The FCC Establishes a Database Aimed at Reducing Robocalls: New Safe Harbor for Businesses, Additional Obligations for Telecom Providers

“Robocalling” – a term that broadly describes automatically-dialed calls, caller ID spoofing, recorded calls, and telemarketing – has become one of the biggest challenges for both callers and consumers.  According to robocall blocking service provider YouMail, 47.8 billion robocalls were placed in 2018.  Atlanta was once again the city in the U.S. receiving the most robocalls, with about 2.1 billion annually.  Rounding out the top five, were Dallas, New York, Los Angeles, and Chicago.

The Telephone Consumer Protection Act (“TCPA”) and its implementing rules restrict the making of telemarketing calls, the use of automatic telephone dialing systems, and the use of artificial or prerecorded voice messages, without the express consent of the dialed party.  A telemarketing call is also defined broadly to include text messages sent to wireless subscribers.  The requirements under the TCPA apply to all telemarketers, as well as all businesses that use automated phone equipment to interact with consumers, for example, to provide appointment reminders, account notifications, or other general business communications.

The North American Numbering Plan Administrator estimates that about 35 million numbers are disconnected and made available for reassignment to new customers each year.  This reassignment process means that a caller who previously obtained the express consent to call a given number may call that number without realizing that the number has been reassigned to a new party who has not given express consent to receive the call – which could lead to legal liability for the caller under the TCPA.

The Federal Communications Commission (“FCC”) has said that unwanted calls to reassigned numbers are a major problem.  Despite that there are existing tools available to address this issue, the FCC has determined that none are comprehensive.  Further, none appear to have adequately curbed the problem of making unwanted calls to reassigned numbers.

As a result, in December 2018, the FCC ordered the creation of a database that will enable callers to verify whether a telephone number has been reassigned before calling that number.  Those callers that rely on the reassigned numbers database will be provided a safe harbor from TCPA liability where the caller has prior express consent to make the call to the number that the database erroneously reported as not having been disconnected.  In addition, the FCC’s new rules will impose new reporting obligations on telecommunications service providers.

Businesses should look to use the reassigned numbers database because it will likely reduce both their potential liability for making unlawful calls to reassigned telephone numbers and operational costs as a result of targeted calling.  Telecommunications service providers should ensure that they are prepared to comply with the new recording and reporting obligations.

Permanent disconnection and aging. The FCC ordered the creation of a comprehensive database of numbers that have been permanently disconnected so businesses like banks and pharmacies that call customers frequently may avoid calling reassigned numbers.  Callers will be able to query the database before making a call to determine whether the number has been permanently disconnected.

“Permanent disconnection” means that a subscriber has permanently relinquished a number, or the provider has permanently reversed its assignment of the number to the subscriber so that the number is no longer associated with the subscriber for active service in the service provider’s records.  Permanent disconnection does not include instances where the phone number remains associated with the subscriber such as, for example, temporary disconnections for non-payment or when a consumer ports a number to another provider.

In the order, the FCC also adopted a minimum telephone number aging period of forty-five (45) days, establishing a minimum period of time a number must remain out of use before reassignment to a new customer.  Before this change, telecom providers could reassign telephone numbers to another consumer almost immediately.  The FCC reasoned that the more quickly a number is reassigned from one consumer to another, the less likely callers are to learn of the reassignment and the more likely a caller is to misdirect a call to the reassigned number.

Contents and use of the database.  The FCC will limit the contents of the database to the date of the most recent permanent disconnection for the affected telephone number.  The data made available to callers in response to a query will be limited to either “yes”, meaning the number has been reported as disconnected since the date the caller provides; “no”, meaning the number has not been reported as disconnected since the date the caller provides; or “no data”, meaning there is no information available for the number requested.

To ensure that the database is available to the widest number of users and accessible to any size caller, it will have the ability to process low volume queries, for example, via a website interface, or high-volume queries through a batch process or standardized application interface.  This means that a small dental office that texts their patients appointment reminders and a large outbound call center making thousands of calls each day can each use the database in a manner that works best for their respective operations. However, users of the database will be required to certify that they are using it solely to determine whether a number is permanently disconnected.

