FTC Beat
Archive for the ‘Communications Law’ Category
May 20
2014

Sprint Gets a Wallop of a Reminder – Company-Specific Do Not Call Lists Still Matter – $7.5 Million Record Do Not Call Consent Decree

Yesterday, the Federal Communications Commission (“FCC”) announced a consent decree with Sprint Corporation for federal do not call violations. Specifically, under the terms of the agreement, Sprint will make a $7.5 million “voluntary contribution” to the United States Treasury.  This payment represents the largest do not call settlement reached by the FCC.  Sprint also agreed to various ongoing compliance initiatives, including enhanced training and reporting requirements.  Importantly, the action also serves as an important reminder on an often overlooked section of the do not call rules – the requirement that companies maintain and abide by “company-specific” or internal do not call lists.

Under the federal do not call rules, organizations making telemarketing calls to residential customers (including mobile phones) are required to scrub the federal do not call database before initiating those calls, unless the calls meet certain exceptions – the called party has an existing business relationship (“EBR”) with the caller or has provided prior express consent for the calls or the call is from a tax-exempt non-profit.  Of course, as we have written before, there are additional requirements for autodialed or prerecorded calls to mobile mobiles and prerecorded telemarketing calls to residential lines.

Another, sometimes overlooked requirement is that companies making permissible calls (for instance, after scrubbing the do not call database or with an existing business relationship or prior express consent) must maintain an internal, company-specific do not call list where companies log individuals’ subsequent requests not to be called.  In other words, even if a consumer has an existing business relationship or has given prior express consent to be called, once the consumer tells the company not to call again, that request trumps the existing business relationship/prior consent or the do not call scrub.  This company-specific do not call request must be implemented within 30 days and  honored for five years from the date the consumer made the request.  (The federal do not call registration, in contrast, lasts indefinitely).  A company must also have a do not call policy, available upon request.

In 2009, the FCC investigated Sprint for do not call violations relating to the company-specific do not call list.  Sprint subsequently settled that enforcement action in 2011 through a consent decree (which included a $ 400,000 payment).  The decree required Sprint to report to the FCC’s Enforcement Bureau, for two years, any noncompliance with the consent decree or the FCC’s company-specific do not call rules.

In March 2012, Sprint disclosed to the FCC that it had discovered additional issues involving human error and technical malfunctions relating to Sprint’s or its vendor’s do not call processes that caused potential noncompliance with consumers’ do not call or do not text preferences, or prevented the timely capture of the preferences.  Sprint represented that it had subsequently implemented improvements in its do not call data management systems.  It had also ceased telemarketing and text campaigns to investigate the issues.  The FCC investigated Sprint’s do not call compliance and ultimately entered into this record-setting $7.5 million settlement.

Under the terms of the consent decree, in addition to the settlement payment, Sprint will designate a Compliance Officer to administer a new compliance plan and to comply with the consent decree.  Sprint also must implement a compliance manual which will instruct “covered personnel” (including Sprint personnel and independent contractors who provide telemarketing services for Sprint) on Sprint’s do not call policies.  The consent decree further requires Sprint to establish and maintain an annual compliance training program, and to file several compliance reports with the FCC at designated time frames.  Significantly, Sprint acknowledges that actions or inactions of any independent contractors, subcontractors, or agents that result in a violation of the company-specific do not call rules or the consent constitute an act or inaction by Sprint – in other words, Sprint is specifically on the hook for third parties’ actions.

The consent decree and $7.5 million payment serve as a useful reminder of the company-specific do not call rules.  Once a consumer indicates they do not wish to receive further telemarketing calls or texts, the FCC’s rules require that the telemarketer place that consumer on its internal, company-specific do not call list.  This consumer requests trumps even an established business relationship or prior express consent.  It can only be revoked by subsequent express consent – which we would recommend be in writing.  Even if a consumer does business with your company every day, if he or she has asked not to receive telemarketing calls – don’t call!  Compliance with the company-specific do not call rule means your organization does not call someone who has indicated they do not want to be called.  And, it can also save your company great time, resources, and money spent defending private litigation or an FCC enforcement action.  Further, if your organization utilizes third parties for telemarketing campaigns, your company should make sure the third party is taking do not call requests, logging them, and passing those to your company for future campaigns.

