The cold call has been around for a very long time as a marketing strategy. But more recently, automated testing has become a popular alternative. More than 76 percent of US consumers have received texts from a business, and according to recent reports, many of those consumers responded positively to being texted. That’s probably why 84 percent of businesses are currently using or planning to use text messaging in their businesses. But for organizations that engage with consumers with automated phone calls or texts, a few compliance questions need to be answered first.
The California Consumer Privacy Act (CCPA) and the Telephone Consumer Protection Act (TCPA) can create confusion for companies attempting to comply with both privacy acts. TCPA, which requires businesses to obtain written consent prior to contacting consumers via telephonic means (voice or text), means that companies must maintain “do not call” lists which contain personally identifiable information (PII). But the CCPA grants consumers the right to have their PII deleted by the companies which hold it. So which act takes precedence?
The following chart highlights key provisions under the California Consumer Privacy Act and the Telephone Consumer Protection Act. It can be used as a guide for determining how to comply with both acts.
|What is it?||A comprehensive set of privacy laws related to consumer data||An act that prohibits making automated calls or texts to consumers without sufficient prior express consent|
|To whom does it apply?||Companies doing business with California citizens:
1. Have annual revenue of $25 million+
2. Make at least 50% of their revenue from the sale of California consumer data,
3. Collect/share/buy/sell the data of 50,000 state consumers or more
|U.S. consumers who own a phone|
|When did it take effect?||Jan. 1, 2020||1991 (with several updates from the Federal Communications Commission related to new technologies)|
|Who does the Act protect?||California residents that are in the state for a purpose that isn’t temporary/transitory. This includes those domiciled in California but outside of the state temporarily. Consumers are defined as customers of household goods/services as well as employees and B2B transactions.
|All U.S. consumers|
|What are the penalties for non-compliance?||$750 per person, per violation||$500-$1,500 per violation|
|How to comply with TCPA and CCPA.||As a federal law, TCPA supersedes state laws, including CCPA.
The TCPA creates a legal obligation for companies to keep an updated “do not call” list that would supersede the “right to deletion” granted by the CCPA.
Other exceptions to CCPA include PII required to complete a transaction requested by the consumer or PII required for “reasonable business purposes.”
Evolution of TCPA and Recent Rulings
Compliance issues aside, the definition of the types of communications governed by TCPA is in flux. Recently, the Seventh Circuit joined four other circuits in narrowing the definition of an Automatic Telephone Dialing System – a marketing strategy regulated by TCPA – to exclude equipment that dials numbers from a customer database. Circuit Judge Amy Coney Barrett ruled that, due to a grammatical error in TCPA, a computer that stores and randomly call consumers does not meet the definition of an autodialer and is therefore not regulated by TCPA.
Meanwhile, the Ninth Circuit has broken with the Seventh, Second, Third, Sixth and Eleventh Circuits definition of an autodialer is much broader, and the issue may find its way to the U.S. Supreme Court without (or in spite of), a comprehensive ruling by the Federal Communications Commission.
Organizations should first understand what data they currently have, how it is stored, and how it is updated. Vendors should be given guidelines for how to comply with both “do not call” requests and requests for deletion. Consumers should be notified that they cannot have all of their data deleted if they choose to remain on a “do not call” list.