On October 2, 2019, California Governor Gavin Newsom signed the Consumer Call Protection Act of 2019 (the “Act”). The Act aims to identify and prevent those engaging in deceptive robocalls from defrauding Californians. To achieve this goal, the California legislature has put the onus on telecommunications service providers. Although other states have also recently passed robocall legislation, the California law is significant because it puts the burden of compliance on service providers as opposed to dialers.
The Act requires service providers (on or before January 1, 2021) to implement “alternative technology that provides comparable or superior capability to verify and authenticate caller identification for calls carried over an internet protocol network.” A “good faith effort” to comply with this requirement will be a defense to a claim for violating the Act. See Public Utilities Code Section 2893.5(d). For example, if a service provider implements Secure Telephony Identity Revisited (STIR) protocols and Secure Handling of Asserted information using toKENs (SHAKEN) protocols on or before January 1, 2021, the statute considers this to be a “good faith effort.” Id. STIR/SHAKEN protocols use digital certificates to ensure that the calling number is accurate and has not been spoofed.
The Act’s authentication requirement is similar to the proposed federal legislation set forth in United States Senate Bill 151, the TRACED Act. The TRACED Act proposes to vest the FCC with the authority to provide a “call authentication framework” and “help protect a subscriber from receiving unwanted calls or texts from a caller using an unauthenticated number.” See Senate Bill 151. However, after passing the Senate, the TRACED Act is still sitting with the House Committee on Energy and Commerce. Therefore, the California Act resembles its federal counterpart but will be the first to take effect.
The Act does not contain a private right of action, and therefore, individual consumers cannot file lawsuits against service providers. This does not bar the possibility that a subsequent bill may seek to amend the law to create a private right of action. [As some may recall, California legislators recently sought to expand the scope of the California Consumer Privacy Act (“CCPA”) by creating a private right of action in Senate Bill 561.]
The Act enables the California Public Utilities Commission (CPUC) and the Attorney General (AG) of California to “take all appropriate actions to enforce that section and any regulation promulgated under that section.” In addition, the law provides that the CPUC may, at the request of the AG, work with the AG for the purposes of enforcing the TCPA provisions that specifically provide state authority (i.e., 47 U.S.C. §227(e), (g)). Finally, the new law specifically provides that it does not (a) require a telecommunications service provider to employ call blocking, (b) limit any right otherwise permitted by law and (c) otherwise expand the power of the CPUC.
Telecommunication service providers should take adequate precautions to avoid enforcement actions from the CPUC or the AG. By implementing STIR and SHAKEN protocols by January 1, 2021, service providers can avoid liability under the Act.