FCC Seeks Comment on Privacy and Security of Information Stored on Mobile Phones and Other Devices

Posted on May 29, 2012 by Steve Augustino & John Heitmann

Days before tomorrow’s Federal Trade Commission (FTC) Workshop on Mobile Disclosures, the FCC weighed in with a pair of releases on privacy and security issues raised by mobile devices.  In the first item released on Friday, the FCC is seeking to refresh its record regarding the privacy and data security practices of mobile wireless service providers in light of recent disclosures concerning software developed by CarrierIQ.  The FCC’s Public Notice seeks to update the record in a five-year-old rulemaking proceeding addressing carrier obligations in connection with devices that function on their networks.  In the second item released, the FCC released its staff report on location-based services (LBS).  Consistent with the approach of the Administration and the FTC (as was discussed at our 4th Annual Privacy Seminar), the FCC focused on ways carriers can protect information from misuse or mishandling, transparency in carrier disclosures and maximizing consumer choice in the use of LBS.

Collectively, the releases demonstrate that the FCC will continue to work cooperatively with the FTC and the Administration (including the NTIA) to address privacy issues in the mobile market. The FCC appears to believe it has sufficient statutory authority to act on mobile and device privacy, with its emphasis being on its jurisdiction over carrier practices in connection with both services and devices.

Josh Guyan contributed to this post.
 

Public Notice Seeking Comments. While the FCC has been active in protecting CPNI both from a rulemaking and enforcement perspective, it has not taken significant action on the policy/rulemaking front since its 2007 rule changes to address pretexting (pretending to be a customer or other authorized person to obtain access to that customer’s private communication records).  At that time, the FCC adopted a Further Notice of Proposed Rulemaking to address the obligations of mobile carriers to secure the privacy of customer information stored on mobile devices.  At the time, most carriers indicated that consumers control the information residing on their devices.  However, late last year several large wireless carriers responded to inquiries from Senator Al Franken and acknowledged using software embedded or pre-installed on wireless devices to collect information about the performance of the devices and the provider’s network. 

Although several large wireless carriers have stated that the information gathering is used to collect information about their networks from the perspective of users’ devices, the FCC is concerned about whether consumers are given meaningful notice and choice with respect to the collection of this data.  In the Public Notice, the FCC is seeking input from industry and consumers on a series of questions designed to refresh the record for the purpose of potentially issuing a declaratory ruling clarifying carriers’ obligations with respect to information collected from and stored on mobile devices. The specific questions the FCC on which the FCC seeks comment include a set of broad questions that carry themes reflective of recent Administration and FTC activity with respect to mobile applications privacy. These themes, include transparency, notice and consent, data security, as well as “privacy by design”.  The FCC also asks for comment on how the following factors, if at all, impact a mobile carrier’s obligations under the CPNI rules to protect the privacy of customer information:

  • Whether the device is sold by the service provider;
  • Whether the device is locked to the service provider’s network;
  • The degree of control that the service provider exercises over the software that collects or stores information from the device;
  • The service provider’s role in connection with the device’s operating system, pre-installed software or security capabilities;
  • The manner in which the information is used;
  • Whether the information pertains to voice service, data service, or both; and
  • The role of third parties in collecting and storing data.

Comments will be due 30 days after publication in the Federal Register and replies will be due 15 days later. 

FCC Staff Report on Location-Based Services. On Friday, the FCC also released its long-anticipated report on LBS. The Staff Report notes that the FCC has decades of experience in protecting consumer privacy, and that, as the expert agency on communications and broadband networks, the agency in conjunction with its federal partners in the Executive Branch and at other independent agencies, has an important role in protecting consumer privacy in the future. LBS offer many conveniences to consumers and are gaining in popularity. However, it cautions that LBS “have the inherent ability to create accurate snapshots of their users’ activities that can contain very personal information.”  As such, the Staff Report expresses caution in the use and monitoring of LBS. It identifies the FCC’s goals in monitoring LBS to be three-fold: ensuring that personal information is protected from misuse and mishandling, requiring providers to be transparent about their practices, and enabling consumer control and choice.

 

The Staff Report does not make any specific recommendations or propose best practices for carriers.  Instead, it offers a useful overview of the FCC’s role in privacy regulation and enforcement, the LBS market, the FCC’s June 2011 Forum on LBS, and privacy issues for LBS, and provides commentary on issues it will be monitoring:

 

  • Consideration of Privacy Issues at Earliest Stages of Product Development. What are the most effective means to ensure privacy considerations become an integral part of the product design and development process for all players in the LBS industry? What should consumers be told?
  • Security of data. What are the rights, duties, and obligations of the parties that generate, aggregate, or hold LBS-related data to secure such data from unauthorized disclosure or access? Do they vary as a result of a party’s relationship with the customer?
  • Timing and sufficiency of notice. How much information should be pushed to consumers at different points in their interaction with an LBS, mobile, application or other provider and how should it be presented? Must the information be provided each time an application or service is used? Should there always be an opt out?
  • Data Minimization. Should parties be encouraged to collect the minimal amount of data technically required to provide a location-based service and retain that data for the minimum amount of time necessary?

