Part 1 of the "Compliance Explained to My Friends" series
While the entire world goes into shutdown due to the Corona pandemic, it would be easy to forget about the ongoing privacy concerns that the California Consumer Privacy Act (CCPA) has thrown up in recent months. Indeed, with the CCPA perhaps being the most significant and comprehensive legislation to enter the US data privacy landscape, most contact centers are still concerned about what to do, how to comply, and how to avoid fines.
As a result, in the past three months, I've become somewhat of compliance "celebrity" with customers, partners, and even friends, asking me to explain the intricacies of the California Consumer Privacy Act (CCPA). To make sense of it all, we decided to turn all these questions into a series "Compliance Explained to My Friends" and ask the brightest minds and privacy experts to help us. In this issue, we sat with Lydia de la Torre.
NICE: The contact center is often a maze of regulations with our customers needing to comply with HIPAA, PCI DSS, MIFID II, Dodd-Frank, and more, which all have implications on record-keeping. With CCPA, there is an incentive to minimize data. How does it work for businesses who still need to keep copies?
Prof. de la Torre: First, it is important to mention that some activities are specifically excluded from the scope of CCPA, either because they are regulated by other federal or State data laws or because they are related to compliance with other laws, cooperation with law enforcement, or performed in relation to legitimate interests of the business. For example, CCPA does not apply to activities governed by other laws (including HIPAA, FCRA, GLBA, CalFIPA and the Driver’s Privacy Protection Act). CCPA-related obligations on businesses also do not apply to the extent that they could restrain the business's ability to comply with federal, state, or local laws; a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Therefore, to the extent that record keeping practices are related to records outside of the scope of CCPA or aligned with general legal retention obligations, there should not be an issue under CCPA.
Second, even where the business receives a request to delete, CCPA enables organizations to retain records in certain circumstances. That said, data minimization is incentivized by CCPA both in terms of transfers to service providers (where only the data required to provide the services should be transferred) and in terms of minimizing issues that may arise in the context of responding to a Right to Know request (where businesses may be under obligation to disclose records that they would prefer to not make public if they hold them at the time they received the request.)
NICE: What steps can contact centers take to protect customer data?
Prof. de la Torre: The first step is to know your data. If you do not know what data you hold then you cannot comply with CCPA. Every law-firm is pushing the “data mapping” thing but, quite frankly, if you do not have an automated way to tag your data and find it, you are better off investing in getting one than carrying out a data-mapping exercise that can quickly become obsolete. In the meantime, at least map your ecosystem noting which database connects to which and how they share data at a high level.
Another step is to ensure you have “reasonable” security in place. The legal boundaries over what constitutes or does not constitute “reasonable security” are somewhat undefined, but one good resource of advice from a California perspective is reading the recommendations on the 2016 California Data Breach Report (which includes a call for stronger encryption, multiple-factor authentication). CCPA creates a private right of action for data breaches where certain data is exposed and we are likely to see an increase in class-action litigations related to breaches that could lead to significant settlements.
NICE: What would you suggest best practice when handling 'Right to Deletion' requests?
Prof. de la Torre: I think it's important that organizations understand and follow through, methodically, the necessary steps to ensure complete deletion is carried out. From a CCPA perspective, complete deletion means across all channels and all forms of personal information. This includes:
- erasing the data from backup systems as well as live systems
- informing data subjects as to what will happen to the data about them when the deletion request is fulfilled, including backup systems.
- If the deletion request can be instantly fulfilled but the data will remain within the backup environment for a certain period of time until it is overwritten, best practice would be to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. If the backup data cannot be immediately erased, it must not be used for any other purpose (i.e. the backup should be simply held on the system until it is replaced in line with an established schedule).
NICE: CCPA gives customers the right to access their data, to have their data deleted and to opt-out of allowing a business to sell their data. Do customers need to be authenticated when making requests for access, or deletion?
Prof. de la Torre: Yes, authentication is required but the thresholds of what constitute valid authentication vary. The CCPA sets out some general factors to consider, with specific rules applying to situations where the consumer either holds a password-protected account with the business or not. For accounts which are not password protected, the CCPA sets specific guidelines depending on the type of request, with stricter verification guidelines applying before providing specific information, and no requirements for when customers request to opt-out of sales. As a result, organizations need to consider the following factors when designing their verification processes:
- The type, sensitivity, and value of the personal information they collect and maintain about the consumer.
- The risk of harm to the consumer posed by any unauthorized access or deletion
- The likelihood that fraudulent or malicious actors would seek this personal information (the higher the likelihood, the more stringent the verification process);
- Whether the personal information that is provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests, being spoofed, or fabricated
- The manner in which the business interacts with the consumer; and
- Available technology they can use for verification
NICE: Under what circumstances can a request to access data be denied and still be compliant with CCPA?
Prof. de la Torre: Businesses do not need to disclose a customer's information in situations when they cannot verify the identity of the person making the request. In these cases, they are to inform the customer that it cannot verify their identity. With this said, businesses should never disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, account passwords, or security questions and answers, regardless of the ability to verify the authenticity of the request.
Furthermore, in cases where there is a conflict with federal or state law and a business cannot satisfy a consumer’s request to receive their personal information, the business must inform the requestor and explain why their request is being denied.
NICE: What best practices can you suggest for denying access?
Prof. de la Torre: In situations when you're not required to provide access, and yet have received a request from a consumer to do so, it is good practice to have the below procedures in place in order to satisfy any audits of your organization.
- Have a policy for recording details of the requests received, particularly those made by telephone or in person;
- Check with the requester to make sure the request is clearly understood, which can help avoid later disputes about how the business has interpreted the request; and
- Keep a log of verbal requests.
CTA text: NICE offers a dedicated one-stop-shop solution for CCPA with Compliance Center. Visit us here or schedule a demo.
About Lydia de la Torre: Lydia de la Torre started working in Data Protection in 1997. She has extensive professional experience working on complex EU, US, and international data protection issues in the private sector. She has worked as senior counsel at a major Spanish Law Firm (Garrigues) and as privacy counsel/consultant in the private sector for Fortune 500 companies such as eBay, PayPal, Intuit and HP. Professor de la Torre’s current areas of interest include EU data protection laws and data protection at the local and State level in California. Lydia de la Torre also teaches Comparative Data Protection Law at Santa Clara University and maintains a popular data privacy blog, 'Golden Data' on Medium.
