Connecting directly with consumers is extremely important in today's age of digital overload. Through personalized marketing, a sender connects directly with consumers in order to sell or market certain goods or services, avoiding the use of traditional forms of third-party publishers (such as radio, newspapers, and television) as intermediaries. The sender targets the consumer directly through telephone, fax, email, text message, or mail communications, building brand loyalty and fostering lasting relationships.

Direct marketing is a powerful business tool because of its low cost of entry and potentially immediate consumer response to a campaign, which often translates into real-time revenue growth. However, if used in an irresponsible way, it can cause substantial nuisance, cost, and inconvenience to consumers, and may be illegal if the marketing runs afoul of several laws, regulations, and voluntary codes of practice.

These laws and self-regulation standards require direct marketers to obtain different types of consent prior to marketing directly to consumers and/or provide consumers the ability to opt out of such direct marketing practices. There are also disclosure requirements and restrictions on what can be included in such solicitations. We take a general look at federal and state consumer protection and privacy laws, as well as self-regulation and codes of practice, that regulate direct marketing to consumers in the US and provide industry best practices. However, legal counsel should be consulted to address nuances that may apply based on specific campaign details.   

Telephone marketing-specific laws

There are several federal laws and rules that cover unsolicited commercial communication by telephone including the Telemarketing Consumer Fraud and Abuse Prevention Act (the Telemarketing Act), the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA), and the National Do-Not-Call Registry (DNC Registry).

Telemarketing Act

Under the Telemarketing Act, the Federal Trade Commission (FTC) is empowered to issue rules to enforce it. The Telemarketing Act prohibits deceptive and abusive telemarketing acts or practices, mandates certain disclosures or material information, requires express verifiable authorization for certain payment mechanisms, and sets record-keeping requirements. Further, it establishes a private right of action in federal court and is also enforced by state Attorneys General. 

TSR

The FTC enforces the TSR, which implements the Telemarketing Act. At a high level, the TSR applies to businesses that sell goods or services by telephone, which involves one or more interstate calls. In order to comply with the TSR, businesses should limit calls to consumers to specific hours, scrub numbers against the DNC Registry, keep and abide by do-not-call requests (including keeping an internal do-not-call list), disclose that a call is pre-recorded, display accurate information on the caller ID, identify themselves and the good or service they are selling on the call, disclose all material information during the call, and not make any material misrepresentations to induce a person to pay for goods or services. Further, there are additional rules regarding prize promotions, payment restrictions, prohibitions on outbound call abandonment, honoring consumer requests to call back, record keeping (requirements expand as of May 16, 2024), and billing in the TSR. However, certain calls are currently exempt from the TSR's restrictions and requirements, including calls placed by consumers in response to catalogs, general media advertising (subject to certain industry restrictions in the rule), truthful and non-misleading direct mail advertising (subject to certain industry restrictions in the rule), business-to-business (B2B) calls (except those calls concerning the sale of nondurable office and clearing supplies) (note this blanket B2B exemption is set to end on May 16, 2024), unsolicited calls made by consumers, and entities outside of the FTC's jurisdiction.

On April 16, 2024, the Federal Register published the FTC's amended TSR, which ends the blanket B2B exemption by prohibiting material misrepresentations and false or misleading statements in B2B telemarketing. The amended TSR also has additional recordkeeping requirements, but the TSR's recording-keeping requirements do not apply to B2B calls. Most of the amendments are effective on May 16, 2024. On the same day, the Federal Register published a new proposed TSR which would remove the exemption to calls made by consumers in response to advertisements for tech support services. This new proposed rule is not yet final as of the date of publication.

The TCPA

The TCPA is administered by the Federal Communications Commission (FCC) and may also be enforced by private litigants. It governs calls, texts, and faxes made for marketing and informational purposes, including those that are B2B. Of significant concern in relation to the TCPA are calls and texts to wireless lines using artificial or prerecorded voice recordings or an automatic dialing system (ATDS) (robocalls or robotexts). Telemarketing robocalls and robotexts, and calls using an artificial or prerecorded voice, are prohibited without receiving prior express written consent, which consent must include certain specific language. The written requirement can be met by meeting federal e-signature requirements. Informational robocalls and robotexts are prohibited without receiving prior express consent, but it does not need to be written. Calls and texts made for emergency purposes and certain health-related purposes are exempt from the TCPA's consent requirements.

The FCC sets and enforces rules for telemarketing calls. These rules require clear identification, do-not-call options (interactive mechanism and internal opt-out list), minimum ring times, and call abandonment restrictions. The FCC adopted regulations similar to the FTC's, banning calls to those on the seller's internal do-not-call lists and refraining from calling consumers on those internal lists as well as the numbers listed on the DNC Registry (discussed further below).

