FCC, FTC, Congress Escalate Telecom Customer Privacy Crackdown; New Protections and Carrier Requirements Proposed
As we have reported previously, in January the FCC commenced several actions to crack down on apparent violations of its Customer Proprietary Network Information (CPNI) rules, designed to protect the privacy of telephone subscribers by restricting a carrier’s ability to use or disclose subscribers’ personal telephone records. These actions were spurred by the profusion of Internet “data brokers” who sell personal consumer information obtained from telephone call records, and of “pretexting,” defined as the practice of pretending to be the telephone subscriber in order to obtain such data from the telephone service provider. We reported that the FCC had: (1) directed all telecommunications carriers, both wireline and wireless, to immediately file certifications demonstrating their ongoing compliance with the CPNI rules; (2) launched investigations into several carriers’ CPNI compliance efforts and into the practices of many data brokers; (3) proposed forfeitures against AT&T and AllTel of $100,000 each for alleged failures to comply with CPNI certification rules; and (4) proposed new rules to require telecom carriers to institute significant new security measures to protect the privacy of customer records.
Since our last report, there have been new developments on many fronts:
- FCC Rules. The FCC is expected to issue additional and tougher rules aimed at carrier protection of consumers’ private information by this summer. Among measures under study are the issuance of passwords that would be needed to access consumers’ private information, the encryption of stored consumer data, and a requirement that consumers give specific “opt-in” permission prior to carrier use of certain information. Industry comments generally opposed such additional obligations, arguing instead for more vigorous enforcement of existing rules and prosecutions of “pretexters.”
- FCC Enforcement. In addition to the aforementioned proposed forfeitures of $100,000 against AT&T and AllTel, on April 21 the FCC’s Enforcement Bureau proposed to assess an identical penalty against Cbeyond Communications, for the same alleged offense of failing to execute an annual certificate attesting to the company’s establishment of procedures to assure compliance with the existing CPNI rules. The FCC’s continuing activity in this regard indicates strongly that all carriers must have such CPNI protection procedures in place and execute the certifications required by the rules on an annual basis. The Bureau stressed that “there may be no more important obligation on a carrier’s part than protection of its subscribers’ proprietary information.”
- FTC Enforcement. Since the FCC’s jurisdiction is somewhat limited to service providers and its ability to penalize non-carrier data brokers and “pretexters” is limited, the Federal Trade Commission (FTC) has filled the void. On May 1, the FTC filed enforcement lawsuits against five online data brokers, alleging that they have illegally obtained and sold confidential telephone records to third parties. The FTC charged that these practices are “likely to cause substantial injury to consumers” and thus constitute “unfair practices” in violation of the FTC Act, and asked the court to issue permanent injunctions against the companies, as well as to order them to forfeit the revenues obtained from these practices. In bringing these lawsuits, the FTC cited the assistance of the FCC and of Cingular, Sprint-Nextel and Verizon. The agency also disclosed that it has issued scores of “warning letters” to other such Internet website operators.
- Proposed Legislation. Congress has also gotten into the act. Legislation to increase penalties for such consumer privacy violations, expand the FCC’s and FTC’s jurisdiction, and mandate additional regulations has been introduced in both the House of Representatives and the Senate, and has been unanimously approved by the House Energy & Commerce Committee.
In sum, it is virtually certain that new regulations and/or laws to increase service provider obligations to protect the privacy of customer telephone records will be enacted this year. In the meantime, providers should take care to ensure that they have programs and procedures in place that satisfy the existing CPNI rules, and to execute and file the required annual officer’s certificate with the FCC.
California Consumer Protection Rules
In May 2004, the California Public Utilities Commission (CPUC) adopted General Order 168 (“GO 168”) setting forth a broad new set of consumer protection rules for both wireline and wireless carriers. (D.04-05-057) The new rules would have governed many aspects of the carrier-customer relationship, including service initiation procedures and disclosures, contract modifications, format and content of bills and resolution of billing disputes.
The CPUC stayed the rules in January 2005 in order to assess their impact on carriers.
On Dec. 22, 2006, CPUC President Peevey released a proposed decision calling for the adoption of much more light-handed provisions. These would include a statement of rights and freedom of choice principles applicable to all type of carriers, an aggressive consumer education campaign and the establishment of a new Telecommunications Consumer Fraud Unit at the CPUC. The decision proposed the elimination of the more prescriptive elements of the original rules, including a repeal of the rules requiring prior customer authorization for inclusion of non-communications charges on telephone bills.
On Jan. 25, 2006, new Commissioner Dian Grueneich issued an alternate proposed decision which would have reinstated many of the more prescriptive elements of the original rules.
At its meeting on March 2, 2006, the CPUC approved the Peevey proposed decision. This decision adopts a revised GO 168 containing a more streamlined consumer protection regime as described above. Carriers must bring their operations into compliance with the new provisions within 180 days of the mailing date of the decision (March 9, 2006), which is Sept. 5, 2006.
