Earlier this year, the California Consumer Privacy Act (CCPA) took effect, and will most likely impact your contact center since about 12% of the U.S. population lives in California. The CCPA protects California citizens who reside in and out of the state for travel purposes. There are similar regulations passed by other states and another 300 proposed regulations working their way through state legislatures. Training your contact center agents is a compliance requirement. Poorly trained agents can expose you to CCPA compliance mistakes and subsequent penalties.
What is Required?
Even if your current systems are compliant, you must train your agents at the contact center to comply with the CCPA. The agents may unknowingly create non-compliant situations when a citizen contacts your business about a request or problem. The CCPA doesn’t provide specific employee training requirements that an organization can use to demonstrate compliance with the law.
The CCPA requires agents who handle inquiries about a company’s privacy practices, compliance, or consumer requests to receive training in the CCPA regulations. The training should include explanations to consumers of how they can exercise their CCPA rights. Businesses are required to develop, document, and comply with a CCPA training policy.
Demonstrating Compliance
Record-keeping is part of the compliance requirements. This documentation shouldn’t be used for any other purpose. Businesses must document all CCPA related requests and responses. This record-keeping must include the following:
- The exact date when a consumer initiates a request
- The type of the request such as a record change or deletion
- How the request was made (in person, online, mail, etc.)
- The response date or dates submitting the response
- What happened as a result of the request (complied, denied, partially denied)
- When denied, what was the reason given for denying the request
Record Retention
Your business must retain the signed consumer declarations as part of the consumer request record-keeping obligation. CCPA regulations restrict the use of these records to assessing and improving businesses’ CCPA compliance. Deletion records can also ensure that consumers’ personal information remains erased following a request. The consumer’s documentation can’t be shared with third parties unless there is a legal obligation to disclose the records.
You must retain consumer request records for a minimum of 24 months. The statute of limitations for compliance enforcement could be as long as four years.
Publishing Compliance
Businesses that buy, and receive, sell or share the personal information of more than 10 million consumers in a calendar year for commercial purposes, must also compile annual metrics identifying the number of consumer requests received, complied with, and denied. The company must also report the median or mean number of days it took for the business to respond to each request and, if denied, for what specific reason. This information must then be included in the annual update of the business’s privacy policy or posted on its website by July 1st of each year.
For example, if a business satisfies the threshold requirement in 2020, it must publish the required data by July 1, 2021.
Enter the California Privacy Rights and Enforcement Act (CPRA)
The California Privacy Rights and Enforcement Act of 2020 ballot initiative will appear on the November 2020 general election. If the CPRA is passed, it’s anticipated to become effective on January 1, 2023.
The CPRA also includes considerations regarding additional record-keeping requirements that will be issued by the California Privacy Protection Agency (CCP Agency), a new enforcement agency as part of the CPRA.
You may not be affected by the CCPA or the CPRA in the future. However, many states are watching California when it comes to considering their own legislation. So far, California has been in the forefront, but other states are bound to follow its lead, so you need to prepare rather than wait until some legislation is enacted that affects you.