May 19
2014

TCPA Plaintiff Loses—Express Consent Given to Health Insurance Plan Trumps Claim

In a recent case in the U.S. District Court for the Eastern District of Missouri, the district court held that the plaintiff’s Telephone Consumer Protection Act (“TCPA”) claim should be dismissed. The court ruled that the plaintiff gave prior express consent when she agreed to the terms of her health insurance plan, which stated that the company could share her number with other businesses who work for the plan.

The plaintiff Suzy Elkins enrolled to receive prescription benefit management services through a group plan offered by her employer. The plaintiff then reenrolled after her employer changed plans to receive prescription management services from the Defendant, Medco Health Solutions, Inc. (“Medco”) through Coventry Health of Missouri (“Coventry”). On the reenrollment form, Elkins provided her cell phone number as her home phone number and certified that the information she provided was true and accurate. Ms. Elkins refilled several prescriptions using Medco’s retail pharmacy network.

Elkins filed a complaint alleging that the automated and prerecorded calls she received from Medco through her enrollment in her employer’s health insurance plan, Coventry, violated the TCPA’s prohibition on autodialed/prerecorded calls to mobile phones and the federal “do not call” rules. Elkins had registered her number in the federal do not call database. Elkins alleged that Medco called her cell phone twice utilizing autodialed, prerecorded calls in an attempt to sell prescription medications. Medco claimed that it was attempting to make Elkins aware of certain pharmacy benefits, such as obtaining refills at reduced prices. Both parties disputed whether the calls were actually autodialed or prerecorded, and the court did not address that issue.

Instead, the district court found that the plaintiff’s TCPA claim was barred because she gave her express prior consent to be called at the number she provided when she gave that number at the time of enrollment as hercontact number related to healthcare benefits. The court noted that the Certificate of Coverage that the plaintiff agreed to with Coventry stated that Coventry could use or share her personal information with “other businesses who work for the Plan . . . [t]o tell you about treatment options or health related services.” The Certificate of Coverage also provided that members have certain rights including the right to ask for restrictions.However, the plaintiff never provided notice requesting that she not be contacted at that number with respect to her health benefits.

The court concluded that the calls that were the basis of the complaint were made by a pharmacy benefits specialist on behalf of her existing health plan regarding the pharmacy benefits she was receiving on an ongoing basis. The court reasoned that the provision of her cell phone number reasonably evidenced prior express consent by the plaintiff to be contacted at that number regarding pharmacy benefits.

The district court also found that the plaintiff had an established business relationship with the defendant which barred liability under the “do not call” rules. The court held that it was uncontroverted that there was an established business relationship since the plaintiff had utilized Medco’s prescription benefit management services to fill twelve prescriptions in a six month period before the calls that served as the basis for the complaint.

This decision represents a victory for TCPA defendantsin that the court found that prior express consent was given by the plaintiff when she gave her phone number and agreed to the terms of the Certificate of Coverage, which authorized Coventry to share her phone number. TCPA litigation has been increasing significantly in the past few years. While this court did not address the recent changes that have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls, this decision does serve as guidance for consent, at least to non-telemarketing calls.

It is unclear whether the consent in this case would pass muster as “prior express written” consent for prerecorded or autodialed telemarketing calls to mobile phones and residential lines under the new rules, but since the calls at issue in this case predated the new rules the court did not need to address that point. We recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, consistent with the requirements under the new rules. It is important to note, however, this this court acknowledged that express consent can be extended to third parties through the plaintiff’s agreement to the terms if those terms are sufficiently broad to cover third parties. Finally, for non-autodialed or prerecorded telemarketing calls to mobile phone and live telemarketing calls to residential lines, this case is a useful reminder that an existing business relationship still constitutes a valid defense.

