S2 E19: State-level TCPAs: The Requirements and Risks

State-level TCPAs: The Requirements and Risks


Jordan Eisner: Well, hello everybody. Welcome to Compliance Pointers and welcome back to those of you who are regular listeners and subscribers. I’m your host, Jordan Eisner, VP of Sales with CompliancePoint.

Not too much about me. I’ve been with the company for 10 years, was a consultant for a little time, and now head up really business development, work closely with our delivery team, and have a very basic understanding of a lot of these different regulatory areas and frameworks and new areas of data security and privacy that we’ll consult on.

But I’m always joined by guests and consultants with specific knowledge or high expertise in a particular area. And today, that’s Kevin Mayfield and Tony Jarnigan from our marketing compliance group. And these are very expert consultants in the FCC’s Telephone Consumer Protection Act, the FTC’s Telemarketing Sales Rule, state-specific rules around telemarketing or direct marketing as it’s sometimes referred to, texting, calling consumers directly for the purposes of solicitation, or sometimes just for even informational, right?

Because there’s a lot of laws, federal and state, that govern communication directly to consumers. It’s privacy law and other sorts of things here in the United States and abroad. So today, we’re going to be discussing the TCPA, but not at a federal level, actually. So several states have passed what we and others have deemed many TCPAs that put restrictions on direct marketing efforts inside their own borders.

And so today, we’re going to dive into those laws, what they require, and what the risk would be to not comply within these states and maybe what organizations or our clients we serve are doing.

But before we start with the first question, as I mentioned, I’m Kevin Mayfield. Kevin, I think you’re going to be 10 years with CompliancePoint this year. I might have done this on a previous intro, but that’s right, isn’t it?

Kevin Mayfield: Ten years in July, yep, 10 years.

Jordan Eisner: Ten years in July. Okay, so just a couple months out. Worked for a parent company originally and then worked for financial institutions previously, and then came back, CompliancePoint, wow, almost 10 years ago now at this point. Yeah, so managing consultant on the team.

Anything else you would want to add, Kevin?

Kevin Mayfield: This is my second podcast this year already. One of my goals this year was to take my telemarketing expertise to the web. And so I’m doing that in the way of podcasts, it appears.

Jordan Eisner: You know, you got to give the people what they want. And that’s more of you talking about telemarketing compliance.

So and then, Tony, I got your tenure right the first time we did a podcast. The second time, I think I doubled it. And I’ve thought about that. And while I have egg on my face for getting it wrong, I think that’s because you were a client of ours for so many years too that I’ve obviously been familiar.

So now I’m just making excuses for myself, right? So Tony, what would you add for yourself too? I know it’s been a couple of years at CompliancePoint working closely with Kevin Mayfield and Steve Gniadek who have also had as well from our marketing compliance group. Prior to that, you were with Disney Grand Vacations. What else would you add?

Tony Jarnigan: Oh, Disney Vacation Club.

Jordan Eisner: That was a big taboo. See, I keep putting my foot in my mouth.

Tony Jarnigan: I was with Disney, as you mentioned, Disney Vacation Club for 10 years and Disney did many other things before that. And then other big-name organizations before that. So I actually have probably over 20 years of experience in this space.

Not to try to outdo Kevin, but 20 years.

Jordan Eisner: Well, let’s dive into the questions. Tony, I think I’m going to since you have more experience than Kevin. Send them all your way and Kevin can add any color that he wants to. But let’s start with the basics. What are mini-TCPAs?

Tony Jarnigan: Well, that’s a great question to start off with and you’ll undoubtedly get different answers depending on who you talk to and what you read. Some reference the term to mean any state law that has any similar provisions as the federal TCPA or Telephone Consumer Protection Act, or most often are more restrictive in any area of the TCPA.

And in that context, the term has been around really, a lot of people think it’s only been around the last three years. It’s been around quite a while. I’ve seen it referenced the term mini-TCPA reference for several years, at least 10 years, maybe longer to just reference those laws and states where it’s more restrictive in any area of the TCPA.

