Privacy & Security Law Blog

Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Marketing and Consumer Privacy

Subscribe to Marketing and Consumer Privacy RSS Feed

FTC and State AGs: Political Survey Preface Does Not Allow Sales Robocalls to Avoid Do-Not-Call and Telemarketing Sales Rule Compliance

Posted in Marketing and Consumer Privacy

Cruise Line and Some of its Cohorts Settle Complaint for $500,000+ and Agree to Follow Do-Not-Call, Caller ID, Prerecorded Message, and Other Telemarketing Rules

The Federal Trade Commission (FTC) and 10 state Attorneys General announced the filing of a complaint and proposed stipulations against Caribbean Cruise Line (CCL) and several other companies that, respectively, alleged and resolved claims that the companies’ coordinated phone sales program violated the FTC’s Telemarketing Sales Rule (TSR) and state consumer protection laws. The enforcement action targeted what the regulators characterized as “billions of illegal robocalls” that allegedly sold cruise vacations in tandem with automated political surveys.  The companies settled the charges by agreeing to millions in civil penalties  – most of which were suspended under agreement to actual payments of over $500,000 by the companies – and to comply with the TSR’s do-not-call, caller ID, and other provisions, along with a duty to monitor lead generators on an ongoing basis.

Under the TSR, telemarketers may not call individuals on the national “Do-Not-Call” list or deliver prerecorded sales messages to persons who have not given their prior express written consent to receiving such calls. The TSR does not govern automated/prerecorded calls that are not for marketing, ... Continue Reading

Chairman Wheeler Says the FCC Didn’t Just Fall Off the Turnip Truck – It Has Experience with Protecting Consumer Privacy, Too

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last night the Center for Democracy & Technology held its annual dinner (a.k.a. the “Tech Prom”) in Washington, D.C., where  FCC Chairman Tom Wheeler was featured as the keynote speaker.  Wheeler’s remarks came on the heels of the Commission’s vote to adopt new open Internet rules, which are expected to provide the agency with broader authority over consumer privacy, as well as the means to enforce it.  The Chairman’s message was presented in the form of a conversation with CDT’s President Nuala O’Connor, who prompted discussions about the FCC’s role in protecting consumer privacy.  While giving a nod to the “great work” that the Federal Trade Commission has done in this space, Wheeler reminded the packed ballroom that the FCC “didn’t just fall off the turnip truck.”  Through CALEA, CPNI, and the activities associated with the FCC sponsored Communications Security, Reliability and Interoperability Council (CSRIC), Wheeler said the agency has been working to protect consumer privacy in the past, and will continue to do so in the future.

Exactly what the new open Internet rules will say about consumer privacy and the FCC’s role is still unclear, as we wait for the 300+ page order to be released (and the ... Continue Reading

President Obama’s Proposed Privacy Bill of Rights

Posted in Data Protection, Marketing and Consumer Privacy

Part 6: FTC Enforcement Powers

In this post, we look at the additional powers given to the Federal Trade Commission (FTC) to enforce the Consumer Privacy Bill of Rights (CPBR) and what it may mean for the agency that already enjoys significant authority to enforce existing consumer privacy protection laws.

Enhanced Privacy Protection Role for the FTC

The CPBR would bestow enforcement power on the FTC that is consistent with its authority under Section 5 of the FTC Act.  The FTC has exercised its power under Section 5 to bring actions for “unfair or deceptive acts or practices” as the basis for consumer privacy protection.  It appears that the CPBR would add to its consumer protection arsenal by giving the FTC the authority to bring actions against “persons, partnerships, or corporations,” including certain non-profit entities, for specific violations of the CPBR and seek civil penalties in an amount not to exceed $25 million.  Similar to other enforcement actions, the determination of the penalty amount under the CPBR would take into account the degree of culpability, history of prior conduct, ability to pay, effect of a fine on ability to stay in business, and other matters as justice may require.

In ... Continue Reading

President Obama’s Proposed Privacy Bill of Rights

Posted in Data Protection, Marketing and Consumer Privacy

Part 5: Accountability

This week we have brought you a multi-part series analyzing the Obama administration’s proposed Consumer Privacy Bill of Rights  (“CPBR” or “proposal”), which would require greater transparency by businesses in their privacy practices, and grant individuals certain rights and controls over how businesses collect, use and share personal information. Part 1 examined how the CPBR defines personal data, its de-identification provisions, and its retention requirements. Part 2 examined its notice, control and context requirements. Part 3 reviewed the commercial and non-commercial entities that would be subject to the proposal (i.e., “covered entities”), and Part 4 reviewed its data security requirements.

