Google’s strongest asset –its technology– has put the company in hot water once more.
The tech giant finds itself on the wrong side of a lawsuit involving alleged customer privacy violations via its own AI-powered, cloud-based contact center platform, known as Google Cloud Contact Center AI (GCCCAI).
While the dispute is far from solved, it opens new questions about privacy and data management; questions which, though crucial, seem to have been passed over by most relevant parties in the CX and IT services markets.
In short: A lawsuit was issued in October 2023 against Google in which it is alleged that the company “eavesdropped” and recorded calls between Verizon’s customers and CX agents working for the telecom company, effectively violating California’s Invasion of Privacy Act.
The alleged eavesdropping and recording would have been done through GCCCAI, which is used by corporate clients to improve customer care service via call automation, agent co-piloting and analytics-based insights.
According to the complaint, the plaintiff (a Verizon customer in California) was not aware that a third party (Google) was “present” during the call and did not explicitly consent to the customer interaction being listened to or recorded by that third party.
While not listed as a defendant, Verizon is mentioned constantly in the complaint.
Only one person is listed as the plaintiff. However, the complaint seeks to bring a class action lawsuit involving affected parties in California and the rest of the US, aiming for US$5,000 in statutory damages for each violation.
The tech: GCCCAI promises “more personalized, intuitive customer care from the first ‘Hello’” through the use of virtual agents and assistance to human agents, as stated by Google in a promotional video for the platform.
Virtual agents are the first point of contact with customers and can “seamlessly” hand off the call to a human agent if a more nuanced approach is required.
GCCCAI provides support to agents during calls by “identifying intent and providing real time, step-by-step assistance.”
In a case study of Verizon’s use of GCCCAI, Google explains that “the machine learning model that powers the solution learns from millions of anonymized historical support logs about the type of questions customers ask and how they phrase their questions. It is constantly learning and evolving as new offers change or expand.”
The core of it: The complaint alleges that “during consumers’ calls with Verizon’s support center, Verizon and Google fail to inform consumers, prior to any recording: (i) that a third party, Google, is listening in on consumers’ communications with Verizon, (ii) that a third party, Google, is tapping or otherwise making an unauthorized connection with the consumer’s telephone conversation using GCCCAI, and (iii) that the content of consumers’ confidential communications with Verizon are being recorded, collected, intercepted and analyzed by a third party, Google, using GCCCAI.”
The fine print: In its Service Specific Terms for its AI/ML services, Google states that it “will not use Customer Data to train or fine-tune any AI/ML models without Customer’s prior permission or instruction.” In this instance, the customer refers to business clients, not final consumers.
What’s being said: Though the lawsuit has received little media attention, a few CX analysts and industry lawyers have been discussing its potential implications for call center operators, their clients and providers of AI-driven CCaaS platforms.
“I wonder if the ‘call may be monitored for quality purposes’ statement can protect you,” commented Calltastic Co-Founder and CEO Leonardo López in a social media post. “Maybe it needs to be modified in a manner where it is disclosed that information from this call may be gathered from the company or its partners for quality purposes.”
“AI vendor friends, if you provide call analytics or agent assist technology, talk to a California lawyer about whether you should provide consumers with additional notices of what you are doing on the call,” said ZMAXINC COO and outsourcing advisor John Walter in a LinkedIn post. “This pitfall seems like an easy one to avoid.”
For your consideration: NSAM reached out to several Nearshore CX vendors which use third-party CCaaS platforms, seeking for comment on the Google case. None of the companies consulted were aware of the lawsuit, and very few showed awarness of the problem posed in the legal complaint before we brought it to their attention.
A preemptive approach: “The way we address that security question is that, with our CCaaS providers, we structure it so that we have specific private instances in a security arrangement, in a secure cloud bucket; in this case, we use Amazon,” commented ibex CIO Jim Ferrato in an interview with NSAM, referring to how ibex handles data privacy when using third-party CCaaS platforms.
“Ibex manages that security. It’s really no different than if the call was landing on our premises,” he explained. “We have contractual agreements, security agreements that ensure that we don’t commingle, that no other entity has access to that information. But all of that goes back to how you structure your CCaaS, both contractually and the physical setup of it.”
NSAM’s take: Beyond the final ruling on the case, what’s relevant to the industry at the moment are the questions raised by the lawsuit and how other providers and users of AI-driven CCaaS platforms will address them. Are new disclaimers required for voice-based interactions? Should more care be taken when structuring CCaaS platforms? Is that extra care enough? Will this lead to new provisions in SLAs?
The law rarely catches up to the development of new technologies, but cases such as this one can accelerate the pace of legislation and other regulatory actions. Even if the courts rule in favor of Google, state or even national authorities might use the case as a basis to develop privacy regulations specific to the use of AI in customer care interactions.
Service providers, AI vendors and corporate clients will have to be on the lookout not only for pitfalls related to this specific use of AI and cloud tech, but to others that might arise when taking different technologies (whether emerging or already established) to market.
The buy-side will want to be more careful too when managing vendors. More and more client names are being dropped in lawsuits involving CX providers.
Given the preference of many clients for keeping their dealings with service providers confidential –whether as a matter of market competition or reputational care–, we can see vendor managers and compliance officials paying more attention to the issue of privacy and data management in cloud CX setups.