FCC Flexes Muscle: T-Mobile to Pay $48 Million for Failing to Disclose Limits on ‘Unlimited’ Data

Showing that it’s not about to slow down its aggressive enforcement of its open Internet regulations, the Federal Communications Commission (FCC) announced a settlement yesterday resolving claims that T-Mobile USA Inc. (T-Mobile) failed to adequately disclose material restrictions on T-Mobile and MetroPCS data plans that were advertised as “unlimited” from August 2014 to June 2015.  Specifically, the FCC’s investigation found that T‑Mobile failed to adequately disclose that it would significantly slow the speed of its customers’ “unlimited” data after they reached preset, undisclosed thresholds for data usage.

The FCC’s settlement requires T-Mobile to pay a total of $48 million. It further requires T-Mobile to clearly and conspicuously disclose any material limitations on the amount and speed of mobile data for its “unlimited” plans, and includes reporting and training obligations.

Facts and Law Underlying Liability

According to the FCC, T-Mobile advertised “unlimited” mobile data service without adequately disclosing that during times of high network usage characterized as “contention”— defined as network stress that does not rise to the level of “congestion” (i.e., where Internet access begins failing altogether)—an algorithm would limit the data speed of its customers who had used more than a certain, preset amount of data.  Customers whose data was de-prioritized or throttled by T-Mobile experienced network speeds even slower than other users connected to the same cell site.  T-Mobile received hundreds of complaints from consumers whose data service was affected by these throttling practices. In considering whether T-Mobile violated the FCC’s 2010 Open Internet Order, the FCC pointed to the Transparency Rule that requires Internet service providers (“ISPs”) to publicly disclose accurate information about the technical and financial terms under which they offer services.  The purpose of this rule is to enable consumers to make informed choices about which services to buy and how to use them.  While ISPs may be permitted to implement data management practices (e.g., throttling) to address network congestion, the Transparency Rule requires that ISPs provide specific information related to their practices such as the types of traffic subject to practices; purposes served by practices; practices’ effects on end users’ experience; criteria used in practices, and the typical frequency of congestion usage limits and the consequences of exceeding them.  At a minimum, ISPs must prominently display or provide links to these disclosures “on a publicly available, easily accessible website that is available to current and prospective end users.”

In addition to requiring the disclosure of information related to data management practices, the FCC’s 2015 Open Internet Order made clear that the Transparency Rule requires an ISP’s advertising to be accurate and consistent with its disclosed practices.  As noted by the FCC, “a provider making an inaccurate assertion about its service performance in an advertisement, where the description is most likely seen by consumers, could not defend itself against a Transparency Rule violation by pointing to an ‘accurate’ official disclosure in some other public place.”  “Allowing such defenses,” according to the FCC, “would undermine the core purpose of the Transparency Rule.” In its investigation as to whether T‑Mobile violated the Transparency Rule, the FCC determined that several necessary disclosures were missing in T-Mobile’s advertising.  Specifically, the FCC determined that from August 2014 until June 12, 2015, T-Mobile’s disclosures did not inform consumers of (i) the specific data threshold that triggered the de-prioritization; (ii) how application of the de-prioritization could impact consumers’ ability to use data services; (iii) the specific speed reductions that consumers could face; and (iv) the types of apps and data services that could be adversely affected.

Terms of the Consent Decree

Under the terms of the settlement, T-Mobile has agreed to pay a total of at least $48 million and to adhere to certain conduct provisions. Key terms of the monetary payment include:

  • Civil Penalties: T-Mobile will pay a $7.5 million civil penalty to the FCC.
  • Consumer Benefits: T-Mobile will spend up to $35 million in consumer benefits, including (i) giving a discount of 20%, up to $20, on the price of any in-stock accessory to certain customers with “unlimited” data plans and (ii) giving a 4 GB upgrade to “unlimited” plan customers who subscribe to a mobile data service line under the T-Mobile or MetroPCS brands.
  • Broadband Service and Devices to Schools: T-Mobile will spend at least $5 million in providing mobile broadband service and devices to students at low-income schools.  To the extent that the $35 million in consumer benefits is not spent, the unspent money will be added to the $5 million in broadband service and devices to schools.

