FDA Says Product Containing No Tobacco is a “Tobacco Product” – FDA Expands Authority to Include E-Puffing
In an effort that Food and Drug Administration (FDA) officials say was motivated by the (Big Brother?) desire “to correct a misperception by consumers that tobacco products not regulated by FDA are safe alternatives to currently regulated tobacco products,” the FDA released proposed regulations this morning that would regulate the rapidly growing e-cigarette market. (The regulations would also regulate cigars, pipe tobacco, nicotine gels, and hookahs.) The long-awaited proposal would subject the $2 billion industry to federal regulation for the first time. The full text of the proposed regulations are available here. A 75-day public comment period follows.
Calls for Regulation and Basis
Last September, 40 state attorneys general wrote to the FDA asking the agency to take all available measures to issue regulations on the advertising, ingredients, and sale to minors of e-cigs. There has been very little regulation of the industry since its inception– partially because the extent of the FDA’s authority to regulate e-cigarettes is not clearly defined. In 2010, the U.S. Court of Appeals for the D.C. Circuit issued an opinion in Sottera, Inc. v. Food & Drug Administration, affirming the district court’s decision that the FDA could not regulate e-cigarettes as a medical device under the Food, Drug & Cosmetic Act and finding that the FDA’s authority is limited to traditional tobacco products.. Specifically, the Tobacco Control Act authorizes the FDA to regulate “tobacco products,” giving the agency authority to impose restrictions on their sale, advertising and promotions, and establish other standards for their distribution and production. The term “tobacco product” means any product made or derived from tobacco that is intended for human consumption, including any component, part, or accessory of a tobacco product (except for raw materials other than tobacco used in manufacturing a component, part, or accessory of a tobacco product).
E-Cigarettes are Tobacco Products?
The FDA claims that e-cigarettes contain nicotine and thus derive from tobacco. However, the agency acknowledges in its proposed rules that “the health consequences of e-cigarettes are not well understood because of their relatively new entrance into the market.” Despite its questionable authority and a lack of evidence showing a need for regulation, the FDA nevertheless proposes to subject e-cigarettes to regulation similar to cigarettes and other regulated tobacco products. We expect commenters will urge the FDA to support its jurisdiction over the e-cigarette industry with a sufficient statutory basis. However laudable the FDA’s actions to protect the public may be, agencies may obviously only act pursuant to the specific statutory authority granted by Congress.
Under the proposed rules, companies offering e-cigarettes and the other products deemed tobacco products will now be required to register all their products and ingredients with the FDA, though they would not be required to adhere immediately to specific product or quality control standards. Companies would also be required to submit new and existing products to the FDA for approval. They would have two years from the time the rule goes into effect to submit an application to enable their products to continue to stay on the market or to submit a new product application.
The new regulations would require e-cigs to have health warnings on packaging, though initially the only health warning that will be required is a warning regarding the potential for addiction to nicotine. Manufacturers would be able to market new products only after a FDA review, and scientific evidence would need to be provided before any direct or indirect claim can be made of risk reduction associated with their product. Manufacturers would also be prohibited from selling their products at vending machines unless they are in adult-only venues. The proposed rules would prohibit the offering of free samples. The regulations would also require that the minimum age to buy the products be set at 18 years old.
FDA Showing Some Restraint?
Although the FDA proposal is not as broad as the regulations sought by tobacco-control advocates, FDA officials noted that further restrictions may come in the future. At this point the regulations do not seek to ban the use of flavored e-cigs or restrict online sales or advertising. However, the Federal Trade Commission (“FTC”) is closely monitoring marketing and advertisements from the industry and has the ability to take action against companies that it believes are engaging in deceptive advertising. The proposed rules note that the FDA would consult with the FTC to harmonize their requirements for health warnings.
The FDA proposal also leaves many unanswered questions regarding how new products would be regulated in the long term. Under current law, new tobacco products can be approved if they are “substantially equivalent” to a product that was sold prior to February 15, 2007. It is unclear whether any e-cigarettes were on sale prior to that date that can be used as a benchmark. An FDA official said that it would seek more information during the public comment period to determine whether the substantial equivalence test is valid for e-cigarettes.
