If your company does business domestically, some of your customers are very likely from California, which as the largest state accounts for 12% of the U.S. population, according to U.S. Census Bureau data. That means there’s a good chance your company has California citizen data, and you need to be abiding by the California Consumer Privacy Act (CCPA).
CCPA creates new rights allowing individuals to control access to, deletion of, and sharing of their personal information collected by businesses. The CCPA, which also provides compliance guidance for businesses, took effect on Jan. 1, having been signed into law in June 2018. The California attorney general can begin taking enforcement action under the CCPA on July 1.
Watchpoints for the Contact Center
By now you have implemented software, processes, and procedures to protect your customer databases. The advent of the CCPA adds a new set of functions and responsibilities. You will have to implement new processes and procedures to comply with the CCPA customer-defined rights, and the contact center is the likely place for implementation. This means not only adding in new software but also conducting more training for the contact center agents.
Specifically, the CCPA allows California consumers the right to:
- Know and access personal information that is collected, processed, used, shared, or sold
- Delete personal information stored by businesses and service providers
- Opt out of the sale of their personal information
- Act without discrimination on price or service when exercising any of the above
Businesses Subject to CCPA
Your California-located business may be subject to the CCPA if it:
- Has more than $25 million in gross annual revenue
- Buys, receives, processes, distributes, or sells the personal information of 50,000 or more consumers, households, or devices
- Makes 50% or more of annual business revenue from the sale of consumers’ personal information
For businesses located outside of California, the CCPA applies if a company:
- Collects or sells personal information of California residents, defined as any individual who is a permanent resident in the state, even if traveling outside of the state
- Meets one or more of the three criteria above for companies located in California
CCPA Business Obligations & Cost Estimates
Under the CCPA, businesses are obliged to:
- Provide notices to consumers at or before the time of data collection
- Create procedures for responding to consumer opt-out, access, and deletion requests, within specific timeframes
- Identify and verify consumers who initiate requests
- Disclose financial incentives for the retention or sale of personal information, explaining how the information value is calculated and detailing how the incentive is allowed under the CCPA
- Maintain request and response records for 24 months, to demonstrate compliance
To help businesses understand the costs associated with CCPA compliance, Berkeley Economic Advising and Research assessed the impact in a report provided to the attorney general’s office. Based on its analysis of legal, operational, technological, and business costs associated with compliance, Berkeley estimated initial compliance costs depending on business size. As courts review the CCPA legislation, additional costs may emerge, but here are the initial cost estimates:
- $50,000 -- small businesses with fewer than 20 employees
- $100,000 -- medium businesses with 20 to 100 employees
- $450,000 -- businesses with 100 to 500 employees
- $2 million -- enterprises with more than 500 employees
About 75% of California businesses will have to comply with the CCPA, for a total initial compliance cost of $55 billion, according to the Berkeley analysis.
This Isn’t the End
This year is expected to be an active year for consumer privacy laws, with more than 300 cybersecurity- and privacy-related laws proposed within 43 states and Puerto Rico. This issue is also before Congress at the federal level, but little progress has been made. If a federal bill does come to pass, it will probably supersede the state bills. This will add to the confusion for those managing contact centers, and I’d expect court cases and interpretations of the CCPA that will further define the scope and obligations of the law.
One last note: The European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018, specifies similar but not the same compliance mandates (see a comparison here). So, complying with the GDPR helps prepare for doing the same for the CCPA.