Article takeaways
- Some pointers on complying with the upcoming CCPA Laws
- The impact CCPA will have on the advertising industry
With the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, only a few weeks away, chances are high that your clients who do business in or with the state of California are wrapping up last-minute details to ensure they’re in compliance with the coming regulations.
CCPA presents businesses with a couple of distinct opportunities from an advertising and marketing standpoint:
- A chance to build (or rebuild) trust with consumers.
- Examine consumer data use and collection practices.
At its base, CCPA is a consumer data privacy protection law. It’s designed to give Californians control over their personal data and better understanding and visibility into how companies use that data.
So how does this impact advertising and marketing firms?
Much of the data these organizations collect is considered personally identifiable information (PII). This personal information is important to marketers and advertisers—how else would a company know, for example, who is actually purchasing their product or service? The regulations stipulated by CCPA will change how consumer data is collected, used, and stored.
On top of these changes, PII is included in the types of data that Californians can request via a verifiable consumer request (VCR). Your clients impacted by CCPA will need to be prepared for VCRs when the law goes into effect in the new year.
VCRs: What Matters for CCPA Compliance
Complying with CCPA requires attention to detail, a commitment to transparency, and a willingness to rely on experts to handle the complex parts of the law. One of the more difficult parts of CCPA compliance is correctly and efficiently verifying identities for consumer data requests.
When a Californian submits a request for data, the company receiving the request must first verify the identity of that individual. This is one of the most important steps in the fight against fraud since data revealed in a VCR can be used in myriad ways by enterprising fraudsters.
It’s also important to remember that companies must offer a range of VCR submission methods depending on how the business functions. Companies that function entirely online, for example, won’t be required to maintain a toll-free phone line for VCR submissions. Brick-and-mortar stores, however, will have to offer consumers an in-person VCR submission option in addition to a phone-based and online option.
The influx of VCRs can’t really be predicted at this point, but if we look to Europe’s GDPR as a guide, it’s safe to assume that most businesses will receive a not-insignificant number of requests. The identity verification (IDV) process for each request must be approached appropriately based on the type of request and the information it involves; manual IDV processes won’t be a viable option for most companies, from either a time or a staffing standpoint.
So what should your clients in the advertising and marketing industries look for in an automated CCPA IDV solution? Keep an eye out for these four important elements:
- Seamless functionality. Consumers today are incredibly sensitive to even small amounts of friction during account setup, account verification, or payment process.
In fact, IDV solution leader IDology found, via independent research for its Second Annual Consumer Digital Identity Study, that approximately one-third of new online account setups are abandoned due to long or unnecessarily complicated IDV processes.
Help arm your clients against customer disengagement and negative user experiences with a solution that verifies identities quickly and without directing the user away from their device.
- Intelligent, dynamic escalation. In some instances of VCR submission, an individual’s identity either will not be able to be verified on the first attempt, or the data request will be sensitive enough to require additional, “stepped up” verification. An IDV solution for CCPA should be intelligent enough to detect VCRs needing extra verification and apply appropriate friction for the user.
While it’s important to avoid the overly complex IDV processes that are prone to user abandonment, rampant hacks and data breaches across virtually all industries have taken a serious toll on consumer trust levels. Striking a balance between clearly insufficient IDV processes and security that is over-engineered or not user-friendly is the best way to keep your customers safe and maintain excellent customer retention rates.
- Scalability. Most businesses are unlikely to receive a large number of VCRs on January 1, but as the law becomes more heavily publicized, more requests will roll in. The IDV solution your client implements for VCRs under CCPA must be able to accommodate varying request volumes without sacrificing features, security, reliability, or user experience.
Approximately 80 percent of respondents to IDology’s Seventh Annual Fraud Report survey reported that they anticipate a version of CCPA becoming federal law in the relatively near future. Even if the majority of your client base (or your client’s customer base) is located outside of California, implementing CCPA-compliant IDV processes is a smart long-term move.
- Wide range of resources for detecting fraud. While machine learning (ML) and artificial intelligence (AI) are the current buzzwords in the fraud industry today, you and your clients need to understand exactly what these technologies can and cannot do before you rely on them completely.
When it comes to detecting and preventing fraud, ML and AI have limitations. This may not always be the case, particularly as technology progresses, but for now, the best, most reliable solution is to employ a combination of ML/AI and human intelligence.
IDology’s highly trained fraud team analyzes suspicious transactions and requests even if some of the information submitted seems to be completely legitimate at first glance. The information exchanged during a VCR can be used for ill gain by fraudsters, so it’s vital that an IDV solution relies on deep data sources to verify the requestor’s identity and human intelligence to bring light to even slightly anomalous data.
The Bottom Line
We are officially down to the wire when it comes to implementing identity verification solutions for VCRs under CCPA. Whether or not you or your clients conduct business in California, you need to be prepared.
The consumer data privacy regulations put forth by CCPA are already making their way into the legislative sessions of states across the nation, so the likelihood of these privacy protections eventually covering all Americans is high. Be ready to handle VCRs come January 1, 2020, without damaging your customers’ trust with the right IDV solution.