California Attorney General Flexes Muscle on Mobile Privacy: AG Sues Delta for Lack of Privacy Policy on Mobile Application

Yesterday, California’s Attorney General Kamala Harris filed the state’s first suit under California’s Online Privacy Protection Act.  The lawsuit, against Delta Air Lines, followed the Attorney General’s warning letters to Delta and many other companies in October to post privacy policies with their mobile apps to inform users of what personally identifiable information is being collected and how the information is used by the company (previously covered by FTC Beat here).

California’s Online Privacy Protection Act mandates that commercial operators of websites and online services, including mobile and social apps, conspicuously post a privacy policy if they collect personally identifiable information from California residents.  In addition to posting a privacy policy, operators must abide by the promises and representations made in those policies.

In the complaint against Delta, the AG contends that Delta has operated a mobile app called “Fly Delta” since at least 2010.  Individuals can use the Fly Delta app to check in for flights, view reservations, rebook  flights, pay for checked baggage, and access a user’s frequent flyer account, among other actions.  The California AG alleges that the Fly Delta app lacks a privacy policy, despite the fact that
Delta’s app collects substantial amounts of personal information, including full names, telephone numbers, email addresses, photographs, and geo-locations.  According to the complaint, “Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed, or sold.”  The AG asserts that Delta’s conduct violates the Online Privacy Protection Act and California’s Unfair Competition Law.

Delta will, of course, have a chance to defend itself and could argue that its general website policy covers its mobile applications.  Many companies maintain a general privacy policy that covers their website, their mobile applications, and even their social networks.   The complaint acknowledges Delta’s website privacy policy though contends that it is not “reasonably accessible to consumers of the Fly Delta app” and that the app collects different information than is collected through the website.

The lawsuit seeks an injunction to prevent Delta from distributing its application and requests penalties of up to $2,500 for each violation (in other words, each time the app is downloaded).   According to the complaint, the Fly Delta app “has been downloaded by consumers millions of times since October of 2010 without the conspicuously posted privacy policy required by” the Online Privacy Protection Act. The Attorney General’s action in filing the lawsuit demonstrates that she intends to follow through on her earlier warnings to companies to ensure their compliance with the Online Privacy Protection Act.  Other companies who received similar warning letters included Open Table and United Continental.

Companies offering mobile apps and commercial websites should ensure that they post and abide by privacy policies when they are collecting personal information.  Further, if a general privacy policy is meant to cover a company’s app, it should so state and it would be prudent for it to be easily accessible through the mobile app.   The California Attorney General’s lawsuit against Delta is a sure sign that California will continue to follow through on its efforts to mandate compliance with its Online Privacy Protection Act, and other states may follow California’s lead.

FCC Ruling Permits Confirmation Text Messages for ‘Opt-Out’ Customers

The Federal Communications Commission recently ruled that companies may send a one-time text message confirming a consumer’s opt-out of texts without violating the Telephone Consumer Protection Act (“TCPA”), and potentially facing large class action lawsuits.

This pro-business ruling represents a victory for SoundBite, the company that sought a declaratory ruling from the FCC, as well as for other businesses that use mobile texting to communicate with customers. Many businesses (including SoundBite) are facing class actions under the TCPA for sending this type of confirmatory message.

The TCPA prohibits, among other things, autodialed calls to mobile phones, unless the sender has received prior express consent from the recipient for such calls. The FCC has ruled that text “calls” are covered by this prohibition. Thus, under the TCPA, an autodialed call that sends a text to a mobile phone without prior express consent (irrespective of the type of message) is prohibited. The TCPA provides for FCC and state attorney general enforcement as well as private litigation. Plaintiffs’ lawyers have latched onto the TCPA for several years and have recovered substantial amounts in judgments and settlements.

SoundBite sends text messages on behalf of a number of companies that have obtained express consent to send texts to particular wireless subscribers, including banks, utilities, and retailers. SoundBite follows the Mobile Marketing Association’s best practices which include the transmission of a text message to a subscriber confirming that subscriber’s request to opt-out of receiving future messages. When a consumer opts-out of receiving future text messages, a one-time reply is sent back (usually within minutes) via text confirming receipt.

