InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FCC chair asks Congress to act on robocalls
In December, FCC Chair Jessica Rosenworcel sent a letter to twelve senators in response to their June 2022 letter inquiring about combating robocalls. In the letter, Rosenworcel highlighted the FCC’s efforts to combat robocalls by discussing the agency’s “important” proposed rules, adopted in May, to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls (covered by InfoBytes here). She also highlighted the FCC’s enforcement efforts, such as a December action where the FCC announced a nearly $300 million fine against an auto warranty scam robocall campaign for TCPA and Truth in Caller ID Act violations—“largest robocall operation the FCC has ever investigated” (covered by InfoBytes here).
Rosenworcel requested additional authority from Congress to combat robocalls and robotexts more effectively. Specifically, Rosenworcel asked the senators to “fix the definition of autodialer” – since robotexts are neither prerecorded nor artificial voice calls, the TCPA only provides consumers protection from robotexts if they are sent from autodialers. She further noted that the Supreme Court's decision in Facebook v. Duguid (covered by a Buckley Special Alert) narrowed the definition of autodialer under the TCPA, resulting in the law only covering equipment that generates numbers randomly and sequentially. She wrote that as a result, “equipment that simply uses lists to generate robotexts means that fewer robotexts may be subject to TCPA protections, and as a result, this decision may be responsible for the rise in robotexts.” Among other things, she also requested that Congress update the TCPA to permit for administrative subpoenas for all types of non-content customer records, and for Congress to grant the FCC the authority and resources to increase court enforcement of fines.
FCC proposes new data breach notification requirements
On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted that “given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” She commented that the “new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.” The NPRM, which seeks to improve alignment with recent developments in federal and state data breach laws covering other sectors, would require telecommunications providers to notify impacted customers of CPNI breaches without unreasonable delay, thus eliminating the current seven business day mandatory waiting period for notifying customers of a breach.
Among other things, the FCC requests feedback on whether to establish a specific timeframe (e.g. a requirement to report breaches of customers’ data within 24 or 72 hours of discovery of a breach) or whether a disclosure deadline should vary based on a graduated scale of severity. The FCC also seeks comments on whether a carrier should “be held to have ‘reasonably determined’ a breach has occurred when it has information indicating that it is more likely than not that there was a breach,” and whether the Commission should publish guidance on what constitutes a reasonable determination or adopt a more definite standard. Feedback is also solicited on topics such as threshold triggers, what should be included in a security breach notification, the delivery method of these notifications, and whether to expand the definition of a data breach to also include inadvertent disclosures. Comments are due 30 days after publication in the Federal Register.
FCC proposes $300 million fine against auto warranty scam robocaller
On December 21, the FCC announced a nearly $300 million fine against an auto warranty scam robocall campaign for TCPA and Truth in Caller ID Act violations, “which is the largest robocall operation the FCC has ever investigated.” According to the announcement, the two individuals in charge of the operation ran a complex robocall sales lead generation scheme, which was designed to sell vehicle service contracts that were deceptively marketed as car warranties. This “scheme made more than 5 billion robocalls to more than half a billion phone numbers during a three-month span in 2021, using pre-recorded voice calls to press consumers to speak to a ‘warranty specialist’ about extending or reinstating their car’s warranty.” As previously covered by InfoBytes, in July, the FCC took initial action by ordering “phone companies to stop carrying traffic regarding a known robocall scam marketing auto warranties.” The FCC noted that the operation is also the target of an ongoing investigation by the FCC’s Enforcement Bureau and a lawsuit by the Ohio attorney general. The Ohio AG filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation (covered by InfoBytes here). The complaint, filed in the U.S. District Court for the Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” In addition to the fine, among other things, the individuals who allegedly ran the operations are prohibited from making telemarketing calls pursuant to FCC actions.
FCC affirms three-call limit but permits oral consent
On December 21, the FCC issued an order on reconsideration and declaratory ruling under the TCPA, affirming a three-call limit and opt-out requirements for exempted residential calls. According to the FCC, the ruling is in response to requests from industry trade groups related to a 2020 order implementing portions of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act). The ruling upheld the three-call-limit for exempt calls made using automated telephone dialing systems to residential lines but revised the 2020 order’s requirement for “prior express written consent” to allow callers to obtain consent orally or in writing if they wish to make more calls than allowed. The FCC also granted a request to confirm that “prior express consent” for calls made by utility companies to wireless phones applies equally to residential landlines. The FCC noted that “limiting the number of calls that can be made to a particular residential line to three artificial or prerecorded voice calls within any consecutive thirty-day period strikes the appropriate balance between these callers reaching consumers with valuable information and reducing the number of unexpected and unwanted calls consumers currently receive.”
