Study Guide: Certified Information Privacy Professional (CIPP): US - Marketing and Telemarketing, CAN-SPAM Act, Telemarketing Sales Rule, Do-Not-Call Registry
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-marketing-and-telemarketing-canspam-act-telemarketing-sales-rule-donotcall-registry

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

CIPP/US – Marketing & Telemarketing
(CAN-SPAM Act, Telemarketing Sales Rule, Do-Not-Call Registry)


What This Is

Marketing and telemarketing in the United States are governed by a patchwork of federal statutes that protect consumers from unwanted electronic messages and phone calls. The CAN-SPAM Act regulates commercial email, the Telemarketing Sales Rule (TSR) governs outbound sales calls and the use of automatic dialing equipment, and the National Do-Not-Call (DNC) Registry gives consumers a simple way to block unsolicited calls. For a privacy professional, mastering these rules is essential because non-compliance can trigger FTC enforcement actions, state-level penalties, and costly class-action lawsuits.

Real-world scenario: A U.S.-based e-commerce retailer launches a holiday promotion. It plans to (1) email 500,000 customers with a “30% off” coupon, (2) call a purchased list of leads to upsell, and (3) place a “call-back” button on its website that automatically dials the visitor’s number. The compliance team must ensure every email, call, and auto-dial meets CAN-SPAM, TSR, and DNC requirements before the campaign goes live.


Key Terms & Provisions

  • CAN-SPAM Act (2003, U.S.) – Federal law that sets rules for commercial email, requires clear identification, a physical address, and an easy unsubscribe mechanism; violations can incur up to $43,792 per email (inflation-adjusted).
  • Commercial Email – Any email whose primary purpose is to advertise or promote a commercial product or service; “transactional” messages (e.g., order confirmations) are exempt.
  • Opt-Out (Unsubscribe) Mechanism – A functional, free method for recipients to stop future emails; must be honored within 10 business days.
  • Telemarketing Sales Rule (TSR) (FTC, U.S.) – Prohibits deceptive or abusive telemarketing practices, requires scripts to be truthful, and limits the use of automatic dialing systems (ADS) and prerecorded messages.
  • Automatic Dialing System (ADS) – Any equipment that can store or produce a telephone number and dial it automatically without human intervention; use is restricted unless the called party has given prior express written consent.
  • National Do-Not-Call Registry (DNC) (FTC, U.S.) – A database where consumers can register their phone numbers to block telemarketing calls; telemarketers must scrub their call lists against the registry every 31 days.
  • Prior Express Written Consent – The consumer’s signed permission (paper or electronic) that specifically authorizes the telemarketer to place calls using an ADS or prerecorded message.
  • Robocall – A call that delivers a prerecorded message; under the TSR, robocalls to consumers without prior express written consent are prohibited.
  • Caller ID Spoofing – Falsely presenting the caller’s number; the TRACED Act (2019) makes spoofing for illegal purposes a federal crime.
  • State “Do-Not-Call” Laws – Many states (e.g., California, New York) have additional restrictions that may be stricter than the federal DNC rules; compliance must consider the most protective standard.

Step-by-Step / Process Flow

For a Commercial Email Campaign (CAN-SPAM)

  1. Identify the Message Type – Confirm the email is “commercial” (advertising) and not purely transactional.
  2. Verify Header & Subject Accuracy – Ensure the “From,” “Reply-To,” and subject line are not deceptive.
  3. Include Required Disclosures – Add a clear identification that the email is an advertisement, a valid physical mailing address, and an easy “unsubscribe” link.
  4. Test the Unsubscribe Process – Click the link; confirm the request is processed within 10 business days and the address is removed from all future mailings.
  5. Document Compliance – Keep records of the email content, consent (if any), and unsubscribe logs for at least 2 years (FTC recommendation).

For a Telemarketing Call List (TSR + DNC)

  1. Obtain the Call List – Ensure the list is not sourced from a prohibited “do-not-call” list.
  2. Scrub Against the DNC Registry – Run the list through the national DNC database and remove any numbers that appear (must be refreshed every 31 days).
  3. Check for Prior Express Written Consent – If you plan to use an ADS or prerecorded message, verify you have a signed consent for each number.
  4. Script Review – Confirm the script is truthful, includes the company name, and provides a clear “do-not-call” opt-out option (“press 1 to be removed”).
  5. Call-Monitoring & Record-Keeping – Record calls (where legally permissible), maintain consent files, and retain DNC scrubbing logs for 2 years.

