Privacy Advisor

Q & A: Ask the Privacy Expert

December 1, 2006

Ronald G. London

Q When must a company start keeping an internal "do-not-fax" list, and if it's mandated to do so, what other compliance steps are required?

A The potential need for companies that send commercial faxes to keep "do-not-fax" lists of recipients who ask to not receive further faxes arises under new rules recently adopted by the Federal Communications Commission (FCC) to implement the Junk Fax Prevention Act of 2005. This new requirement, along with others that include providing notice of the do-not-fax opt-out right and establishment of cost-free mechanisms for recipients to exercise that right, apply to the transmission of "unsolicited advertisements" to fax machines. Such faxes generally are prohibited under the law and FCC rules, and can be sent only if there is prior express permission or an "established business relationship" (EBR) exists between the sender and recipient.

First Determine If the Rules Apply to Your Situation

The first question companies that send faxes as part of their business should ask in preparing to adopt policies and procedures to ensure compliance with the "junk fax" rules is whether the rules apply in the first instance. The new law and FCC rules prohibit only "unsolicited advertisements," defined as "any material advertising the commercial availability or quality of any property, goods, or services … transmitted to any person without the person's prior express invitation or permission, in writing or otherwise." If a company sends only faxes that fall outside this definition, the prohibition - and the rules requiring either prior written consent or an EBR, as well as those pertaining to notice and honoring do-not-fax rights - do not apply.

In applying the definition, reference to a commercial entity does not by itself make a fax an ad. Thus a logo or business slogan on a fax does not alone convert it into an ad, so long as the fax's primary purpose is non-advertising, such as transmitting an invoice or account data. Similarly, messages that merely facilitate, complete or confirm a transaction to which the fax recipient previously agreed are not ads; conversely coupling such messages with information about new or additional business that advertises commercial availability or quality of goods or services can turn a fax into an unsolicited ad. Faxes for free goods and services that promote them, even at no cost, such as free subscriptions, catalogs, consultations, etc. are unsolicited ads.

Understand the Exceptions to the General Prohibition on Unsolicited Fax Ads

If faxes that a company wishes to send qualify as unsolicited ads, they are prohibited unless there is prior invitation of permission from the recipient for the fax, or an EBR with the recipient exists. "Prior express invitation or permission" may be oral or written, including electronic, but must (i) be express and given prior to sending any fax ad, (ii) include the fax number to which faxes may be sent, and (iii) not be in the form of a "negative option." You may request a fax number on an application form that includes a clear statement indicating that by providing the fax number, the applicant agrees to receive fax ads from the company. Consent cannot be obtained by fax in the first instance (unless an EBR predates the request for consent), and senders opting to obtain consent orally must take reasonable steps to ensure it can be verified.

Companies that send fax ads pursuant to an EBR are responsible for demonstrating the existence of the EBR. The FCC's rules do not require any specific records to satisfy this, but the burden is on the sender to show a valid EBR with the recipient. The FCC defines an EBR for fax purposes as a "prior or existing relationship formed by a voluntary two-way communication between a person or entity and a business or residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction" which "has not been previously terminated by either party." The inquiry or application must be about products or services offered by the entity, so an inquiry about store location or the identity of a fax sender, for instance, cannot alone form an EBR, nor does merely visiting a Web site without taking the further steps of requesting information or providing contact information. In addition, EBRs do not extend to affiliates of the entity with which the relationship is established.

When Relying on EBRs, Obtain Recipient Fax Numbers Properly

The other important component of relying upon the EBR exception is that senders must obtain the recipient's fax number properly. This means acquiring it directly from the recipient within the context of the EBR, or ensuring the recipient voluntarily agreed to make the number available in a directory, ad or Web site, or in other material accessible to the public. For example, fax numbers qualify if provided on applications, information requests, contact information forms, membership renewal forms, or business cards. It also is permissible to obtain the number orally over the phone or through a Web site maintained by the fax sender.