The recommendations from the FDA that were released today will be followed by a 75-day public comment period after which the regulations will be finalized. The exact time frame for the regulations to be finalized is unclear and the final rulemaking process could alter the regulations that were proposed today. It may be more than a year before the final regulations take effect. Of course, parties are expected to challenge the FDA’s rules in court, which could further delay any new regulations.
We expect numerous, diverse parties will submit comments, including the scientific/medical community, public interest groups, and industry. The e-cigarette industry, representing a new product, would appear to have the most power to influence the outcome of the rules, because even the FDA acknowledges the product has yet to be studied in depth.
Last week the Federal Trade Commission (“FTC”) charged the operators of Jerk.com with harvesting personal information from Facebook to create profiles for more than an estimated 73 million people, where they could not be labeled a “Jerk” or “not a Jerk.”
In the complaint, the FTC charged the defendants, Jerk, LLC and the operator of the website, John Fanning, with violating the FTC Act by allegedly misleading consumers into believing that the content on Jerk.com had been created by registered users of the site, when most of it had been harvested from Facebook. The FTC alleged that the operators of Jerk.com falsely claimed that consumers could revise their online profiles by paying a $30 membership fee. Additionally, the FTC asserted that the defendants misled consumers to believe that by paying for a membership, they would have access to the website that could allow them to change their profiles on the site.
Facebook profile pictures and profile names generally are public. Facebook rules allow for developers to upload the names and pictures in bulk. However, Jerk.com allegedly violated Facebook’s policies in the way it mined data from people’s profiles. At the time, Facebook’s rules only allowed an app developer to keep a person’s profile picture for 24 hours. The complaint stated that Fanning registered several websites with Facebook and used Facebook’s application program to download the data needed to create the fake profiles on Jerk.com. The FTC is also seeking an order barring the defendants from using the personal information that was obtained and requiring them to delete the information.
This action is another indication that the FTC is closely monitoring companies that the FTC believes are scraping data on consumers from other sites and deceiving customers in their business practices. The complaint notes how Jerk.com profiles often appear high in search engine results when a person’s name is searched. “In today’s interconnected world, people are especially concerned about their reputation online, and this deceptive scheme was a brazen attempt to exploit those concerns,” said Jessica Rich, Director of the FTC’s bureau of Consumer Protection in a statement.
Companies should monitor their practices for obtaining data from other websites to ensure that they are in compliance with the terms and conditions of websites where they obtain data. Organizations should be cautious about how they use this data, including being careful about making any representations and disclosures that could be viewed as deceptive by the FTC or a state attorney general.
By Michelle Cohen, CIPP-US
After recovering from high-profile data breaches at Target and Neiman Marcus, signing up for free credit monitoring and analyzing our credit reports, a new Internet villain recently emerged: the “Heartbleed Bug.” The Heartbleed Bug is a security flaw present on Open SSL, popular software run on most webservers. This open source software is widely used to encrypt web communications. The Heartbleed Bug affects approximately 500,000 websites, including reportedly Yahoo, OK Cupid, and Tumblr. And, in addition to websites, the Bug may impact networking devices such as video conferencing services, smartphones, and work phones.
The danger of the Heartbleed Bug lies in its ability to reveal the content of a server’s memory. Then, the Bug can grab sensitive data stored in the memory, including passwords, user names, and credit card numbers. Adding insult to injury, the Bug has existed for at least two years, giving hackers a huge head start. News reports and some websites have urged users to change their passwords. Others have warned individuals not to change their passwords until a website has indicated it has installed the security patch that “cures” the Bug. Several sites offer tools to “test” whether an indicated website is vulnerable to the Heartbleed Bug, including one by McAfee. In terms of priorities, users should focus on sites where they bank, conduct e-commerce, e-mail and use file storage accounts.
Further intrigue comes from the fact that a recent Bloomberg report alleged that the National Security Agency (“NSA”) knew about the Bug for at least two years, but may have utilized the vulnerabilities to access information. The NSA has denied it had knowledge of the Bug.
While we have yet to see a “rush to the courthouse” following the announcement of the Heartbleed Bug, we anticipate lawsuits and enforcement could follow where organizations do not act in response to the Bug by installing the necessary security patch. Companies (including our clients in the Internet marketing and I-gaming industries) should investigate whether their websites, apps, or other services (such as cloud services) use Open SSL – then take immediate efforts to oversee the installation of the security patch. Organizations should also advise users of the status of the Heartbleed Bug fix and encourage users to change their passwords, with different passwords across different services.
