The CFPB’s final debt collection rule covers email communications with consumers. In this first article of a three-part series, we break down the relevant provisions on email requirements. Editor’s note: This article is available for members only.
2/17/2021 15:00
The Consumer Financial Protection Bureau’s final rule (Regulation F) provides welcome guidance on email communications with consumers. And while it certainly doesn’t solve every problem facing the industry when it comes to email, there’s no doubt that for debt collectors who want to communicate with consumers via this medium, the rule provides some direction.
This three-part series provides a breakdown of the final rule’s “safe harbor” email procedures, which will be codified at 12 C.F.R. Section 1006.6(d)(3) and (d)(4)(i)-(iii). Here, we cover the general principles, requirements, and prohibitions that apply to all emails sent under the Reg F “safe harbor” email procedures.
As a general principle, debt collectors should note that the CFPB used Reg F to give consumers the power of choice when it comes to communication methods. With respect to email, this means the power to expressly or impliedly opt in to email communications to certain email addresses. By the same token, as discussed below, the CFPB has required debt collectors to include in every email communication a clear and conspicuous, reasonable and simple method by which the consumer can opt out of continued communications to that email address.
Big Principle: The So-Called “Safe Harbor”
As part of the electronic communications provisions in Reg F, the CFPB has provided a “safe harbor” to protect debt collectors in the event of inadvertent third-party disclosures when using email in accordance with the three sets of email “safe harbor procedures” specified in Reg F.
But debt collectors need to know up front that this isn’t a true safe harbor.
Rather, as the CFPB states in a footnote right at the beginning of the October final rule, the so-called safe harbor for emails merely provides that a debt collector who uses the email procedures specified in the rule “may have bona fide error defense to civil liability” under FDCPA Section 813(c), codified at 15 U.S.C. 1692k(c). Accordingly, “for ease of reference,” the bureau refers to these email procedures as “safe harbor procedures.”
So it’s important to understand that the Reg F “safe harbor” email procedures provide limited cover only for inadvertent third-party disclosures—i.e., only for inadvertent violations of FDCPA Section 805(b), codified at 15 U.S.C. 1692c(b)—that may occur when communicating with a consumer via email. That’s it.
To take advantage of the limited bona fide error protection that the Reg F “safe harbor” email procedures offer, a debt collector must adopt its own procedures to “reasonably confirm and document” the debt collector’s compliance with Section 1006.6(d)(3). Under that provision of the rule, in the event of an inadvertent third-party disclosure, the debt collector’s policies and procedures must “confirm and document” that the email giving rise to the claim:
- was sent to an email address authorized via one of the three Reg F email procedures set forth at Section 1006.6(d)(4)(i)-(iii); and
- was not directed to an email address that the debt collector knows has led to a prohibited third-party disclosure in the past.
The three Reg F email procedures referred to above appear at Section 1006.6(d)(4)(i), (ii), and (iii). They are, respectively:
- Procedures based on communication between the consumer and the debt collector;
- Procedures based on communication by the creditor, which requires a detailed notice from the creditor to the consumer that meets specific requirements set forth in the rule; and
- Procedures based on communication between the consumer and the prior debt collector.
Each of these email procedures give the consumer an opportunity, either expressly or impliedly, to opt in to receiving email communications from a debt collector via a specific email address. (And, as discussed above, they all come with the requirement of a reasonable and simple way to opt out of receiving additional emails at that specified email address.)
Big Requirement: An Opt-Out Mechanism
The opt-out requirement applies to all communications and attempts to communicate about a debt with a consumer via email. The rule states, at Section 1006.6(e), that debt collectors must include in every email to a consumer about a debt “a clear and conspicuous statement describing a reasonable and simple method by which the consumer can opt out of further electronic communications or attempts to communicate by the debt collector to that [email] address . . . .”
So the rule tells us that the opt-out mechanism must be “reasonable and simple,” but what does that mean? According to the official interpretations, it means that the opt-out can be a hyperlink in the footer, e.g., “Click here to opt out of further emails to this email address,” or it can be an instruction in the email that the consumer can opt-out by replying with the word “STOP” in the subject line. But it cannot be a mechanism that requires a consumer to opt out via mail, telephone, or a website—unless the email includes a hyperlink to that website. For more information, including the CFPB’s examples, see the comments 6(e)-1.i-iii at Supplement I.
In short, you need to make your opt-out mechanism as simple as possible for the consumer.
Whatever the exact mechanics of your opt-out mechanism, that mechanism must be communicated in every email to the consumer via a “clear and conspicuous statement.” The CFPB has defined “clear and conspicuous” to mean not only “readily understandable” but also—when applied to written communications like emails— “readily noticeable and legible to the consumer.” And while the rule doesn’t specify a minimum font size here, it’s best to keep it simple.
Note that the opt-out mechanism in the email cannot require—directly or indirectly—that consumer “pay any fee” to opt out, nor can it require that consumer “provide any information other than the consumer’s opt-out preferences,” which expressly include the email address to which the opt-out request applies.
