S3 E36: How State Privacy Laws Impact Telemarketing

Audio version

How State Privacy Laws Impact Telemarketing

Transcript

Jordan Eisner  

Welcome to another episode of Compliance Pointers. I am joined today by Kara Urbaniak, who’s nearing 4 years with Compliance Point. If not already there, when will you hit four years, Kara?

Kara Urbaniak  
I had in March, so about 4 1/2 now.

Jordan Eisner  
OK. Oh wait, you already hit four, so you’re coming up on 5.

Kara Urbaniak  
Yeah, I already hit 4.
Getting close goes quick.

Jordan Eisner  
Time flies when you’re consulting on data privacy and marketing compliance law, so.

Kara Urbaniak  
That’s what they’re saying.

Jordan Eisner   0:57

As what I just alluded to time flying being related to, Kara is a consultant on both our marketing compliance and data privacy teams here at CompliancePoint. So under our regulatory division if you will, but she’s quite familiar with telemarketing law like TCPA, Telemarketing Sales Rule, also state specific laws and then also data privacy as well. She supports that team and that’s going to be more along the lines of GDPR, CCPA and the other 18 states in the US that have set up privacy laws.
We’re going to be talking about how state data privacy laws affect telemarketers. And before you tune out and decide, OK, this doesn’t apply to me, telemarketers is a broader definition than you think, and it’s not the classic calling out of a phone book in a boiler room type. You know, it could be text messaging, it could be B2B calls. Even there are a lot of types of calls that meet the definition of a telemarketer depending on the state and the location. But really, outbound calls for solicitation purposes could mean that your company does meet the definition of a telemarketer. So this is going to be some timely information on how organizations, mainly B2C, but sometimes B2B can be affected by some of the state privacy laws in their outbound marketing activities when telephone is included. So and for those of you joining us for the first time or watching the first time, Compliance Pointers is a podcast sponsored by Compliance Point. We’re a consulting firm specializing in a few different areas, one of those being regulatory compliance, but also information assurance and cybersecurity and this podcast we talk about a wide variety of topics in many different areas and I’d encourage you to check out our website or the podcast for many of the episodes from this season. I think we’re in the 30s.
Or past seasons. So, Kara, let’s begin by looking into some of the specific laws. So there’s CIPA, the California Invasion of Privacy Act. Why is this law relevant for telemarketers?

Kara Urbaniak  
Yeah, good question. Thanks, Jordan. I’d say when we think about compliance and telemarketing, the TCPA is usually what takes center stage, and that’s for good reason. But in today’s reality, the truth is that businesses can’t necessarily afford to look at telemarketing rules and privacy laws as separate silos anymore.
These are really two areas that are overlapping more than ever, and companies that want to stay compliant should really try to weave them together into a single strategy.

So, for example, you mentioned laws like CIPA. There are additional considerations with things like this that often play into telemarketing in the telemarketing world. For example, with CIPA, that’s really primarily concerned with the interception and recording of communications, which many telemarketers are doing. And that’s also a great point you made, Jordan, that telemarketing isn’t always what we maybe traditionally think in the sense of somebody blasting texts or blasting calls. It’s really up to how the states define them. So if you’re soliciting the sale of goods or services, it could be applicable. So just something to keep in mind as we talk about that.
Going back to CIPA, that’s really again concerned with the interception and recording of communications, and that does require consent before monitoring or recording a call or even an in-person conversation. And what that means is that California is a two-party consent state, so even though we may be familiar with things like the federal wiretapping laws, there are states like California and laws like CIPA that preempts that and have stricter standards. So in the telemarketing world, telemarketers who record calls for things like quality assurance or training.
Compliance monitoring, things like this, you really need to ensure that you’re providing a clear disclosure and that you’re obtaining that consent before the beginning of the recording. And this is really important for telemarketers that are calling into the state of California, even if they’re located outside of the state. And I think that’s something that we often forget and it’s important to keep in mind. And then the last thing I would just add in there is that AI and automated tools have brought in some additional consideration. So it’s really just best to be transparent before the start of the conversation.

Jordan Eisner  
Right. Yeah, you brought up a good point there in that it’s not where the calls are placed from, but where they’re placed to. So no matter where you are, if you’re placing in the state of California, CIPA applies to you, there might be some exemptions that exist that you know I’m not aware of, but for the most part you can expect telemarketing into that state.

Kara Urbaniak  
Right.

Jordan Eisner  
That you need to abide by that law. OK, keeping in California, but moving to maybe a broader range. There’s the California Consumer Privacy Act. I’m sure most businesses are aware of it now, and I know it’s been.
Amended with the CPRA just a few years ago and now this is one of the first that we’re starting to see enforced with I think it was Sephora and then I can’t remember the other organization, but there was one earlier just this year, so.
How can CCPA impact telemarketers?

