S1 E2: Effective Record Keeping for Do Not Call Compliance


Matt Cagle:  Hi, everybody. Welcome to the latest episode of Compliance Pointers. I’m your host today, Matt Cagle. I am the SVP and GM at CompliancePoint and worked in our marketing compliance practice, which we’ll be touching on today, for about the first decade of my time with the company.

Today, I’m joined by the Director of our Marketing Compliance practice, Steve Gniadek. Steve is going on his 20th year with CompliancePoint. So when you want to hear from someone who knows these rules inside and out and has, at this point, about to be decades of experience advising clients on evidence gathering and record keeping, Steve’s probably the best in the business. So I’m excited to be talking with him today about this topic.

Steve, I touched on it a little bit, but really today we want to focus on why it’s important to keep records to maintain evidence of your DNC compliance and, frankly, your compliance with other applicable federal and state marketing rules.

So I guess when we think of it from a TCPA and do not call perspective, what evidence and records come to mind that companies need to make sure that they have and are maintaining?

Steve Gniadek: Yeah, I mean, the more evidence you have, obviously, the better defendable position you’re going to be in. So really, the evidence that you should be maintaining should be anything where you could defend yourself against unwarranted claims from consumer complaints or even regulatory requests. I mean, it’s things like a written do not call policy, making sure that your agents or anyone placing outbound calls are aware of what the rules and regulations are, that they’re aware of what your company’s specific requirements and policies are.

You need to train those agents on how to accept and honor an internal DNC request. You have to make sure that this policy states that these agents are trained. And then you have to have records that the agents took the training. I mean, initially upon hire as well as annually for refresher training.

So you have to have a written do not call policy. You should maintain written compliance guidelines. It’s one thing that companies have policies and procedures, but sometimes when we start working with companies, they might have them in email forms and different areas of different business units and different areas of the regulations, and it’s not one consolidated document. So it’s a good idea to put all of those policies and procedures into one written comprehensive guidelines, which kind of outlines, who’s responsible for what area. This is what the law is, and this is how we comply with the law.

So you have to have, you should have written compliance guidelines, call records, outbound call logs, inbound call logs. There’s any evidence that demonstrates what number you called, what the disposition was, when you called it, how many times you called it. You really should keep those records.

Same with scrubbing records, making sure that you are scrubbing these campaigns against the appropriate DNC lists. That scrub might happen differently depending on the type of campaign. If it’s an EBR (established business relationship) campaign, you might be required to scrub against certain state lists or areas or look for expired EBRs. If it’s an express written consent, that could be treated differently, or even things like cold call campaigns.

Matt Cagle: So I guess for those that are not familiar with the alphabet soup of do not call compliance, a couple points there. When we talk about scrubbing, that means suppression. So checking your calling, your texting file, your distribution list, against all the applicable do not lists or other third party lists that are out there. So this could be your national do not call registry. It could be one of the state do not call lists. It could be the wireless lists. There are even lists of TCPA litigators out there now. So making sure that you have records of basically those file management activities, including what was your starting point, who did you want to contact, why did you want to contact them, and then who did you remove from that contact list and why. Was it because they were on a do not list? Was it because they were on your internal opt-out list? Or was it some other factor?

Steve Gniadek: You bring up a good point with the internal DNC lists. I mean, we’ve run across a lot of companies that might keep or block phone numbers from being called. But an internal DNC list should really be maintained with the phone number and the date that request was made. That way you have evidence that, yes, this person requested to be added to the internal DNC list on such and such date, you added them. And then to go back to the call log records, you demonstrate that after that request was made, added to your list, you no longer placed any calls to that phone number. So you really need to have the phone number along with the date.

The training I mentioned, really important, those also evidence of EBRs or express written consent. Where did that lead come from? What was it? A trade show where they filled out a consent form? Was it a website URL where there was disclosure language on there? You really need to make sure that you keep those records as well so you know where those leads came from. Because you’re going to be applying exemptions to those calls you’re placing to numbers on a DNC list, you need to have evidence of why you called that number.

And then also lastly, there’s telemarketer registrations. There’s 34 states that have some form of telemarketer registration. There are going to be exemptions that apply to that. But again, you just want to do the right thing. With these states, as well as the federal DNC list, just make sure you’re registered so that you can demonstrate that you’re aware of what those rules are and they take the appropriate process to make sure you’re only following callable records.

Matt Cagle: So you mentioned the term EBR multiple times for people that are not familiar, that means established business relationship. That is a very common exemption under not only the federal rules, but many of the state rules. Essentially, it lets you contact an individual after they have expressed interest in learning more about your company and its services or because they’ve purchased from your company or are a current customer of your company. So that is a very common exemption.

