
Avoiding CCPA Forest Fires

  • Matt Botti


Created at September 25th, 2019


After about 1900 the U.S. government started aggressively fighting forest fires and designating large swaths of land as national forests and parks to protect them from fires. This led to fewer fires, but it also created growth conditions in which the fires that did occur were larger and more damaging. I’m not advocating for fewer national forests or parks; I am just noting that unintended consequences must be considered.

As the countdown for companies to comply with the California Consumer Privacy Act (CCPA) continues, one requirement could result in unintended consequences. CCPA gives individuals the right to know, twice a year, all the data about them that a business has collected. If that were not challenging enough, a company can’t just share that information with anyone who requests it. First, a business must confirm that the individual making the request is in fact who he or she claims to be. That requirement presents potential unintended consequences.

First, consideration must be given to sensitivities surrounding the individual making the request. If the verification process is too difficult, the consumer could become frustrated, causing damage to the brand and potentially even an escalated formal complaint. If a brand requests additional sensitive personal information from an individual just to confirm identity, that alone could heighten the consumer’s distrust of the company and harm the brand. Using a third-party provider such as Acxiom to help confirm identity reduces risk by removing, to at least some extent, the burden on both the consumer and the brand and placing it elsewhere.

Next, we broaden our view a bit further into the data governance and business processes necessary to comply with CCPA. Fulfilling the consumer request can require a complex business process. Data governance policies need to be in place or in the process of definition to identify where to even start. A fundamental question is: at what point is data considered “collected” and thus reportable? Second, what if a consumer’s identity cannot be verified? What alternative processes need to be in place to ensure consumer care is maintained? Acxiom, a leader in consumer privacy for nearly 50 years, has wrestled with these issues and has developed solutions brands can leverage to navigate these challenges.

Finally, there is no one-size-fits-all approach to identity verification or authentication. The sensitivity of the data suggests that a multi-faceted approach is needed with potentially multiple points of interaction. For verification of an individual requesting less sensitive information, sending and receiving a one-time passcode (OTP) to validate ownership of an email or phone number could be sufficient. Acxiom and others offer this email or phone verification capability. This is particularly useful when a brand only has prospect information on a consumer. In a situation where a consumer already has a relationship with the brand and interacts through a brand portal, the consumer could be asked to provide information only he or she would know, such as a loyalty ID, the details of recent orders, etc.

A brand might like to require account creation to fulfill a consumer request, but CCPA prohibits that as a requirement. A consumer may have and may use an existing login as part of the identity verification process, but he or she can’t be forced to establish or use one. Integration with third parties, like Acxiom, and leveraging identity verification and authentication technologies can again be used to accomplish this. A brand may also wish to use, where present, security questions, existing authentication portals, or existing verification processes for customer support. Another approach is requesting that the consumer upload identity documents such as a driver’s license or passport for verification, with auto-deletion of the information after verification.

CCPA affords consumers an unprecedented level of control over the use of their data. Businesses would be wise to think long and hard about the solutions they employ to comply with CCPA to avoid adding fuel to the fire.