IAPP-GDPR Web Banners-300x250-FINAL

Charles H. Kennedy

When most privacy officers think about the legal issues they face, their focus is on laws affecting the collection, use, disclosure and protection of personal information. They may overlook the laws affecting the ways their companies market to consumers. Yet, some of the most active areas of privacy regulation and enforcement involve the use of telemarketing, fax advertising and commercial email to reach customers and potential customers.

If you are not entirely confident that your company is in compliance with these requirements, it would be a good idea to meet with your marketing people. Here are some questions and why they matter.

Do You Use Telemarketing?

Companies that contact customers and potential customers by telephone must comply with state and federal telemarketing laws and regulations. Those rules cover a wide range of restrictions, including the times of day during which calls may be made, the permissible uses of autodialers and artificial or prerecorded voices, and re-strictions on calls to mobile telephone numbers.

Perhaps most importantly, the federal government and many states have established Do-Not-Call (DNC) registries, and generally prohibit telemarketers from placing calls to residential telephone numbers on the lists. The exceptions to the DNC rules vary extensively from state-to-state, and many state laws are more restrictive than the federal rules. For example, it is permissible under federal law to place sales calls to persons with whom the caller has an established business relationship, or EBR, even if those persons' telephone numbers appear on the national DNC list. However, many states define EBRs more restrictively than the federal rules or do not recognize an EBR exception at all. Unless and until the Federal Communications Commission declares that all more restrictive state telemarketing rules are pre-empted
by federal law, companies making interstate telemarketing calls must comply with the conflicting restrictions of all states.

Also, federal law and most state laws require each company engaged in telemarketing to maintain company-specific DNC lists. In order to satisfy this requirement, each telemarketer must train its representatives to record customers' requests not to be called again by that company, and a process must be in place by means of which those requests can be honored within 30 days of the time they are made. A customer's specific DNC request terminates any EBR between that customer and the calling company.

State and federal telemarketing calls are complex and aggressively enforced. All companies engaged in telemarketing should adopt compliance policies and ensure that their personnel are trained in their requirements.

Do You Record or Monitor Calls with Consumers?

Companies that use telephones for marketing, customer service or collections typically monitor those calls for quality control purposes. Such monitoring may be accomplished by having supervisors listen in on conversations with customers, or by recording some or all of those conversations for later review. Whichever method is used, federal and state wiretapping and eavesdropping laws apply.

Compliance with wiretapping laws is complicated by two factors.

First, the federal wiretapping law (the Electronic Communications Privacy Act, or ECPA) expressly permits the states to impose stronger limitations on eavesdropping and wiretapping, and the states generally take the view that their laws apply both in the caller's state and in the called party's state. This fact requires companies to conduct monitoring in accordance with the laws of the state or states in which monitoring occurs as well as with each state of residence of the customers whose conversations are monitored or recorded.

Second, most wiretapping laws were enacted many decades ago and are a poor fit with modern technology. One example of this problem is the so-called "business telephone exception," which permits supervisors to listen in on employee conversations using an extension telephone or other device normally furnished under tariff by the telephone company. In the days when all telephones and other customer equipment were leased from a monopoly telephone company at tariffed rates, this rule was easy to apply. Recording of calls using a tape recorder, for example, was outside the exception because telephone companies did not lease tape recorders. Today, telephone subscribers buy their equipment from a variety of sources and no equipment is provided under tariff, so no one can say precisely what types of equipment are inside and outside the scope of the "business extension exception."

The most persistent issue posed by wiretap laws is consent. Under federal law and the laws of most states, a conversation may be monitored or recorded with the prior consent of only one party to the call. When an employee of your company calls from such a "one-party consent" jurisdiction to another, it is sufficient that your employee has agreed to the monitoring of the call. The customer's consent is not required.

If your employee calls to or from a "two party consent" state, however, your company must obtain the customer's consent to monitoring before the conversation begins. Most companies do this by making a recorded announcement at the start of the call, on the theory that the customer's decision to proceed with the call after hearing the announcement constitutes the required consent. This approach may be impractical, however, when a company makes an outbound sales or collection call. Few persons who have not chosen to make a telephone call will wait patiently while an artificial voice tells them the call will be recorded. For this situation, the company must look to other provisions of law in two-party-consent states before monitoring. For example, some states have specific exceptions to the consent requirements for quality control monitoring; others permit recordings to be made in conjunction with audible "beep" tones transmitted at specified intervals. Only a careful review of the laws of all states involved will ensure compliance.

Do You Send Fax Advertisements?

Many businesses, such as lenders that send updated rate sheets to brokers and other intermediaries, rely heavily on fax messages to communicate commercial information. Under federal law, including the Junk Fax Prevention Act of 2005, that marketing channel must be used with great care.

Notably, unsolicited fax advertisements ordinarily may not be sent at all, even if the message offers a mechanism for opting out of future faxes from the sender. There are narrow exceptions to this rule: notably, a fax ad may be sent to someone with whom the sender has an EBR, so long as the sender obtained the recipient's fax number by means of voluntary communication from the recipient. Also, a fax advertisement may be sent with the recipient's prior written invitation or permission. Even when one of these exceptions applies, the message must contain a clear and conspicuous notice that the recipient may ask not to receive future fax advertisements from the sender, along with a domestic contact telephone and facsimile machine number and a cost-free mechanism for making the opt-out request.

Do You Send Commercial Emails?

No one likes to get spam, and the Federal Trade Commission (FTC) has made anti-spam enforcement one of its top consumer protection priorities. Although a complete explanation of the federal CAN-SPAM Act's provisions is beyond the scope of this article, companies should be aware that even an occasional commercial communication between a sales representative and an actual or potential customer is subject to the CAN-SPAM requirements, including labeling of the message and offering of an opt-out mechanism by which the recipient can ask not to receive future emails from the sender. Notably - and this is a common source of confusion - there is no EBR exception in the CAN-SPAM Act.

Also, the process by which your company records and complies with opt-out requests must be foolproof. The FTC has shown it will attack even unintentional failures to honor opt-out requests, such as those that result from programming errors or miscommunication. The result of such errors, even when made in complete good faith, can be payment of a substantial penalty and entry of a consent decree that will make the FTC your marketing supervisor for years to come. If there is any question about the adequacy of your company's email compliance procedures, it is not too soon to make a top-down review of those procedures to correct any deficiencies.

Charles H. Kennedy is Of Counsel to
the Washington office of Morrison & Foerster, LLP and has taught cyberlaw and communications law for ten years
at The Columbus School of Law, Catholic University of America. He also is the author of two books on communications law and the co-author of two other books. He can be reached at ckennedy@mofo.com.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»