BLOGS: Communications, Tech & Media Review

Friday, June 22, 2018, 12:33 PM

Are Call Blocking Tools Working? The FCC Seeks Input on The Progress of Robocalling Initiatives

By Rebecca Jacobs Goldman

The Consumer and Governmental Affairs Bureau of the FCC is seeking input on the progress of robocalling initiatives from the government, industry and consumers for a staff report that it plans to prepare in conjunction with the FTC’s Bureau of Consumer Protection. The report was mandated by the FCC in its November 2017 Call Blocking Order, which adopted rules allowing voice service providers to block calls from certain phone numbers as an effort to combat robocalling.

Specifically, the Public Notice seeks data on the types of blocking providers have been using since the Call Blocking Order took effect in 2018 and the progress of SHAKEN/STIR, an industry-developed set of protocols and operational procedures for caller ID authentication, which we’ve previously discussed here in TCPAland. In addition, the Bureau is asking for details on tools voice service providers and third parties have been developing to identify and block unlawful robocalls, such as call labelling products which purport to identify when a call is coming from an unlawful robocaller.

Outside of data on call blocking efforts, the Bureau is also seeking general data on trends in unlawful robocalling and the effectiveness of traceback — a tool intended to be used for identifying unlawful robocallers.

Comments are due: July 20, 2018

Reply Comments are due: August 20, 2018

Monday, June 18, 2018, 12:44 PM

LabMD Ruling Heralds a New Era in Data Security Regulation

By Ted Claypoole

Companies have a responsibility to protect the sensitive employee and consumer data they hold, but we do not know how much of their revenues must be spent on this effort before it is considered enough. We do not know what protections meet the legal requirements to secure the personal data of others. A new case may change the way these matters are considered, applied and litigated for data security breaches.

On June 6, the Eleventh Circuit Court of Appeals ruled that the FTC could not enforce its injunction ordering LabMD to “complete[ly] overhaul” LabMD’s data security program.The Eleventh Circuit made the ruling on technical grounds, but this decision could have far-reaching substantive implications in the field of data security. It may be read as the first US case to insist that reasonable standards be prescribed by regulators who attempt to remedy inadequate personal data protection by companies.

The Court did NOT rule on whether the FTC can force companies to improve data security as part of its UDAP enforcement power. The Third Circuit in the 2015 Wyndham case confirmed the FTC’s authority to regulate failures in data security as a UDAP violation, and that opinion was not questioned by the LabMD Court. To date, when the FTC ruled that a company’s security lapse rose to the level of a UDAP violation, the FTC has been able to resolve the matter with vague orders to make things better. But this may not be possible after the LabMD case.

The LabMD Court struck down the FTC’s current practice in these cases but did not propose or prescribe a clear alternative. In essence, the LabMD Court ruled where FTC finds that failure to plan adequate data security becomes unfair or deceptive to consumers, the FTC can’t enforce its decision by ordering broad, non-specific changes affecting security across the entire defendant’s business. Without using the term, the Eleventh Circuit decided that there must be standards for a business to follow, and those standards are best set forth by either the FTC or by Congress itself.

So where does this leave the FTC, whose previous chair, Maureen Ohlhausen, avowed to change the agency’s past practices and to only address tangible harms, to exercise regulatory humility, and to foster business innovation? Whoever is serving as Commissioners, the current administration has been clear that its priorities are for an FTC that is less aggressive in its filings against private companies. It is likely that in the next three years the FTC will only take up cases against companies experiencing major security breaches where it can be established that actual harm from security failures befell affected consumers. Even then, we may not see FTC action against companies where otherwise we would have expected it.

The LabMD case plays into this directional lean by the agency. Thus far, no court or agency has been eager to propose that a broadly defined set of data security standards was required of US businesses, and highly specific sets of standards tend to fall flat, because 1) the risks and technologies are ever-changing, and 2) each defendant company’s data and resources will vary widely. Courts have not yet been forced to rule on what adequate security standards look like for any specific business.

