Despite new laws, don’t expect robocalls to stop anytime soon

Californians spending the vast majority of their daily hours at home to avoid the infections from the COVID-19 virus are a target for a different pestilence -- robocalling.

Every year, billions of auto-dialed robocalls are placed to consumers, some of which are legitimate calls with recorded announcements from law enforcement, charities or political campaigns. An increasing number, however, are "spoofed" calls whereby the caller falsifies caller ID information to deceive the recipient into thinking the call is from government agencies, vendors or someone else that they know. Reported examples include spoofers masquerading as representatives from the Internal Revenue Service, Social Security Administration, local electrical and gas utilities, and law enforcement offices. The spoofed calls use pre-recorded messages that instruct the recipient to press a certain number to speak to an agent who attempts to scam the consumer out of money or sensitive personal information.

The Federal Trade Commission reports that 70% of fraudulent schemes perpetrated against consumers utilize telephone calls and in 2019, fraudulent spoofed calls reportedly resulted in the loss of more than $10 billion dollars to American consumers. California receives the second highest number of robocalls in the nation (Texas receives the most robocalls of any state). Los Angeles, San Francisco, San Diego and Riverside are listed in the top 20 cities receiving the highest volume of robocalls in the United States. Experts estimate that this year, as much as 40% of all calls received in the United States are fraudulent calls.

The Federal Communications Commission has tried to stop robocalls with reactive regulations designed to stop calls after the fact such an allowing voice service providers to block calls they believe are fraudulent. See Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket No. 17-59, Report and Order and Further Notice of Proposed Rulemaking, 32 FCC Rcd 9706, 9709, para. 9 (2017). The FCC has also imposed penalties on robocallers. In 2018, the FCC fined Adrian Abramovich and his companies Marketing Strategy Leaders, Inc., and Marketing Leaders, Inc., $120 million for placing 96,758,223 illegal spoofed robocalls during a three-month period in 2016. FCC-18-58, 33 FCC Rcd 4663 (2018).

In response to the runaway problem of robocalls, the California Legislature passed, and Gov. Gavin Newsom signed into law in October 2019, the California Call Protection Act. The CCPA adds a brief section to the California Public Utilities Code requiring voice service providers to implement by Jan. 1, 2021, the boozy sounding STIR/SHAKEN technology. Secure Telephony Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN) protocols ensure that the caller ID information transmitted with a call over an internet protocol network matches the actual caller's number so that the caller cannot masquerade as someone else.

While well intended, the CCPA is likely to cause confusion. For starters, it has an identical acronym to the 2018 California Consumer Privacy Act, which enables California consumers to determine what personal information is collected by companies, how that data will be used and to block the sale of such data. There's also the similar CPRA, the California Public Records Act, which entitles California consumers to obtain information held by government agencies.

The new CCPA also raises questions about enforcement and effectiveness. The statute will be enforced by the California attorney general, with assistance from the California Public Utilities Commission. Unlike the other CCPA, there is no private right of action for a customer who has received robocalls to file a lawsuit to enforce the new CCPA. California Public Utilities Code Section 2893.5(c). So a consumer must wait for the California attorney general to bring an enforcement action, but a voice service provider may raise a defense by demonstrating that it made a "good faith effort" to comply. California Public Utilities Code Section 2893.5(d). The statute does not define what constitutes a good faith effort.

To be effective, the STIR/SHAKEN technology must be implemented throughout a voice provider's network nationwide because the spoofer could be calling from another state. If STIR/SHAKEN were implemented only in the California portion of the network, it will be minimally effective and only against intrastate calls.

The FCC has also issued an order requiring communications companies to implement the STIR/SHAKEN protocols. FCC Order 20-42. The problem is that the FCC rules don't take effect until June 30, 2021, six months later than the CCPA. The FCC set the June 2021 deadline after conducting a comprehensive assessment of the status of STIR/SHAKEN implementation across a diverse set of large and small, rural and urban providers and concluded that it was not technically feasible for many smaller service providers to meet an earlier deadline.

To be effective, all communications companies need to implement the technology so that spoofers can't simply move to a different network to evade the STIR/SHAKEN technology. It is dubious that the CCPA will actually benefit California consumers by requiring the anti-spoofing technology six months earlier than federal rules. Neither the California AG nor the CPUC have issued rules on how they plan to enforce the CCPA or any guidance to communications providers grappling with inconsistent regulatory requirements.

So for now, Californians should assume that the Caller ID on a call may be fraudulent and never give out personal information or money in response to an incoming call. Always ask the caller for a number and call the person back. If the caller hesitates, let Mr. Dial Tone or Dead Air do the talking. 