Common Mistakes

  • Mistake: Assuming “transactional” emails are always exempt
    Correction: Even a receipt that contains a promotional offer (e.g., “Buy one, get 20% off”) becomes a commercial email and must meet CAN-SPAM requirements.
  • Mistake: Using a generic “unsubscribe” link that redirects to a landing page
    Correction: The link must directly opt the consumer out; a landing page that requires additional clicks is non-compliant.
  • Mistake: Calling numbers on the DNC list because they are “business” numbers
    Correction: The federal DNC rule applies to all consumer lines, including residential and cell phones; only numbers that are verified as “business” (and not listed on the DNC) may be called.
  • Mistake: Relying on a single consent form for both email and autodialed calls
    Correction: The TSR requires separate, express written consent for autodialed or prerecorded calls; email consent does not satisfy this requirement.
  • Mistake: Failing to update the DNC scrub every 31 days
    Correction: The FTC mandates a fresh scrub at least every 31 days; using an outdated list can trigger enforcement action.

CIPP Exam Insights

  1. “Opt-Out vs. Opt-In” – The CAN-SPAM Act is opt-out (unsubscribes), while the TSR’s ADS rules are opt-in (prior express written consent). Expect a question that asks which law requires a consumer to actively give permission before a call.
  2. Scope of the DNC Registry – The FTC’s DNC rule applies to all consumer telephone lines, including cell phones, unless the call is a solely informational call (e.g., debt collection). A common trap is confusing “business numbers” with “consumer numbers.”
  3. State vs. Federal DNC – If a state law is more protective (e.g., California’s “Do-Not-Call” law), you must follow the stricter rule. Exam questions may present a scenario where a state law overrides the federal standard.
  4. Robocall Definition – The TSR treats any prerecorded message as a robocall, even if the caller says “press 1 to speak with a live agent.” Remember that the TRACED Act adds criminal penalties for spoofing.

Quick Check Questions

  1. Scenario: A retailer sends an email that says “Your order has shipped – enjoy 15% off your next purchase!” to 10,000 customers.
    Answer: This is a commercial email under CAN-SPAM because it contains a promotional offer. The retailer must include an unsubscribe link, a physical address, and truthful header information.

  2. Scenario: A telemarketing firm wants to use an autodialer to call a list of 5,000 cell-phone numbers that it purchased from a data broker. The list includes numbers that are on the national DNC registry.
    Answer: The firm must scrub the list against the DNC registry and obtain prior express written consent for each number before using an autodialer; otherwise, the call violates the TSR and can result in FTC enforcement.

  3. Scenario: A company receives a consumer request to stop all future calls. The consumer’s number is not on the DNC list. What must the company do?
    Answer: The company must honor the request immediately (within the call) and add the number to its internal “do-not-call” list, regardless of DNC status. Failure to do so is a TSR violation.


Last-Minute Cram Sheet (10 One-Liners)

  1. CAN-SPAM Opt-Out Deadline: Unsubscribe requests must be processed within 10 business days.
  2. CAN-SPAM Fine Cap: Up to $43,792 per violation (inflation-adjusted).
  3. TSR ADS Consent: Prior express written consent is required before any autodialed or prerecorded call.
  4. DNC Scrub Frequency: Must be refreshed every 31 days.
  5. Robocall Definition: Any prerecorded message delivered via telephone, even if followed by a live-agent option.
  6. TRACED Act Penalty: Up to 5 years imprisonment for willful caller ID spoofing used in a fraudulent call.
  7. State DNC Supremacy: When a state law is more protective, it preempts the federal DNC rule.
  8. Transactional vs. Commercial Email: Adding a promotional element (discount, upsell) converts a transactional email into a commercial one.
  9. FTC Enforcement Tool: The FTC can seek injunctive relief, civil penalties, and consumer restitution for CAN-SPAM/TSR violations.
  10. Exam Trap: “All business-to-business calls are exempt from the DNC Registry” – FALSE; only calls to verified business lines not listed on the DNC are permissible.

Use this guide to audit your email and call campaigns, reinforce your compliance checklist, and ace the CIPP/US exam.