BREAKOUT SESSION “Character Flaws: Avoiding Risks When Marketing With Texts and Tweets” Thursday, October 11, 2012, 2:30 PM
BREAKOUT SESSION “Character Flaws: Avoiding Risks When Marketing With Texts and Tweets” Thursday, October 11, 2012, 2:30 PM
PRESENTERS
John Heitmann, CIPP/US – Partner and Chair, Telecommunications Group, Kelley Drye & Warren LLP, Washington, DC
Blaine Kimrey, CIPP/US – Partner in Charge and Chair, Digital Privacy & Data Protection Group, Lathrop & Gage LLP, Chicago, IL
S. Jenell Trigg, CIPP/US – Member and Chair, IP and New Media & Technology Practice Group, Lerman Senter PLLC, Washington, DC
OVERVIEW OF AGENDA
• Overview of Technology
• Rules of the Road/Compliance
• Litigation Update
• Lessons Learned & Best Practices
OVERVIEW OF TECHNOLOGY
• How do texts and tweets work and what laws apply?
– TEXTS
• Maximum 160 characters transmitted via phone-to-phone (TCPA) or computer-to-phone (CAN-SPAM Act)
- But see Joffe v. Acacia Mortgage (Ariz. App. Div. 2005)
• Short Message Service (SMS) – alphanumeric text (TCPA and CAN-SPAM)
• Multi-Media Service (MMS) – SMS with images, video or audio (TCPA and CAN-SPAM)
• Short code – 4-6 digit numeric code sent directly to wireless device (TCPA)
OVERVIEW OF TECHNOLOGY
– TWEETS
• Microblogging service with maximum 140 characters transmitted via websites, computer-to-computer (CAN-SPAM), phone-to-phone (TCPA) or computer-to-phone (CAN-SPAM)
• Includes alphanumeric message, icons, photos, and/or videos
• Can send SMS group messages via Twitter using third party software
• “Tweeters” and “Followers” must register via twitter.com
• Can send private tweets, “Direct Messages” to individuals
• Can target based on interests and re-tweets
KEY PRINCIPLES
• Both individual and bulk messages are subject to state and federal laws
• Cannot send a text/tweet to a wireless device to get consent to send a text/tweet
• Cannot contract away liability
• Type of transmission/technology will determine regulatory scheme and compliance requirements
KEY PLAYERS
• FCC and FTC Jurisdiction
– FCC has broader authority - not limited to certain industries, governs both interstate and intrastate
– FTC has no jurisdiction over common carriers, banks and financial institutions, limited to interstate only
– Interagency working group on telemarketing, mobile and DNC
• State AG and Regulatory Agency Jurisdiction
– Have concurrent authority with FCC and FTC for some statutes
• Private Litigation Impact/Influence
THE RULES OF THE ROAD/
COMPLIANCE
• Telephone Consumer Protection Act (TCPA), 47 USC 227/ 47 CFR 64.1200
– BASICS • Governs interstate and intrastate “calls” – texts and tweets
(when using SMS) are classified as calls
• Prohibits any message sent to a wireless device via equipment with the capacity to use Automatic Telephone Dialing System (ATDS) unless have secured express prior consent
• Prohibits texts and tweets that contain telemarketing or advertising message unless secured express prior consent
• Established Federal DNC Registry
• Prohibits established business relationship (EBR) exemption for calls sent to wireless device - cannot override numbers on DNC registry
THE RULES OF THE ROAD/
COMPLIANCE
– TCPA Trends and Developments
• Increased class action lawsuits
• Little, if any, FCC enforcement
• Pending Petition for Declaratory Ruling with FCC regarding “one-time” confirmatory text message compliance with TCPA
– SoundBite Communications, Inc. (CG Docket No. 02-278)
• Pending Petitions for Declaratory Rulings with FCC to address strict liability for advertisers and franchisors/parent companies
– Dish Network, LLC, et al. (CG Docket No. 11-50)
THE RULES OF THE ROAD/
COMPLIANCE
– TCPA Trends and Developments (cont’d)
• FCC released new rules in February 2012, FCC 12-21
– Requires prior express written consent for all autodialed or prerecorded telemarketing calls to wireless number and residential lines
– Written consent can be electronic in compliance with ESIGN Act
– Non-telemarketing, “purely” informational, and other non-commercial calls only subject to prior express consent
– Commercial calls that do not contain advertisements also not subject to written requirement – still need prior express consent
