CCPA Compliance with Privacy Ledger

New consumer data privacy regulations seem to be emerging monthly, at a time when most companies are struggling to keep up with existing legal requirements and growing demands from consumers. Embracing customer privacy is increasingly an indication of a healthy brand, providing consumers the confidence needed to share their personal data. This generates consumer trust and builds brand loyalty, allowing brands to be more competitive through an increased level of service and greater customer lifetime value. A user’s experience around their privacy preferences (dubbed Privacy UX by Gartner) is therefore critical to your bottom line. Gaining consent, in an easy and user-focused manner, is obtainable through a dynamic customer journey complete with adaptive authentication and authorization.

Current State

Currently most companies are addressing the privacy requirements in a very binary manner: prompt the customer/partner/employee with a blanket privacy policy and ask for consent to all or nothing. The trouble is, this does little to build customer confidence and trust in your brand. Consumers, by accepting these policies, grant access to massive amounts of PII data collection, used which is then processed and often shared with 3rd parties and/or monetized.  Less ethical corporations have used technology blockades to sweep this abuse under the rug leveraging the lack of education in the marketplace as well as the limited legal guidelines around privacy laws enforcement. However, that situation is changing and the push toward progressive consent, complete with granular options and intent-based grants is becoming the class standard. 

Privacy laws such as CCPA require brands to inform users of any data collection taking place, categorize data collection by the PII data type, and communicate the intended use of the data. Consumers can then choose to “opt-out” of data sharing or request additional information in the form of access requests. Given the intent behind the laws to educate and inform the users of their data collection and rights, it’s no surprise that legal experts and regulators have expressed concerns with the “all or nothing” blanket approach to privacy policies.

Setting aside legal precedence and guidelines, consumers have also grown weary of unfettered data collection and misuse. There has been a seismic realization within society that one’s identity and personal data belongs to them, not to a data processor or a marketing company. This creates new expectations on a brand to only ask for necessary data AND prompt the consumer for consent to process that data in a privacy-conscious manner. Progressive consent becomes the new progressive profiling, but instead of focusing on marketing data aggregation, it focuses on consumer’s privacy needs. 

Technical Insights 

Progressive brands like Apple are adopting progressive consent solutions and differentiating based on consumer placing privacy preferences at the forefront of the user experience. When third-party applications require use of personal or sensitive data, Apple prompts the end-user in a “just-in-time” manner informing them of the request and providing additional context so that the user can make an informed decision.

Privacy Notice

In the identity space, delegated authorization and identity federation standards like OAuth and OIDC are now more widely adopted and provide consent workflows that allow for more granular and progressive-style disclosure. Companies are leveraging these standards for more than just third-party federation agreements, adding them to all web and mobile apps that they own. OAuth already has a consent model built into its core design that gives consumers the means to explicitly grant consent to specific data or capability.

How then can we utilize this standard to process/store/manage progressive user consent in a way that is compliant with current and proposed privacy regulations, making your applications future-proof?  

Cloudentity’s Approach

Cloudentity Authorization Control Plane (ACP) securely enables company’s API-driven initiatives by adding continuous authorization throughout the application ecosystem. This contextual authorization includes the capability to store and query all user consent grants and revocation as a secure ledger that is cryptographically signed, which we call the “Privacy Ledger”.  

Every time a consumer grants a consent, regardless of whether it’s a part of an OAuth consent screen or a privacy preferences screen, we capture the digital fingerprint of the consumer, the action that was consented to, and all contextual metadata required by regulations. All of these data points are securely stored in the Privacy Ledger in an immutable log for compliance with the auditing requirements set by laws like CCPA and GDPR. The Privacy Ledger can then be accessed directly and displayed to consumers to visualize exactly what they consented to, when they consented to it, and why it was collected, empowering the consumer to take control of their data privacy and building trust and loyalty with the brand.

Additionally, the Privacy Ledger can be accessed by the Data Protection Officer (DPO) or designated individual in charge of privacy in case of an audit or litigation where immutable proof of the consumer consent is required.  

The Privacy Ledger provides a rich set of APIs to fetch consent events in an open standards compliant format. Built to comply with Kantara’s Consent Receipt, the consent preferences are made available in a self-serve UI that can be embedded into the company’s consumer portal. Additionally, we include admin level APIs and dashboards that generate compliance reports for DPOs and CISOs.

Use Cases 

The use cases for Privacy Ledger in conjunction with a progressive consent approach are varied and include:

Consent Records Collection 

As a Data Protection Officer of a company that values privacy, I need the ability to record in a secure and immutable way each action or operation that relates to any consumer consent grants across our applications. These actions may include:  

  • Any OAuth scope grant or revocation performed by the consumer 
  • Any consent grant/revocation performed by the end-user 
  • Expiration of time-based scope/consent grant  

Compliance Reports 

As a Data Protection Officer that values consumer trust, I must be able to generate privacy compliance reports in the event of litigation, audit or internal risk review. I must be able to quickly filter consent data and generate reports based on:  

  • specific data type,  
  • data classification, 
  • privacy jurisdiction, 
  • action that required explicit approval, 
  • subset of consumers or specific consumer   

To meet the current and emerging regulatory standards the report must include : 

  • Who Consented: the name of the individual, or other identifiers (e.g. online username, session-ID, Authentication context, etc.)
  • When They Consented: online records that include a timestamp 
  • What They Were Told at the Time: a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy or other privacy information, including version numbers and dates matching the date consent was given.  
  • How They Consented: Records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form.  
  • Environmental Context: IP address, Device fingerprint, Location etc… 
  • What They Consented to: context of the consent grant (which scope, which consent etc..), context of the data (data classification PII/Sensitive etc..)  
  • Cryptographic Signature: Signature of the audit record to ensure immutability at least at the record level.  

Adhering to privacy standards can be challenging, especially as your applications become more complex with the addition of distributed services, APIs, and serverless resources like AWS Lambda all collecting and passing user data across environments. Ensuring that you’re capturing every consent action alongside contextual information to establish some form of identity is necessary to prove compliance with legislation. Cloudentity’s Privacy Ledger, part of our Authorization Control Plane, can help in capturing all of the necessary information and make it accessible to end-users to comply with disclosure and preference management requirements of the laws.

Interested in learning more? Sign up for a demo today.