January of 2020 begins the California Consumer Privacy Act (CCPA) and without a doubt, it will change the compliance landscape permanently. While CCPA has been called America’s GDPR, it’s by no means a rubber stamp of Europe’s largest data act. Undoubtedly organizations that thrive on customer data are now on notice — legislation safeguarding customer data is on the rise.
Why Is There a CCPA?
The recent rash of catastrophic data breaches has made consumers wary of data collection in general. Facebook and Google have also made generous contributions to public distrust. That leads us to California, a land where many new laws get the old trial balloon.
There’s a good reason the Golden State is the launch site for so much legislation. California’s population simmers just under 40 million, larger than many countries. When California adopts a law, the nation often follows. The real compliance issue for any business here is how likely they are to collect personal data from a California resident—it’s almost impossible not to. And right to the point, so much of that data comes from millions and millions of phone calls.
Are You Subject to CCPA?
If you’re reading this blog, you’re wondering how CCPA will affect the calls you record every day. Your first step is to find out if your organization will fall under CCPA in the first place. Here’s a CCPA qualification checklist:
- Is your annual gross revenue in excess of $25 million?
- Does your company collect, share, or sell customer information in excess of 50,000 individuals?
- Are at least 50% of your company’s yearly earnings from selling customer data?
Just one of those bullets puts any company doing business in or with Californians in the CCPA crosshairs. Like GDPR, CCPA is comprehensive and penetrates many common company data practices. For many, sweeping changes are about to fall on their privacy practices.
New Regulations: What Does CCPA Change?
CCPA is consumer-centered and gives Californians these (and other) rights:
- Consumers in California have the right to know what personal data a business has collected
- They’re entitled to know if and to whom their personal data has been sold or revealed
- A consumer can demand a business discontinue sharing their personal data
- They have the right to access personal data collected by a business
- The consumer must receive the same pricing and services whether or not they’ve exercised any of their CCPA rights
Is My Call Recording CCPA Compliant?
That depends on your data collection policy and practices. Gaining customer consent is (hopefully) already part of your agent phone practices, but as noted above the consumer has the right to know not only what you’ve collected on them, but also to deny the sharing of it. Having a call transcript to accompany the recording is vital for your protection if and when a CCPA right becomes an issue for your enterprise. You’ll need to know exactly where you collected every piece of customer information from.
Consent Is Key
When updating your phone scripts for CCPA, you’ll want to make sure that the recorded call contains clear and informed consent from your customers. For a long time, bundled consent has been used to collect swaths of data with a single instance of consent. This is true of call recordings and document requests alike. CCPA call compliance requires more than bundled consent. Perhaps it will be awkward at times, but you may need to prompt consumers for multiple forms of consent during a call. On the bright side, this is where call recording and having an automatic, accurate transcript protects you immensely.
You may even have a bit of a headstart on CCPA requirements as there’s quite a bit of overlap with GDPR. However, these two acts are not interchangeable. Most notably they differ on the very definition of personal data. CCPA’s definition is:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or is reasonably linked, directly or indirectly, with a particular consumer or household.
The Risks of Compliance Failure
January 2020 is the date your business needs to be ready for CCPA call compliance and to be sure, non-compliance is costly. Not only can consumers file civil actions against a company for CCPA violations, but the state of California can also as well. The CCPA gives citizens the right to bring a civil action against companies that violate the law and stipulates that damages run between $100 and $750—or higher when more damage is evident. Plus, the state can bring charges against a company directly, levying a $7,500 fine for each alleged violation not addressed within 30 days. Ouch.
Prepping for CCPA Call Compliance
Step 1: Train Your Call Agents
Maybe that seems obvious, but it needs a mention. Your greatest line of defense is a compliance-savvy staff. Talking about compliance has its place in training new employees. However, showing your agents how a properly executed call goes speaks volumes to them. Make training and QA one thing. When you score an agent on their call performance, take the opportunity to use your recordings. Hoping that your call agents learn all the ins and outs of compliance laws is unrealistic. CCPA has already been amended and it’s not even enacted yet. However, showing your employees a call that checks every box—identification, disclosure, consent, etc. teaches faster and more effectively than that PowerPoint they yawned through.
Step 2: Leverage Your Existing PCI Compliance Practices
There’s more to CCPA call compliance than just knowing where your data came from. IAPP notes that a consumer’s non-encrypted or non-redacted personal information stolen or disclosed as a result of the business’s failure to maintain reasonable security permits the consumer to sue the company for damages up to $750 per incident. Courts can tack on more damages if they deem it appropriate.
If your call center took only 50 calls a day it would still be a full-time job to comb through every recording and transcript to redact personal information. Using a call recording platform that employs AI to automatically perform PCI DSS masking of personal information is crucial. That platform also needs to encrypt call data to be considered reasonably secure. This area of compliance is where Cloud recording really takes the cake. Our modern Cloud was built on encryption practices that protect data from theft by making it unusable to would-be thieves.
Step 3: Armor Your Company with Transcripts
No one wants to go to court, but we all have lawyers for a reason. When the state can sue you, would you rather prevent, or just react? Make sure you have complete, redacted, and accurate transcripts of your customer conversations. Those transcripts can be your best defense in a dispute. They document compliance along with your recordings and they allow you to rapidly locate areas of concern. Your call recording platform becomes vital during the remediation process. Fundamentally, that platform should easily allow you to look at employee performance to see if your staff is following updated policies.
CCPA goes live in January 2020. Reach out today and talk to us about your compliance needs and let us help you get compliant for more than just CCPA.
Brian is a freelance technology writer and media editor based out of Central New Jersey. He’s logged 20 years of experience in the Telecom industry and side-hustles in the record industry. Brian started his career in technology at a company that made analog modems. He migrated to a marketing career in the call recording industry where he learned exactly how and why calls are monitored for quality assurance. These days Brian fuses his skills together to deliver his researched observations about telephony and compliance laws in polished articles and videos. He’s also composed the music for a long list of big Hollywood trailers. He does not miss the sound of analog modems but he is endlessly fascinated with phones.