The Supreme Court narrowed the scope of the TCPA in Facebook, Inc. v. Duguid (141 S.Ct. 1163 (2021)). Pursuant to this decision, a device must have the capacity to use a random or sequential number generator to either store or create phone numbers to be an ATDS. Predictive dialers and other devices that store set lists of phone numbers and dial from these lists without using a random or sequential number generator do not qualify as ATDS. While this has cut down somewhat on TCPA claims, litigation continues based on other violations, such as internal do-not-call and DNC Registry violations.

Fax ads need prior written consent (except for where there is an EBR) to avoid violating the TCPA. Consent can be inferred from the relationship pursuant to the Junk Fax Prevention Act of 2005 (JFPA), which permits the sending of commercial faxes to recipients based on an EBR if the sender offers an opt-out in accordance with the TCPA. State laws may be stricter, mandating express permission and more opt-out requirements.

The FCC is cracking down on robocalls and robotexts. It recently made it easier to revoke consent and now requires more clear and conspicuous disclosures from marketers. As of January 27, 2025, consent for robocalls and robotexts will only be valid for the specific company you gave it to and must be clearly explained beforehand and logically and topically associated with the interaction (e.g., website) where the consumer provided consent. Not all lead generation will be prohibited as lead generators may collect and share leads about consumers interested in products and services but will be unable to collect and share consent.

National DNC Registry

The National DNC Registry, established by the Do-Not-Call Registry Act of 2003, is perhaps the best-known feature of the FTC's TSR requirements and directs most telemarketers or sellers to not call a number listed on the DNC Registry. The program provides a means for US residents to register residential and wireless phone numbers on which they do not wish to be contacted for telemarketing purposes (with specific exceptions, below). Telemarketers, sellers, and service providers may pay a fee to access the registry. Direct marketers should ensure that they 'scrub' their call lists against the DNC Registry at least once every thirty-one days.

Violations of the rule can lead to civil penalties of up to $51,744 per violation and violators may be subject to nationwide injunctions that prohibit certain conduct. Violators may also be required to pay redress to injured consumers. There is a private right of action where more than one call is made within a twelve-month period and provides for up to $500 or $1,500 per call as damages. As noted, DNC violations also violate the FCC Rule under the TCPA, creating a cause of action under that law as well. The DNC Registry rules apply to for-profit organizations and cover charitable solicitations placed by for-profit tele-funders. These rules do not apply to:

• non-profits calling on their own behalf (but not their paid, for-profit solicitors);
• political candidates and political organizations;
• calls to customers with an EBR within the last 18 months; or
• unsolicited inbound calls provided that there is no 'upsell' of additional products or services; and most business-to-business calls.

With the limitation on the definition of ATDS under the TCPA and the elimination of consent requirements in some circumstances, DNC claims have become a common approach taken by plaintiff's lawyers. However, the EBR exception makes these easier to defend than TCPA ATDS consent claims (for which there is no EBR exception), and consent (which need not be written) would create an EBR.

State telemarketing laws

The TSR and the TCPA do not preempt state laws that govern intrastate telemarketing. In the wake of the federal narrowing of what is an ATDS, some plaintiffs are electing to bring claims under state laws where the ATDS definition has not been narrowed. Many states have enacted their own telemarketing laws that create additional legal requirements for telemarketers. In general, these laws limit calls to between certain hours, require businesses to register with the state, require callers to identify themselves at the beginning of calls, and end calls at the request of the receiving consumer.

Under some state laws, compliance with the FTC's do-not-call regulations is deemed to be compliance with that state's laws. At least 12 states continue to maintain separate do-not-call lists which must be checked in addition to the National DNC Registry to avoid violating those states' laws.

Other types of direct marketing

Texts and mobile domains

A 'call' as used in the TCPA has been held by the courts and the FCC to govern text messaging. Accordingly, the requirements under the TCPA for calls to wireless numbers also apply to texts. In addition, state telemarketing laws typically apply to text messages.

Marketers may potentially be liable for TCPA violations where they enable consumers to send texts to their friends (i.e., send-to-friend campaigns). However, the narrowing of the scope of an ATDS makes these claims now less common. Further, the marketer will not be deemed the sender if the consumer controls the recipient, the content of the message, and the time of sending. Unlike commercial emails (infra), providing an incentive to a consumer to send a text to a friend does not convert the marketer into the sender.