Congress enacted the Telephone Consumer Protection Act (“TCPA”) to protect consumers from unwanted telemarketing, fax marketing, and prerecorded/auto-dialed phone calls. Recently, there has been an explosion in TCPA litigation, including class action litigation. In response, several parties have asked the Federal Communications Commission (“FCC”) to clarify certain of the agency’s TCPA rules to provide relief from TCPA liability in certain enumerated circumstances. Two recent FCC rulings allow certain business communications under the TCPA.
The Cargo Airline Association (“CAA”), a trade association representing companies that deliver packages, filed a petition seeking clarification of the TCPA’s application to auto-dialed or prerecorded package delivery notification calls made to consumers’ wireless phones. The CAA asserted that the FCC should recognize the public interest in receiving time sensitive package notifications. Revised FCC rules that went into effect in October generally require that the sender of prerecorded or auto-dialed calls and text messages to mobile numbers have prior consent from the recipient to receive such calls and texts. If the calls or texts constitute telemarketing, prior express written consent is required.
The FCC granted the CAA’s request to exempt its notifications to consumers subject to certain conditions. In the order, the FCC observed that these notifications “are the types of normal, expedited communications the TCPA was not designed to hinder . . . we believe that consumers generally desire, expect, and benefit from, package delivery notifications.” The FCC order requires that the text messages must be sent only to the telephone number provided by the package recipient, and identify the name and include the contact information of the delivery company sending the message. Furthermore, the FCC’s order limits companies to sending one text message per package per delivery attempt. The notifications also cannot contain any advertising content and must provide consumers the ability and information on how to easily opt out of receiving future notifications.
In the second ruling, the FCC granted a petition by GroupMe concerning how consent is obtained. GroupMe is an app that allows users to create text message based group chats. A user who wants to create a group chat using GroupMe’s service must register with GroupMe and agree to its terms of service. The terms of service require the group creator to represent that each individual added to the group chat has consented to receive the text messages. In its petition to the FCC, GroupMe asked the FCC to clarify that consent to receive certain calls or text messages could be given through an intermediary, such as a group chat organizer.
The FCC granted GroupMe’s petition allowing for consent to be obtained through an intermediary. Interestingly, the FCC acknowledged in its order that “the TCPA is ambiguous as to how a consumer’s consent to receive an auto-dialed or prerecorded non-emergency call should be obtained.” However, the FCC stressed that this ruling does not mitigate the duty to obtain prior express consent of the called party. Further, a company can still be held liable even when relying on the assertion of an intermediary that a consumer has consented. The order states that, “[w]e further clarify that where the consumer has agreed to participate in a GroupMe group, agreed to receive associated calls and texts, and provided his or her wireless telephone number to the group organizer for that purpose, the TCPA’s prior express consent requirement is satisfied with respect to both GroupMe and the group members regarding that particular group, but only regarding that particular group.” Companies seeking to obtain consent through an intermediary should consider this potential liability when deciding if, or how to, rely on consent given by an intermediary. Companies may want to consider contractual representations and warranties and indemnifications where a third party obtains consent.
These two orders by the FCC represent positive news for businesses that utilize texts and prerecorded/auto-dialed communications. The orders eliminate some of the uncertainty surrounding compliance with the TCPA in the circumstances addressed by the FCC. While the agency has taken numerous enforcement actions against TCPA violators and promulgated strict rules, these recent rulings indicate that the FCC recognizes that there are circumstances in which strict interpretations of the TCPA and/or FCC rules do not comport with the realities of business communications. Companies should note, however, that these rulings are limited to the particular situations presented by the petitioners. Due to the enormous potential liability for violating the TCPA, companies should continue to review their policies and practices and make sure they are in compliance with all regulations before initiating any covered TCPA communications, including prerecorded and auto-dialed calls and texts to mobile phones, prerecorded telemarketing to residential lines, facsimile advertising, and live telemarketing.
