Consumer Request Channel
4 hours 41 minutes
Welcome, everyone, to Lesson 8.3.
We are now going to discuss the Consumer Request Channel.
This is how your organization will receive and operationalize all of those consumer requests that you might be receiving, because the residents of California now have the ability to access, delete, and opt out of the sale of their information.
Let's jump right into it:
the learning goals and objectives for Lesson 8.3.
We will review the standard timeline for fulfilling a consumer request.
We will review the various factors to evaluate when designing your own consumer request channel.
Then, item number three:
we will look at different consumer request channel models.
You might recall, in the last lesson, I said we were going to look at real-world examples.
We will be doing that in this lesson here now, and we're also going to in Lesson 8.4.
Let's jump into it.
This is the timeline of your standard consumer request.
Remember, under the CCPA, you have 45 days to respond to an individual's consumer request
once you receive it.
Let's look at the first item there.
You've received your consumer request.
You absolutely need to perform what is called verification exercises. You must be able to verify the identity of the consumer.
Please be aware that there are a growing number of fraudulent consumer requests that bad actors are now submitting to get the personal information of individuals.
Essentially, they're weaponizing the CCPA against the very individuals that it's supposed to protect.
Any consumer request channel needs to have an identity verification mode built into it. There are various ways of ensuring someone's identity, that they are in fact the person that they represent themselves to be.
Feel free to go on to the market and look.
There are some best practices, including getting additional information if need be: phone calls, having them confirm what middle school they grew up at, et cetera.
You're familiar with the security questions.
Moving forward, though,
as the timeline continues, you must be able to begin compiling the information that is requested
or, in the alternative, deleting and opting out of the sale of that information.
You need to pull it off all within the 45 days, because you must return the completed consumer request back to the consumer within those 45 days
or, in the alternative, request that you receive an additional 45 days, but you have to do it within the first window. Alternatively, it would just be a 90-day window.
Please be aware that you do need to, the moment you receive your consumer request, very frankly,
immediately begin addressing the request itself.
There is no specific method of capture that necessarily works for every single company.
No one size fits all.
You basically need to have some general rules to follow.
Your business needs to develop some sort of project management solution or tool.
It doesn't even need to be software, necessarily.
It could just be an internal process, which basically needs patience, coffee, and a spreadsheet. Okay.
You just need to be able to track various items and be able to take them in a way that's organized, because
you're going to be progressing through and receiving multiple requests simultaneously.
I strongly believe it's unlikely that you're going to get one consumer request every quarter or so.
That's not what I'm seeing in the market. And that's not what other privacy professionals are seeing, either.
The number of requests will absolutely drive the type of consumer request channel you build.
Of course, that's dependent upon your type of business model.
There are generally four different types of consumer request channels.
We will introduce you to the first one here now.
The other three are more high-volume consumer requests; we'll address those in Lesson 8.4.
Without further ado,
Example One is simply nothing more than just having an interactive email address.
That works fine.
Statistically, approximately 50% of the businesses out there have little more than just an interactive email address that can receive a consumer request.
There's a 50-50 shot they are using this methodology.
If you look at item two,
they do little more than just build a new email address.
It could be privacy at the name of the business dot com.
Then someone on the receiving end of that email is then able to address the consumer request and make sure it gets satisfied.
They frequently use the inbox for that very email as the ticket management solution,
very low tech, and it's very rudimentary.
The reason that works is, and if you look at item number three, generally businesses who use this type of solution are only receiving less than five consumer requests a month.
If you are getting more than that,
this solution is not going to work for you because you're gonna have too many things to keep track of.
Let me point out, the CCPA requires you to also provide a toll-free number in order to effectuate a CCPA consumer request.
You need to build out the capability to have that toll number line manned.
What we recommend is you have someone trained,
it could be someone in customer service, wherever, to understand the nature of the request.
Then that individual in,
let's go with customer service,
will then email the privacy at business dot com address,
thereby capturing the request and then sending it back to the individual who called in.
Basically, the reason why the toll free number was included was because there was a concern by privacy advocates that seniors and other individuals who are less familiar with technology would not be able to fill out a request online.
If you go to any government website, in fact, it is a great example: try registering to vote in whatever state you live.
You will see that there's a similar mechanism where there's toll-free numbers available.
Concluding Lesson 8.3 here:
Your consumer request channel timeline needs to be appreciated. You cannot ignore it, because if you fall out of the 45-day window, you will be violating the specific obligations that your company has set upon itself because it does business for California residents, therefore exposing you to potential noncompliance with the California Attorney General.
Please make sure you can pull this off within 45 days.
There are various, what we're calling here, low-cost models for fielding and addressing consumer requests.
Make sure that the email address is actually functional, that you tested it out beforehand.
Believe it or not, I had one client who had an email address, but it was never actually viewed by anyone.
It just went into some inbox black hole. So
test it out, please.
The only way you're really going to pull this off if you're doing, again, less than five consumer requests a month is using, as I mentioned there, a lot of patience.
It's going to have to be micromanaged, because you're going to be getting requests from individuals to have their information deleted and/or, in the alternative, they might be asking for opt-outs of the sale of their information or just a general access of information.
That should, ideally, all be captured via email.
You might have to find yourself responding via email to get more information about the nature of the request.
Again, this is why choosing to use an email address is going to require a lot of micro management on your part.
It is therefore strongly recommended to avoid this methodology if you're going to receive any more than five requests.
That summarizes Lesson 8.3, and I will see you in the next lesson, 8.4, as we go through the various consumer request channels that you can use if you are going to be receiving more than five requests a month.
This is high-volume stuff.
That's in the next lesson.
I recommend you tune in for that one.
I'll see you there.