And yes, absolutely, maintaining records of that is vital, including when was the date of that interaction when that established business relationship was created. There are timeframes in which those EBRs are valid, and you need to make sure you know the starting point and then on a state-by-state basis when those expire. So those records are vital. And same thing for the express written consent that you mentioned, Steve. That is probably the most common exemption we see with our clients when they’re texting or calling their customers is having that written permission to do so and making sure that you have the record of that. Should you ever need to provide it to someone demonstrating that you had the appropriate permission to contact that individual?

Steve Gniadek: Yeah, and you bring up a good point with the states as well. You know, a little bit different than maybe CAN-SPAM rules when it comes to telemarketing or texting laws. The federal rules don’t necessarily preempt the state rules, and we’re going to run into a lot of states that have more restrictive rules than the federal rules.

You know, for example, just talking about the EBRs under federal rules, you’d have three months to call someone based on their inquiry, just a general inquiry. But there’s going to be eight, seven or eight states or so that don’t recognize that general inquiry as an exemption, which would require you to have express written consent technically to call into those states. So it’s important to make sure you’re aware of what the state rules are in addition to the federal rules, and then just always adhere to the more restrictive rules.

Matt Cagle: So Steve, we just ran through the various evidence and records that companies need to maintain. Real quick, I want to bring it up a level and first remind our audience that this isn’t a nice to have. It’s a must-have. The federal and state rules are pretty explicit about the records that need to be kept and the duration in which you need to keep those.

So not only is it required, but there’s also a benefit, and that benefit can be found in the safe harbor that’s provided in both of the federal telemarketing and do not call rules, the Telephone Consumer Protection Act, TCPA, and the telemarketing sales rule, the TSR. Both of those federal requirements require policies and procedures, training, do not call suppression, and so on.

But if you maintain records of that and can demonstrate it to a regulator or an Attorney General, that can be a defensible position. If you can show that, yes, there was an error, and this is going to happen with the volume of calls or texts that companies generate. But if you had human or technical error, if you have those records and evidence at that point, you can show it was an error, and they will frankly move on in those cases to the bad guys, the ones that are intentionally breaking the rules. If you can prove it was an accident, that can save your company a lot of money and a lot of time and pain.

Steve Gniadek: A lot of bad PR.

Matt Cagle: Yes, a lot of bad PR.

So Steve, I talked about how it’s required for safe harbor. What are the other reasons companies would want to make sure they’ve got these records?

Steve Gniadek: I mean, a big thing, the important thing for having evidence is just that you can defend yourself, right?

I mean, I can give you a real-world example. I mean, if a company is getting a lot of consumer complaints and a regulator happens to reach out at the state or federal level, they’ll want evidence. They’ll want records. They’re not going to take your word for it that, hey, I never called that number after June 1st. They’re going to want to see the records to prove that you didn’t call that number after June 1st.

Or if you have, for example, high abandonment rates, yes, they might ask for your abandonment rates from February of 2023 from the dialer. But in addition to that, they’ll also ask for the raw data along with what the dispositions for each call were, which dispositions were live answers and which weren’t. And they’ll run a manual calculation. I mean, the only way, again, you can do that is through dial records and evidence of the dispositions and things like that.

So it’s really important just to have that so you can defend yourselves. I mean, consumers complain about legal calls all the time, just to go to an exemption aspect here. A consumer goes to a website, fills out their name, address, phone number, and hits submit, and then gets a call 10 minutes later and is wondering why they’re getting called because they’re on a DNC list. Well, again, there’s an instance where you would need to have that evidence of where that lead came from and that you had an exemption to call them. They’re not going to take it for granted or your word for it that it was a legal call. You’re going to have to prove that it was a legal call.

Matt Cagle: It’s a good point. Taking that a step further, unfortunately, in this space, you now have this group of professional plaintiffs, basically people that try to get a company to call or text them in a non-compliant fashion. And then as soon as they receive that communication, they have a demand letter that they will send saying you broke whatever applicable federal or state requirement and that you need to pay them however many thousands of dollars to settle that issue.

We see this very often with companies that place compliant communications and have compliant processes throughout. But these plaintiffs are basically trying to find someone who’s not confident in their compliance posture that is willing to write that check to make the problem go away. You are in a much better position if you can confidently say that yes, we did contact you. This is the date and times that we did reach out to you. But even more importantly, this is why. This is your request for information from our company, either through this hand raiser event or this completion of this form on this website where you gave consent.

Having those records and being able to confidently provide that to the plaintiff, to the plaintiff’s attorney saying no, this was a compliant communication or communications and here’s our records of that is a very strong position to be in to hopefully address that particular issue and keep it from snowballing into something bigger.

Steve Gniadek: Yeah, I mean, and that’s become a more common tactic is to request a do not call policy. I mean, they really don’t care about your do not call policy. They’re just hoping you don’t send them one and they can try to get, you know, $2500 up to $7000. I mean, we’ve seen all sorts of demands, but usually if you send them the information like your do not call policy or respond to them and say this is why we called you, we have an exemption you went to this site on this date and you reply to them, they’ll usually just move on to their next target.

