Bill also hates lawsuits, yet here he is, on the receiving end of a demand letter from an attorney threatening to file a class action complaint on behalf of his California customers. The demand letter claims that Bill’s company recorded its customers’ telephone calls without their consent, in violation of California law. Bill’s glare says it all. I suspect he’s disappointed that I didn’t warn him about this.

And then: “Why didn’t you warn me about this!?”

“This” is the growing number of California lawsuits brought against companies—regardless of where the companies are located—for violating two California call-recording statutes that are part of California’s Invasion of Privacy Act.

Like most employees of companies that sell consumer goods, Bill’s regularly interact with customers. When first starting out, it was just Bill and his business partner handling all calls. Then it was a few dedicated employees. Now it is both in-store employees as well as a call center with extended hours in downtown Albuquerque.

Bill recognized from the beginning that increasing his sales staff and hiring customer support people would challenge one of his core principles, that of providing excellent and personal customer service. Not only did Bill realize that he would likely have a higher turnover rate for his call center employees, but he also knew that they would need to be equipped to respond to issues that were not present before he started filling online orders, such as disputes over orders, shipping, taxes, and charges. Not that the new employees don’t care—they do—but they’re not Bill. They don’t get it like he does.

So, to ensure that every customer was treated properly and to identify employees that needed additional training, Bill wanted to record the incoming customer calls. He also thought that recorded calls would help him train the call center staff by allowing him to use real examples of both well-handled and not-so-well-handled calls. As an added benefit, Bill quickly learned that recordings were useful to resolve disputes that arose when a customer disputed what was said during a call and for the few times when a call center employee needed to confirm something that was said after the call had ended.

Bill brought us his plan to record incoming calls before he implemented it. We explained the applicable law—namely, the Wiretap Act, which governs call recording under federal law and permits recording so long as at least one party to the call consented, and New Mexico law, which is similar to laws in 37 other states in following the same concept.

Because Bill’s company would be a party to the call and would be doing the actual recording, he necessarily had one-party consent. So our initial thought was that Bill was in the clear and that there was no need to do anything else.

But we knew that Bill did business in all 50 states, so just to be sure, we dug deeper. And we were glad we did.

Bill provided us with some additional information on the types of calls that came into the call center. Many of the calls were not that sensitive, as people often called to check on the status of an order or ask general questions about inventory or shipping charges. But it was not unusual for callers to provide their customer numbers, addresses, and payment details. In addition, people sometimes shared little anecdotes and other personal details with the call center staff regarding the reasons for a purchase. At times, they would tell the customer service representatives personal details about family members or friends, such as clothing preferences or their desire to keep orders secret from other family members so as not to ruin birthday or holiday surprises.

In doing our research, we learned that 12 states, as well as the District of Columbia, require all participants in a communication to provide consent before the conversation can be recorded. Some of these laws are limited to “confidential” communications, while others apply more broadly to all conversations.

Attempting to sort out the patchwork of state laws and apply them to a business like Bill’s was quite a challenge. We decided to take the practical path of developing a compliance program to address the most restrictive (or at least the most often litigated) state laws. As a result, even though Bill had no intention of ever having a physical presence in California, we eventually recognized that, in effect, California law would control Bill’s decisions with respect to recording customer calls.

The California Invasion of Privacy Act (CIPA) was enacted in 1967 to protect the right of privacy of Californians. The California legislature declared at that time that “the development of new devices and techniques for the purpose of eavesdropping upon private communications . . . has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.” In setting out to curb abuses, California enacted Penal Code section 632, which requires all-party consent for recording confidential communications.

CIPA has been amended over the years, and it now includes section 632.7, which sets out an additional prohibition of the recording of any telephone call in which at least one of the recipients is using a cordless or cellular telephone. While section 632 is limited to confidential communications, section 632.7 omits the reference to “confidential communication,” with the result that some courts and commentators have interpreted CIPA to provide greater protection to people using wireless or cordless phones.

The interplay between sections 632 and 632.7 received little attention until enterprising members of the plaintiffs’ bar identified CIPA as a potentially lucrative target. Although it is, at its core, a criminal law, CIPA permits civil claims and provides statutory damages of $5,000 per violation, or treble damages if the plaintiff can show actual damages.

The Effects of California Law

So why would a New Mexico company with no physical presence in California nonetheless need to follow California law?

