On June 1, the Northern District of California dismissed a putative TCPA class action against AOL, finding that the plaintiff had failed to allege that AOL utilized an automated telephone dialing system (ATDS), as required to state a cause of action under the TCPA.  In dismissing the plaintiff’s complaint in Derby v. AOL, the court rejected the plaintiff’s arguments that AOL Instant Messenger (AIM), which allows individuals to send instant messages as text messages to cell phones, constitutes an ATDS.  Instead, the court agreed with AOL’s argument that AIM relied on “human intervention” to send the messages at issue, which foreclosed the possibility of potential TCPA liability.  (Covington represented AOL in this case.)  The decision should be beneficial to a variety of services that enable their users to send text messages to cell phones.

The TCPA’s prohibitions include a ban on using an ATDS to call cellular telephones for informational purposes without the prior express consent of the recipient.  The FCC and courts have extended the reach of the statute to include text messages.  However, the FCC has stated that only equipment that has the capacity to operate “without human intervention” may qualify as an ATDS.  The plaintiff in Derby alleged that he received three text messages from an AIM user that were intended for another individual, which the court recognized were “presumably . . . the result of the sender inputting an incorrect phone number.”  After the receiving the third message, the plaintiff alleged that he sent a text message to AIM to block future texts from the AIM user, and that he received back a text confirmation of his request.

In analyzing TCPA liability for the first three text messages, the court noted that the plaintiff’s complaint “affirmatively alleges that AIM relies on human intervention to transmit text messages to recipients’ cell phones.”  The court followed precedent from other Ninth Circuit district courts rejecting ATDS arguments where the equipment at issue relied on humans to press buttons on phones or manually enter telephone numbers into the system.  Since the complaint demonstrated that “extensive human intervention is required to send text messages through defendant’s AIM service,” the court held that the complaint failed to state a claim under the TCPA with respect to the three text messages sent by an AIM user.

The court also analyzed potential TCPA liability for the separate confirmation text message that Derby alleged he had received from AIM.  Again citing relevant authority, the court held that “a single message sent in response to plaintiff’s text . . . is not the kind of intrusive, nuisance call that the TCPA prohibits.”  The court concluded that Derby, having sent the “block” request from his cell phone, had “knowingly released” his number to AIM and consented to receive a confirmation text from AIM at that number.  The court’s opinion advocated for a “common sense” approach to TCPA liability, finding that the statute should not be utilized to “punish the consumer-friendly practice of confirming requests to block future unwanted texts.”  Accordingly, the court also dismissed the TCPA claim based on the confirmation text message for failure to state a claim.

Tags: Class Action, Litigation, Mobile, mobile apps, TCPA, Telephone Consumer Protection Act
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less