Telecommunications & Marketing

Junk Fax Prevention Act (JFPA)

2005 - Congress passed this in part to clarify whether consent was required for commercial faxing (right - who does this in a marketing campaign anymore - LOL). The JFPA specifically provides that consent can be inferred from an EBR, and it permits sending of commercial faxes to recipients based on an EBR, as long as the sender offers and opt-out in accordance with the act. Penalties include a private right of action and statutory damages of up to $500 per fax.

EBR

Established Business Relationship

MSCMs

Mobile Service Commercial Messages (MSCMs) The CAN-SPAM Act defines an MSCM as "a commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service." MSCM domain registry is used to check against to confirm appropriate authorization exists.

Telephone Consumer Protection Act of 1991 (TCPA)

The FCC (Federal Communications Commission) issued this regulation that places restrictions on unsolicated advertising by telephone and facsimile and updated them in 2012 to address robocalls. The FCC has determined that these prohibitions encompass text messages also. 2012 - revisions were made to this to govern prerecorded calls (robocalls) and the use of automatic telephone dialing systems (autodialers) to reconcile its rules with the TSR. Now, even if a business relationship exists, they MUST obtain "prior express written consent" for all robocalls to residential lines. Second, this rule includes a provision that allows consumers to "opt out of future robocalls during a robocall." Also, these additions harmonize better with the FTC's rules to require "assessment of the call abandonment rate to occur during a single calling campaign over a 30 day period, and if the single calling campaign exceeds a 30 day period, we required that the abandonment rate be calculated each successive 30 day period or portion thereof during which calling campaign continues. Finally, also consistent with the FTC robocalls to residential lines made by healthcare related entities governed by the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the above requirements.

International Safe Harbor Privacy Principles

The International Safe Harbor Privacy Principles or Safe Harbor Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. A safe harbor is a legal provision in a statute or regulation that provides protection from a legal liability or other penalty when certain conditions are met.

Exceptions Based on Consent

The TSR allows sellers and telemarketers to call consumers who consent to receive such calls. This must be clear and conspicuous. Consent must be in writing, must state the number to which calls may be made and must include the consumer's signature. A valid electronic signature is acceptable. If online, the "please call me" button may NOT be prechecked. They also cannot use sweepstakes entry forms to collect consent.

Telecommunication Carrier

The term "telecommunications carrier" is a catch-all that covers all entities that provide some form of telecommunications services to consumers, businesses, governments and other telecom providers as their primary business. This may include fixed or mobile communications, and/or voice or data.

Intrusion on Seclusion Tort

The tort of "intrusion on seclusion" imposes liability on "one who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns. To succeed in an intrusion tort claim, the plaintiff must show that "the intrusion would be highly offensive to a reasonable person." In contrast with intrusion tort requirements, telemarketing regulations in the US address milder intrusions, which do not require a showing of "highly offensive" intrusion.

Enforcement Provisions

This can be enforced by the FTC, state attorneys general or private individuals. Violations by civil penalties of up to $42,530 per call. Also, some states have their own versions of telemarketing sales rules that carry additional penalties and may have different requirements.

US Do Not Call Registry

This registry is perhaps the best known of the FTC's TSR requirements and remains the most popular consumer program EVER implemented by the FTC. This provides a means for US residents to register residential and wireless phone numbers that they do not wish to be called for telemarketing purposes. The FTC, the FCC and state attorneys general enforce the DNC Registry, which now contains over 229 million participating phone numbers (and is still growing). Violations can impose high fines and violators may be subject to nationwide injunctions that prohibit certain conduct and may be required to pay redress to injured consumers. They must update this list every 31 days.

The Telecommunications Act of 1996

This was a major piece of legislation that reshaped numerous aspects of telecommunications markets. Section 222 of the act governs the privacy of customers information provided to and obtained by telecommunications carriers. Prior to this act, carriers were permitted to sell customer data to 3rd party marketers without consumer consent. The statute imposed new restrictions on the access, use and disclosure of customer proprietary network information (CPNI). More details below about CPNI.

Self Regulation for Online Advertising

Two prominent examples of this are the: (1) Digital Advertising Alliance (DAA) Self regulatory principle's for online behavioral advertising - This is a non-profit organization that collaborates with business, public policy groups and public officials to establish and enforce "responsible privacy practices across industry for relevant digital advertising, providing consumers with enhanced transparency and control. The self regulatory principles include guidelines for interest-based advertising in the desktop/laptop environment and the mobile space as well as for cross-device use of data. An important feature of this is the consumer management of opt-outs. (2) Network Advertising Initiative (NAI) Code of conduct - non-profit/self regulatory association comprised exclusively of 3rd party digital advertising companies. All members agree to uphold to the conduct. The code requires notice and choice with respect to interest-based advertising, limits on the types of data that member companies can use for advertising purposes, and a number of substantive restrictions on member companies collection, use and transfer of data used for online behavioral advertising. Both of these have enforcement mechanisms.

