At what point does collecting and sharing personal information intrude on an individual’s privacy?
By now just about everyone has heard of Cambridge Analytica. This is the formerly obscure British company that mined 87 million Facebook accounts to develop information that was used for political advantage. Public outrage over what The New York Times described as “Facebook’s lax management” resulted in the typically dressed down Facebook CEO Mark Zuckerberg attired as a Wall Street banker while explaining Facebook’s privacy policy before a congressional committee. Data privacy is very important to the American public, although it might not seem that way given the level of personal detail people freely share on their Facebook pages. Results from a recent study of more than 36,000 consumers across 18 countries, sponsored by Verint Systems and conducted by UK-based Opinium Research LLC, shows that consumers are conflicted over how businesses balance personalization and privacy. (See the Table below.)
Companies know that personalization is a winning marketing strategy. But for that strategy to work, the organization needs to know as much as possible about their customers. By assembling disparate pieces of metadata, skilled marketers can develop products and craft messages specifically tailored to target customers. Most people are OK with the notion of vendors giving them what they want—but only up to a point. Ever conscious of the well-publicized security breaches of confidential information, there is a growing discomfort with the care businesses exercise over their personal information. According to Pew Research Center’s national survey of 1,040 adults in the spring of 2016, 64% of Americans have personally experienced a major data breach. In a stunning breach at credit-reporting firm Equifax, criminals accessed the personal information of up to 143 million Americans—roughly 44% of the U.S. population.
Contact Centers Caught in the Middle of the Privacy Debate
Contact centers can find themselves in the middle of this personalization versus privacy debate. We record customers’ calls. We have records of their contacts over time. We know what they bought and why, and we think we know why they didn’t buy. We rarely secure their express authorization before we collect the raw data that empowers advanced analytics. While there is no need to seek the customer’s permission to collect and maintain necessary information for business transactions, at what point does the collection and sharing of personal information cross the mark and intrude on an individual’s privacy?
Privacy Laws in the USA
The United States lacks a comprehensive and clearly defined set of standards about what constitutes personally identifiable information (PII) and how it can be collected, processed and used. This means contact centers must rely on a patchwork of federal and state laws, as well as regulations and industry standards.
Those most directly applicable to the contact center are:
- Payment Card Industry Data Security Standard (PCI-DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Fair Debt Collection Practices Act (FDCPA)
- Telemarketing Sales Rule (TSR)
- Electronic Communications Privacy Act (ECPA)
- Consent to Record
Two pieces of federal privacy legislation are currently winding their way through Congress. On the Senate side, the Consumer Privacy Protection Act of 2017 defines ‘‘sensitive personally identifiable information” to include virtually any information in electronic or digital form that identifies or could be used to identify a particular person. The bill goes on to define PII to include Social Security numbers, driver’s license numbers, financial account numbers, email addresses, biometric data and other identifiers.
Enter the General Data Protection Regulation (GDPR)
While the USA has struggled with the issue of data privacy, member states of the European Union, as well as the United Kingdom, have tackled the issue head-on and produced the General Data Protection Regulation (GDPR) that could well serve as a template for the United States. The GDPR has three main objectives:
- To give people more control over their personal data.
- To consolidate the different regulations, laws and guidelines across European Union member states into a central source.
- To streamline and create a clearer legal environment to improve business opportunities and lessen ambiguity with data sharing.
Personal data is defined very broadly to include any information “relating to an identified or identifiable natural person.” This includes the individual’s name, identification numbers, location data, an online identifier such as email addresses and Twitter handles, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In other words, just about everything. A significant difference from the way U.S. companies secure approval to access personal information is that EU residents must affirmatively “opt in” to share their information. In the U.S., the default position is that users are willing to share some level of information. Their recourse is to take some action such as responding to the legalistic privacy statements sent in the mail or displayed in the far reaches of corporate websites.
