2015 TCPA WASHINGTON SUMMIT | SEPT. 27TH-29TH | WASHINGTON DC
Compliance Officers Forum – LIVE
Reid Houser, COF Chair
Nick Whisler, Counsel for PACE
Disclaimer
The materials in this Presentation are provided for informational purposes only and do not constitute legal advice. These materials are intended, but not promised or guaranteed to be current, complete, or up-to-date and should in no way be taken as an indication of future results. Transmission of the information is not intended to create, and the receipt does not constitute, an attorney-client relationship. You should not act or rely on any information contained in this Presentation without first seeking the advice of an attorney.
Discussion Topics
FCC ruling
– Legal requirement vs. compliance best practice
State legislative update
What’s next – Nick’s Crystal Ball
Global privacy review
– What’s new?
– Safe Harbor and BCR
– Country rules
– Privacy resources
FCC Ruling
What’s required and best practice
ATDS
Reassigned numbers
Revocation of consent
Text messages
FCC Ruling - ATDS
Equipment can be an ATDS if it has the "potential capacity" to function as an ATDS
– Rejects “present capacity” standard
– Equipment can have the requisite capacity even if it requires additional software to function as an ATDS
“Theoretical capacity” not sufficient
– Rotary phone is not an ATDS
– Stadium capacity analogy
Rejects argument that ATDS must have the capacity to dial without human intervention*
FCC Ruling - ATDS
Cannot avoid TCPA by dividing up ownership of dialing equipment
Declined to address exact contours of definition
Reiterates prior TCPA rulings
– Predictive dialer is an ATDS
– ATDS provisions do not apply to speed dialing
– Basic functions are to dial without human intervention and to dial thousands of numbers in short period of time*
ATDS Case Law Post FCC Ruling
Luna v. Shac (N.D. CA Aug 19, 2015)
System must have capacity to dial without human intervention to be an ATDS
References FCC’s 2015 Ruling but no discussion of “potential capacity”
Did not address whether Ruling could be applied retroactively
ATDS Case Law Post FCC Ruling
Derby v. AOL, Inc. (N.D. CA Sept 11, 2015)
FCC Ruling merely held that a system requiring modification may fall within the scope of the TCPA
“[Ruling] does not suggest that a system that never operates without human intervention constitutes an ATDS under the statute.”
Ruling did not negate prior court opinions that focused on systems’ capacity to dial without human intervention
FCC Ruling - ATDS
– Best practice
Identify and analyze all dialing and ancillary systems
Determine if the system can be altered or modified to auto-dial (you may need to speak to the vendor in some cases)
– Modifications: Software, subscriptions, adding hardware and other technological changes
Document findings and modifications
Seek legal advice
FCC Ruling – Consent and Revocation of Consent
Written consent must include mandatory disclosures (limited waiver provided)
May revoke consent at any time and through any reasonable means
– Orally or in writing
– Inbound/outbound calls, in-store bill payment location
– No guidance on what is not a reasonable method
Cannot limit manner in which consent may be revoked
Must have records to prove consent
FCC Ruling – Consent and Revocation of Consent
Best practice
– Consent obtained by you and an intermediary
Document all consent/revocation
Ensure FCC guidance for consent is used
Require samples of consent used
Document and maintain records
Caller can’t limit how consumer revokes consent
Reasonable revocation of consent
– Training agents to listen to what the consumer is saying
– Consider linking revocation across the consumer's accounts
– Vendor management process
– “Internal DNC” style record keeping process
– Script changes – clarify what the consumer means by “don’t call me”
Rule of thumb – if they don’t want to be called, don’t call them
FCC Ruling - Reassigned Numbers
“Called party” means current subscriber or customary user
One call “safe harbor” for calls to reassigned #s
– Must have consent to call prior subscriber and no knowledge of reassignment
– No notice requirement – constructive knowledge after one call
No requirement for called party to notify caller or “bad faith” defense for businesses
FCC Ruling - Reassigned Numbers
Best practices can mitigate risk
Can sue your customers if they violate a contract that requires them to give notice when a number is relinquished!
FCC Ruling - Reassigned Numbers
Best practice
– Train site and agents to listen to the called party
– Document and communicate
– Ensure calling lists are current and up to date
Include written, oral and electronic sources
– Document wrong number calls
– Third party resources to identify reassigned numbers
– The challenge is keeping current with the consumer – how do you know when their number has changed?
