Link here to read our latest edition of the Monthly TCPA Digest, providing insights and news related to the Telephone Consumer Protection Act (TCPA). This month’s issue examines four recent rulings from Seventh Circuit trial courts regarding an FCC rule under the TCPA that mandates opt-out language on solicited faxes, or those sent with the recipient’s consent. The first two district court rulings rejected the D.C. Circuit’s holding invalidating the rule, while the two most recent rulings upheld the appellate decision. In addition, we cover FCC activity related to robocalls and whether mortgage holders’ calls to borrowers in disaster-affected areas violate the TCPA’s consent requirements.

If you have suggestions for topics you’d like to see featured in the Monthly TCPA Digest, or any questions about the issue, please reach to Mintz Levin’s TCPA and Consumer Calling Practice team.



As we previewed last week, the Federal Communications Commission (FCC) has adopted new privacy rules that govern Internet service providers’ (ISPs) handling of broadband customer information.  Though the Wireline Competition Bureau stated that it expects it will be at least several days before the final Order is released to the public, the FCC released a fact sheet describing the rules as adopted.

These rules are the culmination of a process that began in 2015 with the reclassification of Broadband Internet Access Service (BIAS) as a common carrier telecommunications service regulated under Title II of the Communications Act.  As a consequence of reclassification, the obligations established under the privacy framework adopted by the Federal Trade Commission (FTC) no longer applied to ISPs due to the common carrier exception in Section 5 of the FTC Act.  Accordingly, the FCC determined that the privacy protections governing telephone customer proprietary network information (CPNI) set forth in Section 222 of the Communications Act would now apply to ISPs’ provision of BIAS.

On April 1, 2016, the Commission released a Notice of Proposed Rulemaking setting forth proposed privacy and data security rules that would govern ISPs’ provision of BIAS.  The rules originally proposed by the FCC would have subjected ISPs to significantly greater constraints on their ability to use customer data for advertising, marketing, and offering customized services and features than the FTC’s privacy framework, which continues to apply to websites, apps, and all other entities in the Internet ecosystem other than ISPs.  For example, while the FTC framework applies differing choice mechanisms (i.e., opt-in, opt-out, or implied consent) depending on the sensitivity of the data being collected and the context of its use, the FCC initially proposed to apply a default opt-in regime to virtually all data – rejecting any distinctions based on data sensitivity.

In response to comments from the FTC and others in the proceeding, the final rules adopted by the FCC align more closely with the FTC framework, though some important differences remain.  Continue reading for key elements of the proposed rules. Continue Reading What You Need to Know about the New Broadband Privacy Regulations


The FCC has voted 3-2 along party lines to require internet service providers (ISPs) to get a customer’s explicit consent before they can use or share what is termed “sensitive” personal information.  That definition raises some eyebrows: according to the FCC’s rules, “sensitive” information includes browsing history, mobile location data, TV viewing history, call and text message records, and information about what mobile apps subscribers use.

The regulation was billed by the FCC as based on transparency, consumer choice and data security.

We will have a full analysis of the new regulations tomorrow.



FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS).  The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.

In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act that govern how call detail and call record information are used and protected by providers of telecommunications services also would apply to BIAS providers.  The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers.  Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process.  Print Continue Reading FCC Announces Broadband Privacy Proposal

As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco.  Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.

Wheeler centered his remarks on information sharing and accountability by the private sector.  He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing.  Cyber-attacks should be subject to similar reporting requirements.

He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework.  He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts.  He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk.  He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out.  The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.

And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.  Read more:


PC World

New York Times

The Federal Communications Commission’s (“FCC”) net neutrality proceeding culminated this month with the release of an Order reclassifying broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act. Previously, the FCC classified broadband service as a lightly regulated Title I Information Service, while Title II was primarily used to regulate telephone service. This decision by the FCC has two major privacy implications for broadband customers and Internet Service Providers (“ISPs”).

First, as previously reported on this blog, the FCC’s reclassification decision puts in flux the federal agency that has authority to enforce ISP’s privacy policies. Until now, the Federal Trade Commission (“FTC”) has asserted its Section 5 authority over “unfair or deceptive” practices to bring enforcement actions against companies that violate their own privacy policies or fail to adequately safeguard customer data. The FTC has brought dozens of actions over privacy policy violations, and previously declared that it has the authority to do so specifically against broadband providers that violate their published policies. In fact, though not a privacy allegation, the FTC recently used its Section 5 authority to bring an enforcement action against AT&T in its capacity as an ISP for allegedly “throttling” data throughput even when a customer signed up for an unlimited data plan.

But Section 5 of the FTC Act exempts common carriers from FTC oversight of “unfair methods of competition… and unfair or deceptive acts or practices.” With broadband service soon to be regulated as common carriage in light of the FCC’s Order, and broadband ISPs regulatedas common carriers, the FTC will likely lose its enforcement authority over that service to the FCC. In the fall of 2014, FTC Commissioner Maureen Ohlhausen expressed concern over the FTC’s continued ability to protect consumers should the FCC decide to pursue reclassification, and FTC officials, including FTC Chairwoman Edith Ramirez and Consumer Protection Director Jessica Rich, recently reiterated those concerns and called on Congress to eliminate the common carrier exemption. One data security and breach notification bill currently before the House Subcommittee on Commerce, Manufacturing, and Trade would do just that in the limited context of privacy.

