Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading
As one of the last states to retain highly restrictive (and arguably anti-competitive) telemedicine practice standards, health care providers, regulatory boards, technology companies, payors and other stakeholders have been actively monitoring Texas’ approach to telemedicine regulation and the related Teladoc case. Texas has eliminated its most restrictive requirement for delivering care via telemedicine in Texas, increasing opportunities for providers to reach patients using technology. Senate Bill 1107 was passed on May 11, 2017, and the House added an amendment in passing Senate Bill 1107, which was approved in the Senate on May 18. The bill was signed into law by Governor Abbott last weekend.
On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.
In an age where providers are increasingly taking the management of their patient’s health online and out of the doctor’s office, the creation of scalable and nimble patient engagement tools can serve to improve patient experience, health care outcomes and health care costs. While the level of enthusiasm for these tools is at an all-time high, there is a growing concern about the unexpected deterrent to the adoption of these tools from an unlikely source: the Telephone Consumer Protection Act of 1991 (TCPA).
Many professionals in the health industry have come to share two misconceptions about the TCPA: first, that the TCPA only applies to marketing phone calls or text message “spam,” and second, that the TCPA does not apply to communications from HIPAA covered entities to their patients/health plan members. These misconceptions can be costly mistakes for covered entities that have designed their patient engagement outreach programs without include a TCPA compliance strategy.
As discussed in a previous post, the TCPA was originally intended to curb abusive telemarketing calls. When applying the law to smarter and increasingly innovative technologies (especially those that we see in the patient engagement world), the TCPA poses significant compliance challenges for the users of these tools that arguably threaten to curb meaningful progress on important public health and policy goals.
Despite its initial scope of addressing robocalls, the TCPA also applies to many automated communications between health care providers and their patients, and between plans and their members. There is a diverse array of technical consent requirements that apply depending on what type of phone call you make. For instance, most auto-dialed marketing calls to cell phones require prior express written consent, meaning that the caller must first obtain written consent before making the call. To make compliance more compliance, callers remain responsible for proving consent and the accuracy of the numbers dialed.
Indeed, the TCPA presents a serious challenge for patient engagement tools, especially when violations of the TCPA can yield statutory damages of up to $1,500 per call or text message. While Federal Communications Commission orders over the past several years have added some clarity and a “safe harbor” for HIPAA-covered entities to help entities achieve compliance, there is still no “free pass” from the TCPA’s requirements. Therefore, covered entities and the business associates who work for them should not assume that compliance with HIPAA offers any security of defense against a successful claim under the TCPA.
The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not utilize secure text messaging platforms to transmit patient care orders. TJC’s earlier position provided that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, and policies and procedures.
TJC identified the rationale for the reinstated prohibition against secure text messaging for patient care orders as one of patient safety—after “weighing the pros and cons” TJC and the Centers For Medicare and Medicaid Services (CMS) concluded that as the impact of the modality on patient safety remained unclear, and determined that approving its use was premature.
Read more here about how this clarification impacts health care organizations.
Last Friday, July 10, 2015, the Federal Communications Commission (FCC) released Declaratory Ruling and Order 15-72 (“Order 15-72”) to address more than 20 requests for clarity on FCC interpretations of the Telephone Consumer Protection Act (TCPA). The release of Order 15-72 follows a June 18th open meeting at which the FCC adopted the rulings now reflected in Order 15-72 that are intended to “close loopholes and strengthen consumer protections already on the books.”
Keys rulings in Order 15-72 include:
- Confirming that text messages are “calls” subject to the TCPA;
- Clarifying that consumers may revoke their consent to receive robocalls (i.e., telemarketing calls or text messages from an automated system or with a prerecorded or artificial voice) “at any time and through any reasonable means”;
- Making telemarketers liable for robocalls made to reassigned wireless telephone numbers without consent from the current account holder, subject to “a limited,one-call exception for cases in which the caller does not have actual or constructive knowledge of the reassignment”;
- Requiring consent for internet-to-phone text messages;
- Clarifying that “nothing … prohibits” implementation of technology that helps consumers block unwanted robocalls;
- Allowing certain parties an 89-day (after July 10, 2015) window to update consumer consent to “prior express written consent” as the result of an ambiguous provision in the 2012 FCC Order that established the “prior express written consent” requirement; and
- Exempting from the consent requirement certain free “pro-consumer financial- and healthcare-related messages”.
