Consumer choice over data has been an increasingly important issue for regulators and litigants alike. With several states passing comprehensive privacy laws in recent years, most of the focus has been on digital marketing and adtech. However, businesses should not lose focus of changes in the telemarketing world—under the new privacy laws, the federal Telephone Consumer Privacy Act (TCPA), or state “mini-TCPAs.”
State Privacy Law Concerns
As of July 1, 2023, there are four states with comprehensive privacy laws in effect and another nine that have passed laws going into effect in coming years. The laws differ, but in general, they require disclosures relating to what personal data is being collected, the source of the data, and whether it is shared or sold. They also generally require businesses to offer consumers the right to opt out of data sales.
Each company’s compliance regime will look different. However, certain practices relating to telemarketing—including those involving lead lists—could trigger notice and opt out obligations under these new state laws.
TCPA Updates
In 2021, the Supreme Court held in Facebook v. Duguid, 141 S. Ct. 1163 (2021), that to constitute an automatic telephone dialing system (ATDS) subject to the TCPA, the system needs to have the capacity either to store or produce a number using a random or sequential number generator. In the subsequent years, there have been several cases that appear to have further narrowed the TCPA liability threat, requiring actual use of the random or sequential number generator for liability.
For example, in Panzarella v. Navient Solutions, Inc., 37 F.4th 867 (3d Cir. 2022), the Third Circuit held that a for a call to violate the TCPA, it must actually use an ATDS’s capacity to store or produce a number using a random or sequential number generator—capacity without use is not enough. The Southern District of New York came to the same conclusion in Jiminez v. Credit One Bank, N.A., 2022 U.S. Dist. LEXIS 179434, *19 (S.D.N.Y. Sept. 30, 2022).
However, while the litigation landscape may be trending in favor of defendants, businesses must still stay abreast of regulatory changes. On July 20, 2023, the TRACED Act amendments to certain exempted calls went into effect. Pursuant to those amendments, artificial or prerecorded calls made to residential lines for non-commercial purposes, or for commercial purposes that do not constitute telemarketing, are now subject to a limit of three calls within any consecutive thirty-day period if made without consent.
State Mini-TCPAs
As court rulings have narrowed the scope of TCPA liability, several states have begun pushing back with their own “mini-TCPAs.” These laws vary quite a bit, and new bills are proposed in multiple states each legislative season. However, there are some common components that often appear in these bills.
Many states expand the definition of autodialer, reducing the impact of the Duguid holding. These laws also often require mandatory disclosures about opt-out rights and options.
Another common component is to expand the TCPA’s quiet hours. The TCPA prohibits calls before 8:00 AM and after 9:00 PM. Many mini-TCPAs tighten those quiet hours in different ways: Some laws adjust the start time to 9:00 AM, while others adjust the end time to 8:00 PM. Other laws impose call volume restrictions, limiting the number of calls within twenty-four hours.
In other words, while the TCPA front may be moving towards a more predictable risk landscape, the mini-TCPA front is getting less predictable. Given the fact that some of these laws have private rights of action with statutory damages, businesses should monitor these developments closely.
Greg Szewczyk is a partner with Ballard Spahr and a co-chair of its national Privacy and Data Security group.