When it comes to preventing data breaches, compliance with contact center regulations is very important. Perfect compliance cannot guarantee that a breach will never happen, but it is still the best way to prevent one, especially in this day and age.
Keeping up to date with the latest compliance regulations is hard. It is especially tricky for contact center executives, who already have a great deal to keep track of and a heavy workload. In the end, however, it is critical to stay current and fully comply. The consequences of non-compliance in a contact center can be huge: extensive fines, litigation, and a general burden to deal with.
In this blog, we will break down everything you need to know about compliance law, to make things as simple for you as possible.
Types of Contact Center Compliance
It can be complicated to keep track of all of the different kinds of compliance acts and what each one means. Our checklist on TCPA compliance can help ensure that you are following all of the rules. However, if you would like to understand the bigger picture of the different types of compliance, read below to see the different kinds of compliance acts and what your contact center will need to do to stay compliant.
What is the California Consumer Privacy Act (CCPA)
In June of 2018, the state of California passed a consumer privacy act known as AB375. AB375 gives consumers the right to demand two things from any company:
- All information that the company saved on them
- A full list of third parties with whom this information was shared
Furthermore, the law lets consumers sue these companies if the privacy guidelines are violated, even if there is no breach.
Any company with personal data on 50,000+ California residents, and with $25+ million annual revenue, must comply with CCPA. The law is not limited to companies based in California or the US.
Some of the key rights include:
- Companies must disclose any and all personal data they collect from a consumer for business purposes
- Companies must inform consumers about the categories of data collected and how it’s used
- Consumers must be given access to their own data
- Companies must delete any personal data on request. Furthermore, any third-party company that received the data must delete it as well
- The consumer must have the ability to opt-out of the sale of personal data
What is the Telephone Consumer Protection Act (TCPA)
In 2013, the Telephone Consumer Protection Act (TCPA) was passed. The TCPA restricts the use of pre-recorded telemarketing calls and Automated Telephone Dialing Systems (ATDS). It forbids call centers from making outbound sales calls, sending texts, or broadcasting pre-recorded messages without the express consent of the consumer.
What is Call Monitoring Consent
Contact centers often monitor calls for the purposes of training and evaluating employees. However, several state laws in the US (wiretapping law, privacy law, and employment law) require that all parties on the call be notified that the call is being recorded.
- For incoming calls, the caller should be notified before the call is connected
- For outgoing calls, the agent’s script should include the necessary information
What are Robocalls
The Federal Communications Commission (FCC) recently passed a law requiring that callers get written consent (on paper or electronically) to make pre-recorded telemarketing calls or texts to a wireless number.
Some landline and cell service providers offer call-blocking services. Users can choose whether or not to subscribe to this service. The FCC’s ruling allows service providers to block calls as a default.
What is the Fair Debt Collection Practices Act
The Fair Debt Collection Practices Act (FDCPA) was passed in 1977. The FDCPA prohibits contact centers from using threatening or abusive language, or unfair debt collection practices. This applies to almost every kind of consumer debt, including utility payments, auto loans, credit cards, phone bills, etc.
It does not, however, cover business debts.
What is TSR and DNC
The FTC passed legislation called the Telemarketing Sales Rule (TSR). TSR helps protect consumers, and their privacy, from unscrupulous telemarketers. It does this by forcing outbound call centers to meet certain criteria and provide certain information for the convenience of the call’s receiver.
The Two-Second Rule: When the consumer picks up a call, the agent should be available within two seconds; otherwise, a recorded message should play, stating the name and number of the caller.
- Outbound callers may not block their caller ID or use a hidden number
- The consumer should be given at least 15 seconds (4 rings) to answer the phone. Call abandonment may not rise above 3%
- Contact centers may keep recordings of calls for no more than two years
- Telemarketers and other sellers may not send their invoices through utility or mortgage accounts
- Telemarketers need written consent from the consumers before calling with regard to any of the following:
  - appointment reminders
  - updates on prior sales transactions
  - order status notifications
  - recall notifications
- If a business uses automated calls, it must inform the user at the beginning of the message, and provide an option to opt-out
- Consumers may register with the National Do-Not-Call list (DNC). Businesses may not call any consumer registered with the DNC list
What is GDPR
GDPR or General Data Protection Regulation, initiated by the European Union (EU), is a list of rules and regulations to strengthen data protection across the EU and other countries. It replaces the Data Protection Directive (DPD), the UK Data Protection Act, and other similar acts throughout Europe.
