FTC Continues Its Pursuit of "Robocalling" Platforms

With its latest settlement, the Federal Trade Commission shows that its prior targeting of prerecorded voice dialing platforms, as opposed to those who use them to place “robocalls,” was no one-off initiative, and that it has teeth.  On April 17 the FTC announced it settled a two-year long action against Joseph Turpel, a marketer who the FTC alleged assisted telemarking firms in conducting illegal prerecorded sales calls, concealing Caller ID information, and contacting numbers on the National Do Not Call Registry.  As part of the settlement Turpel is banned not just from continuing operations that violate the FTC’s rules, as is typical, but from all telemarketing and prerecorded sales messaging.

In 2011, the FTC filed a complaint against Turpel, alleging he sold “robocalling” services to telemarketing firms through Sonkei Communications, Inc., and provided clients “the means to hide their identity by transmitting inaccurate caller names, such as ‘SERVICE MESSAGE’ or ‘SERVICE ANNOUNCEMENT’, on caller ID displays.”  In addition to helping its clients hide their identities, the FTC alleged “Turpel knew, or consciously avoided knowing, that clients used his services while calling numbers on the National Do Not Call Registry … and making illegal prerecorded telemarketing solicitations.”

As part of its settlement, the FTC fined Turpel $395,000 and banned him from directly engaging in or assisting others in telemarketing and prerecorded marketing for life.  The monetary payment is suspended based on Turpel’s inability to pay.

The settlement marks the latest effort by the FTC to target prerecorded messaging platforms and not their clients who may misuse them.  In February 2012 the FTC filed complaints against Brian Ebersole, Voice Marketing, Inc., and B2B Voice Broadcasting, Inc.,  alleging they sold prerecorded call services and “provided clients with access to computers, telecommunications services, and automated dialers” to make over one million calls a day.  The FTC also more recently settled an action against Skyy Consulting, Inc., in May 2013, which allegedly “assisted and facilitated its clients in placing outbound pre-recorded telemarketing calls to consumers without their written consent.”


FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA--But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

By Ronald G. London

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, prerecorded-call and text cell phones. We noted that in one ruling, the FCC in some respects revived  a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief they have prior express consent to do so. Now another case extends the Osorio analysis to potentially up the ante again. 

Continue Reading...

Acquisitions Don't Nullify Prior Privacy Promises--FTC's Letter to Facebook & WhatsApp Gives Caution to All to Honor Privacy Protections in Mergers

Social networking site Facebook announced in February its plans to acquire WhatsApp—a “rapidly growing cross-platform mobile messaging company”—for the princely sum of $19 billion. While Facebook and WhatsApp are looking forward to a bright future together, the Federal Trade Commission is keeping a watchful eye on both companies regarding the privacy protections that WhatsApp promised its users in the past.
On April 10, 2014, the Director of the FTC’s Bureau of Consumer Protection Jessica Rich wrote executives at Facebook and WhatsApp and made clear that both companies must continue to honor WhatsApp’s prior policies and statements against collecting and sharing user data with advertisers—policies that, as Director Rich notes, exceed Facebook’s current privacy protections for its users. 
Continue Reading...

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming….
Continue Reading...

New Advisory on Joint FTC/DOJ Statement Encouraging Private Sharing of Cybersecurity Information

Be sure to check out our new advisory examining the joint policy statement that the Federal Trade Commission and Department of Justice issued to facilitate companies’ sharing of cybersecurity information.  The policy statement seeks to reduce uncertainty under antitrust laws for companies wishing to share strategies for preventing and combating cyber-attacks, by stating the agencies’ analytical framework for such information sharing under their longstanding Antitrust Guidelines for Collaborations Among Competitors.  As explained in the advisory, the new policy statement should be helpful as far as it goes, but companies should still proceed cautiously so as not to stray into the area of prohibited concerted activity, and should keep in mind that the new statement does not reduce potential liability under electronic privacy laws for the disclosure of communications or personal information related to cyber threats.  You can read the advisory here.