Key terms of the conduct provisions of the consent decree include:

  • Update Disclosures: T-Mobile will update its disclosures to clearly explain how the “Top 3 Percent Policy” works and the impact it has on consumer data speeds.
  • Unlimited Clarification: If T-Mobile continues to advertise data service as “unlimited,” it must clearly and conspicuously disclose all material restrictions (including its “Top 3 Percent Policy”) on the amount and speed of mobile data.
  • Notice: T-Mobile must notify consumers when they are approaching the threshold before the “Top 3 Percent Policy” goes into effect.
  • Consumer Broadband Label: T-Mobile must adopt the FCC’s “Consumer Broadband Label” in conjunction with its other Open Internet disclosures within 90 days.

T-Mobile also must appoint a compliance officer and submit semiannual compliance reports to the Commission for the next four years.


This latest FCC enforcement action demonstrates the agency’s continuing commitment to aggressive and high profile enforcement in the consumer protection arena. Last June, the FCC proposed to fine AT&T $100 million for similar conduct related to unlimited data plans. Further, the FCC recently released guidance on complying with the Transparency Rule (raising challenges from industry) and consumer-facing broadband disclosures. The FCC also continues to examine the permissibility of sponsored data plans under its open Internet rules.

In the wake of the FCC’s 2015 Open Internet Order, which reclassified broadband services as common carrier services (taking those services outside the scope of the FTC’s jurisdiction), and theNinth Circuit’s recent decision in FTC v. AT&T, which found that the common carrier exception to the FTC’s jurisdiction is status based rather than activity based (eliminating the FTC’s jurisdiction over ISPs), the FCC’s role as a consumer protection watchdog is likely to continue to grow.

As a result, broadband providers should reexamine their network management practices, advertising, and transparency statements to ensure compliance with FCC rules and guidance.

John J. Heitmann, Jameson Dempsey and Ross Slutsky of Kelley Drye’s Communications Group co-authored this post. 

FTC Announces Settlement of “Made in USA” Litigation

Earlier this week, the FTC announced settlement of one of the few “Made in USA” cases the agency has litigated in recent years.  Earlier this year, we sent an update regarding the FTC’s lawsuit against Chemence, Inc., in which the FTC alleged that Chemence was deceiving consumers by claiming that their glues were “Made in the USA.”   Regular readers of our blog may know that the standard for substantiating “Made in USA” claims is fairly high – all or virtually all of the inputs must originate in the U.S.

According to the FTC, approximately 55 percent of the costs of the chemical inputs to Chemence’s glues are attributable to imported chemicals that are essential to the glues’ function, thus falling short of the “all or virtually all” standard.  The complaint also alleged that Chemence assisted others in deceiving consumers by distributing its Made-in-USA marketing materials to private-label sellers and third-party websites and storefronts.

Chemence Product Packaging:


The settlement terms prohibit the company from making unqualified “Made in USA” claims for any product unless it can show that the product’s final assembly or processing – and all significant processing – take place in the United States, and that all or virtually all ingredients or components of the product are made and sourced in the United States. The order permits Chemence to make qualified “Made in USA” claims as long as they include a clear and conspicuous disclosure about the extent to which the product contains foreign parts, ingredients, and/or processing. Chemence also is prohibited from providing others with the means to make deceptive Made-in-USA claims about its products.  In addition, Chemence must pay a $220,000 judgment.

