify in situations where they suspect fraudulent activity.
What about requiring users to create an account upfront? The draft CCPA requirements don’t allow this.
For individuals who don’t have their own accounts, the draft CCPA rules outline three types of required verification:
- For requests categorized as personal information: companies will need to verify identity "to a reasonable degree of certainty," including at least two data points provided by the consumer that match data already held by the business.
- For consumer requests to obtain the data currently held about them: identity must also be verified to a reasonable degree of certainty, including matching at least three data points and obtaining a signed declaration under penalty of perjury.
- For consumer requests to delete data about themselves: verification varies by level of sensitivity and risk of harm should an unauthorized deletion occur. Before final deletion, businesses must use a two-step process to confirm the deletion request.
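To make these tiers concrete, here is an added Python sketch of a request-verification check built on the principles above. It is example code written for this article, not code from the original post or from VGS, and it assumes several things the draft rules do not spell out: the field names in the consumer record, that a "low" sensitivity deletion is handled like a categories request and a "high" one like a specific-pieces request, that suspected fraud is routed to manual review, and that the deletion confirmation token lives in an in-memory store.

```python
"""Illustrative tiered identity verification for consumer privacy requests.

Added example, not from the original post. It models the draft-rule ideas
described above: match what the consumer supplies against what the business
already holds, scale strictness to the request type, require a fresh
re-authentication even for password-protected accounts, escalate when fraud
is suspected, and confirm deletions in two steps. Field names, the deletion
sensitivity tiers and the token store are assumptions made for this demo.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class RequestType(Enum):
    KNOW_CATEGORIES = "know_categories"  # which categories of data are held
    KNOW_SPECIFIC = "know_specific"      # the actual data held
    DELETE = "delete"


class Decision(Enum):
    VERIFIED = "verified"
    DENIED = "denied"
    NEEDS_REVIEW = "needs_review"                  # suspected fraud: extra steps
    PENDING_CONFIRMATION = "pending_confirmation"  # deletion, step 1 of 2


@dataclass
class Policy:
    min_matches: int          # data points that must match the held record
    needs_declaration: bool   # signed declaration under penalty of perjury


# Tiers as described in the post: two matching points for category requests,
# three plus a signed declaration for the specific data held.
POLICIES = {
    RequestType.KNOW_CATEGORIES: Policy(2, False),
    RequestType.KNOW_SPECIFIC: Policy(3, True),
}
# Assumed mapping for deletions, whose strictness "varies by sensitivity".
DELETE_POLICIES = {"low": Policy(2, False), "high": Policy(3, True)}


@dataclass
class Request:
    kind: RequestType
    claims: Dict[str, str]                 # data points supplied by the consumer
    signed_declaration: bool = False
    account_reauthenticated: bool = False  # fresh login on a password-protected account
    fraud_suspected: bool = False
    sensitivity: str = "low"               # used for deletions only
    confirmation_token: Optional[str] = None


def _norm(value: str) -> str:
    """Normalize whitespace and case so "PAT@Example.com " matches the record."""
    return " ".join(value.split()).casefold()


def count_matches(claims: Dict[str, str], record: Dict[str, str]) -> int:
    """Count supplied data points equal to what the business already holds.

    Each field is compared in constant time so response timing does not reveal
    which individual field was wrong. Fields the business never held cannot
    count as a match.
    """
    matches = 0
    for name, claimed in claims.items():
        held = record.get(name)
        if held is not None and hmac.compare_digest(_norm(claimed).encode(), _norm(held).encode()):
            matches += 1
    return matches


# Outstanding deletion confirmations: token -> consumer id (in-memory for the demo).
_pending_deletions: Dict[str, str] = {}


def verify_request(req: Request, consumer_id: str, record: Dict[str, str]) -> Tuple[Decision, Optional[str]]:
    """Return (decision, confirmation token) for a consumer request."""
    if req.fraud_suspected:              # suspected fraud always means additional steps
        return Decision.NEEDS_REVIEW, None

    if req.kind is RequestType.DELETE and req.confirmation_token is not None:
        # Second step of a deletion: the one-time token must belong to this consumer.
        owner = _pending_deletions.pop(req.confirmation_token, None)
        return (Decision.VERIFIED if owner == consumer_id else Decision.DENIED), None

    policy = DELETE_POLICIES[req.sensitivity] if req.kind is RequestType.DELETE else POLICIES[req.kind]

    # A password-protected account counts only with a fresh re-authentication;
    # otherwise enough supplied data points must match the held record.
    verified = req.account_reauthenticated or count_matches(req.claims, record) >= policy.min_matches
    if policy.needs_declaration and not req.signed_declaration:  # assumption: declaration is never waived
        verified = False
    if not verified:
        return Decision.DENIED, None

    if req.kind is RequestType.DELETE:   # nothing is erased until the second step confirms
        token = secrets.token_urlsafe(16)
        _pending_deletions[token] = consumer_id
        return Decision.PENDING_CONFIRMATION, token
    return Decision.VERIFIED, None


# Constructed sample record for the demo; not real consumer data.
CONSTRUCTED_RECORD = {"email": "pat@example.com", "postal_code": "94105", "phone_last4": "0199"}

if __name__ == "__main__":
    first, token = verify_request(Request(RequestType.DELETE, {"email": "pat@example.com", "postal_code": "94105"}), "c1", CONSTRUCTED_RECORD)
    second, _ = verify_request(Request(RequestType.DELETE, {}, confirmation_token=token), "c1", CONSTRUCTED_RECORD)
    print(first.value, "->", second.value)
```

The check treats a data point as matching only when the business already holds that field, so a requester cannot pad a request with fields the business never collected, and the deletion token is single-use: a second confirmation, or one from a different consumer id, is denied.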
Given these impending identity verification rules, businesses that handle the data of California residents will need to ensure that they get their own policies up to speed before the end of the year.
When a business possesses sensitive user information, including data that can be used to verify user identities, it must prove that its networks are CCPA compliant.
Mapping out data flow diagrams and organizing your data security team would be the first steps any business would take to start making sure they meet these data privacy rules - but safeguarding user information and following identity verification rules often ends up being a costly investment.
Unfortunately, many businesses would take a huge financial hit embarking on this journey by themselves.
But what if companies could offload these CCPA compliance concerns and outsource their data security to a trusted partner?
VGS data security solutions uniquely enable businesses to work with sensitive data without actually storing it or processing it through their own systems.
After implementing VGS Zero Data solutions, CCPA security requirements are covered, data is centralized for ease of location, and in the event your network is breached, you won’t have to notify your customers because their data can’t be accessed from your network. Find out how VGS Zero Data can protect your company’s sensitive data here.