Mobile payments have become so commonplace that consumers rarely stop to think about whether their online payment is secure. Mobile app developers can fall into a similar trap of assuming that the necessary security measures are enabled without performing the necessary audits to assure security on a regular basis. A recent settlement between the FTC and two companies offering unsecured mobile application products gives cause to think again.
The FTC alleges that the movie ticketing service Fandango and credit monitoring company Credit Karma failed to adequately protect consumers’ sensitive personal information in their mobile apps because they failed to use Secure Sockets Layer (“SSL”) protocol to establish authentic, encrypted connections with consumers. Generally, an online service will present an SSL certificate to the app on the consumer’s device to vouch for its identity. The app then verifies the certificate to ensure that it is connecting to the genuine online service. When companies fail to use this protocol—especially if consumers use the app over a public wi-fi system—third party attackers can substitute an invalid certificate to the app, thus establishing a connection between the app and the attacker rather than the online service. As a result, any information that the consumer enters into the app will be sent directly to the attacker, including credit card numbers and other sensitive and personally identifying information.
The FTC alleged that Fandango and Credit Karma left their applications vulnerable to interception by third parties by failing to use SSL protocol. The FTC alleged that Fandango misrepresented the security of its application by stating that consumers’ credit card information would be stored and transmitted securely, despite the fact that the SSL protocol was disabled on the app from March 2009 to March 2013. The FTC alleged that Credit Karma’s app failed to validate SSL certificates from July 2012 to January 2013, leaving the app susceptible to attackers which could gather personal identifying information such as passwords, security questions and answers, birthdates, and “out of wallet” verification answers regarding things like mortgages and loan amounts.
In both cases, the online services received warnings of the vulnerabilities from both users and the FTC. In December 2012 a security researcher used Fandango’s online customer service form to submit a warning regarding the vulnerability. However, Fandango mistakenly flagged the email as a password reset request and sent the researcher a stock response on password resetting, then marked the complaint as resolved. A user sent a similar notice to Credit Karma about the SSL certificates in January 2013. Credit Karma responded by issuing a fix in the update to the iOS operating system that same month, however, one month later Credit Karma issued an Android app which contained the same vulnerability.
In both cases, the online services performed a more thorough internal audit of the apps only when issued a warning by the FTC. The FTC issued complaints against the companies for their deceptive representations regarding the security of their systems. While the complaints noted that the apps were vulnerable to third party attacks, they did not allege that any such attacks were made or that any consumer information was in fact compromised. Perhaps due to the lack of consumer harm, the FTC entered into consent agreements with Fandango and Credit Karma in which the services did not have to pay a monetary judgment, but did agree to establish comprehensive security programs and undergo security assessments every other year for the next 20 years. Fandango and Credit Karma are additionally prohibited from misrepresenting the level of privacy and security in their products or services.
SSL certificates are the default validation process that iOS and Android operating systems provide developers using the application programming interface. Therefore, mobile app developers can protect themselves and their users from this vulnerability simply by leaving the default SSL protocol enabled. What’s more, app developers can test for and identify SSL certificate validation vulnerabilities using free or very low cost tools. Therefore, all app developers should take the necessary precautions to ensure the security of their systems, and prevent harm to consumers (and potential lawsuits) down the road.
Herbalife Hit with Civil Investigative Demand – Is the FTC Finally Turning up the Heat on Multi-Level Marketers?
For many, the announcement two weeks ago that the Federal Trade Commission has commenced a formal investigation into Herbalife was not terribly interesting. After all, nutritional supplement company Herbalife has been the focus of intermittent media attention since December 2012 when Wall Street hedge fund manager Bill Ackman claimed that it was an illegal pyramid scheme, and its business practices have already drawn the scrutiny of the Securities and Exchange Commission.
On the other hand, because the FTC focuses on deceptive trade practices, its investigation into Herbalife– and the allegation that it constitutes a pyramid scheme – may offer a valuable opportunity for the FTC to clarify its rules on what constitutes a pyramid scheme and what a multi-level marketing (MLM) company can or must do to protect itself from the accusation.
The MLM industry has been an established networking sales model for several decades. The FTC defines “multi-level marketing” as networking that uses individuals to sell products by word of mouth or direct sales where distributors typically earn commissions not only for their own sales, but for sales made by the people they recruit. MLM has become increasingly popular in recent years – and for good reason given that it has become extremely profitable: A 2012 study reported the MLM industry was worth approximately $30 billion.