It’s also worth noting that the settlement covers claims that are synonymous with “Made in the USA” even if they use slightly different language.  The definition of “Made in the United States” includes express or implied claims that a Product or Service (as defined), or a specified component thereof, is of U.S.-origin, including but not limited to, a representation that such Product or Service is “made,” “manufactured,” “built,” or “produced” in the United States, or any other U.S.-origin claim.  This case serves as a helpful reminder to companies marketing with “Made in USA” claims that proper substantiation for an unqualified “Made in USA” claim is a particularly high bar.

California Helps Consumers Crowdsource Privacy Policy Violations

ca-attorney-generalCalifornia Attorney General Kamala Harris announced yesterday that her office has rolled out a new online form to help consumers report companies who violate California’s Online Privacy Protection Act (CalOPPA). Under the California law, a website, app or online service must have a CalOPPA compliant privacy policy that is accessible to the consumer. Moreover, these entities must adhere to the terms of their privacy policy and notify consumers of any substantial changes to the policy.

The form consists of four sections and consumers have the option of reporting one or more of the following violations to the Office of the Attorney General:

  • A Missing or Inapplicable Privacy Policy
  • A Privacy Policy That is Difficult to Locate
  • An Incomplete Privacy Policy
  • A Company that Did Not Follow its Privacy Policy
  • A Company’s Failure to Provide Notice of a Material Change

Continue Reading

Vermont Settles with B2B Software Developer over Security Practices

peopledataYesterday, the Vermont Attorney General announced a settlement with business-to-business software developer Entrinsik, Inc., resolving allegations that the company’s Informer program violated Vermont law, including the law placing restrictions on the use and disposal of data containing Social Security numbers.

The Informer program is used by businesses, including seven colleges in Vermont, to analyze and create reports of data by extracting that data from databases and presenting it in a web browser. The program also, however, creates a plain-text, unsecured file of this extraction and stores it on program users’ local hard drives, allegedly without their knowledge. According to the Attorney General, in 2013, a Vermont college used Informer to generate a report with 14,000 Social Security numbers. The text file extraction was stored on the computer’s local hard drive and backed up to an external hard drive, which was then misplaced, triggering Vermont’s data breach notification statute, and likely the investigation into Extrinsik and the Informer program.

Under the terms of the settlement agreement, Entrinsik has agreed to take the following actions:

  • Add clear and conspicuous warnings in all user and instructional materials of the functionality that creates plain-text files.
  • Add the following conspicuous warning message to the export dialog: “Note: Exporting data may result in the creation of unsecure/unencrypted temporary or permanent files on your computer. Please contact your system administrator with any questions regarding the proper safeguarding of sensitive information.
  • Issue, and strongly recommend the application of, a patch or other software update to all business consumers in Vermont that includes the new warning.

Importantly, the Attorney General noted that he was not imposing a monetary penalty because he believes the practice of creating “temporary” plain-text files is widespread, “and many companies may not even realize that [it] could violate State law.” This settlement serves as a reminder that companies should evaluate the functionalities of the programs they develop and use to confirm their compliance with applicable data security laws and regulations.

D.C. Circuit Rules that CFPB is Unconstitutionally Structured

CFPBEarlier today, the U.S. Court of Appeals for the D.C. Circuit issued a landmark decision against the CFPB, finding that the agency was unconstitutionally structured because it concentrates “enormous executive power in a single, unaccountable, unchecked Director.”  However, the court stopped short of ordering a shutdown of the Bureau and instead held that the President “now will have power to remove the Director at will, and to supervise and direct the Director,” severing a provision of the Dodd-Frank Act that provided that the CFPB Director could only be removed for cause.

Particularly given that the decision is likely to be appealed, its most immediate impact may relate to the CFPB’s interpretation of its authority to initiate administrative enforcement actions under the Dodd-Frank Act.  While the CFPB had argued that there is no statute of limitations for any CFPB administrative actions to enforce any consumer protection law, the D.C. Circuit flatly rejected this argument and held that the Dodd-Frank Act incorporates the statutes of limitations in the underlying statutes enforced by the CFPB.