Mar 06
2014

Electronic Cigarette Advertising Practices Draw Legislative Attention – Will Regulations Follow?

Advertisements for electronic cigarettes, or “e-cigarettes,” are increasingly drawing scrutiny from consumer advocates and public health groups who are calling for the federal government to regulate these advertisements in the same manner that traditional cigarette advertisements are regulated.

The e-cigarette industry is growing at a rapid pace, particularly among younger people. Last year, the industry generated roughly $2 billion and industry sources estimate sales are on pace to hit $5 billion this year.

Currently, there are no regulations governing advertisements of e-cigarettes. In contrast, advertisements of traditional cigarettes are heavily regulated. For instance, various federal laws and regulations prohibit cigarette manufacturers from sponsoring sporting events, and advertising cigarettes on television is also barred. Under the terms of a settlement from a lawsuit in 1998, tobacco companies agreed to not use cartoon characters to market cigarettes.

For roughly 10 years, the marketing team at R. J. Reynolds used the cartoon character “Joe Camel” to promote cigarettes. After years of pushback and under pressure from a pending lawsuit, Congress and various consumer groups, R.J. Reynolds announced that it would settle the pending lawsuit out of court and voluntarily end its use of Joe Camel.

BlueCigs, a leading manufacturer of e-cigarettes, uses a cartoon character named Mr. Cool in a television advertising campaign. Industry watchdogs have criticized the television ads, particularly given the growth of the industry and the regulations faced by traditional tobacco manufacturers. Some in the industry have noted the similarity between Mr. Cool and Joe Camel and worry that these advertisements will have the same effect of luring young people to try e-cigarettes that many believe Joe Camel had with traditional cigarettes.

Last month, a group of Senate Democrats introduced legislation to prohibit e-cigarette producers from marketing their products to children. This bill marked the first legislative attempt to regulate the e-cig industry. The bill would ban marketing e-cigarettes to children based on standards promulgated by the Federal Trade Commission (FTC), and would empower the FTC and state attorneys general to enforce the advertising ban.

Additionally, the White House Office of Management and Budget has been reviewing a rule proposed by the U.S. Food and Drug Administration that would bring e-cigarettes under its jurisdiction. The regulations have been under review since October. We have previously written about FDA plans to regulate the e-cigarette industry here.

The e-cigarette industry should be aware that their marketing and advertisements are being closely monitored. Regulation and potential lawsuits could be on the horizon and companies should review their policies and practices to make sure they are prepared. The use of cartoon characters may be one advertising method to forego at this point, instead focusing on mature individuals using the product.

Feb 06
2014

TCPA Not Violated When Consumer Voluntarily Provided Number to Business

A federal court in California recently ruled that a plaintiff who was required to enter her phone number to purchase a plane ticket online had consented to receive a text message, and dismissed her claim under the Telephone Consumer Protection Act (TCPA). A plaintiff’s prior express consent is a major issue in TCPA litigation and this decision represents a victory for companies that obtain phone numbers from consumers who are purchasing goods or services from them.

The plaintiff, Shaya Baird, booked flights online for herself and her family on the Hawaiian Airlines website. During the purchase, Baird was required to enter her contact information. The website required at least one phone number, which Baird provided by entering her mobile phone number.  A few weeks later Baird received a text message inviting her to reply “yes” if she wanted to receive flight notification services. Baird did not respond and she did not receive any more text messages.

Baird then filed suit alleging that Sabre, which contracted with Hawaiian Airlines to provide traveler notification services to passengers, violated the TCPA by sending her the unsolicited text message. The TCPA bars the sending of autodialed or prerecorded “calls” (which the Federal Communications Commission (“FCC”) has interpreted to include text messages) to mobile numbers without “prior express consent.” An individual’s granting of consent to receive texts constitutes an affirmative defense in a TCPA lawsuit.

