Finally, Clarity on Telemarketing and Text Messaging to Reassigned Mobile Numbers

Today, the U.S. Court of Appeals for the District of Columbia Circuit gave some clarity to companies that send marketing messages to consumers. The ruling addresses four issues, but this post will focus on one: text (SMS or MMS) messages to reassigned numbers.

For the past couple of years, companies have been fretting over how to deal with mobile phone numbers that have been reassigned from consumers who have agreed to receive robocalls or text messages to new consumers who have not agreed to receive them. The FCC said in 2015 that companies that inadvertently send these messages to reassigned numbers get one free pass, but after that, whether or not the company knows or should know that the number has been reassigned, all other messages will result in liability.

The case is ACA Int'l v. FCC (2018 WL 1352922, No. 15-1211), and was the result of several organizations and trade groups who sued the FCC soon after the 2015 declaratory ruling, arguing that the FCC’s position on this issue was unfair and so removed from reality as to be “arbitrary and capricious.” The suit focused on four issues covered by the FCC’s order:

1. Which types of automated dialing equipment are subject to the Telephone Consumer Protection Act’s restrictions;
2. Does a call violate the TCPA if, unbeknownst to the caller, the intended recipient's mobile phone number has been reassigned to a different person who has not consented;
3. What methods can a consumer use to revoke a prior consent to receive text messages; and
4. Is the FCC's exception for healthcare-related calls too narrow?

For this post, I am focusing only on the issue of text messages to reassigned numbers.  [Note that the FCC’s ruling focused on robocalls (autodialed or pre-recorded voice messages), but the rules applicable to robocalls apply equally to text messages.] 

Background 

In 2015, the FCC issued a declaratory ruling which indicated that if a mobile telephone number is reassigned from one consumer to a new consumer, an organization that previously was allowed to solicit that number gets only one “free” solicitation to that number (in the hands of the new consumer). After that, the calling organization risks strict liability for further solicitations. The calling organization is required to verify that the number has not been re-assigned during that one “free” call. The problem is that there may be no way for the calling organization to know that the number has been reassigned, for example, if the consumer doesn’t respond at all to the message.  If the new owner of the number does not object (following the first message), the calling organization will naturally continue to send messages, and the FCC took the position that the organization would be liable if the new owner of the number had not consented to receive messages--whether or not the calling organization knew or could have known.  

Millions of mobile phone numbers are reassigned every year in the US, and while some mobile phone carriers have begun sharing lists of reassigned numbers with certain telemarketing firms, not all have agreed to do so.  The FCC's ruling had effectively created a legal risk that was impossible to avoid entirely.  

The Risks

The stakes here are high. The TCPA contains a private right of action, which means consumers can sue for at least $500 for each call made (or text message sent) in violation of the statute, and up to three times that amount for each “willful or knowing” violation. (47 U.S.C. § 227(b)(3))  

The Case 

Organizations and trade groups also objected to the FCC's position, and quickly filed a lawsuit arguing that the FCC's decision was arbitrary and capricious and fundamentally unfair.  That case had been pending before the D.C. Circuit for quite some time (oral arguments were held more than a year ago), and as we learned today, the Court rejected the FCC’s “one call” standard, and rather than modifying the FCC's ruling, the Court invalidated the FCC's entire approach to reassigned numbers.  The FCC will have to start over to create new rules for dealing with reassigned numbers.

What Is Next?

If the FCC's position seemed unfair to you, you are not alone.  When the 2015 declaratory ruling was issued, Commissioner Pai, among others, strongly dissented, saying that organizations should have the right to continue to assume, until actually notified to the contrary, that a number has not been re-assigned. As you may know, Pai has very recently become the Chair of the FCC.  Accordingly, the FCC was already working to design rules that would avoid the problems of the 2015 ruling’s one-call safe harbor. The Commission recently solicited input on potential methods for requiring mobile phone carriers to report reassignments. [32 FCC Rcd. 6007 (2017)]. The FCC was also considering a "safe harbor" for calling organizations that inadvertently message reassigned numbers after consulting the most recently updated information. 

This decision, and the FCC's recent attempts under Chairman Pai, should give organizations comfort that their telemarketing and text messaging compliance efforts will be viewed more fairly by the FCC in the future.  

The FCC Creates Privacy, Data Protection, and Data Breach Rules for Internet Service Providers





The Federal Communications Commission is venturing into new areas of privacy regulation.  By a narrow vote, the FCC has approved new rules that govern how internet service providers ("ISPs") use consumers' information.

 

ISPs long ago realized that customer data is valuable, and are continuing to develop ways to monetize that information.  For example, last month, AT&T explained that a major factor in its decision to bid on Time Warner was the lure of new possibilities in targeted advertising.  Last year, Comcast bought targeted advertising firm Visible World for similar reasons.

 

Efforts by ISPs to monetize user data have triggered concerns among privacy watchdogs and the FCC.  On October 27, 2016, the FCC adopted new rules to control when and how this information can be used and shared.  "It's the consumers' information.  How it is used should be the consumers' choice" said FCC Chairman Tom Wheeler. 

 

According to the FCC, the rules "do not prohibit ISPs from using or sharing their customers’ information – they simply require ISPs to put their customers into the driver’s seat when it comes to those decisions.”  The new rules require specific notices to consumers about:

• The types of information the ISP collects from them


• How the ISP uses and shares the information


• The types of entities with whom the ISP shares the information

The rules also require ISPs to give a degree of control to the consumer.  ISPs will be required to obtain consumer consent (an "opt-in") before sharing certain categories of "sensitive" information, including:

• Health information


• Financial information


• Geo-location


• Children’s information


• Social Security numbers


• Web browsing history


• App usage history


• Content of communications

For other categories of information (those not deemed “sensitive," such as an email address or service level), ISPs must still offer users the opportunity to “opt-out” of the use and sharing of their information, with some exceptions.  Customer consent can be inferred for certain uses, such as providing services and for billing and collection activities.

 

ISPs are prohibited from rejecting a customer for refusing to provide a requested consent.  Because it is more profitable for the ISP if the customers permit data use and sharing, the rules permit an ISP to give customers a discount or other financial incentive to provide a requested consent.

 

The FCC has made it clear that its rules “do not regulate the privacy practices of websites or apps, like Twitter or Facebook, over which the FTC has authority.”  Websites and apps currently collect much more data than ISPs, so the practical impact of the rules on consumer privacy is likely to be limited.

 

The new rules impose a requirement that ISPs implement reasonable data security practices, including robust customer authentication and data disposal practices.  The rules also include a data breach notification requirement, which preempts those in existence in 47 states, but only to the extent that the FCC rules are inconsistent with a state's requirements.   

 

The rules become effective with respect to different sections at different times, with all of the rules likely becoming enforceable within one year. 

 

This action by the FCC creates just one more piece in the mosaic of statues, regulations, and treaties that together comprise privacy and data security law.