FCC Ruling – Text Messages
Reiterated that a text message is a “call” under the TCPA
TCPA applies to Internet-to-phone text messages
FCC Ruling – Text Messages
Ruling: one time text message sent immediately after consumer’s request does not violate TCPA because it is not a telemarketing text
Criteria:
Must be requested by consumer;
Must be a one-time message sent immediately in response to the consumer’s request; and
May only contain info requested by consumer (no other marketing or advertising info)
FCC Ruling – Text Messages
Best practice
– All of the wireless rules apply to texts
– Develop policies and procedures
– Develop review and approval process
– Develop monitoring process
– Ensure opt-out requests are honored
FCC Ruling – General Best Practices
Alert and educate corporate leaders
Train your sites/agents - manual dialing
– Reassigned numbers
– Consent revocation
– Updating contact lists
Develop compliance monitoring reports
Develop vendor standards, monitor and sign amended agreements
Notify your clients/sign amended agreements
Scrub wireless numbers; identify alternate dialing method(s)
Ensure your manual dialing process complies with: 1) call time restrictions; 2) caller ID; 3) DNC lists; 4) agent monitoring
TCPA Resources
FCC - Protection Against Telemarketing Robocalls - Consent FCC 2015 Ruling
State Legislative Update
New Jersey - clarified that the prohibition against calling cell phones only applies to unsolicited telemarketing calls (calls to existing customers are exempt)
Indiana - adopted “assisting and facilitating” liability under telemarketing laws
Oregon - expanded definition of telephone solicitor to include anyone offering a business opportunity
State Legislative Update
Utah - enacted caller ID spoofing law (largely mirrors federal law)
Wisconsin - updated DNC regulations to reflect prior changes to DNC law (including no state DNC list)
State Legislative Update
Several states amended data breach notification laws
– CT, MT, NV, ND, OR, RI, WA and WY
– Expand definition of PII
– Must report breach to AG
– Provision of identity theft services
– Timelines for sending breach notifications
– Additional contents for breach notifications
– WA exemption for PII secured through encryption methods that meet or exceed those adopted by the National Institute of Standards and Technology
Pending legislation in other states (most notably CA and IL)
What’s next – Nick’s Crystal Ball
More TCPA lawsuits
Increased TCPA enforcement by FCC
Important appellate court rulings
– Appeal of FCC’s Declaratory Ruling
– Spokeo v. Robins
– Campbell-Ewald Co. v. Gomez
What’s next – Nick’s Crystal Ball
More privacy lawsuits and enforcement
– Neiman Marcus ruling (7th Circuit)
– Wyndham ruling (3rd Circuit)
More state privacy legislation and enforcement
Global Privacy Review
What’s new?
Safe Harbor and BCR
Country rules
Privacy resources
Privacy – What's New
Delaware privacy act introduces 'unique requirements'
– The Governor of Delaware signed into law, on 8 August 2015, the Internet Privacy and Safety Agenda 2015, a four-part legislative package to enhance privacy and protect online activities ('the Agenda'). The Agenda includes: The Online Privacy and Protection Act 2015 ('the Privacy Act'); The Student Data Privacy Protection Act 2015; The Victim Online Privacy Act 2015; and The Employee/Applicant Protection for Social Media Act
– The Agenda introduces a range of measures to protect school children and also to prevent employers from inappropriately demanding access to the social media accounts of employees or job applicants.
– The Agenda also introduces a requirement for data collectors to clearly disclose on their websites how they are using the personal data they collect about users, including how they track individuals online
Privacy – What's New
FTC’s Authority to Regulate Companies’ Data Security Practices
– On August 24, 2015, the United States Court of Appeals for the Third Circuit issued its opinion in Federal Trade Commission v. Wyndham Worldwide Corporation (“Wyndham”), affirming a district court holding that the Federal Trade Commission has the authority to regulate companies’ data security practices
Privacy - Safe Harbor and BCR
Binding Corporate Rules are the EU's response to all of the downsides of the currently existing solutions and attempt to overcome Safe Harbor issues by providing the kind of accountability the EU approves of
Because EU data protection and privacy laws are so strict, complying with the BCR likely means your organization complies with data protection laws globally
BCR are designed by, and tailored for, the applicant organization so they reflect and respect your culture, processes, and business – they are not a regulatory-imposed solution, unlike model clauses
Privacy - Countries
USA, Argentina, Austria, Belgium, Brazil, Bulgaria, Canada, Chile, Colombia, Czech Republic, Denmark, Estonia, European Union, Finland, France, Germany, Greece, Guernsey, Hong Kong, Hungary, Iceland, Ireland, India, Italy, Japan, Korea, Latvia, Lithuania, Luxembourg, Malaysia, Malta, Mexico, Morocco, Netherlands, New Zealand, Norway, Philippines, Romania, Poland, Portugal, Singapore, Slovak Republic, Slovenia, South Africa, South Korea, Switzerland, Sweden, Taiwan, Thailand, United Kingdom, Vietnam
Privacy Resources
The International Association of Privacy Professionals (IAPP) Data Guidance News Information Commissioner’s Office (ISO) Information Shield Mondaq Data Privacy Laws