Massachusetts Proceeding on Billing and Termination Practices; Rules Potentially Extended to VoIP and Wireless Services
On April 7, 2006, the Massachusetts Department of Telecommunications and Energy opened a Notice of Inquiry into the billing and termination practices of telecommunications carriers offering local residential service (Docket 06-8). The Department intends to review and amend its current rules in this area.
The Department will evaluate whether the rules should apply to services and providers not covered currently (such as in-state long distance and pre-paid services). The Department also will consider whether minimum consumer protections should apply for voice service, regardless of how that service is delivered, and to what extent the rules should apply to emerging/alternative technologies (such as Voice Over Internet Protocol and wireless).
Opening comments are due by June 6, 2006, and reply comments by July 10, 2006. Based on the comments received, the Department may conduct technical sessions and/or hearings. The Department then expects to distribute draft rules for further comment.
New York Service Quality Proceeding
The New York Department of Public Service recently issued a notice regarding review and revision of its service quality rules in light of advances in technology and increased intermodal competition (Case 06-C-0481, April 21, 2006). The Department is seeking input through a “consultative process,” which includes meetings in Albany between Department staff and interested parties.
Based upon the input received, the Department hopes to issue a proposed revision of the existing regulations by the end of July 2006. The Department then will accept written comments on the proposal.
FCC Completes Rulemaking to Implement Junk Fax Prevention Act of 2005
The Federal Communications Commission (FCC) has completed its rulemaking to adopt regulations codifying the “established business relationship” or “EBR” exemption to the federal prohibition on unsolicited facsimile advertisements in the Telephone Consumer Protection Act (TCPA). The codification was necessary under the Junk Fax Prevention Act, which mandated that the FCC reinstate the “EBR exemption” that the agency announced it would eliminate in 2003 (after it had been in effect since 1992) in favor of requiring prior written consent for unsolicited fax ads. The new rules create a new “do-not-fax” regime for unsolicited advertisements whereby those who send such faxes must maintain an internal list of recipients who “opt out” of further faxes from the sender.
The TCPA and FCC rules basically prohibit using any device to send to a telephone facsimile machine any “unsolicited advertisement,” defined as “material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without the person’s prior express invitation or permission, in writing or otherwise.” Unless the sender has such prior express permission, the only way to send a fax ad is under the EBR exemption. The new FCC rules and Report & Order adopting them, among other things, (1) clarify the scope of the EBR exemption; (2) require senders to provide notice and contact information that allows recipients to “opt-out” of future faxes from the sender; and (3) specify the circumstances under which a request to “opt-out” is effective. Highlights include:
- The FCC issued a reminder that faxes subject to its rules because they contain unsolicited advertising must include in the margin at the top or bottom of the first page, or on each transmitted page, the date and time sent, identification of the sender, and a telephone number of the sending machine or of the entity sending the fax.
- The FCC clarified that reference to a commercial entity does not by itself make a fax an ad—for example, company logos or slogans on a statement would not convert it into an ad as long as the primary purpose is non-advertising (e.g., to relay account information), nor does a fax contain advertising if it merely seeks to facilitate, complete, or confirm a transaction the recipient previously agreed to enter with the sender.
- The FCC defined “EBR” for purposes of the exemption as “a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a business or residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction…which relationship has not been previously terminated by either party.”
- The FCC established procedures whereby all unsolicited fax ads must contain a “clear and conspicuous” notice at the top or bottom of the first page stating the recipient is entitled to request that the sender not send future unsolicited ads, as well as domestic contact phone and fax numbers for recipients to make opt-out requests and at least one cost-free mechanism for doing so (e.g., website, email address, toll-free phone number, or toll-free fax number).
- The FCC determined that senders must comply with opt-out requests in the shortest reason¬able time, not to exceed thirty (30) days, or sooner if the sender has the capacity to do so.
The FCC has published the rules in the Federal Register and they accordingly have acquired an effective date of Aug. 1, 2006 (though most of the rules, except for the definitions associated with them and the right of consumers to make do-not-fax requests, are subject to approval by the Office of Budget and Management and cannot take effect until that occurs, approval is expected sufficiently in advance of Aug. 1 to allow all the rules to take effect together). For more information, see "Fax Advertising: What You Need to Know" (FCC Consumer Facts) at http://www.fcc.gov/cgb/consumerfacts/unwantedfaxes.html.
FTC Proposes to Raise National Do-Not-Call Registry Fees. Yet Again.
The FTC issued a rulemaking notice proposing that this year’s National Do-Not-Call Registry (NDNCR) fee increase will raise the cost to $62 per area code (up from $56 last year) up to a maximum of $17,050 (from last year’s $15400) for 280 area codes or more (there are approximately 300 area codes nationwide). This will be the third increase since the NDNCR originally was implemented in 2003 (the FTC imposed annual increases in 2004 and 2005 as well), and will mean that since 2003 the cost will have risen from $25 per area code with a maximum of $7,375 to the amounts currently proposed.
