What Does The CCPA’s CPRA Amendment Mean For Contact Centers?

The California Consumer Privacy Act (CCPA) was recently amended to include the California Privacy Rights Act (CPRA). What does this mean for contact centers that do business in California? 

MiaRec is responsible for hundreds of contact centers in the financial, retail, and government sectors. As a California-based organization, we have to follow CCPA regulations to ensure our customers’ and their workers’ safety.

In this article, we will be exploring what CCPA and its recent amendment, the CPRA, mean for contact centers. You will learn who the CCPA applies to, how to comply, and the serious consequences of not complying. By the end of this article, your contact center will have a solid game plan on how to be CCPA-compliant.  

What Is The California Consumer Privacy Act?

According to the State of California Department of Justice’s Office of The Attorney General, “The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.”  

Personal information is defined as any information that identifies, relates to, or could reasonably be linked to the consumer or their household. This includes but is not limited to, SSINs, internet browsing history, fingerprints, and any information that could be used to know the consumer's preferences and behavior. 

The California Protection Agency states that the CCPA gives California residents ‌the following rights:

• The right to delete personal information businesses have collected from them (subject to some exceptions);
• The right to correct inaccurate personal information that businesses have about them;
• The right to know what personal information businesses have collected about them and how they use and share it;
• The right to opt-out of the sale of their personal information;
• The right to opt-out of the sharing of their personal information for cross-context behavioral advertising;
• The right to limit the use and disclosure of sensitive personal information collected about them; and
• The right to non-discrimination for exercising their CCPA rights

Who Does The CCPA Apply To?

Any for-profit business that does business in California and also fulfills any of the following requirements has to follow the CCPA:

• Have a gross annual revenue of over $25 million;
• Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
• Derive 50% or more of their annual revenue from selling California residents’ personal information.

This means that even if your contact center is located in Oregon (or anywhere else), you would still have to follow the CCPA if you do business with California-based organizations or consumers. 

The CCPA does not apply to non-profits or smaller companies that do not meet the minimum revenue thresholds.

What Is The California Privacy Rights Act? 

In January 2023, the CCPA was amended to include the California Privacy Rights Act (CPRA). The amendment makes it so that companies who are required to follow the CCPA, now also have to extend these rights to current and past workers in California. 

If you have one or more employees working remotely in California, the law would apply to those employees, even if your organization is not based in California. This also includes independent contractors and job applicants. 

The CPRA also expands on what information consumers and workers have a right to access. It makes a distinction between "sensitive personal information" and "personal information". While there is an overlap between what is considered sensitive personal information and personal information, sensitive personal information also includes racial or ethnic origin, religious beliefs, and more.

The CPRA gives consumers and workers additional rights, including: 

• The right to be notified about when and why their data is being collected
• The right to correct inaccurate personal information that a business has about them
• The right to limit the use and disclosure of sensitive personal information collected about them
• The right to opt-out of cross-contextual advertising
• Employees have the right to access an employee privacy policy regarding personal data collection, which should be posted and easily accessible

While the CPRA only applies to organizations who meet the CCPA’s thresholds, it is recommended that you have a CCPA-compliant privacy policy already in place if you are approaching the revenue threshold, since the legislation includes a 12-month lookback period for employee requests.

Why Was The CPRA Added?

The CPRA was approved in November 2020 by California voters. While California is the first state to extend consumer data privacy rights to workers, it likely will not be the last.

Organizations can access increasingly personal information about their workers. Some reports estimate that, by 2025, at least seven out of ten American companies will track employees to measure productivity. In fact, 25% of monitoring tools are already more invasive than they were in 2021.

The Biden administration has commented that they are aware of the increasing invasiveness of worker surveillance, and plans to examine the rise of worker surveillance software. Even if the CCPA does not apply to you, it is very likely more states will be taking their own preventive measures to protect consumer and worker privacy rights. 

What Do I Need To Do To Comply?

In our previous article covering CCPA compliance, we covered a three-step plan for CCPA success: Transcribe. Analyze. Train. This holds true today. 

1. Make Transcripts

You will have to notify customers or workers of your privacy policy for collecting, using, and transferring personal information. You will also have to notify them of their right to request copies, correct, and delete their personal information.

Because this law requires proof of informed consent, your calls need to have clear audio and accurate transcripts. These calls have to be organized and well-documented so that you can easily access call recordings to prove consent as needed. 

2. Use Voice Analytics

Most Voice Analytics solutions offer some degree of additional security. For example, MiaRec has Automatic Data Redaction. Rather than having agents manually pause and resume recording to prevent your customer’s private information from being recorded, Auto Redaction automatically removes sensitive information from call audios and its associated transcripts.

The CPRA has also expanded on what counts as a “breach liability” to include unauthorized access or disclosure of certain data elements (e.g., email addresses, passwords, or security questions). This means that you need to be extra thorough on who has access to what data in your organization.

Some Voice Analytics solutions will have role-based access settings and 256-bit encryption to prevent unauthorized access and tampering. MiaRec also offers Audit Trail Details so that contact centers can track when users are accessing audio files and transcripts.

3. Train Your Call Staff

For your contact center to comply with CCPA, you will need to ask for customer permission to record. You may even have to ask customers multiple times for their constant to record, depending on the call. Your agents need CCPA training so that they know exactly how to request permission to record and when, depending on the call. 

Additional Steps To Accommodate the CPRA Amendment

In addition to this 3-step plan, you need to have processes in place for when people ask to view their personal information. Most organizations will have to respond to worker data privacy requests within 45-90 days. You may be able to deny the request if responding proves “impossible or would involve a disproportionate effort”.

We recommend reviewing your data inventory, third-parties agreements, and privacy policies. You need to know who has access to what data, why, where, when, and how it is being used. 

With the addition of the CPRA, you will be required to post an employee privacy statement and disclose to employees in California what kind of personal information has been collected in the last 12 months. Your employee privacy policy should state how the data will be used, and whether it will be sold or shared at any point.

What Happens If I Do Not Comply?

Beginning July 1st, 2023, the CPRA will be enforced by state regulators. The California Attorney General and the California Privacy Protection Agency (CPPA) will both enforce the CCPA. 

Both entities can charge administrative fines of $2,500 per violation or $7,500 per intentional violation if the victim is under 16 years old. 

Violating the CCPA can be extremely costly. On August 24, 2022, the Attorney General's office announced that a retail cosmetics company would experience its first enforcement action settlement. They had to pay penalties of $1.2 million USD after it allegedly violated the CCPA’s requirement to disclose the sale of personal information, as well as the ability for consumers to opt-out of the sale of their personal information.

Conclusion

You now know how CCPA and its newest CPRA amendment impact your contact center, and what you can do to comply. 

Review your privacy policy with our 1-page checklist on call center efficiency. Discover how you can improve existing processes to accommodate the CPRA amendment. 

MiaRec can help secure your contact center to meet CCPA regulations. To learn more about what MiaRec can do to keep your organization and its workers safe, schedule a call with one of our sales experts.