The reason is that in 2006, in Kearney v. Salomon Smith Barney Inc., 137 P.3d 914 (Cal. 2006), the California Supreme Court expanded CIPA to potentially reach nationwide. In that case, the Georgia branch of Salomon Smith Barney (SSB), a nationwide stock brokerage firm, recorded customer calls consistent with what it believed was the relevant state law (Georgia), which required only one-party consent. The named plaintiffs in Kearney were California employees of a nationwide telecommunications firm that required all employees wishing to exercise stock options to do so only through SSB’s Georgia branch. Thus, the plaintiffs all needed to call SSB in Georgia, and allegedly SSB recorded these calls without obtaining permission.

The case worked its way up to the California Supreme Court, which determined that California law—not Georgia law—should apply. Thus, SSB’s Georgia branch was obligated to comply with section 632 when recording calls from California customers.

While Bill’s business was significantly different in reach than SSB’s, we read Kearney with interest. It seemed odd to Bill, and to us, that California criminal law might govern a small business operating in another state that happened to deal periodically with California customers. Indeed, SSB’s lawyers thought the same thing and argued in Kearney that California could not govern SSB’s Georgia branch without running afoul of the U.S. Constitution, in particular, the “dormant” Commerce Clause.

For those who, like me, last thought about the dormant Commerce Clause in their first year of law school, the doctrine works like this: The Commerce Clause permits Congress to regulate interstate commerce, while leaving to states the power to regulate their own intrastate commerce. The flip side to this doctrine—the “dormant” part—is that a state necessarily has no power to make laws that operate outside its own borders. In other words, a state cannot make a law that extends beyond state lines.

In effect, SSB said that if the court adopted Kearney’s argument, California law would govern the entire country. All businesses would need to comply because the burden of screening for California customers would be too high. The court disagreed, suggesting that, on its face, California call-recording laws affected only a business’s undisclosed recording of telephone conversations with people in California. The court determined that it would be feasible for businesses to determine the location of their clients and that they could either rely on “caller ID” services to screen for calls originating from area codes associated with California or simply inquire where the client was calling from.

Of course, practicalities aside, with the growing prevalence of cellular phones, telephone number porting, and voice-over-Internet-protocol telephone offerings, it is simply no longer possible to use the area code of a telephone number as a proxy for location. Thus, while the Kearney court ducked the dormant Commerce Clause issue by saying it applied only to California calls, in practice, any business that conducts business with California residents over the telephone is at risk if it does not comply with CIPA.

As a result of our research and Bill’s desire not to surprise his customers, we all agreed that the prudent course for Bill would be to set up his phone system to route all incoming calls through an automated system. Because SSB was a national company with a physical presence in California, we weren’t sure how CIPA would apply to an out-of-state business with no brick-and-mortar presence in the state. While Bill may have had an argument that he needed only to comply with New Mexico law, Kearney and its progeny convinced him to implement a system to ensure that all callers would hear an automated notice before recording began: “This call may be recorded for quality-assurance purposes.”

Perhaps it was the added incentive of statutory damages of $5,000 per violation, but whatever the reason, Kearney seemed to mark a new chapter in litigation related to business recordings of telephone calls.

In the years that followed, many businesses have faced class action lawsuits under CIPA: financial service providers (like Capital One), hotel chains (like Wyndham and Hilton), security services (like ADT), and many others. Similar to Bill, some of the companies that have been sued appear to do little more than simply ship products into California—such as Sierra Trading Post, which was hit with a CIPA suit in August 2013. As these cases are litigated, they test several key elements of CIPA, with resulting clarity in some areas and growing uncertainty in others.

For example, the Ninth Circuit in Faulkner v. ADT Security Services, Inc., 2013 U.S. App. LEXIS 1108 (9th Cir. Jan. 17, 2013), held that courts will not simply assume that a communication is necessarily confidential. Instead, plaintiffs need to plead actual facts showing that a telephone conversation was, indeed, confidential. While Faulkner is a helpful case for businesses, its reach is limited because it does not address section 632.7 of CIPA governing wireless phones. In other words, though it is a recent decision, it may have little impact other than to focus litigation on the claims arising from section 632.7.