The FTC continues to report that the vast majority of companies (58,300) that access the NDNCR do so under a five-area-codes-or-fewer-for-free allowance, and that 1,300 are exempt entities that are not required to access the NDNCR but do so voluntarily and, accordingly, without cost under FTC rules. Consequently, the full cost of the registry is shouldered by 6,500 entities, less than 1,000 of which are paying the full price to access 280 or more area codes. Nevertheless, the FTC proposes to continue to exempt from NDNCR fees all entities that access five or fewer area codes and that access the registry voluntarily. Though the FTC states that it is open to comment on these exemptions, it has said the same thing each of the past years it has raised the fee (and has received comments seeking a more equitable distribution of the registry’s costs) but never has revised the rules. Comments on this point, as well as on the fee increase generally, must be filed by June 1, 2006.
The Perils of an Appeal: PSC Increases Slamming Fine to Over $55,000
The Michigan Public Service Commission (PCS) imposed a $55,000 fine on a California company for slamming a single customer. In the Matter of Home Instead Senior Care against Silv Communication Inc., U-14584, 2006 WL 287149 ( Mich. P.S.C. Jan. 31, 2006).
After an initial hearing, in which Silv did not appear, the ALJ issued a Proposal for Decision recommending a fine of $20,000 (the minimum penalty for a first offense under Michigan law), plus an additional $5,055 for expenses.
Before the PCS Silv argued that the ALJ’s proposed fine was disproportionate because it exceeded Silv’s net per annum account receipts in Michigan and inappropriate because Silv had relied on the services of a third-party marketing firm. Silv requested the penalty be reduced to $250 an amount based on an unsolicited settlement offer it had made to the customer upon learning of the error.
The PSC held that Silv’s defenses did not qualify under the statute. PSC also increased the fine to from $20,000 to $50,000 (the maximum amount allowed) because, in light of an early disposition, this matter was not a first-time violation. In addition, it affirmed the $5,055 of costs previously recommended by the ALJ.
Texas High Court Bars TCPA Claims Prior to Legislative Opt-In
The Texas Supreme Court adopted a distinctly minority view in its interpretation of the private right of action provision of the federal junk fax statute. Chair King, Inc. v. GTE Mobilnet of Houston, Inc. 184 S.W.3d 707 (Tex. 2006). In a recent decision, the court held that the statute, more formally known as the Telephone Consumer Protection Act, 47 U.S.C. § 227 (TCPA), was not effective until the State enacted legislation eight years later allowing claimants to assert such claims.
Congress enacted TCPA in 1991 to create a federal private right of action because although many states had promulgated regulations limiting unsolicited telemarketing, constitutional constraints prevented them from using state law to reach interstate communications. The Texas courts describe the resulting federal law as containing an “unusual constellation of statutory features.” Indeed, although TCPA provides a federal private right of action for recipients of junk faxes, it confers almost exclusive jurisdiction on the state courts to entertain it (the exception being that attorney generals may seek injunctive relief in federal court).
TCPA grants those who receive illegal faxes a private cause of action in state court “if otherwise permitted by the laws or rules of court of a State.” 47 U.S.C. § 227(b)(3). Following its enactment, courts throughout the United States have considered whether the statutory language “if otherwise permitted by the laws...of a State” means that state legislatures must affirmatively act by passing new laws allowing TCPA claims before any private right of action can be asserted.
Most courts reading this provision have adopted an “opt-out” approach, which interprets the TCPA to immediately authorize private rights of action in state court, while recognizing that states have the right to legislatively opt out by prohibiting such claims. The Chair King opinion collects decisions from many of these jurisdictions.
The Texas Supreme Court recent opinion charts new ground, however, by adopting an “opt-in” approach to TCPA, which requires affirmative state action. In Texas such affirmative action was not taken for almost eight years when the legislature amended the Business and Commerce Code to allow parties to bring suit in state court for TCPA violations. Under the court’s Chair King ruling, illegal faxes sent prior to the opt-in date are not actionable under TCPA in Texas state courts.
Enforcement Corner
In addition to the enforcement actions discussed above, the FCC or its Enforcement Bureau have recently taken the following consumer-oriented actions:
- Universal Service: The FCC issued a final forfeiture of $715,031 against Globcom, Inc. for failing to contribute to the federal Universal Service Fund (USF). The Commission stated that “Globcom’s violations strike at the core of the Commission’s mission to promote access to affordable, quality telecommunications services for all Americans."
- E-Rate: The FCC’s Enforcement Bureau suspended two companies, NextiraOne LLC and Premio, Inc. from the “E-Rate” federal schools and libraries universal service program, following their separate convictions on fraud and related charges stemming from their participation in the E-Rate program, and initiated proceedings to debar both companies from participation in the program.
- Wireless E911: The FCC issued a proposed forfeiture of $750,000 against Dobson Cellular Systems and its affiliate American Cellular Corp. for alleged “egregious” failures to provide E911 services within six months of valid requests by relevant Public Safety Answering Points (PSAPs). The FCC cited 50 separate instances of the companies’ failures to respond to PSAP requests.