Continue Reading

FCC Chairman Outlines Proposal for New Broadband Privacy Rules

On October 6, 2016, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler published a blog entry on the Commission’s website outlining proposed privacy rules for broadband Internet Service Providers (ISPs). The proposed rules are scheduled to be considered by the full Commission at its monthly meeting on October 27, 2016. These rules come after the Commission received substantial public comment on its March notice of proposed rulemaking (discussed in an earlier blog post) from stakeholders representing consumer, public interest, industry, academics, and other government entities including the Federal Trade Commission (FTC). The proposed rules appear to soften several elements of the Commission’s initial proposal, which received considerable industry criticism.

The actual text of the proposed order is not available, however, a fact sheet along with the Chairman’s blog post outlines the details of the proposal. Under the proposal, mobile and fixed broadband ISPs would have the following requirements:

  • Clear Notification. ISPs would be required to notify consumers about the type of information they collect; explain how and for what purposes that information can be shared or used; and identify the types of entities with which they share information. ISPs will also be responsible for providing this information to customers when they sign up for a service and regularly informing them of any significant changes. The Commission’s Consumer Advisory Committee will be tasked with creating a standardized privacy notice format that will serve as a “safe-harbor” for those ISPs that choose to adopt it.
  • Information Sensitivity-Based Choice. ISPs must get a customer’s “opt-in” consent before using or sharing information deemed sensitive. Geo-location information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and communications content are the broad categories of data that would be considered sensitive. All other individually identifiable customer information would be deemed non-sensitive, and will be subject to an “opt-out” approval requirement. For example, the use of service tier information to market an alarm system would be considered non-sensitive and opt-out policies would be appropriate, consistent with customer expectations.  Finally, the rules will infer consent for certain purposes identified in the Communications Act, including the provision of broadband service or billing and collection.
  • Security.
    • Protection: ISPs must take reasonable measures to protect consumer information from vulnerabilities. To help ensure reasonable data protection efforts, ISPs may: a) adopt current industry best practices; b) provide accountability and oversight for security practices; c) use robust customer authentication tools; and d) conduct data disposal consistent with FTC best practices and the Consumer Privacy Bill of Rights.
    • Breach Response: ISPs must notify customers when data is compromised in a way that results in unauthorized disclosure of personal information. ISPs must notify a) the customer no later than 30 days after discovery of the breach; b) the FCC no later than 7 business days after discovery; and c) if it affects more than 5,000 customers, the FBI and U.S. Secret Service no later than 7 business days after discovery.

The proposal addresses other issues, such as,

  • sharing and using de-identified information consistent with the FTC framework;
  • the use of take-it-or-leave-it data usage or sharing policies; and
  • heightened disclosure requirements for discount plans based on consent to data use.

The proposal emphasizes its focus on broadband services. The proposed rules will not apply to the privacy practices of websites or apps, including those operated by ISPs for their non-broadband services, as the Commission believes this is the purview of the FTC.  This is particularly notable in light of the recent 9th Circuit AT&T decision, which has further blurred the boundaries of the FCC and FTC’s jurisdiction (addressed in an earlier blog post). In that case, the Court determined that the FTC’s “common carrier exemption” is “status-based,” and as such exempts telecommunications carriers (like ISPs) from FTC jurisdiction, regardless of whether the company in question is engaging in common carrier activities. Presumably, the 9th Circuit’s reading of the common carrier exemption would extend to websites and apps provided by an ISP, although Chairman Wheeler appears to take a different reading in his privacy proposal.

In response to Chairman Wheeler’s proposal, FTC Chairwoman Ramirez expressed her pleasure with the FCC’s efforts to protect consumer privacy.

We will be tracking this proceeding as it develops, and will follow up with a client advisory when the Commission releases its final rules.

*Avonne Bell, an associate in Kelley Drye’s Communications Practice Group, co-authored this post.