While many of the FCC’s rulings on the TCPA have not been viewed as business-friendly, this latest ruling represents a victory for businesses. Several large associations and businesses filed in support of SoundBite’s petition, including the American Bankers Association and the Consumer Bankers Association. SoundBite also had the support of the National Association of Consumer Advocates. The parties argued that confirmation messages are, in fact, consumer-friendly as they provide important information to the consumer to let him or her know that the opt-out was received and the messages will stop.

The FCC concluded that, as long as prior express consent of the receiving party exists before sending any messages, a one-time text confirming an opt-out request does not violate the TCPA: “We conclude that a consumer’s prior express consent to receive text messages from an entity can be reasonably construed to include consent to receive a final, one-time text message confirming that such consent is being revoked at the request of the consumer.”

Importantly, the FCC stated that these opt-out texts may only confirm the opt-out request and may not include any marketing or promotional information (or an attempt to convince the consumer to reconsider his or her opt-out) and can be the only additional message sent to the consumer after the receipt of the opt-out request. In addition, if the confirmation message is sent more than five minutes after the opt-out, the burden will fall on the sender to demonstrate that the delay was reasonable. The FCC also asserted that it will monitor consumer complaints and take action if senders are using confirmation texts as an additional opportunity.

Businesses that receive threats of TCPA lawsuits for confirmatory texts will now be able to use this FCC ruling in their defense. Plaintiffs may challenge the FCC’s interpretation of the strict statutory language, however, as they have done in other instances. Organizations wishing to use confirmatory opt-out texts should review the FCC’s ruling and ensure that their confirmations comport with the FCC’s guidance, especially regarding timing and ban on advertising and promotional messages

FTC Sues DISH Network for Violating ‘Do-Not-Call’ Rules in Telemarketing

The FTC recently sued satellite television service operator DISH Network in federal district court in Illinois for violations of the Telemarketing and Consumer Fraud and Abuse Act. The agency claims DISH violated “company-specific do-not-call rules” – in other words, the FTC claims that DISH called consumers who had previously asked DISH not to call them again. DISH disputes the FTC’s claims.

Under the FTC (and FCC’s) telemarketing rules, there are two do-not-call regimes. First is the national do-not-call registry. With certain exceptions, telemarketers and sellers may not telemarket to residential phone lines and wireless numbers unless they have first “scrubbed” their calling lists against the federal do-not-call registry. The exceptions include calling customers with whom an organization has an “existing business relationship” or who have given prior consent for the calls. However, even those customers to whom telemarketing calls might be permitted because of an existing business relationship or other reasons can always ask a telemarketer not to call again and to put the consumer on the company-specific do-not-call list. This company-specific request must be implemented promptly and maintained for five years.

This part of the federal telemarketing rules thus puts the power in the hands of the consumer who can decide if he or she wishes to receive telephone solicitations from a particular company. It does not matter if the consumer continues to do business with a particular seller – once the consumer asks not to be called again, telemarketing must cease.

The FTC’s complaint against DISH contends that, since September 2007, DISH had initiated – either on its own or through outside telemarketers working on its behalf –millions of outbound telephone calls to phone numbers of people who previously indicated that they did not want to receive telemarketing calls from DISH. The complaint seeks civil penalties and a permanent injunction to stop DISH from future violations of the telemarketing rules.

Indeed, the penalties could be steep. For violations before February 9, 2009, the specified penalties are $11,000 per violation. Those penalties were increased to $16,000 for each violation of the FTC’s Telemarketing Sales Rule occurring after that date. DISH is already litigating against the Department of Justice in another case for allegedly calling consumers on the national do-not-call registry or purportedly causing its dealers to make calls to those consumers. It was information developed in that litigation that led to this latest complaint, according to the FTC’s public statements.

