How Customer Support PII Affects Your Ability to Comply with Various Regulations

The rise of data privacy and protection laws has made Personally Identifiable Information (PII) the hottest topic in the customer service industry lately. The new data regulations reshaped data processing practices to give consumers more power over their sensitive data.

The goal in mandating these procedures is to create transparency and trust between the parties and to guarantee maximum data privacy and security. The regulations don’t prescribe specific tools that you need to use; however, they clearly demand the use of new-generation software solutions that ensure data safety, such as customer support software.

PII is an expensive asset. It helps you deliver great customer experiences; however, collecting data carries big responsibilities. You should establish a team of IT experts who can oversee all data processing practices. You will also need a team of legal professionals who can create comprehensive company data policies for all employees. Your company’s data policy should be determined by your needs as well as by the privacy laws specific to your country or industry.

For instance, the General Data Protection Regulation (GDPR) governs the use of personal data in the European Union. Any business worldwide that collects personal data belonging to EU residents must incorporate its definition of PII within their policies. Following this legal trend, California introduced the California Consumer Privacy Act (CCPA) in 2019.

Not long after, the Californian law enforcement body decided to improve this privacy policy with the California Privacy Rights Act (CPRA), which was enacted last year. As a result, you now have two privacy laws in California that you need to comply with to make your use of customer PII legitimate. If you are in the US healthcare industry, HIPAA is your number one priority. Similarly, the GLBA dictates rules for the financial industry, which has the toughest job in protecting customer PII because it is the target of repeated data attacks.

Hackers try to obtain customers’ financial information in every industry, but a financial institution is the most direct place to obtain financial details. Lastly, the US education system has a law of its own too. Every student or student guardian can exercise their rights regarding data disclosure and must consent to any type of data collection or storage.

Why is legitimate handling of customer data important? Research shows that 55% of US and European customers wouldn’t trust a company with their data if it is known for misusing or selling data without consent. Moreover, you can face multiple fines as well.

Let’s make sure that you don’t!


The GDPR is the groundbreaking law for both EU and global businesses. The EU market is one of the most profitable, sought-after markets in the world, which is why it was extremely important to establish a law regulating its data use. The GDPR set the standard for consumer rights, and many other policies followed it.

The key consumer rights are:

  • Data collection should be lawful, transparent, and fair: You need to nurture openness and collaboration regarding data processing to gain customers’ trust and comply with the GDPR.
  • Obligation to inform: You are not allowed to collect even your customer’s name without permission.
  • Data collection notification: To successfully start collecting PII, you need to send a clear notification to your customers outlining your plan of action first.
  • Consent request: Your data collection notice should include an easy-to-find consent button that your customers will click on if they decide to do business with you.
  • Right to access: After they give you their consent, you will need to allow your customers to access their data any time they want.
  • Option to rectify: Every now and then you may misspell your customer’s name or record a wrong date of birth. No one will notice that faster than the customers themselves, which is why you need to enable them to rectify their data when needed.
  • Right to be forgotten: One of the greatest GDPR innovations is the consumer’s right to delete their data, a.k.a. the right to be forgotten. When a customer decides to leave your company or simply stops using your services, they become eligible to send such a request.
  • Data portability: This type of customer request relates to the option to download all the data a company has collected on them at any time. This data should be delivered in an easily transmissible format such as a PDF, and it should contain the customer’s PII from the beginning of the relationship.

GDPR encompasses the following PII:

  • Web data: current location, IP address, and cookies
  • Identity information: name, home or office address and ID numbers
  • Political choices
  • Data on ethnicity and race
  • Health and genetic data
  • Biometric data
  • Sexual orientation

Protect all customer PII if you want to avoid massive GDPR fines, which can amount to as much as €50 million.


The CCPA is the first comprehensive US data privacy law that tackles all aspects of digital and non-digital PII collection. It took effect at the beginning of last year, and since then more than 50 lawsuits have been filed. Some of the most expensive fines issued were against Salesforce and their customer Hannah Clothing, because millions of customer PII records were exposed. The CCPA followed the GDPR clauses regarding consumer rights in many cases; however, it introduced many novelties as well.

First, the two laws differ in their definition of a customer. The GDPR recognizes only individuals as data subjects, while the CCPA takes households into account too. The CCPA limits its oversight to PII collection by for-profit organizations that record annual revenue of $25 million, collect the data of more than 50,000 consumers, or base their business on data sales. On the other hand, the GDPR applies to any business that processes the data of EU individuals.

The CPRA goes one step further and makes it clear which types of data are considered PII or sensitive data. It sets out the requirements you need to follow for each of them, and they are as follows:

  • Financial account: credit or debit card numbers
  • Login credentials: username and/or password
  • Government identifiers: ID number, Social Security number, driver’s license data, etc.
  • Precise geolocation
  • Race and ethnicity
  • Philosophical or religious beliefs
  • Content of nonpublic communications: messages, mail and email content
  • Biometric or health information: genetic data
  • Sexual orientation information

Another amendment to the existing CCPA law concerns new consumer rights, which bring the Californian policy even closer to the GDPR. The CPRA adds the right to restrict the disclosure or use of personal data by third parties and the right to correct PII. However, the most significant innovation was the right to opt out of both the sharing and the sale of personal data.


The US Department of Health and Human Services set out to improve the Health Insurance Portability and Accountability Act (HIPAA) of 1996 by introducing the HIPAA Privacy Rule. This rule applies to healthcare providers across all US states, but not to every provider in the healthcare industry. It aims to protect patients’ medical records, or Electronic Protected Health Information (e-PHI).

e-PHI covers:

  • PII put in medical records used by doctors and nurses
  • Conversations about a patient’s treatments and other clinical needs
  • Personal data stored in your computer system
  • Billing information


The US financial industry has its own data privacy law too. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is the US federal law enacted with the goal of protecting the most sensitive PII: financial information. According to this law, all “significantly engaged” financial organizations must keep their clients’ nonpublic personal information (NPI) out of hackers’ hands. NPI refers to personal financial information that a client voluntarily shares with a financial institution.

The information that is considered to be NPI includes:

  • Data derived from transactions involving a financial product or service between a client and a financial institution: This case relates to payment history, account number(s), loan or deposit balance(s), and credit or debit card purchase(s).
  • PII a client shares with you: This includes basic PII such as their first and last name, as well as more sensitive data like personal and business addresses or credit card and Social Security numbers.


The Family Educational Rights and Privacy Act (FERPA) is the US education law enacted in 1974 that regulates the data processing of educational institutions holding student data. Under this law, every institution that regularly receives federal funding for educational purposes is considered an educational institution.

Over time, and in light of the tech revolution, it became more important to regulate the use of student electronic records. Now, only the student or their guardian (if they are underage) has the right to disclose the collected PII to a third party.

FERPA distinguishes between three types of data: educational records, directory information, and PII. In this case, PII refers to any student information related to their status as an individual and citizen, such as their Social Security number. The other two data types provide information about the individual as a student.
