Privacy & Information Security Law Blog

Bloomberg Law reported that the Federal Communications Commission adopted rules creating a voluntary cybersecurity labeling program for wireless consumer Internet of Things products, as well as a further notice of proposed rulemaking that seeks comments addressing additional disclosure requirements for program participants with respect to national security.

On March 13, 2024, the Federal Communications Commission’s updates to the FCC data breach notification rules (the “Rules”) went into effect. They were adopted in December 2023 pursuant to an FCC Report and Order (the “Order”).

On February 8, 2024, the Federal Communications Commission declared that calls using AI- generated, cloned voices fall under the category of “artificial or prerecorded voice” within the Telephone Consumer Protection Act (“TCPA”) and therefore are generally prohibited without prior express consent, effective immediately. Callers must obtain prior express consent from the recipient before making a call using an artificial or prerecorded voice, absent an applicable statutory exemption or emergency.

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

On September 21, 2022, the Federal Communications Commission (“FCC”) announced a proposed combined fine of $3.4 million against Sinclair Broadcast Group, Nexstar Media Group and 19 other broadcast television licensees for violations of rules limiting commercial matter in children's television programming.

As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to reign in telemarketing text messages.

On July 27, 2020, the Enforcement Bureau of the Federal Communications Commission (the “FCC”) designated the Industry Traceback Group (“ITG”) as the FCC’s official consortium for coordinating efforts to trace illegal robocalls. The ITG is a collaboration of wireline, wireless, VoIP and cable industry companies, led by USTelecom, with the mission of tracing and identifying the source of illegal robocalls. According to the ITG, it conducted more than 1,000 trace-back operations in 2019 and unmasked the source of more than 10 million robocalls.

The meaning of an “automatic telephone dialing system” (“ATDS”) as defined by the Telephone Consumer Protection Act (“TCPA”) has been hotly contested since the D.C. Circuit invalidated the prior Federal Communications Commission (“FCC”) rulings interpreting the TCPA in 2018. The Ninth Circuit has held that merely calling numbers from a stored list is sufficient to meet the definition of an ATDS, while the Third Circuit has at least indicated that the ability to generate numbers randomly or sequentially is the defining characteristic.

On May 8, 2018, Senator Ron Wyden (D–OR) demanded that the Federal Communications Commission investigate the alleged unauthorized tracking of Americans’ locations by Securus Technologies, a company that provides phone services to prisons, jails and other correctional facilities. Securus allegedly purchases real-time location data from a third-party location aggregator and provides the data to law enforcement without obtaining judicial authorization for the disclosure of the data. In turn, the third-party location aggregator obtains the data from wireless carriers. Federal law restricts how and when wireless carriers can share certain customer information with third parties, including law enforcement. Wireless carriers are prohibited from sharing certain customer information, including location data, unless the carrier has obtained the customer’s consent or the sharing is otherwise required by law.

On February 28, 2018, the Federal Trade Commission issued a report, titled Mobile Security Updates: Understanding the Issues (the “Report”), that analyzes the process by which mobile devices sold in the U.S. receive security updates and provides recommendations for improvement. The Report is based on information the FTC obtained from eight mobile device manufacturers, and from information the Federal Communications Commission collected from six wireless carriers.

On February 26, 2018, the United States Court of Appeals for the Ninth Circuit ruled in an en banc decision that the “common carrier” exception in the Federal Trade Commission Act is “activity-based,” and therefore applies only to the extent a common carrier is engaging in common carrier services. The decision has implications for FTC authority over Internet service providers, indicating that the FTC has authority to bring consumer protection actions against such providers to the extent they are engaging in non-common carrier activities. The Federal Communications Commission (“FCC”) has previously ruled that Internet access service is not a common carrier service subject to that agency’s jurisdiction.

Recently, the FTC and FCC announced their intent to enter into a Memorandum of Understanding (“MOU”) under which the agencies would coordinate their efforts following the adoption of the Restoring Internet Freedom Order (the “Order”). As we previously reported, if adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services. 

