Clarip Privacy Blog

The Importance of Consumer Verification for DSARs

A researcher recently exploited the data subject access rights provisions of the General Data Protection Regulation (GDPR) to obtain the personal data of his significant other, demonstrating how privacy laws can themselves be turned into a vector for identity theft.


Both the GDPR and the upcoming California Consumer Privacy Act (CCPA) give individuals the right to access the personal information that businesses hold about them. The GDPR applies to organizations processing the personal data of individuals in the EU. The CCPA applies to businesses meeting certain revenue or data thresholds starting on January 1, 2020. Both laws also require businesses to delete personal information under certain circumstances.

There have already been several reports of problems with data subject access rights, including entities sending one individual's personal information to a different person in response to an otherwise valid data subject access request.

The problem is under consideration by California legislators as well as the California Attorney General's Office. Among the proposed amendments to the CCPA under consideration by the California Senate, AB-25 (the employee data exclusion) also includes a change to allow businesses to better verify consumers. This change would allow businesses to require consumers who already have an account to log in to it before submitting an access request. The current version (as amended by SB-1121 last year) only says that a business shall not require the consumer to create an account in order to make a verifiable consumer request.

The AB-25 amendments, if passed, would also allow businesses to require authentication that is reasonable in light of the nature of the personal information requested. The same concept, authentication proportional to the sensitivity of the personal information, is already used in GDPR compliance.

Whatever the California State Legislature does on this issue, the California Attorney General is also likely to weigh in with additional regulatory requirements this fall. Section 1798.185(a)(7) of the California Consumer Privacy Act calls on the AG to establish rules and procedures governing a business's determination that a request is a verifiable consumer request under the law. The CCPA also currently asks the AG to weigh in on the mechanism by which a consumer requests information and is verified.

The focus on verifiable consumer requests kicked off earlier this year when businesses and privacy professionals began to consider how to verify requests made by third parties on behalf of consumers. The CCPA explicitly allows such requests to be made. However, introducing third parties into the equation makes authentication even more challenging: the business must now verify both the consumer's identity and the third party's authority to act for that consumer.

Authenticating a verifiable consumer request requires strong processes and procedures to ensure that the personal information of the business's customers is protected while the business operates in compliance with the CCPA.
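To make the two ideas above concrete (verification proportional to the sensitivity of what is requested, and extra checks for third-party agents), here is an added example of a DSAR gate written for this post. It is not Clarip's code or any product's code; the assurance levels, the sensitivity classification of data categories, and the sample records are assumptions chosen for illustration. It also guards against the failure mode mentioned earlier, sending the wrong person's data, by selecting records only by the identifier that the verification step established, never by a name or e-mail typed into the request form.

```python
"""Risk-proportional verification gate for data subject access requests.

Added example for this post, not Clarip's code. Assurance levels, the
category-to-tier classification and the sample records are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Assurance(IntEnum):
    """Identity assurance the requester has demonstrated, lowest to highest."""
    NONE = 0
    EMAIL_OTP = 1     # one-time code sent to the e-mail address already on file
    ACCOUNT_MFA = 2   # login to the existing account plus a second factor
    ID_DOCUMENT = 3   # identity document reviewed out of band


# Assumed sensitivity classification: minimum assurance before a category
# may be disclosed. Anything not listed here is refused rather than defaulted.
CATEGORY_MIN_ASSURANCE = {
    "marketing_preferences": Assurance.EMAIL_OTP,
    "order_history": Assurance.ACCOUNT_MFA,
    "home_address": Assurance.ACCOUNT_MFA,
    "payment_instruments": Assurance.ID_DOCUMENT,
    "health_survey": Assurance.ID_DOCUMENT,
}


@dataclass(frozen=True)
class Requester:
    assurance: Assurance
    verified_subject_id: Optional[str]  # set only by the verification step
    is_agent: bool = False              # third party acting for the consumer
    agent_authorization: bool = False   # consumer's signed authorization seen


@dataclass(frozen=True)
class Decision:
    action: str                         # "fulfil", "step_up" or "reject"
    required: Assurance
    reason: str = ""


def required_assurance(categories: List[str]) -> Assurance:
    """Highest tier among the requested categories; unknown categories fail closed."""
    if not categories:
        raise ValueError("no categories requested")
    unknown = sorted(set(categories) - CATEGORY_MIN_ASSURANCE.keys())
    if unknown:
        raise ValueError(f"unclassified categories: {unknown}")
    return max(CATEGORY_MIN_ASSURANCE[c] for c in categories)


def evaluate(requester: Requester, categories: List[str]) -> Decision:
    """Decide whether the request may be fulfilled at the presented assurance."""
    need = required_assurance(categories)
    if requester.is_agent and not requester.agent_authorization:
        return Decision("reject", need, "third-party agent without authorization")
    if requester.verified_subject_id is None or requester.assurance == Assurance.NONE:
        return Decision("step_up", need, "identity not verified")
    if requester.assurance < need:
        return Decision("step_up", need,
                        f"{requester.assurance.name} below {need.name}")
    return Decision("fulfil", need)


def build_export(records: Dict[str, dict], requester: Requester,
                 categories: List[str]) -> dict:
    """Assemble the response for a fulfilled request.

    Records are keyed by the verified subject id. Selecting by a name or
    e-mail the requester typed into the form is how two customers who share
    a name end up receiving each other's data.
    """
    decision = evaluate(requester, categories)
    if decision.action != "fulfil":
        raise PermissionError(decision.reason)
    subject = records.get(requester.verified_subject_id, {})
    return {c: subject.get(c) for c in categories}


# Constructed sample store: two customers with the same display name.
RECORDS = {
    "sub-1001": {"name": "A. Smith", "marketing_preferences": "weekly",
                 "order_history": ["#41"], "health_survey": "declined"},
    "sub-1002": {"name": "A. Smith", "marketing_preferences": "none",
                 "order_history": ["#77"]},
}

if __name__ == "__main__":
    otp_only = Requester(Assurance.EMAIL_OTP, "sub-1001")
    print(evaluate(otp_only, ["order_history"]))            # step_up to ACCOUNT_MFA
    logged_in = Requester(Assurance.ACCOUNT_MFA, "sub-1002")
    print(build_export(RECORDS, logged_in, ["order_history"]))  # only sub-1002's data
    agent = Requester(Assurance.ACCOUNT_MFA, "sub-1001", is_agent=True)
    print(evaluate(agent, ["marketing_preferences"]))       # reject: no authorization
```

The design choice worth noting is that the gate computes the required tier from the whole set of requested categories, so adding one sensitive category to an otherwise low-risk request raises the bar for the entire request rather than silently disclosing the low-risk part at the wrong level.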

This issue will play out over the next few months and years. Businesses need to make sure that, in their efforts to comply with the new privacy laws, they do not unknowingly weaken their safeguards on personal information. The last thing consumers need is a new way for attackers to gain access to all of their personal information.

If your organization is looking for technical solutions to the problem of consumer verification, please call Clarip at 1-888-252-5653 or use our contact form to send us a message.