But it sprung up again in the last three years or so in the context of state laws that define automated system much more broadly than an ATDS or again, automatic telephone dialing systems is defined. And that’s the context of our discussion today. So we’re talking Florida, Oklahoma, and then more recently, Maryland. And then even currently, there’s a proposed law in West Virginia.

Jordan Eisner: Okay. Florida, Oklahoma, Maryland, and proposed law in West Virginia. Got it.

Well, let’s start there. Give us a bit of a background on those states and what gave rise to this movement.

Tony Jarnigan: Well, so for years, what constituted, and as many of our listeners may remember, what constituted an ATDS was in a state of flux, right? There are different federal courts throughout the country defined the term differently. So the considerations were different depending on where you were calling. Everyone clamored for a more consistent definition.

So in 2021, we had the landmark Supreme Court Facebook decision. And there the SCOTUS ruled that it’s a system that must either store telephone numbers to be called using a random or sequential number generator or produce numbers to be called using a random or sequential number generator. And that’s a pretty narrow definition compared to what many jurisdictions had been holding. And, you know, we’re only talking cells here, no landlines.

And the telemarketing industry was very happy with that more narrow definition. Plaintiff’s attorneys couldn’t be happy about that though, right? So just three months later, again, this is July 2021, Florida passed a rather startling law that used the term automated system and said it’s one that selects nothing about how it selects, but one that selects or dials a number to both cells and landlines.

So even if your agents are fat-fingering dialing your system selected, the next record to be called is probably an automated system. And you’re now in scope for having to get express written consent as well as in scope for other provisions that, you know, we’ll talk about in a minute.

The following year, Florida considered changing the or language to and, so that, you know, the system would have to both select and dial the number, but it failed then.

In the meantime, Oklahoma passed a copycat law in 2022 using the same “or” language, but there are quite a few exemptions there as we’ll see. Another copycat law was proposed in Michigan, it failed. Then Maryland last year proposed and passed a copyright version. Again, using the broader or language.

But Florida did again propose changing its language to and, and it passed last year. So the state that got the whole thing rolling, my current state of Florida, walked its language back so to speak. And we still have Oklahoma and Maryland using the or language. And now there’s, as we mentioned, there’s the law proposed in West Virginia that uses the same or language.

Kevin, do you have anything you want to add there?

Kevin Mayfield: Just I guess reiterate on, you know, as to Jordan’s question on what got this movement rolling, really was that Supreme Court decision. And you know, there was a lot of plaintiff’s attorneys out there that make their living off suing people under the TCPA. And when it became more difficult, I mean, there’s no doubt in my mind that, you know, that this movement is being driven by the plaintiff’s attorney and lobby groups and so forth to make it easier for them to sue companies under their many TCPAs.

Jordan Eisner: And you mentioned requiring express written consent. Define that, right, for the audience.

Tony Jarnigan: Well, similar to the TCPA, right, if you’re calling a cell phone, but now again with these many TCPAs that includes landlines, you know, with what would be a system that is defined under the state law, you have to have express written consent. And you know, there are a number of elements there.

You have to have, you have to make sure that the person is providing you consent to call them with an automated system that would again, which would be that would constitute an automated system under the state rule, you know, at a specific phone number that your consent is not required in order to be able to purchase.

What else Kevin?

Jordan Eisner: Some sort of action, right, like checking a box or something.

Tony Jarnigan: Yeah, you have to affirmably check a box. It can’t be pre-checked.

I’m sorry, Kevin, I think we talked over you. What did you add?

Kevin Mayfield: Oh, just that, you know, that the language should mention that it’s going to be, you know, telemarketing calls or calls about products and services, some of that nature.

Jordan Eisner: It needs to be clear and conspicuous. I remember some of that.

Tony Jarnigan: Exactly right. It needs to be clear. That’s a big one. Thanks for reminding us, Jordan. It has to be clear and conspicuous, that means that generally it should appear above the call to action button, not afterwards. And it should be generally appear in the same font size and with the same contrast, you know, with the background as the surrounding language.

Jordan Eisner: Some very clear requirements. And so the states, from what you can tell, right, with their express written definitions, mirror that of the TCPA, or they’re very similar, at least if you have express written consent as defined by the TCPA, can you assume that you have it in those states?

