The  California Consumer Privacy Act of 2018, or CCPA for short, is a law that protects the privacy rights of California consumers. In a way, it provides consumer support because it grants consumers the right to access their data, the right to request the deletion of personal information, and the right to opt-out of the sale of personal information. Any business who serves California residents and satisfies one or more of the following thresholds should comply with the CCPA rules:

a) an annual gross revenue of over $25 million;

b) annually receives personal information of 50,000 or more consumers, households, or devices;

c) derives 50 percent or more of its annual revenue from selling consumers’ personal information.

It’s natural for businesses to worry about data breaches and fraudsters because they could lose it all. The CCPA’s verifiable consumer request, on the other hand, with no classification as to what request is to be considered as verifiable, makes it harder for businesses to protect their customers’ information. So, how will it affect the consumer support process?

What is a verifiable consumer request?

When a consumer wants to access their personal information that was collected by a business or when a customer wants to request for deletion of their collected information, they should submit a verifiable request to your consumer support.  A verifiable consumer request  is defined as:

“… a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify… to be the consumer about whom the business has collected personal information.”

Otherwise, a business doesn’t have to provide information to the person making the request if the business cannot verify “that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.“

In addition to CCPA compliance, businesses should provide two or more designated methods for submitting the requested information, namely a toll-free number for consumer support or a website address (if the business has a website) that allows consumers to directly contact the company.

They should disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. Moreover, the business shall not require the consumer to create an account with the business in order to make a verifiable request.

It is stated that the business shall promptly take steps to determine whether the request is a verifiable request. But what is the classification of a verifiable request? How do you consider one’s request as verifiable? Since it’s a bit fuzzy in this area, as a business owner, you need to step up your business to meet the requirements and secure the customer’s information.

How does it affect the customer support process?

The verifiable consumer request introduces a threat to both businesses and consumers as this can be exploited by fraudsters. The fine for information leaks is up to $750 per individual whose personal information has been leaked. So, a business should impose stronger practices to verify the identity of the person requesting such information. For instance, they can provide toll-free numbers to their customer service that consumers can easily access. The challenge there is, how will you know that the one calling is the right person and not a fraud?

Moreover, fraudsters are experts on bypassing security measures, thus tricking customer representatives. If your business happens to have weak security measures about this situation, you’ll find yourself soon entangled with fines and charges for providing access to unauthorized third parties via fake requests.

Aside from that, you should ensure that all individuals handling consumer inquiries about the business’ privacy practices or the business’ compliance with this law are informed of all the requirements. They should also know how to direct consumers to exercise their rights under the CCPA law.

There is a need to orient your front liners about the CCPA rules and guidelines like the Section 1798.120 of the law, which states that a consumer shall have the right at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.