CIPP US - Chapter 10

Do Not Call Registry

register created by federal law where consumers add their phone numbers and free themselves from unsolicited telemarketing and commercial telephone calls DNC rules do not apply to: 1. Nonprofits calling on their own behalf 2. Calls to customers with an existing relationship within the last 18 months Inbound calls, provided that there is no "upsell" of additional products or services 3. Most business-to-business calls

Cable Communications Policy Act of 1984

regulates the notice a cable television provider must furnish to customers, the ability of cable providers to collect PI, the ability of cable providers to disseminate PI and the retention and destruction of PI by cable television providers.56 It also provides a private right of action for violations of the aforementioned provisions, At the time of entering into an agreement to provide cable services, and on an annual basis thereafter, cable service providers are required to give subscribers a privacy notice that "clearly and conspicuously" informs subscribers of: (1) the nature of the PI collected, (2) how such information will be used, (3) the retention period of such information and (4) the manner by which a subscriber can access and correct such information.59 The act limits cable service providers' right to disseminate PI without the "written or electronic consent" of the subscriber, unless the disclosure is subject to a specified exception.61 A number of exceptions to this provision do exist. Specifically, disclosures may be made (1) to the extent necessary to render services or conduct other legitimate business activities, (2) subject to a court order with notice to the subscriber or (3) if the disclosure is limited to names and addresses and the subscriber is given an option to opt out.62

Rules Governing How Calls Can Be Made Under Telemarketing Laws

1. Call only between 8 a.m. and 9 p.m. 2. Screen and scrub names against the national DNC list 3. Display caller ID information Identify themselves and what they are selling 4. Disclose all material information and terms19 5. Comply with special rules for prizes and promotions 6. Respect requests to call back 7. Retain records for at least 24 hours 8. Comply with special rules for automated dialers

Telephone Consumer Protection Act of 1991

A federal law that places restrictions on telephone solicitation and updated in 2012 to address robocalls and text messages. FCC issued.

State Regulation: California Do Not Track Requirements 2003

Amended in 2013 California Online Privacy Protection Act (CalOPPA), which required privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect PII about the site's users.93 These include disclosing: 1. The categories of PII collected through the site 2. The categories of third-party entities with whom the operator may share PII or other content 3. How the operator responds to web browsers' Do Not Track signals or other mechanisms that provide consumers the ability to choose regarding collection of PII about an individual consumer's online activities overs time and across third-party websites 4. Whether other parties may collect PII about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website94

customer proprietary network information (CPNI).

CPNI is information collected by telecommunications carriers related to their subscribers. This includes subscription information, services used, and network and billing information as well as phone features and capabilities. It also includes call log data such as time, date, destination and duration of calls. Certain PI such as name, telephone number and address is not considered CPNI. The 2007 CPNI order requires customers to expressly consent, or opt in, before carriers can share their CPNI with joint venture partners and independent contractors for marketing purposes. First, carriers must notify law enforcement when CPNI is disclosed in a security breach within seven business days of that breach. Second, customers must provide a password before they can access their CPNI via telephone or online account services. The order also establishes carrier CPNI compliance requirements. Carriers must certify their compliance with these laws annually, explain how their systems ensure compliance and provide an annual summary of consumer complaints related to unauthorized disclosure of CPNI.

TSR Sales Calls Disclosures

Cost and quantity Material restrictions, limitations, or conditions Performance, efficacy, or central characteristics Refund, repurchase or cancellation policies Material aspects of prize promotions Material aspect of investment opportunities Affiliations, endorsements, or sponsorships Credit card loss protection Negative option features He Debt relief services

Fax marketing & Junk Fax Prevention Act (JFPA)

Enforced by the FCC, prohibits unsolicited commercial fax transmission. The JFPA specifically provides that consent can be inferred from an EBR (established business relationship), and it permits sending of commercial faxes to recipients based on an EBR, as long as the sender offers an opt-out in accordance with the act. For purposes of the JFPA, "existing business relationship" has the same definition as it does in the FTC's DNC rule.