Messages via mobile carriers can also be regulated under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) (infra) if they originate online and use an internet domain (e.g., [email protected]). Unlike other forms of email, where you can opt-out (as more fully discussed below), the use of mobile domains requires express opt-in from the consumer. This means they must clearly give permission beforehand, not through pre-checked boxes. Companies must disclose specific information about the messages and allow easy opt-out options through various methods, including reply functions within the message itself. The burden of proof for obtaining valid consent falls on the sender, who must document the authorization process. The FCC maintains a list of mobile domains that email markets can remove from their marketing lists if they are operating on an opt-out basis.

Email

The CAN-SPAM Act regulates commercial emails including setting some rules for transactional emails. It lets consumers opt out of unwanted commercial emails and gives the FTC and state Attorneys General enforcement power. Except for the limited rights of email services to bring claims against mass spammers, there is no private right of action.

The law applies to commercial emails to consumers and in a B2B context. It bans misleading information in email addresses and subject lines and requires a clear and easy opt-out option for commercial emails. Companies must also include a valid return address and identify commercial emails as ads. Sexually suggestive emails need warning labels. 

The FTC has clarified that a company will not be deemed the sender of an email it facilitates or encourages a consumer to send, such as a promotional 'invite-a-friend message, except if it gives the consumer anything of value to do so (including a sweepstakes entry) it will be deemed the sender and responsible for ensuring that the consumer does not send to anyone that has opted-out from commercial emails from that company and that the consumer's e-mail includes a mechanism for the recipient to opt-out from future commercial e-mails from that company. Accordingly, companies will either need to avoid giving consideration to those they encourage or assist in sending promotional messages or design a facilitation tool that enables compliance with the CAN-SPAM Act's opt-out and other sender compliance obligations.

The CAN-SPAM Act preempts state and local email laws, except those related to fraud or deception. This means some stricter state laws (which may have a private right of action) might still apply in specific cases.

Mail

While direct mail ads are generally allowed, the Deceptive Mail Prevention and Enforcement Act (DMPEA) bans misleading tactics. It prohibits mail that pretends to be from the government or uses false promises to get money. Additionally, sexually suggestive mailings can be stopped if recipients request it. Sweepstakes and contests in the mail must disclose key details like odds of winning and how to enter without buying anything.

Consumer protection laws

The Federal Trade Commission Act (FTC Act) prohibits unfair and deceptive acts or practices in or affecting commerce, including direct marketing solicitations. The FTC can act to stop these practices and, in certain circumstances seek compensation for consumers who are harmed (though the scope of this authority has been recently limited). Further, the FTC may prescribe trade regulation rules that specify which acts or practices are unfair or deceptive, though absent express Congressional authority, its rule-making authority is more limited than other federal agencies. Accordingly, the FTC has historically issued non-binding guidance that establishes what it believes would be deceptive or unfair regarding various practices (e.g., influencers, native advertising, certain types of claims, etc.). However, the current FTC has been more aggressive in attempting to promulgate regulations than under prior administrations and is working through its rule-making process in a number of areas, including targeted online advertising (which it calls 'surveillance capitalism').

A solicitation is deceptive if it misleads a reasonable consumer and influences their decisions. The FTC employs a three-part standard for deception:

• a representation, omission, or practice that is likely to mislead the consumer;
• that the representation, omission, or practice be likely to mislead a reasonable consumer under the circumstances; and
• that the representation, omission, or practice be material, meaning that it is likely to affect a consumer's choice or conduct regarding a product or service.

A solicitation is unfair it causes (or is likely to cause) substantial harm that outweighs any benefits and can't be easily avoided.

Ads must be truthful and avoid misleading claims, even by omission. Advertisers are responsible for all reasonable consumer interpretations of their advertising for their products and services, and the FTC applies a 'net impression' standard. Advertisers are responsible for how consumers understand their message, considering the overall impression created. Claims also need evidence to back them up. The level of proof depends on the claim and the product. Health and safety claims require competent and reliable scientific evidence to substantiate the claim. Even those indirectly involved in deceptive advertising, like designers or agencies, can be held liable.

Unfairness under the FTC Act requires evidence of harm to consumers that is not outweighed by benefits to other consumers or to competition. This balancing test was added by Congress to limit the FTC's attempts in the late 1970s and early 1980s to limit children's advertising under its unfairness authority. Following that, the FTC generally limited unfairness cases to where significant and quantifiable consumer harm was present. However, the current FTC has become far more aggressive and is bringing unfairness claims in privacy cases where the alleged consumer harm is not capable of a monetary valuation, such as the use of sensitive personal information (e.g., precise location, health information, etc.) for advertising without express affirmative consent.   

