Laws regulate nearly every aspect of telemarketing businesses from training employees to fulfillment of purchased products. The newest types of law regulate the data businesses use to determine whether a service might be wanted – both how data are gathered and stored and how the information is used internally and between businesses.
Two relatively recent laws are good examples of both types of regulation, and though privacy laws are not, as yet, uniform or universal, you can expect more states to adopt rules like these in the coming years. As we saw with no-call list laws (also justified by residential privacy concerns), it does not take long for a requirement in only a few jurisdictions to spread nationwide.
California’s “Shine the Light” law. Many states have bank record privacy laws prohibiting disclosure of bank records without consent or legal process (e.g., a subpoena). California is the first state to enact a broader law regulating how any business shares data with third parties for marketing use.
As of Jan. 1, California required businesses that provide personal information about their customers to third parties for direct marketing purposes to implement a policy for how the data are shared and used and let consumers opt out of this marketing.
Businesses must inform customers of the types of data the company gave to third parties in the immediately preceding calendar year, the names and addresses of all third parties that received personal information from the business in the preceding calendar year and examples of the products or services marketed by those third-party firms. Consumers may request to opt out of this sort of marketing. A business cannot charge consumers for these requests.
Businesses that share this information are required to designate a mailing address, electronic mail address or a toll-free or facsimile number to which the opt-out and information requests can be delivered. The law requires all agents and managers who directly supervise employees having contact with customers to know this address and how to handle these requests, which need to be processed within 30 days.
Web sites must include a link to a page titled “Your Privacy Rights,” which explains the customer’s rights pursuant to this law (in addition to the business’ normal privacy policy).
The law exempts businesses with fewer than 20 full- or part-time employees but covers disclosure of almost all personal information including name and address, e-mail address, age and number of children of any consumer. The law provides for civil penalties of $500 per violation that can be raised to $3,000 per violation for willful, reckless or intentional violations, and attorney’s fees for successful plaintiffs.
Gramm-Leach-Bliley. On the federal level, the main data privacy law affecting telemarketing is the Gramm-Leach-Bliley Act, which regulates how financial institutions protect the security and confidentiality of customers’ nonpublic personal information. The Federal Trade Commission has adopted regulations to implement the act’s privacy provisions. Congress passed GLB in 1999.
Financial institutions must provide consumers a privacy notice before disclosing any nonpublic personal information to unaffiliated third parties. While clearly applicable to financial companies’ “inhouse” calling, GLB also applies to outsourcing businesses.
GLB requires this annual notice to include the financial institution’s policies and practices with respect to disclosing nonpublic personal information to affiliated and nonaffiliated third parties, disclosing nonpublic personal information of people who have ceased to be customers of the institution and protecting nonpublic personal information of consumers. Among the items required to be disclosed in the privacy policy are:
· The categories of nonpublic personal information collected about customers.
· The categories of nonpublic personal information disclosed concerning current and former customers.
· The categories of affiliates and nonaffiliated third parties to whom nonpublic personal information is disclosed.
· An opt-out notice allowing consumers to prevent the disclosure of nonpublic personal information to nonaffiliated third parties.
· The business’ policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Vermont has a similar privacy provision applicable to financial institutions that covers disclosure of financial and health information regarding those institutions’ customers.
The FTC’s safeguard regulation describes how financial institutions must protect customer information. These institutions are required to develop, implement and maintain a comprehensive information security program to identify and address risks to the security of protected data. Third parties that provide services to financial companies should be aware of GLB and how it will regulate their relationship with their clients and will likely be required by contract to ensure compliance with this federal law.