This has had the effect of imposing nearly strict liability on any company that suffers an attack from outside forces – if no standards are set forth, then regulators can simply assume that a data breach proves that security was unlawfully inadequate. But this is the same as suggesting that the simple fact that a shopper falls in a grocery store means that the store was clearly negligent in maintaining its floors. This has never been the way US tort litigation has worked. This de facto strict liability has only been apparently applied for data breaches because none of the damage claims in these cases have been fully litigated. Each major data breach UDAP case has been settled, thrown out for lack of damages, or upheld an administrative finding with no specific standards defined and applied.

The LabMD Court has blasted this status quo, demanding that where regulators meddle in a company’s data security policy decisions, they do so with some specific standards laid out for the world to see. This will make FTC enforcement in this space even rarer and difficult. So we are likely to see movement in data security UDAP violations in the near future to arise at a state-by-state process, and likely to see more emphasis on what a company should be doing right, and not simply what it was doing wrong.

Thursday, May 17, 2018, 2:49 PM

FCC Chairman Gives Industry SHAKEN/STIR Solution “License to Kill” Spoofed Robocalls

By Marty Stern
In a Press Release earlier this week, FCC Chaiman Pai gave his blessing to a report of the North American Numbering Council on “SHAKEN/STIR”, an industry-developed set of protocols and operational procedures for the cryptographic signing of telephone calls, designed to authenticate telephone calls and mitigate Caller ID spoofing and illegal robocalling.   Basically, SHAKEN/STIR is intended to eliminate the use of illegitimate spoofed numbers from the telephone system by establishing a trust-based system for authenticating legitimate ones.

Last summer, the Commission released a Notice of Inquiry on its role in promoting SHAKEN/STIR, and tasked NANC’s Call Authentication Trust Anchor Working Group with investigating and reporting on a variety of issues associated with the SHAKEN/STIR system.

Basically, SHAKEN/STIR began as a project within the Alliance for Telecommunications Industry Solutions (ATIS).  The first system proposed by the working group was called Secure Telephone Identity Revisited, or “STIR”. This eventually led to a token-based standard, the Signature-based Handling of Asserted Information Using Tokens, or “SHAKEN.”   At a high level, the SHAKEN procedures utilize STIR protocols to allow communications service providers to attest to the legitimacy of a calling party’s number, hence the SHAKEN/STIR moniker.

To maintain its integrity, SHAKEN/STIR includes three discrete actors. The first actor is a Governance Authority, which establishes policies for the SHAKEN certificate management framework. The second actor is a Policy Administrator, which is the day-to-day administrator and primary trust anchor of the system that ensures that certificates used to authenticate and verify tokens are only available to authorized participants.  The third and final actor is the Certification Authority, which issues valid certificates.

The NANC Report, among other things: (1) recommends that industry take the lead in expeditiously selecting a Governance Authority that will coordinate stakeholders to ensure that telephone calls can be authenticated;  and (2) proposes the Governance Authority’s structure, duties, and relationship with a Policy Administrator.   It outlines the functional elements, selection process, and characteristics of the Governance Authority and Policy Administrator, in addition to recommending various milestones, metrics, and incentives to ensure robust participation in the system.

The press release noted that Chairman Pai has accepted the NANC report recommendations for industry to quickly establish a Governance Authority for implementing the SHAKEN/STIR framework, essentially authorizing  the industry to take the next steps acting on the NANC recommendations.   The NANC report suggests that within a year, the Governance Authority and Policy Administrator for SHAKEN/STIR will be operational, and some providers could be capable of signing and validating SHAKEN/STIR calls.  While the Chairman lauded SHAKEN/STIR and the NANC report as “a substantial step forward in ensuring that calls can be authenticated and verified” others have raised concern with the potential major impact that call blocking might have on industries, such as debt collection, to the extent legitimate calling activity could get blocked, expressing concern that these technologies could have big impacts but are little understood.

