Three States Lead the Way in Consumer Privacy Protections

The United States is unique among industrialized nations in that it does not have a national law assuring consumer privacy rights. In due time we expect there will be a national law. but for now individual states are taking the initiative. Three states, California, Colorado, and Virginia, have passed consumer privacy laws. States that have privacy laws under active consideration include Massachusetts, North Carolina, New Jersey, Ohio, and Pennsylvania.

While these laws differ in detail, they are all broadly modeled after the General Data Protection Regulation (GDPR) enacted by the European Union. Understanding these laws is important because contact center agents frequently solicit new business and accept applications. Depending on the purpose, application forms can request highly detailed personal information. It is not a violation of international or state laws to collect consumer information, but it is essential that there be a sound business purpose for collecting this data, that it be treated with the utmost security, and that consumers understand that they have the right to verify and challenge the information.

The terms controller and processor are frequently referenced in state privacy legislation. They are derived from the GDPR, which governs privacy rules in the European Union and is the foundational document for state laws and privacy laws in non-EU countries. Controller ;means the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. Processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. An organization can act both as a controller and processor, which is typically the case with contact centers.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act went into effect Jan. 1, 2020, with enforcement beginning six months later. The CCPA confers specific privacy rights to California residents and establishes obligations on the part of businesses that deal with consumer information.

The CCPA is aimed at for-profit entities that collect or receive personal information from California residents and meet one or more of these criteria: (a) Have annual gross revenue that exceeds $25 million (b) Annually receive, buy, sell, or share, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households or (c) 50 percent or more of their annual revenue is derived from the sale of personal information about California consumers. Personal information includes virtually any type of information that can be traced back to a specific individual. The definition of sell is very broad. It includes disclosing, disseminating, making available, or transferring personal data and more. Transferring consumer data from a covered entity to a subsidiary that is not covered under the law is considered a sale and is therefore prohibited under the CCPA. Since it does not matter where the business is headquartered, the impact of CCPA extends beyond the borders of California.

Civil penalties range from $2,500 per violation or $7,500 per each intentional violation. There is no maximum for multiple violations.

Consumer rights and business obligations:

  • Consumers have the right to request that a business that collects personal information disclose the categories of sources from which that information was collected and the business purpose for collecting or reselling the information.
  • Upon request, a controller that collects personal information must delete that personal information and the business must generally comply, unless the information is essential for conducting business with the customer.
  • A business that collects consumers' personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
  • A business that sells personal information to third parties must notify consumers that the information could be sold, and the consumer has the right to opt out of the sale.
  • A business is required to create a separate "Do Not Sell My Personal Information" web page with a clear and conspicuous link from its homepage that informs California consumers that they can opt out of the sale of their personal information.
  • Consumers have the right to obtain their personal information in a format that allows them to transmit it to another organization.
  • Consumers have a private right of action that allows them to seek statutory or actual damages if their sensitive personal information is subject to unauthorized access, theft, or disclosure as a result of businesses' failure to implement and maintain required reasonable security measures.

The Virginia Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act was signed into law March 2, and goes into effect Jan. 1, 2023. Personal data is defined as "any information that is linked or reasonably linkable to an identified or identifiable natural person." It does not include de-identified data or publicly available information. The CDPA applies to "persons that conduct business in the commonwealth or produce products or services that are targeted to residents of the commonwealth and that during a calendar year, control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data." The penalty is up to $7,500 for each violation.

Consumer rights and business obligations:

  • Consumers may request that inaccurate information be deleted.
  • Consumers may obtain a copy of personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another organization.
  • Consumers may choose to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling.
  • A controller shall respond to the consumer without undue delay. If the controller declines to act he must notify the consumer and provide justification within 45 days.
  • A controller shall establish a process for a consumer to appeal the controller's refusal to act on a request within a reasonable period of time after the consumer's receipt of the decision.
  • Consent is required to process sensitive data.

Colorado Privacy Act (CPA)

On July 7, Colorado became the third state to pass comprehensive consumer privacy legislation, following California and Virginia. The Colorado act becomes effective July 1, 2023. It applies to businesses that process the personal data of 25,000 consumers in Colorado and receive any revenue or discount from the sale of data. Personal data explicitly excludes any de-identified data or publicly available information. Civil penalties are capped at not more than $2,000 per violation and not more than $500,000 total for any related series of violations.>

Consumer rights and business obligations:

  • The right to confirm whether a controller is processing his/her personal data and to access that data.
  • The right to correct inaccuracies in personal data.
  • The right to delete personal data concerning the consumer.
  • The right to obtain personal data in a portable and, to the extent technically feasible, readily usable format and transmit the data to another entity without hindrance.
  • Businesses collecting or processing personal information must provide an accessible and clear privacy notice.
  • Businesses must specify the express purposes for which personal data is collected and processed.
  • Affirmative consent must be secured before collecting and otherwise processing sensitive data.

In the absence of comprehensive federal privacy legislation, states have seized the initiative. As the number of states enacting their own laws increases, pressure on Congress to enact nationwide guidance also grows. At this time, the Consumer Online Privacy Act (COPRA) is the only federal privacy bill working its way through Congress. The purposes of COPRA are to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.

Here are some suggested actions to help assure compliance with current and future privacy laws:

  • Include compliance in agent training programs.
  • Include compliance in quality monitoring evaluations.
  • Discourage agents from requesting personally identifiable information during the course of conversation unless you have the customer's authorization on file or the information is essential to the conduct of the business.
  • The contact center recording and quality monitoring apparatus should be able to detect possible violations during the course of an interaction. A superior solution will trigger alerts to agents if they need to provide disclosures or if there is risk of securing private information without the consent of the customer.
  • Recording and analytics should go hand in hand. Artificial intelligence-infused analytics should be able to detect patterns and possible causes for compliance exposures.
  • Extend recording to departments and individuals beyond the contact center that customarily interact with consumers regarding matters that could impact privacy. Examples include loan officers, collectors, inside sales personnel, and human resources departments.
  • Work closely with your compliance department or officer to help assure that contact center compliance is harmonious with company policies and initiatives.

Dick Bucci is principal analyst at Pelorus Associates.