Privacy Law Basics: Stop Callin' Me! Telephone Consumer Protection Act (TCPA)

The fifth law in our series is the Telephone Consumer Protection Act, often abbreviated as "TCPA."

Statute Telephone Consumer Protection Act
Reference 47 U.S.C. § 227
Year Passed 1991
Covered Entity Senders of commercial communications with a marketing or advertising purpose
Regulated Activity Unsolicited commercial communication
Private Right of Action Yes
Enforcement Agency Federal Communications Commission (FCC)
Preemption No
Remedies/Penalties Statutory damages up to $500 per illegal communication

A.     Background. Seeking to address the negative business impacts of the high volume of fax transmission tying up consumer and business phone lines, as well as wasting resources, Congress passed the TCPA in 1991 to prohibit the sending of unsolicited commercial fax transmissions. Thus, the privacy harms under the TCPA are more nuisance and expense-elated, rather than those more severe privacy harms of intrusion, unauthorized information collection or the disclosure of confidential information.

The TCPA was challenged upon its passing by various marketing associations for being unconstitutional, but to no avail. Over the years, the law has been widely praised as being pro-consumer and even pro-business in reducing unwanted calls, texts and faxes. At the same time, many businesses have lamented the private right of action the TCPA provides, spawning unwarranted and trivial law suits, including large class actions. In 2015, the FCC issued an order clarifying the agency’s interpretation of the TCPA. While the guidance clarified and expanded compliance possibilities for businesses, the focus of the Act remains the consumer or recipient of unwanted calls, faxes, or texts. Businesses must work diligently to comply, to include gaining consumer consent and using compliant technologies and third parties, as applicable.

B.     Who is covered? While many think of the TCPA as applying to only fax transmissions, the reality is it restricts all solicitations and advertisements made over telecommunications equipment, or “telemarketing,” and the use of automated telephone equipment. So, communications subject to TCPA compliance can include phone calls, text messages and faxes.

The TCPA defines an automated telephone dialing system, or “ATDS” as “equipment, which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator, to dial such numbers.” In 2015, the FCC expanded the definition to include any devices or applications that can perform such functions, including smartphones, tablets, VoIP phones, calling applications and texting applications.

C.     What personally identifiable information is covered? The TCPA regulates not so much PII, but rather the use of selected customer or subscriber information to send the regulated communications

D.     What you can and can't do.

1.     Calls.  Overall, in order to call recipients, a sender must secure express written consent for all prerecorded telemarketing calls to residential lines and all autodialed or prerecorded calls to wireless numbers. Prior express written consent is not required for prerecorded telephone calls to residential lines that are purely informational in nature (see below) and made to residential phone numbers that are not included in the National Do-Not-Call Registry. However, prior express consent (oral or written) for any pre-recorded or autodialed calls to a mobile number is required.

Additionally, the TCPA prohibits the making of “any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice:

     (a)  To any emergency telephone line (including any "911" line and any emergency line of a hospital, medical physician or service office, health care facility, poison control center, or fire protection or law enforcement agency);

     (b)  To the telephone line of any guest room or patient room of a hospital, health care facility, elderly home, or similar establishment; or

     (c) To any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call, unless such call is made solely to collect a debt owed to or guaranteed by the United States.”

 2.     Faxes. The TCPA similarly requires consent to receive advertising or telemarketing via faxes. Senders can be exempt from the consent requirement, if the sender can show:

     (a) An “existing business relationship” with the recipient; or

     (b) They obtained the number of the telephone or facsimile machine through the voluntary communication of such number, within the context of such established business relationship, from the recipient of the unsolicited advertisement, or a directory, advertisement, or site on the Internet to which the recipient voluntarily agreed to make available its facsimile number for public distribution, with some exceptions.

     (c) The unsolicited advertisement contains a notice meeting requirements under paragraph (2)(D) of the statute.

None of these exceptions apply to unsolicited advertisements if sent by a sender to whom a request has been made not to send future unsolicited advertisements to such telephone facsimile machine. The TCPA also prohibits autodialed calls that engage two or more lines of a multi-line business.