Safe harbor for users of the database.  Callers that use the database are granted a safe harbor from TCPA liability for calls made to numbers for which they had obtained prior express consent but, at the time of the call, relied on the database to determine that the number had not been reassigned.  The safe harbor shields the caller from liability if the database returned an inaccurate result.

Projected costs for users of the database.  Use of the database is voluntary, and those that choose to use it will be assessed a user fee.  In addition to the user fee, the FCC estimates the startup cost for callers to be one day of development and three days of testing for a single full-time engineer, resulting in about $2,160 for larger companies that would invest in the information technology resources to integrate with the reassigned numbers database.  Smaller companies are expected to have lower startup costs as a result of using an internet/web-based interface.

Service provider obligations and administration of the database. The order also requires all service providers that use the North American Numbering Plan to provide to the database administrator information about telephone number disconnections.  Those providers that do not receive their numbers directly from the North American Numbering Plan Administrator or the Pooling Administrator (for example, resellers and most VoIP providers) may delegate their reporting obligation to the service providers through which they obtain numbers.  The database administrator will be selected by the FCC through a competitive bidding process at a later time.

Similarly, toll free numbers, which are administered by the Toll Free Numbering Administrator, will also be included in the database.  The obligation to report the permanent disconnection status of toll free numbers will fall to the Toll Free Numbering Administrator.

Beginning 30 days after the rules are approved by the Office of Management and Budget, providers will be required to keep records of their permanent disconnections on a going-forward basis.   In addition, providers will be required to report their permanent disconnections to the database administrator on the 15th day of each month, with the exact start date to be announced by the FCC once the database is operational.   However, small providers (those providers with 100,000 or fewer domestic retail subscriber lines) will be granted a limited extension of six months from both the recordkeeping and reporting requirements.

While the timeframe for implementing the database and the foregoing changes is uncertain, this looks to be beneficial to all stakeholders once operational.

If you have any questions about how these recent developments may affect your liability under the TCPA or reporting obligations, please contact Joel Thomas at jthomas@fh2.com or (770) 399-9500.

Announcing our New Partner, Ben Byrd

We are pleased to announce that Ben Byrd has been named a Partner.

Ben focuses his practice on assisting businesses through litigation and regulatory advocacy compliance.  As a litigator, Ben represents his clients vigorously and professionally, and he has represented businesses in nearly every forum, from small-claims court all the way to the Georgia Supreme Court. As a regulatory attorney, he represents clients before state and federal regulatory bodies, including the Federal Communications Commission, state utility commissions and state legislatures. A substantial portion of his regulatory practice is devoted to advocating for his clients’ interests in the face of proposed telecommunications regulations or legislation. Regardless of the matter, Ben never forgets that the ultimate goal is to advance his clients’ business interests.

Ben is a graduate of the University of Georgia School of Law, cum laude, and received his undergraduate degree from the University of Georgia, summa cum laude.  He is admitted to practice in Georgia, and has been recognized as a Georgia Super Lawyer for 2017 and 2018 and chosen as a Georgia Rising Star in 2014.

Please join us in congratulating Ben!

Ben may be reached at bbyrd@fh2.com or at 770-399-9500. For more information on Ben, please click here

Susan J. Berlin Joins FH2

We are pleased to announce that Susan J. Berlin has joined our Firm as Senior Counsel.

Susan joins the FH2 telecommunications team and has an extensive background in federal and state public policy strategy and advocacy, government relations, administrative law and litigation, privacy, regulatory compliance and general telecommunications legal issues. Susan’s experience includes practicing law in-house, at a law firm, at a state agency, and as a member of industry associations.

Susan may be reached at SBerlin@fh2.com or at 770-399-9500. For more information on Susan, please click here

Laura Arredondo-Santisteban Joins FH2

We are pleased to announce that Laura Arredondo-Santisteban has joined our Firm as an associate attorney.

Laura will practice in the areas of telecommunications, advertising, marketing, advertising compliance and privacy. Laura’s experience includes representing clients in proceedings before the Federal Communications Commission, and assisting clients in the development of advertising, labeling and marketing materials, privacy policies, and customer terms and conditions.

