Paubox blog: HIPAA compliant email made easy

Laws that affect text message marketing compliance

Written by Kirsten Peremore | February 06, 2024

The convenience of text messaging requires regulation to protect consumers and ensure fair practices. Different regulatory bodies have enacted various laws to address concerns ranging from privacy and consent to preventing spam and fraud. These laws, including the Telephone Consumer Protection Act (TCPA) and HIPAA, each shape how text messaging is used by businesses and organizations. 

 

Telephone Consumer Protection Act (TCPA)

Primary purpose

The TCPA’s primary purpose is to address many consumer complaints regarding unwanted telephone solicitations and certain practices using automated telephone equipment. The TCPA restricts the use of automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines. The TCPA was enacted by the United States Congress in 1991.

 

How does it affect text messaging marketing

  1. Prior express written consent (47 CFR 64.1200(a)(2)): Businesses must obtain explicit consent from individuals before sending promotional or marketing text messages. This consent must be in writing, indicating that the person agrees to receive such messages.
  2. Autodialer restrictions (47 U.S.C. § 227(b)(1)(A)(iii)): The TCPA restricts the use of autodialers, or automatic texting systems, to send texts to cell phones without the recipient's prior express consent. This is to prevent unsolicited messages.
  3. Do-not-call registry compliance (47 CFR 64.1200(c)(2)): While primarily related to calls, the principle of respecting the Do-Not-Call Registry also indirectly affects text messaging practices, encouraging businesses to avoid contacting numbers listed on the registry without prior consent.
  4. Identification requirement (47 CFR 64.1200(d)): Text messages must clearly state the identity of the business or individual sending the message. This helps recipients understand who is contacting them and for what purpose.
  5. Opt-out mechanism (47 CFR 64.1200(a)(4)): Each text message must provide a clear and easy way for recipients to opt out of future messages. This could be a reply text option like "STOP" to prevent any further messages.
  6. Time-of-day restrictions (47 CFR 64.1200(a)(1)): Text messages should be sent only during reasonable hours, typically between 8 a.m. and 9 p.m. local time of the recipient, to avoid intrusiveness.

See also: The guide to HIPAA compliant text messaging

Health Insurance Portability and Accountability Act (HIPAA)

Primary purpose

HIPAA's primary purpose is to improve the portability and accountability of health insurance coverage for employees between jobs, leading to its name. However, it has become more widely recognized for its provisions aimed at ensuring the confidentiality, integrity, and availability of protected health information (PHI).

HIPAA establishes rigorous privacy and security standards for handling PHI and mandates compliance by covered entities, including healthcare providers, health plans, healthcare clearinghouses, and their business associates. 

 

How does it affect text messaging marketing

  1. Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164): Requires that PHI be appropriately protected while allowing the flow of health information needed to provide high-quality health care. For text messaging, this means ensuring patient consent and minimum necessary use of PHI.
  2. Security Rule (45 CFR Part 160 and Subparts A and C of Part 164): Requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI, including that sent by text messaging:

    - Access Control (§164.312(a)(1))
    - Audit Controls (§164.312(b))
    - Integrity (§164.312(c)(1))
    - Transmission Security (§164.312(e)(1))


  3. Breach Notification Rule (45 CFR §§ 164.400-414): Requires covered entities to notify affected individuals, the Secretary of HHS, and, in some cases, the media of a breach of unsecured PHI. Text messages containing unsecured PHI that are intercepted or sent to the wrong recipient could constitute a breach under this rule, necessitating notification procedures.

See also: HIPAA Compliant Email: The Definitive Guide

 

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

Primary purpose

The CAN-SPAM Act’s primary purpose is to set national standards for the sending of commercial email, and it requires the Federal Trade Commission (FTC) to enforce these rules. Specifically, the CAN-SPAM Act aims to give recipients the right to have businesses stop emailing them and outlines penalties for violations. It also prohibits deceptive email practices by requiring senders to identify their messages as advertisements, include a valid physical postal address, and provide a clear way for recipients to opt out of future emails. The act covers all commercial messages, which the law defines as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." It was enacted on December 16, 2003.

