How Could CCPA Impact Chargebacks?
- November 6, 2019
New legislation is changing the way businesses handle consumers’ personal information. While the policy’s intentions are good, certain features of the California Consumer Privacy Act (CCPA) could negatively affect your chargeback management strategy.
A High-Level Overview of CCPA
WHAT is CCPA? CCPA stands for California Consumer Privacy Act. The legislation grants Californians new rights, and it regulates how businesses handle personal information.
Some of the law’s features that will most likely impact chargebacks include the following:
- The business has to tell its consumers what personal information will be collected and how that information will be used.
- When asked, a business has to be able to tell the consumer what information it has on file.
- If the customer asks the business to delete the information that’s been collected and stored, the business must comply.
WHEN does CCPA go into effect? CCPA is expected to take effect on January 1, 2020.
WHO needs to comply with CCPA? Businesses that sell to Californians and have at least one of the following characteristics will need to follow new CCPA rules:
- Gross annual revenue is $25 million or higher
- Personal information is collected from 50,000 or more consumers, households, or devices
- The sale of personal information accounts for 50% or more of the business’s annual revenue
What Impact Could CCPA Have on Chargeback Management?
Unfortunately, some issues won’t be fully understood until after CCPA takes effect. However, a few observations can already be made. The four biggest concerns, in order, are requests to know, the right to delete, the effect on prevention alerts, and the effect on data-driven fraud detection.
One of the requirements of CCPA relates to “requests to know.” CCPA grants consumers the right to know what information businesses have collected and stored. If a verified customer asks, the business has to expose the data that’s on file.
Fraudsters could use this rule to unlawfully gain access to other people’s information.
For example, a security expert conducted an experiment to test a similar requirement in Europe’s GDPR (General Data Protection Regulation). He reached out to several businesses and tested how they would handle a “right to access” request made in someone else’s name.
One in four businesses handed over personal information without verifying the request.
Through the experiment, the security expert was able to obtain the following information about his fiancée: her high school grades, her mother’s maiden name, her credit card information, several years’ worth of travel details, her account logins and passwords, her past shopping history, her social security number, and much more — a total of 60 distinct pieces of personal information.
Even if your business has a stringent verification process and rigidly follows it, other businesses won’t necessarily do the same.
If inattentive merchants make it easy for fraudsters to access personal information, you could receive more unauthorized purchases — and the resulting chargebacks.
CCPA also includes a “right to delete” requirement. When verified consumers ask, you must delete all personal information you have on file.
California law defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That includes, but is not limited to, the following pieces of information:
- IP address
- Telephone number
- Email address
- Bank account number
- Credit or debit card number
- Records of products and services purchased or considered
- Usage logs
- Browsing history
- Social security number
- Driver’s license number
- Passport number
- Biometric information
- Physical characteristics
- Medical or health information
- Geolocation data
- Education information
- Employment-related information
- Any inferences drawn about preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes
To fight a chargeback, you need compelling evidence. Compelling evidence is information you can use to prove the validity of the original transaction or contradict the chargeback. But most forms of compelling evidence are also personal information.
Consider a hypothetical scenario:
Jon Jones signed up for a subscription to your online music streaming service. He enjoyed the tunes for months before deciding it was a luxury he couldn’t afford. He planned to cancel before his card was charged again, but he forgot. Regretting the extra expense, Jon decides to commit friendly fraud — but he takes it to the next level.
First, he calls and exercises his rights under CCPA. He wants you to delete all his personal information that you have on file. This includes his name, credit card information, streaming history, and much more.
Then, he calls the bank and disputes the latest bill. Jon falsely claims he cancelled his subscription, but you charged him anyway.
You receive the chargeback and suspect friendly fraud. Under normal circumstances, you’d fight back. But when you try to look up the order in your system, there is nothing there. You can’t even match the chargeback to a purchase, let alone gather any compelling evidence.
You have to simply accept the chargeback as a loss.
Chargeback prevention alerts help merchants and banks communicate in various ways to resolve payment disputes. This collaboration can help prevent chargebacks from happening.
However, CCPA could reduce the effectiveness of these tools. If consumers ask to have personal information deleted, you probably won’t have the insight you need to resolve their potential problems.
Consider a hypothetical scenario:
When it comes to online safety, Mary Manning is hypervigilant. She has fully embraced CCPA because she thinks it is a surefire way to protect her personal information.
After every online purchase, Mary calls the business and asks to have her personal information deleted. She thinks the less information businesses have, the better.
One day, Mary buys a pair of shoes from your store — the heels are a gift for her daughter. After placing the order online, Mary demands you delete all her information. A month later, Mary inspects her credit card bill and finds a purchase she doesn’t recognize. Because the shoes she bought from you were a gift for someone else, she has forgotten about them. Panicked, Mary calls the bank and claims she was a victim of fraud.
Mary’s bank is part of a prevention alert network. When the dispute comes in, the bank sends off an alert. Under normal circumstances, you’d easily be able to resolve the issue without a chargeback. But since all of Mary’s order information is gone, you can’t explain what she bought. You can’t even offer her a refund!
The most successful fraud and chargeback management strategies are data-driven.
For example, many fraud detection tools gather massive amounts of data from every transaction processed and analyze the information. The goal is to identify characteristics that are common in cases of fraud. Then, if future transactions follow those same patterns, they are flagged as high risk.
However, these strategies are only effective if they are based on complete data sets. If information is missing, conclusions won’t be accurate.
Consider a hypothetical scenario:
Paul Peterson really likes the name-brand purses you sell. A few months ago, he bought some stolen credit card numbers and used them to buy a bunch of your purses. He enjoyed how easy it was to turn around and sell them for cash.
But after fooling you once, Paul has had a really hard time fooling you again — your fraud detection tool is just too good!
But now, Paul thinks he can use CCPA to his advantage. He can get around your fraud filters without nearly as much effort. All he has to do is ask you to delete his personal information after each fraudulent purchase. Then you won’t recognize things like his IP address or shipping address because there will be no past activity to compare them to. There will be no way to connect his new fraud to his old, red-flagged purchases.
The more holes you have in your data, the less reliable your data-driven decisions will be.
What Does This All Mean?
Does this mean CCPA will cause you to lose hundreds of thousands of dollars to chargebacks? No. Are chargeback management tools worthless? No. Should you just give up and accept chargebacks as a loss? No.
Any policy change could potentially impact your business—whether the new expectations come from the Federal Trade Commission, card brands, or a state law. But the results won’t necessarily be negative or impossible to manage.
There are ways to minimize the effect CCPA has on your business. If you’ve read this article, you’ve already completed the first two phases:
- Understand what has been proposed.
- Recognize what could change.
Now, be sure to complete the last two steps:
- Comply with what you are being asked to do.
- Adapt and optimize.
At Midigator®, we believe the challenges of running a business should be delivering great products or services, not managing payment risk.
You shouldn’t have to worry about how CCPA may or may not impact your business. Let Midigator remove all those complexities so you can get back to doing what you do best — growing your business.
Sign up for a demo today.