InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FCC Enforcement Chief Touts Global Anti-Robocall Push
In an official FCC blog post published November 21, FCC Enforcement Chief Travis LeBlanc re-emphasized the agency’s efforts to work with international law enforcement partners to target fraudsters who might otherwise be outside the FCC’s reach. As explained by Mr. LeBlanc:
“Unsolicited calls and text messages are more than just a nuisance these days. They are used to perpetrate criminal fraud, phishing attacks, and identity theft schemes all around the world. These calls often overwhelm facilities, including emergency or 911 call centers. Those responsible for sending unwanted calls and texts often operate from outside of the United States, too often allowing them to evade our enforcement. Indeed, it is very easy for these scammers to operate from multiple countries, hide their locations, change their phone numbers between calls, trick caller ID systems into displaying false or trusted numbers, increasingly demand payments in hard-to-trace forms such as cash or gift cards, and move quickly to avoid detection and prosecution in our increasingly mobile world.”
Earlier this year, the FCC signed a memorandum of understanding with members of the “Unsolicited Communications Enforcement Network,” a global network of law enforcement authorities and regulatory agencies that have agreed to share intelligence, identify common threats, learn from each other’s best practices and assist each other with investigations where permissible to combat unsolicited communications.
FCC Adopts Privacy Rules for Broadband Providers
On October 27, the FCC adopted privacy rules regulating consumers’ use of broadband internet services. As previously covered in InfoBytes, the FCC issued revised proposed privacy rules for broadband internet service providers (ISPs) in early October to provide consumers with “increased choice, transparency and security online.” Like the proposed rules, the adopted rules (i) require ISPs to obtain confirmative consent to use and share sensitive information; and (ii) permit ISPs to share non-sensitive information unless a customer opts-out.
Because the scope of the rules is limited to broadband service providers and other telecommunication carriers, the FTC maintains its authority over the privacy practices of websites and other “edge services.” In support of the newly adopted FCC rules, FTC Chairwoman commented that “[t]he rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices.”
FCC Releases Revised Proposed Privacy Rules for Broadband Providers
On October 6, the FCC issued a fact sheet on revised privacy rules related to broadband internet services. According to the fact sheet, the proposed rules “are designed to evolve with changing technologies and encourage innovation, and are in harmony with other key privacy frameworks and principles – including those outlined by the [FTC] and the Administration’s Consumer Privacy Bill of Rights.” The FCC first issued a set of privacy rules concerning consumer rights in relation to broadband internet service providers (ISPs) in March. In Chairman Tom Wheeler’s October 6 blog post regarding the recent revisions, he noted that the revised proposal “provide[s] consumers increased choice, transparency and security online.” The proposed rules, among other things, would require ISPs to (i) let consumers know the type of information they are collecting, specify how and the extent to which the information can be used and shared, and identify with whom the information is shared; (ii) obtain consumers’ opt-in consent to use sensitive information, including, among other things, geo-location, social security numbers, and web browsing history; and (iii) provide an opt-out option, consistent with customer expectations, for the use and sharing of non-sensitive information. Notably, the proposed rules “do not apply to the privacy practices of websites or apps, over which the [FTC] has authority…even when a website or app is owned by a broadband provider.” The Commission is scheduled to vote on the proposal on October 27.
FTC Submits Comment to the FCC on Proposal Relating to Debt Collection Robocalls
On June 6, the FTC submitted a comment to the FCC on its Notice of Proposed Rulemaking (NPR) regarding the implementation of recent changes to provisions of the Telephone Consumer Protection Act (TCPA) that permit robocalls “made solely to collect a debt owed or guaranteed by the United States.” Recommending that the FCC proceed cautiously with the expansion of permissible robocalling, the FTC instructed the FCC to establish standards for the collection of government debt that are consistent with the FDCPA, Section 5 of the FTC Act, and the Telemarketing Sales Rule (TSR). Specifically, the FTC’s comment advises the FCC to limit permitted robocalls to only (i) those relating to debts in default status; (ii) persons who actually owe the debts; (iii) those relating to the collection of the government debt; and (iv) collection purposes exclusively. In addition, the FTC’s comment on the NPR suggests that the FCC (i) maintain reasonable security practices over the data collected during covered robocalls; (ii) limit robocalls to the hours of 8:00 am to 9:00 pm; and (iii) require covered callers to “transmit caller ID information that includes a caller number that connects to a live agent representing the debt collector.”
