Last week, the Federal Communications Commission (FCC) released the text of its long-awaited order addressing certain aspects of the Telephone Consumer Protection Act (TCPA) and related FCC rules.  The order addressed a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.

Although the order purports only to “clarify” existing FCC precedent, there is widespread debate over whether the order imposed new requirements on entities that transmit automated calls and text messages.  The order already has been appealed by one party and other appeals are expected.  Nevertheless, because the FCC claims the order only clarifies existing precedent, its provisions became effective when the order was released on July 10, 2015.

The order focuses on ten key areas, which are summarized after the jump.

1. Definition of Autodialer:  Absent an emergency, the TCPA prohibits the “mak[ing]” of a call (which the FCC defines to include a text message) using an “automated telephone dialing system” (“autodialer”) or a prerecorded voice without the “prior express consent” of the “called party.”  If the call or text message contains an advertisement or other form of telemarketing, this “prior express consent” must be in writing (or its electronic equivalent) and incorporate certain FCC-prescribed disclosures.  The TCPA defines an “autodialer” as equipment “which has the capacity . . . to store or produce telephone numbers to be called, using a random or sequential number generator” and “to dial such numbers.”  Although several courts have held that such equipment must have the “present” capacity to store, produce, and dial such numbers to meet the TCPA’s definition, the FCC’s order states that “the capacity of an autodialer is not limited to its current configuration but also includes its potential functionalities.”

The order acknowledges that there are “outer limits” to this interpretation of “capacity,” and that “the outer contours of the definition of ‘autodialer’ do not extend to every piece of malleable and modifiable dialing equipment that conceivably could be considered to have some capacity.”  However, the order does not elaborate much beyond this statement, except to note that the theoretical  modification of a rotary phone would be “too attenuated” to support a finding that the device could have the requisite capacity to meet the “autodialer” definition.  The order declines to address whether a smartphone can qualify as an “autodialer,” claiming that “there is no evidence in the record that individual consumers have been sued based on typical use of smartphone technology.”

2. “Make” or “Initiate” a Call or Text Message:  The autodialer prohibition applies only to a person or entity that “makes” or “initiates” a call or text message.  According to the FCC, to identify that person or entity, “we must look to the totality of the facts and circumstances surrounding the placing of a particular call to determine: (1) who took the steps necessary to physically place the call; and (2) whether another person or entity was so involved in placing the call as to be deemed to have initiated it, considering the goals and purposes of the TCPA.”

The FCC applied this framework to determine that an app developer “does not make or initiate a call when one of its app users uses its service to send an automatic text in response to a voicemail left by someone who called the . . . app user.”  Using the same framework, the FCC also determined that an app developer “does not make or initiate a call when one of its app users sends an invitational text message” using the app platform.  However, where an app developer accesses the contacts in an app user’s mobile telephone to “automatically send[]” invitational text messages to the individuals in that contact list, the FCC found the app developer to be the maker or initiator of those messages because those transmissions involved “little or no obvious control by the user.”

The order employed a similar analysis to find that “collect calling service providers that use prerecorded messages, on a single call-by-call basis, to provide call set-up information when attempting to connect a call to a residential or wireless telephone number” do not require “prior express consent” from the called party.  The FCC based this finding on the theory that “a person who dials the number of the called party or the number of a collect calling service provider in order to reach the called party . . . ‘makes’ the call for purposes of the TCPA.”

3. Establishing and Revoking Consent:  The order confirms earlier guidance that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.”  However, the order clarifies that a “wireless telephone number . . . in the contact list on a wireless phone, standing alone, does not demonstrate that the person whose number is so listed has granted prior express consent as required by the TCPA.”  The order also confirms “that porting a telephone number from wireline service to wireless service does not revoke prior express consent,” though it cautions that the earlier-obtained consent has to meet the requirements of the “prior express consent” or “prior express written consent” standard, as the case may be, in order to be relied upon today in the wireless context.