 

How does it affect text messaging marketing

  1. Prohibition of false or misleading header information (15 U.S.C. § 7704(a)(1)): This section requires that the "From," "To," and routing information, including the originating domain name and email address, be accurate and identify the person who initiated the email. For text messages, this translates to the requirement that any commercial text must clearly and accurately identify the sender.
  2. Requirement of clear and conspicuous identification that the message is an advertisement (15 U.S.C. § 7704(a)(5)): This requires that emails clearly disclose if they are advertising. Although text messaging is not explicitly mentioned, the principle of clear disclosure applies, necessitating that commercial texts identify themselves as advertisements.
  3. Requirement to provide an opt-out mechanism (15 U.S.C. § 7704(a)(3)): The Act requires that emails include a mechanism for recipients to opt out of future emails. For texts, this means providing a clear way for recipients to stop receiving messages, such as texting "STOP."
  4. Requirement to honor opt-out requests promptly (15 U.S.C. § 7704(a)(4)): Senders must process opt-out requests within 10 business days. This requirement also applies to text messaging campaigns, where senders must ensure that opt-out requests are honored in a timely manner.
  5. Prohibition on sending messages to harvested email addresses (15 U.S.C. § 7704(b)(1)): While this section specifically addresses email, the underlying principle of not using automatically generated or harvested numbers for sending unsolicited messages can extend to text messaging practices.

See also: What is the CAN-SPAM Act and how does it impact healthcare email?

 

Children’s Online Privacy Protection Act (COPPA)

Primary purpose

The primary purpose of the Children's Online Privacy Protection Act (COPPA) is to protect the privacy of children under the age of 13 who use the internet. Specifically, COPPA aims to give parents control over what information websites and online services can collect from their young children. The Act requires operators of websites and online services, including apps, that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13, to obtain verifiable parental consent before collecting, using, or disclosing any personal information from children. It was enacted on October 21, 1998.

How does it affect text messaging marketing

  1. COPPA Rule 312.3 (Requirement for parental consent): Before collecting personal information from children, operators must obtain verifiable parental consent.
  2. COPPA Rule 312.4 (Notice to parents): Operators must provide direct notice to parents about their practices regarding the collection, use, or disclosure of personal information from children, including any information collected through text messaging.
  3. COPPA Rule 312.5 (Parental rights): Parents have the right to review the personal information collected from their children and to revoke consent, requiring the operator to stop further collection and use of the child's information.
  4. COPPA Rule 312.6 (Access to personal information): Operators must allow parents to review the personal information collected from their child and to request its deletion.
  5. COPPA Rule 312.8 (Security requirements): Operators must maintain the confidentiality, security, and integrity of personal information collected from children, including data collected through text messaging.

 

Federal Trade Commission (FTC) Regulations

Primary purpose

The primary purpose of the FTC Act is to prevent unfair methods of competition and unfair or deceptive acts or practices in the marketplace. It established the Federal Trade Commission on September 26, 1914, granting it the authority to enforce antitrust laws and promote consumer protection. The FTC Act ensures the nation's markets function competitively and are free of undue restrictions. It also protects consumers from misleading advertisements, fraudulent practices, and other deceptive business practices. 

 

How does it affect text messaging marketing

  1. Section 5(a) of the FTC Act (15 U.S.C. § 45(a)) prohibits "unfair or deceptive acts or practices in or affecting commerce." The FTC has used this broad provision to address deceptive marketing practices through text messages, including false claims, misleading advertisements, and scams.
  2. Section 5(m)(1)(A) of the FTC Act (15 U.S.C. § 45(m)(1)(A)) gives the FTC authority to seek civil penalties for violations of rules that define acts or practices as unfair or deceptive. This can include rules related to text messaging practices that are found to be deceptive or unfair.

The FTC has also used its authority under the FTC Act to enforce other laws that directly impact text messaging practices, such as:

  • The CAN-SPAM Act: While primarily focused on email, the CAN-SPAM Act's provisions on commercial messaging have been extended by the FTC to include commercial text messages. The FTC's regulations under the CAN-SPAM Act require clear labeling of messages, opt-out mechanisms, and other consumer protections that apply to text messaging.
  • The Telemarketing Sales Rule (TSR): Although the TSR mainly addresses telephone calls, its principles against deceptive and abusive telemarketing practices have implications for text messaging, especially when texts are used for telemarketing purposes.

FAQs

Can businesses send text messages to anyone who has provided their phone number?

Under the TCPA, merely providing a phone number is not consent for promotional text messages. Explicit permission must be obtained, indicating that the individual agrees to receive marketing texts.

 

What are the penalties for violating these text messaging laws?

Penalties vary by law but can include fines ranging from hundreds to thousands of dollars per violation. For example, TCPA violations can result in fines of $500 to $1,500 per unsolicited message.

 

Are there exceptions to these laws for certain types of messages?

Yes, informational messages, such as appointment reminders or service notifications, may not require prior consent under certain laws like the TCPA. However, businesses must still comply with privacy and security requirements under laws like HIPAA.