Telephone Consumer Protection Act

In an age where providers are increasingly taking the management of their patient’s health online and out of the doctor’s office, the creation of scalable and nimble patient engagement tools can serve to improve patient experience, health care outcomes and health care costs. While the level of enthusiasm for these tools is at an all-time high, there is a growing concern about the unexpected deterrent to the adoption of these tools from an unlikely source: the Telephone Consumer Protection Act of 1991 (TCPA).

Many professionals in the health industry have come to share two misconceptions about the TCPA: first, that the TCPA only applies to marketing phone calls or text message “spam,” and second, that the TCPA does not apply to communications from HIPAA covered entities to their patients/health plan members. These misconceptions can be costly mistakes for covered entities that have designed their patient engagement outreach programs without include a TCPA compliance strategy.

Compliance Challenges

As discussed in a previous post, the TCPA was originally intended to curb abusive telemarketing calls. When applying the law to smarter and increasingly innovative technologies (especially those that we see in the patient engagement world), the TCPA poses significant compliance challenges for the users of these tools that arguably threaten to curb meaningful progress on important public health and policy goals.

Despite its initial scope of addressing robocalls, the TCPA also applies to many automated communications between health care providers and their patients, and between plans and their members. There is a diverse array of technical consent requirements that apply depending on what type of phone call you make. For instance, most auto-dialed marketing calls to cell phones require prior express written consent, meaning that the caller must first obtain written consent before making the call. To make compliance more compliance, callers remain responsible for proving consent and the accuracy of the numbers dialed.

Indeed, the TCPA presents a serious challenge for patient engagement tools, especially when violations of the TCPA can yield statutory damages of up to $1,500 per call or text message. While Federal Communications Commission orders over the past several years have added some clarity and a “safe harbor” for HIPAA-covered entities to help entities achieve compliance, there is still no “free pass” from the TCPA’s requirements. Therefore, covered entities and the business associates who work for them should not assume that compliance with HIPAA offers any security of defense against a successful claim under the TCPA.

Continue Reading The TCPA: An Unexpected Deterrent to Patient Engagement Tools

Last Friday, July 10, 2015, the Federal Communications Commission (FCC) released Declaratory Ruling and Order 15-72 (“Order 15-72”) to address more than 20 requests for clarity on FCC interpretations of the Telephone Consumer Protection Act (TCPA). The release of Order 15-72 follows a June 18th open meeting at which the FCC adopted the rulings now reflected in Order 15-72 that are intended to “close loopholes and strengthen consumer protections already on the books.”

Keys rulings in Order 15-72 include:

  • Confirming that text messages are “calls” subject to the TCPA;
  • Clarifying that consumers may revoke their consent to receive robocalls (i.e., telemarketing calls or text messages from an automated system or with a prerecorded or artificial voice) “at any time and through any reasonable means”;
  • Making telemarketers liable for robocalls made to reassigned wireless telephone numbers without consent from the current account holder, subject to “a limited,one-call exception for cases in which the caller does not have actual or constructive knowledge of the reassignment”;
  • Requiring consent for internet-to-phone text messages;
  • Clarifying that “nothing … prohibits” implementation of technology that helps consumers block unwanted robocalls;
  • Allowing certain parties an 89-day (after July 10, 2015) window to update consumer consent to “prior express written consent” as the result of an ambiguous provision in the 2012 FCC Order that established the “prior express written consent” requirement; and
  • Exempting from the consent requirement certain free “pro-consumer financial- and healthcare-related messages”.

We are reviewing the more than 135 pages of Order 15-72, as well as the separate statements of FCC Commissioners Wheeler, Clyburn, Rosenworcel (dissenting in part), Pai (dissenting) and O’Rielly (dissenting in part). Please check back soon for more information and analysis.

In a case that could shape the future of data privacy litigation, the Supreme Court recently agreed to review the decision by the U. S. Court of Appeals for the Ninth Circuit under the Fair Credit Reporting Act (FCRA) in Robins v. Spokeo, Inc.  At issue is the extent to which Congress may create statutory rights that, when violated, are actionable in court, even if the plaintiff has not otherwise suffered a legally-redressable injury.

Spokeo is a data broker that provides online “people search capabilities” and “business information search” (i.e., business contacts, emails, titles, etc.).   Thomas Robins (Robins) sued Spokeo in federal district court for publishing data about Robins that incorrectly represented him as married and having a graduate degree and more professional experience and money than he actually had.  Robins alleged that Spokeo’s inaccurate data caused him actual harm by (among other alleged harms) damaging his employment prospects.

After some initial indecision, the district court dismissed the case in 2011 on the grounds that Robins had not sufficiently alleged any actual or imminent harm traceable to Spokeo’s data.  Without evidence of actual or imminent harm, Robins did not have standing to bring suit under Article III of the U.S. Constitution.  Robins appealed.

