For some privacy pros, adhering to the Telephone Consumer Protection Act can be as tricky as getting its name out in one breath.
At first blush, it could be hard to see why. A cursory glance of the law makes it appear straightforward: don’t spam people with automated marketing calls. Respect their privacy. End of story.
Not so much, some say.
“The TCPA has been a huge problem that we’ve had to deal with,” said Capital One Senior Director Ryan Barker, FiP, CIPM, CIPP/C, CIPP/US. “Last year – the declaratory ruling from July 2015 from the [Federal Communications Commission] – gave us additional risks that were not really contemplated before the rule.”
To understand those problems, however, it’s important to grasp the issues catalyzing the TCPA’s birth 25 years ago, its subsequent major revisions since, and the quickly morphing technology that has spurred those changes.
Enacted in 1991 and adopted in 1992, Congress originally enacted the law, formally known as 47 U.S.C. 227, as a way to double down on the increasingly voluminous amounts of telemarketing calls to residential and mobile lines – the latter an increasingly pressing problem during its fledgling years, when users were charged per-call. “[I]ndividuals’ privacy rights, public safety interests, and commercial freedoms of speech and trade must be balanced in a way that protects the privacy of individuals and permits legitimate telemarketing practices,” it said. The law’s different provisions covered fax advertisements, wireless calls, and landline dials. In essence, “the TCPA restricts the making of telemarketing calls and the use of automatic telephone dialing systems and artificial or prerecorded voice messages,” reads an FCC memo.
Fast-forward to 2003, when the FCC and the FTC developed the National Do-Not-Call-Registry, a separate-yet-related entity under the FTC’s control, with agencies taking joint enforcement duties.
This creation acknowledged communication technology's metamorphosis.
“The telemarketing industry has undergone significant changes in the technologies and methods used to contact consumers, which have resulted in significant growth in the number of telemarketing calls,” the FCC said in a statement announcing the registry. “There has been a corresponding increase in consumer frustration and dissatisfaction.”
That frustration continued to grow even after the creation of the Do-Not-Call list, with the agency releasing step-by-step guidelines for individuals who were still plagued by robocalls and wanted the government to get companies to stop.
In 2013, 10 years later, the FCC revised the TCPA to include three new provisions. Telemarketers would now be required to gather “prior express consent” before using autodialers for robocalls; said consent would need to go beyond an “established business relationship,” and their automated calls had to include an “automated, interactive ‘opt-out’ mechanism” so consumers could easily avoid continued communication.
Next came the aforementioned July 2015 mandate, TCPA Omnibus Declaratory Ruling and Order, the result 19 different petitions for FCC clarification of the law.
But the mandate's attempt to shed light on the definition of an autodialer, what express written consent looks like, and how the law impacts mobile culture, among others, has, in many cases, seemed to further confuse companies even more.
That was evident at a House Energy and Commerce subcommittee hearing September 22, at which witnesses from a healthcare and an energy company, among others, complained about the ways in which the FCC's 2015 order seemed to make understanding TCPA's rules more difficult rather than simpler.
For the FCC, however, making these distinctions was a necessary opportunity to stem the ever-increasing spam complaints, the steady growth of which was not being curbed by the agency's legal stopgaps.
“Between 2010 and 2012, consumer complaints about calls to wireless phones doubled, to an average of over 10,000 complaints per month in 2012,” the 2015 order states. “In 2013 and 2014, the commission received roughly 5,000 or 6,000 such complaints per month, lower than in 2011 and 2012, but still a substantial monthly total that is persistently one of the top consumer concerns.” The FTC had similarly large numbers of complaints.
In many cases, those complaints turned into lucrative, capless class actions for plaintiffs and payouts large enough to cripple small businesses.