Yeah, and they know that you’re buttoned up and they’re wasting their time going after you. They’ll go after somebody else.

Matt Cagle: So Steve, we’ve worked with a lot of clients over more years than I mentioned at the top that we would want to mention and have seen clients that really struggle with this in a variety of areas.

I’ve got a few thoughts and then I’m curious about yours, but when we’re engaged with a client we will audit their record keeping and where we see them struggle the most, at least in my opinion, usually comes down to their vendors.

If they’re leveraging vendors for lead generation, if they’re leveraging vendors to support with the outbound efforts or the inbound efforts, there are often issues with knowing are those records being maintained? How long are they being maintained? How can the client access them if needed? Are they requiring their vendors to keep those records contractually?

Often there’s some standard contractual language, but is it covering the records that you actually need to be included? So that would be one area I would caution companies on is make sure you know who’s keeping these records, how long they’re keeping them, and again, in what format, and then periodically audit those vendors. Ask for a report from some random month a few years ago and see if they’re able to provide that to you. I think you’ll be surprised at how often they fail.

And one caution, if you are transitioning vendors, make sure you get those records before you sever that relationship. We’ve had clients that lost years of records because the vendor went out of business or they terminated the agreement and never got those records before the relationship ended.

Steve Gniadek: Yeah, I mean, accessibility is a good point there, too. I mean, they’re not going to give you months and months and months to prove your innocence. They want it pretty quickly. So any records that might be archived off to open up space for more recent records, you know, you need to make sure that you can go back to those archives and you can find them in a quick manner and then it’s everything you need. You know, because again, without that evidence, you really don’t have a defendable position.

Matt Cagle: Another question we get is given how important it is to have records of express consent or of the established business relationship is with these products that let you record the consumer’s interaction with the lead form. It’s the screen capture technology.

I’ve been asked and Stephen, curious about your thoughts if that’s something that companies have to maintain or is there something else that they can keep?

Steve Gniadek: I wouldn’t say you have to. It’s nice to have and it’ll definitely make your life easier. But I wouldn’t say you have to have it as long as you have a process in place that you without having that tool, as long as you have a process in place that you could find the phone number of the person’s complaining, find out what did that web page or that lead source look like at the time they entered their information.

So for example, did it have the proper express written consent language? Was it clear and conspicuous or was it buried and hidden in small font and hard to read? Hopefully, that’s not the case, but that’s just the exact reason that you should have at least a version of what those lead sources look like in those date ranges of when that person entered that information.

You know, it’s really again proving that you had the proper valid consents, that it’s clear and conspicuous and you know that you are able to call a number regardless of its DNC status based on that consent.

Matt Cagle: Yeah, I agree. The screen captures are nice to have. If you have the storage space and the funds for that service and to maintain that, that’s excellent. That’s a best practice. If not, if you are able to capture the IP address, the data, the customer entered on the form, again, the date and time that they submitted that form.

And like Steve said, most importantly, what did that form look like at that date and time? How clear was the language? Was it obvious as to what the consumer was agreeing to? Those are critical and making sure you keep those records at bare minimum is basically table stakes for anyone that wants to leverage phone calls or text messages to market to prospects and customers.

Steve Gniadek: So let me just add on real quick. Yeah, it’s also important to keep scripts, right? What type of outbound campaign was it? Was it a cold call campaign, which might differ than what you need to keep if it was an informational type campaign? So even having the scripts of what that call was about, I mean, if you don’t have the call recording, if you have the scripts, that’ll go a long way as well, just to, you know, because obviously the rules are different for, say, an informational or customer service type call than it would be for a cold call campaign. So it’s important to have those scripts as well and version control those. You know, these are the scripts we use between these dates and this is what these calls were about. So it’s important to have that information as well.

Matt Cagle: And it may be obvious, but make sure you know what your records say about you. First off, you need to keep these. Hopefully you’re doing that. Make sure you’re keeping them for the required timeframe and they’re accessible when you need them.

Also make sure that they tell the story that they should be telling, that you’re operating in a compliant fashion. I’d say right now for anyone listening that has concerns about what their data, their records and evidence may say about their compliance is address it and then make sure you document that. When did you identify the issue? When did you fix it?

Have the record showing that you went through that exercise and that you remediated and then hopefully the record showing everything you did from that point forward.

Steve Gniadek: You know, just add on to that too. And you know, another big piece with the record keeping obviously QA, you know, you’re listening to your QA process, listening calls, make sure that you know, internal DNC requests are accepted and honored as they should be versus maybe someone saying not interested right now, call me back later. You know, it’s just important to have all the evidence you can to defend yourself.

