How to Implement CCPA Without Impacting Customer Service


One of the realities of working in customer service today is that you probably handle a significant amount of customer data on a daily basis. Personally identifiable information (PII) is any piece of data that can be tied back to a person’s identity. Name, address, date of birth, and Social Security number are the data points we often associate with PII, but information such as IP address or mobile phone data, when it’s combined with a name, is also considered PII.

So what does this mean for you and your business? Depending on where in the United States your company does business and exactly what type of PII you collect from customers and store in a database or server, you may be subject to the new consumer data privacy regulations set forth by the California Consumer Privacy Act (CCPA).

If you haven’t yet heard of CCPA or aren’t quite sure how CCPA impacts customer service, keep reading to learn more.

CCPA Requirements and Customer Service

In broad terms, the California Consumer Privacy Act (CCPA) impacts certain companies that do business in or with the state of California. The law went into effect on January 1, 2020, and will be enforced beginning in July 2020. At its core, CCPA grants several important data privacy rights to Californians.

Under CCPA, Californians have the right to:

  1. Know what data companies have on them
  2. Access their personal data
  3. Understand whether and to whom their personal information has been sold or disclosed
  4. Refuse the sale of their personal data
  5. Request that an organization delete their personal information

Another important part of CCPA is the law’s provision that prohibits companies from penalizing customers who take advantage of their privacy rights, whether by increasing prices or restricting services.

CCPA’s Impact on Customer Service

When a consumer in California submits a request to access, share or delete their personal data under CCPA (usually referred to as a verifiable consumer request, or VCR), the company receiving that request must first verify the identity of the requestor.

Customer service representatives are typically a business’s first line in fielding and fulfilling VCRs, so it’s vital that the individuals in these roles are both trained in data security and identity verification best practices and equipped with the tools they need to do their jobs correctly and efficiently. Releasing PII, especially if it’s sensitive, to the wrong person is a breach of privacy with far-reaching negative (and potentially costly) consequences.

Identity verification (IDV) is a vital step in ensuring CCPA compliance and avoiding fines, but it’s also a significant differentiator when it comes to customer experience. Research shows that American consumer distrust only deepens with successive hacks and data breaches. As a result, consumers place a high value on the security of an onboarding and servicing engagement, regardless of whether the process occurs online, in person, or over the phone.

Respondents to IDology’s second annual consumer digital identity survey reported that a secure account opening process (88%) is more important than the process being easy (67%) or quick (57%). Businesses also need to consider generational differences in their customer base. Younger consumers, particularly millennials and Generation Z, are far less likely to tolerate difficult or lengthy sign-up processes. Companies that employ cutting-edge IDV and fraud-deterring solutions that don’t create unnecessary hurdles for users will be at an advantage when it comes to customer acquisition and retention.

What makes the IDV process complex under CCPA is the fact that there are hundreds of potential combinations of requestor types (consumers with password-protected online accounts versus those without, for instance), request submission channels (such as an online or in-person form, email or phone), and verification methods (mobile ID document scanning, mobile authentication, or knowledge-based authentication questions, for example).

No one likes to jump through hoops to get the information they’re looking for, so if the identity verification process is rife with unnecessary speed bumps, customer experience is going to take a serious hit.

Preserving Customer Experience Under CCPA

If your company is impacted by CCPA, there’s no way to get around complying with the regulations or offering secure and effective IDV without damaging the reputation you have with customers and incurring significant fines. There’s a fine line, after all, between protecting your customers’ PII, complying with CCPA regulations, and putting in place so much security that you start to lose customers to the competition.

The following are IDology’s recommendations for maintaining great customer service while complying with CCPA:

1. Implement a scalable IDV solution

Once CCPA goes into effect, businesses should be prepared for a variety of VCRs from all types of requestors, including those with and without password-protected online accounts and guardians of minor children.

Fielding these requests manually is costly, cumbersome and inefficient. Gathering the data is time-consuming, but that step is only part of each request—before data compilation can begin, the identity of the requestor must first be verified. This means matching the identity data the requestor submits with data in the public record.

The best, most efficient way to do this is to use an IDV solution that verifies identities quickly by mining deep data sources. An automated, scalable solution will be able to handle large (and small) volumes of requests by verifying multiple identities concurrently, as opposed to a manual process that can only handle one request at a time. Once the requestor’s identity has been verified, your company can then go about compiling the data and delivering that information to the appropriate person.

2. Apply the right amount of friction at the right time

Friction—the ability of an IDV solution to determine the level of engagement, effort and identity information needed based on the data’s sensitivity and the specifics of the request—is what helps ensure that your company’s customer service representatives aren’t releasing information to a fraudster.

Depending on the sensitivity of the data requested, you may need to apply friction immediately or later in the IDV process and only under certain circumstances.

3. Communicate with your customers

CCPA regulations require companies to respond to VCRs within 45 days. In some cases, however, a VCR may take longer to fulfill. Companies can take up to 45 or 90 additional days to fulfill requests, but they must document a reason—and communicate that reason to the requestor.

This transparency is essential. Data privacy laws are founded on the principle of increasing transparency, after all, so be sure to equip your customer service representatives with the templates, information and tools they need to prevent any VCR responses from falling through the cracks.

Attention to customer experience will ensure that your business retains (and even gains) customers without compromising data security and compliance with important regulations.

Christina Luttrell is the COO for IDology, a GBG company and leader in multi-layered identity verification and fraud prevention. In her 10 years at IDology, Luttrell has significantly advanced the company’s technology, forged close relationships with IDology customers and driven the development of technology innovations that help organizations stay ahead of constantly shifting fraud tactics without impacting the customer experience.