Labels: , ,

Where to Next? ACA International Decision Prompts FCC Request for Comment on Interpretation and Implementation of the TCPA

By Rebecca Jacobs Goldman
Comment Date: June 13, 2018
Reply Comment Date: June 28, 2018

Less than a week after the D.C. Circuit Court of Appeals issued its mandate following the ACA Int’l v. FCC Decision, the Consumer and Governmental Affairs Bureau of the FCC has released a Public Notice seeking comment on the interpretation and implementation of the Telephone Consumer Protection Act (“TCPA”), including the burning question of the hour: “What constitutes an ‘automatic telephone dialing system’?” 

Everyone is waiting with baited breath as the Commission ferrets through their clarifications on the TCPA following ACA Int’l, but what comes next is also a key question.  Will the Commission come out with a Declaratory Order clarifying the items addressed in the Public Notice or will a Notice of Proposed Rulemaking follow?   It’s a great question, and one we hope to get some further clarity on in the coming weeks.

What follows is a deep-dive into the Public Notice and some takeaways on the questions the Commission raised.

What is an Autodialer?
First up, the Public Notice tackles the question of what constitutes an “automatic telephone dialing system,” otherwise known as an autodialer, under the TCPA.    The TCPA defines an automatic telephone dialing system as equipment that has the capacity to “store or produce” phone numbers to be called “using a random or sequential number generator,” and further has the capacity to automatically dial those numbers.  Pre-ACA Int’l v. FCC, the Commission had interpreted “capacity” broadly to encompass any equipment that could meet the requirements of the definition.  The D.C. Circuit threw out this interpretation finding that the Commission had overreached by interpreting the term so expansively that it could subject every day smartphones to the TCPA. In the Public Notice, the Commission now seeks comment on how to more narrowly interpret the word “capacity,” so as to better conform to the intent of the statute.  For example, the Commission queries, does capacity simply require the “flipping of a switch”? 

The Public Notice also addresses the key question of functionality, i.e., what type of functionality in automatic telephone dialing equipment makes such equipment capable of “random or sequential number generation” and “automatic” number dialing.  In the 2015 Omnibus Order, the Commission had been less than clear on the issue of whether equipment that required some level of human intervention would be considered automatic or manual.  The courts have since been forced to tackle the issue of how much human intervention is necessary to convert an automatic dialing system into a manual one absent such clarity from the Commission.  The Public Notice now seeks comment on how human intervention should affect whether a dialing system is automatic and just how “automatic” dialing equipment must be in order to be considered an automatic telephone dialing system. 

Lastly, the Commission seeks comment on whether the ban on making calls using an automatic telephone dialing system only applies to calls made utilizing the autodialer functionality on a piece of equipment and, alternatively, would not apply if one were to use the same equipment absent the autodialer functionality.  As part of addressing the autodialer issue, the Commission also seeks comment on the petition for declaratory ruling filed at the beginning of May by the U.S. Chamber Institute for Legal Reform, which our Womble Bond Dickinson site, TCPAland, covered here at the time it was filed. 

The good news here is that the questions the Commission raises in the Public Notice are precisely the questions left open by ACA Int’l v. FCC and clarification on them would be welcome.

Reassigned Wireless Numbers
The Commission seeks comment on how to handle calls to reassigned wireless numbers in light of the D.C. Circuit’s decision to vacate the Commission’s interpretation of the term “called party” and the Commission’s one-call safe harbor, which the court deemed arbitrary.  Specifically, the Commission asks to whom the term “called party” should refer, and whether that party should be the person the caller expected, or reasonably expected, to answer the call; the person the caller actually reached; the actual subscriber answering the call; or the phone’s customer user.  The Commission also asks whether a safe harbor is necessary for reassigned numbers.