On February 4, 2014, the Court of Appeals for the Ninth Circuit announced its decision to reverse the district court, holding that the FCRA allowed Robins to sue for a statutory violation: “When, as here, the statutory cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages.” The Court of Appeals acknowledged limits on Congress’ ability to create redressable statutory causes of action but held that Congress did not exceed those limits in this case.  The court held that “the interests protected” by the FCRA were “sufficiently concrete and particularized” such that Congress could create a statutory cause of action, even for individuals who could not show actual damages.

Why Spokeo Matters

If the Supreme Court reverses the Ninth Circuit’s decision, the decision could dramatically redraw the landscape of data privacy protection litigation in favor of businesses by requiring plaintiffs to allege and eventually prove actual damages.  Such a ruling could severely limit lawsuits brought under several privacy-related statutes, in which plaintiffs typically seek statutory damages on behalf of a class without needing to show actual damages suffered by the class members.  Litigation under the FCRA, the Telephone Consumer Protection Act and the Video Privacy Protection Act (among others statutes) all could be affected.

A recent ruling by the Ninth Circuit took an expansive view of vicarious liability under the Telephone Consumer Protection Act (TCPA).  Reversing the district court’s grant of summary judgment, the court in Gomez v. Campbell held that a marketing consultant could be held liable for text messages sent in violation of the TCPA, even though the marketing consultant itself had not sent the texts and even though the texts were sent on behalf of the marketing consultant’s client, not the consultant itself.

Among other things, the TCPA prohibits (with certain exceptions) the use of automatic telephone dialing systems in making calls to cellphones.  Both the Federal Communications Commission (FCC) and the courts have interpreted this provision to bar the use of automated systems to send unsolicited texts to cellphones.  In Gomez, the Campbell-Ewald Company had been hired by the Navy to conduct a multimedia recruiting campaign.  Campbell-Ewald had then outsourced the text-messaging component of the campaign to a third party, Mindmatics.  Mindmatics then allegedly sent text messages to the plaintiff and others who had not given consent.

On appeal, Campbell-Ewald raised two variations of the arguments that it should not be held liable for texts that it had not itself sent.  First, Campbell-Ewald argued that it did not “make” or “initiate” any calls under the TCPA because Mindmatics had sent the texts.  As the statue only provides for liability for those that “make” or “initiate” prohibited calls, Campbell-Ewald argued that it could not be held liable.  Second, addressing another potential avenue of liability, Campbell-Ewald noted that the FCC had interpreted the TCPA to allow for liability against those “on whose behalf” unsolicited calls are made.  But, Campbell-Ewald argued, it could not be held liable on this ground either because the texts had been sent on behalf of its client, the Navy, not Campbell-Ewald.

In the end, the Ninth Circuit sidestepped both these arguments and found Campbell-Ewald potentially liable on a third basis, “ordinary tort-related vicarious liability rules.”  The court noted that where a statute is silent on vicarious liability—as the court judged the TCPA to be—traditional common law standards of vicarious liability apply.  Thus, the court held, Campbell-Ewald could be liable under the TCPA based on the agency relationship between Campbell-Ewald and Mindmatics.  The court further noted that FCC had stated that the TCPA imposes liability “under federal common law principles of agency,” and held that the FCC’s interpretation was entitled to deference.

Finally, the court noted that it made little sense to subject both the actual sender and the ultimate client to liability, while absolving the middleman marketing consultant, noting, “a merchant presumably hires a consultant in party due to its experience in marketing norms.”

The decision reinforces the importance for companies to closely monitor anyone sending texts or placing calls on their behalf or at their direction.  Following Gomez, it is clear that any company that had a role in sending unsolicited calls or texts can potentially be held liable under the TCPA; and the company with the deepest pockets usually becomes the target, no matter home minimal its role in the alleged violation.

Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014 and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.

Class Action Litigation Predictions

2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions.  Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer.  With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year.  And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.

That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA.  2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes. 

In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes.  One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year.  Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.

Matt Turnell, Partner

Government Responses to Data Breaches

As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal.  I expect to see in 2014:

  • Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
  • More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
  • More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
  • Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.

Similarly, with the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services (HHS) Office of Inspector General Report decrying HHS Office for Civil Rights’ (OCR) recent pace of HIPAA-related auditing and enforcement will lead to a jump in HIPAA breach reporting and harder lines taken by OCR with respect to investigation dispositions.  Therefore, expect increased settlement counts and dollar values in the OCR enforcement during 2014, too.

Substantively, expect enforcement agencies to continue focusing their greatest attention on companies that they perceive as foot-dragging or stone-walling on notification obligations in the aftermath of breaches.

David Gacioch, Partner

Last week’s Seventh Circuit ruling in Patriotic Veterans v. State of Indiana  confirms that businesses should check both federal and state laws before using automatic dialing systems (ATDS) to deliver prerecorded or synthetic voice messages known as “robocalls”.

The Telephone Consumer Protection Act (TCPA) is a federal law that generally prohibits robocalls to residential telephone lines without the prior express consent of the party receiving the call.  However, calls that are not made for a commercial purpose, including calls made for political purposes, are exempt from the TCPA.

