Call compliance is crucial for contact center managers. You shouldn’t ignore federal directives such as the Telephone Consumer Protection Act of 1991 and National Do Not Call Registry, and additional regulations for certain industries, as non-compliance can result in penalties and legal action. It’s important to brush up on call compliance and make sure you adhere to legislation and guidelines. Otherwise, you could jeopardize your business.
In this guide you will learn:
- The 2 call center compliance regulations that every call center manager should know.
- 7 additional call center compliance regulations that might impact your business, depending on your location and industry.
There are 2 Universal Call Center Compliance Regulations
As a call center manager, there are two major call compliance regulations you need to know:
Telephone Consumer Protection Act of 1991
The Telephone Consumer Protection Act of 1991 (TCPA) is a federal statute designed to protect the privacy of customers. This piece of call compliance legislation originally governed telemarketing communications via phone calls, but it’s since been extended to SMS texts.
At first, this law limited the use of automatic dialing systems, or “autodialers”, and pre-recorded voice messages, then incorporated fax machines, and then SMS. Although TCPA is nearly 30 years old, it’s still the bedrock of call compliance legislation in the United States, and you need to understand it.
TCPA stipulates what you can and can’t do when calling, faxing, and texting customers. Below is what you need to know:
Unless customers have given prior express consent, you can't:
- Call customers before 8 a.m. or after 9 p.m. (the customer's local time, not your call center's).
- Call numbers listed on the National Do Not Call Registry.
- Call people who have asked your company not to call them. TCPA rules also require you to keep your own company-specific do-not-call list and honor it, even for numbers that are not on the national registry.
You also can't use an autodialer or an artificial or pre-recorded voice when calling:
- An emergency line, hospital room, physician's office, health care facility, or other emergency service.
- Cellular telephones or smartphones (this is the rule behind the consent requirement for SMS).
- Any number where the called party is charged for the call.
Agents must always:
- Provide customers with their name and the name of the company.
- If asked, provide customers with a telephone number/address of the company.
There are other regulations, but these are the most important ones.
TCPA non-compliance can be costly. Customers or their attorneys can sue you for up to $500 for each violation (or recover any money lost, if greater), or seek a court injunction, or both. Customers or attorneys can sue you for up to $1,500 for each violation if the violation was “willful”, meaning intentional or deliberate.
National Do Not Call Registry
The National Do Not Call Registry (DNC), effective from 2003, improves compliance with TCPA. Essentially, it's a huge database maintained by the federal government (the Federal Trade Commission, or FTC, to be exact) which lists the phone numbers of customers who don't want to be contacted by telemarketers.
The premise is simple: If customers don't want to receive telemarketing calls, they can add their number to the DNC. As a call center manager, you can't call people on the DNC. Registrations originally expired after 5 years, but since 2008 they no longer expire, so a number stays on the list until its owner removes it or the number is disconnected. Telemarketers must download the registry and scrub their calling lists against it at least every 31 days; a stale scrub is not a defense. If you call a registered number, people can report you to the FTC. This is no joke, and the penalties are severe: civil penalties of more than $40,000 per violating call (the FTC adjusts the figure for inflation each year), significantly more than TCPA's private damages.
There are exemptions to this rule:
- DNC only applies to calls to consumers, not business-to-business calls.
- DNC doesn't apply to calls from political organizations, not-for-profit organizations, debt collectors, or people/businesses conducting genuine surveys (a "survey" that ends in a sales pitch is telemarketing).
- DNC doesn't apply to customers with whom you have an established business relationship: a purchase within the last 18 months or an inquiry within the last 3 months. This exemption ends the moment the customer asks you directly to stop calling.
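The TCPA calling-hours rule and the DNC scrub above are the two checks every outbound dialer has to run before placing a call. The following Python is an added example written for this guide, not code from any dialer product or from the original page; the phone numbers and registry entries are constructed sample data, and it assumes the customer record stores an IANA time zone name (an area code is not a reliable guide to where a mobile phone actually is). The calling window is enforced even when the customer has given consent, which is a conservative policy choice, not something the regulations force on you.

```python
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Constructed sample data (hypothetical numbers; not a real registry download).
# A real scrub loads the registry file your organization downloads from the FTC
# plus the company-specific do-not-call list TCPA rules require you to keep.
DNC_SAMPLE = frozenset({"+12025550143", "+13105550199"})
INTERNAL_DNC_SAMPLE = frozenset({"+14155550123"})

# Calling window, applied in the *called party's* local time.
WINDOW_START = time(8, 0)
WINDOW_END = time(21, 0)


def can_call(number, tz_name, prior_consent, now_iso,
             dnc=DNC_SAMPLE, internal_dnc=INTERNAL_DNC_SAMPLE):
    """Decide whether an outbound telemarketing call may be placed right now.

    number        -- E.164 string, e.g. "+12125550100"
    tz_name       -- IANA zone taken from the customer record (assumption)
    prior_consent -- True if the customer gave prior express consent
    now_iso       -- current time as an ISO-8601 string carrying a UTC offset
    Returns (allowed: bool, reason: str).
    """
    # A direct "stop calling me" request beats everything, consent included.
    if number in internal_dnc:
        return False, "on company-specific do-not-call list"
    # The national registry can be overridden by prior express consent.
    if number in dnc and not prior_consent:
        return False, "on National Do Not Call Registry without consent"
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must carry a UTC offset; naive times hide the bug")
    local = now.astimezone(ZoneInfo(tz_name)).time()
    # Window enforced regardless of consent (conservative policy; an assumption).
    if not WINDOW_START <= local < WINDOW_END:
        return False, f"outside 8am-9pm local window ({local:%H:%M} {tz_name})"
    return True, "ok"


def scrub(contacts, now_iso, dnc=DNC_SAMPLE, internal_dnc=INTERNAL_DNC_SAMPLE):
    """Filter (number, tz_name, prior_consent) tuples down to numbers that may be dialed now."""
    return [n for n, tz, c in contacts
            if can_call(n, tz, c, now_iso, dnc, internal_dnc)[0]]


if __name__ == "__main__":
    # 13:30 UTC on 1 June is 09:30 in New York (EDT) but 06:30 in Los Angeles (PDT).
    sample_now = "2023-06-01T13:30:00+00:00"
    batch = [
        ("+12125550100", "America/New_York", False),     # dialable
        ("+13235550177", "America/Los_Angeles", False),  # too early there
        ("+12025550143", "America/New_York", False),     # on the registry
        ("+13105550199", "America/New_York", True),      # on the registry, has consent
        ("+14155550123", "America/New_York", True),      # internal opt-out wins
    ]
    for n, tz, c in batch:
        print(n, *can_call(n, tz, c, sample_now))
    print("dialable:", scrub(batch, sample_now))
```

Two design points matter in practice: the decision is made per call at dial time (not once per day when the list is built), because a batch prepared at 8 p.m. Eastern is illegal to dial in the Pacific zone three hours later; and the function refuses naive timestamps, since a server clock in UTC silently compared against an 8 a.m. to 9 p.m. window is the most common way this check goes wrong.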
There are Industry-Specific Call Center Compliance Regulations
TCPA and DNC affect every call center manager in the US, but there are additional industry-specific call compliance regulations that might impact your operations. Most of these pertain to data governance (how you process, store, and share sensitive information) and general telephone etiquette.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) pertains to call center managers in the healthcare industry — all those working in hospitals, physician’s offices, retirement homes, etc. HIPAA is a complex labyrinth of data governance regulations, but call center managers should know, at the very least, the most important principle:
It’s against the law to disclose medical information without a patient’s consent.
Most of HIPAA concerns the sensitive information that healthcare organizations collect and process from patients. This is called protected health information, or PHI; when it is created, stored, or transmitted electronically, as nearly all of it is in a contact center (recordings, transcripts, CRM notes, chat logs), it's electronic PHI, or ePHI. You need to keep it safe.
How you keep ePHI safe depends on your approach to call management. Here are some of the ways you can incorporate the principles of HIPAA into your organization:
- Only provide access to ePHI to people who need it.
- Only provide people with ePHI for facilitating a particular task. Agents don’t need access to much ePHI if they are selling a medical-related product, for example.
- Only allow authorized users to access your private communications network.
- Authorized users should only communicate with other authorized users.
- Make sure you don’t transmit ePHI outside of your call center network.
- Keep ePHI safe in a cloud-based secure messaging network.
- Encrypt communications, both in transit and where they are stored (call recordings and transcripts are ePHI too).
- Use “message lifespans,” which remove messages containing ePHI from authorized users’ computers after a certain time.
- Use an “app timeout,” which logs out authorized users from your network after a certain time.
This list isn’t exhaustive, and not all of the items will apply to you. There are lots of ways you can adhere to HIPAA in a call-center environment.
Penalties for HIPAA non-compliance are more expensive than those for TCPA and DNC non-compliance:
- $100 to $50,000 for each violation or patient record, depending on the level of culpability.
- The maximum penalty is $1.5 million per year for violations of the same provision (both figures are adjusted for inflation).
Fair Debt Collection Practices Act
DNC doesn't apply to debt collectors, because collection calls aren't telemarketing (although once a debtor files for bankruptcy protection, the automatic stay bars collection calls altogether). However, call center managers working for debt collection agencies need to adhere to the Fair Debt Collection Practices Act (FDCPA). The FDCPA is enforced by the FTC and, since 2011, the Consumer Financial Protection Bureau (CFPB), not the FCC.
What you need to know:
- Agents can only call debtors during certain times of the day, 8 a.m. to 9 p.m. in the debtor's local time, and not at work if the agent knows the employer prohibits such calls.
- Agents cannot lie, harass, or engage in "unfair practices" over the phone or via other channels like SMS and email, and must stop contacting a debtor who is represented by an attorney or who has asked in writing that contact stop.
If you don’t comply with FDCPA, customers can take you to court and sue you for all kinds of things, such as:
- Damages for physical distress.
- Damages for emotional distress.
- Statutory damages up to $1,000 (per lawsuit, on top of actual damages).
- Lost wages.
- Wage garnishment recovery.
- Attorney fees/costs.
This can amount to thousands and thousands of dollars.
Truth in Lending Act of 1968
The Truth in Lending Act of 1968 (TILA) protects customers from lenders who use unfair and inaccurate billing practices. TILA is the oldest act in this guide, but this piece of legislation still has far-reaching consequences for call center managers who work for lending companies. You should be aware of this law if agents sell loans or process payments from customers over the phone or through other channels.
What you need to know:
- You need to disclose the key terms of a loan product (the annual percentage rate, finance charges, and total cost of credit) in a standard form so customers can compare offers with other lenders.
- Agents can't use high-pressure sales tactics when selling loan products.
TILA is different from some of the other call compliance regulations on this list. As well as civil penalties, call center managers who willfully/knowingly violate TILA can receive a criminal fine of $5,000, up to 1 year in prison, or both.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX), effective 2002, sets requirements for public company boards and management, public accounting firms, and some privately held companies in the US.
Most of the Sarbanes-Oxley Act won't concern you, but some provisions are relevant to call center management. Primarily, you can't delete recorded calls or financial records once an investigation is under way or reasonably foreseeable, which in practice means your recording platform needs a legal-hold feature that suspends normal retention and deletion for the affected records. Altering or destroying records to obstruct an investigation carries criminal fines and up to 20 years in prison, plus civil penalties.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI-DSS), established in 2006 by the PCI Security Standards Council that the major card brands set up, stipulates how contact centers process credit card information, and where they store this data. One rule bites contact centers harder than most: the card security code (CVV2/CVC2/CID) is sensitive authentication data and must never be stored after authorization, not even encrypted. A call recording in which the customer reads out their security code is stored card data, so you need to pause recording during payment, mask the digits, or have customers enter them by keypad so the tones never reach the agent or the recorder.
There are lots of PCI-DSS requirements, and call center managers should do things like:
- Build and maintain a secure payment network.
- Maintain a vulnerability management program.
- Protect all credit card data.
- Monitor and test networks regularly.
- Create an information security policy.
- Use strict access control measures.
Under federal law (the Wiretap Act, 18 U.S.C. § 2511), recording a call requires the consent of only one party to the conversation, and the recording company itself can be that party. This is "one-party consent," and it means customers are not always informed about call recordings.
However, there are laws at the state level that require agents to tell customers about a call recording. You will have to adhere to “two-party consent” laws in the following 11 states:
- New Hampshire
If you don’t tell customers in these states that you are recording their call, you could face criminal proceedings.
“In the context of recording conversations, the states in our country are divided as either ‘one-party consent’ states or ‘two-party consent’ states,” says Commerce magazine. “A ‘two-party consent’ state makes it a crime to record or eavesdrop on a conversation, including a private in-person communication or telephone call, without the consent of all parties to the conversation.”
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is, perhaps, the most complex of all call compliance regulations on this list, and it’s the most recent. Since 2018, GDPR has protected the data of customers across the European Union (and the United Kingdom), but this legislation has ramifications for call center managers in the US too.
Call center managers must abide by GDPR standards if they handle the personal data of people in the EU or the UK: offering goods or services to them, or monitoring their behavior, brings you within scope regardless of where your company is based. If your call center sells or supports customers in Europe, GDPR applies to you. There are far too many of these standards to list here, but some of the most important are:
- You must keep data secure at all times, with security appropriate to the risk.
- Data can only be kept for as long as you need it for the purpose you collected it for. GDPR sets no fixed retention period, so you must define and document one for each type of record, including call recordings.
- You must delete a customer's data if they ask you to, unless you have a legal obligation or another recognized reason to keep it.
GDPR fines are colossal. The lower tier runs up to 10 million Euros (around $11.3 million at the time of publication) or 2 percent of total global turnover, whichever is higher; the upper tier, for the most serious infringements such as violating the basic processing principles or data subjects' rights, doubles that to 20 million Euros or 4 percent of global turnover.
This is money your organization probably can't afford, so don't ignore GDPR!
What Happens if You Don’t Comply With These Regulations?
Non-compliance isn’t just costly in a financial sense, but it could ruin your reputation. If you don’t adhere to the law and other guidelines, customers could flag your phone numbers and post about your practices on the internet. This can have a significant impact on your business.
Flagged numbers can cause several problems such as:
- Customers/phone carriers will flag your calls as “scam likely” or “spam risk.”
- This makes it difficult for agents who use outbound calls for marketing/sales.
- It will be more difficult for you to generate leads.
Before You Hang Up…
Your contact center might already abide by TCPA and DNC, but you need to know about other compliance regulations in your industry. Whether you work in debt collection, healthcare, or another sector, non-compliance with the above regulations could result in fines of millions of dollars. Plus, you could do irreversible damage to your business reputation.
There are also state-specific compliance laws and ethical dialing practices you need to comply with. Otherwise, customers could flag your company’s phone numbers and leave you negative reviews online.