Telemarketers – Don’t Sleep on State Data Privacy Laws

TCPA: The Federal Baseline for Telemarketing

Companies that engage in telemarketing may be familiar with regulations like the Telephone Consumer Protection Act (TCPA). The TCPA has long been the cornerstone of federal regulation for marketing calls and text messages, outlining rules regarding when and how consumers can be contacted, how consent must be obtained, and how Do Not Call (DNC) lists must be respected. It also imposes obligations around caller ID and restrictions on the use of prerecorded messages and predictive dialing. Because TCPA violations can result in significant statutory damages, often in the form of class action lawsuits, businesses tend to focus on building compliance programs around this federal law when problems arise.

Layering on State Privacy Laws

What is sometimes overlooked, however, is that compliance with the TCPA alone does not insulate a company from risk. State privacy laws (at 19 passed and counting) increasingly impose obligations that interact directly with telemarketing practices, particularly when it comes to recording conversations or using consumer data collected during those interactions. California has been at the forefront of these developments with laws like the California Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act (CCPA), both of which can create liability for companies that are otherwise TCPA compliant.

CIPA is primarily concerned with the interception and recording of communications. Unlike federal wiretapping law, which generally requires only one party to consent to a recording, CIPA is an “all-party consent” law. This means that before a company records a phone call or an in-person conversation in California, it must secure the agreement of everyone involved. Telemarketers who record calls for quality assurance, training, or compliance monitoring therefore need to ensure that they provide a clear disclosure and obtain consent before beginning the recording. The same rule applies to in-person interactions in which door-to-door sales representatives, for example, cannot secretly record conversations with potential customers without potentially violating California law.

The CCPA, and the other state privacy laws, on the other hand, regulate the use of personal data collected from consumers. When things like call recordings capture information such as a name, phone number, or address, that information qualifies as personal information under the state privacy laws. Businesses must therefore provide consumers with notice about what information is being collected and how it will be used. If recordings are analyzed to assess consumer sentiment, identify purchasing signals, or train artificial intelligence tools, those uses need to be disclosed in a privacy policy as well. Additionally, it’s important to keep in mind that under the state privacy laws, consumers have various rights afforded to them, such as a right to request their information be deleted, or the right to opt of the sale or sharing of their personal information.

The Interplay: Why Both Matter

What this creates is an interplay between federal telemarketing law and state privacy law that companies should not ignore. A company may secure the required TCPA consent to place a call yet still violate state privacy law if it records the call without appropriate disclosures. Similarly, a company may comply with the TCPA in structuring its outbound dialing campaign, only to find itself in violation of the state privacy laws if it lacks the proper disclosures about how the data that is collected may be stored or used. This overlapping framework means compliance must be holistic. It is no longer enough to think about federal telemarketing rules in isolation; state privacy requirements must be considered part of the compliance strategy.

Important Considerations for Companies

1. Collaborate compliance efforts: Don’t treat the TCPA and privacy laws separately. Rather, foster collaboration across teams to design workflows and consent practices that can account for both.
2. Update privacy notices: Clearly disclose if calls or in-person conversations are recorded and how recordings will be used.
3. Train relevant employees: Agents should know not just about DNC rules, but also about consent requirements for recordings.
4. Honor consumer rights requests: Ensure systems can locate, delete, or provide copies of personal information related to a consumer if they make a request under applicable state privacy laws. Systems must also have the capability to honor consumers’ right to opt out of the sale or sharing of personal information.
5. Apply a layered consent approach: Secure consent both for contacting under the TCPA and for any recording/data use under state privacy laws.

Ultimately, companies that treat TCPA compliance as the end of the story may be exposing themselves to unnecessary risk. State privacy laws add additional obligations that are relevant to telemarketing, especially as businesses increasingly use technology to capture and analyze consumer conversations. Understanding the impact these laws may have on your business can help mitigate exposure to risk and supports building trust with consumers who are more aware than ever of how their data may be collected or used by companies. If you have questions about complying with the TCPA, state privacy laws, or the interplay of them, please contact us at connect@compliancepoint.com.