
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC Cites Two Companies over Unauthorized Telemarketing Allegations

    Privacy, Cyber Risk & Data Security

    On September 11, the FCC issued citations against a Pennsylvania-based financial institution and a transportation network company (TNC), alleging that both companies engaged in unlawful business practices by infringing consumers’ rights to be free of unauthorized telemarketing robocalls to residential and wireless phones. The financial institution’s citation alleges that the bank required customers to agree to receive autodialed telemarketing texts in order to use its online banking and Apple Pay services. The TNC’s citation alleges that, although it allows consumers who sign up for ride-sharing service to opt out of receiving autodialed or prerecorded telemarketing calls and texts, the TNC does not allow users to access the service if they exercise these opt-out rights. Both citations allege that these practices violate the FCC’s rules implementing the Telephone Consumer Protection Act (TCPA), and direct the companies to take immediate steps to come into compliance with the FCC’s rules, orders, and the TCPA prohibition against unlawful marketing and advertising calls. The FCC also warned that future violations may result in monetary forfeitures.

    TCPA FCC Enforcement

  • District Court Finds that Texts Sent Via Mobile App Not Subject to TCPA Due to Users' "Affirmative Choices" to Send Messages

    Fintech

    On August 24, a California district court ruled in favor of a rewards-based app company, rejecting plaintiffs’ arguments that the company violated the Telephone Consumer Protection Act (TCPA). Huricks v. Shopkick, Inc., No. c-14-2464-mmc (N.D. Cal. Aug. 24, 2015). In Huricks, plaintiffs brought a putative class action, arguing that the company’s mobile app sent spam text messages with links to the company’s website to mobile phones without consumers’ consent in violation of the TCPA and a derivative claim under the California Business and Professions Code. In rejecting plaintiffs’ claims and granting summary judgment on all counts, the court relied on a recent FCC Order where the FCC ruled, among other matters, that a company was not the maker or initiator of invitational text messages subject to the TCPA’s requirements when users of the app make a series of “affirmative choices” in order for the text messages to be sent. The court ruled that, even though the company controlled the text message’s content, the company’s evidence established that a user of its app “must [have] proceed[ed] through a multi-step invitation flow within the app” to cause text messages to be sent to the user’s contacts. The court noted that users of the app had to (i) tap a button to invite friends, (ii) choose which contacts to invite, and (iii) choose to send the text message by selecting another button.  The court concluded the company was not the initiator of these texts under the TCPA and granted the company’s motion for summary judgment.

    TCPA FCC

  • FCC Announces $3.5 Million Settlement with Carriers to Resolve Consumer Privacy Investigation

    Privacy, Cyber Risk & Data Security

    On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information.  The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine.  Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as its duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training.  FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.

     

    FCC Enforcement Privacy/Cyber Risk & Data Security

  • FCC Adopts Chairman Wheeler's Proposal to Strengthen Consumer Protection Under the TCPA

    Privacy, Cyber Risk & Data Security

    On June 18, the FCC held an Open Commission Meeting, during which the Commission adopted Chairman Wheeler’s proposal to strengthen consumer protection under the TCPA. The set of declaratory rulings included in the proposal affirms consumers’ rights to revoke their consent to receive robocalls or robotexts at any reasonable time and in any reasonable way, and gives carriers the ability to provide consumers with “Do Not Disturb” technology. The Commission’s June 18 Action by Declaratory Ruling and Order was described as an effort to close “loopholes and [strengthens] consumer protections already on the books.”

    TCPA FCC

  • FCC Chairman Circulates Proposal to Strengthen Consumer Protection Under the TCPA; Open Meeting Scheduled For June 18

    Privacy, Cyber Risk & Data Security

    On May 27, the FCC released a fact sheet outlining Chairman Wheeler’s proposal for a series of rulings under the Telephone Consumer Protection Act (TCPA) that he asserts will better protect American consumers from unsolicited robocalls, spam text messages, and telemarketing calls. If adopted, the proposal would, among other things: (i) give consumers the right to revoke their consent to receive robocalls and robotexts at any reasonable time and in any reasonable way; (ii) authorize carriers to offer robocall-blocking or “Do Not Disturb” technologies to consumers; and (iii) require robocallers to stop calling a number when it has been reassigned to a new subscriber. Responding to multiple petitions that “sought clarity on how the Commission enforces” the TCPA, the proposal aims to “close loopholes and strengthen consumer protections already on the books.” The Chairman’s proposal is scheduled to be voted on at the Open Commission Meeting on June 18.

