How Legislation is Driving the Future of Digital Identity

As we predicted last year, GDPR progress has driven additional identity-related legislation. Consumers want to know that steps are being taken to put value on their identity and politicians are enacting legislation around digital IDs. Consumers have also been driven to advocate for more ownership over how and when their personal information gets shared.

Mastercard recently released a study revealing that the overwhelming majority of individuals and business leaders (90%) feel data privacy is universally important. As a result, digital identity is at the forefront of conversations about the future of privacy, legislation and how PII can be protected.

Consumers Show a Willingness to Embrace Digital IDs

Multiple studies have shown that consumers are not only ready for digital IDs but are requesting them to authenticate their online engagement with government agencies and businesses alike.

Research from the DIACC (Digital ID and Authentication Council of Canada) revealed that 70% of Canadians want to see governments and the private sector come together to collaborate on a joint digital identity framework in Canada. This digital ID platform would enable increased and inclusive access to government benefits, healthcare, e-commerce, and financial services. Respondents believe that this model will help better safeguard their personal information and create a more efficient user experience.

Digital IDs are Being Adopted Globally

Just last month, Colorado’s Gov. Jared Polis signed an executive order supporting the widespread adoption of “digital personal information technology.” Colorado residents will now be able to create a digital ID that can serve as proof of age, address or identification through the state’s myColorado mobile app. Theresa Szczurek, chief information officer since January, is helping lead the effort. Since the launch, about 20,000 Colorado residents have digitized their IDs.

Colorado is one of the early state adopters of digital identification – Washington D.C. also announced a forthcoming pilot program. The service is becoming a trend as state governments attempt to offer digital services on par with those offered by private companies.

The EU also recently extended the deadline for the revised Payment Services Directive (PSD2), which enables bank customers, both business and consumer, to give third-party providers permission to retrieve their account data from their banks. This push towards Strong Customer Authentication (SCA) comprises “an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).”

International and State Laws are Increasingly Addressing Data Privacy Legislation

A growing number of international, national and US state laws and regulations seek to govern the collection, safeguarding and sharing of consumer data, specifically to give consumers visibility and control over how their data is used. GDPR, which took effect last year, is among the most notable and comprehensive of these regulations.

The California Consumer Privacy Act (CCPA), which will take effect in January 2020, is currently the strictest data privacy law in the US. In the absence of preemptive federal law, many U.S. states, including New York, are considering laws similar to the CCPA. Congress has also begun to consider what a national data privacy law might look like.

But privacy and data security experts suggest this may be just the tip of a very large iceberg. Many countries have passed or are considering similar laws. Brazil, for instance, has passed its own General Data Protection Law, which comes into force in 2020. Earlier this year, the EU announced tighter security for ID cards, making biometric data mandatory for ID cards. Under this new legislation, documents must include the two fingerprints of the cardholder, stored in a digital format, on a contactless chip.

One thing is clear – the future of digital identity is here. With consumers demanding a solution, and politicians clamoring to address security and data privacy concerns with the appropriate legislation, businesses must be prepared to comply with current and forthcoming privacy laws.

 


Mythbusting the CCPA: Why the New California Consumer Privacy Act Matters to You

In less than 60 days, the California Consumer Privacy Act (CCPA) will take effect. Security and privacy experts say it is the strictest data privacy law in the US and requires protections similar to GDPR. This law grants California residents new rights with respect to personal information collected about them by companies. They have the right to know what information is being collected and to tell a business not to share or sell their personal information.

In addition, CCPA states that consumers have a right to access their information and a right to delete personal information. Businesses must honor consumer requests to access their information at no charge and send that information digitally or via snail mail. The costs for not complying with CCPA are serious and steep.

Non-compliant organizations can be penalized with an array of fees. Government entities can inflict a fine of $7,500 per violation. Consumers receive statutory damages between $1,000 and $3,000 and can file class action lawsuits without showing loss of property or money. In the event of a data breach, consumers can recover damages of $100-$750 per incident. A sizeable breach of tens of thousands of customers can add up quickly and run into the millions.

As this law goes into effect on January 1, 2020, you may have some misinformation about some key aspects of the law and its impact on businesses around the globe. We want to let you know the #facts and bust some myths that might be giving you a false sense of security.

 

Myth #1: My business isn’t located in California; therefore, I’m exempt.

While CCPA only applies to California residents, it includes companies that have California customers. These regulations are expected to apply to more than 500,000 U.S. businesses. If your company receives personal data from California residents AND if it—or the parent company or a subsidiary—meets one of these three criteria, you must comply with CCPA regulations:

  • Your business collects personal information on 50,000 or more California residents, households or devices
  • 50% or more of your annual revenue comes from selling information on California residents
  • Your annual gross revenues exceed $25 million

Myth #2: I don’t keep sensitive data on my customers; therefore, I’m exempt.