Mixed Messages

Many courts have said that CIPA has no confidentiality requirement for wireless phones . . . except when it does. In a 2012 case against Hilton Hotels, the plaintiffs alleged violations of both the corded and wireless sections of CIPA. There, the Central District of California granted Hilton’s motion to dismiss the complaint in its entirety, on the basis that a call to discuss a routine billing matter is not confidential. The court ignored the plaintiffs’ protestations that section 632.7 does not by its terms require confidentiality. While the Hilton court didn’t buy that argument, other courts have, including those overseeing cases against Best Western International and Vantage Hospitality Group. And plaintiffs continue to focus on section 632.7 as the statute with the best potential, as evidenced by recent complaints such as the one filed in the Southern District of California against Capella Hotel Group (a luxury hotel group with no properties in California), relying solely on CIPA’s cordless/wireless/mobile phone statute.

In addition to the uncertainty over confidentiality, some courts, such as the Southern District of California in a 2012 case, Sajfr v. BBG Communications, Inc., have held that CIPA contains an implied exception for service observation: the use of call recording by businesses to observe or monitor internal communications or customer service calls. The basic gist of this argument is that CIPA was intended to prohibit eavesdropping and not legitimate uses of call recording by businesses. But other courts, such as the Central District of California in Sentz v. Euromarket Designs, Inc., have not agreed.

Similarly confusing is that sometimes a business may be able to get consent for future recording in writing in a customer service agreement. For example, in White v. FIA Card Services, N.A., the plaintiff sued a banking association under section 632 for recording inbound and outbound calls without providing any warning. The calls captured sensitive personal information—such as credit card and Social Security numbers and home addresses—and the plaintiff alleged as much in the complaint.

However, FIA required all customers to sign a customer service agreement, which included a provision stating that FIA could monitor all telephone calls. In a 2013 opinion dismissing the complaint, the Southern District of California noted that this language was sufficient to put plaintiffs on notice that calls might be recorded, meaning that the calls were no longer confidential communications and that the plaintiffs had therefore consented. The court’s conflation of confidential communications and consent muddies the water and also creates uncertainty as to whether a terms of service agreement would be sufficient to obtain consent for section 632.7 as well.

And despite the pronouncement of the Kearney court, businesses continue to mount federalism objections as well, to no avail. In McCabe v. InterContinental Hotels Group Resources, Inc., for example, the defendant, a Georgia business, unsuccessfully argued that the federal Wiretap Act preempted California law because it was intended to create a federal regulatory scheme for call interception. Capital One made a similar argument in Nader v. Capital One Bank USA, stressing that the Communications Act was intended to regulate interstate phone calls, therefore preempting California law as it applied to Capital One because all of its recordings were made out of state. The Central District of California rejected Capital One’s argument on a motion to dismiss because the plaintiffs’ complaint never alleged that the recording took place outside California. The court was not prepared simply to accept Capital One’s assertion without more evidence, and it rejected its argument because, at least at the pleading stage, there was no interstate issue.

In other words, our research led us to conclude that the law is still developing in this area and that much uncertainty remains.

Dealing with Uncertainty

At least in part because of all the uncertainty, Bill had taken a belt-and-suspenders approach to compliance and thought that he was adequately protected from the risks of litigation. He considered not recording calls, and although that was an option, it would have meant forgoing the quality-assurance, training, and dispute-resolution benefits provided by recording call centers. (Certain types of businesses, like some financial services, are required to record certain calls, so they do not have the same option that Bill had of simply forgoing recording.)

Obviously, providing notice is a great way to comply with the law. Indeed, for a call center, it’s the only reasonable way. It is interesting, though: many businesses resist. And as we were about to learn, there are many areas where a business that wants to comply can come up short.

It seems like a simple, customer-friendly proposition—say the magic words and enter the golden world of lawsuit-free bliss. There is a cost, in terms of customer relations, customer service, and money. Implementing a system that ensures notice is always given is cumbersome, can detract from a business’s image, and takes time, all of which prolong the time required to address callers’ concerns and the length of the call. Businesses pay for usage, and even a seemingly small increase in the average length of a call can translate into increased labor and connection costs. After all, a business, such as a national hotel chain or cable provider, may receive tens, or even hundreds, of millions of calls per year. That’s millions of seconds of usage time. Thousands of hours. And hundreds if not thousands of days of usage. Suffice to say, it’s real money. And businesses need to decide whether their recordings will also capture the notice so as to eliminate a claim that the notice was not actually given. But doing so can also translate into thousands of hours of extra storage.

Overall, this simple solution of providing notice is not so simple.

And it doesn’t entirely remove the bull’s-eye. Case in point: Bill.

Because we had been diligent in identifying the risks up front and Bill had agreed to provide notice to callers, we were confident that the demand letter was a mistake. We nevertheless reviewed Bill’s business to determine what prompted the potential suit. We then set out to meet with counsel.