The Staff Report concludes with the admonishment that the FCC may take action, “if privacy issues are not met as effectively and comprehensively as possible or within reasonable time frames.”
Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Prepaid Card Provider Settles Failure to Disclose Action for $2.3 Million

Posted on February 2, 2012 by Steve Augustino

In 2011, the FCC was extremely active in the prepaid calling card area, proposing $25 million in fines and investigating several other prepaid card providers.  While the FCC has exclusive jurisdiction over prepaid cards when provided by common carriers, the Federal Trade Commission also has jurisdiction over non-carrier marketers of prepaid calling cards.  This case is a reminder of the shared jurisdiction between the agencies.   

The FTC case was initiated in May of 2011 against Millennium Telecard, Inc. and related entities.  The FTC complaint alleged that Millennium made inaccurate claims about the number of minutes calling cards provided to a wide range of international locations, including Argentina, Brazil, the Dominican Republic, Ecuador, Mexico, Pakistan, Poland, Vietnam, Ghana, Nigeria, and El Salvador.  But the FTC alleged that consumers didn't receive the number of minutes advertised. Much of the FTC's case was based on test calls made by the agency, which, it claimed, showed that consumers received only 45% of the advertised minutes. 

The FTC asserted that Millennium violated the FTC act by failing to provide the advertised minutes and (in a claim similar to that made by the FCC in its section 201(b) cases) that Millennium failed to adequately disclose the fees applicable to the cards.  The FTC complaint did not explain in detail the failure to disclose claim, but its discussion of Millennium posters and cards suggested that the statements of fees were in fonts that were too small and were not prominently placed. 

In the settlement agreement, Millennium agrees to two injunctive provisions that require it to clearly and conspicuously disclose all material fees.  It also agrees to pay a fine of $2.32 million to resolve the case.  However, Millennium pays only a $500,000 installment now, and is obligated to pay the remaining $1.82 million over ten years, in ten annual installments (plus interest).  The ten year installment is quite unusual, as is the defendants' grant of a lien on property as collateral for the installment payment. 

This case serves as a reminder that prepaid calling card providers and marketers should closely review their marketing practices to ensure that all material terms are clearly and conspicuously disclosed in their marketing materials.

 
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Comments on Telemarketing Sales Rule Due This Week

Posted on January 24, 2011 by John Heitmann

Last month, the FTC issued an “Advance Notice of Proposed Rulemaking” seeking comments on whether and how to strengthen the Caller ID provisions of its Telemarketing Sales Rule. The Rule presently requires telemarketers to provide Caller ID information to allow consumers to screen out unwanted calls. The FTC seeks comments on how to make Caller ID more useful to consumers and combat technologies that hide telemarketers’ identities. Currently, the Caller ID regulations give telemarketers flexibility in determining what telephone numbers to transmit, and in determining whether the name of the telemarketer, or the name of the seller or charity, is displayed on Caller ID services.

 According to the FTC, not all businesses abide by the these Caller ID requirements. Recent FTC cases have charged telemarketers pitching fraudulent extended auto warranties and credit card interest rate reduction programs with violating the Caller ID requirements. The FTC’s request for comments notes that “spoofing” or manipulating Caller ID names and numbers may become more common as telemarketers increasingly use advanced telecommunications technologies. The FTC’s Notice details specific areas of inquiry but does not propose specific rule changes. It can be found here. Those interested in filing public comments on the issue must do so by Friday, January 28, 2011.
Tags: , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Rules Against Caller ID Spoofing to Tighten

Posted on January 3, 2011 by Steve Augustino

Two developments last month portend a more difficult time for entities "spoofing" caller ID information.  On December 22, President Obama signed into law the Truth in Caller ID Act of 2009 [sic], which makes it unlawful for a person to transmit misleading or inaccurate caller ID information with an intent to defraud.  In addition, the FTC is seeking comment on rule changes to strengthen the caller ID provisions of its Telemarketing Sales Rule (TSR). 

Descriptions of both developments are provided below.

Truth in Caller ID Act.  On December 22, President Obama signed into law the Truth in Caller ID Act of 2009 [sic].  The Act makes it unlawful for any person to cause any caller ID system "to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value."  The prohibition applies to caller ID used in connection with both telecommunications services and IP-enabled services (VoIP).