Recently, FCC Chairman Ajit Pai released a draft of the Restoring Internet Freedom Order (the “Order”). If adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services.

On March 1, 2017, the Federal Communications Commission (“FCC”), under the new leadership of Chairman Ajit Pai, voted 2-1 to issue a temporary stay of the data security obligations of the FCC’s Broadband Consumer Privacy Rules (the “Rules”), which were to go into effect March 2, 2017. The temporary stay will remain in place until the FCC is able to act on pending petitions for reconsideration.

This post has been updated. 

On October 27, 2016, the Federal Communications Commission (“FCC”) announced the adoption of rules that require broadband Internet Service Providers (“ISPs”) to take steps to protect consumer privacy (the “Rules”). According to the FCC’s press release, the Rules are intended to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.” 

On October 27, 2016, the Federal Communications Commission (“FCC”) will vote on whether to finalize proposed rules (the "Proposed Rules”) concerning new privacy restrictions for Internet Service Providers (“ISPs”). The Proposed Rules, which revise previous versions introduced earlier this year, would require customers’ explicit (or “opt-in”) consent before an ISP can use or share a customer’s personal data, including web browsing and app usage history, geolocation data, children’s information, health information, financial information, email and other message contents and Social Security numbers.

On November 5, 2015, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.

On November 2, 2015, Federal Communications Commission (“FCC”) Chairman, Tom Wheeler, indicated in an interview that the agency would take on the issue of broadband privacy within the next several months, most likely in the form of a notice of proposed rulemaking. Chairman Wheeler said that the FCC’s inquiry would look at the privacy practices of “those who provide the networks” (i.e., Internet service providers (“ISPs”)) and how such businesses are protecting their customers’ information.

On September 11, 2015, the Federal Communications Commission (“FCC”) announced that Lyft Inc. (“Lyft”) and First National Bank Corporation (“FNB”) violated the Telephone Consumer Protection Act (“TCPA”) by forcing their users to consent to receive automated text messages as a condition of using their services. The FCC warned that these violations could result in fines if they continue.

On July 10, 2015, the Federal Communications Commission (“FCC”) released a Declaratory Ruling and Order that provides guidance with respect to several sections of the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling and Order responds to 21 separate requests from industry, government and others seeking clarifications regarding the TCPA and related FCC rules.

On May 20, 2015, the Federal Communications Commission (“FCC”) released an Enforcement Advisory announcing that its previously-released Open Internet Order “applies the core customer privacy protections of Section 222 of the Communications Act to providers of broadband Internet access service” and that the statutory provisions of Section 222, which historically have been used to protect Consumer Proprietary Network Information on telephone networks, will apply to broadband providers when the Open Internet Order goes into effect on June 12, 2015. This approach will expand broadband providers’ requirements to protect consumer privacy and limit their use of consumer data.

On April 15, 2015, the Federal Communications Commission (“FCC”) announced that it has joined the Asia Pacific Privacy Authorities (“APPA”), the principal forum for privacy authorities in the Asia-Pacific Region. APPA members meet twice a year to discuss recent developments, issues of common interest and cooperation. The FCC now joins the Federal Trade Commission as the U.S. representatives to APPA.

On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.

On April 1, 2015, the Global Privacy Enforcement Network (“GPEN”) released its 2014 annual report (the “Report”). This Report marks the first time that GPEN has issued an annual report highlighting the network’s accomplishments throughout the year. GPEN is a network of approximately 50 privacy enforcement authorities from around the world, including the Federal Trade Commission and the Federal Communications Commission.

On December 19, 2014, the Federal Trade Commission announced a settlement of at least $90 million with mobile phone carrier T-Mobile USA, Inc. (“T-Mobile”) stemming from allegations related to mobile cramming. This settlement amount will primarily be used to provide refunds to affected customers who were charged by T-Mobile for unauthorized third party charges. As part of the settlement, T-Mobile also will pay $18 million in fines and penalties to the attorneys general of all 50 states and the District of Columbia, and $4.5 million to the Federal Communications Commission.

