
Call Center Regulatory Compliance


The Team at CallMiner

March 12, 2020


Accommodating regulatory guidelines and remaining compliant with strict mandates can be tough for any call center organization to do.

As communication technologies continue to evolve, so too do the various threats that target them. Call centers are at the bullseye in terms of their strategic attractiveness for malicious actors. Such organizations regularly intercept and process important, sensitive data pertaining to customers and clients across a large variety of industries. This makes them veritable treasure troves of highly valuable information if left improperly guarded against attacks.

Unfortunately, threats to consumer safety and privacy during dealings with call centers come in many forms, warranting a more encompassing approach to protection than other organizations might have use for. Read on to learn more about a few relevant regulations call centers must abide by to ensure the information they process remains secure.

Regulations That Impact Call Centers

Of particular importance to call center companies are regulations involving data privacy and protection.

The most widely applicable regulatory rule set is the PCI-DSS. However, both HIPAA in the US and the GDPR in the EU also matter to organizations outside their respective territories.

Payment Card Industry Data Security Standard (PCI-DSS)

This first set of rules and regulations is designed and enforced by leaders of the Payment Card Industry.

PCI-DSS stands for “Payment Card Industry Data Security Standard” and although it is not necessarily enforced at a governmental level in many jurisdictions, the PCI Security Standards Council holds companies accountable for failing to abide by established standards. In the event of failure to follow the rules put forth in this group of standards, companies may be fined by the council.

The Six Goals of the PCI-DSS

The PCI-DSS classifies the rules it contains under a series of six major goals. These goals are as follows:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Monitor and Test Networks
  • Maintain an Information Security Policy

Compliance with PCI-DSS involves understanding the above goals and documenting specific efforts outlined within the set of standards to meet them. Modern call centers that handle consumer payment card information should adopt the best practices the council’s official documents specify, such as following appropriate methods for ensuring PCI call recording and transcription compliance.

Health Insurance Portability and Accountability Act (HIPAA)

The “Health Insurance Portability and Accountability Act” or HIPAA governs key aspects of handling private health information within the US.

Since being passed in 1996, this act has been amended with additional information pertaining to the handling of electronic health records and more. The act’s Privacy Rule details these important regulations, delineating the processes that must be followed to access, edit and share electronic protected health information securely.

The bulk of the act’s requirements pertain to in-house administrative protocols and technological requirements for proper compliance.

Safeguarding Health Information

Protected health information must be kept completely secure at all stages of use, storage and transfer to be compliant with HIPAA’s many regulations. However, there are numerous specifics defined within HIPAA’s Privacy Rule that detail exact measures that must be taken on the part of organizations that deal with such information regularly.

An important facet of HIPAA’s rules pertaining to staff training is as follows:

“Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.”

Without proper training on data security policies having been implemented within an organization, a business could be subject to significant fines or worse.

Requests for Privacy Protection

In addition to implementing specific safety measures for handling electronic protected health records, health care call centers within the US must take appropriate measures to safeguard such information extensively if requested to do so by the individual such records belong to.

Organizations in this position should ensure that their systems permit such functions to be carried out safely in order to remain compliant.

General Data Protection Regulation (GDPR)

GDPR stands for the “General Data Protection Regulation” – a group of laws designed to improve the handling of consumer information of all kinds as pertains to tracking, monitoring and more.

Most call centers monitor conversations constantly as a rule and are likely to find guidelines in the GDPR particularly applicable to their daily operations. Specifically, the rules in the GDPR apply to companies dealing with consumer information originating in the European Economic Area.

Storing Outreach Information

Keeping potential leads on file, though a particularly common practice for many outbound call centers, is no longer recommended due to GDPR privacy mandates. Retiring lists of contacts over time and safely disposing of data is now required to meet the exacting rules of this multifaceted body of regulations.

Preserving Anonymity

Data collection techniques of all kinds that involve persons who reside in or are from the EEA must make reasonable attempts to preserve said persons’ anonymity in addition to obtaining consent prior to collection of said data.

Download our white paper, Sitel + CallMiner Survey: Preventing Fraud and Preserving CX with AI, to learn more about the importance of data security for compliance within the call center environment.

Fair Debt Collection Practices Act (FDCPA)

Collections agencies must comply with the Fair Debt Collection Practices Act (FDCPA), a federal law that places restrictions on what debt collectors can do and say when collecting certain debts. A related regulation, the Fair Credit Reporting Act (FCRA), sets requirements for how debts are reported to credit bureaus and disclosed on consumers’ credit reports.

The FDCPA applies to debt collectors who collect on the following types of debts:

  • Credit cards
  • Mortgages
  • Medical debt
  • Other debts primarily for household, family, or personal use

Restrictions under the FDCPA include:

  • Debt collectors may not contact debtors prior to 8:00 a.m. or after 9:00 p.m. They also are not permitted to contact debtors at their place of employment if they know the employer does not allow such contacts in the workplace.
  • Debt collectors may not engage in behaviors or activities intended to harass debtors or others (family members, friends) over the phone or through any other contact methods.
  • Debt collectors may not contact consumers directly when they know the debtor is represented by an attorney.
  • Debt collectors must state the Mini-Miranda at the start of communications with a debtor. The Mini-Miranda is a legal warning disclosing to the debtor that the individual initiating the contact is a debt collector, the purpose of the communication is to collect a debt, and any information provided by the consumer will be used in an effort to collect the debt.

Interaction analytics solutions can help collections and accounts receivables management (ARM) firms eliminate contact center compliance risk and ensure agent compliance by analyzing every interaction.

Download our white paper, 10 Ways Speech Analytics Empowers the Entire Enterprise, to learn more about how speech analytics can benefit every facet of your organization.

The various regulatory provisions described above concern most major call centers in the Western hemisphere and should be studied in detail to ensure the standards they mandate are met.


What tools and strategies does your company use to ensure compliance?