Laura may be reached at LArredondo@fh2.com or at 770-399-9500. For more information on Laura, please click here

IoT and Connected Devices: Before Rushing In, Be Mindful of the Risks

If your business manufactures or uses a connected device or simply collects and stores user data, it may be exposed to legal liability.  Despite the transformative effects of such Internet of Things (“IoT”) technologies, the reality is that IoT will increase your business risk – know its sources and manage it.

What is IoT?

IoT is a concept that has existed for decades.  However, due to deep declines in the cost of sensors, computing and related technologies, IoT is now influencing the physical world in transformative ways.  To start, IoT describes a ubiquitous connection of devices or objects (“things”) that can be monitored, controlled or interacted with by Internet-connected electronic devices, allowing people to interact seamlessly with both the digital and physical world.  IoT centers on machine-to-machine communications and the idea that more information (i.e., data) leads to a deeper understanding of the physical world.  In turn, this deeper understanding creates greater value for the end-user.  On a small scale, IoT includes wearable technologies that, in real-time, allow a user to track how far she has run and to share this information with friends.  IoT technology also includes an array of conveniences in home automation and security.  For example, when a homeowner pulls into his driveway, IoT can automatically open the garage door, turn on lights inside the home, and disable the home security system.  On a much larger scale, IoT will maximize efficiencies in the way that cities consume power, manage traffic, and prepare for natural disasters.  Experts at Cisco and Ericsson estimate that there will be 50 billion connected devices by 2020.  Moreover, the McKinsey Global Institute values the IoT market somewhere between $3.9 trillion and $11 trillion by 2025.

Despite the countless opportunities that IoT presents, businesses should be wary of its major legal concerns: the capture and use of consumer data, and cybersecurity threats.  Further, businesses should have actionable plans for the governance and protection of consumers’ personally identifiable information.

Whose Data is it?

When things are always on – as is the case with IoT – data is continuously shared.  And although IoT creates new opportunities to solve existing problems, it raises new issues between private citizens and businesses operating in the digital space.  At present, there is much debate over the ownership of data that consumers disclose while using products and services: Do consumers retain ownership over their personal data or do businesses take ownership over such disclosures?  Consumer disclosures are often a necessary component of the utility of products and services.  These disclosures also aid the improvement to such products and services, thereby creating long-term benefits for the consumer.  Businesses that take care in drafting their terms and conditions contract for rights in these consumer disclosures.

Still, businesses must consider consumer privacy laws and the ethical concerns of collecting and storing consumers’ personal data.  Broadly, the FTC enforces consumer protection laws that protect consumers against unfair methods of competition or deceptive acts or practices.  But businesses should also be cognizant of the applicable regulatory frameworks for the industries in which they operate.  For instance, the Communications Act, as amended, and the FCC impose additional requirements for telecommunications carriers’ use of consumer information.  In addition, state laws and regulations may impose added responsibilities.  Also, U.S. companies that engage in cross-border data flows should be aware of additional data transfer laws and data sovereignty issues.  Similarly, ethical concerns for data privacy often arise out of the representations that businesses make concerning their use of data or the overbroad bulk collection of data, where either instance exceeds consumers’ reasonable expectations.  In recent proceedings, the FTC has brought enforcement actions against technology companies like Snapchat, Yelp, Google, and Facebook for violating their user privacy agreements.  There, the FTC found the companies to have deceived consumers over the amount of personal data the companies collected and made misrepresentations on how certain products or product features actually worked.

Businesses should always provide notice and obtain consent before collecting consumer information, and they must market truthfully and ensure their public commitments match actual practices for the collection, scope, retention, expressed purpose, and confidentiality of data.  Further, businesses should also be aware that private actions concerning the ownership of consumer data could arise in a number of ways – privacy, contract, or tort.

