We entered 2021 with a new U.S. administration and fresh ideas about the regulatory role of the federal government.
Based on President Joe Biden’s public statements and appointments to key leadership positions, there was reason to expect some significant changes in the laws that directly impact contact centers.
However, 2021 has turned out to be a very difficult year for getting new legislation passed. There have been bold proposals, but a sharply divided Congress has constrained the ability to move forward on new laws.
There have been bold proposals, but a sharply divided Congress has constrained the ability to move forward on new laws.
Consequently, there have been some refinements to existing federal laws. However, most of the significant action in 2021 has been at the state level.
(As a word of caution, laws and regulations are highly complex, subject to change, and for every rule there are always exceptions. Any effort to summarize in a few bullet points laws and regulations that can extend to hundreds of pages each necessarily omits information that may be very pertinent to your particular situation. Do not confuse this article with legal advice.)
Telemarketing Sales Rule (TSR)
- The Telemarketing Sales Rule requires telemarketers to make specific disclosures of material information, prohibits misrepresentations, sets limits on the times telemarketers may call consumers, prohibits calls to a consumer who has asked not to be called again, and sets payment restrictions for the sale of certain goods and services
- Recent investigations indicate that the Federal Trade Commission (FTC) may now be resurrecting the issue of the application of the TSR’s “established business relationship” (EBR) exemption to an internet-based lead generation mechanism
- The TSR provides, among other things, that it is a violation of the Rule to initiate any outbound telemarketing call to a person when that person’s telephone number is on the National Do Not Call Registry, unless the seller has an EBR with such a consumer
- According to the FTC, the lead generation entity must itself have a relationship with the consumer. In other words, it is the lead generator, not the service provider, which has an inquiry-based EBR with the person
- TSR regulations now require telemarketers and sellers to include a clear and conspicuous description of the material terms and conditions in the recording of the featured goods, services, or charitable donations for which payment is sought. The FTC had previously permitted the use of an audio recording to memorialize a consumer’s oral authorization of a charge for a telemarketing transaction if the payment was not made by a credit or a debit card, provided that the telemarketer also made certain disclosures to the person
Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act)
- The TRACED Act is the first federal anti-robocall law. Passed in 2019, it provides additional protections to those included in the Telephone Consumer Protection Act. These include prohibiting telemarketing robocalls to individuals who have not provided written permission to accept these calls. It also requires voice service providers to develop call authentication technologies
- In 2021 Congress directed the Federal Communications Commission (FCC) to establish regulations to create a process that streamlines the ways in which a private entity may voluntarily share with the Commission information relating to a call or text message that violates prohibitions regarding robocalls or spoofing. In response, the FCC directed its Enforcement Bureau to create and monitor an online portal located on the FCC website
- Providers of voice services must implement the STIR/SHAKEN authentication framework in their internet protocol networks and to take reasonable measures to implement an effective call authentication framework in their non-internet protocol networks
- Increases fines on spam robocallers from $1,500 to as much as $10,000 per illegal call
Fair Debt Collections Practices Act (FDCPA)
- The Fair Debt Collections Practices Act is intended to eliminate abusive, deceptive, and unfair debt collection practices. It also protects reputable debt collectors from unfair competition and encourages consistent state action to protect consumers from debt collection abuses
- The FDCPA has recently been amended. A debt collector may not call a consumer more than seven times within seven consecutive days or within a period of seven consecutive days after having had a telephone conversation with the person in connection with the collection of such debt
- The amended law now allows debt collectors to use email and text messages to communicate with consumers regarding their debts, subject to certain limitations
- Debt collectors are now prohibited from communicating or attempting to communicate through a social media platform if the messages are viewable by the general public or by the debtor’s social media contacts
- Voicemails collectors leave must be limited to providing the collection agency’s business name (without indicating the company is in the debt collection business) and requesting that the debtor respond to the voicemail. Voice messages also must provide contact information
New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
- The SHIELD law, signed into law in 2019 and which went into effect in 2020, expands data security and breach notification requirements to cover any business that collects the private data of New York residents, not just companies that conduct business in the state
- It requires that any person or business that owns or licenses computerized data that includes the private information of residents of New York must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information
- It also expands the definition of private information to include account, credit card, and driver’s license numbers and biometric information or alternatively, usernames or email addresses in combination with password or security questions
- Previously, for a breach to trigger a consumer notification, private information would have had to be actively acquired by an unauthorized party. Now a notification must be sent to any consumer whose data was simply accessed by an unauthorized party
- The New York State Attorney General can seek up to $250,000 for violations by a company, up from the previous statute’s $150,000
California Consumer Privacy Act (CCPA)
- The CCPA was passed by the California State Legislature in June 2018, signed into law in October 2019, and became effective on January 1, 2020. The CCPA applies to any for-profit entity that collects and receives personally identifiable information from California consumers and meets specified criteria. The entity need not be located in California
- Penalties are $2,500 for each violation or $7,500 for each intentional violation
- The first class-action lawsuit alleging data breaches under the CCPA was filed in February 2020 by California resident Bernadette Barnes in Barnes v. Hanna Andersson LLP and Salesforce.com, Inc. at the San Francisco division of the United States District Court.
