The evolving US data protection landscape: A timely update

If you are a contact center (or any consumer-facing business) operating in California or Colorado, heads up! Effective July 1, 2023, you can face thousands of dollars in fines for violating data privacy laws in those states.

After a bit of a delay, the brand-new California Privacy Protection Agency (CPPA) began enforcing the provisions of the California Privacy Rights Act (CPRA). The California law is among the most strict out of the gate, as it allows no grace period to correct reported breaches and a fine of up to $7,500 for each violation.

The Colorado Privacy Act (CPA), meanwhile, provides a cure period of 60 days. On the other hand, if you don’t take corrective action, then you can face a whopping fine of up to $20,000 per violation.

In other words, pay attention. In the United States, different states have different laws, and each sector might even have its own standards for data security, depending on the jurisdiction.

While the legislative approach in the US has traditionally not included an expectation of privacy regarding personal data, over 10 states are in the process of implementing new comprehensive and rights-based data protection laws. In addition to the CPRA the CPA coming online, such laws are already in effect in Connecticut and Virginia. As of this writing, the Utah Consumer Privacy Act is slated to go into effect by the end of 2023 and the Montana Consumer Data Privacy Act in October 2024. The Tennessee Information Protection Act and the Iowa Consumer Data Protection Act will do so in 2025, and the Indiana Consumer Data Privacy Act by January 2026. Similar pieces of legislation, the Texas Data Privacy and Security Act and the Florida Digital Bill of Rights, have yet to be signed into law. If they are passed, which is overwhelmingly likely, then they will take legal effect in July 2024.

All the new state laws attempt to standardize the collection and use of consumers’ personal information by imposing similar obligations on businesses regarding transparency and privacy notifications, as well as limiting their ability to process certain kinds of data. Companies in those states must also perform data protection assessments for the information they collect and retain. Like the European GDPR, the new laws explicitly protect the individual’s control over their personal information, including access, correction, deletion, transfer, and the option to block certain uses.

However, there are also some distinct differences among the various state laws:

‘Sensitive personal data’

The first thing to consider is what exactly constitutes “sensitive personal data” that the new laws are intended to protect?

The various states all agree that race, ethnic origin, religion, philosophical beliefs, biometric data, and personal health information fall under the rubric of sensitive personal data. But that’s where it ends.

California has adopted the broadest definition, including items that no other state does, such as ID numbers (SSN, passport, etc.), account and credit card numbers, union membership, and email texts. Virginia and Colorado, on other end of the scale, use the most limited definition of all the states on our list.

Consent

Another aspect of data privacy is consent laws, which can cover voice recordings and data collection. For recordings, US federal law and most states only require one party to a conversation to give consent, but 11 states require all-party consent. Adding to the patchwork quilt of recording laws is the fact that some states require consent to be explicitly stated, whereas other states accept implied consent based on behavior or location.

As for data collection, all the new state laws allow people to opt-out at any time and demand that their personal information (as defined in each state) not be captured by a particular company. Most have an opt-in clause, which requires businesses to obtain consent from individuals before collecting sensitive personal information (or information on known children). Some states also require businesses to recognize and respect automated opt-out preference signals (global privacy controls, such a browser settings and the like).

Enforcement and penalties

Most of the US state data privacy laws do not include a provision providing a private right of action, although a civilian complaint may trigger an investigation. On the other hand, the CPRA allows private individuals to initiate legal action in response to data breaches that compromise their personal data.

As already noted, penalties for violating the various laws differ according to state. Utah and Connecticut, for example, impose a fine of $5,000 per violation; however, Iowa and Utah allow the organization a grace period of 90 and 30 days, respectively, to correct the breach of data privacy. Montana’s 60-day cure period provision, on the other hand, will terminate on April 1, 2026. Tennessee will triple fines for willful or knowing violations of the law, while Colorado caps possible penalties at $500,000.

Future outlook

Tighter data privacy and protection requirements in the US - covering a wider scope of activities and providing more extensive enforcement options - are primarily designed to prevent deceptive business practices, negligence, and fraud. The rapid development of communication technology and channels will make this process even more urgent and critical.

That’s why the immediate forecast is for more US states and jurisdictions to join this trend in the coming months and years. While no federal law governing online privacy has yet been enacted by Congress, a new bill – the American Data Privacy and Protection Act, H.R. 8152 – passed through the House Energy and Commerce Committee nearly without opposition in July 2022. The proposed legislation would standardize and unify protections and corporate obligations, and empower the Federal Trade Commission to issue regulations and enforce compliance.

Stay tuned.

How NICE Compliance Center can help you

NICE Compliance Center reduces complexities and turns regulatory compliance headaches into easy, automated, simplified tasks. It will assist you in dealing with all the rapidly developing changes to global data privacy standards, as we’ve seen most recently in the US market. Whether you are a brick-and-mortar contact center or cloud-based, NICE Compliance Center will keep you in the race and give you peace of mind.

Uncompromising compliance

For effective compliance in the contact center, you need real-time active monitoring, analysis, and agent guidance. You also need to be able to capture, retain, identify, and retrieve every customer interaction in the event of a claimed regulatory breach.

NICE Compliance Center provides it all. It is an end-to-end solution to monitor and manage all your regulatory compliance and policy adherence activities in one place. Powered by the market-leading NICE Engage platform and intelligent analytics, it identifies gaps in compliance and automatically provides real-time notifications to agents, together with tools for taking corrective action.

NICE Compliance Center puts you in control, while improving your contact center’s operational efficiency and the customer experience. It enables you to:

• Comply with multiple regulations: MiFID II, HIPAA, Dodd-Frank Act, FCA, GDPR, PCI-DSS, CCPA/CRPA, PIPEDA, ECPA, PDPA, PDPB, and more.
• Ensure interactions are safely stored and discoverable, including tagging for search and retrieval – one of the most challenging aspects for database compliance.
• Reduce the time and complexity involved in carrying out policy updates, such as changing retention periods.
• Evaluate compliance levels for any team, at any time.

As a result, you’ll see improvement in KPIs like total cost of ownership (TCO) and reduced time to remediate breaches. A proactive approach lowers the risk of regulatory violations, makes it easier to take corrective action, and saves time and resources with more targeted retention. In the event of an audit or data privacy claim, NICE Compliance Center makes it easy to search for all impacted interactions and, if need be, apply playback lock or extraction.

Preemptively spot compliance risks, improve IT efficiency, and keep customers happy with NICE Compliance Center – even when the rules keep changing.