Charles H. Kennedy
When most privacy officers think about the legal issues they face, their focus is on laws affecting the collection, use, disclosure and protection of personal information. They may overlook the laws affecting the ways their companies market to consumers. Yet, some of the most active areas of privacy regulation and enforcement involve the use of telemarketing, fax advertising and commercial email to reach customers and potential customers.
If you are not entirely confident that your company is in compliance with these requirements, it would be a good idea to meet with your marketing people. Here are some questions and why they matter.
Do You Use Telemarketing?
Companies that contact customers and potential customers by telephone must comply with state and federal telemarketing laws and regulations. Those rules cover a wide range of restrictions, including the times of day during which calls may be made, the permissible uses of autodialers and artificial or prerecorded voices, and re-strictions on calls to mobile telephone numbers.
Perhaps most importantly, the federal government and many states have established Do-Not-Call (DNC) registries, and generally prohibit telemarketers from placing calls to residential telephone numbers on the lists. The exceptions to the DNC rules vary extensively from state-to-state, and many state laws are more restrictive than the federal rules. For example, it is permissible under federal law to place sales calls to persons with whom the caller has an established business relationship, or EBR, even if those persons' telephone numbers appear on the national DNC list. However, many states define EBRs more restrictively than the federal rules or do not recognize an EBR exception at all. Unless and until the Federal Communications Commission declares that all more restrictive state telemarketing rules are pre-empted
by federal law, companies making interstate telemarketing calls must comply with the conflicting restrictions of all states.
Also, federal law and most state laws require each company engaged in telemarketing to maintain company-specific DNC lists. In order to satisfy this requirement, each telemarketer must train its representatives to record customers' requests not to be called again by that company, and a process must be in place by means of which those requests can be honored within 30 days of the time they are made. A customer's specific DNC request terminates any EBR between that customer and the calling company.
State and federal telemarketing calls are complex and aggressively enforced. All companies engaged in telemarketing should adopt compliance policies and ensure that their personnel are trained in their requirements.
Do You Record or Monitor Calls with Consumers?
Companies that use telephones for marketing, customer service or collections typically monitor those calls for quality control purposes. Such monitoring may be accomplished by having supervisors listen in on conversations with customers, or by recording some or all of those conversations for later review. Whichever method is used, federal and state wiretapping and eavesdropping laws apply.
Compliance with wiretapping laws is complicated by two factors.
First, the federal wiretapping law (the Electronic Communications Privacy Act, or ECPA) expressly permits the states to impose stronger limitations on eavesdropping and wiretapping, and the states generally take the view that their laws apply both in the caller's state and in the called party's state. This fact requires companies to conduct monitoring in accordance with the laws of the state or states in which monitoring occurs as well as with each state of residence of the customers whose conversations are monitored or recorded.
Second, most wiretapping laws were enacted many decades ago and are a poor fit with modern technology. One example of this problem is the so-called "business telephone exception," which permits supervisors to listen in on employee conversations using an extension telephone or other device normally furnished under tariff by the telephone company. In the days when all telephones and other customer equipment were leased from a monopoly telephone company at tariffed rates, this rule was easy to apply. Recording of calls using a tape recorder, for example, was outside the exception because telephone companies did not lease tape recorders. Today, telephone subscribers buy their equipment from a variety of sources and no equipment is provided under tariff, so no one can say precisely what types of equipment are inside and outside the scope of the "business extension exception."
The most persistent issue posed by wiretap laws is consent. Under federal law and the laws of most states, a conversation may be monitored or recorded with the prior consent of only one party to the call. When an employee of your company calls from such a "one-party consent" jurisdiction to another, it is sufficient that your employee has agreed to the monitoring of the call. The customer's consent is not required.
If your employee calls to or from a "two party consent" state, however, your company must obtain the customer's consent to monitoring before the conversation begins. Most companies do this by making a recorded announcement at the start of the call, on the theory that the customer's decision to proceed with the call after hearing the announcement constitutes the required consent. This approach may be impractical, however, when a company makes an outbound sales or collection call. Few persons who have not chosen to make a telephone call will wait patiently while an artificial voice tells them the call will be recorded. For this situation, the company must look to other provisions of law in two-party-consent states before monitoring. For example, some states have specific exceptions to the consent requirements for quality control monitoring; others permit recordings to be made in conjunction with audible "beep" tones transmitted at specified intervals. Only a careful review of the laws of all states involved will ensure compliance.
Do You Send Fax Advertisements?
Many businesses, such as lenders that send updated rate sheets to brokers and other intermediaries, rely heavily on fax messages to communicate commercial information. Under federal law, including the Junk Fax Prevention Act of 2005, that marketing channel must be used with great care.
Notably, unsolicited fax advertisements ordinarily may not be sent at all, even if the message offers a mechanism for opting out of future faxes from the sender. There are narrow exceptions to this rule: notably, a fax ad may be sent to someone with whom the sender has an EBR, so long as the sender obtained the recipient's fax number by means of voluntary communication from the recipient. Also, a fax advertisement may be sent with the recipient's prior written invitation or permission. Even when one of these exceptions applies, the message must contain a clear and conspicuous notice that the recipient may ask not to receive future fax advertisements from the sender, along with a domestic contact telephone and facsimile machine number and a cost-free mechanism for making the opt-out request.
Do You Send Commercial Emails?
No one likes to get spam, and the Federal Trade Commission (FTC) has made anti-spam enforcement one of its top consumer protection priorities. Although a complete explanation of the federal CAN-SPAM Act's provisions is beyond the scope of this article, companies should be aware that even an occasional commercial communication between a sales representative and an actual or potential customer is subject to the CAN-SPAM requirements, including labeling of the message and offering of an opt-out mechanism by which the recipient can ask not to receive future emails from the sender. Notably - and this is a common source of confusion - there is no EBR exception in the CAN-SPAM Act.
Also, the process by which your company records and complies with opt-out requests must be foolproof. The FTC has shown it will attack even unintentional failures to honor opt-out requests, such as those that result from programming errors or miscommunication. The result of such errors, even when made in complete good faith, can be payment of a substantial penalty and entry of a consent decree that will make the FTC your marketing supervisor for years to come. If there is any question about the adequacy of your company's email compliance procedures, it is not too soon to make a top-down review of those procedures to correct any deficiencies.
Charles H. Kennedy is Of Counsel to
the Washington office of Morrison & Foerster, LLP and has taught cyberlaw and communications law for ten years
at The Columbus School of Law, Catholic University of America. He also is the author of two books on communications law and the co-author of two other books. He can be reached at firstname.lastname@example.org.