In this post, we look at the accountability measures that covered entities would be required to take to ensure compliance with the CPBR.

Affirmative obligation to adopt privacy by design
Privacy by design” is an approach to privacy management that calls for privacy protections to be built into the design of a company’s information technology systems, business practices, and infrastructure, and factored into each stage of product and service development.  The underlying theory is that privacy measures are most effective if they are proactive components of a system from the start, rather than reactive ... Continue Reading

President Obama’s Proposed Privacy Bill of Rights

Posted in Data Protection, Marketing and Consumer Privacy

Part 4: Data Security

On Friday, Feb. 27, the Obama administration unveiled a proposed Consumer Privacy Bill of Rights that would require “covered entities” to be more transparent in privacy practices, and provide individuals certain rights aimed at helping them understand how their information is collected, used, and shared. It would also require covered entities to take certain measures to secure personal data.

As referenced in Part 1 of this series, personal data would include data that is not publicly available and linked or linkable to a specific individual or to a device associated with or routinely used by a specific individual.

Data security
Covered entities would be required to reasonably assess the existence of any risks to the privacy and security of personal data. They would also be required to put reasonable safeguards in place to prevent the compromise of personal data, and to regularly assess the sufficiency of those safeguards. The proposal would create a risk-based analysis to determine the reasonableness of the preventative safeguards. This would involve a review of the degree of privacy risk to the data, the foreseeable security threats to data, “widely accepted practices” in information security, and the cost of implementing ... Continue Reading

President Obama’s Proposed Privacy Bill of Rights

Posted in Data Protection, Marketing and Consumer Privacy

Part 3: Who’s Covered

This week we have brought you a multi-part series analyzing the Obama administration’s proposed Consumer Privacy Bill of Rights, which would require greater transparency by businesses in their privacy practices, and grant individuals certain rights and controls over how businesses collect, use and share personal information.  Part 1 examined how the proffered bill of rights defines personal data, its de-identification provisions, and its retention requirements and part 2 examined notice, control and context requirements.

In this post, we look at what commercial and non-commercial entities would be subject to the proposal.

Covered entities
The new proposal, if introduced and passed by Congress, would apply to any person that collects, creates, processes, retains, uses or discloses “personal data” in or affecting interstate commerce.  This includes public and private commercial entities and non-commercial entities (e.g., non-profits, education institutions, and community organizations). Unlike the existing sectoral approach to privacy regulation here in the United States, this would greatly expand coverage to include businesses and non-profits that collect as little as the names and postal addresses of customers for their own marketing and fundraising efforts, although certain smaller entities would be exempt.

Exempt entities... Continue Reading

President Obama’s Proposed Privacy Bill of Rights

Posted in Data Protection, Marketing and Consumer Privacy

Part 2: Notice, Consumer Control, and Context

Yesterday we brought you the first part in DWT’s series analyzing the Obama Administration’s proposed Consumer Privacy Bill of Rights, which would require greater transparency by businesses in their privacy practices, and grant individuals certain rights and controls over how businesses collect, use and share personal information. Part 1 examined how the proffered bill of rights defines personal data, its de-identification provisions, and its retention requirements.

In this post, we look at the proposal’s notice, consumer choice and control, and context requirements.

Notice
The proposal would require a covered entity to provide accurate, clear, timely and conspicuous notice to individuals about the entity’s privacy and security practices. The notice would have to be in concise and easily understandable language, be “reasonable in light of context,” and include extensive information regarding the entity’s personal data collection, use, retention, disclosure, and security practices and purposes.

The President’s proposal appears to have incorporated the Federal Trade Commission’s past suggestions that companies should use flexible and innovative methods to provide consumers with concise notice, particularly in the Internet of Things (IoT) space. Unfortunately the notification provision in the proposal here is troublingly vague and gives ... Continue Reading

President Obama’s Proposed Privacy Bill of Rights

Posted in Data Protection, Marketing and Consumer Privacy

Part 1: Personal Data, De-Identification, and Retention Requirements

On Friday, Feb. 27, the Obama administration unveiled a proposed Consumer Privacy Bill of Rights that would require businesses to be more transparent in privacy practices, and provide individuals certain rights aimed at helping individuals understand how businesses collect, use, and share personal information.