On November 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including a report on the International Conference of Data Protection and Privacy Commissioners, highlights on the Council of the European Union’s proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation, and U.S. highlights on California’s breach report and Federal Communications Commission enforcement actions.

On November 1, 2014, the Global Privacy Enforcement Network (“GPEN”) posted a media release on their workshop held on October 12, 2014, in Mauritius on the use of publicity as a regulatory compliance technique. The workshop, attended by 44 commissioners and staff from around the world, focused on different issues concerning privacy enforcement, including the effectiveness of monetary penalties in enforcing data protection laws and the diverse approaches to enforcement publicity. In addition, there was a public demonstration of the recently expanded World Legal Information Institute’s International Privacy Law Library, which is said to be the largest freely accessible and searchable database of privacy law materials in the world.

On October 24, 2014, the Federal Communications Commission announced that it intends to impose a $10 million fine on TerraCom, Inc. (“TerraCom”) and YourTel America, Inc. (“YourTel”) for violating privacy laws relating to their customers’ personal information. This announcement marks the FCC’s first enforcement action in the data security arena as well as its largest privacy action to date.

On October 28, 2014, the Federal Communications Commission announced that it has joined the Global Privacy Enforcement Network (“GPEN”), a network of approximately 50 privacy enforcement authorities from around the world. The FCC is the second U.S. privacy enforcement authority to join GPEN. The other U.S. member, the Federal Trade Commission, helped establish the network in 2010.

On October 8, 2014, the Federal Trade Commission announced an $80 million settlement with mobile phone carrier AT&T Mobility, LLC (“AT&T”) stemming from allegations related to mobile cramming. The $80 million payment to the FTC is part of a larger $105 million settlement between AT&T and various federal and state regulators, including the Federal Communications Commission and the attorneys general of all 50 states and the District of Columbia. According to the FCC, “[t]he settlement is the largest enforcement action in FCC history.”

On September 3, 2014, the Federal Communications Commission announced that Verizon has agreed to pay $7.4 million to settle an FCC Enforcement Bureau investigation into Verizon’s use of personal information for marketing. The investigation revealed that Verizon had used customers’ personal information for marketing purposes over a multiyear period before notifying the customers of their right to opt out of such marketing.

On July 31, 2014, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on its Telemarketing Sales Rule (“TSR”) as “part of the FTC’s systematic review of all current Commission regulations and guides.” In the press release accompanying the Federal Register notice, the FTC stated that its questions for the public focus on (1) the use and sharing of pre-acquired account information in telemarketing, and (2) issues raised by the use of negative-option and free-trial offers in combination with general media ads designed to generate inbound telemarketing calls from consumers. The FTC’s review process comes less than a year after the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules became effective.

On May 19, 2014, the Federal Communications Commission announced that Sprint Corporation agreed to pay $7.5 million to settle an FCC Enforcement Bureau investigation stemming from allegations that the company failed to honor consumers’ requests to opt out of telemarketing calls and texts. Sprint also agreed to implement a two-year plan to help ensure future compliance with Do-Not-Call registry rules.

On October 16, 2013, the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules go into effect. As we previously reported, the revisions require that businesses obtain “express written consent” prior to advertising or telemarketing through (1) autodialed calls or text messages, or prerecorded calls to consumers’ mobile numbers, and (2) prerecorded calls to consumers’ residential lines. In addition, the FCC’s revisions eliminate the exemption that allowed businesses to place prerecorded advertising or telemarketing calls to a consumer’s residential phone line if the business had a pre-existing business relationship with the consumer.