For directories, Web sites, etc., the number must come from the recipient's own directory, ad or Web site, and may come from the recipient's own letterhead or fax coversheet (unless the directory, Web site, etc., states the recipient does not accept unsolicited fax ads at the number). If the sender obtains the number from information compiled by third parties - i.e. membership directories, commercial databases or Internet listings - the sender must take reasonable steps to verify the recipient consented to have the number listed, such as calling or emailing the recipient. However, fax numbers in membership directories that require a fee to use do not qualify. In addition, the FCC has emphasized that senders must have an EBR with the recipient in order to send a fax ad - the mere fact that a recipient's fax number was available in a directory, Web site, etc., does not alone allow unsolicited fax ads, but rather is only a means of showing the number was provided "voluntarily by the recipient."

Adherence to FCC Rules for Fax Cover Sheets and Opt-Outs

Once a sender clears the written consent and/or EBR hurdle, the fax itself and company procedures related to it must adhere to FCC rules. At the outset, this means faxes subject to the rules, i.e., those constituting unsolicited ads, must include in the margin at the top or bottom of the first page, or on each transmitted page, the date and time sent, identification of the sender, and a telephone number of the sending machine or of the entity sending the fax. In addition, fax ads must contain a "clear and conspicuous" notice on the first page stating the recipient is entitled to request that the sender not send any future unsolicited ads and that failure to honor such requests within 30 days is unlawful. To be "clear and conspicuous," the notice must be apparent to a reasonable recipient, separate from ad copy or other disclosures at the top or bottom of the fax, distinguishable from ad content by, i.e. bold, italics, a different font, etc. For multi-page faxes, the first page must contain the opt-out notice, and if there is a cover page the FCC "encourages" inclusion of notice there as well.

The notice also must include domestic phone and fax numbers for recipients to make an opt-out request and at least one cost-free mechanism for doing so as well. The "cost free" opt-out mechanism may be a Web site address, email address, toll-free phone number, or toll-free fax number. A local number is deemed cost-free so long as the fax is sent only to local consumers for whom a call to the number would not result in long distance or other charges. For Web sites, the site must describe the opt-out mechanism and procedures on the first page. Senders must make the phone and/or fax number(s) available to accept opt-out requests 24 hours, 7 days a week. It also should be noted that, along with the cost-free mechanism, the opt-out notice must contain a domestic contact phone number and fax number as noted above, so if the cost-free mechanism is either a domestic toll-free phone number or toll-free fax number, the sender can satisfy both requirements. However, if the cost-free opt-out mechanism is a fax number, it must be separate and distinct from the (voice) phone number to reduce the likelihood that the line will be busy when opt-out requests come in.

The Recipient's Role and Honoring Do-Not-Fax Requests

Admittedly the foregoing involves quite a bit of minutia, but recipients must comply with certain requirements as well in order to have their "do-not-fax" opt-out requests honored. All opt-out requests must identify the phone number(s) of the fax machines to which the request relates, and must use the mechanism provided by the sender's opt-out notice. If an opt-out request fails to meet these criteria and/or comes in through a means other than that set out in a company's opt-out notice, there is no requirement to place the fax number on the do-not-fax list (although good customer relations probably favor adding the number anyway).

Where a fax recipient properly follows the requirements for stating an opt-out preference, the sender must comply within the shortest reasonable time, which in any case cannot exceed 30 days, and this effectively requires senders of unsolicited fax ads to start, maintain and update a "do-not-fax" list. It also means that senders able to honor do-not-fax requests in less than 30 days must do so. In addition, the sender must remove the fax number from its fax lists within the 30-day period, regardless of whether it believes the number may be used by more than one individual, and must honor opt-out requests made by a business even if doing so restricts faxes sent to all its employees. Once made, opt-out requests are effective indefinitely, even if the recipient who opted out continues to do business with or otherwise maintains an EBR with the sender, unless the recipient subse-quently provides express consent to resume faxing.

Ronald G. London is Of Counsel in the Washington, D.C., office of Davis Wright Tremaine LLP and is a contributor to the firm's Privacy and Security Law Blog. He has extensive experience providing compliance counsel and litigation support under federal and state law with respect to commercial and non-commercial telemarketing, fax and email campaigns. His practice focuses on Privacy & Security, First Amendment, and Communications Law.

This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.