The sole FTC guidelines for MLM arose from litigation in 1979 when the FTC accused the MLM Amway of operating an illegal pyramid scheme. (Amway ultimately prevailed four years later.) The case gave rise to what is known as the “Amway Safeguard Rules”– a set of rules relating to distributors that Amway had in place that protected itself from the FTC accusation that the company was a pyramid scheme. As described in the administrative law judge’s decision, these three critical criteria provided an “umbrella of legal protection”:
1. Amway required its representatives to engage in retail selling, under the “ten retail customer police,” which appeared in the agreement that representatives signed upon enrollment. This rule required that representatives make 10 sales to retain customers as a qualification for eligibility to receive commission and bonuses on sales/purchases made by other representatives in their personal sales organization.
2. Amway required its representatives to sell a minimum of 70 % of previously purchased products before placing a new order. (Amays’ rules recognize “personal use” for purposes of the 70% rule.)
3. Amway had an official “buy-back” policy for unsold, unopened inventory. This policy had some reasonable restrictions, including a specified maximum length of time since the item was originally purchased by the representative and that the item was still current in the company’s product offerings to consumers. The policy also included a minimal “restocking” fee. (Buy-back policies are significant especially for protection of representatives who choose to terminate their affiliation with a company, and do not want to be “stuck” with unsold inventory.)
By adhering to these rules, MLM companies gain some protection from pyramid scheme accusations. And, aside from a staff advisory opinion in 2004, the FTC has offered little or no further guidance on what it perceives as a pyramid scheme and what companies can or must do to show that their businesses are legitimate and legal.
Will the FTC use the Herbalife investigation to provide greater guidance for MLM companies? To do so would be in the interests of MLM companies, the regulators themselves, and those in the financial services industry who have taken great interest – and large financial positions – in MLM companies.
After the FTC secured a $163MM judgment against Kristy Ross in the US District Court of Maryland, the 4th Circuit affirmed, and so ends the FTC’s six-year “scareware” enforcement action. From beginning to end, this odyssey has been quite colorful, to say the least. The nine-figure judgment against Ross is no exception.
Originally, there were eight codefendants: Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and five of the companies’ officers and directors, including Ms. Ross. The case was based on FTC allegations that their massive “scareware” scheme was deceptive in violation of Section 5 of the FTC Act. Specifically, the FTC alleged that the defendants falsely warned consumers that (imaginary) scans of their computers detected security or privacy issues (e.g., viruses, spyware, system errors, and pornography). After receiving the fraudulent security alerts, the consumers were prompted to purchase the Defendants’ software to remedy the (imaginary) problems. More than one million consumers purchased the scareware – of them, roughly three thousand filed complaints with the FTC.
Ross was the only co-defendant remaining at trial, and the judgment was entered against her individually and as a member of Innovative Marketing, Inc. (IMI). Four of the eight original defendants settled with the FTC in February 2010. The same month, the trial court entered default judgments against the remaining three – IMI, Mr. Jain, and Mr. Sundin – for their failure to appear and participate in the litigation. Ross retained counsel but failed to file an answer, respond to the FTC’s discovery requests, or appear at trial. As such, the lone defendant Ross was tried in absentia. Though not explicitly expressed in the trial judge’s opinion, one can only imagine that the optics did not bode well for Ms. Ross at trial.
Before trial, the FTC moved for summary judgment. In her opposition, Ross argued that she was just an employee at IMI (not a “control person”) without requisite knowledge of the misconduct and that she could not therefore be held individually liable under the FTC Act. The court found there to be no issues of material fact with regard to whether the scareware scheme was deceptive in violation of the FTC Act. And a bench trial was ordered to determine the extent of Ross’ control over, participation in, and knowledge of IMI’s deceptive practices.
At trial, Judge Bennett found that Ross had actual knowledge of the marketing scheme, was fully aware of many of the complaints from customers, and was in charge of remedying the problems. The court issued a permanent injunction (as authorized by the FTC Act) and held her individually liable for the total amount of consumer injury (calculated by the FTC $163,167,539.95), finding that to be the proper measure for consumer redress.