The questions raised by the Commission with regard to the safe harbor are similar to those raised in a Notice of Proposed Rulemaking (“Reassigned Numbers NPRM”) that the Commission kicked off in March related specifically to the problem of reassigned numbers. In the Reassigned Numbers NPRM, the Commission considers establishing a database for reassigned numbers, and proposes to adopt a safe harbor from TCPA liability for calls to reassigned numbers where the caller uses the reassigned numbers database.  (Wouldn’t that be a welcome development!)  The Commission also seeks comment on when the safe harbor might be triggered and also, in lieu of a Commission-sanctioned database, whether the Commission should instead adopt a safe harbor for callers using existing commercial solutions.

Any reassigned number safe harbor would obviously be a significant positive development, but the particular details of any such safe harbor would also be important.  While the one-call “[un]safe harbor” as we like to call it, is now gone under ACA Int’l  v. FCC, it is important that the Commission act quickly, and, in particular, consider taking interim steps on a safe harbor using commercial services, while it resolves the details of the database approach. 

Notably, however, the Commission would not have to even get to the question of a safe harbor, or the need for a reassigned number databased, if it adopted the notion that the term “called party” refers to the expected recipient of the call.  If the called party were the expected recipient of the call, a caller would have consent for the call under the TCPA, so long as it had the required consent of the person who provided the number, and could continue making calls to that number until the calling party had reason to know that the number had moved to a new subscriber. 

Revocation of Prior Express Consent
The Commission also seeks comment on the methods a called party may use to revoke consent in light of the D.C. Circuit’s finding that a called party may revoke consent through “any reasonable means clearly expressing a desire to receive no further messages from the caller.”  In light of the court’s finding, the Commission seeks comment on a recommended opt-out method or methods that could be used by callers to provide called parties with a reasonable and clear way of revoking prior express consent. 

Notably, there been a number of cases where courts have tossed a TCPA action based on unreasonable revocation of consent.  The Commission’s proposal would potentially go a step further in reversing the Commission’s 2015 Omnibus Order, which had permitted revocation of consent by any reasonable means, following industry requests for clarification that certain methods of revocation of consent are clear.
The establishment by the Commission of a standardized revocation process, requiring called parties to use so-called “magic words” to revoke consent, would remove a huge burden for the industry from a revocation detection and training standpoint.

Pending Reconsideration of Petitions following the Broadnet Order
The Commission seeks comment on whether contractors acting on behalf of federal, state, and local governments are considered “persons” under the TCPA, such that they should be subject to the restrictions of the TCPA.  The comment is sought in response to two pending petition for reconsideration of the Commission’s Broadnet Declaratory Ruling, which clarified that the TCPA does not apply to calls made by or on behalf of the federal government for official government business, except if the call is made by a contractor who was acting outside the scope of his/her agency. 

2016 Federal Debt Collection Rules
In the 2016 Federal Debt Collection Order, the Commission implemented Section 301 of the Bipartisan Budget Act of 2015, which amended the TCPA by excepting from the consent requirements robocalls that were made “to collect a debt owed to or guaranteed by the United States.”  In implementing the Bipartisan Budget Act of 2015, the Commission placed strict requirements on debt collectors falling within the exemption including: limiting the number and duration of debt collection calls, capping the number of permitted calls to wireless numbers to no more than three within a thirty-day period, and providing consumers with the right to stop autodialed, artificial-voice, or pre-recorded debt collection calls to wireless numbers at any time.

The Commission now seeks comment on a pending petition for reconsideration of the rules, which asked the FCC to reconsider applying the one-call safe harbor to debt collection calls.  With the one-call safe harbor no longer in play, the Commission asks how it should treat debt collection calls made to reassigned wireless numbers.  The Commission also questions the interplay of the Broadnet Declaratory Ruling with the 2016 Debt Collection Rules and whether, if a federal contractor is not a “person” for purposes of the TCPA, the 2016 Federal Debt Collector Rules would apply to federal contractors collecting on a federal debt.

The Commission has set a comment deadline date of June 13, 2018 and a reply comment date of June 28, 2018.