Legal Effects Remain Uncertain

Although connected products and services may amplify products liability concerns, cybersecurity must also be addressed.  It is clear that product and service providers who do not meet reasonable expectations in the cybersecurity of their product and service offerings will face liability.  But these requirements are still imprecise, as regulators have abstained from creating formal rules and have instead decided matters on a case-by-case basis.  For example, in separate proceedings, the FTC brought enforcement actions against Wyndham Hotels and Resorts and IP-camera maker Trendnet, alleging that the companies engaged in deceptive and unfair acts because of their failure to take reasonable security measures.  In both cases, the FTC alleged, among other things, that the companies unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft, because they stored personally identifiable consumer data in clear readable text and failed to use readily available security measures, like firewalls or software that would secure data transmissions.  Further, the FTC alleged that neither company regularly tested or monitored the security of its network.  Both cases carry twenty year settlement obligations.  In another case, the FCC held companies YourTel and TerraCom jointly and severally liable for fines totaling $10 million due to poor data security practices, where the companies stored personally identifiable consumer data online, without firewalls, encryption or password protection.  More recently, the Consumer Financial Protection Bureau fined financial-technology firm Dwolla for misrepresentations made concerning its data security practices.  Notably, in this case no data breach actually occurred.

Still, the effect of law becomes even more unpredictable when we begin to use existing technologies in disruptive ways that touch multiple industries.  For example, the advent of a “digital wallet” has created gaps, overlaps and ambiguities in applicable payments laws.     In the face of such ambiguity, many businesses unwittingly take on extreme risk as they add connectivity to products, introducing poorly designed, vulnerable hardware or software to the marketplace.

Businesses should build products with safety in mind to address cybersecurity concerns, designing their products or services around the possibility of hacks or breaks in the communication chain.  They should regularly monitor and update the security of their products and services as needed.  One of the greatest benefits of IoT is that updates, or patches, can be pushed from the manufacturer directly to the consumer without consumer involvement, which is not only convenient for the consumer, but also limits the business’s prolonged exposure to liability.  Even if a business does not offer ongoing support, it should notify consumers of security risks and available updates.  Larger businesses may want to implement bug bounty programs, which provide recognition or compensation to individuals that report bugs or find system vulnerabilities.

Take Time to Contract Thoroughly with Corporate Partners

Does your business collect or share data with corporate partners absent a formal contract?  Businesses should appreciate the danger for potential liability as the number of stakeholders who play a part in the value chain increases.  The Target and Home Depot data breaches occurring in December 2013 and September 2014, respectively, provide retail examples of the importance of security practices among corporate partners and finding a balance in the amount of access afforded to vendors.  In both instances, point-of-sale systems were compromised when third-party vendor credentials were stolen for back office systems.

Along with internal security measures, businesses should look to standardize security across the many stakeholders involved in their distribution chain.  If security cannot be standardized, businesses should work only with service providers who are capable of maintaining adequate security over the data for which they are responsible.  When contracting with corporate partners, a business should implement strong indemnity provisions that protect it against damages caused by the other party.  Further, businesses should maintain licensing and supply agreements between them and their corporate partners that clearly define: the scope of the data collected; the ownership of such data; the custodian of the data; the acceptable uses for the data; whether any third-parties will have access to the data; how to determine liability in the event of a breach; the side of the point of demarcation on which responsibilities lie; and how compliance will be verified.

Plan for a Breach before It Occurs

Lastly, businesses should have actionable plans for the governance and protection of data that contains consumers’ personally identifiable information.  Many companies maintain information of a wide scope under a false impression that more data is always more valuable.  But collecting and retaining large stores of information can actually make it more difficult for companies to realize a breach has occurred.

Businesses should follow these tips: limit the scope of data collected; do not retain data for longer than needed; anonymize data where possible; and be reasonable in the disposal of confidential documents.  Further, businesses that are custodians of large amounts of data that contain personally identifiable information should maintain cyber risk insurance.  Cyber risk insurance policies generally indemnify first party and third party losses that result from disruption to the company’s own network, data breaches of personally identifiable information, cyber extortion, and media liability.  (For a more in depth discussion on insurance coverage, be sure to read Michael Stewart’s post, “Insurance for Technology Businesses: Are You Covered?”)

Managing the Risks

As businesses release innovative products and services, they are faced with policymakers’ unclear expectations for security practices and uncertain applications of existing legal standards.  Businesses can reduce their legal exposure by marketing truthfully; knowing the consumer protection and data security laws and regulations that govern their industry; creating comprehensive data security programs that are verified through regularly scheduled audits; using reasonable security measures and addressing failures or opportunities for breach before a system is compromised; and having a plan in place to deal with a breach, including knowledge of the requirements for reporting it.