Senate Judiciary Committee Holds Hearing to Discuss FCC's Proposed Privacy Rules
On May 11, the Subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee held a hearing titled “Examining the Proposed FCC Privacy Rules.” Present at the hearing were witnesses FCC Chairman Thomas Wheeler, FCC Commissioner Ajit Pai, FTC Chairwoman Edith Ramirez, and FTC Commissioner Maureen Ohlhausen. The focal point of the hearing was the FCC’s proposed rule (which comes after its Open Internet Order released in February 2015, designed to preserve net neutrality) on broadband internet services, which is, according to proponents of the proposal, intended to ensure that consumers’ personal information is adequately protected when Internet Service Providers (ISP) collect information on consumers using their products. According to FCC Chairman Wheeler’s opening remarks, the FCC’s proposed rule governing the privacy and security of consumer data is built on “transparency, choice, and security.” Commission members Pai and O’Reilly oppose the proposal, with Commissioner Pai commenting at the hearing that the proposal imposes “stringent regulation” on ISPs, in spite of Commissioner Wheeler’s November 2015 statement before the House Energy and Commerce Committee’s Subcommittee on Communications and Technology that the FCC “would ‘not be regulating the edge providers differently’ from ISPs.” In contrast to the FCC’s proposal, the FTC maintains a unified approach toward regulating ISPs and other online actors. Speaking to the FTC’s efforts to protect consumer information, Chairwoman Ramirez’s and Commissioner Ohlhausen’s joint testimony summarized the FTC’s enforcement, policy, and education work related to consumer privacy and highlighted recent FTC and FCC joint enforcement actions. According to Senator Leahy’s (D-VT) opening remarks, the FCC’s recent proposal raises the question as to whether FCC regulation of specialized broadband privacy issues is “unnecessary in light of the FTC’s general enforcement power.” Advocates of the FCC’s proposal, such as Senator Leahy, maintain that the FTC’s case-specific enforcement power cannot be a substitute for the FCC’s “expert rulemaking process”; while those in opposition, such as FCC Commissioner Pai, argue that the proposal “makes little, if any, sense.” Comments on the FCC’s proposal are due by May 27, 2016, with the reply comment period ending June 27, 2016.
FCC Reveals Consumer Broadband Labels; CFPB Director Cordray Weighs In
On April 4, the FCC released new broadband disclosure labels for Internet services. According to the FCC, consumers submit more than 2,000 complaints annually related to surprise fees associated with consumers’ Internet service bills. Specifically designed for mobile broadband services and fixed broadband services, the newly released labels “will provide consumers with more information on service speed and reliability and greater clarity regarding the costs of broadband services, including fees and other add-on charges that may appear on their bills.”
In coordination with the FCC to provide greater transparency to consumers using broadband services, CFPB Director Cordray likened the broadband disclosure labels to the CFPB’s “know before you owe” initiative, noting that, “[c]onsumers must be able to understand the terms of the agreement, and if there are options, they need to be able to comparison shop for the best deal.”
FCC Releases Broadband Consumer Privacy Proposal Fact Sheet
On March 10, the FCC released a fact sheet regarding consumers’ rights in relation to broadband internet services. Significantly, the fact sheet highlights FCC Chairman Tom Wheeler’s proposed rule, which was recently circulated to the Commission for consideration, to ensure consumers have the tools necessary “to make informed choices about how and whether their data is used and shared by their broadband providers.” According to the fact sheet, Chairman Wheeler’s proposed rule “separates the use and sharing of information into three categories, and proposes adoption of clear guidance for both ISPs and customers about transparency, choice and security requirements for that information.” The Commission will vote on the proposal on March 31; if adopted, a period of public comment will follow the Commission’s approval.
State AGs Urge Senate to Pass Bill Banning Debt Collection Robocalls
On February 10, Indiana Attorney General Greg Zoeller and Missouri Attorney General Chris Koster, along with 23 other state attorneys general, wrote to the Senate Committee on Commerce, Science, and Transportation (Committee) urging it to pass legislation repealing a recent amendment to the Telephone Consumer Protection Act (TCPA) that allows debt collection robocalls to consumers’ cellphones. According to the AGs’ letter, the TCPA currently “permits citizens to be bombarded by unwanted and previously illegal robocalls to their cell phones if the calls are made pursuant to the collection of debt owed to or guaranteed by the United States.” The letter references the FCC’s efforts to slow the proliferation of robocalling and calls the recent amendment to the TCPA a “step backward in our law enforcement efforts” to protect consumers from “unwanted and unwelcome robocalls.”
FCC and FTC Issue MOU for Continued Cooperation on Consumer Protection Matters
On November 16, the FCC and the FTC executed a Memorandum of Understanding (MOU) on continued cooperative efforts to protect consumers from unfair or deceptive acts or practices involving telecommunications services. In an effort to formalize existing cooperation among the agencies, the MOU outlines the ways in which the two agencies will continue to work together, including: (i) coordinating agency initiatives where one agency’s action will significantly impact the other agency’s authority or programs; (ii) sharing investigative techniques and tools, intelligence, technical and legal expertise, as necessary, in addition to best practices in response to reasonable requests for such assistance; and (iii) collaborating on consumer and industry outreach and education efforts, as appropriate. Moreover, the MOU identifies the scope of each agency’s enforcement authority with respect to common carriers, and confirms that the 2003 MOU regarding Telemarketing Enforcement between the two agencies remains effective, stating that the most recent MOU should not “be construed as altering, amending, or invalidating that [2003] MOU.”
FCC Settles with Company Over Alleged Data Protection Failures
On November 5, the FCC resolved its first ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third party vendors and employees; and (viii) regularly file compliance reports with the FCC.