 3.     Informational Messages vs. Telemarketing Messages. Informational messages or messages necessary to conduct normal business with an existing customer are regulated differently than telemarketing messages. Generally speaking, a communication that includes or introduces an advertisement, or encourages a purchase or investment will be found to be telemarketing. A call’s purpose has a direct impact on the compliance requirements under the TCPA. Senders of regulated communication should note that, in determining whether a call is a telephone solicitation, the purpose of the message (not its characterization by the sender) is the standard used by the FCC (and a court) as to whether the communications qualified as only informational or a message soliciting business from the recipient.

4.     Consent. With respect to calls, the TCPA requires different levels of consent depending on whether the nature of a call is for “telemarketing” or “informational” purposes. Non-telemarketing calls, such as purely informational and non-commercial messages, require a consumer's “prior express consent,” while telemarketing calls require a consumer's “prior express written consent.” Companies are expected to practice due diligence with whether consent is still viable or has become “stale.” For example, as cell phone numbers change often as they are reassigned to different users, companies should immediately update databases reflecting a revocation of consent upon first notice of such a change. Repeatedly calling the new number or otherwise failing to acknowledge the change in consent can result in liability attaching.

E.     What happens if you don't comply. A recipient of any communications that violate the TCPA may seek one or both of the following remedies:

1.     Sue the message sender for up to $500 for each violation or recover actual monetary loss, whichever is greater; AND/OR

2.     Seek an injunction against the sender

In those situations where the violation is deemed "willful," the plaintiff can seek treble damages ($1500) per each violation.

F.     Risks and Recommendations

1.     Maintain an accurate and current Do Not Call Database. The FCC requires each company to maintain its own database that is linked to the national Do Not Call Registry. The Federal Trade Commission established the National Do Not Call Registry and implemented regulations prohibiting commercial telemarketers from making unsolicited sales calls to persons who did not wish to receive them.

 2.     Manage third parties. As with CAN-SPAM compliance, many businesses may choose to use a third party to manage such commercial messaging, to include regulatory compliance. Senders must audit third parties to ensure they secure consent, monitor/update the Do Not Call Database, and otherwise manage TCPA compliance. However, it is important to remember that use of any third parties to carry out business for a company is no shield to liability or responsibility for information privacy practices. Courts and regulators have and will continue to prosecute the business and not just the third party for violations.

 3.     When it doubt, its telemarketing. One area in which companies can get into trouble in court is where “informational” communications look too much like “solicitations.” Many courts have ruled against businesses that have not taken care to properly delineate information messages about services from attempts to solicit new business. If a company does both with a message (provides information and solicits business) the communication will be considered telemarketing. Such “dual purpose” calls draw a court’s attention, especially as they can be interpreted to be deceptive. Deception may trigger a finding of willfulness.

4.     When in doubt, get consent. This is tried and true advice for all privacy matters. However, unlike many federal privacy laws, as the TCPA provides for a private right of action, putting this principle into practice can save an organization time and money in defending lawsuits--viable or not. Customer consent is a very strong defense to any TCPA action. This said, care should be taken to be transparent in all such consent mechanisms, to include advising the customer they may receive communications from an automated telephone dialing system. Companies should be careful to not place limitations on the scope of the consent. Often, by limiting consent to X number of text messages or calls, companies can get into trouble by exceeding that scope.

Conversely, companies should provide customers multiple options to opt out of telemarketing and informational communications. Again, in line with basic privacy principles, the presence of easy to use opt-out mechanisms demonstrates a good faith effort to comply with the law and the customer’s expectations. Records of consent and revocation of consent should be maintained for four years under the TCPA.

 5.     Stay tuned and seek counsel. With a new administration in place, including leadership in Congress and the FCC, it is possible there may be significant changes to this law. Furthermore, as with any law where a private right of action exists, it is always best to consult counsel to minimize risks wherever possible.

About The Author

Scot Ganow |