“I think the plaintiffs' expressed interest in it is in some respects because statutory damages are available,” said Alston & Bird’s Dominique Shelton. “And so we’ve got $500 per violation, and those damages can be tripled if it’s a willful violation or intentional. That’s been attractive to plaintiffs way before the July 2015 order.” That’s an either $500 or $1500 fine for each call-sans-consent. Many organizations, like Wells Fargo and Capital One, have felt the sting of such suits. Companies are eager to get this right.
The devil is in the details, however, and it's there that companies often trip up.
“Part of it is understanding that the TCPA is not just one specific thing,” said Ifrah Law’s Michelle Cohen, CIPP/US. “It has many twists and turns."
Barker took it a step further. “One of the issues with the TCPA is that it impacts all lines of business," he said. "This rule applies across the board. It literally hits every area that we have at Capital One. ... It covers everything.”
There’s also the fact that nearly all types of companies are under this legislation's umbrella.
“The TCPA is not limited to large corporations,” Shelton said. That includes titans of industry, mom-and-pop stores, and religious institutions. Even campaigns are not exempt. While companies may autodial without consent to notify its customers of a fraud, breach, identity theft, or a money transfer, government agencies and those collecting on behalf of debt to the government are the only organizations who do not have to worry about the TCPA at all, Cohen said.
Another considerable issue is how the TCPA’s 2015 order defines an autodialer.
“It really expanded the scope of what an autodialer is,” Barker said. “Initially, before this order came out … it was pretty clear cut what a dialer is.” Now, if your phone has the capability to dial thousands of numbers in quick succession, even if it can be manually turned off, it is considered an autodialer under the provision.
“The definition includes the present and potential and future capability of an autodialer,” Barker continued. “The reality is, based on the FCC’s order, your iPhone could become an autodialer” because a user could download an app that gives them that capability. FCC lawmakers “refuse to give example of what an autodialer is, the only thing they give they are not,” he said. “Rotatory phones aren’t,” for example.
Of course, autodialing is out of the question in most cases without consent, which Barker said can be tricky to define. There’s “no one easy answer,” he continued. While applications for a service can count as an opt-in, how does one handle the opting-out process, which the FCC mandates must be clear and straightforward? For example, if a consumer decides to cancel a Capital One credit card notification, does that mean he or she is sick of receiving information on his or her savings account? “For a lot of companies, that causes some big problems,” Barker said.
Consent is also fleeting. Say a company has obtained permission to call a consumer’s mobile phone, and that number gets reassigned. “We call you up, but the number no longer belongs to you. It rings and it rings,” Barker said. “The voicemail doesn’t say anything about whose number we reached.” Under the 2015 order, companies are “still expected to know that that number doesn’t belong to [their] customer.” Companies have one shot to discover a number has been re-assigned to a non-consenting, new individual, even if it they have no notification or indication from the voicemail message that they’re speaking with a new person. Every other call after that first attempt is considered an autodial without consent and is therefore a punishable offense.
That's especially problematic when one considers that “100,000 numbers are every day reassigned,” Cohen said. Upkeep becomes a problem.
Barker agreed. “Even if the business feels good about their content capture, it moves into hygiene,” he said. While there are companies who scrub number lists to check for re-assignments, they only have an estimated 80 percent accuracy. With fines up to $1500 per call, that’s quite a gamble for companies to make. Barker should know: Capital One paid a $73 million TCPA settlement in 2014. In the face of such huge fines for miss-stepping, “there’s a lot of pushback about this,” Barker said. "Companies are saying, ‘this is kind of unworkable.’”
Text messages are another source of confusion. While the original law doesn’t specifically acknowledge them, the FCC’s order says that yes, SMS messages fall under the same provisional legislation as actual calls, a move that Shelton said many companies view as a “gotcha” move.
“People like alerts,” Barker said. And with text messages, consent is easier to obtain since most programs hinge on an opt-in system. While he acknowledged that many companies have found solace notifying their customers with in-app messages, which are not regulated by the TCPA, he found that customers still prefer the “history” and immediacy that comes with texts. Reassignment, however, becomes a problem in this space.
