Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:
- Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.
Ohlhausen expressed disappointment that FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs). But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints, but that the FTC is getting cases from computer researchers and marketplace competitors.
- FTC to present positive findings from its enforcement actions.
Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.
- How FCC and FTC oversight of ISPs differs.
Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instances, they have taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: The FCC could rescind its reclassification or Congress could rescind the FCC’s common carrier authority of broadband services.
- The Privacy Shield and the FTC’s role in working with Europe.
Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.
- Chinese forays into privacy.
Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.
- Privacy and overlap with other areas of law
When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen. But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.
 A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.
Over the past several years, the Federal Communications Commission (“FCC”) took an expansive view of its rules under the Telephone Consumer Protection Act of 1991 (“TCPA”). The TCPA bars certain calls, texts and faxes without prior express consent and requires disclosures and opt-out procedures. While the FCC and state attorney generals may enforce the TCPA, the law’s truth “teeth” come in the form of private lawsuits where statutory damages allow up to $1500 per call/text/fax advertisement. Organizations in every industry, including hospitality, financial services, retail, and healthcare, have settled TCPA lawsuits for millions of dollars.
Businesses viewed recent FCC rulings for the most part as pro-plaintiff, encouraging additional class action lawsuits. In July 2015, for instance, the FCC issued an “omnibus” declaratory ruling in which it expanded certain definitions and interpreted the TCPA in ways seen as empowering the plaintiffs’ bar. However, the FCC’s TCPA rules do not go unchecked, as they are subject to challenge in the courts. The D.C. Circuit recently sent a message to the FCC, ruling in Bais Yaakov of Spring Valley v. Federal Communications Commission that the agency’s 2006 rule requiring an opt-out notice on “solicited” facsimile advertisements ignored clear statutory language. The D.C Circuit’s ruling demonstrates that the court will invalidate FCC rules and interpretations when the agency exceeds statutory authority, even if the FCC may think it is making good policy. It also suggests that the D.C. Circuit may be ready to give a defiant “thumbs down” to significant parts of the FCC’s July 2015 order. A decision is expected on that appeal at any time and we anticipate that the D.C. Circuit will invalidate several aspects of that ruling. This action would have a tremendous impact on pending TCPA litigation and may curb the TCPA gravy train on which several class action firms have already ridden.
The TCPA, as amended by Congress through the Junk Fax Prevention Act, prohibits (among other things) sending an unsolicited advertisement to a fax machine. An “unsolicited advertisement,” as defined in the TCPA is “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” Thus, the law allows fax advertisements transmitted with permission (“solicited faxes”). The law also contains another exception to the unsolicited fax advertisement ban where there is an established business relationship with the recipient (“EBR faxes”), provided the recipient voluntarily communicated the fax number or made it available, and a conspicuous opt-out notice meeting certain statutory requirements appears on the fax.
In 2006, the FCC ruled that “solicited” faxes – i.e. those fax advertisements for which the sender received prior consent – require the opt-out notice and associated opt-out procedures. The TCPA, in contrast, only mandates the opt-out notice for the EBR faxes. The 2006 ruling resulted in litigation against companies like Anda (a generic drug seller) that had permission to fax advertisements. Anda had valid permission from pharmacies to fax advertisements regarding time-sensitive topics such as pricing information and weekly specials. Plaintiffs nevertheless sued Anda in a $150 million class action lawsuit because Anda allegedly had not included the opt-out notice. Anda subsequently sought a ruling from the FCC clarifying that solicited faxes did not require the opt-out.
In the category of “sometimes when you ask, you get the answer you don’t want,” the FCC ruled that the opt-out notice applied to solicited and EBR faxes. However, the FCC stated it would waive application for faxes sent before April 30, 2015. The two Republican commissioners (including now Chairman Pai) vigorously dissented. Anda then appealed to the D.C. Circuit.