Unlike the EU and other regions, the U.S. has sectoral privacy laws, arguably leaving significant gaps in the regulation of how businesses collect, use, and disclose personal information and rights afforded to individuals. This proposal, if introduced and passed by Congress, would provide a baseline privacy law within the U.S. The proposal provides for industry-created codes of conduct – just one provision that has already drawn sharp criticism from consumer advocates.

In this first post, as part of a DWT series analyzing the proposed legislation, we look at the proposed definition of personal data, de-identification provisions, and retention requirements.

Personal data
Under the President’s proposal, “personal data” would include data that is not publicly available and linked or linkable to a specific individual or to a device associated with or routinely used by a specific individual. The proposed definition excludes: de-identified data, deleted data, certain employee information (... Continue Reading

PCI Council: SSL Will No Longer Be Sufficient for E-Commerce

Posted in Data Protection, Deals and Technology, Marketing and Consumer Privacy

In the latest edition of the PCI Council’s Assessor Newsletter, the Council previewed a proposed change related to the use of Secure Socket Layer (SSL) protocol for encrypting communications between your website’s e-commerce shopping cart and your customers’ computers.

In talking about this proposed revision, which should be expected in version 3.1 of the PCI DSS and PA-DSS (version 3.0 is currently in effect), the newsletter said the following:

“In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue.”

(emphasis added)

The newsletter goes on to state that the Council is currently working with industry stakeholders to determine the impact of this proposed change.  A date for the release of the new version has not yet been set but, in a bulletin published on February 13, the PCI Council said that the change, when made, will become effective immediately but will be ... Continue Reading

New Jersey Amends “Do Not Call” Law, Eases Prohibition on Telemarketing to Cell Phones

Posted in Marketing and Consumer Privacy

In a somewhat significant departure from prior law, New Jersey Governor Chris Christie signed into law a bill to immediately amend the state’s telemarketing sales call rules to expand the ability of companies to make telemarketing calls to consumers’ mobile devices. Prior to the enactment of S. 1382, New Jersey’s “do not call” law for telemarketing mobile devices (N.J. Stat. § 56:8-130) prohibited “telemarketing sales calls” to consumers on their mobile devices, unless the call was made by a commercial mobile services company to its users, and even then only if the call was directly related to the company’s mobile services and the users do not incur charges.  The definition of “telemarketing sales call” was broad and did not have any exceptions for specific types of sales calls (though it did expressly exclude calls made for the sole purpose of collecting on accounts or following up on contractual obligations).

Under the statute’s revised language, only “unsolicited telemarketing sales calls” to consumers’ mobile phones in the state are prohibited. While seemingly not a drastic change on its face, the statute defines “unsolicited telemarketing sales calls” as those made other than in response to the consumer’s express written consent, or ... Continue Reading

Advisory Alert: FTC Staff Report on Internet of Things

Posted in Marketing and Consumer Privacy, Technology

The Federal Trade Commission released its much anticipated staff report on January 27 regarding consumer privacy and data security concerns arising from the emerging market for connected devices known as the Internet of Things (“IoT”). Titled “The Internet of Things: Privacy and Security in a Connected World,” the FTC’s report (the “Report”) builds on the FTC’s November 2013 IoT Workshop and focuses on issues arising from the estimated 25 billion consumer-facing IoT devices expected to be connected by the end of this year. The Report presents the FTC staff’s recommendations and best practices for enhancing privacy and security in the consumer IoT space, but does not resolve some of the most significant issues presented by this emerging sector, including how to reconcile the growing tension between Fair Information Practice Principles or “FIPPs”— such as notice, choice and data minimization – with technology that often lacks screens for notice and contains sensors designed to collect multiple streams of data at all times.

Continue reading here.... Continue Reading

When Try, Try Again Does Not Succeed: FTC Denies AgeCheq, Inc.’s Second Parental Consent Application Under COPPA

Posted in Marketing and Consumer Privacy

The Federal Trade Commission announced that is has denied AgeCheq, Inc.’s second proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule.  After trying but failing last year to gain FTC approval for a third-party common consent administrator mechanism, AgeCheq offered a new proposal, which would have allowed parents to access and submit an online “sign and send” form to a third party intermediary’s online verification portal. But the FTC once again turned AgeCheq away.

Under COPPA and the FTC’s COPPA Rule, websites and online services that collect personal information online from children under 13 must obtain verifiable parental consent for the collection, use and/or disclosure of the information.  The Rule allows limited collection of personal information from the child in the first instance in order to allow consent to be obtained, including the child’s name or online contact information, and/or the parent’s name or online contact information.  The Rule also specifies several means of obtaining parental consent, and allows parties to submit and seek FTC approval of additional means for obtaining consent not presently permitted by the Rule.