Of course, various defenses are available to DISH and others facing similar lawsuits or enforcement actions. These defenses include the possibility that a number called was a business (rather than residential) telephone number; or that the company-specific do-not-call request had not been made to DISH in the first place. Written consent to receive telemarketing calls provided after a company-specific do-not-call request would also allow such calls prospectively (at least until the consent were revoked subsequently).

Companies engaging in telemarketing – either on their own or through outside telemarketing firms, affiliated dealers, or other third parties – should take note that the FTC is continuing to enforce its do-not-call rules. FTC Chairman Jon Leibowitz stated that the agency will continue to enforce the do-not-call rules “to protect consumers’ right to be left alone in the privacy of their own homes.”

While the FTC (and the FCC) have focused on compliance with the federal registry requirements, this latest case against DISH demonstrates that the agency will also initiate enforcement action against those it contends to be violating the “company-specific” do-not-call requirements. Companies using telemarketing should review their written and operational policies to ensure compliance with both the federal and company-specific do-not-call requirements. Customer service representatives, in particular, should receiving periodic training that when a consumer says, “No more calls,” no really does mean, “No more, Mr. Telemarketer, you’re done.”

High Court Tosses Out Indecency Cases, Finds FCC Didn’t Give Proper Notice to Broadcasters

On June 21, 2012, in FCC v. Fox Television Stations Inc., the U.S. Supreme Court struck down the Federal Communications Commission’s effort to apply its indecency standard to brief broadcasts of nudity and “fleeting expletives.” But the Court relied not on the First Amendment’s free-speech guarantees but rather on the Fifth Amendment’s due process clause.

The Court held that Fox and ABC were not given fair advance notice that their broadcasts, which occurred prior to the announcement of the new indecency policy, were covered. This retroactive application violated their due process rights.

Broadcasters were hoping for a much broader First Amendment ruling that would have permanently hamstrung efforts by the agency to police indecency on the air. Instead, although a $1.4 million fine against ABC and its affiliates and a declaration by the FCC that Fox could be fined as well were both overturned, the agency remains free to create new indecency policies and case law under 18 USC 1464, which bans the broadcast of any” obscene, indecent, or profane language.”

In ABC’s case, the transgression was showing a seven-second shot of an actress’s buttocks and the side of her breast on NYPD Blue in 2003, and in Fox’s case, it was some isolated indecent words uttered by Cher and Nicole Richie on awards shows.

Prior FCC policy stressed the difference between isolated indecent material (which was not punished) and repeated broadcasts (which resulted in enforcement action). The Court held that Fox and ABC did not have sufficient notice that these brief moments, which occurred before the new policy went into effect, could be targeted.

The U.S. government tried to argue that a 1960 statement by the FCC gave ABC notice that broadcasting a nude body part could be contrary to the prohibition on indecency. The Supreme Court said “no dice,” as FCC had in other, later decisions declined to find brief moments of nudity actionable. If the FCC is going to fine ABC and its affiliates $1.24 million, it had better provide clear, fair notice of its indecency policies.

Since the case doesn’t affect the enforceability of the FCC’s current standard, as applied to current (rather than past) broadcasts, however, broadcasters still live in fear of the possibility of big fines levied against them for a couple of obscenities or a few seconds of nudity.

We agree with longtime public interest advocate Andrew Schwartzman, who said of this ruling, “The decision quite correctly faults the FCC for its failure to give effective guidance to broadcasters. It is, however, unfortunate that the justices ducked the core 1st Amendment issues. The resulting uncertainty will continue to chill artistic expression.”

The courts can certainly review challenges to the FCC’s indecency standards, and related issues will continue to come before the courts, including the issue of whether the current indecency standard violates the First Amendment rights of broadcasters and whether any changes the FCC may make will survive First Amendment scrutiny.

Meanwhile, with this case resolved, the FCC can finally move forward with a backlog of indecency complaints pending before it. FCC Commissioner Robert M. McDowell said in response to the Supreme Court ruling that there are now nearly 1.5 million such complaints, involving 9,700 television broadcasts, and that “as a matter of good governance, it is now time for the FCC to get back to work so that we can process the backlog of pending indecency complaints.”