At the same time, the rule does not expressly prohibit a request (as opposed to a requirement) in the opt-out mechanism that the consumer provide optional information about his or her communications preferences. But given the prohibition against requiring the consumer to “provide any information other than the consumer’s opt-out preferences,” debt collectors will want to be crystal clear about the fact that any request for the consumer’s communication preferences in an opt-out mechanism does not need to be completed in order for the consumer to opt out and that the consumer can complete the opt out without providing the requested optional information.
We’ll dive into the three Reg F email procedures in depth in the next installment of this series, but before we do, let’s cover one big twist in these procedures: emails to a consumer’s employer-provided email address.
Emails to a Consumer’s Workplace
As a general matter, Reg F prohibits debt collectors from directing emails to a consumer’s workplace by means of a general prohibition on emails to employer-provided email addresses. That may sound simple enough but there is more to the requirement. The general prohibition appears in Section 1006.6(b)(3), but it’s not mentioned explicitly in the provisions pertaining to the “safe-harbor” email procedures.
The bureau does, however, provide an explicit cross reference in the official interpretations at comment 6(b)(3)-2, regarding prohibitions on communications directed to a consumer at his or her place of employment, to ensure that you don’t miss this potential trap.
That cross reference at comment 6(b)(3)-2 directs you to comment 22(f)(3), which states that under the “unfair and unconscionable” provisions of 1006.22, the general prohibition on sending an email to a consumer’s employer-provided email address does not apply—even if the debt collector knows the email address to be an employer-provided email address—if the debt collector uses an email address described in the email procedures based on communications between the consumer and the debt collector (i.e., Section 1006.6(d)(4)(i)) or the email procedures based on communication by the prior debt collector (i.e., Section 1006.6(d)(4)(iii)).
The bureau’s theory here goes like this: Under 1006.6(d)(4)(i), the consumer has either impliedly consented to the use of the employer-provided email address for communications with the debt collector by sending the debt collector an email from that address or has affirmatively consented to the use of the employer-provided email address by granting the debt collector express permission to send an email to that email address.
Likewise, if the debt collector’s proceeding under 1006.6(d)(4)(iii), relying on procedures based on the consumer’s communication with the prior debt collector, the prior debt collector would have satisfied one or the other of these same implied or the express consent requirements.
Procedures based on communication by the creditor (i.e., 1006.6(d)(4)(ii)), are not included in this exemption for emails to consumers’ employer-provided email addresses.
In fact, those email procedures based on communications by a creditor expressly prohibit a debt collector from sending emails to consumer’s email addresses that the debt collector knows to be employer-provided. See Section 1006.6(d)(ii)(E) (prohibiting emails based on the “communication by creditor” procedure where the email address “has a domain name that is available for use by the general public, unless the debt collector knows the address is provided by the consumer’s employer.”)
And again, nothing’s easy: The rule provides two comments about the employer-provided email provision of Section 1006.6(d)(ii). First, it specifies that a “domain name of an email address . . . available for use by the general public” means that multiple members of the general public can use that email domain, either for free or via paid subscription.
But an email domain available for use by the general public does not include one “reserved for use by specific registrants, such as a domain name branded for use by a particular commercial entity (e.g., [email protected]) or one reserved for particular types of institutions like government agencies, educational institutions, or nonprofits (e.g., [email protected], [email protected], or [email protected]).” See comment 6(d)(4)(ii)(E)-1.
Comment 6(d)(4)(ii)(E)-2 provides—quite obviously—that a debt collector knows that a consumer’s email address is employer-provided if the consumer has told the debt collector that information. But, comfortingly, it additionally clarifies that Section 1006(d)(4)(ii)(E) “does not require a debt collector to conduct a manual review of consumer accounts to determine whether an email address might be employer provided.”
So, when communicating with a consumer by email, go ahead and use that employer-provided email address if you’re relying on either of the procedures for express or implied consent from the consumer to the debt collector or to a prior debt collector, but not if you’re relying on the procedure in which the consent to send an email to a consumer at an employer-provided email address arises from communications with the creditor.
Effective Date
These email procedures and the attendant “safe harbor” technically take effect, like the rest of the rule, on Nov. 30, 2021. But because the email procedures do not reflect hard requirements, agencies may begin relying on them prior to that date—understanding, of course, that the “safe harbor” provided is not a pure safe harbor but rather sets the foundation for asserting a bona fide error defense.
It seems just as likely that a court will “bless” the safe-harbor procedures before the rule’s effective date as after, provided that the debt collector has undertaken the appropriate steps to create a policy and procedure that accords with Section 1006.6(d)(3).
Members can read more about the communication requirements in the CFPB’s final debt collection rule here as well as news and archived ACA Huddle recordings on the CFPB Rule Resource Center. ACA International also developed a comparison chart on part one of the rule as well as part two.
In the next installment of this series, we’ll take a closer look at the two “safe harbor” email procedures that rely on communications between a consumer and a debt collector, set forth in Section 1006.6(d)(4)(i) and (iii).