The GDPR gives citizens control over how organizations may use their personal data. It allows people to request all data held on them. Furthermore, the individual may order it to be deleted. GDPR applies to any business that stores information on EU residents, even if the business is not located in the EU.
What is the Truth in Lending Act
The Truth in Lending Act (TILA) was passed in 1968. TILA requires contact centers to disclose all information about terms, interest rates, and late fees to their customers.
It was designed to protect consumers in their dealings with lenders, and with creditors. It applies to most kinds of consumer credit, including closed-end credit and open-end credit.
What is the Dodd-Frank Act
The Dodd-Frank Wall Street Reform and Consumer Protection Act is a law that regulates the financial markets and protects consumers. This law requires contact centers to record all phone conversations. Furthermore, the contact centers must save these recordings, with the date and time stamp, in a searchable format.
What is the Sarbanes-Oxley Act
The Sarbanes-Oxley Act was passed in 2002 after the Enron scandal. It is a federal law that protects employees, shareholders, and the public from accounting errors and fraudulent financial practices.
This legislation also requires businesses to assure that recorded calls are not altered or deleted before the mandated timeframe.
What is HIPAA
The Health Insurance Portability and Accountability Act of 1996 was enacted to improve the efficiency and effectiveness of the American health care system. It requires organizations exchanging information for health care transactions to take steps to prevent the flow of personal health information to third parties and to follow national implementation guidelines, including:
- The use of standard electronic transactions and data for certain administrative functions
- Standardizing the medical codes that providers use to report services to insurers
- Creating specific identification numbers for employers (Standard Unique Employer Identifier [EIN]) and for providers (National Provider Identifier [NPI])
- Creating specific identification numbers for health plans and payers (Standard Unique Health Plan Identifiers [HPID])
What is PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by five major credit card companies. It sets the industry standard for organizations that store, process or transmit payment card data. It also outlines a set of standards that contact centers must follow if they process credit card payments.
PCI DSS sets out 12 high-level requirements for merchants and any other businesses that handle payment card data. These companies must do the following:
- Install and maintain a firewall configuration that protects cardholder data
- Encrypt the transmission of cardholder data across open, public networks
- Never use vendor-supplied defaults for system passwords or any security measures
- Protect stored cardholder data
- Always use and maintain up-to-date anti-virus software
- Develop and maintain secure systems and applications
- Restrict the access to cardholder data on a ‘need-to-know’ basis
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor any access to the network’s resources and cardholder data
- Regularly test security systems and processes
- Maintain a company policy that addresses information security
What is the Equal Credit Opportunity Act (ECOA)
The ECOA is intended to give all creditors a fair chance at obtaining a loan, whether they be an auto lender, mortgage company, bank, credit union, credit card issuer, or even a retailer offering a store-branded credit card. It prohibits discrimination based on sex and marital status, race, ethnicity, age, religion, national origin, and other characteristics. This act applies to all telephone interactions in addition to in-person applications.
What is the Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act applies to contact centers and financial institutions that offer consumers financial products or services such as loans, financial or investment advice, or insurance. Covered institutions include check-cashing businesses, mortgage brokers, payday lenders, nonbank lenders, personal property or real estate appraisers, retailers that issue branded credit cards, professional tax preparers, and courier services. The act requires them to explain their information-sharing practices to their borrowers and to give them the option to opt out. It also requires businesses to maintain written documentation of their security protocols.
GLBA states that financial organizations must:
- Ensure the security and confidentiality of customer data
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such data
- Protect against unauthorized access to, or use of, such data that would result in substantial harm or inconvenience to any customer