The California Consumer Privacy Act, or CCPA, is an unprecedented privacy law going into effect January 1, 2020. CCPA is expected to be the strictest data privacy law in the U.S. and will accomplish three major objectives, giving California residents the right to:

1. Know what information businesses are collecting about them
2. Tell a business not to share or sell their personal information
3. Protections against businesses that do not uphold the value of their privacy.

CCPA compliance is a fast-approaching reality for organizations around the world. If they receive personal data from California residents, then they must implement a number of procedures including:

• Right to Access: Organizations subject to the CCPA must honor consumers’ requests regarding the right to access their personal information. The disclosure process of the information requested must be free of charge for a consumer and sent by physical mail or electronically.
• Right to Delete: Organizations subject to the CCPA have an obligation to honor consumers’ requests regarding the right to delete their personal information.

Verifiable Consumer Requests

When a consumer requests a copy of their personal information (or requests its deletion), your organization can only comply if it’s a verifiable request — in other words, you need to verify a person’s identity before disclosing the requested information or deleting it.

But how does a business or organization know that the consumer attempting to exercise these rights is who they claim to be?

This is where online identity verification comes into play. The role of online identity verification is to tie the digital identities of your online customers and users (who they claim to be) to their real-world identities (who they are in real life).

Large-scale data breaches, phishing and social engineering attacks have made it easier for fraudsters to assume the online identities of legitimate account owners through account takeover fraud, which involves a criminal gaining unauthorized access to a user’s account and using it for some type of personal gain.

This means when a consumer requests to know what information has been collected about them, the business or organization must ensure that they do not inadvertently divulge personal information to a would-be fraudster.

The most reliable way to ensure that data is securely shared is via biometric authentication. Face-based biometrics are far more convenient for consumers than traditional methods of online verification. They’re also much more secure and cannot be hacked or duplicated. The data can be kept on the device, rather than on a server or in the cloud, and can remain secure even if the device is stolen. Just as important, face-based biometrics offers a simple one-step solution to the problem of remembering a vast array of PINs and passwords.

How face-based authentication works

Jumio’s biometrics-based approach starts when a new user creates an online account. Users are asked to use their smartphone or webcam to capture a picture of their government-issued ID (such as a driver’s license, passport or ID card) and a selfie, which are then compared to each other to deliver a definitive match/no match decision. As part of the identity proofing process, Jumio creates a 3D face map of the user, which is then stored and bound to the new customer during the initial enrollment process.

3D face-mapping contains 100 times more data points than a 2D photo, and is required to accurately recognize the correct user’s face while concurrently verifying their human liveness.

Spoofing attacks by fraudsters are on the rise in an attempt to fool the selfie requirement. Spoofing attempts generally use a photo, video or a different substitute for an authorized person’s face in order to acquire someone else’s privileges or access rights. To foil these attempts, modern identity verification companies leverage certified liveness detection that captures biometric data through a smartphone’s front-facing selfie camera or a desktop computer’s webcam.

Let’s assume that a California-based consumer makes a CCPA request to know what data has been captured by the organization. Companies want to ensure that the CCPA requestor is the legitimate account owner. Instead of relying on a username and password, the user only needs to capture a new selfie. Because a complete face map was captured when the account was created, the user just needs to take a fresh selfie. A new face map is then compared to the original 3D face map captured during enrollment and a match/no match decision is made. This authentication process takes just seconds to complete.

This type of authentication enables online companies to reliably authenticate CCPA requests and ensure that information is only shared with legitimate customers, not bad actors posing as customers to secure personal information. It also nullifies the risk of account takeover since it does not rely on a username and password which could have easily been stolen from the dark web, phishing or social engineering.

Download the Guide to CCPA Readiness for Online Identity Verification to learn how Jumio can help your business comply with the CCPA.