Telemarketing

US Federal and State laws place legal limits on the manner in which organizations can call individuals for marketing and fundraising purposes. Telemarketing laws in the US provide considerable detail about what types of "intrusions" are permitted under federal law. The FCC (Federal Communications Commission and the FTC have coordinated closely on these laws.

VoIP

Voice over Internet protocol - a phone connection through a personal computer with any type of broadband Internet connection.

FCC Approach to Robotexts

2015 - the FCC issued an order explicitly stating that text messages sent to wireless devices are subject to the same consumer protections as voice calls under the TCPA. This means that the TCPA prohibits companies from sending text messages via equipment that sends the messages without human intervention, known as "robotexts" - absent express consent. 2017 - FCC provided further guidance on robotexts including: (1) consent can be revoked by the consumer at any time by an reasonable means (2) the mere fact that a consumer's wireless number appears in the contact list of another wireless customer is not sufficient to establish consent and (3) when a caller has consent for a wireless number and the number has been reassigned, the caller is not liable for subsequent calls if the new consumer makes the caller aware of the change.

Tort

A tort, in common law jurisdiction, is a civil wrong that causes a claimant to suffer loss or harm, resulting in legal liability for the person who commits the tortious act. It can include intentional infliction of emotional distress, negligence, financial losses, injuries, invasion, etc.

Abandonment Safe Harbor

According to the FTC guidance, the abandoned call Safe Harbor provides that a telemarketer will not face enforcement action for violating the call abandonment prohibition if the telemarketer: - uses technology that ensures abandonment of no more than 3% of all calls answered by a live person, measure per day per calling campaign. - Allows the telephone to ring for 15 seconds or four rings before disconnecting an unanswered call - Plays a recorded message stating the name and telephone number of the seller on whose behalf the call was placed whenever a live sales representative is unavailable within 2 seconds of a live person answering the call - Maintains records documenting adherence ot the preceding 3 requirements To take advantage of the Safe Harbor, a telemarketer must first ensure that a live representative takes at least 97% of the calls answered at all, and calls to nonworking numbers do not count in this calculation. Finally, a telemarketer must keep records that demonstrate its compliance with the other Safe Harbor provisions.

TSR and Disclosure

At the beginning of the call, before delivering any sales content, telemarketers MUST disclose: - the identity of the seller - That the purpose of the call is to sell goods or services - The nature of those goods or services - In the case of a prize promotion, that no purchase or payment is necessary to participate to win, and that a purchase or payment does not increase the changes of winning. These calls must NOT be deceptive and truthful. A connected call cannot leave "dead air" and must be connected with a live person. For a company to use pre-recorded sales message they must receive opt-in for these.

Wireless Message Rules Under CAN-SPAM

CAN-SPAM also applies to mobile service commercial messages (MSCMs). This includes text messages. The CAN-SPAM Act defines an MSCM as "a commercial electronic mail message that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service." The message must have (or utilize) a unique electronic address that includes "a reference to an Internet domain." This Act covers SMS technology but does NOT cover phone-to-phone messages. The same "commercial" and "transactional" email rules apply to these messages. For each MSCM, express prior authorization is required. It must be clear and expressly given (an affirmative action to give authorization is required - such as checking a box). Authorization must be given prior to sending of the MSCM. Notice must also be provided that the subscriber may be charged by their wireless provider, etc. The subscriber may revoke the authorization at anytime. There is other criteria also but this is a quick summary.

California Online Privacy Protection Act (CalOPPA)

California Do Not Track Requirements 2003 - California passed the 1st law in the nation to require operators of commercial websites, including mobile apps, to "conspicuously post" a privacy policy if they collect personally identifiable information (PII) form those living in California. In 2013 this was amended by Assembly Bill 370 - these amendments required privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether 3rd parties can collect PII about the site's users. The CalOPPA, including its Do Not Track amendments requires the operator of a website to display a privacy notice that meets certain content requirements. These include disclosing: - The categories of PII collected through the site - The categories of 3rd party entities with whom the operator may shar PII or other content - How the operator responds to web browsers Do Not Track signals or other mechanisms that provide consumers the ability to choose regarding collection of PII about an individual consumer's online activities overs time and across 3rd party websites. - Whether other parties may collect PII about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website.

Existing Business Relationship Exception

Callers may call a consumer with whom a seller has an established business Relationship (EBR) provided the consumer has not asked to be on the seller's entity-specific DNC list. The TSR recognizes tow distinct types of relationships: "customers" and "prospects" An EBR exists if the consumer has purchased, rented or leased the seller's goods or services (or completed a financial transaction with the seller) within 18 months preceding a telemarketing call. The 18 month period runs from the date of the last payment, transaction or shipment between the consumer and the seller. Prospect: An EBR exists with a prospect if the consumer has made an application or inquiry regarding the seller's goods and services. This EBR runs for 3 months form the date of the person's inquiry or application.