All states have unfair and deceptive trade acts and practices (UDAP) laws prohibiting misrepresentation, deception, and unfairness in advertising. Sometimes referred to as 'Little FTC Acts,' the state UDAP laws vary in the degree that they follow the FTC Act and its interpretations, with some states giving it great weight and others simply being guided by it. Many of these UDAP laws provide for expansive remedies by statute, such as discouragement and consumer restitution, as well as injunctive relief, making them powerful tools to enforce trade practices. Further, state and sometimes local enforcement agencies may recover steep civil penalties which range from a few hundred dollars to tens of thousands of dollars per violation of the UPDA law. Direct marketing campaigns must also comply with these state laws, some of which allow for a private right of action by consumers. In addition, many states have a variety of specific marketing laws, which for the most part (see above regarding CAN-SPAM) are not preempted by federal law.

Automatic renewal and negative option laws

Negative-option contracts contain a term or condition that allows the seller to interpret a customer's failure to act, or silence, as acceptance of an offer. Negative options come in many forms, but automatic renewal plans in particular have caught the attention of state regulators. Several federal statutes and regulations and an increasing number of state laws specifically address negative option contracts and automatic renewals. These laws and regulations to varying extents impose disclosure, consumer consent, and easy cancellation requirements on businesses offering negative option programs.

Federal data privacy laws

Although the US does not have a national comprehensive privacy law, some targeted federal legislation related to data protection could impact direct marketers, including the Drivers Privacy Protection Act (DPPA), the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). Comprehensive consumer privacy legislation is under consideration by Congress.

Drivers Privacy Protection Act

The DPPA restricts the sale or release of a driver's personal information, permits sharing only for official purposes (e.g., law enforcement, government agencies, insurance underwrites, etc.), and generally prevents the receiving entity from distributing information for direct marketing and other uses. State law has also restricted the use of such data.

Children's Online Privacy Protection Act

The COPPA authorizes the FTC to prescribe rules governing the online collection of information from children under 13 (e.g. the COPPA Rule). An operator of a website, mobile app, or online service that it should know is directed at children, or an operator that has actual knowledge that it is collecting information from a child, may not collect personal information from a child in a way that violates the COPPA Rule. Other requirements include collection, use, and disclosure notices. Subject to certain exceptions, the operator must generally obtain verifiable parental consent for the collection, use, or disclosure of personal information from children. Age gating for separate child and non-child experiences is permitted at sites that children may visit, but are not primarily directed to children (e.g., family entertainment), though special rules apply. The COPPA Rule outlines appropriate parental consent requirements and exceptions.

Gramm-Leach-Bliley Act

The GLBA regulates the collection, use, and disclosure of non-public personal information by 'financial institutions.' If a direct marketer falls within the GLBA's definition of a financial institution, the GLBA would require it to provide a clear and conspicuous written privacy notice describing its privacy practices to its customers at the time the customer relationship is established and thereafter through an annual notice, and consent may be required for certain types of sharing of personal data for marketing purposes. Federal and state authorities enforce the GLBA and, in most cases, issue their own regulations promulgated under it, with respect to financial institutions over which they have jurisdiction. Some state laws (e.g., California) have stricter rules regarding financial institutions sharing of personal information for marketing purposes.

Fair Credit Reporting Act

A direct marketer may also be regulated by the FCRA if it uses a consumer report. At a high level, its material obligations are to use the consumer report only for permitted reasons (e.g., credit checks), notify consumers of negative actions based on the report, and provide a disclosure to the consumer if the marketer is obtaining an 'investigative consumer report.'

The FTC and the Consumer Financial Protection Bureau (CFPB) are the two federal agencies charged with overseeing and enforcing the provisions of the FCRA, though the CFPB typically is much more active in enforcing the FCRA. Many states also have their own laws relating to credit reporting that can be more restrictive with fewer exceptions than the FCRA.

State data privacy and protection laws

As of the publication date, 16 states have enacted consumer data privacy laws that affect how direct marketers can collect, use, and share personal information of consumers, including regarding targeted advertising. All US states and territories have laws requiring reasonable security of personal data, and in the event of a security compromise provide for data subject notice, often require regulatory notice, and provide for penalties.  

California Consumer Privacy Act

California became the first US state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA). The CCPA was subsequently amended by the California Privacy Rights Act (CPRA).   