– Verified that no EBR exists for wireless numbers and eliminates previous EBR to residential lines
THE RULES OF THE ROAD/
COMPLIANCE
• Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 15 USC 7712/ 47 CFR 64.3100
– BASICS • Governs interstate and intrastate emails sent using a wireless
domain name whose primary purpose is commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)
– Mobile Service Commercial Messages (MSCM)
– Example: [email protected]
• Prohibits any MSCM without express prior authorization
THE RULES OF THE ROAD/
COMPLIANCE
– CAN-SPAM Basics (cont’d)
• Specific disclosures required prior to securing consent – Name of entity sending message, and if different, name of entity
advertising/promoting product, service or commercial website
– Recipient may be charged a fee (standard and/or premium rate)
– Recipient has right to revoke consent at any time and must be allowed to opt-out same way opted-in
• Consent not needed for transactional/relationship or informational message (but see TCPA requirements)
• No EBR
THE RULES OF THE ROAD/
COMPLIANCE
– CAN-SPAM Basics (cont’d)
• FTC regulations for standard emails apply to wireless emails
– Identify sender (but how to include postal address?)
– Functioning opt-out requirement for 30 days
– Honor opt-out request within 10 days
– Mixed Content Rule
– Multiple-Sender Rule
– Forward-to-a-Friend Rule
– Sexually-Oriented Material Labeling Rule
THE RULES OF THE ROAD/
COMPLIANCE
– CAN-SPAM Act Trends and Developments • Little, if any, CAN-SPAM Act enforcement by FCC
• FCC initiated proceeding in May 2012 to address privacy and security of information stored on mobile devices (DA 12-818)
• Increased use of ISP statutory private right of action to prevent wireless spam
• California District Court ruled that communications involving transmission of social network pages or posts are “electronic messages” for purposes of the CAN-SPAM Act (Facebook v. Max Bounty, 2005)
THE RULES OF THE ROAD/
COMPLIANCE
• Telephone Consumer Fraud and Abuse Prevention Act (TCFAPA), 15 USC 6101/ 16 CFR Part 310 (Telemarketing Sales Rule)
– BASICS • Governs only interstate telemarketing calls
• Does not govern B2B calls, with one exception
• Governs content of telemarketing calls via mobile device
– Disclosure of material information
– Sales transactions
– Payment methods and unauthorized billing
• Established Federal Do Not Call Registry
THE RULES OF THE ROAD/
COMPLIANCE
TCFAPA/TSR Trends and Developments • Does not govern transmission of telemarketing calls to a
wireless device – exclusive domain of FCC and States
– FTC did not allege TCFAPA/TSR violations in February 2011 Complaint against Phillip A. Flora who sent millions of unauthorized text and email messages advertising mortgage loan modification programs and debt services
– Many recipients of text messages were on Federal DNC Registry
– FTC only alleged standard email violations under CAN-SPAM Act
THE RULES OF THE ROAD/
COMPLIANCE
• Children’s Online Privacy Protection Act (COPPA), 15 USC 6501/ 16 CFR Part 312
– BASICS • Generally prohibits collection of personal information from
children under the age of 13 without verifiable parental consent
– Few exceptions
• Mandatory parental notice and privacy disclosures prior to collection of personal information
• Sliding scale of consent mechanisms based on whether personal information is disclosed to a third party (subject to change)
THE RULES OF THE ROAD/
COMPLIANCE
– COPPA Trends and Developments • FTC proposed new rules in February and August 2012 to
address new technology, mobile apps and social networking
– COPPA governs mobile devices, applications, and services when connected to internet, i.e., “online service”
– Enhanced definition of operator to include integrated third party website, online service, or downloadable plug-in that collects personal information on behalf of host website or online service
– Host website or online service also responsible for parental notice and disclosures if third parties collect personal information, even if host does not own, control, or have access to information collected on its behalf
THE RULES OF THE ROAD/
COMPLIANCE
– COPPA Trends and Developments (cont’d) • Proposed new rules cont.