Second, broadband service is now subject to the privacy provisions of Title II that protect Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. However, the FCC’s rules implementing those provisions are mostly inapplicable to broadband service as they specifically focus on protecting information related to telephone calls, such as phone numbers dialed and the duration of calls. To resolve this dilemma, the FCC’s Order applies Section 222 of the Communications Act to broadband providers, which prohibits carriers from using or disclosing individually identifiable CPNI without consent except as needed for providing service, but forbears from applying the FCC’s current implementing rules pending further proceedings to adopt new rules that apply specifically to broadband.

Written by Ernie Cooper

Businesses that engage in fax advertising and solicitation should pay careful attention to the recent ruling by the Federal Communications Commission clarifying that even fax advertisements sent with the prior express invitation or permission of the recipient must include an opt-out notice that: (1) is clear and conspicuous and on the first page of the ad; (2) states that the recipient may request the sender not send any future ads and that failure to comply with an opt-out request within 30 days is unlawful; and (3) contains a telephone number and fax number for the recipient to transmit an opt-out request.

Because there had been some confusion about whether the opt-out requirement applied to solicited fax advertisements, the FCC granted a retroactive waiver of the requirement to 24 companies that had asked for the clarification, allowing them until April 30, 2015, to come into full compliance with the opt-out requirement.

The FCC also said that it would entertain similar requests from other parties for retroactive waiver of the rule, but warned that it expected those parties “to make every effort to file such requests prior to April 30, 2015.”  It said that such requests would be adjudicated on a case-by-case basis.  The FCC recently asked for public comment on retroactive waiver petitions filed in November by eight additional fax advertisers.

There has been no confusion about the requirement to include an opt-out notice in unsolicited fax advertisements sent to persons with whom the sender has an existing business relationship or “EBR,” and the FCC window for waiver requests does not apply to any violation of those rules.  Sending an unsolicited fax advertisement to a person with no EBR remains prohibited.

Fax advertising and telemarketing calling campaigns have increasingly been the subject of class action suits filed under the Telephone Consumer Protection Act (TCPA), underscoring the importance of understanding and applying the rules – even where apparent permission to send the fax or make the call has been obtained.

Questions of Authority – who will be the federal regulatory cop on the privacy beat?  FTC?   FCC?  Privacy, Data Security Jurisdiction Questions to the Forefront in 2015

Written by Christopher Harvie

As privacy and data security gain more visibility among policy-makers, questions of federal agency authority and jurisdiction are also gaining a higher profile.

Since 2002, the Federal Trade Commission (FTC) has brought 50 enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices,” against companies alleged to have put consumers’ personal data at unreasonable risk. Earlier this year, in response to a court challenge brought by Wyndham Hotels, a Federal court in New Jersey upheld the FTC’s authority under Section 5 to bring enforcement actions to remedy unreasonable data security practices that lead to data breaches that cause consumer harm.    The court ruled that Congress need not explicitly grant the FTC authority to bring Section 5 actions against companies that cause consumer harm through inadequate data security practices and that the FTC does not need to adopt prior data security regulations detailing permissible and impermissible data security practices.  Instead, the court determined that the FTC complaint against Wyndham adequately plead “substantial injury to consumers” caused by data breaches linked to Wyndham’s “failure to implement reasonable and appropriate security measures” – including the failure to require use of complex passwords, erect adequate firewalls to prevent access by 3rd parties and insecure devices to enterprise servers, utilize up-to-date operating systems that could receive security patches and upgrades, or adequately inventory its computers in order to readily locate compromised device.  Issued in response to a Wyndham motion to dismiss for lack of jurisdiction, the courts’ decision does not constitute a ruling on the merits of the FTC complaint.  The jurisdictional issue is the subject of an interlocutory appeal to the 3rd Circuit, which remains pending while the parties engage in court-ordered mediation. Read our posts here and here for more information on the Wyndham case. Continue Reading On the Seventh Day of Privacy, federal agencies gave to me…..

Written by Ernest C. Cooper

Should retailers be required to obtain written consent before sending a consumer a text message with information or a coupon that was specifically requested?  The Retail Industry Leaders Association (RILA) thinks not, and has filed a petition asking the Federal Communications Commission to clarify that sending a one-time text message in response to a consumer request does not violate FCC telemarketing rules requiring prior written consent for marketing text messages.  The FCC has issued a public notice asking for comments on the petition, which must be submitted by February 21, 2014, with reply comments due by March 10, 2014.

FCC telemarketing rules that went into effect on October 16, 2013, require prior written consent of the called party to send marketing or advertising messages, including text messages.  The RILA petition argues that those rules do not sensibly apply to an “on-demand” text service that provides one-time text message replies to consumer requests for offers.  For example, a consumer might respond to a retailer’s advertising display by texting “discount” to the retailer, which then sends a reply text message to the consumer with a coupon or other discount information.  RILA is concerned that because the reply message is arguably marketing or advertising and is sent without the consumer’s written consent, some persons might charge the retailer is violating the FCC’s telemarketing rules, despite the fact that the reply message was specifically requested by the consumer.

