CCPA enforcement straining manual privacy request processes

Dive Brief:

GDPR-compliant organizations were manually handling data requests, but the addition of the California Consumer Privacy Act is stressing manual processes, according to Anna Westfelt, co-head of Data Privacy Practice of law firm Gunderson Dettmer Stough Villeneuve Franklin & Hachigian, LLP, while speaking during a webcast hosted by DataGrail Tuesday.
CCPA-compliant organizations saw a massive uptick in requests in January, when the law went live, according to DataGrail research. In January, when some companies issued updates to their website privacy policies, organizations began to receive upwards of 25 privacy requests per 1 million consumer records.
However, more requests are done by bots, forcing organizations into more vigilant verification processes, according to Westfelt. The manual process "became a lot more complex quickly" because companies could face additional legal challenges by unintentionally contributing to identity theft.

Dive Insight:

Even though 33 entities requested an enforcement delay, the California attorney general plans to begin CCPA enforcement in July. The California AG can conduct "retroactive enforcement," pursuing any violations that occurred since January.

Two-thirds of organizations fear they cannot sustain their compliance, even as privacy becomes a living component of business strategy. Privacy audits will become routine, which will force some companies to overhaul their data mapping system. "That's an expensive challenge," said Westfelt.

Because companies are performing data requests manually, Westfelt recommends a layered approach to sorting requests depending on the risk of the data in question. Data could be harmful to the consumer if shared with the wrong individual.

In particular, access requests put consumers at risk if it is a fraudulent request. The best way to verify the identity behind a request is confirming information the consumer should know. "Then you're telling them something they already know," said Westfelt.

But companies also have to determine the safest and most readable format to relay the data over to the consumer: password-protected PDF file, download, CVS file, CVP file, or other options depending on file sensitivity.

Companies have assigned several individuals the task of handling requests because if data exists across systems, "you may not get a request done correctly at the first attempt," Westfelt said. There's also a possibility of someone accidentally adding data back into a system, after the consumer requested deletion.

Because of the nuances between GDPR and the CCPA, and the CCPA's "expansive definition" of what qualifies for certain requests, "it's information you probably wouldn't have looked for before," said Westfelt.

DataGrail projects the average number of data requests will reach about 11 per 1 million customer records in May, a decline from January. While deletion requests are highest in demand, Westfelt expects "do not sell" (DNS) requests to become the dominant action of consumers.

DNS requests have little impact on consumers because they don't have to sever ties with an organization, they just ensure their data is used by only the organization they give it to. Companies are reluctant to publicly post on their websites a reference to a DNS policy because it leaves the impression that it's an activity the organization engages in — even if they don't.

Companies are reluctant to publicly post on their websites a reference to a DNS policy because it leaves the impression that selling data is an activity organizations engage in — even if they don't.