Inside Privacy - Updates on Developments in Global Privacy & Data Security

A seller who authorizes a third-party telemarketer to market the seller’s goods or services may be held vicariously liable if the telemarketer violates the Telephone Consumer Protection Act (TCPA), the Federal Communications Commission held in a May 9 declaratory ruling.

The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — includes several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without  the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.

Continue Reading

The Federal Communications Commission yesterday released a Smartphone Security Checker, a tool designed to help consumers secure their smartphones against mobile security threats.  The tool provides consumers with tips that are customized for four different mobile operating systems.  Many of tips focus on security-related topics.  For instance, the tool recommends that consumers set a password or Personal Identification Number on their phones, accept updates and patches to smartphone software, and wipe phones of personal data before reselling or recycling them. 

The FCC also made recommendations that touch on the role of in-app privacy disclosures ―a topic that has received attention recently from state regulators and the Federal Trade Commission.  Specifically, the FCC recommends that users understand app permissions before accepting them.  The FCC says, “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone.  Make sure to also check the privacy settings for each app before installing.” 

While the FCC has not been as active as the FTC and others on mobile privacy issues that do not affect the telephone portion of the mobile service, the FCC’s announcement demonstrates that it continues to see a role for itself in helping “consumers understand and combat cyber threats and mobile device theft.”  Earlier this year, the FCC partnered with mobile operators to launch their “PROTECTS Initiative” which was designed to combat mobile device theft and trafficking. 

In follow up to our previous blog entry on the subject, comment deadlines were set for additional petitions seeking to clarify TCPA provisions and related FCC rules.  Comments on these Petitions are due on November 23, 2012, and reply comments are due on December 10, 2012.

1. The Westfax Petition asks the FCC to clarify whether “efaxes,” which are facsimile messages that are converted to e-mail, are subject to the facsimile advertising rules under the TCPA and the Junk Fact Prevention Act of 2005.
2. The iHire Petition asks the FCC to declare that a third party faxing resumes of individual job applicants in response to help wanted postings is not an “advertisement” subject to the TCPA and, therefore, is exempt from the requirement to include an opt-out provision on the first page of the fax.
3. The 3G Collect LLC Petition asks the FCC to declare that operator service providers are not subject to the TCPA prohibition on prerecorded calls to wireless phones when connecting collect callers to telephone numbers assigned to wireless telephones. 
4. The Revolution Messaging Petition asks the FCC to clarify that certain internet-to-phone text messaging technology is an “automatic telephone dialing system” within the meaning of the TCPA and thus is subject to related FCC rules.

A new bill introduced by Rep. Ed Markey, titled the Mobile Device Privacy Act, would require mobile device sellers, manufacturers, service providers, and app offerors to disclose to consumers the existence of any monitoring software.  Monitoring software is defined as "software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system."  The entities would also have to disclose what type of information is subject to monitoring, who would be collecting or transmitting the information, and how the information would be used. 

Additionally, the bill would require any entity subject to the requirements above to obtain express consumer consent before the monitoring software collects any information.  Those same entities would also be required to develop information security policies regarding the information collected.

The bill charges the FTC with promulgating regulations to effect its requirements.  The FTC and FCC would have shared enforcement authority, and the bill also confers a private right of action on injured consumers.

Rep. Markey introduced the bill on September 12th, stating that mobile device tracking is a “significant societal issue that has to be discussed.”

The full text of the bill is available here.

The Federal Communications Commission ("FCC") has released a Public Notice seeking comments on the steps wireless phone carriers are taking to protect the privacy and data security of customer information that is stored on consumers' mobile devices and on how existing laws apply to the carriers' information practices. 

Section 222 of the Communications Act and the FCC's implementing regulations restrict how phone carriers may use and disclose customer proprietary network information (the so-called "CPNI Rules").  These carriers also must take reasonable steps to protect their customers' private information. 

The FCC considered this issue five years ago in 2007, but noted that carriers' more recent use of software embedded or preinstalled on wireless devices to collect information about the performance of the device and the carriers' networks created a "need to refresh [the] record." 

Comments are due 30 days after the Public Notice is published in the Federal Register, and reply comments are due 15 days later. 

Last week, a district court declined to stay a lawsuit against Google Inc. and group-texting service Slide, Inc. alleging a violation of the Telephone Consumer Protection Act (“TCPA”).  The court found that a related, ongoing proceeding at the Federal Communications Commission relating to the scope of the definitions of “consent” and “automatic telephone dialing system” under the Act did not compel the court to stay the case.  Applying the doctrine of primary jurisdiction, the court concluded that it was as competent to determine the scope of the definitions of these terms as the FCC.

In a separate, but related proceeding, the FCC has requested public comments on the question of whether a company violates the TCPA when it sends a text message to a subscriber’s mobile device to confirm that the subscriber has opted out of receiving text messages ― a practice that is endorsed under the Mobile Marketing Association’s best practices guidelines.  This issue is also the subject of ongoing court proceedings:  there are more than a dozen lawsuits pending against companies for sending such confirmation messages.

The FCC received initial comments yesterday, including comments from industry participants, such as the Mobile Marketing Association and the CTIA―The Wireless Association, urging the Commission to find that one-time, precise opt-out confirmation text messages are not prohibited by the TCPA.  While the National Association of Consumer Advocates argued that even one-time confirmatory text messages should be understood to violate the TCPA, the Future of Privacy Forum agreed with industry commenters, stating that one-time opt-out confirmation text messages help protect individual privacy.  Reply comments are due to the FCC May 15, 2012. 