CCPA isn’t limited to social security numbers or other Personally Identifiable Information (PII). Personal information is much broader in scope than most companies might think. It includes identifiers such as a real name, postal address, geolocation data, Internet Protocol address and email address. CCPA also covers records of purchasing or consuming history, browsing and search history, employment and education information, biometric information, as well as audio, visual or thermal information.

It is difficult to imagine a business that doesn’t retain some information on their customers such as an email address or purchase history. Therefore, if you meet one of the three criteria above, you are likely impacted by CCPA.

Myth #3: I already comply with GDPR so I’m covered.

The CCPA’s required privacy policy disclosures are broader than those required by the GDPR. For example, GDPR defines personal data as any information relating to an identified or identifiable person. But CCPA also includes information that is capable of being associated with a specific California resident or household, which makes the breadth of data that your business must be prepared to disclose greater than under GDPR. Additionally, CCPA requires your business to disclose whether it sells personal data and a description of third parties receiving that data. This privacy policy must be kept current, updated annually and cover the activities of the previous 12 months.

Another way CCPA goes beyond GDPR is how it defines “sale” – under the California regulation, it’s any form of disclosure, in any format, to any other third party in exchange for money or other valuable consideration. Consumers have the right to opt out of such sales with no repercussions. “Other valuable consideration” could arguably include providing your data to an analytics service for your own benefit, as that is valuable business intelligence.

On a more positive note, CCPA gives businesses up to 45 days – 15 days longer than GDPR – to verify the identity of requesting individuals and respond to disclosure requests, and California residents can only make two requests every 12 months.

Myth #4: I don’t need any tools to help me with CCPA compliance.

As noted above, businesses need to verify the identity of the person requesting the data. Your business can only supply personal data if it is a verifiable request. The fact that there are 40 million residents in California, dozens of large-scale data breaches, account takeover fraud and a disturbingly growing trend of synthetic ID fraud means that your business needs to work with a company that can quickly, securely and seamlessly verify the identity of your customers. You don’t want to disclose personal information to a fraudster in an effort to comply with CCPA.

Acuant technology is designed to protect Personally Identifiable Information (PII) and addresses data privacy. We have a solution for every use case and problem you want to solve when it comes to identity verification. With Acuant, you can enhance security, prevent fraud and meet regulations – including CCPA and GDPR. All workflows are privacy minded, using encryption in the cloud with no images or data being stored.

 


Gun Control: Current Purchasing Process and Technology’s Role

The topic of gun control is making headline news more and more consistently. With recent tragic events and ongoing gun control law battles, one might start to question and research what laws currently exist around purchasing a firearm today and what that process looks like.

When a customer buys a firearm from a Federal Firearm Licensed Dealer, they have to fill out government forms like ATF Form 4473, from the Bureau of Alcohol, Tobacco, Firearms and Explosives. ATF Form 4473 requires customers to fill out personally identifying information like names, addresses, and dates of birth. Customers also have to include information from valid government-issued photo IDs, like a driver’s license that includes their current address. A National Instant Criminal Background Check System (NICS) background check transaction number is required as well. This background check determines whether a prospective firearms or explosives buyer’s name and birth year match those of a person who is not eligible to buy.

Firearms sellers rely on customers to fill out forms accurately, since they have to keep a log of all purchases. The ATF can inspect purchase logs, and lying on federal forms for a firearms purchase can result in a felony. Incorrectly filling out forms for a firearms purchase can result in severe consequences for the buyer and the seller, so it is imperative that the information gathered is accurate.

Intelligent data capture and identity verification can help to reduce fraud and errors in the firearms transaction process. Our recent partnership with ITouch Technology, a developer of multimedia technology for the hunting and fishing sports industry, has created a self-service kiosk solution that enables electronic capture of a customer’s identification for use in processing the ATF Form 4473 and NICS background checks. ITouch Technology’s kiosk application has been developed for use by federally licensed firearms dealers, and offers Acuant’s solution for accurate identification capture and information gathering.

Instead of manually filling out forms, Acuant’s software gathers data from government-issued IDs and auto-populates the information into government-approved forms. Filling out forms manually can often result in inaccuracies, which can cause problems for buyers, sellers, and the ATF. Intelligent data capture guarantees accuracy.

Sporting goods retailers that sell hunting and fishing licenses can also benefit from intelligent data capture solutions. Instead of filling out applications with a retail employee, customers can apply for a license at a self-service kiosk. Customers can scan their IDs at the ITouch Technology self-service kiosk. Acuant’s solution will verify the customer’s identity while automatically filling out a license application with information gathered from the ID. This solution eliminates errors while the verification element ensures the person’s identity.

Purchasing a firearm is a serious matter, and irrespective of current federal regulations, it is clear that technology solutions can play a positive role in the current process.