We are reviewing the more than 135 pages of Order 15-72, as well as the separate statements of FCC Commissioners Wheeler, Clyburn, Rosenworcel (dissenting in part), Pai (dissenting) and O’Rielly (dissenting in part). Please check back soon for more information and analysis.
On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.
The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.
The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.
It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.
The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.
In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.
This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.
For those Of Digital Interest readers attending the Brand Activation Association’s (BAA) 36th Annual Marketing Law Conference, please join McDermott partner – and Of Digital Interest editor – Julia Jacobson as she moderates a panel titled “New and Unexpected: Developments in Mobile Marketing – Mobile Tracking, Apps and Mobile Payments.” She will be joined by Ira Schlussel of HelloWorld, Inc., Paul Twarog of Google Inc. and co-moderator Terese Arenth. The panel session starts at 3:20 pm on Thursday, November 6. We hope to see you there.
A recent ruling by the Ninth Circuit took an expansive view of vicarious liability under the Telephone Consumer Protection Act (TCPA). Reversing the district court’s grant of summary judgment, the court in Gomez v. Campbell held that a marketing consultant could be held liable for text messages sent in violation of the TCPA, even though the marketing consultant itself had not sent the texts and even though the texts were sent on behalf of the marketing consultant’s client, not the consultant itself.
Among other things, the TCPA prohibits (with certain exceptions) the use of automatic telephone dialing systems in making calls to cellphones. Both the Federal Communications Commission (FCC) and the courts have interpreted this provision to bar the use of automated systems to send unsolicited texts to cellphones. In Gomez, the Campbell-Ewald Company had been hired by the Navy to conduct a multimedia recruiting campaign. Campbell-Ewald had then outsourced the text-messaging component of the campaign to a third party, Mindmatics. Mindmatics then allegedly sent text messages to the plaintiff and others who had not given consent.
On appeal, Campbell-Ewald raised two variations of the arguments that it should not be held liable for texts that it had not itself sent. First, Campbell-Ewald argued that it did not “make” or “initiate” any calls under the TCPA because Mindmatics had sent the texts. As the statue only provides for liability for those that “make” or “initiate” prohibited calls, Campbell-Ewald argued that it could not be held liable. Second, addressing another potential avenue of liability, Campbell-Ewald noted that the FCC had interpreted the TCPA to allow for liability against those “on whose behalf” unsolicited calls are made. But, Campbell-Ewald argued, it could not be held liable on this ground either because the texts had been sent on behalf of its client, the Navy, not Campbell-Ewald.
In the end, the Ninth Circuit sidestepped both these arguments and found Campbell-Ewald potentially liable on a third basis, “ordinary tort-related vicarious liability rules.” The court noted that where a statute is silent on vicarious liability—as the court judged the TCPA to be—traditional common law standards of vicarious liability apply. Thus, the court held, Campbell-Ewald could be liable under the TCPA based on the agency relationship between Campbell-Ewald and Mindmatics. The court further noted that FCC had stated that the TCPA imposes liability “under federal common law principles of agency,” and held that the FCC’s interpretation was entitled to deference.
Finally, the court noted that it made little sense to subject both the actual sender and the ultimate client to liability, while absolving the middleman marketing consultant, noting, “a merchant presumably hires a consultant in party due to its experience in marketing norms.”
The decision reinforces the importance for companies to closely monitor anyone sending texts or placing calls on their behalf or at their direction. Following Gomez, it is clear that any company that had a role in sending unsolicited calls or texts can potentially be held liable under the TCPA; and the company with the deepest pockets usually becomes the target, no matter home minimal its role in the alleged violation.