Record Keeping Requirement under TSR

In general, the following records must be maintained for two years from the date that the record is produced: 1. Advertising and promotional materials 2. Information about prize recipients 3. Sales records 4. Employee records 5. All verifiable authorizations or records of express informed consent or express agreement For each type of record listed above, the TSR includes lists of the information that must be retained. For example, sales records must include: (1) the name and last known address of each customer, (2) the goods or services purchased, (3) the date the goods or services were shipped or provided and (4) the amount the customer paid for the goods or services. Similarly, for all current and former employees directly involved in telephone sales, records must include: (1) the name (and any fictitious name used), (2) the last known home address and telephone number and (3) the job title(s) of each employee. Additionally, if fictitious names are used by employees, the TSR also requires that each fictitious name be traceable to a specific employee.

Video Privacy Protection Act (1988) and (2012)

Prevents retailers from disclosing video-rental records without the customers consent or a court order. Forbids sale of this information to anyone. Exceptions are provided for instances in which the disclosure: (1) is made to the consumer themselves; (2) is made subject to the contemporaneous written consent of the consumer; (3) is made to law enforcement pursuant to a warrant, subpoena or other court order; (4) includes only the names and addresses of consumers; (5) includes only names, addresses and subject matter descriptions and the disclosure is used only for the marketing of goods or services to the consumers; (6) is for order fulfillment, request processing, transfer of ownership or debt collection; or (7) is pursuant to a court order in a civil proceeding and the consumer is granted a right to object.71 The act requires that PI be destroyed "as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information."72 2012, changed retention period to 2 years due to Netflix.

Telephone Consumer Protection Act

Prohibits telephone solicitations using automated dialing systems or a pre-recorded voice or unsolicited First, the FCC revised its established business relationship exemption for robocalls. Now, even if a company has an established business relationship with a consumer, it is required to receive "prior express written consent" for all robocalls to residential lines.27 Second, the rules include a provision that allows consumers to "opt out of future robocalls during a robocall." In 2015, the FCC issued an order explicitly stating that text messages sent to wireless devices are subject to the same consumer protections as voice calls under the TCPA.

mobile service commercial messages (MSCMs)

The CAN-SPAM Act prohibits senders from sending any MSCMs without the subscriber's "express prior authorization." The FCC requirements are quite detailed, and can be summarized as follows: 1. "Express prior authorization" must be "express," meaning that the consumer has taken an affirmative action to give the authorization. Authorization may not be obtained in the form of a negative option. If the authorization is obtained via a website, the consumer must take an affirmative action, such as checking a box or hitting a button. 2. The authorization must also be given prior to the sending of any MSCMs. There is no provision to grandfather existing authorizations that senders may have obtained 3. Consumers must not bear any cost with respect to the authorization or revocation processes. 4. Each authorization must include certain required disclosures stating that: A. The subscriber is agreeing to receive MSCMs sent to his or her wireless device from a particular (identified) sender. B. The subscriber may be charged by his or her wireless provider in connection with the receipt of such messages. C. The subscriber may revoke the authorization at any time. 5. These disclosures must be clearly legible and in sufficiently large type (or volume, if given via audio). They must be presented in a manner that is readily apparent to the consumer. These disclosures must be separate from any other authorizations contained in another document. Additionally, if any portion of the authorization/disclosure is translated into another language, then all portions must be translated into that language. 6. As noted above, the authorization must be specific to the sender and must clearly identify the entity that is being authorized to send the MSCMs. The FCC rule prohibits any sender from sending MSCMs on behalf of other third parties, including affiliates and marketing partners. Each entity must obtain separate express prior authorizations for the messages it sends. 7. Authorization may be obtained in any format, oral or written, including electronic. Although writing is not required, the FCC requires that each sender of MSCMs must document the authorization and be able to demonstrate that a valid authorization (meeting all the other requirements) existed prior to sending the commercial message. The commentary notes that the burden of proof rests with the sender. 8. With regard to revocations, senders must enable consumers to revoke authorizations using the same means the consumers used to grant authorizations. (For example, if a consumer authorizes MSCMs electronically, the company must permit the consumer to revoke the authorization electronically.) 9. Additionally, the MSCMs themselves must include functioning return email addresses or another Internet-based mechanism that is clearly and conspicuously displayed for the purpose of receiving opt-out requests. Note: Consumers must not be required to view or hear any further commercial content during the opt-out process (other than institutional identification). 10. The FCC rule maintains the CAN-SPAM-mandated 10-business-day grace period following a revoked authorization, after which messages cannot be sent.

