Readers are encouraged to submit their questions to



We will tap the expertise of IAPP members to answer your questions.

Elise Berkower, CIPP
Q: Do any laws cover the sending of marketing messages to cell phones?

A: In the U.S. there are some statutory and regulatory restrictions on sending promotional messages to cell phones and other wireless devices. (Much of the impetus for regulation arose from the fact that consumers have to pay to receive these messages.) The laws and rules that intersect in this space are CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) (15 USC §§7701-7713) and the Federal Communications Commission's (FCC) Wireless Email Rule (64 CFR §64.3100), which was promulgated pursuant to CAN-SPAM and covers "mobile service commercial messages"; and the Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFAP) (15 USC §6101-6108), the Telephone Consumer Protection Act (TCPA) (47 USC §227), and the Telemarketing Sales Rule (TSR) (16 CFR §310.1 et seq.) along with the national Do Not Call registry that the Federal Trade Commission (FTC) maintains (www.donotcall.gov). Some states also have their own Do Not Call registries, so telemarketers have to be familiar with those laws, too.

The easiest way to figure out which laws and rules apply to a promotional message is to look at the destination to which the message is being sent. If the destination is an email address - with a "@" and a domain - CAN-SPAM and the FCC's wireless email rule apply. If the destination is a telephone number, then the TCFAP, TCPA and TSR apply.

CAN-SPAM covers traditional email messages, as well as text (also known as SMS or Short Message Service) messages, and MMS (Multi-media Messaging Service) messages that contain graphics, video and audio components. These formats all fall within the FCC's definition of a "Mobile Service Commercial Message" (MSCM), assuming that the primary purpose of the message is commercial.

Under CAN-SPAM, wireless service providers were supposed to create special domains for their customers to use for sending and receiving "mobile service messages." These specific domains are required to be listed on the FCC's Wireless Domain Registry (available at www.fcc.gov/cgb/policy/DomainNameDownload.html).

If the primary purpose of a "mobile service message" is commercial, the sender needs "express prior authorization" from the recipient to send it. "Express prior authorization" can be obtained by oral or written means, including electronic methods. A sender may obtain the subscriber's express prior authorization to transmit MSCMs to that subscriber in writing. Written authorization may be obtained in paper form or via an electronic means, such as an electronic mail message from the subscriber. It must include the subscriber's signature and the electronic mail address to which MSCMs may be sent. Senders who choose to obtain authorization in oral format also are expected to take reasonable steps to ensure that such authorization can be verified.

Because the consent standard for sending Mobile Service Commercial Messages is so high, the usual practice is for commercial emailers and Email Service Providers (ESPs) to block all emails going to the domains listed on the FCC's Wireless Domain Registry.

But, in its "Primary Purpose" Rule (16 CFR §316.3), the FTC recognized that emails can contain mixed content, i.e., both commercial content and content that is not commercial. If an analysis of a message intended to be sent to an email address that contains a domain listed on the FCC's Wireless Domain Registry concludes that the primary purpose of a mixed content message is NOT commercial, then the sender doesn't need the recipient's express consent to send it. It should be noted that the "express consent" requirement does not pertain to forwarded messages, unless there's an inducement or consideration offered for forwarding the message.

The TCPA and TSR also cover telemarketing SMS (text) as well as voice messages.

The TCPA was enacted in 1991 to address certain telemarketing practices, including calls to wireless telephone numbers, which Congress found to be an invasion of consumer privacy and even a risk to public safety. The TCPA specifically prohibits calls using an automatic telephone dialing system or artificial or prerecorded message "to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other common carrier service, or any service for which the called party is charged." (47 USC §227[b][1][A][iii]). The TCPA defines an "automatic telephone dialing system" as "equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers." (47 USC §227[a][1]) The CAN-SPAM Act provides that "[n]othing in this Act shall be interpreted to preclude or override the applicability" of the TCPA. (15 USC §7712[a]).

In 2003, the FCC released a Report and Order in which it reaffirmed that the TCPA prohibits any call using an automatic telephone dialing system or an artificial or prerecorded message to any wireless telephone number. This includes both voice calls and SMS text messaging calls to wireless phone numbers.

The Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFAP) gave the FTC the authority to promulgate the Telemarketing Sales Rule (TSR) (16 CFR §310.1 et seq.). The TSR prohibits telemarketers from engaging in various deceptive acts or practices, and imposes recordkeeping requirements. One section of the TSR created the National Do Not Call Registry (16 CFR §310.4[b][1][iii][B]). If a wireless telephone number is listed on the National Do Not Call Registry, a marketer is prohibited from calling that number unless it has an "established business relationship" with the consumer. An "established business relationship" is defined as "a relationship between a seller and a consumer based on (1) The consumer's purchase, rental, or lease of the seller's goods or services or a financial transaction between the consumer and seller, within the eighteen (18) months immediately preceding the date of a telemarketing call; or (2) The consumer's inquiry or application regarding a product or service offered by the seller, within the three months immediately preceding the date of a telemarketing call." (16 CFR §310.2[n]).

As marketers seek to utilize new technologies to promote their products, they need to become familiar with existing laws under which their activities may fall, as well as to keep abreast of new legislation that may affect the ways they interact with their existing and prospective customers.

Elise Berkower, an attorney and CIPP, is the Executive Vice President of Privacy Strategy at Chapell & Associates, a leading strategic consulting firm focusing on privacy, marketing and public policy. Prior to joining Chapell & Associates, she served as DoubleClick's Senior Privacy Compliance Officer for six years, helping DoubleClick's ad serving, search, Web site analytics, email and direct marketing clients address privacy issues. She participates in many privacy and technology industry groups, and is a member of the Advisory Board of The Privacy Advisor. She can be reached at



This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.