Further, individuals have the right to be forgotten. Also known as “Data Erasure,” the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. However, information considered to be a necessary part of business, or required under some other regulatory requirement such as PCI or HIPAA, may be exempted from the need for authorization. This presumably would include such basics as contact information and account records that many times are required for compliance and audit trail purposes. As well, information voluntarily provided, such as telephone numbers as transmitted through caller ID, does not require express permission to be shared.
According to Ryan Hollenbeck, Senior Vice President of Global Marketing and Customer Experience for Verint, “Consumer demands for data privacy, ethical business practices and security are driving the increasing pace and scope of regulatory and compliance demands worldwide. These new regulations affect everything from how organizations engage with customers, to how they process and archive records. To prepare for requirements tied to GDPR and other regulations, organizations must identify and address blind spots and gaps, and maintain the discipline of ongoing compliance. Having the right processes and technology in place is key to protecting their customers, to their brand reputations, and financial security.”
Recordings of telephone conversations are considered personally identifiable information. Contact centers must secure authorization from consumers prior to recording the call. Consumers have the right to request copies of these recordings, as well as other electronic data in a “commonly used machine-readable format.”
Some other key provisions are:
- “Clear and affirmative consent” to the collection and processing of personally identifiable information;
- A right to transfer your data to another service provider;
- The right to know when your data has been hacked (organizations must alert affected users within 72 hours); and
- Privacy policies must be explained in clear and understandable language.
In general, the GDPR shifts the scales in favor of consumers when it comes to the acquisition, processing and application of personally identifiable information. Very significantly, the GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU “if they offer goods or services to, or monitor the behavior of, EU data subjects.” This obviously means that U.S. companies that do business in the European Union, as well as the United Kingdom, must comply with the GDPR or risk penalties that could amount to as much as 4% of the firm’s total worldwide annual revenue. Since it would be very difficult to administer different privacy policies in the U.S. and Europe, it is likely that some companies will adopt the GDPR requirements as a global standard. This will take time. It is estimated that only about 20% of international organizations were ready for GDPR when it became effective on May 25, 2018. Miki Migdal, President of the Enterprise Product Group for NICE, said, “As privacy becomes a customer experience differentiator, and driven by the risk of heavy fines for noncompliance, GDPR is a huge concern for customers worldwide.”
What Are the Implications for Contact Centers?
In conjunction with senior management, contact centers need to structure a privacy policy. This must include clear definitions of what legally and ethically constitutes personally identifiable information. There will be different definitions for different environments. Healthcare providers must comply with HIPAA and virtually every company must comply with privacy provisions of the Telemarketing Sales Rule.
Some suggestions based on my extensive research are:
- Implement a mechanism for communicating the privacy policy to customers and other constituents such as suppliers and employees. The policy statement should be in clear and understandable language.
- In response to GDPR and current U.S. legislative initiatives, develop a plan to encourage customers and others to expressly opt in to share specific personal information.
- Also to comply with the GDPR, you should request and record customer express authorization. If you have this authorization on record, it will continue that way until the consumer requests that it be revoked. Separate authorizations are required for different call purposes.
- Working with your compliance office, try to stay on top of laws and regulations and craft policies and procedures that are consistent with the overall corporate compliance program.
- Periodically train or otherwise inform agents of compliance requirements and include compliance as a performance review objective.
- Supervisors should monitor agents for possible security lapses such as shutting down credit card numbers, repeating numbers out loud for people to hear, or physically removing personally identifiable information via laptops, thumb drives, email or other means.
- When in doubt, encrypt.
- Hardware and software should be capable of recording and reconstructing multichannel communications. It should be quick and easy to retrieve specific interactions. Some laws require that recordings be archived for five or even seven years.
We reached out to several contact center leaders for input to this article. Let me wrap this up with some sage advice from Scott Kendrick, VP of Marketing for CallMiner: “Businesses today have an incredible amount of customer data on their hands that needs to be handled and used responsibly. When used properly and for legitimate business reasons, consumer data provides the key to delivering an optimal experience that saves time for the customer and creates tailored interactions. However, as companies use data to improve customer experience, they must ensure both they and their vendors are protecting consumer information reducing exposure to identity theft and data breaches.”