On appeal, Ross asked the court to apply the SEC standard for individual liability, which essentially requires a showing of specific intent/subjective knowledge. The Fourth Circuit declined, finding that such a standard would leave the FTC “with a futile gesture of obtaining an order directed to the lifeless entity of a corporation, while exempting from its operation the living individuals who were responsible for the illegal practices in the first place.” The appeals court also rejected Ross’ arguments that district courts do not have authority to award consumer redress, noting that “[a] ruling in favor of Ross would forsake almost thirty years of federal appellate decisions and create a circuit split,” an outcome that it refused to countenance.
The factual and procedural history of this case are pretty outlandish, and it is not clear why Ross opted to take the FTC to the mat (in absentia) on case with so much weighing against her. Had she settled with the others back in 2010, maybe she would have only been on the hook for the gross revenues she received from the alleged scam. Then, almost certainly the FTC would have followed its common practice of suspending all but the amount she was able to pay. But, alas, she did not.
Advertisements for electronic cigarettes, or “e-cigarettes,” are increasingly drawing scrutiny from consumer advocates and public health groups who are calling for the federal government to regulate these advertisements in the same manner that traditional cigarette advertisements are regulated.
The e-cigarette industry is growing at a rapid pace, particularly among younger people. Last year, the industry generated roughly $2 billion and industry sources estimate sales are on pace to hit $5 billion this year.
Currently, there are no regulations governing advertisements of e-cigarettes. In contrast, advertisements of traditional cigarettes are heavily regulated. For instance, various federal laws and regulations prohibit cigarette manufacturers from sponsoring sporting events, and advertising cigarettes on television is also barred. Under the terms of a settlement from a lawsuit in 1998, tobacco companies agreed to not use cartoon characters to market cigarettes.
For roughly 10 years, the marketing team at R. J. Reynolds used the cartoon character “Joe Camel” to promote cigarettes. After years of pushback and under pressure from a pending lawsuit, Congress and various consumer groups, R.J. Reynolds announced that it would settle the pending lawsuit out of court and voluntarily end its use of Joe Camel.
BlueCigs, a leading manufacturer of e-cigarettes, uses a cartoon character named Mr. Cool in a television advertising campaign. Industry watchdogs have criticized the television ads, particularly given the growth of the industry and the regulations faced by traditional tobacco manufacturers. Some in the industry have noted the similarity between Mr. Cool and Joe Camel and worry that these advertisements will have the same effect of luring young people to try e-cigarettes that many believe Joe Camel had with traditional cigarettes.
Last month, a group of Senate Democrats introduced legislation to prohibit e-cigarette producers from marketing their products to children. This bill marked the first legislative attempt to regulate the e-cig industry. The bill would ban marketing e-cigarettes to children based on standards promulgated by the Federal Trade Commission (FTC), and would empower the FTC and state attorneys general to enforce the advertising ban.
Additionally, the White House Office of Management and Budget has been reviewing a rule proposed by the U.S. Food and Drug Administration that would bring e-cigarettes under its jurisdiction. The regulations have been under review since October. We have previously written about FDA plans to regulate the e-cigarette industry here.
The e-cigarette industry should be aware that their marketing and advertisements are being closely monitored. Regulation and potential lawsuits could be on the horizon and companies should review their policies and practices to make sure they are prepared. The use of cartoon characters may be one advertising method to forego at this point, instead focusing on mature individuals using the product.
Attorney General Holder Calls on Congress to Establish Strong National Data Breach Notification Standard
By Michelle Cohen, CIPP-US
Yesterday, in his weekly video address, Attorney General Eric Holder urged Congress to create a national data breach notification standard requiring companies to quickly notify consumers of a breach of their personal or financial information. In the wake of the high profile holiday season data breaches at retailers Target and Neiman Marcus, Holder stated that the Department of Justice and the U.S. Secret Service continue to work to investigate hacking and cybercrimes. However, Holder believes that Congress should act to establish a federal notification requirement to protect consumers. Holder’s video address is available here .
Currently, at least forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. As might be expected, the laws vary widely from state to state, particularly in the timing requirement for the breach notifications. Most laws allow delay to accommodate a law enforcement investigation.
