Utility optimizes user experience for self-service data subject requests under CCPA

At a glance

In preparing for CCPA, a utility needed to enable customers to request access to or deletion of their personal data via the company’s website. To ensure that the data subject request (DSR) process offers users the best experience possible, they contacted us.

Customer challenge

The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, grants California residents a series of rights regarding their personal data, including the rights to

• • Request information about the personal data a business has collected about them
• • Access their personal information in a portable format
• • Request deletion of their personal information by the business and by its service providers

(Click here to see the full list of resident rights under CCPA.)

A large utility knew they needed to offer residents the ability to request access to and deletion of their personal data via the company website. The legal and business teams mapped out a flowchart of each DSR process and asked Primitive Logic to design and implement a user experience that aligns with the utility’s reputation for excellent customer service.

Approach and solution

Logic20/20 had successfully completed several projects for this client, including a re-platforming of their 800-page website that incorporated design and UX upgrades. Having first-hand experience with our UX expertise — and knowing of our experience regarding CCPA and other data privacy regulations — they knew we were the right choice for this project.

We met with our client’s business and legal teams to discuss the requirements and parameters of the project, including

• • Categories of requestors
• • Information required to access customer and non-customer records
• • Request fulfillment procedures
• • Format of data reports
• • Request-tracking process
• • Processes for requests received via the call center
• • Processes for canceling requests
• • Limitations on requests

Leveraging the insights gained in these meetings, we designed an experience that enables each category of users to securely submit requests for access or deletion (after verifying their identities), requiring as few screens and as little user input as possible.

We built an interactive sitemap of the entire DSR process featuring wireframes of all required pages. To verify the identity of each requester, we incorporated a two-factor authentication process using verification codes sent to the person’s cell phone (via text message) or email address. We also determined that placing the Request Center screen (where the user selects data report or data deletion) after the validation screens would reduce the total number of screens, since both types of requests require the same two-factor authentication process.

Instead of requiring a separate process for handling call-center requests, we created a new requester category for customer service reps. Our client will add an option for managing consumer privacy requests on the rep’s dashboard, which will allow the rep to take the person’s information verbally and enter a process that mirrors the online self-service experience.

Once we had approval for the sitemap and wireframes, we moved into the user interface design stage, creating desktop and mobile designs for each screen based on our client’s existing styles and templates.

With the user interface design in place, we proceeded with a fully responsive implementation of the new features, incorporating both desktop and mobile functions in a single code base. We also provided the client with analytical functions on the back end, allowing them to track the number of customers who submit requests for data access and deletion.

Value and benefits - “the wins”

When the project was complete, our client had an optimized, responsive user experience that not only meets their customers’ high expectations, but also provides room to grow should they need to add more content — or should changes be needed to comply with future data privacy regulations.