You thought your contact center had enough problems, having to comply with the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations are shifting the ownership and use rights of consumer data from the collector to the consumer.
In the U.S., the lack of federal regulations has stimulated states to make their own rules, and you can expect the number of regulations to increase over time. About 300 bills dealing with privacy and security are before various legislatures today. As they pass, the regulations will confront contact center management and the enterprise with the need to support varying, conflicting, and confusing regulations.
The Big Apple Takes a Bite
The New York legislature, for example, has worked on a number of privacy-related acts. Most notable is the Stop Hacks and Improve Electronic Data Security Act, or SHIELD (s5575B), which passed in July 2019 and is due for enforcement to begin on March 21, 2020. The law requires companies to ensure they are providing reasonable safeguards to prevent data breaches that put consumer and employee information at risk. It expands the definition of personal or private information to include credit card, biometric, and account login information, besides consumer name and Social Security number.
Two pieces of legislation have died in committee. The first is the New York Privacy Act (NYPA) Data Fiduciary (s5642). Applauded by data privacy advocates, the NYPA would have been a more comprehensive version of the CCPA. NYPA opponents, including industry groups, saw it as a new obstacle to publishers and platforms.
The NYPA had primarily proposed imposing a higher standard of consumer protection on data collection companies. The bill would have given consumers more control over what data could be collected, as well as the right to sue companies directly. This latter provision is known as a private right of action.
This bill introduced the concept of the data fiduciary. As data fiduciaries, companies that collect consumer data must act in the best interest of the consumers, rather than the business as is common today. The bill specified:
“Personal data of consumers shall not be used, processed, or transferred to a third party, unless the consumer provides express and documented consent. Every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, shall exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”
The Health Insurance Portability and Accountability Act (HIPAA), which prohibits the free exchange of patient data between healthcare providers, provided the model for establishing a data fiduciary. The goal in establishing data fiduciaries is to ensure the same level of consumer care as defined in HIPAA. The data fiduciary model creates a different framework than the CCPA or GDPR, neither of which has such a provision.
Despite the NYPA having died in committee, other states may use it as a framework for legislation.
The other New York bill not to make it out of committee was S224, covering consumer protection. This bill would have required companies to provide collected personal data to a consumer upon request. Companies would have to respond to at least one request from each consumer per year.
Nevada Gets into the Act
Nevada businesses have been working under legislation since Senate Bill 220 went into effect on Oct. 1, 2019. The law gives consumers the right to opt out of having personally identifiable information sold by online operators. The law requires website and online services operators to follow the consumer’s direction not to sell their personal data. The Nevada law differs from the CCPA.
SB 220 defines “operators” as those that:
- Operate or own an Internet website or online service for commercial purposes
- Collect and maintain information, covered by the law, from consumers who reside in Nevada and use or visit the Internet website or online service
SB 220 doesn’t apply to entities regulated by the Gramm-Leach-Bliley Act, for financial services, or HIPAA.
The Beginning, Not the End
This is only the beginning of the varied and probably conflicting legislation states will enact. Until the federal government overrides the existing and proposed legislation, contact centers and enterprises will have to evaluate whom they serve and what laws govern the use of their consumer information. Look for a growing number of consultants to fill this space.