Sabre moved for summary judgment on the ground that Baird consented to receive its text message when she made her flight reservation on the Hawaiian Airlines website. Baird responded that she did not voluntarily provide her cell phone number, but was instead told that she was required to enter a phone number. She further argued that she was not informed that by providing her cell phone number she was consenting to receiving text messages.

The court rejected Baird’s argument and found that although she was required to provide her phone number to book a flight on the Hawaiian Airlines website, the act of providing her phone number was a voluntary act. Baird was not forced to book a flight on the Hawaiian Airlines website. The court found that under the FCC’s interpretation of the TCPA, Baird had consented to be contacted on her cell phone about flight related matters. The court looked to the FCC’s 1992 Order implementing the TCPA to determine if the act of providing a cell phone number in connection with a transaction constitutes the required consent under the TCPA to receive autodialed calls. The court found that since it was undisputed that Baird “knowingly released” her cell phone number when she booked her tickets, under the FCC’s 1992 TCPA Order she had consented to receiving text messages.

This decision represents a victory for TCPA defendants. TCPA litigation has been increasing significantly in the past few years and recent changes have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls. While we recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, now at least one court has recognized the knowing provision of a mobile number as consent. However, companies engaging in text messaging should proceed cautiously as the new rules do impose strict requirements when it comes to telemarketing messages in particular, different from the informational text messages Ms. Baird received here. Under the new TCPA rules purely informational calls/texts and calls/texts to mobile phones for non-commercial purposes require prior express consent – oral or written. “Telemarketing” calls/texts to mobile phones require prior express written consent. Covered telemarketing calls include those made by advertisers that offer or market products or services to consumers and calls that are generally not purely informational (such as “mixed messages” containing both informational content and offering a product, good, or service for sale).

Dec 16
2013

Parameters of CDA Immunity Being Tested by Appeals Court in Jones v. Dirty World Entertainment

The U.S. Court of Appeals for the Sixth Circuit is currently hearing an appeal of a district court decision, which if upheld would have enormous ramifications for freedom of speech and the online service provider safe harbor under the Communications Decency Act (CDA).

TheDirty.com is a website run by Nik Lamas-Richie. The site allows users to submit gossip about anyone or anything and the site currently features hundreds of thousands of comments on a wide range of topics and users can also freely post comments on stories that are published on the website. Lamas-Richie then selects some of the user posts, and sometimes adds a little commentary to the user submission, which he then posts to the site. Sarah Jones, a former Cincinnati Bengals cheerleader, was featured twice on TheDirty.com including allegations that she was promiscuous and that she had a sexually-transmitted disease.

Jones then sued TheDirty.com and Lamas-Richie alleging defamation, libel and invasion of privacy. The first trial resulted in a hung jury, but in the second trial in July a jury of eight women and two men in a Kentucky federal court awarded Jones $338,000 in damages.

Typically, cases involving claims like Jones’ against websites are quickly dismissed under the CDA, which provides websites immunity from third party content. TheDirty.com filed a pre-trial motion to dismiss the case on the basis that the suit was barred by the CDA that was rejected by the district court, which held that the CDA did not offer protection because “the very name of the site, the manner in which it is managed, and the personal comments of defendant Richie, the defendants have specifically encouraged development of what is offensive about the content of the site.” The court reasoned that since the site served to encourage the comments then it was not entitled to immunity under the CDA. The CDA typically immunizes providers of interactive computer services against liability arising from content created by third parties if the provider is not also responsible in whole or in part or the creation or development of the offending content.

In August, after the jury verdict, the judge wrote a supplemental opinion reiterating the views expressed in the earlier opinion. In particular Judge William Bertelsman said that because Richie “played a significant role in developing the offensive content such that he has no immunity under the CDA.”

