Data Security Laws

Data Security Laws and How They Affect Your Call Center

Whether your contact center handles sensitive information such as payment credentials, SSNs, and medical history or merely names and phone numbers, data security should be a priority, especially when bringing in new technology vendors or expanding your operations. Depending on your industry and what type of information you handle, different rules and regulations may apply. In determining what exactly you need to do to pass muster, let’s first define the differences between security laws and security standards.

Laws vs. Standards

Security laws are created by government organizations and attempt to keep citizens safe by requiring companies to follow certain guidelines surrounding the accepting, storing, and transmitting of sensitive information, whether analog or digital. It can be difficult to keep track of the various laws and what they mean for your operations, but it’s also vitally important, as a violation could mean legal trouble as well as devastating data breaches affecting you and your customers or clients. Operating a contact center in the 21st century also means you need to be aware of major data security laws in the country you’re based in, as well as any other country in which you do business.

Security standards, meanwhile, are set by non-government entities and are often industry specific. While there may not be legal ramifications to not abiding by security standards, not adhering to their guidelines can still mean big trouble for your contact center. For example, PCI-DSS was created by an alliance of major payment card companies and sets the security standards around payment information privacy. Failure to meet PCI-DSS requirements, in addition to putting you at greater risk of data breaches, can mean having the ability to accept major credit cards revoked and giving your competitors a huge advantage over you.

For more information about PCI-DSS, you can read more on our blog or talk to a Plum representative (our platform has been PCI-DSS compliant since 2013), but for the remainder of this article, we’ll be digging deeper into data security laws: the ones that, if you were to avoid them, would put your company at risk in the legal sphere.


GDPR, or the General Data Protection Regulation, is probably the data security policy that you’ve heard about most frequently in recent years. Implemented in 2016, the regulation applies to any organization that deals with data pertaining to European Union citizens. Notably, this applies not only to EU-based companies, but also to any organization that deals with EU citizen data anywhere in the world. So, for example, even if your call centers are all in the U.S. or Asia, if you have any customers, clients, subscribers, etc. in the EU, you must adhere to the GDPR laws.

When it comes to contact centers and GDPR, the big things to keep in mind are customer consent, transparency, and accessibility. Anytime you store information that can be used to identify a person (such as name, birthdate, location, or even IP address), the customer must be made aware that it is being stored, including in the form of call recordings. You must also allow customers or users to access the data you’re storing about them and delete it if desired. And, should a data breach occur, you are obligated to notify anyone whose data was included.

For a more detailed look at what is included within GDPR regulations, read the ZDNet guide here.

Vertical Laws in the US

There are currently no US laws that are as thorough and sweeping as the GDPR, but there are several industry-specific laws that may pertain to your contact center. Below is a list of some laws that may affect the data you store (or do not store). Please note that this is not a comprehensive list, and you should consult industry publications and your legal teams to stay current with what laws may pertain to you.

  • US Privacy Act of 1974
    If you work for a federal government agency, you have no doubt heard of the US Privacy Act of 1974. This law governs collection, maintenance, use, and dissemination of individuals’ data by federal agencies. However, it has no impact on private industry or online data collection.
  • Gramm-Leach-Bliley Act (GLBA)
    Effective as of 1999, the GLBA deals with the financial sector. The act requires financial institutions to be transparent about their information-sharing practices and to protect non-public personal information.
  • Health Insurance Portability and Accountability Act (HIPAA)
    Whether or not you work in a medical field, you’ve no doubt heard of HIPAA, which governs the privacy of patients’ medical information. If your contact center handles any personal medical information, you must be HIPAA-compliant. Compliant IVRs such as Plum Fuse can help you with this.

Other Relevant Laws in the US

In addition to the federal laws described above, there are a number of state-level laws that may apply to your contact center. For example, as of 2019, all 50 US states have enacted forms of data breach notification laws.

In 2020, California became the first state to create a major privacy rights and consumer protection law with the California Consumer Privacy Act (CCPA). Similar in scope to the GDPR, the CCPA gives California residents the right to know what personal data is being collected and whether that data is sold or disclosed, to say no to the sale of personal data, and to have control over the data being stored. This law applies not only to California-based businesses, but also to any companies that do business with California residents.

Using the CCPA as a template, several other states are now also working on adopting their own privacy rights laws. This seems to be a trend that will become more and more important to all US-based businesses in the coming years.

How These Laws Affect Your Contact Center

Keeping up with the various laws and regulations that impact your contact center can be a daunting task, and it can be made even more difficult when adopting new technology vendors that may or may not be compliant with all your industry standards. When you choose an IVR vendor such as Plum Voice, you can trust that you’re getting top-notch technology that is compliant with major standards including HIPAA, PCI DSS, and SOC 2. Contact a Plum representative today to discuss how we can help your contact center.