Baton-passing doesn't protect organizations from compliance, and the FCC will fault companies even if a third party they hired made the mistake.
“You’re not insulated because the vendor that you used didn’t do the right things,” said Zaveri Tabb’s Deval “Dev” Zaveri.
Lastly, Shelton added, the order muddies the water surrounding calls beyond telemarketing. “In a number of class actions, looking to the legislative history, and interpreting the regulations themselves, they seem to be limited to telemarketing, but then we have this July 15 order, in which it seems the FCC seems to be taking it beyond that, which is concerning,” she said. “The regulations talk really about telemarketing messages. There’s a little bit of an anomaly there that needs to be fleshed out.”
With all these specific areas of contention within the TCPA, it’s no wonder privacy pros are confused. How does a company comply?
Know your stuff – or call upon those who do. “Call your lawyer,” Cohen said. “I want to help people reach customers, but do it in a way that will help you avoid trouble.” If not your lawyer, get somebody who “understands the various parties across the different sides,” she added, and don’t rely on “random information on the internet.”
Spend money to review your business practices and to train your employees. After all, Cohen said, proactive protection will be cheaper than paying a large fee in settlements or fines in the future. “Compliance is key,” she added. “The best money that could be spent is understanding the law is dotted Is and Ts crossed, and [it] puts you in the best situation to defend yourself.” Use the opportunity before a new marketing campaign goes out to make sure everyone is on the same page, she added.
Communicate with others in your company and ensure that they both understand the law, what’s at stake if it’s broken, and how to comply with it. This isn’t just a problem for the legal team, Cohen said.“Take a step back. Make sure the marketing department is in communication with legal and understands there are laws, and that you can get yourselves in a huge class action without any intention of doing anything wrong.”
“Check the businesses under your umbrella and evaluate your tools,” he said. For autodialers specifically, sometimes the best thing a company can do is to make a smart decision mired in what guidance the TCPA has been specific on. “Lots of companies are taking a risk-based, common sense approach to what they call a 'manual phone,'” he said. Cohen added, "Just make sure the consent piece is there, and “do what you say and say what you do."
Zaveri took this “common sense” attitude so far as to push back against the narrative that the TCPA is a troublemaker. “I wouldn’t say the TCPA is problematic,” she said. While come groups, like the Department of Commerce, have maintained the law impedes businesses, Zaveri disagreed. “If we take a step back, the TCPA does not prohibit normal business communication.”
The problem hinges on autodialing without a customer’s ok. In those instances, “people are being hassled,” she said.
Once you have it, however, it’s a different story. “Here’s what I say: if you get their express written consent – you can autodial,” Zaveri said. “If you don’t, dial manually.”
Zaveri countered Barker’s assessment that database hygiene is hard to maintain. “Once you have the express written consent, keep your databases updated,” she continued. “Scrub your databases regularly.” Of course, that depends on how much scrubbing one’s company can afford, she added.
Perhaps more importantly is to acknowledge the expressed frustration of a client and handle it. “Deal with customer complaints,” she said. “I have cases where the customer has gone to the company and said, ‘you’re calling me, stop calling me,’ and the company just blew them off. And then he came to me, and now we have a class action.”
While organizations walk this tight-rope of TCPA adherence, the jury is still out as to why many pros look at the TCPA with such consternation. As far as Zaveri is concerned, it’s not the FCC’s problem. “I have no qualms on this one,” she said. “These people know the law and these people chose not to follow it. And they’re not going to stop until [fines are] more expensive, or − I don’t know what the answer is.”
Cohen favored a “happy balance” of company compliance and increased FCC clarity and understanding.
“People are trying to eat dinner with their families, and they're getting these robocalls, and they don’t know how to opt out – it’s become this class action vehicle,” she said. “Should [companies] be complying? Of course they should.” But things have gotten crazy. The TCPA “is kind of killing businesses," she added.
One thing's for certain, Zaveri said: “Everyone can unite over how much we hate robocalls.”
If you want to comment on this post, you need to login.