Richie appealed the decision to the Sixth Circuit, arguing that the case should have been dismissed because the CDA immunizes liability for users’ comments. Congress enacted the CDA to encourage website owners to actively screen, review, and moderate third party posts and to allow website operators to have the ability to remove offensive content when necessary without fear of liability. Richie argued that under the CDA website operators are free to edit, alter, or modify user-created content without losing immunity, as long as their edits do not materially alter the content’s original meaning.

Four separate amicus briefs were filed with signatories that included many of the biggest names on the Internet including Facebook, Google, Amazon, Microsoft, Yahoo, Twitter and eBay. The briefs argue that the district court ruling wrongly interpreted the CDA and that the consequences of upholding the district court’s decision would be enormous. The amicus brief submitted on behalf of Google, Facebook and others states that aspects of the district court decision “significantly depart from the settled interpretation of [the CDA] and, if adopted by this Court, would not only contravene Congress’s policies as declared in the statute, but also introduce substantial uncertainty regarding a law that has been a pillar for the growth and success of America’s Internet industry.” \

This case will be closely watched because of the far reaching consequences it would have if the district court ruling imposing liability of the website is upheld. A ruling from the Sixth Circuit that affirmed the district court’s ruling could chill the operation of online businesses that are open for users to create content. There is a long line of cases that have held that conduct similar to TheDirty.com’s in this case is protected by the CDA, but a decision from the Sixth Circuit finding TheDirty.com liable would uproot the well-established jurisprudence under the CDA.

 

Nov 07
2013

New Job? Think Twice Before Announcing it via Social Media

A lawsuit filed in Massachusetts state court recently raised the issue of whether a former employee’s LinkedIn post announcing a new job could violate an anti-solicitation clause of a non-compete contract with the former employer.

In KNF&T Inc. v. Muller, staffing company KNF&T filed suit against its former vice president, Charlotte Muller, for violating a non-compete contract in a number of ways, one of which was a LinkedIn update which notified Ms. Muller’s 500+ contacts of her new job.  Among those contacts were Ms. Muller’s former clients at KNF&T.  KNF&T filed suit alleging that the update notification violated her one year non-compete contract by soliciting business from current KNF&T clients.

The court issued a narrow ruling stating that the posting did not violate the non-compete agreement because Ms. Muller’s new position in information technology recruiting did not directly compete with KNF&T’s work in recruiting administrative support specialists.

Since the court was able to resolve the case based on a differentiation in practice areas, it did not have to resolve the issue of whether a LinkedIn notification could violate the terms of a non-competition agreement.  Such a determination will always depend of the particular facts of the case, such as whether the new position directly competes with the former employer, whether the individual is connected with former clients on LinkedIn, and the content of the notification.

Employees subject to a non-competition agreement should exercise caution when using social media to announce a new position.  If they do make an announcement, they should consult the terms of their non-compete agreement to determine what could constitute a violation.  For instance, if the non-compete only prohibits solicitation of the former employer’s current clients, the employee should be sure to exclude any such clients from the notification by selecting which groups receive the message.  The time spent paring down the list of recipients is well worth avoiding a potential lawsuit.

Sep 16
2013

Appeals Court Rules TCPA Does Not Violate First Amendment

The U.S. Court of Appeals for the Fourth Circuit recently ruled that the Telephone Consumer Protection Act (TCPA) does not violate the First Amendment by requiring robocallers to identify themselves when making calls.

Three months before the Maryland gubernatorial election in 2010, political consultant Julius Henson and his company Universal Elections, Inc., were hired to assist with efforts for the Republican candidate. On Election Day, Universal Elections made 112,000 robocalls to voters that did not identify the campaign as the source of the message, nor did the calls include the campaign’s phone number. The State of Maryland filed a civil suit against Henson and Universal Elections for violating the TCPA. The state alleged that the defendants violated the TCPA by failing to identify the campaign as the sponsor of the message as required under the statute.

The TCPA and its implementing regulations require that automated and prerecorded messages state clearly at the beginning of the message the identity of the business, individual, or other entity that is responsible for initiating the call. If a business or other corporate entity is responsible, the prerecorded voice message must contain that entity’s official business name. In addition, the telephone number of the business must be provided either during or after the prerecorded voice message. This disclosure applies regardless of the content of the message.