– Inclusion of persistent identifiers (e.g., IP Address and Unique Device ID) under definition of personal information when not used for operational support
– Modification of definition of website or online service “directed to children”
THE RULES OF THE ROAD/
COMPLIANCE
– More Trends and Developments Related to Children and Minors
• FTC “Mobile Apps for Kids: Current Privacy Disclosures are
Disappointing” Report (February 2012)
- http://www.ftc.gov/opa/2012/02/mobileapps_kids.shtm
• FTC Privacy Report “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012) – collection of personal information from children deemed sensitive
• White House “Privacy Bill of Rights” (February 2012)
• Legal issues with securing enforceable consent from a minor – capacity to consent
THE RULES OF THE ROAD/
COMPLIANCE
• State Statutes and Regulations
– BASICS • States can have more restrictive laws under TCPA but not
under CAN-SPAM Act (pre-empts all but consumer fraud laws)
• States have own telemarketing and mobile marketing laws
– Example: California Bus & Prof Code§17538.41
Prohibits TMs to number assigned to mobile telephony services handset, pager or two-way messaging services,
with certain exceptions
• Utah and Michigan Child Protection Registries impose criminal and civil penalties on any advertising message for certain adult-oriented products/services sent to any minor’s contact point on state registry
THE RULES OF THE ROAD/
COMPLIANCE
• Industry and Self-Regulatory Guidelines
– Several organizations provide compliance guidance to members and impose self-regulatory requirements to help forestall new legislation/regulations and increased government enforcement • Direct Marketing Association (DMA)
– Knowledge Center industry guidance on Mobile
dma.sclivelearningcenter.com/index.aspx?PID=7269
• Mobile Marketing Association (MMA)
– U.S. Consumer Best Practices, Version 6.1, effective April 1, 2011,
www.mmaglobal.com/files/bestpractices.pdf
• CTIA – The Wireless Association®
– Best Practices & Guidelines for Location Based Services, www.ctia.org/business_resources/wic/index.cfm/AID/11300
LITIGATION UPDATE
• Vicarious Liability
– Thomas v. Taco Bell Corporation, et al., Case No. 09-cv-01097 (C.D. Cal.)
• Summary judgment for defendant
• “[Plaintiff] has not shown that Taco Bell controlled the matter and means by which the text message was created and distributed.”
– Anderson v. Domino’s Pizza, Inc., Case No. 11-cv-902 (W.D. Wash.)
LITIGATION UPDATE
• Confirmatory Messages/Opt-Outs
– Mixed results
– Ibey v. Taco Bell Corp., Case No. 12-cv-0583 (S.D. Cal.): Dismissal where case was based on single, confirmatory text
– Ryabyshchuk v. Citibank (South Dakota) N.A., Case No. 11-cv-1236, (S.D. Cal.): Denying motion to dismiss where case was based on single, confirmatory text
LITIGATION UPDATE
• Forward to a Friend/Group Texting
– Pimental, et al. v. Google, Inc., et al., Case No. 11-cv-02585 (N.D. Cal.)
– Glauser v. Twilio, Inc., et al., Case No. 11-cv-02584 (N.D. Cal.)
