
Privacy Risks Emerge in DSAR Responses by Businesses

Organizations need to be aware of potential privacy risks during their General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance efforts. Although enhanced transparency and consumer control around data privacy can result in higher trust from consumers, they can also create privacy concerns in and of themselves.

For example, Amazon reportedly responded to a data subject access request (DSAR) under GDPR with voice recordings from another user in December. The user requested their data from the organization but was given voice recordings and command transcripts made by the Amazon Alexa device of another user. The user requesting access to their personal data did not own an Alexa.

How could this happen?

GDPR requires organizations to provide a protected individual with their personal data upon request. The right to access is defined by GDPR Article 15, which specifies the information that must be provided to a data subject upon request for access to their personal data. It is part of the data subject access rights.

GDPR does not require DSAR automation. The requirement can be fulfilled if an individual is instructed to email the company’s privacy team and the organization subsequently fulfills the request manually.

With each company building its own DSAR process, automation mistakes, bad actors and human error can all be introduced into the process. In the case of Amazon, the company told media that it was a case of human error.

The California Consumer Privacy Act (CCPA) has a similar requirement to GDPR with its own right to access for consumers. Covered businesses will need to provide individuals with the ability to access their personal information starting on the new privacy law’s implementation date of January 1, 2020.

As part of the CCPA process, organizations are required to respond if they receive a verifiable consumer request. In other words, if the business cannot verify the identity of the consumer, then it is not required to provide the requested personal information. This puts the onus on businesses to ensure that the information is being provided to the proper individuals.


How will businesses verify users?

This has not been specified by the CCPA in its text yet. Instead, the law requires a business “to take steps to determine whether the request is a verifiable consumer request” and prohibits a requirement to create an account. Businesses are expected to match up the information provided by the consumer to the personal information already in the business’ possession to verify the consumer. The California Attorney General is expected to issue regulations to further clarify the procedures that a business must follow.
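The two controls the paragraphs above describe, verifying a request by matching the requester’s supplied attributes against the personal information already on file, and then releasing only the verified subject’s records, can be made explicit in code. The following is an added example, not Clarip’s software or any process the article describes; the customer records, the two-matching-fields policy and the field names are constructed assumptions. The final release check is what would have caught a mix-up like the Alexa incident, where records belonging to a different subject were bundled into the response:

```python
"""Added example (not Clarip's code): a minimal DSAR fulfilment flow that
(1) verifies a request by matching claimed attributes against the record
already held, and (2) refuses to release a package containing records of any
other subject. All data below is constructed for illustration."""

import hmac

# Constructed records of personal information the business already holds.
SUBJECTS = {
    "sub-1001": {"email": "alice@example.com", "postal_code": "94103", "last4_phone": "4821"},
    "sub-1002": {"email": "bob@example.com", "postal_code": "10001", "last4_phone": "7733"},
}

# Constructed per-subject data, including voice transcripts of the kind at issue.
RECORDS = [
    {"subject_id": "sub-1001", "type": "order", "value": "Order #A17: headphones"},
    {"subject_id": "sub-1002", "type": "voice_transcript", "value": "alexa, play jazz"},
    {"subject_id": "sub-1002", "type": "voice_transcript", "value": "alexa, set a timer"},
]

# Assumed verification policy: at least two independent data points must match.
MIN_MATCHING_FIELDS = 2


def _normalise(value):
    """Case and whitespace should not cause a legitimate requester to fail."""
    return value.strip().lower()


def verify_request(subject_id, claimed):
    """True if enough claimed attributes match the stored record.

    Unknown subject ids fail closed, and every stored field is compared with
    hmac.compare_digest so the comparison does not short-circuit on a mismatch.
    """
    stored = SUBJECTS.get(subject_id)
    if stored is None:
        return False
    matched = 0
    for key, stored_value in stored.items():
        claimed_value = claimed.get(key)
        if claimed_value is None:
            continue
        if hmac.compare_digest(_normalise(stored_value).encode(),
                               _normalise(claimed_value).encode()):
            matched += 1
    return matched >= MIN_MATCHING_FIELDS


def assemble_records(subject_id):
    """Collect the records that belong to one subject."""
    return [r for r in RECORDS if r["subject_id"] == subject_id]


def release(subject_id, records):
    """Last gate before anything leaves the organisation: every record in the
    package must belong to the verified subject, otherwise nothing is sent."""
    foreign = [r for r in records if r["subject_id"] != subject_id]
    if foreign:
        raise RuntimeError(
            f"response for {subject_id} contains {len(foreign)} record(s) of another subject; blocked")
    return records


def build_response(subject_id, claimed):
    """Full flow: verify the requester, assemble their data, then gate the release."""
    if not verify_request(subject_id, claimed):
        raise PermissionError("request could not be verified; no data released")
    return release(subject_id, assemble_records(subject_id))


if __name__ == "__main__":
    # A legitimate request with two matching fields succeeds and yields only Alice's data.
    print(build_response("sub-1001", {"email": "Alice@Example.com", "last4_phone": "4821"}))
    # A mis-assembled package (all records, as if an operator exported the wrong account)
    # is stopped by the release gate even though the requester was verified.
    try:
        release("sub-1001", RECORDS)
    except RuntimeError as exc:
        print("blocked:", exc)
```

Keeping verification and the release gate as separate steps matters: verification establishes who is asking, but a manual or automated export can still pull the wrong account, so the last check before sending compares every record against the verified subject rather than trusting the assembly step.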

The public discussion process for these regulations will start in a few days with six public hearings held by the CaAG across California. Getting the procedures for verifying a consumer request right over the next year will be important, because a privacy law that increases privacy leaks subverts the intent of the process.

What will happen with the DSAR regulations?

It is far too soon to know. There has been little discussion, if any, of whether California should set specific procedures that risk being too rigid, or more general rules for organizations that may not provide enough guidance or protections.

The trend in discussions at the federal level has been against the creation of rigid rules that limit flexibility and innovation. However, with the large number of data breaches happening over the past few years, opening up a new avenue to expose personal data to bad actors could become a problem.

Support among the public for greater power over its data has been strong since Cambridge Analytica. We last talked about the importance of data privacy to the public back in November, when a new Harris Poll revealed that Americans choose data privacy as the most pressing issue on their minds. Data privacy was chosen ahead of healthcare, supporting veterans, and job creation, among other things.

Solidifying the DSAR process against leaks will be an important component of protecting consumer privacy over the next few years. It has already happened accidentally to Amazon. As requests for personal information increase, it may happen more. Businesses need to ensure that they are putting in place adequate protections against leaks in their DSAR process – both for GDPR and for the upcoming CCPA law.


Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

