D.C. Circuit Rejects Portions of FCC Decision Interpreting Key TCPA Terms

The U.S. Court of Appeals for the D.C. Circuit on Friday issued a long-awaited ruling in a lawsuit challenging the Federal Communications Commission’s interpretations of key terms under the Telephone Consumer Protection Act of 1991 (“TCPA”), holding that the FCC in 2015 had adopted an unreasonably broad definition of the type of calling equipment subject to special restrictions under the TCPA — a definition so broad it would include any modern smartphone — and had failed to adequately justify its approach regarding liability for calls placed to cell phone numbers that have been reassigned to a new user.

The court upheld the FCC’s ruling that a party who has consented to receive calls may revoke that consent “through any reasonable means clearly expressing a desire to receive no further messages from the caller.”  The court also upheld the FCC’s decision to exempt from the TCPA’s consent requirements certain calls communicating urgent healthcare messages.

The D.C. Circuit’s unanimous decision addresses a consolidated set of petitions by various companies and trade associations — first filed in the summer and fall of 2015 and argued before the D.C. Circuit in 2016 — seeking review of a declaratory ruling released by the FCC in July 2015 (the “Omnibus Ruling”).  In the Omnibus Ruling, the FCC ruled on a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.

Petitioners sought court review of four aspects of the Omnibus Ruling:

Overlap Between the GDPR and PSD2

By Bruce Bennett, Carlo Kostka, Charlotte Hill, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin

The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure.  The new legislation is intended to improve competition and innovation in the EU market for payment services.  The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data.  The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.

For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law.  This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.

Covington Internet of Things Update: Promise and Peril — IoT and Your Insurance

Two hundred billion IoT devices could be in use by 2020, according to one estimate cited in the World Economic Forum’s recent report, Mitigating Risk in the Innovation Economy.  This rapid integration of the digital world and the physical world presents unprecedented opportunities for businesses in a wide array of industries.  But it also creates unprecedented risks.  Despite ongoing efforts to create security standards for IoT devices — for example, the National Institute of Standards and Technology’s recent draft paper to this end — the security of such devices currently remains wanting.  With the cyber and physical worlds so closely intertwined, future hacking incidents may threaten not only electronic data, but also property and lives.

Policyholders adopting IoT and related technologies may face uncertainty over coverage for these so-called “cyber-physical” harms under commonly available insurance policy forms.  Most cyber insurance policies have expressly excluded coverage for bodily injury and property damage, while standard-form general liability and property policies may have exclusions that some insurers invoke to dispute coverage for cyber-related harms.  In recent years, however, new insurance policies and endorsements have emerged to address this coverage uncertainty by giving policyholders options for explicit coverage for physical damage from cyber attacks.

As policyholders adopt technology that links their physical systems to digital components, they should consider what potential real-world harms could result from their cyber-networked things — and whether their existing lines of insurance cover them.  Such policyholders may conclude that it is time to explore the newer insurance products specifically geared towards cyber-physical risks.  Even these purpose-built policies and endorsements call for careful scrutiny and potential negotiation, however, because they are not standardized. Not only do policy wordings vary, but so do individual policyholders’ risk exposures. For example, a policyholder that may be an especially attractive target for state-sponsored hacking may need to pay particular attention to the wording of exclusions such as the common “war” and “terrorism” exclusions.  Guidance from experienced coverage counsel and sophisticated insurance brokers is useful, if not essential, for those exploring this relatively novel territory.

FTC Grants Sears’ Petition to Reopen and Modify Consent Order Based on Changed Conditions of Fact

This week, the Federal Trade Commission (“FTC”) granted Sears Holdings Management’s (“Sears”) petition to reopen and modify a 2009 consent order regarding the tracking of personal information on Sears’ software apps.  We analyzed Sears’ petition last fall, which sought to modify the definition of “tracking application,” which triggered heightened notice and consent requirements under the order.  The FTC modified the definition such that it now excludes from the heightened notice and consent requirements mobile app tracking of that app’s configuration, functionality, and “consumers’ use of the program or application itself.”


FTC Issues Report on Mobile Device Security Updates

On February 28, 2018, the Federal Trade Commission (“FTC”) issued a report discussing security updates for mobile devices.  The report stems from information the FTC collected from eight mobile device manufacturers — Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung — and from information the Federal Communications Commission (“FCC”) collected from mobile carriers in May 2016.

Future of Privacy Forum: Privacy Papers for Policymakers 2018

On the heels of the Federal Trade Commission’s (“FTC”) third annual “PrivacyCon,” the Future of Privacy Forum hosted its eighth annual “Privacy Papers for Policymakers” event on Capitol Hill—a gathering in which academics present their original scholarly works on privacy-related topics to D.C. policy wonks who may have a hand in shaping laws and regulations at the local, federal, and international level. The goal of the event is, in part, to foster academic-industry collaboration in addressing the world’s current and emerging privacy issues.