As we previously have reported, Congress also is considering the need for legislation to amend the TCPA to clarify the scope of limitations under the Act.

Today, the Federal Communications Commission adopted new rules that strengthen its restrictions on autodialed or prerecorded telemarketing calls.  The FCC billed the new rules as an effort to maintain consistency with the Federal Trade Commission’s telemarketing sales rule, which also governs telemarketing calls, and to give consumers control over the calls that they receive.

Under the new rules, companies will need to obtain prior express written consent from consumers before making prerecorded or autodialed telemarketing calls to consumers.  The FCC’s rule changes also eliminate the “established business relationship” exemption in its existing rule, which allows these calls to residential “landline” phones without consent.  The new restrictions will require written consent even for companies that have done business with the call recipient in the past. 

One area of dispute over the new rules related to whether the “written” consent requirement could be satisfied electronically and what steps were necessary to make the consent effective.  Consistent with the FTC’s approach, the FCC concluded that “written” consent can be provided electronically, such as through a website form.  However it is provided, though, the FCC requires “clear and conspicuous disclosure” about what the consumer is consenting to and an “unambiguous” agreement to receive calls at a phone number designated in the consent document.  Like the FTC, the FCC also warned that consents would not be effective if the consent is a condition of purchasing goods or services.

An additional change to maintain consistency with the FTC’s rule is a requirement that telemarketing calls that use a prerecorded voice include an interactive “opt-out” mechanism, which would allow the call recipient to opt out of future calls by pressing a button.  Finally, the FCC imposed new restrictions on so-called “call abandonment,” which occurs when there is no live telemarketer available to take an autodialed call.

Although the FCC’s rule changes have a broad impact on the telemarketing business, they do not impact non-telemarketing calls, even if they are made using an autodialer or include a prerecorded voice.  As a result, prior written consent is not required for autodialed calls that do not advertise a product or service, including calls by nonprofits or for political purposes.  Also, the new restrictions do not apply to informational calls that may be commercial in nature, such as calls from an airline informing passengers that their flights have been delayed or calls from a bank informing a customer of fraudulent charges to her account, and exclude certain health care-related calls that are regulated under HIPAA, which already imposes a written consent requirement.

The new FCC rules will not be effective until they are approved by the Office of Management and Budget.  Once that happens, companies will have a year to obtain prior written consent to covered telemarketing calls and to stop covered calls to consumers with whom they have established business relationships.  The other rule changes have shorter timetables:  the interactive opt-out requirement will go into effect after 90 days, and the abandonment restrictions after 30 days.

The Federal Communications Commission has adopted rules implementing the Protecting Children in the 21st Century Act. Like the Act, the FCC's rules require elementary and secondary schools that have applied for discounted Internet access services through the FCC's E-rate program to certify that the school's Internet safety policy provides for the education of minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and increasing cyberbullying awareness.

This requirement builds off existing rules that schools participating in the E-rate program certify that their Internet safety policy includes a technology protection measure, such as filtering software, that protects against Internet access through the school's facilities to visual depictions that are (1) obscene, (2) child pornography, or (3) harmful to minors.  An earlier audit administered by the Universal Service Administrative Company (which administers the E-rate program) had found that a school violated this requirement by allowing access to certain social networking websites.  In its Order, the FCC clarified that social networking websites are not per se "harmful to minors," noting that a contrary conclusion would be inconsistent with the Protecting Children in the 21st Century Act's focus on educating minors about how to interact with others on social networking websites.  The FCC also quoted a recent U.S. Department of Education report, which found that social networking websites have the potential to support student learning. 

On Thursday, July 14, 2011 two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing, and Trade and Communications and Technology) will hold a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA."  The hearing, which is the first in a series of anticipated dialogues aimed at examining how information is collected, protected, and utilized in the online ecosystem, will feature witness testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  These federal regulators were called to testify about existing federal laws and practices to protect online consumer privacy and are expected to provide an overview of the existing federal privacy framework and help identify key issues to address.

On March 16, 2011, FTC Chairman Jon Leibowitz and Strickling testified in a Senate Commerce Committee hearing on “The State of Online Consumer Privacy.”  As we wrote about here, Strickling made news at the last hearing by stating that Obama administration supports comprehensive privacy legislation, which represented a shift in Administration policy.  Given the topic of this week’s hearing, we would expect Strickling to discuss the Administration’s position in the context of the current federal framework.

Check back after Thursday’s hearing for Inside Privacy’s summary and analysis of the discussion.

The Federal Communications Commission is seeking public comment on the use of location-based services in connection with a forthcoming staff report.  Comments are due to the FCC by July 8, 2011.

The agency also is teaming up with the Federal Trade Commission to host an educational forum on June 28, 2011, to help consumers understand the privacy implications of location-based services.  Representatives from mobile phone carriers, technology companies, consumer advocacy groups, and academia will discuss how these services work; their benefits and risks; industry best practices; and what parents should know about location tracking when their children use mobile devices.  

Location-based services have been the topic of a number of recent Congressional hearings.  Part of the focus at the most recent of these hearings was on children’s privacy.  Senator Rockefeller, Chairman of the Senate Commerce Committee, has sent letters to Apple, Google, and the Association for Competitive Technology with questions to help determine whether the applications running on their mobile platforms comply which the Children's Online Privacy Protection Act (COPPA).