CFPB Issues Final Rule to Regulate Prepaid Products; Prepaid Providers Given One Year to Comply

Yesterday the CFPB released a final rule that will impose a variety of consumer protection requirements on prepaid products, such as requiring specified disclosures before product purchase and compelling financial institutions to limit consumer losses for lost or stolen cards.  The CFPB had previously released a proposed rule, which we discussed here, and the final rule leaves unchanged many of those proposals.  In announcing the rule, CFPB Director Richard Cordray acknowledged that many prepaid companies already offer some of these protections but argued that uniform requirements are necessary to ensure equal treatment and minimize consumer harm across the board.

The rule covers traditional prepaid products like general purpose reloadable cards, as well as mobile wallets, person-to-person payment products, electronic prepaid accounts, payroll cards, and certain federal, state and local government benefit cards.  The rule itself is 1,689 pages and responds to the 65,000 comments received on the proposed rule.  Highlights include the “Know Before You Owe” disclosures, general consumer protections that mirror those imposed under the Electronic Fund Transfer Act for checking account consumers, and credit-like protections when prepaid issuers extend credit to cover transactions that prepaid products would not fully cover.

“Know Before You Owe” Disclosures

The final rule requires two forms of disclosures: (1) a short form disclosure provided before a consumer acquires a prepaid account that includes information about periodic fees, per purchase fees, ATM withdrawal fees, cash reload fees, and balance inquiry fees, amongst others; and (2) a long form disclosure that includes a comprehensive list of fees and other information associated with the account.   The CFPB provided examples of each disclosure type, which are available here.

Additionally, the rule requires prepaid account issuers to post on their websites prepaid account agreements that are offered to the general public to facilitate comparison shopping.  Issuers must also submit all of their prepaid account agreements, including those not publicly posted, to the Bureau.

Prepaid Protections

The final rule requires issuers to provide a number of consumer protections similar to those imposed under the Electronic Fund Transfer Act and Regulation E, such as:

  • Access to account information.  Rather than require periodic statements as required under Regulation E for checking accounts, the final rule permits institutions to make available to consumers certain methods of accessing information about their prepaid accounts, such as free by telephone, online, or in writing upon request.  Financial institutions are also required to provide summary totals of fees assessed to the consumer on a monthly and annual basis.
  • Limited liability and error resolution.  The final rule extends Regulation E’s protections related to limited liability and error resolution to prepaid accounts.  As to limited liability, the rule limits a consumer’s responsibility for unauthorized changes to $50 so long as the consumer promptly notifies the financial institution of potentially fraudulent conduct.  As to error resolution, the rule requires financial institutions to promptly investigate and resolve incidents, including by restoring missing funds and provisionally crediting the disputed amount while it finishes its investigation.  The requirements generally apply regardless of whether the financial institution has successfully identified and verified the consumer holding the account, except that financial institutions are not required to provisionally credit disputed amounts until the consumer’s identity has been verified.

Credit Protections

The final rule also revises Regulations E and Z to regulate how prepaid accounts offer overdraft credit features.

  • Separate accounts.  For so called “hybrid prepaid-credit card” accounts where the consumer can access both a prepaid account and an overdraft credit feature, the issuer must treat the credit features as distinct from the asset account.  The issuer cannot allow a negative balance directly on the prepaid account except for specified limited circumstances (e.g., where the credit is incidental and de minimis and the issuer does not charge credit-related fees).
  • Ability to pay.  The rule requires prepaid companies to consider the consumer’s ability to pay the balance before opening a separate credit account linked to the consumer’s prepaid account.  Issuers must also wait at least 30 days after a prepaid account is registered before soliciting a consumer to link a covered credit feature to the prepaid account.
  • Limitations on fees.  The rule also extends certain protections under Regulation Z related to fee restrictions, such as limits on fees charged in the first year after account opening and limits on penalty fees.  For example, total fees for credit features cannot exceed 25 percent of the credit limit during the first year a credit account is open.  Moreover, issuers are only permitted to raise interest rates on existing balances if a cardholder misses back-to-back payments and, for new purchases, must provide at least 45 days advance notice of the change in interest rate and allow the consumer to close their account during that time.