Kevin Mayfield: Yeah, we’ve gotten a legal opinion on that. And our attorneys felt like, you know, if you’ve got express written consent under the TCPA, that it’s valid for these state mini TCPAs as well.

Jordan Eisner: Well, I spent a lot of time talking about or asking, following up on the EWC express written consent. I was going to ask about other usual provisions, right? So express written consent, what else, you know, are these states being coined mini TCPAs, what other provisions are usual?

Tony Jarnigan: Well, the big one, right, is the broader definition of an automated system, again, being one that selects and or dials a number, depending on which state you’re looking at now, whether it’s Florida or one of the other two. And with, you know, much broader than the TCPA.

And then no more than three call or text attempts in 24 hours. That’s had a fairly big impact on a lot of businesses. So you got to make sure you’re in fact including any solicitous texting in the attempts count. So if you’re calling three times in 24 hours and also texting once, then you’re over the limit, right? Because texts are calls, calls are texts. So you need to make sure you’re including texts in your in your attempts limit as well.

These states are also trimming off an hour of calling time at the end of the day. 9:00 p.m. is too late, which is the federal standard. So they’re requiring the business stop calling at eight.

There’s also a rebuttable presumption that a call or text to a state area code is to a resident of that state. So you should be basing your calling rules on state of residence, as we’ve always advised, and you should have records showing that a consumer if a consumer lives outside the respective state, even though they may have an area code of that state and you’re not abiding by all these owners requirements to call that consumer, you need to make sure you have proof that they live elsewhere other than the state. So that again, it’s a presumption that is rebuttable if you have the proof.

They generally contain a reference to caller ID requirements and basically you just can’t make sure you’re not blocking caller ID from being transmitted.

Kevin, do you have anything else to note there?

Kevin Mayfield: Just to add on a little bit about the three calls or text within a 24-hour period. You know, that’s hard, hard for some people to manage. I mean, a lot of a lot of companies, it’s easy for them to manage three calls in a day. But this we’re talking about rolling 24 hours here, right? So that becomes a little bit more difficult.

Also the state of Florida doesn’t define calls and texts. So therefore, you know, we’re advising that you should treat them the same, right? So that doesn’t mean you get three calls and three texts. I mean, you’re calling a phone number, you’re texting that same phone number, you’d be pretty hard pressed to make an argument that texts aren’t calls and calls aren’t texts. So just be mindful of that if you are texting that, you know, that’s going to those are going to count in that attempt.

Tony Jarnigan: Also, another question we get to is sometimes about, well, what are the subject matter parameters around there? And the laws generally say that, you know, it has to be, you can’t call more than three times in that rolling 24-hour period about the same subject matter. I don’t think that that’s necessarily an invitation that you can get creative with, you know, trying to disguise what you’re calling about. So if you’re if you’re a business that’s offering, you know, generally the same kind of business, then, you know, you’re probably in scope for this three-call limit, regardless of how you tee up the purpose of the call. So we wouldn’t advise testing that at all.

Jordan Eisner: Yeah, I my mind goes to the three-bite rule. But that’s because I have young children at home and require three bites before they can say they don’t like something. Same goes in the telemarketing world. Three calls for it to next day.

Well, let’s talk about what matters then, right? Real world impact. What’s the risk of noncompliance here? You know, what are you seeing? Is it really just theory right now? Or are we seeing legal action against organizations breaking these laws? What’s the current state?

Tony Jarnigan: Well, we certainly saw a lot in Florida after the law passed and then they changed their like I said, they walked their language back. I’ll let Kevin speak to the rest of that.

I don’t know that we’ve seen a whole lot of action in Oklahoma. Again, they have 20-some exemptions in Oklahoma. I don’t know that we’ve seen a whole lot of action in Oklahoma yet.

And it’s Maryland’s law just took effect January 1st, so it might be a little too soon there. Maryland’s law just got amended recently and I’ll speak to more than just a second that have much bigger impact.

So you have to be more concerned about your systems in these states, right? So even you say, well, I don’t I’m not using an ATDS, you know, under the TCPA as it’s defined because of the Facebook decision. But you know, more than likely, there’s a lot more platforms out there that’s going to be captured in the definition of these state laws. So you have to make sure you have express written consent.