– Both complaints allege TCPA violations related to group texting services; although one recipient may have opted in, other members of the group created by that party have not
LITIGATION UPDATE
• Class Actions – Standing/Harm
– Mixed results
– Smith v. Microsoft Corp., Case No. 11-cv-1958 (S.D. Cal.): denying motion to dismiss based on argument that plaintiff was not harmed
– In re iPhone Application Litigation, Case No. 11-MD-02250 (N.D. Cal.): granting in part and denying in part motion to dismiss based on argument that plaintiff was not harmed
LITIGATION UPDATE
• Class Actions - Preemption
– Impact of Mims v. Arrow Financial Services, LLC, Case No. 10-cv-1195, SCOTUS decision on TCPA class actions in Second Circuit
– Possible CAN-SPAM Act preemption issues related to certain types of text messages
LITIGATION UPDATE
• Hobbs Act interpretation
– Can you challenge an FCC regulation in a private lawsuit?
– Leyse v. Clear Channel Broadcasting, Inc. (6th Cir.) takes a narrow view of Hobbs Act and indicates that in certain instances, a defendant can raise a challenge to an FCC regulation without running afoul of the Hobbs Act
LESSONS LEARNED &
BEST PRACTICES
• Forms of and Mechanisms for Consent
– Obtain written consent before sending any tweet/text using a system capable of autodialing or sending a pre-recorded message, or commercial related tweet/text – regardless of transmission type
• Include CAN-SPAM Act prior disclosures for all texts/tweets, even those subject to TCPA
• Consent obtained in accordance with ESIGN Act satisfies “written consent” requirement
– ESIGN consent includes email, website form, telephone key press, etc.
– Although transactional/relationship and informational wireless emails not subject to FCC CAN-SPAM rules, secure prior express consent as a precaution, when possible
LESSONS LEARNED &
BEST PRACTICES
• Established Business Relationship
– Cannot rely on prior business relationships as express prior consent to receive telemarketing texts/tweets via any transmission mode
• If text/tweet is subscription-based, provide clear and conspicuous disclosures prior to securing consent - how often message will be sent
- what type of messages will be sent
- identification of sender(s) and advertiser/promotional partners
LESSONS LEARNED &
BEST PRACTICES
• Text to win contest/sweepstakes
– Paid entries could violate state gambling and lottery laws
– Provide an online or mail-in alternative method of entry for those who do not purchase a text message entry
– Provide something of value in return for paid entries
LESSONS LEARNED &
BEST PRACTICES
• Confirmatory Bounce Back Messages
– Law is unsettled
• Conflict in courts whether confirmatory text after an opt-out request constitutes a violation of the TCPA
• Increased risk for commercial bounce back messages
– Pending Petition for Declaratory Ruling before the FCC but no timeframe for final decision
– Include statement in call-to-action and service rules that user consents to receive confirmatory bounce back message if invokes opt-out request – manage user expectations when possible
LESSONS LEARNED &
BEST PRACTICES
• Requirements to override DNC registry
– Standard EBR exemptions do not apply to mobile telephone numbers • Customer has purchased, rented or leased the seller’s goods,
or some other financial transaction has occurred between customer and seller, within 18 months preceding the telemarketing call
• Customer inquired or applied in relation to a seller’s goods or services within the 3 months preceding the telemarketing call, provided that the call is related to the inquiry or application
– Need express written consent from the user, including telephone number
– Express written consent requirement also applies to company-specific DNC lists
LESSONS LEARNED &
BEST PRACTICES
• Location-based services
– Ensure that users are informed about how their location information will be used, disclosed and protected
– Obtain user consent to the use or disclosure of location information before initiating an location-based services
– Employ reasonable administrative, physical and/or technical safeguards to protect a user’s location information from unauthorized access, alteration, destruction, use or disclosure
– Retain location information only as long as necessary to provide services
– Know what your third party vendors are doing
and be aware of indemnity issues
LESSONS LEARNED &
BEST PRACTICES
• Privacy notices on small screen and ESIGN requirements
– The law is evolving • Guidance available; see Future of Privacy Forum’s Best
Practices for Mobile App Developers: www.applicationprivacy.org
– ESIGN is a complicated statute • When the FCC says compliance with ESIGN is required, how
far does this go?