We first investigated whether the call center’s automated notification worked properly and consistently. As part of this process, we placed many calls and tried numerous methods to see if we could “evade” the notice, as we’d heard a few (perhaps apocryphal) stories in which customers sought to do so. We were relieved to confirm that no matter the sequence of buttons pressed, we always heard the notice before the call was connected to a customer service representative.

We next examined whether call center staff were properly providing notice on outbound calls, as we imagined there could be instances in which a staff member was distracted or forgot to provide notice. In so doing, we reviewed a sample of recorded calls, none of which revealed a failure to provide notice. Again, no apparent issues, but we realized that this was a weak link because we would not be able to prove that notices were always given in outbound calls.

Bill’s call center appeared fully compliant. So either the plaintiffs’ counsel was wrong or we were missing something. Because counsel proved through and through to be a consummate professional, we learned in early settlement discussions that the plaintiffs believed their calls placed directly with the brick-and-mortar store employees were being recorded without notice.

Sure enough, on further investigation, we discovered that Bill failed to ensure consistency across all telephone numbers associated with his business. For all its e-commerce success, Bill’s was also a brick-and-mortar store, and Bill had retained several local phone numbers, which bypassed the call center system and were routed directly to the store.

Because a customer is a customer, regardless of which line he or she calls, Bill records all calls to ensure consistency. But the automated notice wasn’t set up on the store lines. In addition, we discovered that even though Bill had instructed call center and store employees to notify customers that the call was being recorded whenever they made outbound calls, there were times when that procedure was not followed.

Bill also had concerns about other risks that might result from a lawsuit. For example, we suggested that we could argue, in a motion to dismiss, that customer service calls were not “confidential communications” and Bill’s company therefore could not have violated California Penal Code section 632. In addition, we believed that we could show that only a very small number of callers had not been provided with notice that their calls were being recorded. But we knew that a “lack of confidentiality” defense remained unsettled with respect to calls coming from a wireless phone and that identifying the number of cellular calls as well as those for which we could show that notice had been given would be a very time-consuming and expensive endeavor. Bill worried that making a blanket assertion that calls were not confidential might harm his firm’s reputation.

Bill was also rightly concerned about cost—not just the cost of fighting the lawsuit but also the cost of losing. At $5,000 per violation, it would not take many noncompliant calls to add up to significant liability. And we were simultaneously dealing with Bill’s insurer, who was disputing coverage under Bill’s general liability policies. Protracted litigation would be a drain on Bill’s finances as well as a diversion from running his business.

Narrowing the Exposure

Fortunately for Bill, it was relatively easy to narrow down the potential number of possibly noncompliant calls. While still larger than a full investigation would have likely uncovered, narrowing the universe to incoming calls to his local numbers and applying a reasonable factor to account for the proportion of California customers resulted in a significant reduction in exposure. In addition, Bill quickly implemented two steps to remedy the identified shortcoming: He used automated notice on inbound calls to speak with an in-store customer service representative, and he ceased recording outbound calls.

We explained Bill’s proposed changes to counsel, who, after some initial posturing, agreed that these changes addressed the issues at hand. Counsel also knew that he might struggle to ascertain a class as we’ve come a long way since Kearney. With the increase in number portability, area codes no longer serve as reasonable proxies for residence, so he would need to find some other mechanism to figure out which of the many customers who called Bill’s company did so from California. Of course, we also knew that figuring this out would likely involve burdensome and expensive discovery related to Bill’s recording practices and records.

It took quite a bit of convincing, and a few late night phone calls, to convince Bill to settle. In the end, it was an expensive lesson for Bill, but we reminded him that it could have been much worse.

A week later, we had the chance to share a beer with Bill, and he summarized his experience this way:

I had the best intentions and tried to do everything right. I just forgot about the local numbers and didn’t think it was important to review all points of communication with customers that may be recorded, not just the “call center.” I also didn’t pay as much attention as I should to outbound calls. I learned my lesson, though—I should have asked you to take a look at things earlier because it would have saved me money and stress, had I done so. It might be a little late, but I want you to come in and audit operations to identify any other areas of potential exposure in our call-recording operations. Maybe take a look at our agreements and privacy policy to see if there are other areas where we can shore up our practices and customer notice. After all, you know my motto: Lawyers are worth the investment because it saves money in the long run.

Yes, Bill really is the ideal client.