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.
Continue Reading...

OCR Releases Information on What Phase 2 HIPAA Audits Will Look Like

By Adam H. Greene

The new audits will look little like the old ones, with OCR conducting the audits itself and focusing on more high-risk areas, abandoning on-site visits, and potentially integrating audits into OCR's formal enforcement program.  To prepare, we suggest that covered entities and business associates consider the following steps:  



EU High Court Overturns Telecom Data Retention Requirements

The Court of Justice of the European Union, the highest court in the EU, declared the EU’s 2006 Data Retention Directive invalid in a judgment issued on April 8, 2014. The directive, which has been implemented via national legislation by most EU member states, requires telecommunications and Internet providers to collect and retain traffic and location data regarding users’ calls and Internet activity for up to two years in order to assist law enforcement in the prevention of “serious crime” (such as organized crime and terrorism). The Court of Justice, however, determined that the directive interferes with European citizens’ fundamental rights to privacy.
Continue Reading...

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stating that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).
Continue Reading...

Social Networking for Jerks: FTC Goes After Site for Scraping Facebook Content

In the 1979 Carl Reiner film The Jerk, a new phonebook is delivered and Steve Martin, playing the title character, rejoices that “I'm somebody now! Millions of people look at this book every day! This is the kind of spontaneous publicity - your name in print - that makes people. I'm in print! Things are going to start happening to me now.”
As we all know, a quarter-century later, things have changed. Getting one’s name publicized takes only a few seconds—if not to millions of people, at least to whomever we’re connected on social media. But, according to the Federal Trade Commission, jerks still abound.
Continue Reading...

Updated Location Privacy Protection Act Introduced

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.
Continue Reading...

Google "Street View" case may be headed for SCOTUS Review

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014.
Continue Reading...

Caution: Your Company's Biggest Privacy Threat is...the FTC

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.
Continue Reading...

Eleventh Circuit Adopts Seventh Circuit Jurisprudence Imposing Strict TCPA Liability on Autodialed and Prerecorded Calls and Texts

By Ronald G. London

The United States Court of Appeals for the Eleventh Circuit issued a decision in Osorio v. State Farm Bank aligning that court with the Seventh Circuit on how Telephone Consumer Protection Act (TCPA) restrictions on automated and/or prerecorded calls and texts to cell phones can effectively impose strict liability, even if a calling party believed it had consent for the calls. 

As reported in Spring 2012, the Seventh Circuit case of Soppet v. Enhanced Recovery held that, where a company gets prior express consent to prerecorded-call and/or to auto-dial or auto-text a cell phone, as the TCPA requires, the caller can still be liable, if at the time the call is made the cell number has been reassigned to a new subscriber who did not consent.  This ups the ante considerably for companies who use automated dialing systems to reach customers, as does the new Eleventh Circuit Osorio decision, which holds, relying on Soppet, that “the consent must come from the current subscriber.”  Osorio is as concerning as Soppet given that TCPA limits on calls to cells encompass autodialed live-agent calls, prerecorded calls, and texts via autodialer, all without regard to the content of a call – i.e., whether it is marketing, or only for customer-care, debt-collection, or other informational purposes.

Continue Reading...

New Advisory on FCC TCPA Declaratory Rulings

Be sure to check out our recent advisory discussing two new Federal Communications Commission (FCC) declaratory rulings that involve communicating with cell phones via autodialed calls and texts, and by prerecorded call.  The rulings respectively allow the consent necessary for such calls to come from intermediaries for text-based social networks, and for package-delivery services to rely on assurances by package sender that addressees consent to autodialed/prerecorded calls/texts with delivery information.  Along the way, the FCC makes several broad and business-friendly statements that should help clarify current uncertainty surrounding the TCPA, and hopefully serve as a defense for some in what has become a booming TCPA class action practice.  You can access the advisory here.