Like I said, Oklahoma has several exemptions, so that’s probably I’d say the least risky of these simply because there are so many exemptions, including calls to EBRs or established business relationships.

Again, Florida is not as risky anymore since the change to its language from or to and.

But you know, there’s it’s both Florida and Maryland now have, you know, penalties that were $500 for violations similar to the TCPA and traveled up to fifteen hundred. So again, Maryland just amended their law to include a private right of action for statutory damages. It had already had a private right of action for actual damages. Now it is similar to the TCPA with, you know, $500 penalty per violation, as I said, for travel to fifteen hundred for if the violation is knowing and willful. Everyone always sues for the travel damages so you might as well say $1500.

Another aspect of this is that the amendment also has language that would presume to invalidate any arbitration clause that businesses are using associated with consent. You know, where you’re trying to get consumers to agree to arbitrate claims versus going to court. So that’s interesting. That’s the first time that I think that’s the first time I know of personally that, you know, a state is, you know, would attempt to invalidate arbitration clauses that businesses are using.

Kevin Mayfield: More evidence that that’s being driven by the plaintiff’s attorney lobby groups.

You know, I would add is that this Maryland thing is no joke. Like we when we saw this get passed in Florida initially, which is it mimics what Maryland has. I mean, I think there were some like two thousand lawsuits filed in the first year or something like that.

I mean, if you’re calling into Maryland, there’s a 100% chance that a whole lot of people calling into Maryland are going to see themselves getting sued under this law because even if you’re calling with a preview-type system where it’s selecting the record to dial, that’s going to bring it into the purview under this Maryland law.

And I mean, text blasting, you can forget about that. I mean, there’s no way around it. You’re going to be really any kind of texting platform unless it’s, you know, super manual one-to-one type thing.

Jordan Eisner: OK, so that’s helpful and I think brings into the light some of the scrutiny around it and the onus on the organizations to comply with this.

So what else? What else should they be aware of? This has been a great recap of these many TCPAs. What have we not covered, Kevin or Tony or Tony or Kevin that you would want to leave the audience with before we wrap up?

Tony Jarnigan: Well, this is an interesting aspect. I think that even if you have express written consent that probably exempts you from not being able to call if you based on your platform, right? But you may be exempt from the behavior, what we call the behavioral aspects, that is the calling times and attempts, but you may not be. You may still be, you know, even with express written consent, depending on the law, like in Maryland, even with express written consent, you know, we think that you would still be in scope for the calling times and attempts limit rule. So yeah, I mean, I think at the end of the day, if you’re getting express written consent, at least in these handful of states, right, express written consent, along with only calling and texting three times, 24 hours, making sure you have the records, you know, if you’re calling an area code that’s outside the state that shows that the person does in fact live outside the state, then, you know, you should be in pretty good shape.

But yeah, you just got to make sure you understand, you know, what applies to you.

Jordan Eisner: Kevin, anything you’d add?

Kevin Mayfield: No, I don’t think so. Tony did a pretty good job recapping everything there. Like you said, you just got to, you’re calling into one of these states, you got to understand what applies to you. And obviously, this is, we’re starting to see this as a trend. You know, it’s a very bipartisan type topic, and very popular for politicians to talk about and show what they did for their constituents and their state. So you know, we haven’t been seeing a lot of these things fail.

Michigan did fail, tried it and did fail. But for the most part, any of these that we’ve seen come down have passed with flying colors.

Jordan Eisner: Well, that’s good. Appreciate the update. Appreciate your guys’ time on this podcast today. I know we’ll have you back on here.

So thanks again, and thank you to our listeners. And subscribe if you haven’t already. And especially if telemarketing compliance is your thing, this is the source.

So yeah, subscribe, leave a review, tell all your friends. And if you’re interested on a more serious note, connecting with compliance, putting on any of these topics and seeing how we maybe could be a resource for your organization, please do visit our website, compliancepoint.com. Email us at connect@compliancepoint.com. Or reach out to Kevin, Tony or myself, all on LinkedIn and all happy to field your questions and concerns.

Until next time.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.