CCPA Compliance and Your Customer Identity Program
Principally, all California residents are protected under the California Consumer Privacy Act with respect to any information that relates to them. This means that companies around the world will have to comply with the California Consumer Privacy Act if they receive personal data from California residents and if they — or their parent company or a subsidiary — exceed one of three thresholds:
- Annual gross revenues of $25 million;
- Obtains personal information of 50,000 or more California residents, households or devices annually; or
- 50% or more annual revenue from selling California residents’ personal information.
Because many forms of identity verification collect personal information including information on government-issued IDs, biometric information, and/or pictures of consumers, these solutions are bound to comply with CCPA.
CCPA broadly defines personal information to cover types of information not traditionally considered personal information in the United States, including:
- IP addresses
- Email addresses
- Records of purchasing or consuming histories or tendencies
- Browsing history and search history
- Geolocation data
- Audio, visual, or thermal information
- Professional or employment information
- Education information
What to Look for in a CCPA Compliant Identity Verification Solution
CCPA-compliant solutions should be transparent about the types of personal data collected as part of the identity verification process. Your chosen identity verification solution must:
- Be able to equip their business customers with a complete list of the personal data collected confidential.
- Be able to manage consumer requests for deletion of personal data after the identity verification has been performed.
- Have a policy against re-selling consumer data without prior acknowledgment (businesses should seek written confirmation that consumer data is kept strictly confidential).
- Store PII data securely and have predetermined data retention policies in place to assure the timely deletion of that data.
- Have the ability to manually override retention policies and have consumer data deleted upon written request.
Identity verification solutions that are already PCI-DSS compliant have a significant head start because of the security and data protection mandates they must meet and vet with independent auditors. Likewise, any solution that is already GDPR compliant should be able to tick most, if not all, of the compliance mandates of CCPA.