Separately, the order appears to set a new standard for revoking consent, though it claims to ground its thinking in recent FCC precedent and common law principles.  Specifically, the order purports to clarify that “consumers may revoke consent through any reasonable means.”  Although the FCC’s order does not describe in detail what that means other than to ascribe to it a “totality of the facts and circumstances” test, it states, by way of example, that consent can be revoked through “a consumer-initiated call, directly in response to a call initiated or made by a caller, or at an in-store bill payment location.”  It also notes that designating an exclusive means of revocation can, “in some circumstances, materially impair” the consumer’s ability to revoke consent.

4. Reassigned Telephone Numbers:  Because of the way the TCPA was drafted, there has been debate in TCPA circles over whether a call to a telephone number that had been reassigned (without the knowledge of the caller) from a consenting consumer to a new consumer can be actionable under the statute.  The FCC addressed a number of petitions that raised this question by “clarify[ing] that the TCPA requires the consent not of the intended recipient of the call, but of the current subscriber (or non-subscriber customary user of the phone)” that actually receives the call.  The FCC acknowledged, however, that because callers cannot always know that a telephone number has been reassigned, liability for the first call to a reassigned number does not necessarily lead to TCPA liability.  In so finding, the FCC acknowledged that it “do[es] not presume that a single call to a reassigned number will always be sufficient for callers to gain actual knowledge of the reassignment,” but it nevertheless found “that the one-call window provides a reasonable opportunity to learn of the reassignment.”  Callers “may reasonably be considered to have constructive knowledge” of the reassignment if “the caller makes the first call without reaching that original subscriber.”

5. Prior Express Written Consent:  In a previous TCPA order released in October 2013, the FCC held that automated telemarketing calls and text messages to mobile telephone numbers require the “prior express written consent” of the call recipient.  In last week’s order, the FCC rejected arguments that consents secured before the effective date of this October 2013 order should be considered valid even if they did not meet the “prior express written consent” standard.  Instead, the FCC clarified that  “telemarketers should not rely on a consumer’s written consent obtained before the current [October 2013] rule took effect if that consent does satisfy the current rule.”  Since the FCC recognized that its October 2013 order led to some confusion regarding this issue, the agency granted the petitioners that raised this issue a 90-day grace period to come into compliance with the “prior express written consent” rule.

6. Immediate One-Time Text Messages.  The FCC clarified that a one-time automated text message sent immediately after a consumer’s request for information as part of an ad campaign does not violate the TCPA.  According to the FCC, this sort of text message is not a “telemarketing” or “advertisement” message but instead merely the “fulfillment of the consumer’s request” for information.  The FCC clarified that in order to qualify for this exception, the one-time automated text message must (1) be requested by the consumer, (2) be sent immediately in response to a specific consumer request; and (3) contain only the information requested by the consumer with no other marketing or advertising information.

7. Internet-to-Phone Messaging:  The FCC addressed the status of Internet-to-phone text messaging, which allows a party to send an email to an address that combines a recipient’s mobile telephone number with the provider’s domain name (e.g., 5551212@randomcarrierdomain.com) and results in the delivery of the e-mailed message as a text message to the recipient’s mobile telephone.  According to the FCC order, this technology (as specifically described in the petition in which the issue was presented) qualifies as an autodialer under the TCPA.

8. Exception for Certain Free “Pro Consumer” Financial Messages:  The FCC’s order granted limited exceptions to TCPA liability for certain free “pro-consumer” calls or text messages about time-sensitive financial issues.  Under these exceptions, financial institutions may transmit free fraud and security alerts, as well as money transfer notifications, to recipients in the absence of “prior express consent,” subject to certain specified limitations.  These limitations specify that (1) the messages may be sent only to the wireless telephone number provided by the customer of the financial institution; (2) the messages must state (at the beginning of the call for voice calls) the name and contact information of the financial institution; (3) the messages must be limited strictly to specific fraud, security and money transfer purposes and may not include any telemarketing, cross-marketing, solicitation, debt collection or advertising content; (4) the messages must be concise, generally one minute in length for voice calls and 160 characters or less for text messages; (5) no more than three messages per event over a three-day period may be sent to the owner of an affected account; (6) the messages must offer an easy means of opting out of future messages; and (7) opt-out requests must be honored immediately.  The FCC’s order presumes that financial institutions will work with mobile phone carriers to ensure that these types of messages will be delivered free of charge to consumers.

