An Overview of the TCPA: Definition and Damages
The Telephone Consumer Protection Act (TCPA) impacts any company that communicates with consumers and businesses via telephone, facsimile or text messages. Whether the communications are designed to share information, gather information or market products or services, the sender must have the consent of the recipient or face significant fines and damages.
Enacted in 1991, the TCPA addresses consumer privacy issues, primarily for pre-recorded telemarketing calls to people’s homes or calls to mobile phones, where the cost of receiving calls shifts from the caller to the recipient. The TCPA authorizes the establishment of the federal Do Not Call list. In addition, it sets the rules for the types of consent needed to make certain types of calls. It also establishes a private right of action for aggrieved consumers that’s not generally available under the Federal Trade Commission’s (FTC) Telemarketing Sales Rule.
The TCPA is extremely attractive for plaintiffs. It provides for statutory damages of $500 per call or text or actual damages, whichever is greater, and up to $1,500 per call for willful or knowing violations. Clearly, there are significant potential damages for violations. For example, if a company were sending 10,000 text messages at $500 per text, it could face $5 million in potential damages. Importantly, there’s no cap on statutory damages. As a result, there are numerous multi-million dollar settlements each year.
The TCPA requires consumer consent before using an autodialer to send texts or make calls to mobile phones, as well as for sending pre-recorded marketing messages to landlines. The level of consent required under the TCPA is determined by the content of the message. Commercial or telemarketing calls require a higher level of consent. Calls that are purely informational require a lesser level of consent. There are also some exemptions in the TCPA, such as emergency notices, messages from service carriers (such as AT&T and Verizon) and healthcare messages under the Health Information Portability and Accountability Act (HIPAA).
The Threshold Question
When considering placing calls to mobile phones, there is one central question: “Is an autodialer being used?” The TCPA defines an autodialer as a system that has the “capacity to store or produce telephone numbers to be called using a random or sequential number generator and to dial such numbers.”
When the law was enacted in 1991, Congress recognized that there were abuses with autodialed calls that were made using numerical sequences or randomly in the hopes of reaching someone. But today’s world is different. Legitimate companies now use predetermined lists to reach consumers, usually developed through business leads or third parties. The issue is that the statute continues to define autodialers as “the capacity to store and produce telephone numbers…” That has been a problem in litigation. Plaintiffs plead that companies are using autodialers. But when companies use a dialer today, the numbers are not automatically dialed. Numbers are entered into the system, and someone has to press a button to make the call.
As a result, companies and industry associations have petitioned the Federal Communications Commission (FCC) for a clear definition of an autodialer. Last July, the FCC issued a ruling saying that a system can be an automatic dialing system if it has the “potential capacity to autodial,” even though it’s not currently being used for autodialing. The ruling rejected petitions seeking a “present” capacity definition. It also said that, if a system requires a software fix or the unlocking of a dormant function to perform autodialing, it is still an autodialer.
The FCC did caution that “theoretical capacity” is not sufficient to classify a system as an autodialer. It did not, however, detail what theoretical capacity means, specify how easy it must be to modify a system for autodialing or define what the system is. Therefore, the only safe dialer that’s not an autodialer is a traditional rotary phone.
Consent for Informational or Transactional Calls
The TCPA draws a distinction between informational calls and marketing calls. Examples of informational calls include debt collection, political messages, airline notifications, surveys or research calls, bank balances and fraud alerts, school notifications and payment reminders. These are messages that the FCC considers “expected and desired by consumers” and are thus not marketing.
Informational calls require prior express consent. The FCC has ruled that if consumers provide their cell phone numbers to the caller, whether in writing or orally, they have given consent for the caller to contact them for informational or transactional messaging, but not for marketing.
There are critical points to consider, however. For example, in the recent Kolinek v. Walgreen Co. case, Mr. Kolinek sued Walgreens because he had received a text message reminding him to refill a prescription. He had provided Walgreens with his mobile number when he picked up his prescription but had supposedly been told that it would only be used to verify his identity for future refills. When Walgreens used the number to send text messages with the refill reminders, Mr. Kolinek sued on behalf of all similarly situated consumers.
