On April 3, 2017, President Trump signed a repeal of new Federal Communications Commission (FCC) rules that would have subjected broadband internet service providers (ISPs) to more stringent consumer privacy regulations. Specifically, the FCC’s rule would have required ISPs to obtain opt-in consent from consumers before using and sharing sensitive information such as geo-location, web browsing history and app usage history.  This repeal allows Internet providers to compete with “edge providers” (which were not covered by the new FCC rules) in mining consumer browsing history and contributing to targeted online advertising.

This repeal, in and of itself, does not create any landmark changes in the legal landscape–the new FCC rules were only passed late last year, and had not yet taken effect. However, it is symptomatic of the Trump administration’s antipathy towards government regulation of consumer privacy.  More importantly, President Trump’s retreat has already begun to spur state legislatures and Attorneys General to strengthen their stance on privacy, concentrating scrutiny at the state level.

For example, in Massachusetts, Republican state senators introduced legislation on April 7 that would bar ISPs from selling browsing histories without customers’ explicit permission. That bill would also prohibit ISPs from charging increased rates to consumers who refuse to share their personal information.

Similarly, last week in Illinois, lawmakers introduced multiple measures that would impose new restrictions on companies that collect or use geo-location information, enable or turn on device microphones, and transfer Illinois consumers’ data to third parties. Illinois legislators are also scheduled to hear two more bills, introduced in March, that specifically target commercial website operators.  Other state legislatures that have introduced or otherwise begun to consider Internet privacy bills in the last three weeks include Connecticut, Kansas, Maryland, Montana, New York, Washington, and Wisconsin.

This shift is also becoming evident via increased executive enforcement at the state level. Advertisements and applications that use and share consumers’ location appear to be an area of particular concern.  For example, in March, the Massachusetts AG’s office obtained a settlement with an advertising company that used geofencing to send targeted anti-abortion ads to consumers in certain cities who entered reproductive health clinics.  In New York, the Office of the Attorney General (OAG) recently entered settlements with three health and fitness mobile application operators, which demand, among other things, that the app providers limit or obtain affirmative consent prior to collection of certain sensitive information.

Though the Trump administration’s laissez-faire approach toward privacy might, at first glance, appear to signal a shift towards lightening the burden of privacy regulations, it may well have the opposite effect, by creating backlash at the state level.  Accordingly, businesses, particularly those who operate online, will need to be more cognizant than ever of differing state policies moving forward.

On March 31, the U.S. Court of Appeals for the D.C. Circuit struck down a Federal Communications Commission (FCC) rule requiring that solicited fax advertisements contain a notice on how to opt out of future faxes. Following the ruling, such opt-out notices will be required only in unsolicited fax advertisements. The decision in Bais Yaakov of Spring Valley, et al. v. Federal Communications Commission, et al. will significantly impact litigation — particularly class action litigation — involving the failure to include an opt-out notice on fax advertisements.

Under the Junk Fax Prevention Act of 2005, an amendment to the Telephone Consumer Protection Act applicable to fax communications, businesses are prohibited from faxing unsolicited advertisements. “Unsolicited advertisements” are defined as advertising material “transmitted to any person without that person’s prior express invitation or permission.” The law contains an exception when three requirements are met: (1) the sender and recipient have an established business relationship; (2) the sender obtained the fax number from the recipient, through their communications or by virtue of the recipient publishing it to a directory or website; and (3) as relevant here, the advertisement contains an opt-out notice. The law goes on to require the opt-out notice to be “clear and conspicuous” and provide a free mechanism to opt out from future faxes.

In 2006, the FCC, purporting to exercise its authority to issue regulations and implement the law, issued a rule requiring that solicited fax advertisements contain opt-out notices. The law already required unsolicited fax advertisements to include an opt-out notice. Accordingly, under the FCC’s revised rules, businesses had to include opt-out notices on all fax advertisements — even if the recipient expressly consented to receive them.

This rule was challenged by a petitioner facing a $150 million class action lawsuit for failing to include opt-out notices on fax advertisements, many of which it had permission to send. The FCC argued that because the law required businesses to include opt-out notices on unsolicited fax advertisements, the FCC also had the authority to require businesses to include opt-out notices on solicited faxes.

The majority of the D.C. Circuit panel disagreed, finding nothing in the text of the law to convey such authority. Instead, the court noted that Congress had drawn a line between unsolicited and solicited fax advertisements, but the law did not require (or give the FCC authority to require) opt-out notices on solicited faxes. That was all the court needed to know to resolve the case.

The D.C. Circuit also rejected the FCC’s argument that it could require opt-out notices on solicited faxes because Congress did not define the phrase “prior express invitation or permission” in the law. The court found the argument “difficult to follow,” noting that the phrase “prior express invitation or permission” went to whether a fax was solicited or unsolicited (and requiring an opt-out notice) — not the other way around. The court also found the FCC’s argument that its rule was good policy to be irrelevant because a “good policy does not change the statute’s text.”

Notably, Judge Pillard, who also serves on the panel deciding ACA International’s appeal of the FCC’s 2015 TCPA Omnibus Order, dissented. Judge Pillard determined that the FCC had the implicit authority to require opt-out notices for solicited fax advertisements stemming from Congress’ direction to the FCC to prescribe regulations to implement the law. In addition, Judge Pillard adopted the FCC’s difficult-to-follow argument that “the inclusion of an opt-out notice is part of what makes subsequent faxes ‘solicited’ at all.”

Judge Pillard’s opinion appears to be motivated by a desire to provide a uniform mechanism for opting out. She reasoned that if a fax contains an opt-out mechanism and a recipient does not opt out, then the recipient has agreed to receive future advertisements (i.e., solicited advertisements). As the panel recognized, such reasoning removes any distinction Congress drew between solicited and unsolicited advertisements in the law. Judge Pillard’s ruling in this case may suggest that she will also rule in favor of the FCC in the much-anticipated decision in the ACA International appeal.

The D.C. Circuit’s decision will impact litigation relating to the absence of an opt-out notice on fax advertisements. First, there is no longer any liability for the failure to include an opt-out notice where the recipient consented to receive the fax. Second, the decision will undoubtedly impact class certification in actions arising from the failure to include an opt-out notice because the question of whether the opt-out notice is required is now an individualized question that turns on whether the recipient consented to receive the fax.

This morning the FCC voted along party lines to adopt rules subjecting broadband internet service providers (ISPs) to new consumer privacy regulations. According to the FCC’s press release, the rules give “customers the tools they need to make informed decisions about how their information is used.”  This includes requiring ISPs to gain opt-in consent from consumers to use and share sensitive information, like geo-location, web browsing history and app usage history.  The rules make a point to exclude the privacy practices of web sites and other “edge services” where the Federal Trade Commission currently has authority. The official Report and Order is expected to be published within the next few days. Check back to Password Protected next week for an in-depth analysis of the Report detailing what impact it will have on industries and consumers.

The 3-2 vote broke down as follows: Chairman Wheeler and Commissioner Rosenworcel approving; Commissioner Clyburn approving in part and concurring in part; and Commissioner Pai and Commissioner O’Rielly dissenting.


Yesterday the Federal Communications Commission (FCC) revealed its revamped broadband privacy regulations. In March, the FCC initially proposed privacy rules which were highly criticized by everyone from the Federal Trade Commission (FTC) to small business owners. The new rules contain less regulation and more closely resemble the FTC approach to privacy. In fact, FTC Chairwoman Edith Ramirez has already issued a statement regarding the FCC privacy proposal in which she applauds the FCC for listening to the FTC’s input and reiterates that the FTC has “decades” of experience in regulating privacy.

What’s Required

The rules would require internet service providers (ISPs) to explain the following to a customer when the customer signs up for service:

  • what information is collected;
  • how and for what purpose the ISP uses and/or shares the information; and
  • who the ISP shares the information with.

Compliance Guidelines

The FTC’s influence is most evident in the guidelines for protecting customer information. The regulations, which are meant to be flexible and allow for changes in technology, require the ISP to engage in “appropriately calibrated” and “reasonable” practices to protect consumer data.

Examples of appropriately calibrated practices include:

  • up-to-date and relevant industry best practices;
  • appropriate accountability and oversight of its security practices;
  • implementation of robust customer authentication tools; and
  • proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Opt-In

Under the rules, ISPs would be required to obtain “opt-in” consent to use sensitive customer information including:

  • geo-location
  • children’s information
  • health information
  • financial information
  • Social Security numbers
  • web browsing history
  • app usage history
  • the content of communications

Data Breach Requirements

The FCC regulations also seek to protect consumers during a data breach by requiring ISPs to engage in “common-sense” breach practices. This breach requirement would be “triggered by the ISP’s determination that an unauthorized disclosure of a customer’s personal information has occurred, unless the ISP establishes that no harm is reasonably likely to occur.”  While there is little explanation of how the ISP should make the breach determination, or what “harm” means, the FCC does provide a breach timeline for the ISP to follow.

Specifically, the FCC says that if the ISP determines there has been a breach, a provider is required to notify:

  • customers no later than 30 days after discovery;
  • the FCC no later than 7 business days after discovery; and
  • the FBI and the U.S. Secret Service no later than 7 business days after discovery of the breach if the breach affects more than 5,000 customers.

The proposed regulations make a point of noting they do not regulate the privacy practices of websites or apps (where the FTC is currently regulating) and they do not address government surveillance or encryption.

The FCC is scheduled to vote on the proposed regulations on October 27th.

Since its release on July 6, 2016, Pokémon Go has unofficially become the most successful mobile app to date.  Generating over 2 million dollars in revenue per day, it already has more daily users than Twitter, and the highest average time spent per day – more than WhatsApp, Instagram and Snapchat.  But that level of success does not come without data challenges.

Pokémon Go is a free, location-based augmented reality mobile game developed by Niantic and published by The Pokémon Company. To play the game, a user downloads the app, creates an account, logs in, and, based on their physical location, the app alerts the user to nearby Pokémon available for capture. The app accesses a user’s camera and GPS to allow a player to capture and battle Pokémon in virtual reality.

It was not long after its release that Pokémon Go was caught up in its first data privacy problem. By downloading the app, Pokémon Go users had given the app full access to their personal Google account, meaning the app was granted access to see and modify Google user account information, including everything stored in Google Drive.

When this error came to light, just six days after the app was released, the Pokémon Company and Niantic released a joint statement that the app “erroneously request[ed] full access permission for the user’s Google account.” The statement went on to say that the app “only accesses basic Google profile information (specifically, your User ID and e-mail address) and no other Google account information is or has been accessed or collected.”

After discovering the problem, Niantic released a security patch to correct it and limit the data collection to the more basic e-mail and User ID information. A review of Pokémon Go’s current Privacy Policy and Terms of Use does not reveal any unusual or unexpected data collection policies. In fact, the data security concerns were pushed aside as the app, which forces the user to physically move around to find and capture Pokémon, has been applauded for successfully integrating mobile phones with physical activity. Nevertheless, the app’s unprecedented popularity has opened it up to extreme scrutiny, including catching the attention of Senator Al Franken, ranking member on the Senate Privacy, Technology, and the Law Subcommittee.
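The defect described above is a least-privilege failure in the sign-in flow: the app asked for far more of the user’s Google account than it needed. The following is an added example, not Niantic’s or Google’s code, showing how a defender can gate an OAuth authorization request on a scope allow-list before the consent screen is ever shown. The allow-list, the hypothetical client and redirect values, and the two sample authorization URLs are constructed for this example; the scope strings are Google’s public OAuth 2.0 scope identifiers, and the Drive scope is used only as an illustration of an over-broad request.

```python
"""Least-privilege check for OAuth 2.0 scopes requested at sign-in.

Added example (not the app's or Google's own code). Given the authorization
URL an app is about to open, it extracts the space-separated ``scope``
parameter and reports anything beyond what a "User ID and e-mail" sign-in
actually needs. The allow-list and sample URLs are assumptions constructed
for this example.
"""
from typing import Iterable, Set
from urllib.parse import parse_qs, urlsplit

# Scopes sufficient for basic profile sign-in (assumption for this example):
# OpenID Connect identity plus e-mail and profile, in both short and long form.
ALLOWED_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def requested_scopes(auth_url: str) -> Set[str]:
    """Return the set of scopes carried in the URL's ``scope`` query parameter.

    ``parse_qs`` already decodes ``+`` and percent-escapes, so the value is a
    plain space-separated list of scope identifiers.
    """
    query = parse_qs(urlsplit(auth_url).query)
    scopes: Set[str] = set()
    for value in query.get("scope", []):
        scopes.update(token for token in value.split() if token)
    return scopes


def excess_scopes(auth_url: str, allowed: Iterable[str] = ALLOWED_SCOPES) -> Set[str]:
    """Scopes requested beyond the allow-list; an empty set means least privilege."""
    return requested_scopes(auth_url) - set(allowed)


def check_auth_request(auth_url: str, allowed: Iterable[str] = ALLOWED_SCOPES) -> bool:
    """True when every requested scope is allowed; usable as a pre-flight or CI gate."""
    return not excess_scopes(auth_url, allowed)


# Constructed sample authorization requests (hypothetical client and redirect).
OVERBROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid+email"
)

if __name__ == "__main__":
    for label, url in (("over-broad", OVERBROAD_REQUEST), ("minimal", MINIMAL_REQUEST)):
        extra = excess_scopes(url)
        verdict = "OK" if not extra else "REJECT: " + ", ".join(sorted(extra))
        print(f"{label}: {verdict}")
```

Run as a script it rejects the first request because of the Drive scope and accepts the second. The same `check_auth_request` call can sit in a unit test so that a later change to the sign-in code that widens the scope list fails the build rather than shipping to users.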

Senator Franken sent a letter to Niantic about the app’s privacy policy. The letter outlines seven specific questions about the app’s privacy policy including why Pokémon Go collects location data and asks for a list of Pokémon Go service providers with access to user information. The Senator requested a response by August 12, 2016.

While there are no official investigations into the app’s data policies, given the Federal Trade Commission’s interest in mobile privacy, location tracking and consumer protection, it is likely the agency will be keeping a close eye on the app to ensure Pokémon Go has followed appropriate consumer protection measures. There is also an opportunity for the Federal Communications Commission to get involved.  Using Pokémon Go can quickly consume a user’s data plan.  In response to that concern, telecommunications carriers are already considering a new kind of data plan – offering customers unlimited or free data for a period of time while using Pokémon Go. The practice of not charging a customer for specific data is known as zero-rating. The FCC’s net neutrality rules prevent access providers from prioritizing content, but they do not ban zero-rating policies. Zero-rating is not new to telecommunications, but its application to Pokémon Go comes at an interesting time because of its similarity to net neutrality.

Despite the questions surrounding the app’s data policies, there is no obvious damage to Pokémon Go’s success. Within a week of release, Pokémon Go faced, and arguably recovered from, its first major data privacy problem. But that is just the beginning for Pokémon Go.  Hackers have already targeted the app, claiming to have shut it down for a period of time on July 16th and July 17th.  Nevertheless, nothing seems to be slowing down the growth of Pokémon Go, which has caught the attention of millions of users worldwide and a few lawmakers as well.

The Federal Communications Commission (FCC) has faced intense opposition to its proposed privacy rules for internet service providers (ISPs) – and debate is expected to escalate very soon. The U.S. Senate Committee on the Judiciary begins its review of the proposal tomorrow.

Originally released April 1, 2016, the 147-page Notice of Proposed Rulemaking requires ISPs to acquire customer consent before using customers’ data for certain purposes and mandates that ISPs take additional steps to protect customers’ personal information. According to FCC Chairman Tom Wheeler, “[the] proposal would give all consumers the tools we need to make informed decisions about how our ISPs use and share our data, and confidence that ISPs are keeping their customers’ data secure.”

Under the proposed rule, customers’ data is separated into three categories, with each category requiring a different type of consent from a customer in order for the ISP to share or use the information. According to the proposed rule, consumers inherently consent to allowing ISPs to use data necessary for the use and marketing of broadband services by creating a customer-ISP relationship. However, all other customer data would be subject to an opt-out or an opt-in consent. Specifically, ISPs would be allowed to share consumer data with their affiliates and use the data to market communications-related services unless the customer affirmatively opted out. But ISPs would be barred from using or sharing the customers’ data for all other purposes unless the customer affirmatively opted in.

Additionally, if enacted, the rule would also require ISPs to adopt reasonable safeguards to protect consumers’ information, including a mandatory reporting obligation for data breaches. Under the proposed rule, if a data breach occurs, ISPs would be required to inform the FCC within 7 days and the affected customers within 10 days of discovery. If the breach affected more than 5,000 customers, the ISP must inform the FBI and Secret Service within 7 days.

Since the FCC announced the proposed rule, the FCC has faced strong opposition from members of the telecommunications industry who believe the proposed rule undercuts ISPs’ ability to create and market new projects. Additionally, the proposed rule is seen as putting ISPs at a competitive disadvantage by requiring ISPs to obtain affirmative consent to use data when companies who host websites are not required to follow the same rules. According to a press release by the CTIA-The Wireless Association, “The FCC’s desired approach would distort competition, confuse consumers and undermine consumer privacy in the mobile economy.”

The debate over the FCC proposed rules is likely to intensify in the coming weeks. The U.S. Senate Committee on the Judiciary will be hosting a session examining the new rules on Wednesday, May 11, 2016, and the FCC will continue to accept comments on the proposed rule until May 27, 2016.

The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) recently formalized an agreement to cooperate when regulating the “deceptive, unfair, unjust and/or unreasonable” acts and practices of common carriers.  In addition to outlining the scope of the agencies’ enforcement authorities, the FCC-FTC Consumer Protection Memorandum of Understanding (MOU) details a commitment to information sharing, agency coordination, and joint enforcement when overlap occurs.

The MOU follows the FCC’s controversial net neutrality rulemaking earlier this year which eliminated the authority of the FTC—oft-billed as the nation’s top privacy cop—to regulate the privacy and security practices of broadband Internet service providers (ISPs).  The FCC’s Open Internet Order reclassified the delivery of broadband Internet access as a “telecommunications service” under Title II of the Communications Act of 1934, as amended by the Telecommunications Act of 1996.  ISPs, in turn, became telecommunications service providers exempt from enforcement actions as “common carriers” under Section 5 of the FTC Act.

Whether the reclassification of ISPs reflects a serious challenge to the FTC’s primacy in data privacy and security enforcement remains to be seen.  FTC Commissioner Julie Brill downplayed the impact of reclassification in recent comments citing the FTC’s continuing Section 5 authority over Internet-based companies such as “apps, edge services, ad networks, advertisers, publishers, data brokers, [and] analytics firms.”  The FTC also has argued, and at least one court has agreed, the FTC can continue enforcement of its Section 5 authority against common carriers engaged in non-common carrier activities—a position the FCC joined in the MOU.

The potential interplay between the FTC and FCC under the MOU may present opportunities for both agencies.  The FTC has long called for a repeal of the statutory exemption preventing its regulation of common carriers.  By demonstrating increased effectiveness through deployment of the agencies’ complementary powers, the FTC may make its case for dual enforcement of data privacy and security issues across the common carrier industries.  The FCC, on the other hand, will have time to overcome detractors’ claims that it lacks experience.  Barring a statutory overhaul, the FCC’s increasingly aggressive approach suggests the agency is poised to engage in significant consumer privacy rulemaking and enforcement actions in the coming years.

The MOU sets a trial period of sorts while Congress and the courts decide the contours of consumer data privacy protections.  Industry stakeholders should take note: success or failure, the MOU is likely to drive future legislation and regulation.