The new rule generally becomes effective October 1, 2017 and financial institutions are not required to pull and replace prepaid account packaging materials prior to that date to comply with disclosure requirements.  Moreover, issuers are not required to submit prepaid account agreements to the Bureau until October 1, 2018.

We expect that the Bureau will issue additional materials to facilitate compliance with the prepaid rule in the coming months and will continue to monitor and post about developments here.

Protected: 2016 Advertising and Privacy Law Summit Attendee Follow up

This content is password protected. To view it please enter your password below:

Senate Commerce Committee Members Air Laundry List of Pressing Issues Including Privacy, Data Security, and FTC Enforcement

On September 27th, the Senate Committee on Commerce, Science, and Transportation held a general oversight hearing of the FTC, which covered a multitude of major policy issues and included testimony from Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen, and Commissioner Terrell McSweeny.  Chairman John Thune (R-SD) convened the hearing, joined by Senator Richard Blumenthal (D-CT) who sat in for Ranking Member Bill Nelson (D-FL), who was not in attendance.  Several other Committee members also participated in the hearing, cycling through as schedules permitted on what appeared to be a jam-packed day.  Members in attendance included: Senators Dean Heller (R-NV), Amy Klobuchar (D-MN), Brian Shatz (D-HI), Jerry Moran (R-KS), Steve Daines (R-MT), Dan Sullivan (R-AK), Edward Markey (D-MA), Tom Udall (D-NM), Kelly Ayotte (R-NH), Maria Cantwell (D-WA), and Deb Fischer (R-NE).

The CommSenate Committeeissioners’ opening statements focused on key issues related to the agency’s mandate including enforcement, policy development, business education, and competition promotion.  But for members and Commissioners alike, privacy and data security were the clear headline issues of the day.  A variety of related topics were also raised, including protecting children online, the Internet of Things (IOT), tourism, credit reports, telecommunications, and deceptive claims.  A brief summary of these issues follows.  Continue Reading

FTC Bureau Director Highlights Continuing Health-Related Enforcement, Homeopathic Guidance, and ROSCA at NAD Conference

1Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, highlighted the agency’s enforcement priorities at the National Advertising Division’s annual conference earlier this week.  Key mentions included the following:

  • Health Claims and Sensitive Populations – With health claims being a constant enforcement priority, Ms. Rich referenced cases involving cognition claims, alleged diabetes cures, and products that featured “gene-altering” claims.  She noted that more cases involving products targeted to sensitive populations – including older consumers – are in the pipeline.
  • Health Apps, Privacy and Data Security – As she has in prior testimony, Bureau Director Rich expressed concern about false cures featured on health apps and consumers’ growing interest in and use of health technology, and said that such products are a growing part of the FTC’s advertising program.  Consistent with these statements, Ms. Rich also encouraged companies offering fitness devices, wearable technology, and other internet of things (IoT) products to figure out how to provide adequate privacy choices for consumers.  Related to this, Ms. Rich highlighted the TrendNet and ASUSTek cases involving data security breaches and IoT products.  She also noted that there are a number of investigations underway.
  • Homeopathics – In September 2015, the FTC hosted a workshop on homeopathic products and claims.  Ms. Rich stated that substantive guidance on this topic will be released in the near future.
  • ROSCA – Consistent with the FTC’s interest in ensuring adequate disclosures in advertising, Ms. Rich noted that enforcement of the Restore Online Shoppers Confidence Act (ROSCA) is ongoing and that more cases are in the pipeline.  One of these is the FTC’s case against DIRECTV, which we wrote about here, in which the court recently found a triable issue of fact relative to the use of hyperlinks and info-hovers.

We will be following all of these developments closely.