AgeCheq submitted its proposed “Device-Sign Parental Consent Form” (DSPCF) method to the FTC in October 2014. ... Continue Reading

FTC Director Rich: Greater Transparency Needed in Post-Mad Men Era of Online Advertising

Posted in Marketing and Consumer Privacy

The world of the popular television show Mad Men may be glamorous, but according to the Director of the Federal Trade Commission’s Bureau of Consumer Protection, Jessica Rich, it depicts more fiction than fact about modern advertising practices which has moved online and depends on vast amount of customer data.  While speaking at the AdExchanger Industry Preview 2015 on January 21st, Ms. Rich cautioned that online advertisers must be more open and transparent with consumers on how they use, collect, and share consumers’ information in this new marketing paradigm, and warned advertisers that failing to sufficiently disclose or attempting to deceive customers about their data collection and use practices could lead to FTC enforcement actions and a loss of consumer trust.

In noting the vast benefits that targeted advertising holds for consumers, Director Rich stated that consumer privacy has grown from being just an issue of matter of legal compliance “to a C-suite issue – part of a [company’s] broader bottom line strategy as consumer awareness and demand for privacy continues to grow.”  Indeed, Ms. Rich stated that “providing transparency and choices about privacy is increasingly a selling point for businesses” as more consumers are becoming aware of and concerned ... Continue Reading

State AGs Looking to Crack Down on Telemarketers Press FCC and FTC

Posted in Communications/Media, Marketing and Consumer Privacy

A majority of the nation’s state and territorial Attorneys General have collectively urged the Federal Communications Commission and Federal Trade Commission to revisit rules and policies in ways that would help law enforcement crack down on telemarketing practices.

Recently, the FCC issued a public notice seeking comment on a request by the National Association of Attorneys General and 39 undersigned state law enforcement executives (referred to collectively here as “NAAG”).  The petition seeks a formal FCC opinion on the legal ability of telephone providers to implement call-blocking technology to combat unwanted telemarketing. In their request, NAAG noted that while call-blocking technology such as “NoMoRobo,” “Call Control,” and “Telemarketing Guard” currently exist on the market, telecom companies are reluctant to employ such devices to stop unwanted telemarketing from reaching consumers due to perceived legal barriers. According to telecom industry representatives, “phone companies have a legal obligation to complete phone calls” and the current legal framework “does not allow [them] to decide for the consumer which calls should be allowed to go through and which should be blocked.”

The FCC’s notice asks for public comment on three major issues raised by NAAG and the Attorneys General:

  • The legal and/or regulatory prohibitions, if
... Continue Reading

Advisory Alert: Refill Reminders and the TCPA

Posted in Healthcare, Marketing and Consumer Privacy

The Telephone Consumer Protection Act (“TCPA”) presents another challenge as health care providers continue to engage patients and seek to meet Meaningful Use reminder objectives. Over the past year, there have been several class action suits alleging pharmacies’ prescription refill reminders violated TCPA. One federal trial court recently opined that if the plaintiff provided his cell phone number only for verification purposes, that provision of the cell number cannot be equated to consent to receive automated refill reminders on his cell phone.

Click here to continue reading.... Continue Reading

Is Your Website Ready for California’s “Minor Eraser” Law?

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Starting on Jan. 1, 2015, California’s new “Minor Eraser” law goes into effect and allows minors in California to remove content or information that they have posted as a registered user on a website, online service, online application or mobile application (collectively, an “online service”).

Does this new law apply to your website? 

This new law will apply to online services in two instances – if your online service is directed to minors or if the operator has actual knowledge that a minor is using the online service.  This law defines “minor” as any person under 18 years old who resides in California.

The statute defines “directed to minors” as an online service, or any part thereof, that is “created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults” (emphasis added); however, an online service is not “directed to minors” solely because it refers or links to another online service that is directed to minors, see Cal. Bus. & Prof. Code §22580(e).  It is important to note that a portion of an online service can be directed to minors if it ... Continue Reading

AgeCheq, Inc. Looking for Second Bite at the Parental Consent Apple

Posted in Marketing and Consumer Privacy

FTC Denies Company’s First Proposed COPPA Parental Consent Method, Seeks Public Comment on Second Proposal

The Federal Trade Commission announced that it has denied AgeCheq, Inc.’s proposed verifiable parental consent method application, which relied on existing verifiable consent methods but also utilized a third-party common consent administrator to allow for consent across multiple devices (see our discussion here). Under the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule, interested parties can propose and request FTC approval for additional methods for obtaining verified parental consent not presently permitted by the Rule.  In its letter to AgeCheq, the FTC explained that its denial of AgeCheq’s application was because AgeCheq’s proposed method is already recognized by the Commission “as a valid means of obtaining verifiable parental consent in the Rule, and AgeCheq is free to pursue the development of a common consent mechanism without Commission approval.”