Political calls are exempt from some of the TCPA’s requirements, but other requirements do apply — including the disclosure requirement at issue here and the restrictions on autodialed or prerecorded calls or texts to wireless phones, which require prior express consent. Last year the Federal Communications Commission issued an enforcement advisory regarding political robocalls to cellphones and cited two marketing companies for making millions of illegal robocalls.

In its supplemental motion to dismiss, the defendants asserted a First Amendment defense, arguing that the TCPA is a content-based burden on political speech that cannot withstand a high strict-scrutiny standard of review. The United States intervened to defend the constitutionality of the TCPA. The district court ruled in favor of Maryland, holding that the TCPA withstands First Amendment challenges, and granted a $1 million judgment in favor of the state.

The Fourth Circuit affirmed the district court. The appeals court had previously issued the opinion in July, but as an unpublished opinion. The court issued an order amending its previous opinion to change it to a published opinion after a request from the government that it be published.

The Fourth Circuit held that the TCPA provisions requiring all automated and prerecorded telephone messages to disclose the source of the message are content-neutral and thus subject to an intermediate scrutiny level of review. Content-neutral laws that regulate speech are valid if they further a substantial governmental interest. The Fourth Circuit noted that at least three important governmental interests are advanced by the TCPA’s identity disclosure provision, including protecting residential privacy, promoting disclosure to avoid misleading recipients of recorded calls, and promoting effective law enforcement. Since the TCPA advances important governmental interests and the appellants did not raise an argument to the contrary, the Fourth Circuit affirmed that the TCPA’s identity disclosure provisions are constitutional.

TCPA litigation continues to increase, and potential liability can be significant. All businesses should review their TCPA compliance policies carefully to ensure that their procedures and scripts comply with all requirements. In addition to the identification requirements that have been in effect for many years, companies should make sure that they are prepared for the upcoming TCPA rule changes. These changes will require a called party’s prior express written consent for autodialed or prerecorded calls to wireless phone numbers and for prerecorded telemarketing calls to residential lines, among other requirements.

Aug 28
2013

Appeals Court Rules Consumers Can Revoke Consent Under TCPA

On August 22, 2013, the U.S. Court of Appeals for the Third Circuit ruled unanimously that under the Telephone Consumer Protection Act (TCPA), consumers may withdraw their consent to have robo-callers call them. The full text of the opinion is available here.

The appeals court ruled in favor of Ashley Gager, who was contacted by Dell Financial Services after she revoked her prior express consent to be contacted. In 2007, Gager applied for a line of credit from Dell, which she received and upon which she later defaulted. Gager’s application for a credit line required that she provide her home phone number. In that place in the application she listed her cell phone number. After she defaulted on her credit line, Dell began calling Gager from an automated telephone dialing system. In 2010, Gager sent Dell a letter listing her phone number, which she did not indicate was a cell number, asking Dell not to call her anymore. Gager alleged that after receiving her letter, Dell called her cell phone using an automated dialing system approximately 40 times over a three week period. The TCPA, among other things, bars companies from using an automatic telephone dialing system or a prerecorded voice to call mobile phones, absent prior express consent or an emergency.

The district court granted Dell’s motion to dismiss the complaint for failure to state a claim, holding that Gager could not revoke her prior express consent to receive calls. The district court held that because Dell did not qualify as a “debt collector,” the revocation rules under the Fair Debt Collection Practices Act (FDCPA) did not apply. Thus, the court reasoned that since the revocation rules were inapplicable and the TCPA is silent on revocation of consent, such a right did not exist. The court also noted that the Federal Communications Commission, which has the power to implement rules and regulations under the TCPA, had not issued any advisory opinions at the time that specifically addressed the right to revoke consent.