Some states require notification as soon as reasonably practicable. Others require notification within 45 days. Yet organizations have faced lawsuits for failing to notify on a timely basis, even where there is no set standard. This presents a difficult situation for companies. Organizations need to investigate a data breach and determine the type of information affected, who was affected (and thus needs to be notified), and importantly, whether the breach is ongoing such that the company must immediately implement remedial measures.
Attorney General Holder believes Congress should set a national standard that will better protect consumers. Holder asserts that a federal requirement should enable law enforcement to investigate the data breaches quickly and to hold organizations accountable when they fail to protect personal and financial information. Holder’s video message did include a reference that this requirement should create “reasonable exemptions” for companies to avoid creating unnecessary burdens.
The Target and Neiman Marcus data breaches have certainly raised the profile of cybersecurity issues on Capitol Hill, with several bills having been introduced in recent weeks addressing data breaches. While the states certainly took the lead in protecting consumers by enacting data breach laws over the past several years, a properly-crafted national standard could provide more consistent guidance for industry and a uniform rule for consumers irrespective of their home states. Should Congress move forward on a data breach law, reasonable accommodations need to be made for companies to have time to investigate data breaches, to determine scope, persons affected, and the type of information affected. A national standard setting forth a notification deadline would also presumably alleviate the “rush to the courthouse” from the plaintiff’s bar with data breach notification timing allegations.
A federal court in California recently ruled that a plaintiff who was required to enter her phone number to purchase a plane ticket online had consented to receive a text message, and dismissed her claim under the Telephone Consumer Protection Act (TCPA). A plaintiff’s prior express consent is a major issue in TCPA litigation and this decision represents a victory for companies that obtain phone numbers from consumers who are purchasing goods or services from them.
The plaintiff, Shaya Baird, booked flights online for herself and her family on the Hawaiian Airlines website. During the purchase, Baird was required to enter her contact information. The website required at least one phone number, which Baird provided by entering her mobile phone number. A few weeks later Baird received a text message inviting her to reply “yes” if she wanted to receive flight notification services. Baird did not respond and she did not receive any more text messages.
Baird then filed suit alleging that Sabre, which contracted with Hawaiian Airlines to provide traveler notification services to passengers, violated the TCPA by sending her the unsolicited text message. The TCPA bars the sending of autodialed or prerecorded “calls” (which the Federal Communications Commission (“FCC”) has interpreted to include text messages) to mobile numbers without “prior express consent.” An individual’s granting of consent to receive texts constitutes an affirmative defense in a TCPA lawsuit.
Sabre moved for summary judgment on the ground that Baird consented to receive its text message when she made her flight reservation on the Hawaiian Airlines website. Baird responded that she did not voluntarily provide her cell phone number, but was instead told that she was required to enter a phone number. She further argued that she was not informed that by providing her cell phone number she was consenting to receiving text messages.
The court rejected Baird’s argument and found that although she was required to provide her phone number to book a flight on the Hawaiian Airlines website, the act of providing her phone number was a voluntary act. Baird was not forced to book a flight on the Hawaiian Airlines website. The court found that under the FCC’s interpretation of the TCPA, Baird had consented to be contacted on her cell phone about flight related matters. The court looked to the FCC’s 1992 Order implementing the TCPA to determine if the act of providing a cell phone number in connection with a transaction constitutes the required consent under the TCPA to receive autodialed calls. The court found that since it was undisputed that Baird “knowingly released” her cell phone number when she booked her tickets, under the FCC’s 1992 TCPA Order she had consented to receiving text messages.
This decision represents a victory for TCPA defendants. TCPA litigation has been increasing significantly in the past few years and recent changes have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls. While we recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, now at least one court has recognized the knowing provision of a mobile number as consent. However, companies engaging in text messaging should proceed cautiously as the new rules do impose strict requirements when it comes to telemarketing messages in particular, different from the informational text messages Ms. Baird received here. Under the new TCPA rules purely informational calls/texts and calls/texts to mobile phones for non-commercial purposes require prior express consent – oral or written. “Telemarketing” calls/texts to mobile phones require prior express written consent. Covered telemarketing calls include those made by advertisers that offer or market products or services to consumers and calls that are generally not purely informational (such as “mixed messages” containing both informational content and offering a product, good, or service for sale).