Continuing our series of blog posts breaking down the CFPB's final debt collection rule, we now discuss the use of email and text messages, and how to qualify for a safe harbor from civil liability for unintentional third party disclosures resulting from these types of communications.

In terms of the frequency of email and text messages, the final rule does not set any hard limit. However, Section 1006.14(a) sets forth a general standard that prohibits a debt collector from engaging in conduct, the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt. The rule's commentary makes clear that while not subject to a hard, numerical limitation, text messages and emails, either alone or in combination with other communication types, may result in harassment, and therefore, violate the FDCPA. Section 1006.6(e) also requires that each of a debt collector's emails and text messages include clear and conspicuous instructions for a reasonable and simple method by which a consumer can opt-out of receiving further emails or text messages.

Turning to the available safe harbors for unintentional third party disclosures, the final rule treats email and text messages separately, and the safe harbor options for text messages are much narrower than those for email. With respect to email, Sections 1006.6(d)(4)(i)-(iii) provide three "safe harbor" procedures under which a debt collector may send an email to a consumer.

Under the first procedure—communication between the consumer and the debt collector—a debt collector may send an email to an address if the consumer used the address to communicate with the debt collector about the debt (as opposed to marketing or other advertising materials) and the consumer has not opted out of communications to that email. Alternatively, the debt collector may send an email to an address if the debt collector received prior consent directly from the consumer to use the email and the consumer has not since withdrawn that consent. See  § 1006.6(d)(4)(i). The Official Commentary further states that if the consumer provides his or her email address to the debt collector through an online portal or through some other method, the debt collector may treat the provision of this address as consent to use the address for communications, but only if "the debt collector discloses clearly and conspicuously that the debt collector may use the email address to communicate with the consumer about the debt."

The second procedure—communication by the creditor—requires the creditor to send an opt-out notice that informs the consumer that the debt has been or will be transferred to the debt collector, that the collector might communicate using the consumer's email address, and that if others have access to the email address, such communications could be seen. The creditor must then provide a simple and reasonable method for opt-out and a deadline that is no sooner than 35 days after notice is sent for when the creditor or debt collector must receive the opt-out request. This opt-out notice can be sent to the email address for which transfer of consent is sought. Additionally, although the final rule does not place a time limit for when the opt-out notice must be sent, the CFPB indicates in the discussion of the rule that creditors should send the notice close in time to the placement of the debt with the debt collector. The CFPB has suggested, but not mandated, model notice language for notices sent via mail and email. Finally, consent can be transferred only for addresses that are on domains that are "available for use by the general public," unless the debt collector is informed by any person that the address is provided by the consumer's employer.

Under the third procedure—communication by the prior debt collector—a debt collector may send an email to an address if the immediately prior debt collector obtained the address under the first two procedures, the immediately prior debt collector used the email address to communicate with the consumer about the debt, and the consumer did not opt-out of such communications.

With respect to text messages, under Section 1006.6(d)(5), the rule does not provide a safe harbor for the transfer of consent for such messages from a creditor or other debt collector. Instead, the final rule states that a debt collector may qualify for one of two available safe harbors.

First, section 1006.6(d)(5)(i) provides that a debt collector may send a text message to a number the consumer used to communicate with the debt collector about the debt by text message (by telephone is not sufficient to provide consent) and the consumer has not since opted-out from receiving text message communications to that telephone number. The debt collector must also show that within the past 60 days, either the consumer sent a text message to the debt collector, or the debt collector confirmed, using a complete and accurate database, that the telephone number has not been reassigned since the date of the consumer's most recent text message. The Official Commentary provides that the database established by the FCC in In re Advanced Methods to Target & Eliminate Unlawful Robocalls (33 FCC Rcd. 12024 (Dec. 12, 2018)) qualifies as a complete and accurate database, as does any commercially available database that is substantially similar in terms of completeness and accuracy to the FCC's database (although the Commentary also notes that the FCC database was created because the existing commercial databases were not  complete).

The second option is described is Section 1006.6(d)(ii). This option allows a debt collector to send a text to a telephone number if the debt collector directly received from the consumer prior consent to use the telephone number to communicate via text, and the consumer has not withdrawn that consent. The debt collector must also show that within the past 60 days either the consumer sent a text message to the debt collector or otherwise renewed consent, or the debt collector, using a complete and accurate database, confirmed the telephone number had not been reassigned since the date of the consumer's most recent text message.

The CFPB also provided guidance in the supplementary information regarding opt-outs. In terms of timing, the CFPB explained that it was declining to impose a specific period of time in which debt collectors could update their systems to effectuate an opt-out, although it considered periods ranging from 24 hours to ten days. However, the CFPB did state that a collector that unintentionally communicates with a consumer after receiving, but before processing, an opt-out may have a bona fide error defense to civil liability. While this gives debt collectors some flexibility and accommodates the varying operational capabilities across the industry, the lack of specific guidance on this issue may result in increased litigation.

Under Section 1006.6(d)(4)(ii)(C)(4), email and text opt-out methods must be reasonable and simple. The CFPB declined to specify what, exactly, "reasonable and simple" means. Importantly, the consumer cannot be required to pay any fee to opt-out, such as by requiring opt outs to be sent via certified mail. The CFPB does provide examples in the Official Commentary that make clear that what constitutes a reasonable and simple method will, in part, be determined by the method by which the notice is sent. For example, if notice is sent in writing, providing the consumer with an opt-out form and a pre-addressed envelope would be reasonable and simple, whereas requiring the consumer to call or write to request an opt-out form would not be. If notice is sent electronically, a hyperlink or responding with the word "STOP" would be reasonable and simple, but not requiring the consumer to opt-out via mail, telephone or visiting a website without providing a link is not.

Regarding consumer consent to receive text messages and the intersection with the Telephone Consumer Protection Act, it should be noted that the CFPB specifically declined to clarify how the final rule interacts with the TCPA, particularly with respect to the transfer of consent from the creditor to the debt collector. It is possible (but not guaranteed) that the TCPA consent transfer principles may provide a platform for transferring consent from creditors to collectors. However, given that Regulation F as finalized is focused on giving consumers control over debt collection communications and does not provide for the transfer of consent for text messages, the case law interpreting the TCPA may not prove to be informative.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.