Legal and Regulatory Developments in 2020—and What to Expect in 2021

Think about this. 2020 has (thankfully) come to an end, but the rapid and largely unrestrained spread of COVID-19 has upended our normal way of life and caused tremendous economic losses. On top of that, we just completed a bitterly contested presidential election.

While all this was happening, important things were happening on the legislative and regulatory front, some of it predicated on the pandemic and some carryover from ongoing regulatory and legislative initiatives. This article attempts to summarize significant developments in 2020, and share some thoughts about what to anticipate in 2021.

As a word of caution, laws and regulations are highly complex, subject to change, and for every rule there are always exceptions. Any effort to summarize in a few bullet points laws and regulations that can extend to 100 pages or more, necessarily omits information that may be very pertinent to your particular situation. Do not confuse this article with legal advice.

Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act)

• The TRACED Act is the first federal anti-robocall law. It provides additional protections in addition to those already included in the Telephone Consumer Protection Act, such as prohibiting telemarketing robocalls to individuals who have not provided written permission to accept these calls.
• Grants the FCC more authority to go after scammers responsible for unwanted robo­calls.
• Requires voice service providers to develop call authentication technologies.
• Requires the FCC to initiate rule-making to help protect subscribers from receiving unwanted calls or texts from callers using unauthenticated numbers.
• Service providers must develop a system which informs customers when they receive a “spoofed” call.
• Increases fines on spam robocallers from $1,500 to as much is $10,000 per illegal call.

California Consumer Privacy Act (CCPA)

• The CCPA applies to any for-profit entity that collects and receives personally identifiable information from California consumers and meets specified criteria. The entity need not be located in California.
• California residents may instruct organizations not to sell their personal information.
• Grants consumers the right to request access to, or deletion, of their personal information.
• A business’s methods for submitting requests to opt-out shall be easy for consumers to execute.
• Business are required to create a separate “do not sell my personal information” webpage with a clear link to their homepage.
• Expressly provides private right of action and statutory damages from data breaches caused by the lack of reasonable safeguards, even if there was no actual harm.
• On November 3rd, the Consumer Privacy Rights Act (CPRA) was approved. This allows California consumers to block companies from selling or sharing their personal information, imposes limits on how websites track data that they sell to partners, and establishes an enforcement arm.
• Penalties are $2,500 for each violation or $7,500 for each intentional violation.

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

• Requires that any person or business that owns or licenses computerized data that includes private information of residents of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.
• Breach notification applies to any person or business which owns or licenses computerized data which includes private information of a resident of New York.
• The SHIELD Act expands the definition of private information to include account numbers, credit card numbers, driver’s license numbers and biometric information, or alternatively, a username or email address in combination with a password or security question.
• Unless the exposure was inadvertent, notices must be sent out to affected persons.
• The court may impose penalties of the greater of up to $5,000 or up to $20 per instance with a cap of $250,000 for knowing and reckless violations.
• A court may impose penalties of not more than $5,000 per violation.

The Emergency Family and Medical Leave Expansion Act (EFMLEA)

• In general, this Act applies to any individual who is unable to work because of COVID-19.
• Provides up to two weeks (80 hours) of paid sick leave plus an additional 12 weeks (10 of those paid) of expanded family and medical leave for reasons related to COVID-19.
• The Emergency Paid Sick Leave Act (EPSLA) requires employers with fewer than 500 employees to grant workers up to two weeks (80 hours) paid sick leave at their regular rate of pay (up to $511 per day with a cap of $5,110) if the employee is unable to work due to COVID-19.
• If the employee is unable to work because they are caring for someone under quarantine or a child (under 18) whose school is closed due to COVID-19, or the employee is experiencing symptoms of COVID-19 and seeking diagnosis, the employee may be compensated at two-thirds of their regular rate of pay (up to $200 per day with a cap of $2,000).
• Self-employed individuals can claim up to $200 per day or 67% of their “average daily self-employment income,” whichever is less, for up to 10 weeks of family leave.
• Covered private employers qualify for reimbursement through refundable tax credits for all qualifying paid sick leave wages and qualifying family and medical leave wages paid to an employee who takes leave under the FFCRA (Families First Coronavirus Response Act).
• Businesses with fewer than 50 employees may qualify for an exemption from paid sick leave or family and medical leave for childcare if granting the leave would jeopardize the viability of the business.
• Penalties are on hold during current grace period.