Friend, Hudak & Harris, LLP is at the forefront of inspecting and assessing the potential impact of IoT across a number of industries. This leaves us well positioned to guide clients through varied complexities, helping them to avoid or reduce technology related risks.

$500 In Damages for Using a Smartphone to Send a Text Message?

Most businesses that engage in telemarketing or fax marketing are aware of the Telephone Consumer Protection Act (TCPA), the federal Do Not Call list (and state Do Not Call lists in many states), and the importance of complying with their requirements when marketing their goods or services. But did you know that federal law limits the ways in which almost anyone can place calls or send text messages to residential and wireless telephone numbers even when they are not engaged in marketing? The Federal Communications Commission (FCC) recently issued a Declaratory Ruling clarifying several provisions of the TCPA. Review of the FCC’s order emphasizes the importance, and the difficulty, of complying with this law when using automatic dialing equipment—which may include any smartphone—or artificial or prerecorded voice messages.

What the TCPA Prohibits

In general and subject to limited exemptions, the TCPA and the FCC’s implementing regulations prohibit:

  • Making any marketing call to a telephone number included in the national Do Not Call database or to any residential telephone customer who has requested to be placed on the calling party’s do not call list
  • Initiating any non-emergency call using an automated telephone dialing system or an artificial or prerecorded voice to (i) any emergency telephone line, (ii) the telephone line of any guest room or patient room of a hospital, health care facility, elderly home or similar establishment, or (iii) any telephone number assigned to a wireless service or any service for which the called party is charged for the call, in each case, without the prior express consent of the called party (which must be written consent if the call is for a marketing purpose)
  • Initiating any commercial marketing call to a residential line using an artificial or prerecorded voice without the prior express written consent of the called party
  • Sending an unsolicited fax advertisement to anyone with whom the sender does not have an established business relationship or who has requested not to receive fax advertisements from the sender
  • Sending any fax advertisement (solicited or unsolicited) to anyone without including on the first page a notice advising the recipient how to opt out of receiving any further fax advertisements from the sender
  • Using an automatic telephone dialing system in such a way that two or more lines of a multi-line business are engaged simultaneously
  • Disconnecting an unanswered telemarketing call prior to at least 15 seconds or four rings
  • Abandoning more than 3% of telemarketing calls that are answered live by a person
  • “Spoofing” the Caller ID of any call with the intent to defraud, cause harm, or wrongfully obtain anything of value
  • Dialing any telephone number for the purpose of determining whether the line is a fax or voice line

The FCC’s Declaratory Ruling

The focus of the FCC’s recent Declaratory Ruling is on calls to wireless numbers using automated telephone dialing systems or artificial or prerecorded voice messages and calls to residential lines using artificial or prerecorded voice messages, which the FCC referred to collectively as “robocalls.” Alongside the increasing use of wireless phones, robocalls have become pervasive. One source estimates that approximately 1.45 billion robocalls were placed in the United States in December 2015. According to the source, more robocalls were placed to Atlanta residents in December than to residents of any other city, and the Atlanta 404 and 678 area codes were two of the three most robocalled area codes in America. And this count includes only voice calls, not text messages, which are also covered by the TCPA.

Text Messages as Calls

The FCC ruled in 2003 that Short Message Service (SMS) text messages are “calls” for purposes of the TCPA. In its recent order, it clarified that ruling, holding that any text message that is sent to a North American telephone number is a TCPA “call,” even if it originates as an email and is converted to a text message by an intermediate function.

Autodialers – Every Smartphone May Be an Autodialer

The first issue addressed in the FCC’s order, and possibly its most important aspect, is its clarification of what it means to “make a call … using any automated telephone dialing system,” or “ATDS.” The statute defines an ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” Citing dictionary definitions, the FCC ruled that the term “capacity” does not refer only to the capability of a device at the time that a call is made, but to the potential capability of using the device to dial stored or produced numbers randomly or in sequence, even if doing so would require the use of additional software or equipment to enable that capability. The only example the FCC provided of a device that can make a telephone call but is not at least potentially an ATDS was a rotary dial telephone. And as long as a device has the “capacity” to be an ATDS, it is irrelevant whether its autodialing function is used for a particular call; a manually dialed call using an ATDS is subject to the same rules as an autodialed call.