FCC orders companies to block student loan scam calls
On December 8, the FCC’s Enforcement Bureau ordered voice service providers to cease carrying robocalls related to known student loan scams and specifically designated a service believed to account for more than 40 percent of student loan robocalls in October. The FCC’s order provides written notice to all voice service providers regarding suspected illegal robocalls that have been made in violation of the TCPA, the Truth In Caller ID Act of 2009, or the TRACED Act. Specifically, the order “directs all U.S.-based voice service providers to take immediate steps to mitigate suspected illegal student loan-related robocall traffic.” The order further noted that if a provider fails to “take all necessary steps” to avoid carrying suspected illegal robocall traffic, the provider may be “deemed to have knowingly and willfully engaged in transmitting unlawful robocalls.” According to FCC Chairwoman Jessica Rosenworcel, the Commission is “cutting these scammers off so they can't use efforts to provide student loan debt relief as cover for fraud.”
FCC says consent is required for ringless voicemails
On November 21, the FCC issued a declaratory ruling that entities using ringless voicemail products must first obtain a consumer's consent prior to using the product to leave voicemails. According to the FCC, it receives “dozens of consumer complaints annually related to ringless voicemail.” The unanimous ruling establishes that ringless voicemails are “calls” that require consumers’ prior express consent, and further clarifies that a ringless voicemail is a form of a robocall, and therefore subject to the TCPA robocall prohibition, which prohibits making any non-emergency call with an automatic telephone dialing system or an artificial or prerecorded voice to a wireless telephone number without the prior express consent of the called party.
The FCC’s declaratory ruling denied a 2017 petition filed by a company that distributes technology that permits voicemail messages to be delivered directly to consumers’ voicemail services. The petitioner argued that ringless messages, and the process by which the ringless voicemail is deposited on a carrier’s platform, is neither a call made to a mobile telephone number nor a call for which a consumer is charged and, therefore, is a service that is not regulated. The FCC rejected the petitioner’s argument that ringless voicemail is not a TCPA call because it does not pass through a consumer’s phone line and that the TCPA protects only calls made directly to a wireless handset, and does not result in a charge to the consumer for the delivery of the voicemail message. The ruling noted that “consumers cannot block these messages and consumers experience an intrusion on their time and their privacy by being forced to spend time reviewing unwanted messages in order to delete them.” The ruling also noted that a “consumer’s phone may signal that there is a voicemail message and may ring once before the message is delivered, which is another means of intrusion. Consumers must also contend with their voicemail box filling with unwanted messages, which may prevent other callers from leaving important wanted messages.” According to a statement by FCC Chairwoman Jessica Rosenworcel, the rule makes it “crystal clear" that ringless voicemails are subject to the TCPA and that the Commission's rules "prohibit[] callers from sending this kind of junk without consumers first giving their permission to be contacted this way.”
9th Circuit says district court must reassess statutory damages in TCPA class action
On October 20, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess the constitutionality of a statutory damages award in a TCPA class action. Class members alleged the defendant (a multi-level marketing company) made more than 1.8 million unsolicited automated telemarketing calls featuring artificial or prerecorded voices without receiving prior express consent. The district court certified a class of consumers who received such a call made by or on behalf of the defendant, and agreed with the jury’s verdict that the defendant was responsible for the prerecorded calls at the statutorily mandated damages of $500 per call, resulting in total damages of more than $925 million. Two months later, the FCC granted the defendant a retroactive waiver of the heightened written consent and disclosure requirements, and the defendant filed post-trial motions with the district court seeking to “decertify the class, grant judgment as a matter of law, or grant a new trial on the ground that the FCC’s waiver necessarily meant [defendant] had consent for the calls made.” In the alternative, the defendant challenged the damages award as being “unconstitutionally excessive” under the Due Process Clause of the Fifth Amendment.
On appeal, the 9th Circuit affirmed most of the district court’s ruling, including upholding its decision to certify the class. Among other things, the appellate court determined that the district court correctly held that the defendant waived its express consent defense based on the retroactive FCC waiver because “no intervening change in law excused this waiver of an affirmative defense.” The appellate court found that the defendant “made no effort to assert the defense, develop a record on consent, or seek a stay pending the FCC’s decision,” even though it knew the FCC was likely to grant its petition for a waiver. While the 9th Circuit did not take issue with the $500 congressionally-mandated per call damages figure, and did not disagree with the total number of calls, it stressed that the “due process test applies to aggregated statutory damages awards even where the prescribed per-violation award is constitutionally sound.” Recognizing that Congress “set a floor of statutory damages at $500 for each violation of the TCPA but no ceiling for cumulative damages, in a class action or otherwise,” the appellate court explained that such damages “are subject to constitutional limitation in extreme situations,” and “in the mass communications class action context, vast cumulative damages can be easily incurred, because modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.” Accordingly, the 9th Circuit ordered the district court to reassess the damages in light of these concerns.
