State Law

Organization Seeks FCC Ruling Invalidating Amendments to Florida Telemarketing Law

As detailed in prior articles, the recent amendments to the Florida Do-Not-Call Act and the Florida Telemarketing Act (the “Florida Amendments”) created a state-level “mini TCPA.” The Florida Amendments went into effect on July 1st, 2021, and the state lawsuits now made possible under the new private right of action have already started to trickle in.

In an effort to thwart this endeavor, an organization called the Enterprise Communications Advocacy Coalition (ECAC), which describes itself as the “only coalition dedicated exclusively to advocacy on behalf of the contact center industry,” recently filed a Petition for Declaratory Ruling with the Federal Communications Commission. In the Petition, the ECAC asked the FCC to preempt those portions of the Florida Amendments that “relate to interstate telemarketing to the extent that they are more restrictive than” the FCC’s rules and regulations implementing the federal TCPA.

What is Federal Preemption?
The doctrine of federal preemption is based upon the Supremacy Clause of the Constitution, which states that federal law is “the supreme Law of the Land” notwithstanding any state law to the contrary. Under the federal preemption doctrine, federal law supersedes conflicting state laws. This can happen when a federal statute or regulation contains explicit preemptive language, or by implication, when Congress’s preemptive intent is implicit in the relevant federal law’s structure and purpose. The ECAC’s petition relies upon the implied intent of Congress in granting the FCC the power to enact uniform rules enforcing the TCPA.

The Petition
In its Petition, the ECAC points out that in 2003 the FCC itself observed that “any state regulation of interstate telemarketing calls that differs from our rules almost certainly would conflict with and frustrate the federal scheme and almost certainly would be preempted,” and that “any party that believes a state law is inconsistent with section 227 (the TCPA) or our rules may seek a declaratory ruling from the Commission.”

The ECAC argues that four specific aspects of the Florida Amendments create a more restrictive environment applicable to interstate telemarketing laws than the TCPA and its associated regulations and must therefore be preempted.  The four aspects are as follows:

Call Time Restrictions – The Florida Amendments narrow the permissible calling time window for telephone solicitations (which ends at 9:00 p.m. under the FCC’s rules) to 8:00 p.m. The Petition argues that this imposes increased compliance costs on telemarketers that make interstate calls to Florida residents and “frustrates the federal objective of creating national rules.”

Call Frequency Limits – The Florida Amendments restrict the number of “commercial solicitation phone calls” that a telemarketer may make from any number to any person over a 24-hour period to three (3) calls.   The Petition claims that this restriction places an enormous burden on telemarketers that initiate interstate calls to track this data, and infringes telemarketers’ rights to free speech.

Caller ID Restrictions – The Florida Amendments ban commercial telephone solicitors from using technology that “deliberately displays a different caller identification number than the number the call is originating from to conceal the true identity of the caller.” In the Petition, the ECAC notes that the FCC’s TCPA regulations “specifically permit the telemarketer to substitute the name of the seller on whose behalf the telemarketing call is placed as well as the seller’s customer service telephone number, provided that a call recipient may call the telephone number provided to make a do-not-call request during regular business hours.” Thus, the revised Florida laws, in this respect, are “expressly at odds with the TCPA regulations.”

Automated Equipment/Automatic Telephone Dialing System – The Florida Amendments restrict telephonic sales calls involving an “automated system for the selection or dialing of telephone numbers or playing of a recorded message when a connection is completed to a number….” In its Petition, the ECAC notes that the TCPA restricts calls initiated with “an automatic telephone dialing system,” a term defined in the TCPA and the FCC’s regulations, whereas “automated system” as used in the Florida Amendments is undefined. It goes on to argue that to the extent the undefined term in the Florida Amendments “includes equipment that is not within the definition of automatic telephone dialing system, the statute must be preempted.”

What Comes Next
Under Section 5(d) of the Administrative Procedure Act, the FCC may issue declaratory rulings terminating a controversy or removing uncertainty with respect to its rules. After a petition requesting such a ruling is submitted, the next step in the process is for the FCC to issue a notice seeking public comments on the petition. After the notice submission period, the FCC considers the comments and issues a ruling. The entire process can take months or longer, depending upon the matter and the agency’s timeframe.


Colorado Becomes the Latest State to Enact a Comprehensive Privacy Law

The Centennial State recently enacted a comprehensive new privacy law.  The Colorado Privacy Act (ColoPA) will become effective on July 1, 2023, six months after the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VA CDPA), which both take effect on January 1, 2023.  ColoPA is substantially similar to existing state privacy laws and the EU’s General Data Protection Regulation (GDPR), but there are some key differences. The remainder of this article summarizes the important aspects of ColoPA and how they compare to existing state privacy laws.

Definitions
ColoPA defines “consumer” to mean a natural person who is a Colorado resident acting only in an individual or household context in providing personal data, which is analogous to the VA CDPA’s definition of consumer and is narrower than the comparable definitions used in the CCPA and the GDPR. ColoPA specifically excludes an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

Under ColoPA “personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publicly available information.

Application
ColoPA applies to legal entities that conduct business in Colorado, or produce products or services that are targeted to Colorado consumers, and that either (1) control or process personal data of more than 100,000 Colorado consumers per calendar year; or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data, and control or process the personal data of at least 25,000 Colorado consumers.

ColoPA’s applicability standards are similar to those in the VA CDPA, although ColoPA’s second applicability standard is broader, encompassing the receipt of discounts as well as revenue from the sale of personal data.