Meanwhile, the FTC announced that it is seeking public comment on a second proposed verifiable parental consent method from AgeCheq.  According to AgeCheq’s latest application, its newest proposed method would augment the traditional paper “sign and send” parental notification method for the mobile space, allowing parents to access and submit an online “sign and ... Continue Reading

Advisory Alert: California’s “Online Eraser” Law for Minors to Take Effect Jan. 1, 2015

Posted in Marketing and Consumer Privacy

On Jan. 1, 2015, California’s “Online Eraser” law will take effect, requiring websites and other online service operators to delete on demand any content posted by minors.  The law also prohibits such operators from sharing minors’ personal information with third parties for the purpose of marketing particular products or services to them.  The new law, however, is ambiguous and possibly unconstitutional.

To read the full article, click here.... Continue Reading

FCC Reaffirms Fax Ads Sent With Recipients’ Prior Permission Require Opt-Out Notice

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

But Grants Retroactive Waivers to Petitioners Who Sent Permission-Based Faxes Without Opt-Out Notices

The Federal Communications Commission has issued an Order sustaining its rule that even ads faxed with the permission of the recipient must include a notice with instructions for how to opt out of future faxes. The Order responds to a passel of petitions that argued the Telephone Consumer Protection Act’s (TCPA) “junk fax” provision and attendant opt-out requirement apply only to “unsolicited” fax advertisements, and thus do not cover faxes “solicited” by those who consent to receive the faxed ads.

However, while staunchly defending its statutory authority to adopt an opt-out notice rule for permission-based faxes, and that it was a logical outgrowth of its rulemaking notice, the FCC recognized that its order adopting the rule may have been confusing on this point. It accordingly granted retroactive waivers to petitioners with temporary relief from any past obligation to have opt-out notices on permission-based faxes. The waivers give petitioners who received them a six-month window to come into compliance with the opt-out requirement, and the FCC invited similarly situated parties to seek similar waivers, strongly suggesting that such requests must be on file within the next six months.... Continue Reading

California Attorney General Releases Breach Report with Key Findings and Recommendations for Retailers, Financial Institutions and Health Care Sectors

Posted in Data Protection, Marketing and Consumer Privacy

California Attorney General Kamala D. Harris has released a “California Data Breach Report,” which presents a series of findings and recommendations based on a review of breaches reported to the Attorney General’s office in 2012 and 2013.  It should come as no surprise that breaches are on the rise, but the Attorney General’s analysis of the reported breaches outlines the root causes of these breaches on an industry basis and recommends best practices to address the sources of those breaches.  For instance, the vast majority of retail breaches were the result of computer intrusions (malware and hacking), leading to recommendations such as the implementation of chip-and-pin technology, end-to-end encryption and tokenization of payment card data.  Similarly, in the healthcare industry, where 70% of the reported breaches were the result of physical loss or theft of hardware or portable media containing unencrypted data, the Attorney General recommends health care providers and institutions use strong encryption to protect covered information on laptops and other portable devices.

Key Findings

  • 28% year-over-year increase in breaches reported to the California Attorney General.
  • Excluding Target and LivingSocial breaches: a 35% year-over-year increase in the number of records breached.
  • Including Target and LivingSocial breaches:
... Continue Reading

Improving Data Breach Security, from the Customer’s Wallet on Up: In Wake of Massive Breaches, It May be Time to Consider Enhancing Customer Security with Chip-Embedded Payment Cards

Posted in Data Protection, Marketing and Consumer Privacy

In early September, Home Depot announced that it had suffered a severe security incident, which resulted in a massive data breach that exposed the payment card information of Home Depot customers across the United States and Canada. The home improvement retailer later confirmed that the breach was the result of malware designed by hackers to evade the company’s security measures, and which subsequently compromised the integrity of its sales register systems. Once compromised, hackers were able to “scrape” customer payment information from the registers’ memory and transmit customer payment card data overseas.