Late last month, the D.C. Circuit vacated the 2006 solicited fax rule and remanded it to the agency. The court focused on the TCPA’s statutory language, noting that the opt-out notice requirement only appears in the EBR fax provision. “Although the Act requires an opt-out notice on unsolicited fax advertisements, the Act does not require a similar opt-out notice on solicited fax advertisements…Nor does the Act grant the FCC authority to require opt-out notices on solicited fax advertisements.” The appeals court concluded that the case was quite simple – the FCC can only take action that Congress authorized. Congress did not authorize an opt-out notice requirement for solicited fax advertisements. Under an existing rule, senders must still allow recipients to opt-out if they no longer want to receive solicited faxes. But the FCC cannot require the opt-out notice on those solicited fax advertisements. Consequently, companies should not be liable under the TCPA for not including the opt-out notice on solicited fax advertisements.
While the FCC understandably wants to protect consumers and businesses from unsolicited calls, texts, and faxed advertisements – the agency must respect its authority and the limits to that authority. In other words, the FCC cannot choose how the TCPA “should” read. Congress made that choice.
With TCPA litigation continuing to explode, this ruling provides some comfort that the FCC will not go unchecked in its recent, broad TCPA interpretations. And, with the high stakes appeal of the 2015 Omnibus Ruling pending before the same court, there are strong signs that the D. C. Circuit will push the FCC back on its expansive interpretations of autodialer and liability for calls to reassigned numbers, among other challenged rules. Companies involved in ongoing TCPA litigation involving the challenged interpretations may want to seek stays from their courts or arbitrators pending the outcome of the next appeal.
TCPA Trouble Continues: FCC Slams Lyft and First National Bank for Terms of Service Requiring Consent
Most of the attention involving the Telephone Consumer Protection Act (“TCPA”) has centered on the stream of class actions around the country. It is important to remember that the Federal Communications Commission (“FCC”) and state attorney generals can, and do, enforce the TCPA. In fact, the FCC recently issued citations to Lyft, the ride-sharing service, and First National Bank (“FNB”). Under the Communications Act, before the FCC may issue monetary penalties against a company or person that does not hold an FCC license or authorization, it must first issue a citation warning the company or person.
The TCPA requires prior express written consent for telemarketing calls/texts to mobile phones utilizing an autodialer or prerecorded call and for prerecorded telemarketing calls to residential lines. FCC rules mandate that the “prior written consent” contain certain key features. Among these requirements is the disclosure informing the consenting person that “the person is not required to sign the agreement – directly or indirectly – or agree to enter into an agreement as a condition of purchasing any property, goods, or services.”
For years, the FCC focused on actual consumer complaints of having received telemarketing calls/texts without the required prior express written consent. Interestingly, here, the FCC did not allege that either Lyft or FNB sent texts/robocalls without the required consent. The FCC’s accompanying press release indicates that its Enforcement Bureau initiated the two investigations after becoming aware of “violative provisions in those companies’ service agreements.” The citations issued to Lyft and FNB, along with recent correspondence by the FCC to Paypal concerning similar issues, represent new FCC attention on terms/conditions of service in the TCPA context, particularly on “blanket take it or leave it” agreements. The FCC Enforcement Bureau Chief, Travis LeBlanc, put all companies on notice, urging “any company that unlawfully conditions its service on consent to unwanted marketing calls and texts to act swiftly to change its policies.” The FCC directed Lyft and FNB to take “immediate steps” to comply with FCC rules and the TCPA – presumably meaning that the companies should immediately revise their terms and practices.
According to the FCC, Lyft’s terms require customers to expressly consent to receive communications from Lyft to customer’s mobile numbers, including text messages, calls, and push notifications. The messages could include Lyft-provided promotions and those of third party partners. The terms advise customers that they can opt-out by following the “unsubscribe” option, and that customers are not required to consent to receive promotional messages as a condition of using the Lyft platform or the services.
However, the FCC found that contrary to Lyft’s terms of service, Lyft does not actually provide “unsubscribe options” for consumers. If a consumer independently searches and gets to Lyft’s “help center,” the only option to opt-out subsequently prevents consumers from using Lyft’s service. Thus, per the FCC, “Lyft effectively requires all consumers to agree to receive marketing text messages and calls on their mobile phones in order to use services.”