LESSONS LEARNED &
BEST PRACTICES
• Group Text Services
– Law is unsettled
• Courts have permitted actions to proceed (denied Motion to Dismiss) or stayed pending FCC action on related Petitions
– If using wireless numbers obtained from group text services to send telemarketing texts, confirm written consent from consumers prior to sending texts
– Include strict reps and warranties and indemnities in contract with provider that express prior consent to use wireless number has been obtained, where possible
LESSONS LEARNED &
BEST PRACTICES
• State Regulations
– Regulations can be more restrictive than TCPA but not more restrictive than CAN-SPAM Act – conduct due diligence on state requirements and weigh risk of compliance with only federal law • May need to defer to more restrictive state law if “doing
business” in a particular state and whether non-compliance will revoke telemarketing license
• Industry Guidelines
– Need to reconcile industry guidelines with regulations and court decisions, e.g., confirmatory opt-out recommended by MMA Guidelines may conflict with FCC or court interpretation of TCPA
LESSONS LEARNED &
BEST PRACTICES
• Third Party Telemarketing Service Providers – High risk involved with the purchase and use of third party
texts/tweets lists
– Due diligence requirements for sender
• Sender’s control over “matter and means” of text message creation and distribution is a key factor in liability determinations
– Review privacy policy and DNC policy
– Review state and federal enforcement actions
– Review whether provider is subject to class action lawsuits
LESSONS LEARNED &
BEST PRACTICES
• Third Party Telemarketing Service Providers (cont’d)
– Suggested contractual clauses
• Include detailed reps and warranties – generic “comply with any applicable law” insufficient
• Include indemnification provisions in the event of non-compliance with laws
– Include coverage for governmental inquiry and investigation
– Pending FCC petitions regarding third party liability could impact need for and use of indemnification provisions
– Purchase mobile marketing professional liability insurance coverage
SUMMARY
• Know how the technology works
• Know the relevant laws, regulations and litigation developments
• Follow industry guidelines, consistent with law
• Secure adequate consent
• Protect yourself in third party contracts when possible
• Consider insurance options
HELPFUL RESOURCES
• FCC: www.fcc.gov – CAN-SPAM Act and TCPA: http://www.fcc.gov/cgb/consumerfacts/canspam.html
• FTC: www.ftc.gov – Staff Privacy Report “Protecting Consumer Privacy in an Era of Rapid Change,”
March 2012: http://ftc.gov/opa/2012/03/privacyframework.shtm
– Telemarketer Compliance: http://www.ftc.gov/bcp/edu/pubs/business/marketing/bus27.shtm
– Federal Do Not Call Registry, Business Alert “Q&A”: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt129.shtm
– Children’s Online Privacy Protection Act: http://www.ftc.gov/privacy/coppafaqs.shtm
– CAN-SPAM Act: http://business.ftc.gov/documents/bus61-can-spam-act-Compliance-Guide-for-Business
HELPFUL RESOURCES (cont’d)
• White House Consumer Privacy Bill of Rights, February 2012: http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights
• State Child Protection Registries – Utah Child Protection Registry: https://donotcontact.utah.gov
– Michigan Child Protection Registry: https://www.protectmichild.com
• Direct Marketing Association: www.dma.org
• Mobile Marketing Association: www.mmaglobal.com
• CTIA – The Wireless Association®: www.ctia.org
• The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users, Information and Privacy Commissioner, Ontario, Canada: www.privacybydesign.ca/content/uploads/2011/02/pbd-asu-mobile.pdf
CONTACT US
John Heitmann, CIPP/US – Partner and Chair, Telecommunications Group, Kelley Drye & Warren LLP, Washington, DC
Blaine Kimrey, CIPP/US – Partner in Charge and Chair, Digital Privacy & Data Protection Group, Lathrop & Gage LLP, Chicago, IL
S. Jenell Trigg, CIPP/US – Member and Chair, IP and New Media & Technology Practice Group, Lerman Senter PLLC, Washington, DC