The CCPA grants California residents strong control over their personal information. Personal information is broadly defined and includes any information that either directly or indirectly identifies a particular consumer or household, or is reasonably capable of being associated with a particular consumer or household. The CCPA considers human resources and B2B data subjects to be consumers, which makes California unique among the state consumer privacy laws. Identifiers like IP addresses and mobile ad IDs are considered personal information. Certain information is exempted from the CCPA, including exemptions tied to the Health Insurance Portability and Accountability Act (HIPAA), GLBA, and FCRA. Unlike some other state consumer privacy laws, California does not treat these three federal laws as blanket exemptions, but instead only exempts information collected or used in certain ways. 

Businesses are required to provide notices regarding the collection, use, and disclosure of personal information and provide consumers with specific information rights (e.g., access, correction, deletion). Residents can also opt out of 'selling' (broadly defined to include most transfers other than to service providers subject to limitations, including no processing for targeted advertising) their information or its sharing for targeted advertising, limit the processing of sensitive personal information, and avoid being discriminated against for exercising these rights (excepting price or service differences reasonably related to the value of the data. Special rules apply to marketing financial incentive programs. The CCPA also provides for the regulation of automated decision-making and data retention and minimization requirements and requires documented assessments of high-risk activities such as targeted advertising. California has been very active in bringing enforcement actions, including seeking civil penalties.

Other state consumer privacy laws

As of April 24, 2024, several other states have enacted CCPA-inspired privacy laws that impact direct marketing, including Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia (note Maryland has also passed a similar law but it has not been signed by the Governor). These state laws impose some of the same obligations as the CCPA but do differ in material ways, including as to whether prior consent is required for certain processing activities, which impact some marketing activities. These states have opt-outs of data sales and targeted advertising, some of which differ from each other and from the CCPA. Florida has passed a more limited law that requires all controllers to obtain prior consent from a consumer before selling that consumer's sensitive data. In addition, some states (e.g., Washington and Nevada) have passed health-specific consumer privacy laws, which impose far more burdensome obligations on businesses than traditional consumer privacy laws and impact health-related marketing. The legislatures of several other states are considering consumer data privacy laws. Direct marketers should ensure that they track the developments in this evolving area of the law. See also, supra, regarding current federal consumer privacy legislation efforts.

Self-regulation and codes of practice

Direct marketers have voluntary guidelines to follow besides legal regulations. These guidelines help build consumer trust and avoid government intervention.

Industry watchdogs

• BBB National Programs (BBBNP): Oversees self-regulatory programs ensuring truth and accuracy in advertising like the National Advertising Division (NAD) and the Children's Advertising Review Unit (CARU), which focuses on advertising to children. NAD's decisions on challenged advertising can offer best practices within the direct marketing industry. CARU creates advertising and privacy guidelines to ensure that ads directed to children are age-appropriate and not unfair or deceptive, and further offers an FTC-approved safe harbor program that helps businesses comply with COPPA. The programs can refer non-compliant cases to the FTC.
• The Association of National Advertisers (ANA): Enforces Guidelines for Ethical Business Practice applicable to all direct marketers (formerly administered by the Direct Marketing Association).
• CITA-The Wireless Associates (CTIA): Provides best practices for wireless marketing messages, with carriers potentially revoking access for non-compliance. These include obtaining a consumer's clear and verifiable consent prior to sending text messages, providing clear opt-out options, identifying yourself, adhering to frequency disclosures and time restrictions, and informing consumers of data charges. Individual carriers also have their own rules.

Digital advertising-specific groups

• Network Advertising Initiative (NAI): Promotes responsible data use in digital advertising. The NAI's code requires member companies to offer consumers choices about targeted advertising and restricts data collection practices; however, due to more stringent state consumer privacy laws, as of the publication date, it has suspended its rules and plans to develop new rules that reflect current legal requirements. It also maintains an opt-out program, which is not sufficient to comply with various state-targeted advertising and data sale opt-out requirements.
• Digital Advertising Alliance (DAA): Focuses on transparency and consumer control in online behavioral advertising. It offers opt-out options similar to the NAI and has self-regulatory principles for data collection. Like the NAI, its approach is not consistent with state consumer privacy laws. As of the publication date, it was currently reworking its rules and opt-out program. Unlike the NAI, it does not seek to align itself with state consumer privacy laws but offers more granular marketing choices for consumers.

Conclusion

While direct marketing offers benefits like low entry costs and targeted outreach, it is crucial to navigate the maze of state and federal direct marketing and privacy laws and regulations, as well as industry self-regulation, to avoid legal trouble and maintain consumer trust. This ever-evolving landscape requires ongoing vigilance to ensure compliant and ethical marketing practices.

Alan Friel Partner
[email protected]
Kyle Dull Senior Associate
[email protected]
Squire Patton Boggs (US) LLP, California, Miami