Set to come into effect in 2020, the California Consumer Privacy Act, A.B. 375 (CCPA) affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other protections, the law stipulates that consumers have the right to request the deletion of personal information, opt out of the sale of personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.
Who is Impacted?
Affected businesses are for-profit entities doing business in California that meet certain revenue or data collection volume requirements.
CCPA Compliance and Your Customer Identity Program
Principally, all California residents are protected under the California Consumer Privacy Act with respect to any information that relates to them. This means that companies around the world will have to comply with the California Consumer Privacy Act if they receive personal data from California residents and if they—or their parent company or a subsidiary—exceed one of three thresholds:
(A) annual gross revenues of $25 million;
(B) obtains personal information of 50,000 or more California residents, households or devices annually; or
(C) 50% or more annual revenue from selling California residents’ personal information.
Because many forms of identity verification collect personal information including information on government-issued IDs, biometric information, and/or pictures of consumers, these solutions are bound to comply with CCPA.
CCPA broadly defines personal information to cover types of information not traditionally considered personal information in the United States, including:
Records of purchasing or consuming histories or tendencies
Browsing history and search history
Audio, visual, or thermal information
Professional or employment information
What to Look for in a CCPA Compliant Identity Verification Solution
CCPA-compliant solutions should be transparent about the types of personal data collected as part of the identity verification process. Your chosen identity verification solution must:
Be able to equip its business customers with a complete list of the personal data collected.
Be able to manage consumer requests for deletion of personal data after the identity verification has been performed.
Have a policy against re-selling consumer data without prior acknowledgment (businesses should seek written confirmation that consumer data is kept strictly confidential).
Store PII data securely and have predetermined data retention policies in place to assure the timely deletion of that data.
Have the ability to manually override retention policies and have consumer data deleted upon written request.
Identity verification solutions that are already PCI-DSS compliant have a significant head start because of the security and data protection mandates they must meet and vet with independent auditors. Likewise, any solution that is already GDPR compliant should be able to tick most, if not all, of the compliance mandates of CCPA.
How Jumio Can Help
Jumio provides any business that captures data from California residents with the requisite data security, transparency and retention policies to comply with CCPA.
Jumio will never sell consumer data to third parties. Just as importantly, Jumio stores and protects consumer data, captured during the identity verification process, under PCI-DSS’s strict data security requirements.
Jumio has the ability to delete any data captured during the online identity verification process, including information captured from government-issued IDs, biometric information, and selfie images. Business customers can enforce strict data retention periods or have the identity information deleted automatically after a verification decision has been rendered.