The FCC concluded that while Lyft’s terms of service stated that consumers were not required to consent as a condition to using Lyft, in actuality, consumers could not refuse consent and remain Lyft users. Thus, the FCC cited Lyft, warning that it would be liable for any advertising text messages for which it did not collect proper, prior express written consent. The agency further stated that it would continue to monitor Lyft’s practices.
In FNB’s investigation, the FCC noted that consumers wishing to use FNB’s online banking services are required to agree to receive text messages and emails for marketing purposes at consumer-provided phone numbers. FNB customers wishing to enroll in the Apply Pay service are similarly required to consent to receive marketing-related text messages and emails. The FCC objected to FNB requiring consumers to agree to receive marketing text messages in order to use the online banking and Apple Pay services, and failing to inform consumers that they have the option to refuse consent. The agency reiterated that under FCC rules, prior express written consent to receive telemarketing messages requires that, among other things, consumers receive a clear and conspicuous disclosure informing the consumer of his or her right to refuse to provide consent.
When it comes to autodialed/prerecorded telemarketing calls and texts to mobile phones and prerecorded telemarketing calls to residential lines, companies need to be diligent in ensuring they have proper, defensible prior express written consent. The FCC’s citations to Lyft and FNB make clear that organizations may not rely on blanket mandatory opt-in agreements. While it may be acceptable to seek consent in terms of service, consumers must be informed of their opt-out abilities, and must be able to access the opt-out and still use the service or make the purchase.
Companies should review their service agreements and the operational mechanisms to make sure consumers have information on opting-out. Further, any opt-out mechanisms must work as promised. A user’s opt-out should not block services/purchases. Of course, the best way to obtain consent is to seek a separate, prior express written consent in an agreement that contains all the required elements, as follows:
- Is in writing (can be electronic);
- Has the signature (can be electronic) of the person who will receive the advertisement/telemarketing calls or texts;
- Authorizes the caller to deliver advertisements or telemarketing messages via autodialed calls, texts, or robocalls;
- Includes the telephone number to which the person signing authorizes advertisements or telemarketing messages to be delivered;
- Contains a clear and conspicuous disclosure informing the person signing that:
- By executing the agreement, the person signing authorizes the caller to deliver ads or telemarketing messages via autodialed calls, texts or robocalls; and
- The person signing the agreement is not required to sign the agreement (directly or indirectly) or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.
As a reminder, the FCC repeatedly takes the position that the company claiming prior express written consent will bear the burden of providing that consent.
A federal court in California recently ruled that a plaintiff who was required to enter her phone number to purchase a plane ticket online had consented to receive a text message, and dismissed her claim under the Telephone Consumer Protection Act (TCPA). A plaintiff’s prior express consent is a major issue in TCPA litigation and this decision represents a victory for companies that obtain phone numbers from consumers who are purchasing goods or services from them.
The plaintiff, Shaya Baird, booked flights online for herself and her family on the Hawaiian Airlines website. During the purchase, Baird was required to enter her contact information. The website required at least one phone number, which Baird provided by entering her mobile phone number. A few weeks later Baird received a text message inviting her to reply “yes” if she wanted to receive flight notification services. Baird did not respond and she did not receive any more text messages.
Baird then filed suit alleging that Sabre, which contracted with Hawaiian Airlines to provide traveler notification services to passengers, violated the TCPA by sending her the unsolicited text message. The TCPA bars the sending of autodialed or prerecorded “calls” (which the Federal Communications Commission (“FCC”) has interpreted to include text messages) to mobile numbers without “prior express consent.” An individual’s granting of consent to receive texts constitutes an affirmative defense in a TCPA lawsuit.
Sabre moved for summary judgment on the ground that Baird consented to receive its text message when she made her flight reservation on the Hawaiian Airlines website. Baird responded that she did not voluntarily provide her cell phone number, but was instead told that she was required to enter a phone number. She further argued that she was not informed that by providing her cell phone number she was consenting to receiving text messages.
