If you have a call center, you know that a number of state and federal regulations govern your operations. And, like all regulations, the phrase “ignorance is no excuse” applies. Even if you unintentionally violate a regulation, you may still be subject to hefty fines and penalties. This review of the regulatory environment will help you to ensure that your call center compliance measures are right for your specific industry and business.
Telemarketing Consumer Protection Act (TCPA)
The Federal Communication Commission (FCC) is one of the federal organizations that govern call center operations. The TCPA’s rules apply to telemarketing calls, which includes auto-dialed calls, prerecorded calls, text messages and unsolicited fax transmissions.
The TCPA rules include a list of things you can’t do, including:
- Calling a home telephone number before 8 a.m. or after 9 p.m. in the local time zone
- Calling a home telephone number if it appears on the National Do-Not-Call List
- Dialing any emergency telephone line
- Calling a patient room in a hospital or a similar facility
- Calling a telephone number used by a paging service, cell phone service, or any other service that charges the called party
- Auto-dialing a mobile number, or calling a mobile number with a prerecorded message
- Disconnecting an unanswered call before four rings or 15 seconds
- Abandoning more than three percent of all outgoing calls where a person answers
- Not providing a recorded messages that identifies the caller if an autodialed call can’t be answered by a live representative within two seconds, or not providing an opt-out option for the called party
The TCPA does have some exceptions and other restrictions for prerecorded calls, so you need to determine if any of those refer to your business in order to confirm your call center compliance.
National Do Not Call Registry
The Federal Trade Commission (FTC) established the National Do Not Call (DNC) Registry in 2003. The purpose was to protect consumers from aggressive telemarketing firms. The FTC has won millions of dollars in lawsuits against businesses that didn’t honor DNC listings.
In short, if your phone number is on the DNC Registry, telemarketing companies wanting to sell goods or services aren’t allowed to place unsolicited calls to your phone. There are exceptions for political organizations, charities, and telephone surveyors.
Health Insurance Portability and Accountability Act (HIPAA)
If you’re involved with the health care industry, you need to know how the HIPAA regulations relate to call center compliance. Whether you work in a health plan, or you’re a business associate of an organization that is covered by HIPAA rules, complying with HIPAA regulations is critical.
The HIPAA Privacy Rule requires that covered organizations follow standards to protect the privacy of Personal Health Information (PHI) when it is gathered, stored, and transmitted electronically. The HIPAA Security Rule describes appropriate measures you need to take to protect PHI. It covers standards for administration, physical, and technical protection.
You must adequately control who has access to electronic PHI, the security you use to protect data when you transmit it, and the cyber security you use to prevent data breaches.
Fair Debt Collection Practices Act (FDCPA)
If your call center acts to collect debts, the FDCPA may apply to you. The FDCPA doesn’t cover business debts, or collectors who are employees of the business that the debtor owes. It does apply to collection agencies, debt buyers, and lawyers who offer a debt collection service.
If your call center falls into one of the covered businesses, you must comply with the FDCPA rules about how you can contact a debtor. In summary, there are restrictions that include:
- Only calling between the hours of 8 a.m. and 9 p.m. in the debtor’s time zone
- Avoiding any form of harassment when calling or using other forms of contact
- Only contacting a debtor’s attorney if you have the attorney’s contact information
- Stopping all contact if the debtor sends you a written notice to stop contact
- Providing information about the debt such as the name of the creditor, the amount owed, information about disputing the debt and requesting the name and address of the creditor;
- If you didn’t provide the required information about the debt in your first contact, you must send a written notice including this information within five days of the initial contact if
These restrictions on contact with a debtor don’t mean you can’t sue or take other legal action to collect the debt.
Payment Card Industry Data Security Standard (PCI DSS)
Major players in the credit card industry established the Payment Card Industry Security Standards Council to ensure security for cardholder data. The Council created the PCI DSS standards, but the companies that formed the Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., enforce those standards.
If your call center accepts, processes, stores, or transmits credit card information, you must comply with the PCI DSS standards, which regulate 12 areas. You can meet call center compliance standards by following these requirements.
- Secure your networks with firewalls
- Configure settings such as passwords to protect the data
- Protect stored data including masking account numbers on receipts, and limiting access
- Encrypt cardholder data that is sent across public networks
- Install and regularly update anti-virus software
- Maintain secure systems using best practices
- Limit access to cardholder data to only those with a need to know
- Uniquely identify users who have access to data
- Restrict physical access to data
- Use logging and log management to monitor data access
- Test systems for vulnerability regularly
- Establish and enforce policies that regulate security requirements for all employees
State Requirements Governing Call Recording
Recording telephone calls in a call center is a very common way to improve the skills of call center staff and improve the customer experience. In the United States, federal law requires one-party consent. Most states have also passed laws governing call recording that require either one-party or two-party consent. State laws also differ in how they describe what constitutes consent.
General Data Protection Regulation (GDPR)
The European Union (EU) passed a wide-ranging law called the GDPR to protect the data rights of their residents regardless of the location where EU residents are doing business. Therefore, the GDPR law does apply to U.S. companies who are serving people living in the EU. Given the complexity of the GDPR, consulting with a lawyer may be the best way to ensure call center compliance.
In general, the GDPR affects call centers in a number of areas. Here are some examples:
- Consent. The rules about consent are much more stringent and require that the consumer give consent freely for a specific purpose. Their consent must be informed, unambiguous, and revocable.
- Data Privacy. Data privacy is critical for EU residents. You need to explain what you will do with their data. There are also rules about allowing EU residents to access their data and to request that you delete data.
- Data Security. The GDPR addresses a number of data security issues that may be more stringent than those in applicable U.S. regulations.
Maintaining call center compliance is a critical task. It requires extensive employee training and software that gives you the flexibility to meet regulatory requirements. For more information about how Call Tools can help you to stay compliant, contact us today.