Matt Cagle: So, Steve, for a company that doesn’t feel strongly about their current evidence collection practices and policies or if they are someone that’s looking to really build a record keeping program from scratch, what would you recommend?

Steve Gniadek: Yeah, they obviously should go through all the different regulatory areas, you know, comparing with a do not call policy and training and just really everything from telemarketer registrations to call abandonment rates and scripting. It’s just go through all of those different areas, see what evidence you have or what you might be lacking and then also make sure that those records are going to cover all of the requirements.

I mean, one of the common pitfalls we see is a lot of companies are aware of the federal rules and do a great job of adhering to the federal rules, but there’s no evidence whatsoever, no awareness sometimes of the state rules. And like we said earlier, the states can be a lot more active at enforcement and have more restrictive rules. So you just need to go through all of the different areas and make sure that you are covered and that you’re adhering to the most restrictive rules and following those rules. And then again, demonstrate how you’re going to do that.

Monitoring enforcement is a big key here because it’s one thing to have these written policies and guidelines in place, but if you’re not doing any type of monitoring enforcement to make sure that those rules are being adhered to, it’s almost pointless to have those guidelines, right?

So you have to make sure you’re monitoring enforcement and that’s also part of the safe harbor you talked about earlier.

Matt Cagle: Yeah, I mean, for someone that’s starting from scratch or might be concerned about their overall evidence collection at this point, my advice would be, like Steve said, baseline it.

First off, what do you have to keep? What are you legally required to be maintaining records of at both the federal and state level? If you don’t know that, you need to figure that out.

And then go through the exercise of everything that you have to keep. Are you keeping it? Who’s keeping it? Is it yourself? Is it a vendor? What format is that record being maintained in? Is it accessible if you need it? What’s the retention policy? How long do you have to keep it? Are we meeting that retention policy? Do we have backups in place? If this is a vital record that we need to rely upon for defensibility purposes?

Basically going through that whole assessment exercise of what do I have to do? How am I doing it? Who’s responsible for this? Do they know they’re responsible for it? And then ultimately, is all of this being done as expected? Once you do that, we would then recommend that.

Steve Gniadek: Let me just add to that real quick too. So you’re like, who’s responsible? But also, if you go on vacation for two weeks or if you leave the company or whatever the case may be, is there a backup? Does somebody else know how to do this too? Because having one person in charge of all this is probably not the best idea because of things like vacations or if someone moves on, you need to have it all documented so that someone else can come in and pick it up and fill in that person’s place so you don’t lose a step there with your defense.

Matt Cagle: Redundancy, I know it might seem obvious to the audience, but far too often in our engagements, we’re talking to one person from legal or compliance or marketing and IT and no one knows what the other’s doing. No one knows who’s keeping these records. One person’s trying to do it all. You don’t want to be overly reliant on that one individual. Make sure you’ve got that redundancy in place.

Steve Gniadek: Or even one department or group thinks it’s being done one way, but in reality, it’s not. It’s being done a different way.

Matt Cagle: That’s where that assessment is of value, right? To make sure you know who’s keeping these and validate that they are.

That leads me to my next point, which is to test this periodically. We do this for clients all the time. Go back and make sure you can pull whatever record or evidence you want to test from a year or two ago. Make sure that’s available in the format that you expect.

Then ultimately document all of this, train on this, and again, test it to make sure it’s occurring as required.

Steve Gniadek: Even post-call data audits are a good exercise to make sure you have records when it comes to outbound dial records or things like what was the disposition of this call or what time did we call it at or how many times did we call it. You really need the records, the dial records, things like that to show that, hey, we called this number three times, not 300 times like the consumers alluding to.

I had a call or an email from a client even just yesterday that the consumer is complaining that they received 17 calls one morning from this company and they had one call, not 17. That’s just another common thing that we see.

If you go into a lead gen site, for example, looking for insurance and you fill out your information, one, you is calling that lead from that company, one, you have to make sure that it was a valid express written consent or that you had an exemption to call to begin with. Some of these lead generators might pass that lead to five different insurance companies. That five insurance companies might call that person 10 times each, which could result in 50 calls. You need those records to show, no, we only called it three times. Here are our records. We call 50 times in a day. Again, the only way to do that is through evidence.

Matt Cagle: We had permission to call them three times, being a very important part of that as well.

Well, Steve, thank you. I think we’re coming up on time. Appreciate everyone for taking the time to listen. We do produce content like this on a regular basis, so make sure you subscribe through your platform of preference. Make sure you don’t miss any of this content.

For those of you who would be interested in some help in this area, as I mentioned, Steve and I both came up in the marketing compliance group. We have a team that focuses on this and helps clients with challenges like this on an ongoing basis. If you’d like to discuss this, please reach out to us or email us at connect@compliancepoint.com.

Thank you.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.