On Sept. 11, 2019, the California State Senate approved the Consumer Call Protection Act of 2019, SB-208. The measure seeks to protect consumers from fraudulent robocalls and enact into law provisions that, despite strong support from Federal Communications Commission (FCC) Chairman Ajit Pai, have not been enacted on the federal level. The bill empowers the Public Utilities Commission of California (Commission) to work with the attorney general to enforce the law, and also requires telecommunication providers to authenticate and verify caller identification for calls made using an internet protocol network.
Specifically, the bill dictates that telecom companies implement Secure Telephony Identity Revisited (STIR) and Secure Handling of Asserted information toKENs (SHAKEN) protocols (or comparable technology) that require outbound calls to be issued with a digital “token” that can be verified when received by the call recipient. If the tokens match, then the call is considered authenticated. If the tokens do not match, the recipient would be alerted to that fact.
Fraudulent Robocalls a Pervasive Problem, Expected to Worsen
Approximately 5.1 billion robocalls were made in October 2018, according to Irvine tech firm YouMail, with the average American receiving 16 robocalls per month. Such calls accounted for 30% of all calls made in 2018, according to First Orion, provider of caller-ID and call-blocking services for major cell companies. Some states and municipalities are harder hit than others, including California, with people in cities such as Los Angeles receiving nearly 172 million robocalls in October 2018.
Fraudsters typically utilize a technique called “neighbor spoofing,” where scammers pretend to be from the same area code as the consumer in the hopes the recipient will be more likely to believe the call is personally relevant. Common schemes that utilize neighbor spoofing include scammers falsely claiming to be a local utility company threatening to levy penalties for past due electric bills or fake IRS calls claiming that the recipient’s taxes are past due.
California’s Bill Creates Regulatory “Bite” that Recent FCC Statements Lack, but Opponents Cite Issues with the Bill
Proponents of the legislation note that while the federal government has encouraged telecommunication companies to implement authentication and verification technology to protect consumers, it has stopped short of requiring companies to act by a specified date. Therefore, California enacted this legislation to require companies to comply by a hard deadline to ensure strong consumer protections. However, the technology that SB-208 requires telecom companies to implement is expensive, causing worry that additional costs will be passed on to consumers since the legislation contains no provision requiring telecom companies to absorb the costs.
Opponents of the legislation note that state regulatory schemes not in lockstep with federal regulations create the potential for complicated compliance regimes, especially if other states follow California’s lead. Additionally, opponents assert that California’s law is not compliant with jurisdictional requirements, noting that the California Public Utilities Commission does not have jurisdiction over the wireless services that fraudsters use to send out its calls. Notes from the June 25, 2019 Assembly Committee on Privacy and Consumer Protection point out, however, that whether the callers are classified as a utility or an information service by the government, the “impact on the recipient of the call is identical” and therefore warrants such oversight.
Robocalls are a pervasive problem throughout the nation, and California’s proposed legislation outlines a definitive solution, which the federal government strongly supports. However, the cost associated with the implementation of the new technology is steep, and costs are likely to be shouldered by consumers.