The TCPA contains a preemption clause that states “nothing in this section . . . shall preempt any State law that imposes more restrictive intrastate requirements or regulations on, or which prohibits:

  • the use of automatic telephone dialing systems;
  • the of artificial or prerecorded or prerecorded voice messages;” (emphasis added)

Notably, the State of Indiana’s Automated Dialing Machine Statute imposes “more restrictive” requirements, because while it does have some limited exemptions, it does not contain the TCPA’s exemption for political calls.

In Patriotic Veterans, an Illinois based non-profit sought to make robocalls for political purposes across state lines to Indiana residents.  Not wanting to pay for the live callers that would be required under the Indiana law, Patriotic Veterans filed a complaint in federal court against the State of Indiana and the Indiana Attorney General, seeking a declaration that the Indiana law was, among other things, pre-empted by the TCPA.

The District Court agreed with Patriotic Veterans, holding that the TCPA preempted the Indiana statute and granting Patriotic Veteran’s request for an injunction against enforcement of Indiana’s law with respect to political messages, but stayed the injunction pending the appeal.

The Seventh Circuit Court of Appeals reversed.  The Court concluded that there was no express preemption in the statutory language because “the TCPA says nothing about preempting laws that regulate the interstate use of automatic dialing systems. Therefore, we must conclude that they are not preempted. The plain language of the text reinforced by the presumption against preemption prevents this court from looking any further[.]”  The Court further concluded that there was no implied preemption for two reasons: (1) the federal regulatory scheme is not so pervasive or dominant as to make clear that Congress intended to occupy the entire legislative field, and (2) it is possible to comply with both laws (even if inconvenient or expensive for Patriotic Veterans).

What Does This Mean for Businesses?

The ruling in Patriotic Veterans further confirms that mere compliance with the TCPA is not enough.  Courts are unlikely to strike down state laws that are more restrictive than the TCPA, so it is important for businesses that are developing a robocalling strategy to check the laws of the states where they plan to contact residents.  Any such strategy should include a plan to comply with both the TCPA and the applicable state law requirements.

The Federal Communications Commission (FCC)’s Report and Order 12-21 (Order 12-21), issued in February 2012, describes revised telemarketing rules that became effective during the past 12 months.

The FCC’s telemarketing rules are issued under the Telephone Consumer Protection Act (TCPA) and apply to a telephone call to a residential landline or wireless number or a text message that is initiated for advertising or telemarketing purposes and uses an “automatic telephone dialer system” (ATDS) or an “artificial or prerecorded” voice message.

The three major changes implemented during the past year are:

(i) Abandoned calls rule effective November 16, 2012: Telemarketers must ensure that no more than three percent of calls answered by a person are “abandoned” (i.e., not answered by the telemarketer within two (2) seconds after the called person answers) during a 30-day calling campaign period;

(ii) Opt-out mechanism effective January 14, 2013: Artificial or prerecorded telemarketing messages must include an automated, interactive mechanism that enables the called person to opt out of receiving future prerecorded messages; and

(iii) Prior express written consent rule effective October 16, 2013: “Prior express written consent” (as described below) of the called person is required[i] for:

  • telemarketing calls to a wireless telephone number when an artificial or prerecorded message or ATDS is used;
  • telemarketing text messages sent using an ATDS; or
  • telemarketing calls to a residential landline telephone number using an artificial or prerecorded message.

“Prior express written consent” means a written agreement signed by the called person that clearly authorizes delivery of advertising or telemarketing messages using an ATDS or an artificial or prerecorded voice message and clearly states that agreeing is not a condition of buying any product or service.  A written agreement may be “signed” electronically using any method recognized under the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act) or applicable state contract law.  The E-SIGN Act recognizes a signature as an “electronic sound, symbol or process” that is “attached or logically associated with” an agreement and “adopted by a person with the intent to sign.”

Although industry standards have required express opt-in consent for recurring text messaging programs prior to implementation of the FCC’s prior express written consent rule, consent obtained under the old regulatory framework is not sufficient under the new FCC consent rule because (among other requirements) the “agreement” to which the consumer consents (i) must include reference to use of automated technology and (ii) “must be obtained without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.”

Action Step for Marketers: Obtain New Opt-in Consent for Telemarketing and Mobile Marketing

Obtaining new opt-in consent consistent with the requirements of the new FCC consent rule is best practice because the sender bears the burden of proving that it has obtained prior express written consent that meets the FCC standards.  Relatedly, implementation of a record-keeping system through which evidence of compliant consent is retained for at least three years (i.e., the statute of limitations for contract claims) after the consumer opts out or after sending the last text message related to the consumer consent.

Read “Part 1:  Children’s Online Privacy Protection Act Amendments.”


[i] The FCC does not require prior express written consent for non-telemarketing calls and health-care-related calls subject to the Health Insurance Portability and Accountability Act (HIPAA) that are made to residential lines but prior express consent is required for such calls or text messages made/sent to wireless telephone numbers.