The Third Circuit reversed the district court’s ruling and found that consumers do have a right to revoke consent. The court rejected Dell’s argument that because the TCPA is silent as to whether a consumer may revoke consent to be contacted via an autodialing system, such a right to revoke did not exist. The Third Circuit’s opinion emphasized that the TCPA is a remedial statute that was passed to protect consumers from unwanted calls and should be construed to benefit consumers. Preventing consumers from revoking their consent to receive calls would not be consistent with the purpose of the statute.

The Third Circuit also noted that the FCC issued a declaratory ruling In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, SoundBite Communications Inc., after the district court dismissed Gager’s claim, which primarily addresses other issues under the TCPA, but also touched on the issue of the right of consumers to revoke express consent. The SoundBite decision notes that neither the text of the TCPA, nor the legislative history, directly addresses how prior express consent can be revoked, but also notes that “consumer consent to receive . . . messages is not unlimited.” The Third Circuit relied on the SoundBite decision in finding that a consumer may revoke informed consent after it has been given and that there is no temporal limitation on the revocation period.

Dell will still be able to call Gager regarding her delinquent account, but the TCPA prohibits Dell from using an automated dialing system to do so, since the TCPA prohibits autodialed or prerecorded calls to mobile phones without express written consent (or in an emergency). Presumably, Dell can still contact Gager via live calls or through technology that does not amount to an automatic telephone dialing system.

In light of this decision in the Third Circuit, businesses should review their TCPA policies to ensure that they are complying with all rules and regulations. Additionally, on October 16, two additional changes to the TCPA rules will go into effect that impose stricter requirements on claiming exceptions to TCPA liability and all TCPA policies should be reviewed to account for these changes. Businesses should also specifically review their TCPA policies to endure that there is a procedure in place for consumers to opt out of receiving calls and text messages, even if they have previously provided consent. Taking and respecting opt-out requests is an important compliance practice that, if not followed, can lead to significant litigation — and potential damages and penalties.

Dec 07
2012

California Attorney General Flexes Muscle on Mobile Privacy: AG Sues Delta for Lack of Privacy Policy on Mobile Application

Yesterday, California’s Attorney General Kamala Harris filed the state’s first suit under California’s Online Privacy Protection Act.  The lawsuit, against Delta Air Lines, followed the Attorney General’s warning letters to Delta and many other companies in October to post privacy policies with their mobile apps to inform users of what personally identifiable information is being collected and how the information is used by the company (previously covered by FTC Beat here).

California’s Online Privacy Protection Act mandates that commercial operators of websites and online services, including mobile and social apps, conspicuously post a privacy policy if they collect personally identifiable information from California residents.  In addition to posting a privacy policy, operators must abide by the promises and representations made in those policies.

In the complaint against Delta, the AG contends that Delta has operated a mobile app called “Fly Delta” since at least 2010.  Individuals can use the Fly Delta app to check in for flights, view reservations, rebook  flights, pay for checked baggage, and access a user’s frequent flyer account, among other actions.  The California AG alleges that the Fly Delta app lacks a privacy policy, despite the fact that
Delta’s app collects substantial amounts of personal information, including full names, telephone numbers, email addresses, photographs, and geo-locations.  According to the complaint, “Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed, or sold.”  The AG asserts that Delta’s conduct violates the Online Privacy Protection Act and California’s Unfair Competition Law.

Delta will, of course, have a chance to defend itself and could argue that its general website policy covers its mobile applications.  Many companies maintain a general privacy policy that covers their website, their mobile applications, and even their social networks.   The complaint acknowledges Delta’s website privacy policy though contends that it is not “reasonably accessible to consumers of the Fly Delta app” and that the app collects different information than is collected through the website.

The lawsuit seeks an injunction to prevent Delta from distributing its application and requests penalties of up to $2,500 for each violation (in other words, each time the app is downloaded).   According to the complaint, the Fly Delta app “has been downloaded by consumers millions of times since October of 2010 without the conspicuously posted privacy policy required by” the Online Privacy Protection Act. The Attorney General’s action in filing the lawsuit demonstrates that she intends to follow through on her earlier warnings to companies to ensure their compliance with the Online Privacy Protection Act.  Other companies who received similar warning letters included Open Table and United Continental.