NOTE: This act is scheduled to expire December 31, 2020. We included it here because of the possibility that it may be extended.

California Assembly Bill 5 (AB5 or “Gig Worker Bill”)

• Applies to freelance workers who reside in California, even if the business that hires the freelance worker is located outside of California.
• Companies that hire independent contractors and freelancers must classify them as employees, unless they can prove that three specified conditions exist.
• There are notable exceptions, such as doctors, lawyers, accountants, graphic designers and entertainers.
• Freelance workers who become reclassified as employees gain various protections such as a guaranteed minimum wage and overtime pay.
• Employers may not reclassify an individual who was an employee on January 1, 2019, to an independent contractor due to this measure’s enactment.
• Nothing in this act is intended to diminish the flexibility of employees to work part-time or intermittent schedules or to work for multiple employers.
• Hiring firms that are found to have misclassified employees as independent contractors can be required to pay fines, penalties, and back-pay and benefits.
• California law imposes a civil penalty of up to $25,000 per violation on an employer that willfully misclassifies individuals as independent contractors.

What We Can Expect in 2021

Privacy remains a top concern of the American public. The United States is alone among leading nations in that we do not have a national law that defines and protects personal privacy. The states have been filling that gap. California has taken the lead with the California Consumer Privacy Act, but other states are following California’s lead. Besides California, Nevada and Maine have enacted privacy legislation and nine additional states have introduced legislation. Similarly, although New York was out in front with the SHIELD Act, we can expect to see other states follow New York’s lead.

Another trend we are seeing is broadening the definition of what constitutes Personally Identifiable Information (PII). Federal-level legislation that defines PII, such as TCPA and HIPAA, was enacted when virtually no one had email addresses or Twitter handles. Illinois, Washington and Texas now even include biometric data.

Looking forward, contact center management must be mindful of legislative initiatives that seek to draw a bright line between employees and contract workers. Contact centers employ large numbers of part-time workers, particularly during busy seasons. The California Supreme Court has ruled that companies must use a three-pronged test to determine if an individual is an employee or an independent contractor. California later codified that ruling. The worker is NOT an employee if the following conditions exist:

• The worker is free to perform services without the control or direction of the company.
• The worker is performing work tasks outside the usual course of the company’s business.
• The worker is performing the job duties of their regularly established trade, occupation or business.

Sometimes there is an additional requirement which states that the contractor must be in business for themselves. This is generally proven by the contractor having, for example, a business license.

This is the California view but unfortunately there is no universal definition of what distinguishes an employee from a freelancer. Savvy contact centers will make sure that their workforce management software has the flexibility to adjust to changing definitions of an employee as well as continuing changes in state minimum wages and adherence to federally mandated paid-time-off requirements to accommodate COVID-19. Eric Hagaman, Senior Product Manager for Aspect Software, advised: “With a resurgence of the coronavirus looming, state and federal laws giving paid sick leave to infected employees can significantly impact contact center schedules. Aspect WFM software offers office-bound and work-at-home agents the flexibility to accommodate the unconventional schedules needed to fill vacancies left by workers and sick leave.”

I also reached out to Verint Systems for their views on how to tackle the challenges of meeting compliance obligations, while at the same time, adjusting to COVID-induced changes in scheduling and worker location. Verint’s Dan Spohrer, Vice President, Product Strategy, emphasized the importance of maintaining the same standards for data protection, risk governance, internal controls, security and supervision for home-workers as they would in an office environment. He said, “Ultimately, businesses must realize that compliance processes are only as good as the data they are able to gather from their employees, no matter where they operate. That data is mostly unstructured, such as customer interactions.” He added, “Organizations are increasingly turning to artificial intelligence, big data analytics and automation to help them remain compliant with regulations and thrive in this new reality.”

Over the past 10 years, Dick Bucci (The Compliance Guy) has written extensively about laws and regulations that impact the contact center. Copies of these papers are available upon request at no charge.