Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 28, the FCC announced a proposed fine of $20 million for two affiliated mobile carrier companies over alleged violations of FCC rules. The Commission alleged that the companies failed to protect the privacy and security of subscribers’ personal data by violating three provisions of section 64.2010 of FCC rules, which requires carriers to authenticate customers’ identity before providing online access to their network information. The alleged violations included relying on readily available information to control access to the network information, failing to establish “reasonable” data security standards. FCC Chairwoman Jessica Rosenworcel cited such failures to protect consumers’ privacy to underpin the importance of the FCC’s newly established Privacy and Data Protection Task Force (covered by InfoBytes here). The proposed sanctions are not final, and the companies will have an opportunity to respond.
On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.
In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.
Among the new actions announced a part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.
Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.
On June 14, FCC Chairwoman Jessica Rosenworcel announced the establishment of the Commission’s new Privacy and Data Protection Task Force. According to the announcement, the task force will coordinate efforts across the FCC on rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors. These coordinated measures, Rosenworcel said, are intended to protect against and respond to data breaches involving telecommunications providers and those related to cyber intrusions. Measures will also address supply chain vulnerabilities involving third-party vendors that service regulated communications providers. Speaking to the Center for Democracy and Technology Forum on Data Privacy, Rosenworcel commented that data monetization is big business and that “market incentives to keep our data and slice and dice it to inform commercial activity are enormous” and only increasing. She provided examples of data aggregators selling individual geolocation data and said this demonstrates how information can be monetized. Rosenworcel further explained that the task force will also provide input on Commission efforts to modernize the FCC’s data breach rules. As previously covered by InfoBytes, the FCC issued a notice of proposed rulemaking in January to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information.
On April 11, the FTC implemented Project Point of No Entry (PoNE) in an attempt to stop foreign-based scammers and imposters from targeting U.S. consumers with illegal robocalls. The FTC warned “point of entry” or “gateway” VoIP service providers that routing or transmitting illegal call traffic may violate the Telemarketing Sales Rule, which allows the Commission to seek civil penalties, restitution, and injunctions to stop violations. Through Project PoNE, the FTC will identify violators and “pursue recalcitrant providers” by opening enforcement investigations and filing lawsuits, as appropriate. According to the FTC, “Project PoNE has uncovered the activity of 24 target point of entry service providers responsible for routing and transmitting illegal robocalls between 2021 and 2023, in connection with approximately 307 telemarketing campaigns, including government and business imposters, COVID-19 relief payment scams, and student loan debt relief and forgiveness schemes, among others.” The FTC attributed the results to its collaboration with the Industry Traceback Group, the FCC, and state attorneys general, and said it will make publicly available recordings of the robocalls that target providers have allowed into the U.S. to help consumers identify and avoid scams. The announcement highlighted that before being contacted by the FTC, “the targets had a combined total of 1,043 tracebacks,” but that after being warned about the possible illegal conduct, the number decreased to 196 tracebacks. Of these 196 tracebacks, the FTC said “147 are linked to two uncooperative providers, one of which is subject to an FCC law enforcement action.”
On March 16, the FCC adopted its first regulations specifically targeting scam text messages sent to consumers. Recognizing that robotexts are generally covered under the TCPA’s limits against unwanted calls to mobile phones, the FCC stated that the new regulations will require mobile service providers to block certain robotexts that appear to be coming from phone numbers that are unlikely to transmit text messages, including invalid, unallocated, or unused numbers, as well as “numbers that the subscriber to the number has self-identified as never sending text messages, and numbers that government agencies and other well-known entities identify as not used for texting.” Mobile service providers will also be required “to establish a point of contact for text senders, or have providers require their aggregator partners or blocking contractors to establish such a point of contact, which senders can use to inquire about blocked texts.”
The FCC’s report and order also include a further notice of proposed rulemaking, which seeks to implement additional protections to further prevent illegal text messages. The proposal would “require terminating providers to block texts from a sender after they are on notice from the Commission that the sender is sending illegal texts, to extend the National Do-Not-Call Registry’s protections to text messages, and to ban the practice of marketers purporting to have written consent for numerous parties to contact a consumer, based on one consent.”
Comments are due 30 days after publication in the Federal Register.
On January 24, the FCC’s Enforcement Bureau announced it had ordered telecommunications companies to effectively mitigate robocall traffic originating from a Florida-based real estate brokerage firm selling mortgage scams. The FCC also sent a cease-and-desist letter to a voice service provider carrying the allegedly illegal robocall traffic. According to the FCC, several state attorneys general filed lawsuits late last year against the firm for allegedly using “misleading robocalls to ‘swindle’ and ‘scam’ residents into mortgaging their homes in exchange for small cash payments.” (See state AG press releases here, here, and here.) Additionally, last month, Senate Banking Committee Chairman Sherrod Brown (D-OH), along with Senators Tina Smith (D-MN) and Ron Wyden (D-OR) sent a letter to the FTC and the CFPB requesting a review of the firm’s use of exclusive 40-year listing agreements marketed as a “loan alternative.” (Covered by InfoBytes here.) In shutting down the robocalls, FCC Chairwoman Jessica Rosenworcel stressed that sending junk calls to financially-stressed homeowners in order to offer “deceptive products and services is unconscionable.” Enforcement Bureau Chief Loyaan A. Egal added that the voice service provider should have been applying “Know Your Customer” principles before allowing the traffic on its networks.