Companies offering mobile apps and commercial websites should ensure that they post and abide by privacy policies when they are collecting personal information.  Further, if a general privacy policy is meant to cover a company’s app, it should so state and it would be prudent for it to be easily accessible through the mobile app.   The California Attorney General’s lawsuit against Delta is a sure sign that California will continue to follow through on its efforts to mandate compliance with its Online Privacy Protection Act, and other states may follow California’s lead.

Dec 03
2012

FCC Ruling Permits Confirmation Text Messages for ‘Opt-Out’ Customers

The Federal Communications Commission recently ruled that companies may send a one-time text message confirming a consumer’s opt-out of texts without violating the Telephone Consumer Protection Act (“TCPA”), and potentially facing large class action lawsuits.

This pro-business ruling represents a victory for SoundBite, the company that sought a declaratory ruling from the FCC, as well as for other businesses that use mobile texting to communicate with customers. Many businesses (including SoundBite) are facing class actions under the TCPA for sending this type of confirmatory message.

The TCPA prohibits, among other things, autodialed calls to mobile phones, unless the sender has received prior express consent from the recipient for such calls. The FCC has ruled that text “calls” are covered by this prohibition. Thus, under the TCPA, an autodialed call that sends a text to a mobile phone without prior express consent (irrespective of the type of message) is prohibited. The TCPA provides for FCC and state attorney general enforcement as well as private litigation. Plaintiffs’ lawyers have latched onto the TCPA for several years and have recovered substantial amounts in judgments and settlements.

SoundBite sends text messages on behalf of a number of companies that have obtained express consent to send texts to particular wireless subscribers, including banks, utilities, and retailers. SoundBite follows the Mobile Marketing Association’s best practices which include the transmission of a text message to a subscriber confirming that subscriber’s request to opt-out of receiving future messages. When a consumer opts-out of receiving future text messages, a one-time reply is sent back (usually within minutes) via text confirming receipt.

While many of the FCC’s rulings on the TCPA have not been viewed as business-friendly, this latest ruling represents a victory for businesses. Several large associations and businesses filed in support of SoundBite’s petition, including the American Bankers Association and the Consumer Bankers Association. SoundBite also had the support of the National Association of Consumer Advocates. The parties argued that confirmation messages are, in fact, consumer-friendly as they provide important information to the consumer to let him or her know that the opt-out was received and the messages will stop.

The FCC concluded that, as long as prior express consent of the receiving party exists before sending any messages, a one-time text confirming an opt-out request does not violate the TCPA: “We conclude that a consumer’s prior express consent to receive text messages from an entity can be reasonably construed to include consent to receive a final, one-time text message confirming that such consent is being revoked at the request of the consumer.”

Importantly, the FCC stated that these opt-out texts may only confirm the opt-out request and may not include any marketing or promotional information (or an attempt to convince the consumer to reconsider his or her opt-out) and can be the only additional message sent to the consumer after the receipt of the opt-out request. In addition, if the confirmation message is sent more than five minutes after the opt-out, the burden will fall on the sender to demonstrate that the delay was reasonable. The FCC also asserted that it will monitor consumer complaints and take action if senders are using confirmation texts as an additional opportunity.

Businesses that receive threats of TCPA lawsuits for confirmatory texts will now be able to use this FCC ruling in their defense. Plaintiffs may challenge the FCC’s interpretation of the strict statutory language, however, as they have done in other instances. Organizations wishing to use confirmatory opt-out texts should review the FCC’s ruling and ensure that their confirmations comport with the FCC’s guidance, especially regarding timing and ban on advertising and promotional messages

Connect with Us Share

About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, healthcare, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen, David Deitch, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, Sarah Coffey, Nicole Kardell, Casselle Smith, and Griffin Finan. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts