Federal & State Regulatory

Last week, CPSC Commissioner Joseph Mohorovic, one of the two Republicans on the five-person Commission, announced that he would be ending his term as Commissioner two years early to join the Federal Regulatory and Compliance practice at the law firm Dentons.  His last day at the Commission was October 20.  Mr. Mohorovic became a Commissioner in July 2014 and had commuted from Chicago during his tenure.  He cited a desire to spend more time with his family as the basis for his resignation.

In the short term, the Commission will have a 3-1 Democrat majority, but Dana Baiocco (R) has been nominated to fill the seat of Commissioner Marietta Robinson (D) as her term ends this month.  Once that nomination is confirmed, the Commission would have two Republicans (Ms. Baiocco and Acting Chair Ann Marie Buerkle), two Democrats (Commissioners Robert Adler and Elliot Kaye), and one open slot.

On May 9, 2017, the U.S. Court of Appeals for the Ninth Circuit issued an order granting a Federal Trade Commission (FTC) request for rehearing en banc of the court’s earlier decision to dismiss an FTC case against AT&T Mobility over allegedly “unfair and deceptive” throttling practices in connection with wireless data services provided to AT&T’s customers with unlimited data plans.  In a brief order, Chief Judge Thomas noted that “[t]he three-judge panel disposition in this case shall not be cited as precedent by or to any court of the Ninth Circuit.”

The original Ninth Circuit decision was notable because it held that the “common carrier exemption” in section 5 of the FTC Act—which excludes common carriers from FTC jurisdiction—was “status based” rather than “activity based,” and as such AT&T was not subject to the FTC’s jurisdiction even for non-common-carrier activities.  The original decision had the effect of resetting the jurisdictional boundaries between the FTC and the Federal Communications Commission (FCC) and removing a wide swath of the telecommunications and technology ecosystem from the FTC’s jurisdictional reach.

In a statement, FCC Chairman Ajit Pai applauded today’s order, noting that it will make it “easier for the FTC to protect consumers’ online privacy” and “strengthens the case for the FCC to reverse its 2015 Title II Order,” which classified broadband Internet access service (BIAS) as a common carriage “telecommunications service” and established the FCC’s current open Internet rule framework.  The 2015 Title II Order is now the subject of a draft Notice of Proposed Rulemaking scheduled for a Commission vote at its May 18, 2017 open meeting.

Last week, California became the 50th state to join the multistate settlement with Western Union over its alleged complicity in fraud-induced wire transfers.  This followed Western Union’s $5 million agreement with 49 states and the District of Columbia for costs and fees in January, not to mention a whopping $586 million in settlement agreements with the United States DOJ and FTC.  While DOJ brought wire fraud and anti-money laundering charges against Western Union, and the FTC alleged violations of Section 5 of the FTC Act and the Telemarketing Sales Rule, the states raised violations of their respective consumer protection laws.  California brought its complaint pursuant to the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17209 (“UCL”), its analog to the FTC Act.

Some quick background on the UCL:

  • Traditionally, the UCL is thought to prohibit unfair competition, which includes unfair, deceptive, misleading, or false advertising.  § 17200; see Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 512 (2003) (whether “the ordinary consumer acting reasonably under the circumstances” is likely to be deceived).
  • But the UCL also forbids business activity unconnected with advertising when such activity constitutes an “unlawful” or “unfair” business practice that either violates another law or violates an established public policy.  § 17200; see e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 990 (N.D. Cal. 2016); Ballard v. Equifax Check Servs., Inc., 158 F. Supp. 2d 1163, 1176 (E.D. Cal. 2001).  Some common defenses to these claims include compliance with the underlying law, that the practice is not unfair or is justified, and federal preemption.
  • The UCL provides private plaintiffs with the ability to bring claims for restitution and injunctive relief, while the government can also impose civil penalties of up to $2,500 per violation.  §§ 17203, 17206; see e.g., People v. JTH Tax, Inc., 212 Cal. App. 4th 1219, 1254 (2013) (“[T]he court could have imposed penalties of over $9 million, but only imposed penalties of $715,344 for these advertisements.”).

Here, the California Attorney General alleged that Western Union, during the course of its money transferring services, failed to scrutinize and stop complicit agents that did not comply with anti-money laundering policies, inadequately trained, vetted and reported agents, and overall did not “prevent fraudulent telemarketers, sellers, and con artists from using Western Union’s money transfer system to perpetrate their frauds.”  In other words, Western Union exposed its customers to fraud in violation of the UCL.

As part of the global settlement, Western Union agreed to implement a comprehensive anti-fraud program to detect and prevent future incidents.  California consumers who made a wire transfer through Western Union are entitled to a share of the DOJ restitution fund and may be eligible for more than $65 million in refunds.  The California Department of Justice also may recoup costs and fees from the $5 million multistate fund.

Bottom line: the UCL is a dynamic enforcement mechanism with the potential to curtail many different types of business activities that seemingly harm consumers, and provides the Attorney General with the ability to inflict stiff penalties for violations.

Please join Kelley Drye in 2017 for the Advertising and Privacy Law Webinar Series. Like our annual in-person event, this series will provide engaging speakers with extensive experience and knowledge in the fields of advertising, privacy, and consumer protection. These webinars will give key updates and provide practical tips to address issues faced by counsel.

This webinar series will commence January 25 and continue the last Wednesday of each month, as outlined below.

January 25, 2017 | February 22, 2017 | March 29, 2017 | April 26, 2017 | June 28, 2017
July 26, 2017 | September 27, 2017 | October 25, 2017 | November 29, 2017

Kicking off the series will be a one-hour webinar on “Marketing in a Multi-Device World: Update on Cross Device Tracking” on January 25, 2017 at 12 PM ET. For more information and to register, please click here. CLE credit will be offered for this program.

On Wednesday, November 2, 2016, the Federal Communications Commission (FCC) released the text of its long-awaited Broadband Privacy Order, which it adopted on October 27, 2016. For an overview of the Order, you may read our client advisory here.

The practical impact and reach of the rules will not be known for some time, but at this point we can offer a few of our key takeaways from the Order:

  • All carriers must prepare and maintain public-facing privacy notices. The Commission’s new notice rules will require all telecommunications carriers to draft and post public-facing privacy policies that describe their collection, use, and sharing of customer PI. Formerly, this obligation only applied to BIAS providers (through the Commission’s transparency rule). We expect that disclosures in these privacy policies will be a significant area of enforcement, similar to the Commission’s enforcement of annual CPNI certifications.
  • The sensitivity-based consent framework upends the existing CPNI approval framework. The Commission’s adopted rules fundamentally reshape the consent framework for telecommunications carriers, focusing on the sensitivity of the information, rather than on the particular uses and recipients of the information (as the voice CPNI rules did). As a result, all carriers should carefully review and revise their policies, procedures, and systems for obtaining and tracking customer approval.
  • The Order leaves a significant interpretive role for FCC’s Enforcement Bureau with respect to data security. Unlike the existing voice CPNI rules and the Commission’s proposed data security rules, which mandated specific data security compliance practices, the new rules simply require carriers to adopt “reasonable” data security practices. By focusing on the “reasonableness” of carriers’ privacy and data security practices, the Commission leaves significant room for its Enforcement Bureau to interpret whether particular practices are reasonable, in a manner similar to the FTC’s approach to privacy and data security enforcement. For this reason, providers should carefully review the Commission’s “exemplary” data security practices and Enforcement Bureau consent decrees in order to gauge which practices the Commission expects of providers.
  • Now is the time to begin reviewing contracts with vendors. In the Order, the Commission makes clear that carriers will be held responsible for the acts of their agents, vendors, and other third parties with whom they share customer PI. As a result, carriers should take the opportunity now to review contracts with those third parties to determine whether they include specific terms addressing privacy and security. This is particularly important for non-BIAS telecommunications carriers serving enterprise customers, who will be able to take advantage of the Commission’s expanded business customer exemption.

