Now That CCPA Is in Effect, Are You Ready?

Consumers are up in arms about violations of their privacy, and legislators have taken notice. California, a state noted for being out front in both technical and social innovation, is the first to enact comprehensive privacy legislation. The California Consumer Privacy Act (CCPA) went into effect Jan. 1. It confers specific privacy rights on California residents and establishes obligations for businesses that deal with private consumer information.

CCPA seeks to protect and regulate the collection and sharing of personal information. It is aimed specifically at entities that collect or receive personal information from California residents and meet one or more of the following criteria:

  • Has annual gross revenue that exceeds $25 million;
  • Annually receives, buys, sells, or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households; or
  • Derives 50 percent or more of its annual revenue from the sale of personal information about California consumers.

Since it does not matter where the business is headquartered, the impact of CCPA will extend beyond the borders of California.

Key provisions of CCPA include the following:

  • Personal information includes virtually any type of information that can be traced back to a specific individual or household, including address, names of children, ages or dates of birth, religion, telephone number, education, medical condition, Social Security number, debit card, credit card, bank account, payment history, email address, web address, biometric information, and more.
  • Businesses must create separate Do Not Sell My Personal Information web pages with clear and conspicuous links from their homepages that let California consumers know that they can opt out of the sale of their personal information.
  • Consumers have the right to request that businesses that collect personal information disclose to them the types of personal information collected, the sources from which that information was collected, and the business or commercial purpose for collecting or reselling the information.
  • Consumers can request that businesses that collect personal information delete that personal information, and the businesses must generally comply unless the information is essential for conducting business with the customer.
  • Businesses that sell personal information to third parties must notify consumers that their information can be sold and that the consumer has the right to opt out of the sale.
  • The definition of sell is very broad. It includes disclosing, disseminating, making available, transferring personal data, and more. Transferring consumer data from a covered entity to a subsidiary that is not covered under the law is still considered a sale and is therefore prohibited under the CCPA.
  • If there is a security breach of computerized consumer records containing personal data, the organization must notify each individual whose information it maintained. It doesn't matter if the data is maintained in or outside of California.
  • Civil penalties shall not be more than $2,500 for each accidental violation or $7,500 for each intentional violation. There is no maximum for multiple violations. All proceeds from violations will be deposited in the Consumer Privacy Fund.

The CCPA affects contact centers because they frequently collect personal information for both business and market research purposes. While it is not a violation to collect information for legitimate business purposes, there is still the requirement to disclose the categories of information collected and the purposes for collecting it. Contact centers involved in collecting applications for utility services, loans, credit cards, and insurance policies, for example, customarily collect personal information. Scripts should be prepared to include these requirements.

There is a strong international trend toward extending more privacy protection to consumers. California state legislators were inspired by the General Data Protection Regulation (GDPR) adopted in May 2018 by the European Union. The CCPA, while less stringent than GDPR, is setting the tone for other statewide privacy laws. Penalties for non-compliance can be severe, both financially and in terms of corporate reputation. Now is the time to bone up on these laws, devise internal policies to help assure compliance, conduct training with supervisors and agents, and work closely with compliance officers to align contact center practices with overall corporate compliance programs.


Dick Bucci is founder and chief analyst of Pelorus Associates. He can be reached at dbucci@pelorusassoc.com.