Kara Urbaniak  
Yeah, there are, like you said, there are a handful of states that have this and I think we’re just going to continue to see states and enact their own comprehensive state privacy laws. So understanding the basics is really important and looking to California is a good example there.
These kinds of privacy laws regulate the use of personal data that’s collected from consumers, as many of us know. So when things like call recordings end up capturing information like your name or your phone number or even your address, that information can then qualify as personal information under the state privacy laws.
So with that in mind, businesses really need to provide consumers with notice about what information is being collected and how it’s going to be used. And this needs to be upfront before the information is collected. So tying that back to call recordings, if the recordings are analyzed and going to be collected to assess things like.
Consumer sentiment or identifying things like purchasing signals or even training artificial intelligence tools that needs to be disclosed in your company’s privacy policy. Additionally, these state laws, most of them give consumers the right to request their information to be deleted or other rights like the right to opt out of the sale or sharing of their personal information. So these are also important considerations when your business is the one that’s storing things with call recordings that may potentially have their personal information in them or then potentially share or sell that information under the CCPA’s definition.

Jordan Eisner  
OK, well.
And I should have disclosed at the top of this podcast that this is going to be a pretty quick one. We’re moving right through these topics here.
So shifting away from the privacy law to a degree in talking about, you know, TCPA and other telemarketing laws.
Companies that outbound telemarket have been aware of that for a long time just by, you know, nature of the business and necessarily, you know, to stay above some of the potential fines that could be levied or class action suits against the company, but how can they incorporate efforts?
Into what they’re already doing to comply with TCPA and other telemarketing laws to bolt on to that these privacy laws. All right with with that effort. Does that make sense the way I’m asking that?

Kara Urbaniak  
Yeah, it does. Good question. Thank you. I would say one of the key considerations here, like you said, is really to collaborate the compliance efforts, meaning not treating the TCPA and the privacy laws as two totally separate instances, I think rather fostering collaboration across.
The teams to design workflows and consent practices that can account for both. So as we had discussed the TCPA and privacy compliance overlaps, we don’t want to silo them. So fostering collaboration across groups like compliance, marketing, legal operations and other relevant business areas.
This really ensures that the workflows address both the telemarketing rules and data privacy obligations. So teams that are handling TCPA compliance and teams handling privacy compliance don’t necessarily need to be working in isolation. We want to make sure that the workflows that they’re designing for the websites or other instances where consent isn’t.
Needed that they’re really working together and making sure that those two compliance areas work together. I would say. Secondly, you’d want to ensure that you update your privacy notices accordingly. So if you are going to be storing and collecting call recordings, you want to clearly disclose those if the in call, the calls or the in person conversations are going to be recording and how they will be used. So we don’t want to necessarily just say they’re going to be used or just say you know this call is going to be recorded. We want to kind of go beyond the generic statement in the privacy notice and explain to individuals how that will be used.

So whether it’s for training, quality control or even a I analysis, I think making that kind of upfront disclosure and providing that transparency really helps build trust with consumers and helps avoid surprises later down the line.
Another consideration I would say is training is going to be a huge aspect, so really just training relevant employees in both the TCPA front and privacy compliance. So if you have agents, they need to know not just about DNC rules but consent requirements for recording so.

Jordan Eisner  
Yeah.

Kara Urbaniak  
Understanding the basic requirements like how do you properly obtain consent for a recording, or what are some common things to look for and how to recognize when a consumer is trying to exercise what are their privacy rights requests. So keeping agents in your other.
Employees familiar with those types of use cases is going to be really important here. If consumers do make a request, I would say when other important consideration is doing that in a timely manner. So we see a lot of times that they’re getting these requests, they may respond to them, but it’s not always in the proper time frame.
So ensuring that your systems can locate, delete, or provide copies of personal information related to the consumer if they do make a request under these applicable state privacy laws is really going to be important and that that can be a big process, but understanding where your data is located and housed within your company is going to be really key.
Need to keeping this compliance and stay. Um.

Jordan Eisner  
Yeah.

Kara Urbaniak  
Lastly, I would just say like applying a layered consent approach, so securing consent for both contacting under the TCPA and then recording for or consent for recording or data use under the state privacy laws. So it’s not necessary that you want to combine the disclosure and make it so long and lengthy that the consumer isn’t understanding it but applying a layered consent approach and really implementing clear language can help get the consent for both at the same time. Bottom line though is really it’s just it’s really going to be important to weave together both privacy law requirements and your telemarketing compliance to reduce risk.
Build that consumer trust and streamline operations.

Jordan Eisner  
Straight to the point. Yeah, and I would say too the training stuff, and I think sometimes the why behind it is important too, with individuals not just so so there’s some understanding some connection.
As to why they do it, why it matters, and maybe that can help with retention of everything they’ve got going on when they’re outbound marketing right to be able to keep track with ensuring their compliance and honoring state specific laws.

Kara Urbaniak  
Definitely.

Jordan Eisner  
Anything else you would add?

Kara Urbaniak  
I think like I said, it really comes down to team collaboration across the two or across the various business units that’ll be involved and really just staying upfront and honest with consumers and providing that disclosure upfront is gonna help build trust and foster trust in your company to keep doing these kinds of things.

Jordan Eisner  
OK, short and sweet. Appreciate it Kara. And yeah, for our listeners and watchers. That was a lot and a little bit of time. If you have more questions on any of that, please don’t hesitate to reach out to us. Connect@compliancepoint.com is an e-mail you can directly e-mail into and you can also interact on our website compliancepoint.com.

Kara Urbaniak  
Thank you.

Jordan Eisner  
Many other ways to inquire and ask questions or get support until next time. Thank you, Kara. Thanks everybody else. Be well.

Kara Urbaniak  
Thanks, Jordan.