Kelley Drye’s Communications and Privacy & Information Security practice groups are well-versed in privacy law at the federal and state level, and stand ready to help interested parties understand the scope of these rules and how to operationalize them. Should you have any questions, please contact any of the attorneys listed in the margin.

Yesterday, the Vermont Attorney General announced a settlement with business-to-business software developer Entrinsik, Inc., resolving allegations that the company’s Informer program violated Vermont law, including the law placing restrictions on the use and disposal of data containing Social Security numbers.

The Informer program is used by businesses, including seven colleges in Vermont, to analyze and create reports of data by extracting that data from databases and presenting it in a web browser. The program also, however, creates a plain-text, unsecured file of this extraction and stores it on program users’ local hard drives, allegedly without their knowledge. According to the Attorney General, in 2013, a Vermont college used Informer to generate a report with 14,000 Social Security numbers. The text file extraction was stored on the computer’s local hard drive and backed up to an external hard drive, which was then misplaced, triggering Vermont’s data breach notification statute, and likely the investigation into Entrinsik and the Informer program.

Under the terms of the settlement agreement, Entrinsik has agreed to take the following actions:

  • Add clear and conspicuous warnings in all user and instructional materials of the functionality that creates plain-text files.
  • Add the following conspicuous warning message to the export dialog: “Note: Exporting data may result in the creation of unsecure/unencrypted temporary or permanent files on your computer. Please contact your system administrator with any questions regarding the proper safeguarding of sensitive information.”
  • Issue, and strongly recommend the application of, a patch or other software update to all business consumers in Vermont that includes the new warning.

Importantly, the Attorney General noted that he was not imposing a monetary penalty because he believes the practice of creating “temporary” plain-text files is widespread, “and many companies may not even realize that [it] could violate State law.” This settlement serves as a reminder that companies should evaluate the functionalities of the programs they develop and use to confirm their compliance with applicable data security laws and regulations.

On October 6, 2016, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler published a blog entry on the Commission’s website outlining proposed privacy rules for broadband Internet Service Providers (ISPs). The proposed rules are scheduled to be considered by the full Commission at its monthly meeting on October 27, 2016. These rules come after the Commission received substantial public comment on its March notice of proposed rulemaking (discussed in an earlier blog post) from stakeholders representing consumer, public interest, industry, academics, and other government entities including the Federal Trade Commission (FTC). The proposed rules appear to soften several elements of the Commission’s initial proposal, which received considerable industry criticism.

The actual text of the proposed order is not available; however, a fact sheet along with the Chairman’s blog post outlines the details of the proposal. Under the proposal, mobile and fixed broadband ISPs would have the following requirements:

  • Clear Notification. ISPs would be required to notify consumers about the type of information they collect; explain how and for what purposes that information can be shared or used; and identify the types of entities with which they share information. ISPs will also be responsible for providing this information to customers when they sign up for a service and regularly informing them of any significant changes. The Commission’s Consumer Advisory Committee will be tasked with creating a standardized privacy notice format that will serve as a “safe-harbor” for those ISPs that choose to adopt it.
  • Information Sensitivity-Based Choice. ISPs must get a customer’s “opt-in” consent before using or sharing information deemed sensitive. Geo-location information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and communications content are the broad categories of data that would be considered sensitive. All other individually identifiable customer information would be deemed non-sensitive, and will be subject to an “opt-out” approval requirement. For example, the use of service tier information to market an alarm system would be considered non-sensitive and opt-out policies would be appropriate, consistent with customer expectations.  Finally, the rules will infer consent for certain purposes identified in the Communications Act, including the provision of broadband service or billing and collection.
  • Security.
    • Protection: ISPs must take reasonable measures to protect consumer information from vulnerabilities. To help ensure reasonable data protection efforts, ISPs may: a) adopt current industry best practices; b) provide accountability and oversight for security practices; c) use robust customer authentication tools; and d) conduct data disposal consistent with FTC best practices and the Consumer Privacy Bill of Rights.
    • Breach Response: ISPs must notify customers when data is compromised in a way that results in unauthorized disclosure of personal information. ISPs must notify a) the customer no later than 30 days after discovery of the breach; b) the FCC no later than 7 business days after discovery; and c) if it affects more than 5,000 customers, the FBI and U.S. Secret Service no later than 7 business days after discovery.