Telemarketing Sales Rule of 1995 (aka Telemarketing and Consumers Fraud and Abuse Prevention Act)

The Telemarketing Sales Rule (TSR) defines telemarketing as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call." Issued by FTC. The U.S. National DNC Registry is perhaps the best known of the FTC's TSR requirements and remains the most popular consumer program ever implemented by the FTC

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003

The act applies to anyone who advertises products or services by electronic mail directed to or originating from the United States. The law covers the transmission of commercial email messages whose primary purpose is advertising or promoting a product or service. Enforced by FTC. CAN-SPAM was never intended to eliminate all unsolicited commercial email, but rather to provide a mechanism for legitimate companies to send emails to prospects and respect individual rights to opt out of unwanted communications. The CAN-SPAM Act: 1. Prohibits false or misleading headers 2. Prohibits deceptive subject lines 3. Requires commercial emails to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to contact the sender 4. Requires all commercial emails to include clear and conspicuous notice of the opportunity to opt out along with a cost-free mechanism for exercising the opt-out, such as by return email or by clicking on an opt-out link 5. Prohibits sending commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email 6. Requires all commercial email to include (1) clear and conspicuous identification that the message is a commercial message (unless the recipient has provided prior affirmative consent to receive the email) and (2) a valid physical postal address of the sender (which can be a post office box) 7. Prohibits "aggravated violations" relating to commercial emails such as (1) address-harvesting and dictionary attacks, (2) the automated creation of multiple email accounts and (3) the retransmission of commercial email through unauthorized accounts 8. Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)

Required TSR disclosures

The identity of the seller That the purpose of the call is to sell goods or services The nature of those goods or services In the case of a prize promotion, that no purchase or payment is necessary to participate or win, and that a purchase or payment does not increase the chances of winning

Self-Regulation for Online Advertising

Two prominent examples are the Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising and the Network Advertising Initiative (NAI) Code of Conduct. DAA, is the consumer management of opt-outs. The NAI Code of Conduct is a list of self-regulatory principles that all NAI members agree to uphold. The Code requires notice and choice with respect to interest-based advertising, limits on the types of data that member companies can use for advertising purposes, and a number of substantive restrictions on member companies' collection, use, and transfer of data used for online behavioral advertising. 83

Prohibition on Call Abandonment

Under the TSR, an outbound telephone call is "abandoned" if a person answers it and the telemarketer does not connect the call to a live sales representative within two seconds of the person's completed greeting. For a company to use prerecorded sales messages, it must have the prior express consent (opt-in) of the consumer. the abandoned call Safe Harbor provides that a telemarketer will not face enforcement action for violating the call abandonment prohibition if the telemarketer: 1. Uses technology that ensures abandonment of no more than three percent of all calls answered by a live person, measured per day per calling campaign 2. Allows the telephone to ring for 15 seconds or four rings before disconnecting an unanswered call 3. Plays a recorded message stating the name and telephone number of the seller on whose behalf the call was placed whenever a live sales representative is unavailable within two seconds of a live person answering the call 4. Maintains records documenting adherence to the preceding three requirements For the small number of calls that are abandoned, the TSR's Safe Harbor requires the telemarketer to play a recorded greeting, consisting of the company's name and phone number and a statement that the call was for telemarketing purposes. This recorded message may not contain a sales pitch.25

Do Not Call Safe Harbor

[I]f a seller or telemarketer can establish that as part of its routine business practice, it meets the following requirements, it will not be subject to civil penalties or sanctions for erroneously calling a consumer who has asked not to be called, or for calling a number on the National Registry: 1. The seller or telemarketer has established and implemented written procedures to honor consumers' requests that they not be called, [and] 2. The seller or telemarketer has trained its personnel, and any entity assisting in its compliance, in these procedures, [and] 3. The seller, telemarketer, or someone else acting on behalf of the seller . . . has maintained and recorded an entity-specific Do Not Call list, [and] 4. The seller or telemarketer uses, and maintains records documenting, a process to prevent calls to any telephone number on an entity-specific Do Not Call list or the National Do Not Call Registry. This, provided that the latter process involves using a version of the National Registry from the FTC no more than 31 days before the date any call is made, [and] 5. The seller, telemarketer, or someone else acting on behalf of the seller. . . monitors and enforces compliance with the entity's written Do Not Call procedures, [then] 6. The call is a result of error.

Telecommunications Act of 1996

the sweeping update of telecommunications law the act governs the privacy of customer information provided to and obtained by telecommunications carriers. Prior to the act, carriers were permitted to sell customer data to third-party marketers without consumer consent. The statute imposed new restrictions on the access, use and disclosure of customer proprietary network information (CPNI).