If you have never experienced a data breach of your private information, you are likely in the minority. According to the Consumer Protection Bureau, the second-biggest category of consumer complaints in 2017 was fraud and identity theft. Reported consumer losses exceeded $900 million with a median of $420 per claim. Some of the most notable recent security breaches are listed in the table.
Understandably, consumers are up in arms about violations of their privacy and legislators have taken notice. California, a state noted for being out front in both technical and social innovation, is the first to enact comprehensive privacy legislation. The California Consumer Privacy Act (CCPA) will go into effect January 1, 2020. The CCPA confers specific privacy rights to California residents and establishes obligations on the part of businesses that deal with private consumer information.
CCPA seeks to protect and regulate the collection and sharing of “personal information.” It is aimed specifically at for-profit entities that collect or receive personal information from California residents and meet one or more of the following criteria:
- Has annual gross revenue that exceeds U.S. $25 million;
- Annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices or households;
- Derives 50% or more of its annual revenue from the sale of personal information about California consumers.
Since it does not matter where the business is headquartered, the impact of CCPA will extend beyond the borders of California.
Key provisions of CCPA
- Personal information (PI) includes virtually any type of information which can be traced back to a specific individual or household including address, names of children, ages or dates of birth, religion, telephone number, education, medical condition, social security number, debit card, credit card, bank account, payment history, email address, web address, biometric information and more.
- A business is required to create a separate “Do Not Sell My Personal Information” web page, with a clear and conspicuous link from its homepage, that informs California consumers that they may opt out of the sale of their personal information.
- Consumers have the right to request that a business which collects personal information disclose to that consumer the categories of personal information collected, the categories of sources from which that information was collected, and the business or commercial purpose for collecting or reselling the information.
- Consumers may request that a business which collects personal information delete that personal information and the business must generally comply, unless the information is essential for conducting business with the customer.
- A business that sells personal information to third parties must notify consumers that the information may be sold and that the consumer has the right to opt out of the sale.
- The definition of “sell” is very broad. It includes disclosing, disseminating, making available, transferring personal data and more. Transferring consumer data from a covered entity to a subsidiary that is not covered under the law is considered a “sale” and is therefore prohibited under the CCPA.
- If there is a security breach of computerized consumer records containing personal data, the organization must notify each individual whose information it maintained. It doesn’t matter whether the data is maintained inside or outside of California.
- Civil penalties shall not be more than $2,500 per violation or $7,500 per intentional violation. There is no maximum for multiple violations. All proceeds from violations will be deposited in the Consumer Privacy Fund.
CCPA Is Setting the Tone for Other Statewide Privacy Laws
There is a strong international trend toward extending more privacy protection to consumers. California state legislators were inspired by the General Data Protection Regulation (GDPR) adopted May 25th, 2018, by the European Union. The CCPA, while less stringent than GDPR, is setting the tone for other statewide privacy laws. Penalties for noncompliance can be severe both financially and in terms of corporate reputation.
Now is the time to bone up on these laws, devise internal policies to help assure compliance, conduct training with supervisors and agents, and work closely with your compliance officer to align contact center practices with the overall corporate compliance program.
Pelorus Associates specializes in contact center compliance. We have written extensively about Dodd Frank, GDPR, the Truth in Lending Act, The Telephone Consumer Protection Act, PCI-DSS, and many other laws and regulations that impact the contact center. This article is based on a complete reading of the CCPA and research from leading consultants and attorneys. This article is not a legal document.