9th Circuit says telemarketing texts sent to mixed-use cells phones fall under TCPA
On October 12, a split U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of a TCPA complaint, disagreeing with the argument that the statute does not cover unwanted text messages sent to businesses. Plaintiffs (who are home improvement contractors) alleged that the defendants used an autodialer to send text messages to sell client leads to plaintiffs' cell phones, including numbers registered on the national do-not-call (DNC) registry. The plaintiffs contented they never provided their numbers to the defendants, nor did they consent to receiving text messages. The defendants countered that the plaintiffs lacked Article III and statutory standing because the TCPA only protects individuals from unwanted calls. The district court agreed, ruling that the plaintiffs lacked statutory standing and dismissed the complaint with prejudice.
On appeal, the majority disagreed, stating that the plaintiffs did not expressly consent to receiving texts messages from the defendants and that their alleged injuries are particularized. In determining that the plaintiffs had statutory standing under sections 227(b) and (c) of the TCPA, the majority rejected the defendants’ argument that the TCPA only protects individuals from unwanted calls. While the defendants claimed that by operating as home improvement contractors the plaintiffs fall outside of the TCPA’s reach, the majority determined that all of the plaintiffs had standing to sue under § 227(b), “[b]ecause the statutory text includes not only ‘person[s]’ but also ‘entit[ies].’” With respect to the § 227(c) claims, which only apply to “residential” telephone subscribers, the appellate court reviewed whether a cell phone that is used for both business and personal reasons can qualify as a “residential” phone. Relying on the FCC’s view that “a subscriber’s use of a residential phone (including a presumptively residential cell phone) in connection with a homebased business does not necessarily take an otherwise residential subscriber outside the protection of § 227(c),” and “in the absence of FCC guidance on this precise point,” the majority concluded that a mixed-use phone is “presumptively ‘residential’ within the meaning of § 227(c).”
Writing in a partial dissent, one judge warned that the majority’s opinion “usurps the role of the FCC and creates its own regulatory framework for determining when a cell phone is actually a ‘residential telephone,’ instead of deferring to the FCC’s narrower and more careful test.” The judge added that rather than “deferring to the 2003 TCPA Order which extended the protections of the national DNC registry to wireless telephones only to the extent they were similar to residential telephones, a reasonable interpretation of the TCPA, the majority has leaped over the FCC’s limitations to provide its own, much laxer, regulatory framework and procedures that broadly allow anybody who owns a cell phone to sue telemarketers under the TCPA.”
FCC proposes rulemaking to combat unlawful text messages
On September 27, the FCC announced a notice of proposed rulemaking (NPRM) to target and eliminate unlawful text messages. According to the FCC, the number of consumer complaints received related to unwanted text messages has increased by 146 percent between 2019 and 2020, and continues to grow in 2022. The Commission warns that these text messages present harms beyond that of unwanted phone calls, as text messages can include phishing and malware links. More than $86 million was stolen in 2020 through spam texting fraud schemes, the FCC reports. The NPRM seeks feedback on several topics, including whether providers should follow the STIR/SHAKEN authentication protocols for text messages as they do for phone calls, whether providers should block texts from invalid phone numbers, and how it can ensure that emergency text messages or other appropriate texts are not erroneously blocked. The NPRM also proposes requiring providers to block texts that appear to originate from phone numbers that are invalid, unallocated, or unused as well as numbers on the “Do-Not-Originate” list.
The Commission is also seeking input on the extent to which spoofing is a problem in texting, and if caller ID authentication standards should be applied to texting. Spoofing is when a sender deliberately disguises their number to trick a recipient into thinking the message is trustworthy. A working group of the Internet Engineering Task Force is currently considering a draft standard that would apply parts of the STIR/SHAKEN framework to text messages, the FCC stated, adding that it is asking stakeholders for suggestions on an ideal timeline and feedback on whether the current framework’s governance system would be able to accommodate authentication for text messages or if the framework would require more comprehensive technology network upgrades.
Comments on the NPRM are due 30 days after publication in the Federal Register.
FCC signs robocall enforcement MOU with Canada
Recently, the FCC announced that it entered into a memorandum of understanding (MOU) with the Canadian Radio-television and Telecommunications Commission (CRTC) to develop a global and coordinated approach for addressing unlawful automated telephone calls. According to the MOU, the FCC and CRTC understand that it is in their common public interest to, among other things: (i) “cooperate with respect to the enforcement against Covered Violations, including sharing complaints and other relevant information and providing investigative assistance”; (ii) “facilitate research and education related to unlawful robocalls and caller ID spoofing”; (iii) “facilitate mutual exchange of knowledge and expertise through training programs and staff exchanges”: (iv) encourage awareness of economic and legal conditions and theories related to the enforcement of applicable laws as identified in Annex 1 to the MOU; and (v) update each other regarding developments related to the MOU in their respective countries in a timely manner. In a related statement, FCC acting Chairwoman Rosenworcel noted that robocall scamming is an “international problem,” and that it is “critical that we work closely with partners like our colleagues in Canada who share our commitment to fighting robocall scams and unmasking the bad actors behind them.”