24 Sep, 2019 | 3 min read

California Consumer Privacy Act: Questions to Ask Your IAM Solution Provider

  • Ishara Naotunna
  • Product Marketing Manager - IAM - WSO2

Image credits: Jon Tyson on Unsplash

Privacy regulations are something you cannot escape. Like the sun on a summer’s day. Or taxes. They come in different forms, hefty fines, and long lists of rules and complexity.

Just like any regulation (like we experienced with GDPR before), CCPA has its own set of rules (and confusions). But this blog should help with figuring out what it means and this shows how identity and access management (IAM) can help you solve your regulatory challenges.

Personal data Any information relating to an identified or identifiable natural person (directly or directly) or in particular by reference to an identifier such as a name, an identification number, location data, online identifier or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Data subjects Any identified or identifiable natural person to which the personal data relates to. Any individual who is in California for other than a temporary or transitory purpose, and any individual who is domiciled in California who is outside the State for a temporary or transitory purpose
Privacy rights The right to be informed, to erasure (to be forgotten), access, rectification, restriction of processing, data portability, and object. The right to request disclosure, request deletion, access and data portability, opt-out, and not to be discriminated.

Source: WSO2's webinar on CCPA and IAM

We wrote a couple more resources on CCPA. This article should further help you with figuring out what CCPA is all about and this shows how identity and access management can help you solve your regulatory challengest.

But let’s face it. As a business, it affects one thing and it starts with R.

Reputation. And being in the news for meddling with a user’s privacy is the last thing you need.

You might already have an identity and access management (IAM) solution provider or you are looking for a solution in order to become compliant. Here are the questions that you should ask from your existing or potential IAM solution providers:

How can you help to delete or anonymize user data as per users' requests?

Being able to delete or anonymize user data is a key requirement in CCPA. It’s important that your IAM solution has capabilities in place to do this swiftly so users are able to have their data pseudonymized or deleted at their request. Ideally, their IAM solution should have a tool for anonymization, consent management, and data accessibility such as dashboards/user portals.

What features do you provide to become compliant?

Consent management is a key capability of privacy compliance as it concerns recording, reviewing, and revoking consent of users in a particular system. Users should be able to access their information (Personal Information/PI) within a certain company, such as categories of PI, sources of PI and the purpose of data collected. Your IAM solution should also be able to anonymize or delete user details based on their requests.

What processes or steps do you have in place to become CCPA compliant?

This would be quite simple for your IdP if they already have experience in GDPR compliance. In an ideal scenario, they would have capabilities surrounding consent management, account management, and data processing so consent and user data are effectively managed. If they have case studies of how they’ve helped other companies to become compliant, be sure to ask!

What internal processes do you have in place to become CCPA compliant?

Does the IAM solution provider themselves look for consent among their users? Have their users actively opted-in? Do they have efficient systems to manage consents? Internal examples are usually some of the best indicators.

Considering WSO2 Identity Server for your compliance journey? Read this article to get a complete overview of how we can support you. Few highlights include:

  • We’re already experienced in the compliance game. Our entire platform was made GDPR compliant last year.
  • Our privacy tool kit makes the right to anonymization a piece of cake.
  • Consent management capabilities based on RESTful APIs

You can learn more about our capabilities for regulatory compliance here. Got questions? Let us know.