Software (“apps”) is available for smartphones that enables them to store telephone numbers and dial them. A dissenting commissioner pointed out that the FCC’s reasoning dictates the conclusion that every smartphone is an ATDS. The majority did not disagree, but only stated that it was not aware of smartphone users being sued by their friends and families or the companies with which they do business for calling them or sending them texts. And because it doesn’t matter whether the autodialing capability of an ATDS is used for a particular call, potentially (and somewhat absurdly) any call or text message using a smartphone to a wireless number requires the prior express consent of the called party.

The FCC also ruled that any Internet-based service that places calls or sends text messages to North American telephone numbers is an ATDS. Whether the user of the service or the service provider is the calling party who must have obtained the consent of the called party depends upon the totality of the circumstances. In most cases the user of the service is considered the calling party, but the service provider may also need the requisite consent if it controls part of the content of the call or text message or chooses some of the recipients.

Consent of the Called Party

The FCC also addressed how a caller may obtain the consent of the called party. Although written consent is required for robocalls that contain or link to advertising or constitute telemarketing, the FCC confirmed that no particular method of consent is required for non-marketing robocalls. In most cases, the fact that someone provides a wireless number as a contact number in connection with a relationship with another party constitutes consent to receive non-marketing robocalls to that number. A robocaller may obtain the consent of called parties through an intermediary, such as the organizer of a group, but the caller is liable for a violation if the intermediary did not actually obtain the consent of a called party. And the fact that someone is listed in the contact database of someone else who has provided consent does not constitute consent to receive robocalls.

Can I Include a Consent Requirement in My Terms of Service?

The FCC also emphasized that a residential or wireless telephone customer cannot be required to consent to receive robocalls as a condition of purchasing goods or services or otherwise doing business with the robocaller. Shortly before the FCC issued its Declaratory Ruling, PayPal revised its User Agreement to state “You consent to receive autodialed or prerecorded calls and text messages from PayPal at any telephone number that you have provided us or that we have otherwise obtained.” The FCC’s Enforcement Bureau sent PayPal a letter advising it that the new User Agreement violated the TCPA. It has also cited other businesses for seeking to impose similar consent requirements as part of their terms of service.

What if the Person Who Provided Consent Changes Phones?

A particular problem for anyone making robocalls to wireless numbers is the difficulty of being certain that the person who consented to receive the calls or texts still has the telephone number to which that consent applies. Some parties argued that the “prior express consent of the called party” should mean the consent of the “intended recipient,” so that consent to receive autodialed or recorded calls to a particular wireless number would remain valid after the wireless number was assigned to a different customer, as long as the caller intended such calls or texts for the customer who had provided the consent. The FCC rejected this argument, ruling that “the ‘called party’ is the subscriber, i.e., the consumer assigned the telephone number dialed and billed for the call, or the non-subscriber customary user of a telephone number included in a family or business calling plan.” Mitigating the basic problem only somewhat, the FCC adopted a “safe harbor” permitting one autodialed or recorded call to a reassigned wireless number as long as the caller had the prior express consent (written consent for marketing) of the previous subscriber or customary user of that number and has no knowledge of the reassignment of the number. Acknowledging that a single call to a reassigned number often will be insufficient to make a caller aware of the reassignment, the FCC said only that it could have interpreted the statute to prohibit even a single autodialed or recorded call to a reassigned number. The FCC also noted that misdialed calls and calls to numbers that were incorrectly entered into a dialing system enjoy no such safe harbor.

The risk associated with autodialed or recorded calls to misdialed or potentially reassigned numbers is enhanced by the FCC’s conclusion that a called party has no good faith obligation to advise the calling party that the number has been reassigned. “[T]he TCPA places no affirmative obligation on a called party to opt out of calls to which he or she never consented.” Even when the content of a call clearly indicates that it is intended for someone else, the FCC’s order almost encourages the called party to wait and sue after receiving several misdirected calls rather than tell the calling party that it has reached a wrong number.