9. Exceptions for Certain Healthcare Providers and Free “Pro Consumer” Healthcare Messages.  The order purports to make three clarifications for healthcare messages.  First, it clarifies that the “provision of a phone number to a healthcare provider constitutes prior express consent for healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls within the scope of the consent given, and absent instructions to the contrary.”

Second, the order clarifies “that where a party is unable to consent because of medical incapacity, prior express consent to make healthcare calls subject to HIPAA may be obtained from a third party — much as a third party may consent to medical treatment on an incapacitated party’s behalf.”

Third, similar to financial institutions, healthcare providers were granted an exemption from the “prior express consent” requirement for free automated “pro consumer” calls and text messages to mobile phones “for which there is an exigency and that have a healthcare treatment purpose, specifically:  appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent re-admission, prescription notifications, and home healthcare instructions.”  However, these calls and text messages are subject to the following limitations:  (1) they must be sent only to the wireless telephone number provided by the patient; (2) they must state (at the beginning of the call for voice calls) the name and contact number of the healthcare provider; (3) they must be limited strictly to the above-described purposes and cannot include any telemarketing, solicitation or advertising; may not include accounting, billing, debt-collection or other financial content; and must comply with HIPAA privacy rules; (4) they must be concise, generally one minute in length for voice calls and 160 characters or less for text messages; (5) they must be limited to one message per day, and up to a maximum of three messages per week from a specific healthcare provider; (6) they must offer an easy means of opting out of future messages; and (7) opt-out requests must be honored immediately.

10. Call-Blocking Technology:  The order clarifies that there is no legal prohibition on telephone carriers offering call-blocking technology that allows a consumer to direct which incoming calls he or she wishes to block.  It is not clear whether or to what extent carriers will make these technologies available.

Correction (March 16, 2018): An earlier version of this post misstated the release date of the FCC’s order.

Tags: Advertising, Class Action, FCC, Federal Communications Commission, HIPAA, Litigation, Mobile, mobile apps, TCPA, Telephone Consumer Protection Act
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yaron Dori Yaron Dori

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the…

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the firm’s eight-person Management Committee.

Yaron’s practice advises clients on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

Early in his career, Yaron advised telecommunications companies and investors on regulatory policy and frameworks that led to the development of broadband networks. When those networks became bidirectional and enabled companies to collect consumer data, he advised those companies on their data privacy and consumer protection obligations. Today, as new technologies such as Artificial Intelligence (AI) are being used to enhance the applications and services offered by such companies, he advises them on associated legal and regulatory obligations and risks. It is this varied background – which tracks the evolution of the technology industry – that enables Yaron to provide clients with a holistic, 360-degree view of technology policy, regulation, compliance, and enforcement.

Yaron represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Department of Commerce (DOC)—and the U.S. Congress in connection with a range of issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications, data privacy, and consumer protection regulation. His deep experience in each of these areas enables him to advise clients on a wide range of technology regulations and key business issues in which these areas intersect.

With respect to technology and telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

Artificial Intelligence and the Internet of Things;
Broadband deployment and regulation;

IP-enabled applications, services and content;
Section 230 and digital safety considerations;
Equipment and device authorization procedures;
The Communications Assistance for Law Enforcement Act (CALEA);

Customer Proprietary Network Information (CPNI) requirements;

The Cable Privacy Act
Net Neutrality; and
Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state communication licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

The FTC Act and related agency guidance and regulations;
State privacy laws, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act;
The Electronic Communications Privacy Act (ECPA);
Location-based services that use WiFi, beacons or similar technologies;
Digital advertising practices, including native advertising and endorsements and testimonials; and

The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on congressional, FCC, FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.

Read more about Yaron DoriEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less