The court rejected Baird’s argument and found that although she was required to provide her phone number to book a flight on the Hawaiian Airlines website, the act of providing her phone number was a voluntary act. Baird was not forced to book a flight on the Hawaiian Airlines website. The court found that under the FCC’s interpretation of the TCPA, Baird had consented to be contacted on her cell phone about flight related matters. The court looked to the FCC’s 1992 Order implementing the TCPA to determine if the act of providing a cell phone number in connection with a transaction constitutes the required consent under the TCPA to receive autodialed calls. The court found that since it was undisputed that Baird “knowingly released” her cell phone number when she booked her tickets, under the FCC’s 1992 TCPA Order she had consented to receiving text messages.
This decision represents a victory for TCPA defendants. TCPA litigation has been increasing significantly in the past few years and recent changes have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls. While we recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, now at least one court has recognized the knowing provision of a mobile number as consent. However, companies engaging in text messaging should proceed cautiously as the new rules do impose strict requirements when it comes to telemarketing messages in particular, different from the informational text messages Ms. Baird received here. Under the new TCPA rules purely informational calls/texts and calls/texts to mobile phones for non-commercial purposes require prior express consent – oral or written. “Telemarketing” calls/texts to mobile phones require prior express written consent. Covered telemarketing calls include those made by advertisers that offer or market products or services to consumers and calls that are generally not purely informational (such as “mixed messages” containing both informational content and offering a product, good, or service for sale).
On October 16, 2013, two changes will go into effect in the rules implementing the federal Telephone Consumer Protection Act (TCPA). Importantly, these rules impose stricter requirements on mobile messaging and prerecorded telemarketing calls. The rule changes, announced back in February 2012, may spur further litigation concerning the scope of the TCPA. All businesses should review the new requirements to ensure compliance or risk significant potential litigation expenses and negative publicity.
TCPA litigation has been increasing significantly in recent years. The number of TCPA-related cases filed in 2012 increased by 34 percent compared to 2011 and was more than three times the number of cases brought in 2010. Part of the reason fueling the uptick in TCPA litigation is the increasing use of mobile messaging, combined with the enormous potential damages possible under the statute. Every individual text, call or fax that is found to be in violation of the TCPA can result in damages from $500 to $1,500 and there is no limit on the number of violations that can be included in an individual suit. The Federal Communications Commission (FCC) and state attorney generals, as well as private litigants, may also enforce the TCPA.
Some major companies have been hit with significant penalties under the TCPA. In May, Papa John’s International agreed to pay $16.5 million as part of a settlement of a TCPA class action stemming from claims that the company sent unsolicited text messages to more than 200,000 people through a third-party marketer. Steve Madden and Domino’s Pizza have also both reached settlements this year agreeing to fines of nearly $10 million to settle TCPA claims.
The two changes going into effect in October are as follows. One exception from liability under the TCPA for phone calls or text messages using an autodialer or a prerecorded message is for those that are made with “prior express consent.” Under the new interpretation from the FCC of the prior consent exception, with limited exceptions, a business can only invoke the prior express consent exception for autodialed or prerecorded calls to a mobile phone or for prerecorded telemarketing calls to a residential line if the called party has physically or electronically signed an agreement that clearly authorizes calls or texts to be made to their phone number by that particular sender. Additionally, a recipient’s signing the agreement must be optional and cannot be tied to the purchase of any goods or services.
The other significant change to the TCPA rules is the elimination of the “established business relationship” exception for prerecorded telemarketing calls to residences. Previously, businesses could avoid TCPA liability for prerecorded telemarketing calls that otherwise were prohibited by claiming that they had an established business relationship with the consumer by virtue of a previous purchase or other business interactions. The new regulations have eliminated this exemption, meaning businesses are now required to obtain written consent for all prerecorded telemarketing to residential phone numbers, even those that are for previous customers. With this change, the FCC followed the Federal Trade Commission (FTC), which made a similar express consent requirement under the Telemarketing Sales Rule for prerecorded telemarketing calls a few years ago.
As some of the recent cases have shown, businesses can face enormous potential liability under the TCPA, including liability for actions of third-party marketers acting on behalf of them. The statistics demonstrate that plaintiffs’ lawyers are aggressively pursuing TCPA actions, and the changes in the rules may lead to yet more TCPA cases. Given the changes that will go into effect in October, businesses should review their TCPA policies to ensure that they are in compliance, so that they can avoid the possibility of paying onerous penalties.