Barnes alleges that high-end children’s clothing online retailer Hanna Andersson and its San Francisco, Calif.- headquartered cloud-based eCommerce platform Salesforce failed to adequately protect user data, therefore violating the CCPA.
Attorneys argue that Hanna Andersson left customers’ personal information vulnerable to access by unlicensed individuals and Salesforce failed to detect the data breach for almost three months.
The court heard that all during the breach—which occurred between September 16 and November 11, 2019—hackers stole personal information from an estimated 10,000 Hanna Andersson customers.
Virginia Consumer Data Protection Act (CDPA)
- The Virginia Consumer Data Protection Act was signed into law on March 2, 2021 and goes into effect on January 1, 2023
- Personal data is defined by the law as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not include de-identified data or publicly available information
- The CDPA applies to “…persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year, control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”
- The penalty is up to $7,500 for each violation
Colorado Privacy Act (CPA)
- On July 7, 2021, Colorado became the third state to pass comprehensive consumer privacy legislation. The Colorado act becomes effective July 1, 2023
- The CPA applies to businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data
- Personal data explicitly excludes any deidentified data or publicly available information
- Civil penalties are capped at not more than $2,000 per violation and not more than $500,000 total for any related series of violations
What to Expect in 2022
It is with great trepidation that I step out on the limb and make predictions about the future. As the great philosopher Yogi Berra once said, “Predictions are hard, especially if they are about the future.”
Based on some trends which are already underway, I feel fairly confident about new laws that may be passed by state legislatures.
However, based on some trends which are already underway, I feel fairly confident about new laws that may be passed by state legislatures. For federal legislation I am much less sanguine. Here goes:
- More privacy legislation at the state level. As noted earlier, California, Colorado, and Virginia have already passed privacy bills, and at this writing Ohio may soon have one become law. Other states where similar bills are working their way through legislatures are Hawaii, Maine, Maryland, Massachusetts, New York, and North Dakota
- Passage of a federal consumer privacy act. Over the years, various efforts have been made to enact a federal bill that ensures basic privacy rights to all citizens. The Information Transparency and Personal Data Control Act became the first piece of comprehensive privacy legislation introduced in the 117th U.S. Congress.
Although it may not happen in 2022, pressure from businesses trying to comply with multiple and sometimes conflicting state laws will compel Congress to enact nationwide standards.
- More states to introduce and subsequently pass “Gig worker” bills. California Assembly Bill 5 (AB5), popularly known as the “gig worker bill,” went into effect on Jan. 1, 2020. Among other provisions the bill establishes a test to differentiate between employees and contract workers.
The bill has been challenged in court, but it remains in effect at this time.
And, according to the Washington Post, legislators in Illinois, New Jersey, and New York are considering similar bills.
These bills have important implications for the contact center industry as there are companies that offer work-at-home independent contractor agents.
- Legislation at state level to expand paid family leave. More than 120 countries around the world provide paid maternity leave and health benefits by law, including most industrialized nations except Australia, New Zealand, and the U.S.
Efforts are being made to pass paid family leave legislation at the federal level, but as of this writing it is still being debated in Congress.
But four states: California, New Jersey, New York, and Rhode Island, currently require some form of paid family leave.
This is a very important benefit for contact center agents. Contact centers employ a large percentage of young working moms and dads that sometimes need time off to care for their children or elderly parents.
Regardless of federal action, companies with large contact centers may choose to provide paid family leave as an attractive benefit.
According to a report by Paid Leave for the United States entitled “Forging Ahead or Falling Behind? Paid family leave at America’s top companies” 29 of the top 60 employers in the United States now provide some form of paid family leave.
That’s it for now. See you this time next year. You can check www.pelorusreports.com for white papers and blog posts on legal/regulatory events. These are updated periodically.