2003 CAN-SPAM

Controlling the Assault of Non-Solicited Pornography and Marketing Act. This was never intended to eliminate all unsolicited commercial email but rather to provide a mechanism for legitimate companies to send emails to prospects and respect individual rights to opt out of unwanted communications. This act applies to anyone who advertises products or services by electronic mail directed to or originating from the US. The law covers the transmission of commercial email messages whose primary purposes is advertising or promoting a product or service. Spam filtering software is still widely used to screen out as much of the continuing spam as possible. This act nonetheless has fulfilled an important purpose. It has created the rules of the road for how legitimate organizations send emails, including clear identification of the sender and a simple unsubscribe or opt-out. The CAN-SPAM Act prohibits deceptive things like: - false or misleading headers - deceptive subject lines - display return email address clearly that allows recipients to contact the sender - provide a clear way to opt-out - respect the opt-out within 10 business days - sexually oriented material to include a warning label CAN-SPAM is enforced primarily by the FTC and carries penalties of fines of up to $42,530 per violation. Other federal regulators and the state attorneys general and other state officials thought can also enforce this Act. CAN-SPAM preempts most state laws that restrict email communications, although state spam laws are not superseded by CAN-SPAM to the extend such laws prohibit false or deceptive activity.

Exceptions to the DNC Rules

DNC rules apply to for-profit organizations and cover charitable solicitations placed by for-profit telefunders. DNC rules DO NOT apply to: - Nonprofits calling on their own behalf - Calls to customers with an existing relationship within the last 18 months - Inbound calls, provided that there is no "upsell" of additional products or services - Most business-to-business calls

State Telemarketing Laws

Neither the TSR nor the FCC rules preempt state laws. The majority of states have enacted telemarketing laws - creating additional legal requirements for telemarketers. For examples: - More than half the states require that telemarketers obtain a license or register with the state. - States can also created their own DNC lists, with differing exceptions, fines or methods of consumer enrollment from their federal counterpart. - Some states require that telemarketers identify themselves at the beginning of the call or that the telemarketer terminate the call without rebuttal if the recipients of the call so desires - States must also required that a written contract be created for certain transactions.

Opt-In / Opt-Out Rules for CPNI under the Telecommunications Act

These rules have shifted over time. In 1998, the FCC issued a rule requiring carriers to obtain express consent from customers before using CPNI, even for carriers own marketing purposes. This was struck down in 1999 in US West Inc vs. Federal Communications Commission. In this case, the 10th circuit found that the opt-in requirement violated the 1st Amendment speech rights of the carries, Thus, the standard shifted to an opt-out system for carriers' OWN use of CPNI. In 2002, the FCC issued final rules requiring carriers to obtain express consent before CPNI could be share with 3rd parties, but allowed sharing of CPNI with join venture or independent contractors unless customers opted out within 30 days of being notified. In 2007, the CPNI order then required customers to expressly consent or opt-in before carriers can share their CPNI with join venture partners and independent contractors for marketing purposes. The 2007 regulations also included requirements aimed at curbing pretexting or gaining access to CPNI through fraudulent means. Carriers must notify law enforcement when CPNI is disclosed in a security breach within 7 business days of that breach. 2nd - customers must provide a password before they can access their CPNI via telephone or online account services. Carriers must certify their compliance with these laws annually, explain how their system ensure compliance and provide an annual summary of consumer complaints related to unauthorized disclosure of CPNI.

CPNI Requirements under the Telecommunications Act

Customer Proprietary Network Information (CPNI). This is information collected by telecommunications carriers related to their subscribers. Customer proprietary network information is the data collected by telecommunications companies about a consumer's telephone calls. This includes information, services used, and network and billing information as well as phone features and capabilities. It also includes call log data such as time, date, destination and duration of calls. Certain personal information such as name, telephone number, and address is NOT considered CPNI. Under the Telecommunications Act - this puts requirements on carriers to limit access, use and disclosure of CPNI. Specifically, carriers can use and disclose CPNI only with customer approval or "as required by law." Carriers do not need approval, however, to use, disclose, or provide marketing offerings among service categories to which customers already subscribe. Carriers can also use CPNI for billing and collections, fraud prevention, customer service and emergency services.