    TCPA FCC Agency Rule-Making & Guidance

  • FCC Releases Enforcement Advisory Regarding Privacy and Internet Service Providers

    Privacy, Cyber Risk & Data Security

    On May 20, the FCC released an enforcement advisory regarding the enforcement of Section 222 of the Communications Act as it relates to providers of broadband Internet access service (BIAS). The advisory bulletin indicates that, until the FCC implements new BIAS-specific privacy regulations, the Enforcement Bureau will “focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details.” Thus, “the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”

    FCC Enforcement

  • Spotlight on Vendor Management: "Brother's Keeper" Enforcement Pattern Becoming the Norm

    Consumer Finance

    Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management.  First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers.  The identified cause of the data breach was employees of the carrier’s service providers based in Mexico, Colombia, and the Philippines, who confessed to selling customer information to unauthorized third parties.  In holding the carrier responsible, the FCC issued its largest data security enforcement action to date.  Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.

    “This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler.  “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.”   

    In the second action, the Consumer Financial Protection Bureau (CFPB) announced that it had filed a lawsuit in the United States District Court for the Northern District of Georgia in connection with an allegedly illegal debt collection operation whereby a group of individuals and companies based in New York and Georgia attempted to collect debts that consumers did not owe or that collectors were not authorized to collect.  Specifically, the collectors allegedly placed “robo-calls” to millions of consumers stating that the consumers had engaged in check fraud and threatening them with legal action if they did not provide payment information. The CFPB asserts that, as a result, the debt collectors received millions of dollars in profits from the targeted consumers.

    In addition, several service providers were named as defendants in the case because, according to the CFPB, the illegal scheme depended upon the participation of the service providers.  Specifically, the CFPB charged payment processors and a telephone broadcast provider hired by the debt collectors, because these service providers, in pertinent part, (i) “failed to conduct reasonable due diligence to detect unlawful conduct,” which helped to facilitate millions of dollars in ill-gotten profits, and (ii) transmitted robo-call messages created by the debt collectors that the service providers “knew or should have known … contributed to unlawful debt collection.”

    “The CFPB is holding the vendors accountable in this case on the theory that the vendors had a duty to vet the business practices used by the debt collectors to determine if they were unfair or deceptive or violate the debt collections laws,” according to Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “Having to take responsibility for another entity’s wrongdoing is likely a wake-up call for many vendors, but the CFPB has now shown on several occasions that it intends to cast a wide net when it comes to protecting consumers from unwarranted harm, including over entities that may not have known they were subject to this type of supervision.”

    The bottom line:  Compliance continues to be a significant outsourcing challenge for regulated institutions and their service providers.  Thorough due diligence and ongoing oversight are becoming imperative to avoid guilt-by-association predicaments such as those in the recent FCC and CFPB actions.

    McGinn and Shah suggest the following steps supervised institutions and service providers can take to adapt and comply with a rapidly changing regulatory and enforcement environment:

    • Commit to developing or enhancing compliance management systems to:
      • Establish compliance responsibilities;
      • Communicate those responsibilities to employees;
      • Ensure that responsibilities for meeting legal requirements and internal policies are incorporated into business processes;
      • Review operations to ensure responsibilities are carried out and legal requirements are met; and
      • Take corrective action and update tools, systems, and materials;
    • Review written policies and procedures including responsibilities for documenting compliance-related activities and regular reporting to senior management and the board of directors;
    • Monitor training for service provider employees to ensure that contractual responsibilities align with operational realities, including procedures to identify legal and regulatory issues for escalation and resolution;
    • Conduct regular on-site compliance audits of service provider operations, and proactively address issues discovered when reviewing service provider controls, performance, and information systems; and
    • Dedicate sufficient resources and personnel to vendor management and compliance activities especially with respect to pre-contract due diligence and ongoing monitoring during the term of the contract.

    As data security, privacy, and vendor management issues continue to intersect, there are a number of new focal points that will be particularly relevant to service providers. 

    CFPB Vendors FCC Elizabeth McGinn

  • FCC Enters Into $25 Million Settlement Following Cell Phone Carrier Data Breach

    Privacy, Cyber Risk & Data Security

    On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Colombia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.

    Vendors FCC Enforcement

  • FCC Joins Global Privacy Enforcement Network

    Privacy, Cyber Risk & Data Security

    On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.

    FCC Privacy/Cyber Risk & Data Security

  • ABA Petitions FCC To Allow Security And Fraud Alerts To Customers Without Consent

    Privacy, Cyber Risk & Data Security

    On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.

    Fraud TCPA FCC