Revocation of Consent

The TCPA provisions concerning fax advertisements include requirements for an opt-out notice and expressly permit someone who has invited or consented to fax advertisements to withdraw consent, but there is no similar provision with respect to autodialed or recorded calls. Some parties and a dissenting commissioner argued that this meant that once consent has been provided for the receipt of robocalls, that consent cannot be revoked. Others argued that the sender should be permitted to establish an exclusive method of revoking consent to receive robocalls, similar to the requirements for withdrawing consent to receive fax advertisements. The FCC rejected both arguments, ruling that residential and wireless customers may revoke their consent to receive robocalls at any time, by “any reasonable means,” including orally. The FCC stated that callers cannot limit in any way the method by which a called party may revoke consent.

The ability of a consumer to revoke consent by any reasonable means raises questions such as whether a national retail chain must honor a “stop robocalling me” request made orally to a cashier at a local store, or a technology company must honor such a request made in the midst of a technical support call. While someone engaged in robocalling cannot limit the methods by which called parties may revoke consent, however, there is no reason that the robocaller cannot publicize one or more simple, readily available ways to revoke consent to receiving its calls, thus potentially reducing the risk of receiving consent revocations by other means and possibly establishing an argument that a method by which someone claims to have revoked consent was unreasonable.

Robocall Blocking

In response to a request by the National Association of Attorneys General, the FCC ruled that there is nothing that prohibits telephone service providers or third parties from offering services that attempt to block robocalls. Any such services must be offered on an opt-in basis with adequate disclosure that they are imperfect and may inadvertently block other calls as well. But the FCC encouraged providers to offer such blocking services and hinted that it could require them to do so in the future. The Federal Trade Commission had previously granted a substantial award to the developer of one such service that works only for customers of some interconnected VoIP providers.

Liability

The TCPA authorizes a “person or entity” to sue the calling party for a violation of the robocall or fax advertising prohibitions, authorizes any person who has received more than one call in 12 months from the same entity in violation of the Do Not Call rules to sue that entity, and authorizes states to sue violators of any of the TCPA provisions. The statute provides that private actions may be brought in appropriate state courts and state enforcement actions must be brought in federal courts, but federal courts have held that they also have jurisdiction over private TCPA lawsuits. The plaintiff in a private action may recover the greater of $500 or actual damages for each violation (i.e., each prohibited call or fax), or up to three times that amount if the court determines that the violation was willful, and a state may recover $500 per violation. Some of the FCC’s interpretations of the TCPA are expressly based in part upon the difficulty that a consumer would face in pleading or proving a violation if it interpreted the TCPA differently.

Most private lawsuits for TCPA violations are filed as class actions, and many of them proceed as such, although some courts have ruled that class actions for robocalling violations cannot be certified because of the difficulty of identifying individuals who did not provide prior express consent to receive such calls or texts. Failure to stop robocalling upon request, however, can give rise to substantial liability even without a class action. Yahoo, for example, faces potential liability for damages of over $15,000,000 for sending over 24,000 text messages to a wireless number that had been reassigned to a different customer despite the new customer’s numerous, reasonable requests (including a conference call with representatives of Yahoo and the FCC) that it stop doing so. The trial court in that case initially ruled for Yahoo on the ground that it had not used an ATDS, but the appellate court recently sent the case back for reconsideration based upon the FCC’s ruling concerning what constitutes making a call using an ATDS.

Conclusion

As the FCC repeatedly stated in its order, the TCPA does not prohibit anyone from making any non-marketing call to anyone else without prior consent, as long as the call is not dialed using an ATDS or an artificial or prerecorded voice. And finally, with very limited exceptions, the TCPA expressly permits states to further restrict or prohibit altogether calls that are otherwise permitted by the TCPA.

Joel L. Thomas Joins FH2

We are pleased to announce that Joel L. Thomas has joined our Firm as an associate attorney.  Joel joins the FH2 telecommunications practice group and focuses on state, federal and local regulatory matters, as well as legislative and public policy advocacy. Joel began his career serving as a law clerk in the Cybersecurity and Communications Reliability Division and Policy and Licensing Division of the Federal Communications Commission. He received an undergraduate degree in Marketing, with a Logistics Minor and a Finance Collateral, from the University of Tennessee.  He earned his law degree from the University of Georgia in 2014.

Joel may be reached at jthomas@fh2.com or at 770-399-9500.  For more information on Joel, please Click Here.