What needs to be in your internal “do-not-call” policy and when must you provide it?

William E. Raney, Partner – Copilevitz & Canter, LLC

William E. Raney, Partner – Copilevitz & Canter, LLC I’ve been on the frontlines of TCPA lawsuit defense and compliance for nearly 20 years. I marvel at how the statute intended to provide $500 (up to $1,500 for exceptionally bad situations) to consumers, per illegal phone call received, has morphed into a weapon misused by class action plaintiff attorneys to potentially devastate companies with multimillion dollar damages. The $500 per illegal call became thousands per call when individual plaintiffs added in additional violations, and it ultimately became millions per call when the class action bar discovered the statute.

One heartening trend, however, has been courts’ refusal to allow damages “per violation” of the TCPA, limiting damages to “per call.” Thus, if a plaintiff alleged a scripting error, curfew violation, a caller identification violation, and a “do-not-call” violation all in one call, the damages would still be $500 for the call, rather than $500 per violation.

One of these alleged “violations,” commonly sought by plaintiffs, is failure to provide a “do-not-call” policy “upon demand” or a policy in compliance with the TCPA’s restrictions. I am writing this article to detail what must be in your “do-not-call” policy and when you need to provide it to someone who requests it.

First, the regulations implementing the TCPA provide that “[n]o person or entity shall initiate any call for telemarketing purposes to a residential telephone subscriber unless such person or entity has instituted procedures for maintaining a list of persons who request not to receive telemarketing calls… .” 47 C.F.R. § 64.1200(d). That same section provides that the company must have a written policy, available upon demand, and that the person engaged in telemarketing must be informed and trained in the existence and use of the “do-not-call” list.

Entities making calls must honor requests from residential telephone subscribers not to receive calls, and must record the request, and the subscriber’s name and telephone number, on its internal “do-not-call” list. The request must be honored within a reasonable time, not to exceed 30 days of the request. Id.

These are the only elements you need to include in your internal “do-not-call” policy. This document does not detail program names, server locations, personnel names, client information, etc. that are all a part of your “do-not-call” procedures. Rather, it contains the above minimum elements and is used consistently with your other, private, procedures.

Further, as a condition of employment, you should maintain a record that all telemarketing personnel has read and understands the policy. You should periodically update training regarding the “do-not-call” policy and keep records of that training.

Finally, as set forth above, the policy is required to be provided to anyone who requests it “upon demand.” You should maintain a record of response to the request although you do not need to send it certified mail or any special way. E-mail records are sufficient for this purpose.

As you may know, training and keeping records of your training is one element in the “safe harbor” which protects you in the case of calls placed as a result of error. 47 U.S.C. § 227(c)(5).

When you get a request for your “do-not-call” policy, it is the “for public consumption” document you need to provide to the person who requests it, not trade secrets like client names, contracts, personal information, etc.

Please do not hesitate to contact me if you would like help drafting your internal “do-not-call” policy or designing a training program compliant with the law.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.