All outbound contact centers should comply with regulations to protect data and ensure safe and ethical calling practices. While there are overarching procedures for outbound dialing, your organization might need to adhere to additional call compliance regulations depending on your industry. In this guide, learn about the legal frameworks in different sectors.
3 Essential Compliance Guidelines for Outbound Dialing
The FCC regulates companies that carry out outbound dialing in the United States. Due to the rise in robocalls—Americans received 3.6 million of them in December 2021 alone, regulations for outbound calls have become stricter. Furthermore, organizations like telemarketing companies face severe penalties for non-compliance. Here are the top three rules you need to follow to adhere to call compliance:
1. Telephone Consumer Protection Act
Legislated in 1991, the Telephone Consumer Protection Act (TCPA) is the primary compliance mandate for outbound dialing. This law regulates many marketing functions in an outbound call center, including auto dialing, leaving ringless voicemails, and sending SMS messages to leads and customers.
TCPA imposes many restrictions on outbound call centers. Agents can’t:
- Contact customers before 8 a.m. local time or after 9 p.m. local time.
- Contact customers on the National Do Not Call Registry (more on that in the next section).
- Use artificial voice recordings when soliciting leads and customers.
- Send unsolicited fax messages to promote goods and services.
This list isn’t exhaustive, and the government can fine organizations up to $500 for any TCPA violation.
2. National Do Not Call Registry
The National Do Not Call Registry (DNC) is a database that allows consumers to report unsolicited calls from organizations. Outbound call centers like yours cannot contact customers on the DNC, and breaking this rule will count as a TCPA violation. To comply with DNC, compare your marketing lists with information on the registry and remove people who have asked not to receive unsolicited communications.
STIR/SHAKEN is a relatively new technology framework from the FCC that attempts to prevent robocallers and spam calls from reaching consumers. It verifies outgoing communications and tells consumers whether a caller is who they say they are through their caller ID. While STIR/SHAKEN isn’t a call compliance regulation like TCPA, contact center managers should know how this technology works.
Managers should also ensure they use STIR/SHAKEN compliant voice service providers. For example, companies like Verizon and AT&T have implemented this technology already. That’s because failing to work with compliant partners can result in service interruptions, reputation damage, and lower answer rates for outbound call centers. As of March 2022, most voice providers are now STIR/SHAKEN-compliant; however, two companies, Vonage and Bandwidth, recently received citations from the FCC for not implementing this framework.
Compliance Regulations for Different Industries
In addition to the guidelines listed above, different industries might have specific laws and rules that govern compliance. Here are some of the most important regulations:
Outbound call centers in retail, hospitality, finance and other sectors that use processors to accept payments from customers need to abide by the Payment Card Industry Data Security Standard (PCI DSS). This information security standard mandates that call centers process, store, and transmit credit card information in a secure environment. There are different PCI DSS levels based on how many credit card transactions a call center processes annually.
PCI DSS guidelines include:
- Installing and maintaining a firewall to protect cardholder data.
- Encrypting the transmission of payment data across open and public networks.
- Guarding against internal theft of cardholder data.
- Disposing cardholder information on hard drives.
- HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that lays down guidelines for healthcare organizations that handle sensitive patient information. Unlike many of the regulations in this post, HIPAA non-compliance can result in criminal penalties, including imprisonment.
- Omnibus Rule: The Ombinus Rule extends HIPAA responsibilities to business associates (and their subcontractors) working in healthcare.
- HITECH: The Health Information Technology for Economic and Clinical Health Act (HITECH) promotes the meaningful use of health information technology.
- AICPA: The American Institute of Certified Public Accountants (AICPA) has a code of ethics that requires its members to act with integrity, competence, and due care.
- GLBA: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect sensitive data and explain their information-sharing responsibilities to customers.
- FSMA: The Food Safety Modernization Act (FSMA) is a law that protects public health by strengthening food safety.
FERPA: The Family Educational Rights and Privacy Act (FERPA) allows parents to access their children’s education records, have those records amended, and control the disclosure of personally identifiable data.
- NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulates and enforces the security of the Bulk Electric System—the interconnected electrical system in North America.
Regional and Miscellaneous
- GDPR: The General Data Protection Regulation (GDPR) is a law that protects the collection, processing, storage, and sharing of private information belonging to customers in the European Union (EU), European Economic Area (EEA), and the UK. All companies that handle data from customers in these regions will need to adhere to this legislation or face expensive penalties for non-compliance. Under GDPR, the EU can impose fines of up to €20 million or 4 percent of global turnover from the preceding financial year, whichever amount is higher.
- CCPA: The California Consumer Protection Act (CCPA) is a law that protects the collection, processing, storage, and sharing of private information belonging to customers in California. All companies that handle data from customers in California will need to adhere to CCPA.
- SOX: The Sarbanes-Oxley Act protects investors from fraudulent accounting by corporations. Public companies in various sectors might have to carry out an annual audit that proves they engage in accurate and data-secured financial reporting.
Importance of Contact Center Compliance
Contact centers not only have to adhere to call compliance regulations for outbound dialing but might need to comply with laws and standards in their respective industries. Whatever regulations impact your sector, you must follow the rules. Otherwise, you could face harsh penalties for non-compliance. Making your outbound contact center operations compliant can result in healthier and more ethical calling practices.