Wednesday, May 16, 2018, 2:17 PM

Marty Stern & Artin Betpera in Radio Ink: Is Your Texting Promotion Legal?

A federal court in Louisiana ruled that Marketron Broadcast Solutions did not violate the Telephone Consumer Protection Act (TCPA) by texting a radio listener about an upcoming concert. Womble Bond Dickinson attorneys Marty Stern and Artin Betpera write about the case in the latest edition of Radio Ink.

The listener sued Marketron after responding to a radio ad inviting listeners to text the station in order to win concert tickets. She did, and in response, received a confirmation text that included a web link to purchase tickets.

The listener sued, claiming a violation of the TCPA. But the court granted Marketron’s motion to dismiss, ruling that the listener had provided consent and that the reply message was “a permissible one-time informational text sent in direct response to a consumer’s inquiry.”

However, Stern and Betpera say the line between permissible and impermissible can be a fine one. “Broadcasters should remain particularly cautious regarding any additional information included in these type of text-backs beyond that explicitly covered in the call-to-action and requested by the consumer,” they write.

For much more coverage of TCPA issues, go to Womble Bond Dickinson’s

Labels: ,

Friday, April 6, 2018, 4:07 PM

Jeff Tarkenton in Radio World: How iHeart Media Chapter 11 Bankruptcy Will Work

Questions abound surrounding iHeartMedia’s voluntary Chapter 11 bankruptcy filing. Womble Bond Dickinson attorney Jeff Tarkenton provided some possible answers in a recent interview with Radio World.

Tarkenton’s thoughts on the filing include:

  • iHeartMedia can continue to operate as normal during its reorganization. “The purpose of iHeartMedia’s reorganization is to convert much of its debt to equity and fix the balance sheet,” Tarkenton tells Radio World. “The broadcaster says the deal will reduce its debt by about $10 billion. That’s substantial.”
  • The company faces three possible outcomes: 1. It successfully reorganizes, exits bankruptcy and resumes business as usual. 2. The company cannot continue and is forced to liquidate its assets in Chapter 11. 3. The case is converted to a Chapter 7 case, “in which a trustee is appointed to liquidate the assets, and the debtor company ceases operations.”
  • Financial and/or legal complications may arise during the bankruptcy proceedings.
  • To emerge from Chapter 11, iHeartMedia must file a plan that is approved by the court and, in all likelihood, by each class of creditors whose claims have been impaired.

Monday, March 19, 2018, 9:15 AM

Unclear Billing Charges Violate FCC Truth-in-Billing Rules and the Act

By Marjorie Spivak

The FCC has issued a Declaratory Ruling in response to a petition filed by parties involved in litigation over a billing dispute, declaring that unclear billing information violates the FCC’s Truth-in-Billing rules and the Communications Act of 1934, as amended (the Act).

The petitioners posed questions as directed by a court that determined the FCC never ruled on whether a violation of the Truth-in-Billing rules is also a violation of Section 201(b) of the Act, which prohibits unjust and unreasonable practices by telecommunications carriers. In response, the FCC states that unclear billing information under Rule Section 64.2401(b) also violates Section 201(b) of the Act.

The FCC also clarifies that charges with no description also violate the rules and the Act, except where context and name of the charge make it obvious. For instance, the FCC states that a charge labeled “recurring fee” or “other fees” without a description violates the rules and the Act because both terms are so unclear that the customer cannot understand the reason for the charge. However, the FCC states that a charge labeled “late fee” without description does not violate the rules or the Act because the term itself is sufficiently clear. Finally, because the Truth-in-Billing rules focus on format and clarity of a bill, and not the actual charges, a carrier that wrongly collects a late fee or incorrectly calculates charges, does not violate the Truth-in-Billing rules because a customer has enough information to seek clarification. The FCC notes, however, that it was not asked, and it has not determined, whether such practices violate any other FCC rule or provision of the Act.

Final determination in the law suit requires the court to apply the FCC’s finding to the facts.
back to top