The Obama Administration is in the process of finalizing its review of a statutory electronic surveillance proposal initially developed by the FBI, and is expected to support the introduction of a modified version as legislation. The proposal addresses concerns raised by law enforcement and national security agencies regarding the widening gap between their legal authority to intercept real-time electronic communications pursuant to a court order, and the practical difficulties associated with actually intercepting those communications. According to the government, this gap increasingly prevents the agencies from collecting Internet-based phone calls, emails, chats, text messages and other communications of terrorists, spies, organized crime groups, child pornography distributors and other dangerous actors. The FBI refers to this as the “going dark” problem.

On September 12, 2012, Congressman Edward Markey (D-MA) released a bill that would require companies to tell customers about monitoring software installed on their mobile devices and obtain customers’ express consent before engaging in monitoring. These requirements would apply to mobile phone makers, network providers and application developers.

• Best practices for privacy disclosures on mobile platforms and how they can be short, effective and accessible to consumers;
• how to put disclosures in proximity to offers on mobile platforms;
• social media disclosures; and
• the placement of material information on webpages.

On June 11, 2012, the Federal Communications Commission published in the Federal Register its final revised rules requiring prior express written consent for all autodialed or prerecorded telemarketing “calls” to wireless phones, and for prerecorded telemarking calls to residential lines. The FCC takes the position that the “calls” covered by this written consent requirement include essentially all marketing-oriented text messages. The FCC’s rules implement the findings of the Commission’s February 2012 Report and Order.

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On June 28, 2011, the Federal Communications Commission and the Federal Trade Commission convened a public education forum entitled “Helping Consumers Harness the Potential of Location-Based Services.”  Representatives of telecommunications carriers, technology companies and consumer advocacy organizations discussed technological developments and how best to realize the benefits of location-based services without compromising privacy.

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  First, Senator Rockefeller noted S. 917, the Do-Not-Track Online Act of 2011, a bill he introduced that would allow consumers to tell online companies that they do not want their personal information collected and require companies to honor those requests.  Second, the Senator referenced S. 799, the Commercial Privacy Bill of Rights Act of 2011, legislation introduced by Senators John Kerry (D-MA) and John McCain (R-AZ) that would comprehensively address privacy protection.  Finally, Senator Rockefeller spoke about S. 1207, the Data Security and Breach Notification Act of 2011, which he and Senator Mark Pryor (D-AR) reintroduced.  That bill would impose an obligation on companies to adopt basic security measures to protect sensitive consumer data and require companies to notify affected consumers in the event of a breach.  Senator Rockefeller emphasized several times his committee’s jurisdiction over privacy and data security issues.

In a pair of lawsuits filed against Twitter, Inc. and American Express Centurion Bank, plaintiffs in a California federal court are seeking class-action status to assert claims that the defendants violated the Telephone Consumer Protection Act (“TCPA”) by sending each plaintiff a single text message to confirm that they had processed the plaintiff’s request to opt-out of receiving further text messages.  This litigation highlights a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices (the “MMA’s Best Practices”), the authoritative compilation of policies enforced by the major wireless carriers.

“LOANMOD TXT MSGS VIOL8 LAW, SEZ FTC.”  So reads the headline on the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog.  The posting announced the FTC’s complaint against a marketer who sent more than 5.5 million spam text messages at a “mind boggling” rate of about 85 per minute, every minute of every day.  Allegedly, most or all of the messages were unsolicited, and, like most text messages, they caused many recipients to incur standard text messaging charges.

On March 1, 2011, the United States Supreme Court issued a unanimous ruling in Federal Communications Commission v. AT&T Inc., finding that corporations are not entitled to “personal privacy” and therefore may not invoke Exemption 7(C) of the Freedom of Information Act (“FOIA”).  AT&T sought to employ this exemption, which prevents the disclosure of law enforcement records that “could reasonably be expected to constitute an unwarranted invasion of personal privacy,” to prohibit the Federal Communications Commission (the “FCC”) from turning over documents in response to a trade association’s FOIA request.  Applicable federal law defines “person” to include “an individual, partnership, corporation, association, or public or private organization other than an agency;” AT&T contended that the adjective “personal” is a derivative of the noun “person,” giving it “personal privacy” rights as a “private corporate citizen.”