The Court denied Walgreens' motion to dismiss because questions remained about the context in which Mr. Kolinek and other members of the class provided their phone numbers and the expectations of how the numbers would be used. The case eventually settled for $11 million. As this case demonstrates, it’s important to consider consumers’ expectations when they provide their phone numbers.
Consent for Telemarketing Calls
Under the TCPA, there are two types of calls that require a higher level of consent:
- An “Advertisement,” which is defined as “any material advertising the commercial availability or quality of any property, goods, or services.”
- Telemarketing, which is defined as “…the initiation of a telephone call or message for the purpose of encouraging the purchase or rental or investment in property, goods, or services which is transmitted to any person.”
Advertisements and telemarketing require “prior express written consent.” Prior written consent is “an agreement in writing, bearing the signature of the person called, that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or pre-recorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.”
Written agreements, which can be electronic, must clearly and conspicuously disclose that:
- The agreement authorizes the seller or the caller to deliver telemarketing calls using an automatic telephone dialing system or an artificially prerecorded voice. and
- The person is not required to sign the agreement or enter into the agreement as a condition of purchasing any products or goods or services.
Prior express written consent can be obtained in print, online or through an Interactive Voice Response (IVR) service. The agreement must include the consumer’s wireless number, as well as his or her signature. If the agreement is online or through IVR, it must satisfy the ESIGN Act, with consumers having to click or press a key to provide their electronic signatures. If the agreement is executed over the phone, the call must be recorded.
What If Calls Contain Both Informational and Marketing Content?
According to a July 2003 FCC Report and Order, if a call or text contains both informational and marketing content, it’s considered a marketing call. If the content includes any type of marketing message, it puts the entire call in the marketing category.
For example, if a mortgage broker calls to inform customers of lower interest rates—even though customers want that information—the call is considered marketing because it’s communicating the availability of a new mortgage product. Calls from phone companies introducing new calling plans or from credit card companies offering overdraft protection fit a similar profile and also are considered marketing.
Companies can include URLs in text messages, if they are strictly for informational purposes. If the URL links to any kind of marketing on the company’s web site, however, it becomes problematic.
The TCPA and HIPAA
The FCC recognizes that HIPAA offers certain privacy protections that are the same as or exceed those of the TCPA. Therefore, in certain areas, the FCC has provided a carve-out for messages that are subject to HIPAA.
In its October 16, 2012 ruling, the FCC added two exemptions from the prior express written consent requirement for marketing calls:
- Artificial voice or prerecorded telemarketing calls to residential phones are exempt from the TCPA’s prior express written consent rules, if the call delivers a healthcare message made by or on behalf of a covered entity or business associate, as defined under the HIPAA Privacy Rule.
- Mobile phones have a similar exemption, requiring only prior express consent—meaning that the consumer has provided his or her mobile number to the caller.
What Is a Healthcare Message?
If a call is healthcare related or delivers a healthcare message, the HIPAA rules apply. If it’s not healthcare related, the TCPA rules apply. But what is a healthcare-related call or healthcare message?
A healthcare-related call or healthcare message must be from a covered entity or a business associate, as those terms are defined in the HIPAA Privacy Rule. The challenge is that, while the HIPAA Privacy Rule addresses the use and disclosure of protected health information (PHI), it does not make it clear what constitutes a healthcare message.
In its 2012 ruling, the FCC offered the following examples of calls that would be eligible for the exemption: prescription refills, immunization reminders, post-hospital discharge follow-up, health screening reminders, medical supply renewal requests and generic drug migration recommendations.
Marketing Under HIPAA
HIPAA has its own definition of what is and isn’t marketing. Under HIPAA, marketing is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” A communication is not marketing if it imparts information about a product or service that is included in a healthcare benefits plan offered by a covered entity, gives information concerning treatment or describes goods or services for case management or care coordination.