FTC Commissioner Terrell McSweeny kicked off the program with a reminder of the unique challenge that has always faced the world of tech policy: the rapid acceleration of the Digital Age and the need for consumer rights to catch up. Commissioner McSweeny opined that the challenge may require some solutions that go beyond privacy—such as individual control over personal data, data portability, and governance by design—and pointed out several ways in which the honored papers may help spur the evolution of existing privacy frameworks:

SEC Adopts New Guidance on Public Company Cybersecurity Disclosures and Insider Trading

Earlier today, our colleagues David Engvall, Keir Gumbs, Reid Hooper, and Matthew Wood in the Securities and Capital Markets practice group posted the below article on the SEC’s new statement and interpretive guidance on public company cybersecurity disclosures and insider trading on the Cov Financial Services blog.  The original article can be read here.

On February 21, 2018, the U.S. Securities and Exchange Commission (the “Commission”) approved a statement and interpretive guidance that provides the Commission’s views on a public company’s disclosure obligations concerning cybersecurity risks and incidents (the “2018 Commission Guidance”). This guidance reinforces and expands upon previous cybersecurity disclosure guidance issued by the Division of Corporation Finance (the “Staff”) in October 2011  (the “2011 Staff Guidance”).  The 2018 Commission Guidance also focuses on two additional issues: (i) maintenance of comprehensive policies and procedures related to cybersecurity, including sufficient disclosure controls and procedures, and (ii) insider trading in the cybersecurity context.


Ninth Circuit Decision Provides Critical Win to FTC in its Authority over Internet Service Providers

In a ruling with implications for both net neutrality and privacy, the Ninth Circuit ruled en banc today that the common carrier exemption in Section 5 of the FTC Act is activity-based, reversing a 2016 panel ruling that the exemption was status-based.  Today’s decision bolsters the FTC’s authority to bring consumer protection (including privacy) and competition actions against providers of Internet access service, which the FCC has ruled is not a common carrier service in connection with that agency’s repeal of net neutrality rules.

This appeal arises from the FTC’s lawsuit against AT&T alleging that AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold violated Section 5 of the FTC Act.  AT&T had challenged the FTC’s authority to bring the case, arguing that the company was immune from FTC oversight because it also offers common carrier (e.g., voice telephone) service.  Although the district court sided with the FTC on this question, a 2016 Ninth Circuit panel went the other way and, in doing so, created what the FTC and FCC agreed was a potential ‘gap’ in authority in which neither agency would have the right to police many actions by telecommunications companies.

FTC Enters Into COPPA Settlement With Online Talent Search Company

On Monday, the Federal Trade Commission (FTC) entered into a settlement with Nevada-based Prime Sites, Inc., doing business as Explore Talent, related to charges that Explore Talent violated the Children’s Online Privacy Protection Act (COPPA).  Explore Talent, an online talent search company, will pay $235,000 in civil penalties.

According to the FTC’s complaint, Explore Talent violated COPPA by collecting and disclosing children’s personal information without obtaining parental consent and by failing to represent accurately its collection, use, and disclosure practices.  Specifically, the FTC alleged that Explore Talent required that users—including children under 13—submit personal information, such as their names, email addresses, and telephone numbers and further requested that users provide mailing addresses and photographs.  Much of the personal information users provided became publicly available on users’ profiles on ExploreTalent.com.  Explore Talent did not provide notice to parents or obtain verifiable parental consent prior to such collection and disclosure.  In addition, Explore Talent did not place any restrictions on users who indicated they were under 13, nor did it take any steps to verify whether a profile was being created by a legal guardian, notwithstanding the instruction in its Privacy Policy that users under 13 must have a parent or legal guardian create their account.  As a result, the complaint alleged that Explore Talent falsely stated in its Privacy Policy that it did not knowingly collect personal information from children under the age of 13.

Separately, the complaint also alleged violations of the FTC Act related to Explore Talent’s claims regarding its premium services.

President Trump Nominates Four New Commissioners to FTC

Last week, President Trump nominated four new commissioners to the Federal Trade Commission (“FTC”):  Joseph J. Simons, an antitrust attorney, as Chairman; Noah Joshua Phillips, chief counsel for Senate Majority Whip John Cornyn (R-Texas), for the second Republican seat; Christine Wilson, an executive for Delta Air Lines, for the third Republican seat; and Rohit Chopra, a senior fellow at the Consumer Federation of America, for a Democratic seat.  By statute, no more than three commissioners may be members of the same political party.  The fifth spot on the Commission would remain vacant pending an additional nomination by the President.

If confirmed by the Senate, these four nominees would establish a Republican majority at the FTC.  Since early last year, the agency has been operating with just one Commissioner from each party – Acting Chairman Maureen Ohlhausen and Democratic Commissioner Terrell McSweeny.  Earlier in the week, President Trump also announced his intent to nominate Acting Chairman Ohlhausen for a seat on the U.S. Court of Federal Claims.  Therefore, these new nominations would completely change the composition of the Commission.