All told, the breach exposed the payment card information of 56 million customers, making it one of the largest known retail data breaches to date. Home Depot’s announcement and the resulting disclosure of the number of customers affected adds the home improvement giant the ever-expanding list of major retailers that have found themselves victimized by cyber criminals.

As this blog noted earlier this summer, credit card and debit card fraud caused $11.27 billion in losses in 2012. Secured PoS devices are critically important for stemming the tide of payment card fraud, as they are the point where customer payment card information is commonly gathered. Accordingly, businesses that use ... Continue Reading

“Th-th-th-that’s All, Folks!” Federal Judge Dismisses Class Action against Cartoon Network, Finds Anonymous User IDs Don’t Qualify as Personal Information under VPPA

Posted in Communications/Media, Data Protection, Marketing and Consumer Privacy

On October 8, Georgia Federal District Judge Thomas Thrash, Jr., dismissed a putative class action against The Cartoon Network, Inc., where the plaintiff alleged that the animation company violated the Video Privacy Protection Act (“VPPA”) by sharing its mobile app users’ data with third parties without consent. Specifically, the plaintiff in Ellis v. The Cartoon Network claimed that the Cartoon Network shared the viewing histories and Android mobile device IDs (“Android IDs”) of individuals who used the company’s mobile Cartoon Network App (“CN App”) with Bango, a United Kingdom-based data analytics firm. Once Bango had this information, it was able to reverse engineer users’ true identities by using data collected from other unrelated sources. At the heart of his claim, the plaintiff alleged that the Android IDs by themselves that the Cartoon Network transmitted to Bango constituted Personally Identifiable Information (“PII”) under the VPPA, and that the Cartoon Network violated the statute by sharing it with Bango without users’ consent.

What is PII under the VPPA?

While Judge Thrash agreed that the plaintiff was a “consumer” under the VPPA as he was subscriber of the Cartoon Network’s services, the judge took issue with the plaintiff’s assertion that an Android ... Continue Reading

Second Circuit Adopts FCC’s Narrow Construction of “Implied” Express Consent for Autodialed Calls to Cell Phones

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

This updates our report last summer on a Federal Communications Commission (FCC) letter brief filed at the invitation of the U.S. Court of Appeals for the Second Circuit in Nigro v. Mercantile Adjustment Bureau, which observed the FCC taking a noticeably less generous view of its then-recent declaratory rulings on whether consumer provision of a cell number is deemed consent to autodial it under the Telephone Consumer Protection Act (TCPA). We noted at that time that, “It would be a shame if, in the FCC’s view, calls in the course of ‘normal, expected and desired business communications’ are permissible only if no one objects after-the-fact.” The Second Circuit has now issued an opinion adopting the view in the FCC’s letter brief, holding that because Nigro did not provide his phone number directly to the creditor in the context of the debt incurred (in respect to which Mercantile called), the TCPA prohibited the calls.

To recap, when Nigro contacted his recently deceased mother-in-law’s electric utility to stop service, he gave them a cell number, which Mercantile later called using an automatic dialing system to collect a remaining balance on the mother-in-law’s account. Nigro sued on grounds the calls violated the ... Continue Reading

Eleventh Circuit Reverses Refusal to Honor FCC’s TCPA Debt Collection Declaratory Ruling, Fosters Uniformity on TCPA’s Autodialing Exception

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The U.S. Court of Appeals for the Eleventh Circuit has brought a bit of legal balance back to automated debt collection calls, and reminded lower courts that when it comes to claims under the Telephone Consumer Protection Act (TCPA), they must honor the validity of FCC rulings.

The Eleventh Circuit’s decision implicates a 2008 declaratory ruling by the FCC regarding automated debt collection calls under the TCPA.  The TCPA and FCC rules implementing it prohibit autodialed and/or prerecorded calls to cell phones, unless there is prior express consent from the call recipient.  The FCC’s Debt Collection Declaratory Ruling from early 2008 held that prior express consent exists where a consumer gives a company his/her cell phone number as part of a transaction, and the company later autodials/prerecorded-calls or texts the consumer in connection with a debt arising from that transaction.

In Mais v. Gulf Coast Collection Bureau, Mais alleged that defendants placed autodialed and/or prerecorded calls to his cellphone without consent, in violation of the TCPA.  The calls followed from Mais’ emergency room treatment, during which his wife completed hospital admission documents and provided her husband’s cellphone number and other information.  Defendants maintained before the U.S. District Court for ... Continue Reading