On July 1, 2020, the California Consumer Privacy Act hit two milestones. It was the midyear point of its Jan. 1, 2020, implementation and the day full enforcement of the law officially began.
The six-month grace period between implementation and enforcement was designed to give businesses an opportunity to get ahead of the CCPA and put programs in place. Of course, when that grace period was built into the law, no one anticipated a pandemic and millions of people moving to remote work, shifting their online habits to accommodate massive shutdowns. However, California Attorney General Xavier Becerra promised to go on with enforcement, despite the challenges brought on by COVID-19.
Now that enforcement has ramped up, organizations have to be prepared to comply with data subject requests (DSRs) and the overall data privacy regulations included in CCPA — with or without COVID-19-impacted delays. How prepared are organizations to meet the changes that went into effect July 1? DataGrail’s "Mid-Year CCPA Trends Report 2020" looks at DSRs received during the first part of 2020 and provides a guideline on what companies can anticipate as we move forward under full CCPA implementation.
Types and number of consumer rights requests
One of the most frequent questions DataGrail receives is, “How many data subject requests should I expect per year?” That’s difficult to predict, but understanding the types of requests can help an organization plan how they will handle them.
There are three types of requests: access requests (the right to know what data has been collected), deletion requests (the right to deletion), and "do not sell" (DNS) requests (the right to say no).
"Do not sell" requests are the most common type of DSR, and our research shows that in 2020 the average business-to-consumer company will receive 84 DNS requests per million records, out of a total of 170 DSRs per million records that a B2C company can expect to receive each year.
In the early days of the CCPA, consumers by far most often wanted their records deleted. But by February, DNS requests had overtaken them, and that pattern stayed consistent throughout the first half of 2020. In fact, 48% of all requests are DNS requests, compared to 31% for deletion requests and 21% for access requests. There was a slight spike in deletion requests in June, which could perhaps be attributed to companies refreshing their privacy policies to prepare for the July 1 enforcement.
To handle these requests manually, organizations can expect to spend approximately $240,000, requiring the resources of as many as two dozen employees.
Verifying DSRs
When the CCPA was first introduced, data privacy and cybersecurity professionals were concerned about the verification of the requestor. How will you know the person asking to be forgotten or to access records is who they say they are?
“In the name of empowering consumers, the law is actually introducing threat vectors that can be manipulated by fraudsters,” Socure Global Privacy Lead Annie Bai, CIPP/C, CIPP/US, CIPM, FIP, and CulhaneMeadows Partner Peter McLaughlin, CIPP/US, CIPT, wrote for the IAPP in August 2019. “This presents a considerable risk to organizations by enabling a data breach while ostensibly trying to comply with the law and support a consumer’s data access request.”
The CCPA did foresee this problem and set up checks and balances by requiring companies to verify and authenticate those making any type of data request. “For password-protected accounts, the proposed regulations allow businesses to verify the consumer’s identity through its existing authentication practices if those practices are otherwise consistent with the CCPA regulations,” Ballard Spahr's Philip Yannella and Gregory Szewczyk wrote for Cyber Advisor.
For non-password protected accounts, they added, the CCPA suggests a multi-tiered verification process. “To meet this standard, businesses could match two ... pieces of consumer provided personal information with personal information maintained by the business. For requests to know specific pieces of information, businesses must verify the consumer to a reasonably high degree of certainty, which can be accomplished by matching three ... pieces of consumer provided personal information with personal information retained by the business.”
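The tiered standard quoted above is straightforward to encode as a policy check at the intake side of a DSR workflow. The following Python module is an added example, not code from DataGrail or from the article's authors: it accepts existing account authentication for password-protected accounts, and otherwise counts how many consumer-provided data points match what the business holds, requiring two matches for a reasonable degree of certainty and three for requests to know specific pieces of information. The request-type mapping, the field names, the sample record and the `verify_request` function are all assumptions made for illustration, and the thresholds are taken from the quoted text rather than from the regulations themselves.

```python
"""Added example: tiered verification of a CCPA data subject request (DSR).

Assumed policy (from the two-piece / three-piece standard quoted above):
  - password-protected account + existing authentication  -> verified
  - otherwise, match >= 2 consumer-provided data points    -> verified
  - requests to know *specific* pieces need >= 3 matches   -> verified
Everything else is queued for manual fraud review.
"""
from dataclasses import dataclass
from enum import Enum
import hmac


class RequestType(Enum):
    KNOW_CATEGORIES = "know_categories"  # right to know categories of data collected
    KNOW_SPECIFIC = "know_specific"      # right to know specific pieces of data
    DELETE = "delete"                    # right to deletion


# Assumed mapping of request type -> minimum number of matching data points.
REQUIRED_MATCHES = {
    RequestType.KNOW_CATEGORIES: 2,
    RequestType.DELETE: 2,
    RequestType.KNOW_SPECIFIC: 3,
}

# Constructed sample of what a business might hold (hypothetical record store).
STORED_RECORDS = {
    "cust-1001": {
        "email": "alex@example.com",
        "postal_code": "94105",
        "phone": "+14155550100",
        "last4_card": "4242",
    },
}


@dataclass
class VerificationResult:
    verified: bool
    required: int            # matches the policy demanded (0 when account auth was used)
    matched_fields: list     # which consumer-provided fields matched stored data
    reason: str              # for the internal audit log only, never shown to the requester


def _normalize(value: str) -> str:
    """Canonicalise a data point so formatting differences don't cause false mismatches."""
    return "".join(value.split()).lower()


def _matches(provided: str, stored: str) -> bool:
    # Constant-time comparison: a probing requester should not learn stored
    # values one character at a time from response timing.
    return hmac.compare_digest(_normalize(provided).encode(), _normalize(stored).encode())


def verify_request(request_type, provided, stored_record, authenticated_session=False):
    """Decide whether a DSR meets the verification tier for its request type.

    provided       -- dict of field -> value supplied by the requester
    stored_record  -- the business's record for the claimed identity, or None
    """
    if authenticated_session:
        # Password-protected account: rely on the existing authentication practice.
        return VerificationResult(True, 0, [], "existing account authentication")

    required = REQUIRED_MATCHES[request_type]
    if stored_record is None:
        # Log the miss internally; the requester gets the same generic response
        # as any other unverified request, so they cannot enumerate accounts.
        return VerificationResult(False, required, [], "no record for claimed identity; fraud review")

    matched = [
        field for field, value in provided.items()
        if field in stored_record and _matches(value, stored_record[field])
    ]
    if len(matched) >= required:
        return VerificationResult(True, required, matched,
                                  f"{len(matched)} of {required} required data points matched")
    return VerificationResult(False, required, matched,
                              f"only {len(matched)} of {required} required data points matched; fraud review")


if __name__ == "__main__":
    record = STORED_RECORDS["cust-1001"]
    two_points = {"email": "Alex@Example.com ", "postal_code": "94105"}
    print(verify_request(RequestType.KNOW_CATEGORIES, two_points, record))
    print(verify_request(RequestType.KNOW_SPECIFIC, two_points, record))  # needs a third match
```

The `reason` field is deliberately separated from what the requester sees: every unverified outcome, including "no record for claimed identity", should produce the same consumer-facing response, while the audit log keeps the detail that security operations needs to spot patterns in unverified and spam requests.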
Our research shows just how vital the verification process is to prevent fraud. Three out of every 10 requests will likely not be verified and could be fraudulent attempts at accessing or deleting data. In fact, of the unverified DSRs, 21% were marked spam. Or, for every five requests a company receives, one will be spam.
Whereas DNS requests make up the majority of verified requests, fraudulent requests are most often access requests, which account for 70% of all unverified inquiries. This is consistent with fraud attempts aimed at gaining access to someone’s personal data.
Using the EU General Data Protection Regulation as a guide, the first major CCPA fines should come in October. This could change the way consumers submit data requests, especially if there is a large data breach, and we still don’t know how the pandemic will impact future requests.