The proposal addresses other issues, such as:

  • sharing and using de-identified information consistent with the FTC framework;
  • the use of take-it-or-leave-it data usage or sharing policies; and
  • heightened disclosure requirements for discount plans based on consent to data use.

The proposal emphasizes its focus on broadband services. The proposed rules will not apply to the privacy practices of websites or apps, including those operated by ISPs for their non-broadband services, as the Commission believes this is the purview of the FTC.  This is particularly notable in light of the recent 9th Circuit AT&T decision, which has further blurred the boundaries of the FCC and FTC’s jurisdiction (addressed in an earlier blog post). In that case, the Court determined that the FTC’s “common carrier exemption” is “status-based,” and as such exempts telecommunications carriers (like ISPs) from FTC jurisdiction, regardless of whether the company in question is engaging in common carrier activities. Presumably, the 9th Circuit’s reading of the common carrier exemption would extend to websites and apps provided by an ISP, although Chairman Wheeler appears to take a different reading in his privacy proposal.

In response to Chairman Wheeler’s proposal, FTC Chairwoman Ramirez expressed her pleasure with the FCC’s efforts to protect consumer privacy.

We will be tracking this proceeding as it develops, and will follow up with a client advisory when the Commission releases its final rules.

*Avonne Bell, an associate in Kelley Drye’s Communications Practice Group, co-authored this post.

On Monday, August 29, 2016, the Ninth Circuit Court of Appeals issued an opinion that may dramatically alter the boundaries between the Federal Trade Commission’s (FTC) and Federal Communications Commission’s (FCC) authority over phone companies, broadband providers, and other common carriers.  The Ninth Circuit dismissed a case that the FTC brought against AT&T over its practices in connection with wireless data services provided to AT&T’s customers with unlimited data plans.  The FTC had filed a complaint against AT&T for “throttling” the data usage of customers grandfathered into unlimited data plans.  Once customers had used a certain level of data, AT&T would dramatically reduce their data speed, regardless of network congestion.  The FTC asserted that AT&T’s imposition of the data speed restrictions was an “unfair act or practice,” and that AT&T’s failure to adequately disclose the policy was a “deceptive act or practice.”

The Ninth Circuit’s decision is the latest in a series of actions attempting to identify the jurisdiction over Internet access services and Internet-based services.  As providers and regulators have struggled to identify the proper regulations applicable to such services, the Ninth Circuit’s decision could force significant shifts by both the FTC and FCC for at least a large segment of the industry.

Background

At issue before the Ninth Circuit was the scope of the FTC Act’s exemption of “common carriers” from the FTC’s authority.  The FTC argued, and the trial court held, that the common carrier exemption only applied to the extent that the service in question is a common carrier service (i.e., an “activity-based” test that precluded FTC jurisdiction only where a common carrier is engaging in common carrier activities).  Because the service that the FTC challenged (wireless broadband Internet access service (“BIAS”)) was not a common carrier service at the time that the FTC brought its action against AT&T, the trial court held AT&T was not engaging in common carrier activity and therefore the FTC had authority to bring its lawsuit.

AT&T appealed the decision, arguing that the FTC Act’s exemption of common carriers should be based on their status, and thus telecommunications service providers like itself are exempt from the FTC’s authority regardless of whether the activity at issue is a common carrier service.

The Ninth Circuit noted two things related to the dispute.  First, the court noted that “it is undisputed that AT&T is and was a ‘common carrier[] subject to the Acts to regulate commerce’ for a substantial part of its activity.”  Further, the court noted that, during the time period in question, AT&T’s mobile data service “was not identified and regulated by the FCC as a common carrier service” although, since the FCC’s 2015 Open Internet Order, the FCC has classified the service as a common carrier service.