To ensure retailers can send these types of reply messages without risking lawsuits for violation of FCC rules, RILA asks the FCC to clarify that its telemarketing rules do not apply to an “on-demand” text service sending reply messages because the text communications are: (1) initiated by the consumer; (2) one-time messages sent in response to a specific consumer request; and (3) include only specific information requested by the consumer.

The RILA petition is available here.

The FCC’s public notice can be found here.


Written by Ernie Cooper 

Aiming to “address the real privacy and security risks that consumers face when telecommunications carriers use their control of customers’ mobile devices to collect information about their customers’ use of the network,” the Federal Communications Commission (FCC) has adopted a Declaratory Ruling holding that the existing rules requiring carriers to protect customer proprietary network information (CPNI) apply to CPNI collected by mobile devices when such collection is undertaken at the carrier’s direction and the carrier has access to or control over that information. The FCC further clarified that this obligation applies even while the CPNI resides on the handset prior to transmission to the carrier’s servers.  The Declaratory Ruling does not restrict carriers’ ability to collect CPNI using customer handsets, but holds that if the carrier chooses to do so, it must protect the CPNI it collects.

The Declaratory Ruling applies only to the providers of common carrier and interconnected VoIP services covered by the CPNI rules, although the ruling could raise expectations that other wireless broadband providers engaged in device-based data collection will also protect that data against unauthorized disclosure and use.

Following is a summary of the main points of the Declaratory Ruling.

Many Data Elements Collected by Mobile Devices Fit the Definition of CPNI.  The statutory definition of CPNI is “information that [1] relates to the quantity, technical configuration, type, destination, location, and amount of use of a [customer’s] telecommunications service . . . [2] that is made available to the carrier by the customer [3] solely by virtue of the carrier-customer relationship.”  The FCC concluded that this type of information, even when collected or stored on a mobile device, falls within the definition of CPNI and is therefore subject to the rules governing such information.  Using the 2011 controversy over certain carriers’ use of the Carrier IQ diagnostic software as an example, the FCC explained that when software installed on a handset to collect this information for carriers is not properly secured, other entities or applications may access the CPNI, resulting in the potential disclosure of location and other data.

The Declaratory Ruling acknowledges that some information collected by Carrier IQ-type network diagnostic software, such as information on access to the carrier’s data network or URLs visited by a handset’s browser, may fall outside of the definition of CPNI.  According to the FCC, however, that fact does invalidate the principle that data that does meet the definition of CPNI must be protected as such.

The FCC explained that CPNI collected by a handset at the carrier’s direction is “made available” to the carrier even while it is stored on the handset prior to transmission to the carrier’s own servers.  Even if the information has not yet been transmitted, the configuration of the device puts the data “under the carrier’s control for all practical purposes,” and therefore “made available” to the carrier.  Thus the CPNI must be protected while resident on the customer’s handset, as well as during transmission and while on the carrier’s own servers.

CPNI collected on handsets is also “made available to the carrier by the customer solely by virtue of the carrier-customer relationship” because the carrier “is in a unique position with respect to its customers when it configures a mobile device to collect the information before the device is sold to a customer.”  The same is not true for information collected and stored on the handset by third-party applications installed on the handset by the consumer – even when the data might otherwise fit the definition of CPNI – because in that case the information is not under the carrier’s control and not intended to be transmitted to the carrier.

Carriers Must Take Reasonable Precautions to Prevent Unauthorized Disclosure of CPNI Collected on Handsets.  Obligations carriers have under FCC rules to protect and prevent misuse of their customers’ CPNI applies equally to CPNI collected on customer handsets.

Thus, if a carrier chooses to collect or store CPNI on a handset, the carrier must take reasonable precautions to prevent unauthorized access and disclosure, including access that might be obtained by third-party applications the customer may have installed on the handset.  The Commission recognizes, however, that given the openness of modern smartphones it cannot require carriers to protect customers against “all possible privacy and security risks . . . , including risks created by third-party applications.”

As with other CPNI a carrier may have access to, carriers are free to use CPNI collected from handsets to “assess and improve the performance of its network and to provide information to customer-support representatives without the customer’s specific approval.”  Similarly, as with CPNI collected by other means, carriers are not restricted in using CPNI collected from handsets if the data has been aggregated, with individual customer identities and characteristics removed.

Consistency with Other Privacy Laws and Initiatives.  In response to an argument raised by CTIA,  the nonprofit organization that represents the wireless industry, the FCC explained that the clarifications made in the Declaratory Ruling are consistent with the Stored Communications Act.  Further, while noting that mobile privacy issues are also being addressed through industry best practice development efforts by standards-development organization ATIS, and in the NTIA-led multistakeholder process to develop a privacy code of conduct for mobile apps, the FCC concluded that neither of these initiatives is a substitute for the FCC’s obligation to fulfill its statutory role” to ensure appropriate protection of CPNI.