On January 23, the FCC announced that July 20 is the compliance date for amended telephone consumer protection act rules on prerecorded calls. As previously covered by InfoBytes, President Trump signed S. 151, the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), which granted the FCC authority to promulgate rules to combat illegal robocalls and requires voice service providers to develop call authentication technologies. On December 30, 2020, the Commission released the TCPA Exemptions Order to implement section 8 of the TRACED Act. In that rulemaking, the Commission amended the TCPA rules related to exemptions for non-commercial calls to residential numbers and commercial calls to residential numbers that do not include an advertisement or constitute telemarketing, among other things. Specifically, the Commission adopted numerical limits on exempted artificial or prerecorded voice calls to residential lines and also required callers making such exempt calls to allow consumers to opt out of any future calls that they do not wish to receive. The Commission explained in the TCPA Exemptions Order that it would publish in the Federal Register a compliance date for the amended rules, which would be six months after publication.
In December, FCC Chair Jessica Rosenworcel sent a letter to twelve senators in response to their June 2022 letter inquiring about combating robocalls. In the letter, Rosenworcel highlighted the FCC’s efforts to combat robocalls by discussing the agency’s “important” proposed rules, adopted in May, to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls (covered by InfoBytes here). She also highlighted the FCC’s enforcement efforts, such as a December action where the FCC announced a nearly $300 million fine against an auto warranty scam robocall campaign for TCPA and Truth in Caller ID Act violations—“largest robocall operation the FCC has ever investigated” (covered by InfoBytes here).
Rosenworcel requested additional authority from Congress to combat robocalls and robotexts more effectively. Specifically, Rosenworcel asked the senators to “fix the definition of autodialer” – since robotexts are neither prerecorded nor artificial voice calls, the TCPA only provides consumers protection from robotexts if they are sent from autodialers. She further noted that the Supreme Court's decision in Facebook v. Duguid (covered by a Buckley Special Alert) narrowed the definition of autodialer under the TCPA, resulting in the law only covering equipment that generates numbers randomly and sequentially. She wrote that as a result, “equipment that simply uses lists to generate robotexts means that fewer robotexts may be subject to TCPA protections, and as a result, this decision may be responsible for the rise in robotexts.” Among other things, she also requested that Congress update the TCPA to permit for administrative subpoenas for all types of non-content customer records, and for Congress to grant the FCC the authority and resources to increase court enforcement of fines.
On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted that “given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” She commented that the “new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.” The NPRM, which seeks to improve alignment with recent developments in federal and state data breach laws covering other sectors, would require telecommunications providers to notify impacted customers of CPNI breaches without unreasonable delay, thus eliminating the current seven business day mandatory waiting period for notifying customers of a breach.
Among other things, the FCC requests feedback on whether to establish a specific timeframe (e.g. a requirement to report breaches of customers’ data within 24 or 72 hours of discovery of a breach) or whether a disclosure deadline should vary based on a graduated scale of severity. The FCC also seeks comments on whether a carrier should “be held to have ‘reasonably determined’ a breach has occurred when it has information indicating that it is more likely than not that there was a breach,” and whether the Commission should publish guidance on what constitutes a reasonable determination or adopt a more definite standard. Feedback is also solicited on topics such as threshold triggers, what should be included in a security breach notification, the delivery method of these notifications, and whether to expand the definition of a data breach to also include inadvertent disclosures. Comments are due 30 days after publication in the Federal Register.
On December 21, the FCC announced a nearly $300 million fine against an auto warranty scam robocall campaign for TCPA and Truth in Caller ID Act violations, “which is the largest robocall operation the FCC has ever investigated.” According to the announcement, the two individuals in charge of the operation ran a complex robocall sales lead generation scheme, which was designed to sell vehicle service contracts that were deceptively marketed as car warranties. This “scheme made more than 5 billion robocalls to more than half a billion phone numbers during a three-month span in 2021, using pre-recorded voice calls to press consumers to speak to a ‘warranty specialist’ about extending or reinstating their car’s warranty.” As previously covered by InfoBytes, in July, the FCC took initial action by ordering “phone companies to stop carrying traffic regarding a known robocall scam marketing auto warranties.” The FCC noted that the operation is also the target of an ongoing investigation by the FCC’s Enforcement Bureau and a lawsuit by the Ohio attorney general. The Ohio AG filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation (covered by InfoBytes here). The complaint, filed in the U.S. District Court for the Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” In addition to the fine, among other things, the individuals who allegedly ran the operations are prohibited from making telemarketing calls pursuant to FCC actions.