The Do Not Call Safe Harbor

This allows sellers and telemarketers can use to reduce the risk of liability. Per the guidance. If a seller or telemarketer can establish that as part of its routine business practice, it meets the following requirements, it will not be subject to civil penalties or sanctions for erroneously calling a consumer who has asked not be called, or for calling a number on the National Registry: - The seller or telemarketer has established and implemented written procedures to honor consumers' request that they not be called [and] - The seller or telemarketer has trained its personnel, and any entity assisting in its compliance, in these procedures, [and] - The seller, telemarketer or someone else acting on behalf of the seller...has maintained and recoded an entity-specific Do Not Call list [and] - The seller or telemarketer uses, and maintains records documenting a process to prevent calls to any telephone number on an entity specific Do Not Call list or the National DNC Registry. This provided that the latter process involves using a version of the National Registry form the FTC no more than 31 days before the date any call is made [and] - The seller, telemarketer, or someone else acting on behalf of the seller...monitors and enforces compliance with the entity's written Do Not Call procedures [then] - The call is a result of error. This DNC Safe Harbor provides an important protection for sellers and telemarketers because violations of the TSR can result in civil penalties of up to $42,530 per call.

The Cable Communications Policy Act of 1984

This regulates the notice a cable television provider must furnish to customers, the ability of cable providers to collect personal information, the ability of cable providers to disseminate personal information and the retention and destruction of personal information by cable television providers. It also provides a private right of action for violations of the aforementioned provisions and allows for actual or statutory damages, punitive damages and reasonable attorneys fees and court costs. The act does not regulate the provisions of broadband internet services via cable because the act defines a "cable service" as "one-way transmission to subscribers of...video programming or...other programming service, and...subscriber interaction, if any, which is required for the selection or use of such video programming or other programming service. At the time of entering into an agreement to provide cable services, and on an annual basis thereafter, cable service providers are required to give subscribers a privacy notice that "clearly and conspicuously" informs subscribers of (1) the nature of the personal information collected, (2) how such information will be used (3) the retention period of such information and (4) the manner by which a subscriber can access and correct such information. This act further state that a cable TV service provider may only collect PII that is necessary to render cable services or to detect the unauthorized reception of cable services. This act make sure personal information cannot be distributed except for a few important exceptions (court order, to provide the service, etc). This act does NOT specify a date retention or destruction schedule, it does mandate that PII be destroyed when it is no longer needed for the purpose for which it was collected and there are no pending requests for access.

The Video Privacy Protection Act of 1988 (VPPA)

This was passed in response to the disclosure and publication of then-Supreme Court nominee Robert Bork's Video rental records. These records revealed what he was renting and was a huge privacy invasion. This act applies to "video tape service providers" who are defined as anyone "engaged in the business, in or affecting interest or foreign commerce, of rental, sale or delivery or prerecorded video cassette tapes or similar audio visual materials" as well as individuals who receive PII in the ordinary course of a videotape service providers business for marketing purposes. This requires that personal information be destroyed as soon as practicable but no later than one year from the date the information is no longer necessary for the purpose for which it was collected and there are no pending requests. This act provides a private right of action for violations and allows statutory damages, punitive damages and reasonable attorney's fees and court costs. The VPPA does NOT preempt stricter state laws. This landscape has changed drastically and in 2012 there were significant amendments made that allowed for on-time consumer consent that was valid for 2 years (for share movie information on social media). Most likely more amendments in this law will arise in this area with this market changing rapidly.

Telemarketing Sales Rule (TSR) in 1995

This was the FTC first issued Telemarking legislation that implemented the Telemarketing and Consumer Fraud and Abuse Prevention Act. This has since amended the TSR. The TSR defines telemarketing as "a plan, program or campaigns which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call. The TSR requires covered organizations to follow these rules: - Call only between 8am-9pm - Screen and scrub names against the national DNC list - Display caller ID information - Identify themselves and what they are selling - Disclose all material information and terms - Comply with special rules for prizes and promotions - Respect requests to call back - Retain records for at least 24 hours - Comply with special rules for automated dialers (more detail in further slides on this) Organizations MUST comply with this TSR as well as any applicable state laws. This rule requires ANY seller (or telemarketer calling on the seller's behalf) from calling any consumer who has asked not be be called again. Sellers and telemarketers are required to maintain internal suppression lists to respect these DNC requests. Neither the TSR nor the FCC rules preempt state law.

The Wireless Domain Registry

To help senders of commercial messages determine whether those messages might be MSCMs (rather than regular commercial email), the FCC has created a registry of wireless domain names (available on the FCC website). It is updated on a periodic basis as new domains are added. Senders are responsible for obtaining this list and ensuring that the appropriate authorizations exist before sending commercial messages to addresses within the domains.

Record-Keeping Requirements

To make enforcement more effective, the following records must be maintained for 2 years from the date the record is produced (These can be in any format): - Advertising and promotional materials - Information about prize recipients - Sales records - Employee records - All verifiable authorizations or records of express informed consent or express agreement. They must also keep detailed records of what was sold and to whom (and who sold it, etc)