Compliance Roles
ColoPA is similar to the GDPR and the VA CDPA in that it defines two main compliance roles: controllers and processors.   Controllers are required to perform a data protection assessment of any processing activities that present a heightened risk of harm to consumers, which includes processing for targeted advertising, profiling, and the sale of personal or sensitive data.

Those acting as a processor of data are to be governed by a contract that describes the type of data subject to processing, confidentiality obligations, subcontracting requirements, security measures, and audit rights.

Consumer Rights
Like existing state privacy laws, ColoPA grants consumers the right to make requests to (1) opt out of certain types of processing; (2) access their personal data; (3) correct inaccuracies in their personal data; (4) delete their personal data; and (5) obtain a copy of their personal data in a portable format.

ColoPA’s opt-out rights are similar to those in the VA CDPA, in that they allow consumers to opt out of processing of their personal data for purposes of targeted advertising, the sale of personal data, or for profiling the consumer in a way that produces legal or similarly significant effects on the consumer. A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary. As under the VA CDPA, a controller must also provide consumers with an appeals process if it denies a consumer’s request.

Rules and Enforcement 
The Colorado Attorney General will promulgate rules for a universal opt-out mechanism under ColoPA by July 1, 2023, and will further promulgate rules for issuing opinion letters and interpretative guidance to develop an operational framework, including a safe harbor for compliance, by July 1, 2025.

Thankfully, there is no private right of action under ColoPA. Instead, the Colorado Attorney General and district attorneys have exclusive enforcement rights. Upon receipt of a notice of violation, a controller has 60 days to cure the violation. However, the right to cure will be repealed on January 1, 2025.

Conclusion
As state after state introduces its own privacy legislation, the compliance challenges mount, which will increase the pressure on Congress to enact a single, comprehensive privacy law at the federal level that will preempt conflicting state law. Until that happens, those companies that may be subject to ColoPA should start planning for compliance, however challenging that might be.


Failure to Present Internal DNC Policy Can be Costly

In its infinite wisdom, when drafting the TCPA Congress included two separate and distinct grounds upon which to base a private cause of action.

§227(b) Claims

First, there’s 47 USC §227(b)(1)(A), which makes it unlawful “for any person within the United States, … to make any call… using any automatic telephone dialing system or an artificial or prerecorded voice … to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service” or (under §227(b)(1)(B)) “to initiate any telephone call to any residential telephone line using an artificial or prerecorded voice… without the prior express consent of the called party…”

§227(c) Claims

Then, there’s 47 USC §227(c), which codified the creation of the national DNC registry, and prohibits telephone solicitations to any number listed on the registry absent consent or other exemption. Subsection (c) includes a private right of action under §227(c)(5), which states that any “person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of the regulations prescribed under this subsection may, if otherwise permitted by the laws or rules of court of a State, bring, in an appropriate court of that State…an action to recover actual monetary loss or to receive statutory damages of up to $500 for each violation.”

Both §227 subsections (b) and (c) state that a “person or entity may bring, in an appropriate court of that State…an action to recover actual monetary loss or to receive statutory damages of up to $500 for each violation,” and give courts the discretion to treble damages for willful or knowing violations of §227(b) or (c).

So when bringing a TCPA claim under §227(b), the “violation” upon which the claim is based refers to calling a cellular line using an ATDS, or placing a prerecorded call to a residential line without the recipient’s prior express written consent. With a §227(c) claim, the “violation” consists of calling a number listed on the national DNC registry more than once in a calendar year without the recipient’s prior express written consent.

Despite the fact that “violations” upon which to base a TCPA suit are limited to the grounds stated above, TCPA plaintiffs frequently claim that other elements of the statute and its accompanying regulations also constitute “violations” that justify litigation. One such violation is the failure to produce a written internal DNC policy upon demand, as required by FCC regulation 47 C.F.R. 64.1200(d).

Many plaintiffs demand a written copy of a company’s internal DNC policy and sometimes file suit based on a failure to comply. Because they are unsupported by statute, courts often dismiss these “No DNC Policy” claims, but not always.

A company’s failure to produce a written DNC policy upon request recently resulted in a Massachusetts Court awarding damages based on that “violation.” In Perrong v. All Star Chimney Solutions, Inc., professional TCPA plaintiff Andrew Perrong filed a lawsuit that involved four automated calls placed to a number listed on the national DNC registry in violation of 47 U.S.C. §227(c), and also claimed that the defendant “did not have a written policy, available on demand, pertaining to do-not-call requests.”

Perrong obtained a default judgment. The Court awarded $500 for each call but did not grant Perrong’s request for an additional $500 for each call based on the defendant’s lack of a written do-not-call policy. Instead, the court determined that “the failure to maintain a written policy, available on demand, pertaining to do-not-call requests” designated only “one violation”, and awarded Perrong $500 rather than the $2,000 he requested.

Naturally, the Court should not have awarded anything for the “No DNC Policy” violation, but you can never count on a Court doing the right thing, especially when the presentation of a simple one-page document can prevent that outcome altogether.

The defendant’s failure to present a policy “on demand” only cost them $500 in this case, but it could have been far worse. Perrong’s lawsuit was not brought as a class action, and there is nothing preventing another court from mistakenly including a “No DNC Policy” award as an element of class action damages, which would increase potential liability by orders of magnitude.

The lesson is simple. Have a written DNC policy on hand and produce a copy whenever someone requests it. It’s not a very high burden to meet and doing so can save you a considerable amount of headache. Sample DNC policies are available for download on the Blacklist Academy platform.