The 2015 FCC Ruling: Exigent Healthcare Message Exemption
In 2015, the FCC issued another ruling in response to several petitions seeking an exemption from the TCPA’s consent requirement for calls or messages that impart sensitive and exigent health information. Broader than the 2012 exemption, the 2015 ruling exempts messages that are expected and desired by consumers, such as appointment reminders, lab results, wellness checkups and preoperative instructions. The FCC granted the exemption, but placed significant restrictions on their use, which, in many people’s opinion, make it moot. These conditions include:
- The call must be free to the end user.
- The customer must provide the wireless phone number to the caller.
- The message must contain certain disclosures.
- The message may not contain any telemarketing, cross-marketing, solicitation, debt collection or advertising content.
- The message must be short—one minute or less for calls and 160 characters or less for texts.
- There must be an easy opt-out mechanism and an immediate honoring of opt-out requests.
- There can be no more than one message per day, three messages per week, per sender.
To analyze their risks of violating the TCPA, organizations should ask themselves the following questions:
- Does the technology being used trigger the TCPA’s consent requirements? (It’s important to ensure that the dialer does not have the capacity to autodial.)
- Is the type of number being dialed mobile or residential? (The autodialer issue only comes up for mobile numbers.)
- Is the message likely to be deemed telemarketing or an advertisement under the TCPA?
- If the answer is yes, does an exemption or exception apply, such as the HIPAA exemption?
- If HIPAA does apply, is the call likely to be considered marketing under the HIPAA Privacy Rule?
When seeking to mitigate risk, organizations might consider the solutions on the market that scrub mobile numbers from call lists. They are not perfect, but they do reduce the risk of inadvertently dialing a cell phone.
Taking the following steps is the most effective way for organizations to avoid TCPA liability:
- Get and maintain the proper level of consent.
- For residential phones, use live agents and avoid prerecorded messages and artificial voices.
- For mobile phones, have live agents make manually dialed calls.
- Have members/subscribers identify the type of phone numbers they are providing.
- Hire a vendor to scrub for phone type—and scrub Do Not Call, wireless and reassigned number databases. (The number reassignment issue arises when someone provides consent and then changes her phone number and the old number is reassigned to a different individual who did not give consent.)
- Ensure the collection of consumer phone numbers is not limited. Don’t request consent for one specific purpose. Keep the request broad.
- Make sure to get prior express written consent for marketing messages/calls. Companies can obtain prior express written consent through member applications, account logins, customer service calls and online lead forms.
NOTE: After the webinars, on July 28, 2016, Anthem, Blue Cross Blue Shield of America, Well Care Health Plans and the American Association of Healthcare Administrate Management submitted a petition for an expedited declaratory ruling from the FCC, seeking to clarify provisions in the FCC’s July 15 Order related to healthcare calls. The petition states that it was made at the request of the staff of the FCC’s Consumer Protection and Governmental Affairs Bureau. The proposed revision would clarify the FCC’s analysis of what constitutes “prior express consent” when non-telemarketing calls are made by HIPAA-covered entities or their business associates. The revisions would also clarify that “prior express consent” can pass through a third-party intermediary (such as a state Medicaid agency), if the party’s interaction with an individual is subject to HIPAA. As revised, Paragraph 141 of the July 15 Order would read (with bold indicating changes/additions):
Para. 141: “We clarify, therefore, that provision of a phone number to a HIPAA “covered entity” or “business associate” as defined by HIPAA’s implementing regulations, whether by an individual, another covered entity, or a party engaged in an interaction subject to HIPAA, healthcare providerconstitutes prior express consent for treatment, payment, and health care operation healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls within the scope of the consent given, and absent instructions to the contrary.” Examples of Prior Express Consent include, but are not limited to, the provision of a telephone number by an employer or a party authorized to implement the health insurance enrollment, application or renewal process on its behalf, and a state Medicaid agency or another governmental entity and/or their business associate(s) engaged in an interaction subject to HIPAA.
The petitioner also seeks a declaratory ruling relating to the “free-to-end-user” aspect of the exemption. The July 15 Order reads that the exemption only applies to “healthcare providers.” As revised, the July 15 Order exemption would also apply to a HIPAA-covered entity or business associate.