The Ninth Circuit sided with AT&T, and remanded the case for an entry of an order for dismissal. The court held that under the plain language of the statute, the exemption is based on a company’s status and applies regardless of the activity at issue.  The “literal reading of the words Congress selected,” the court wrote, “simply does not comport with an activity-based approach [to the common carrier exemption].”  The court compared the common carrier exemption to the other exemptions in the statute (for banks, savings and loan institutions, federal credit unions, air carriers and foreign air carriers) that are admitted by the FTC to be status-based, and to the exemption for meatpackers “insofar as they are subject to the Packers and Stockyards Act,” which the court found to be activity-based.  The court held that amendments enacted in 1958 to Section 5 – which added the “insofar as” language – indicated an activity-based exemption for that provision but affirmed status-based exemptions for the remainder “then and now.”

Notably, the Ninth Circuit chose to address the status question, rather than addressing a more narrow issue of whether the FCC’s 2015 reclassification of BIAS as a telecommunications service applied to AT&T’s service retroactively.

Implications

The FTC issued a statement that it is “disappointed” and “considering [its] options,” but it is unclear whether it will appeal the ruling to the Supreme Court.   It is worth noting that, although the Ninth Circuit did not discuss the decisions, this is the third time that a court of appeals has faced status-based arguments relating to the common carrier exemption.  The Seventh Circuit’s 1977 decision in U.S. v. Miller, and the Second Circuit’s 2006 decision in FTC v. Verity Int’l, Ltd., both involved entities claiming common carrier status, although neither decision brought finality to the question.  If the FTC pursues the issue further, industry and practitioners could receive welcome guidance on the issue.

More broadly, the FTC has openly called for the end of the common carrier exemption in the past few years.  This decision may add fuel to the agency’s efforts in that regard.

As is, the decision makes it more difficult for the FTC to bring an action against a company that can claim to be a common carrier.  The Ninth Circuit’s decision noted that AT&T unquestionably was a common carrier “for a substantial part of its activity” and at one point distinguished a case, noting that AT&T’s status “is not based on its acquisition of some minor division unrelated to the company’s core activities.”  Nevertheless, the court’s analysis leaves open the possibility that even providing only a small amount of common carrier service may be enough to qualify all of a company’s activities for the common carrier exemption.

On the FCC side, there are equally broad questions raised by the decision.  The FCC recently has broadly construed its own authority under Section 201(b), to a fair degree of controversy, to address practices of common carriers “for or in connection with” their services, such as advertising and billing.  Presumably, these efforts will continue after the Ninth Circuit’s ruling.  The Ninth Circuit’s ruling, however, may encourage the FCC to fill any potential gap in coverage by taking a broader view of its own authority to regulate non-common carrier services that common carriers offer to consumers.  This could have significant implications for a number of ongoing FCC proceedings, including a proceeding to overhaul the FCC’s privacy rules after the Open Internet Order and requests to classify SMS messaging and interconnected voice-over-Internet-Protocol (VoIP) service as telecommunications services subject to common carrier regulation.  This also might color the FCC’s approach to regulation of over-the-top services provided by non-carrier entities using telecommunications or Internet services.

Time will tell how this plays out, but for now, the Ninth Circuit appears to have significantly reset the boundaries between the agencies’ jurisdictions.  AT&T is not off the hook yet, however, as it faces a parallel action from the FCC, which has issued a Notice of Apparent Liability to AT&T, alleging that its disclosures in connection with its unlimited data plans violated the FCC’s “transparency” rules.  The FCC proposed $100 million in forfeitures for the violation, which sparked vigorous dissent by the two Republican commissioners and was opposed by AT&T in a strongly-worded response.  The FCC forfeiture proceeding remains pending.

Steve Augustino and Jameson Dempsey, of Kelley Drye’s Communication Group, co-authored this post.