Key Takeaways

  • Analyzes whether recording customer service and sales calls triggers the CCPA’s new risk assessment requirements.
  • Identifies the specific CCPA triggers most relevant to call recording, particularly when AI analytics are applied to recordings.
  • Notes related obligations under state wiretapping laws and other state privacy frameworks.

Recording customer calls is among the most common data collection practices in business. Contact centers, healthcare providers, financial services firms, and countless other industries record customer interactions for quality assurance, training, compliance, and dispute resolution. The familiar “this call may be recorded for quality and training purposes” disclosure has become almost reflexive. But with the CCPA’s new risk assessment requirements now in effect, businesses subject to the CCPA should revisit this practice—particularly where call recordings are analyzed using AI or used in ways that go beyond simple storage and retrieval.

Our earlier posts on CCPA risk assessment basics discuss when the CCPA risk assessment requirement applies and the general requirements for conducting and reporting a risk assessment. This post focuses specifically on the call recording context.

How Businesses Use Customer Call Recordings

At its most basic level, call recording captures audio of a conversation between a customer service representative and a customer, stores that recording, and makes it available for later playback. Many businesses, however, now use AI-powered speech analytics tools to extract additional value from those recordings. These tools can transcribe calls, identify topics discussed, detect customer sentiment and emotion, flag compliance concerns, score agent performance, and generate profiles of individual customers based on their communication patterns, expressed preferences, or emotional responses across multiple interactions.

It is this AI-enhanced use of call recordings, rather than simple storage, that raises the most significant, though not the only, CCPA risk assessment questions.

CCPA Risk Assessment Triggers for Call Recording Programs

Businesses should evaluate at least the following potential risk assessment triggers in connection with their call recording programs:

Sensitive Personal Information. Call recordings frequently capture sensitive personal information. Under the CCPA, sensitive personal information means personal information that reveals information about a consumer, such as: SSN, driver’s license number, passport number, precise geolocation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership, genetic data, biometric information for the purpose of uniquely identifying a consumer, and information about a consumer’s sex life or sexual orientation. This is not an exhaustive list, but it is no doubt information that could be captured on a recorded line.

Customers who call healthcare providers, pharmacies, or health insurance companies, for example, routinely disclose such information. But remember, the CCPA excludes certain categories of personal information, including protected health information covered under the Health Insurance Portability and Accountability Act and medical information under the California Confidentiality of Medical Information Act. Importantly, not all health and medical information is covered under these laws, and information that falls outside them could be covered by the CCPA!

If a business uses voice biometrics—either to verify a caller’s identity or as part of a speaker analytics program that analyzes vocal patterns to identify individuals—it is processing biometric information, which is sensitive personal information under the CCPA. Even a speech analytics platform that generates a persistent voice profile of a customer may implicate this category. A risk assessment may be required for processing of that kind.

Systematic Observation. The CCPA risk assessment regulations require an assessment when businesses profile consumers through systematic observation. Automated processing of information obtained from call recordings could be used to infer or extrapolate a consumer’s intelligence, aptitude, performance at work, economic situation, behavior, location, etc. based upon systematic observation. When this occurs in connection with a consumer acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business, a risk assessment may be needed.

Automated Decision-Making. Where call recording analytics feed into automated systems that make significant decisions about consumers—such as creditworthiness determinations, insurance coverage decisions, or healthcare recommendations—the ADMT risk assessment trigger may be engaged.

State Wiretapping and Consent Laws

Separate from the CCPA risk assessment requirements, businesses recording customer calls must comply with state wiretapping and call recording consent laws. California’s Invasion of Privacy Act (CIPA) requires all-party consent for recording telephone calls. Several other states—including Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington—also require all-party consent. Businesses that record calls involving customers in those states without proper consent face significant litigation exposure. The wiretapping consent requirement and the CCPA risk assessment obligation are independent—satisfying one does not satisfy the other.

What Businesses Should Do

Businesses that record customer calls should document the full lifecycle of those recordings: what is captured, where it is stored, how long it is retained, who can access it, and whether any AI or analytics tools are applied to the recordings. Where recordings capture sensitive personal information or are analyzed by AI to generate profiles or inform significant decisions about customers, a CCPA risk assessment should be considered by businesses covered under the CCPA.

For the procedural requirements of completing a risk assessment—including the required contents of the risk assessment report and the certification obligation to the CPPA—Part 2 of our risk assessment series provides the relevant guidance.