The FCC has 6 months to enact regulations to implement the prohibition.  In addition, the FCC must submit a recommendation whether additional legislation is necessary to prohibit the provision of inaccurate caller ID information in technologies that are successors to traditional telecommunications or VoIP.

FTC Rulemaking to Strengthen Caller ID.  On December 7, the FTC released a public notice seeking comment on ways to strengthen the caller ID provisions of its Telemarketing Sales Rule (TSR).  According to the FTC, "spoofing" has become more common and it is seeking comment on ways to strengthen the rules to prohibit the practice.  The FTC specifically identified the following issues for comment:

* How widespread is consumer use of Caller ID services to screen unwanted calls, and do consumers use other services that rely on the transmission of calling party numbers (CPN), such as call-blocking equipment, to avoid unwelcome telemarketing calls?
* Would changes to the Telemarketing Sales Rule improve the ability of Caller ID services to accurately disclose the source of telemarketing calls or improve the ability of service providers to block calls in which information on the source of the call is not available, or has been spoofed?
* Should the FTC amend the Caller ID provisions of the Rule to recognize or anticipate specific developments in telecommunications technologies relating to the transmission and use of Caller ID information, and if so, how?
* Should the FTC amend the Caller ID provisions of the Rule to further specify the characteristics of the phone number that a telemarketer must transmit to a Caller ID service? For example, should the Rule require that the phone number transmitted be one that is listed in publicly available phone directories, a number with an area code and prefix that are associated with the physical location of the telemarketer’s place of business, a number that is answered by a live representative, or automated service that identifies the telemarketer by name?
* Should the FTC amend the Caller ID provisions to allow a seller or telemarketer to use trade names or product names, rather than the actual name of the seller or telemarketer, in the name information displayed by Caller ID services?
 

Comments are due before the FTC by January 28.  Links to relevant FTC sites are available in our Resource Center.

 
Tags: , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

FTC Seeks to Bring Telecom Carriers within the Scope of New Data Security and Data Breach Legislation

Posted on September 23, 2010 by Steve Augustino

This entry was drafted by Telecom Partner John Heitmann

Yesterday, the FTC testified before a Senate Subcommittee and recommended that proposed data security legislation introduced by Senators Pryor (D., AR) and Rockefeller (D., WV) (The Data Security and Breach Notification Act of 2010, S.3742) be modified so that its requirements and the FTC’s enforcement authority thereunder be extended to telecommunications common carriers.  

The FTC’s testimony – available here – is the latest in a series of FTC actions signaling the agency’s concern regarding the amount of personal information telecom common carriers handle and the FTC's ability – or inability – to take enforcement action against such carriers.

The proposed legislation is one of several pieces of proposed data security legislation in play on the Hill.  It would require a broad array of commercial and nonprofit entities to (a) implement reasonable data security policies and procedures, and (b) notify consumers of a security breach involving electronic records. It also would require covered entities to offer credit reports and monitoring services to consumers impacted by a data breach.  The proposed legislation also would give general concurrent enforcement authority to the FTC and state attorneys general.

At yesterday’s hearing, subcommittee members and hearing witnesses discussed the proposed legislation’s “exemption” provision and the manner in which it might address potential redundancy with other federal data protection statutes such as the HIPPA, FCRA and the Gramm-Leach-Bliley Act.  The FTC proposed the following revision:

Second, as the proposed legislation is currently drafted, its requirements do not apply to telecommunications common carriers, many of which maintain significant quantities of highly personal information.  The Commission believes that the legislation should cover these entities and that the Commission should have authority to enforce the legislation as to them.

Notably, in making its recommendation to extend the reach of the proposed legislation to telecommunications common carriers, the FTC made no mention of Section 222 of the Communications Act and the FCC’s related CPNI rules which require such entities to comply with a complex data security requirements and also require breach notification to consumers, as well as to the FBI and Secret Service.

For more information on the scope of FTC jurisdiction over broadband service providers, see this earlier post on broadband provider privacy obligations.
Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Enforcement Alert: Prepaid Card Marketing Investigations Opened

Posted on April 7, 2010 by Steve Augustino

 

Late last week, the FCC sent inquiry letters to a number of prepaid calling card providers concerning their marketing practices.  This action represents the first significant entry by the FCC into prepaid calling card marketing practices.  Prior to this action, prepaid card enforcement activities have been conducted in private litigation brought by a large prepaid carrier, before a handful of state attorneys general and, in the case of non-carrier distributors, before the Federal Trade Commission.  However, the FTC is barred from taking action against common carriers.  The FCC's action suggests that the Commission is attempting to close the gap in compliance within the prepaid industry by acting directly against carriers that offer prepaid cards.

Details about the FCC requests are available after the jump.

FCC investigations are not disclosed publicly, so I cannot publish any documents for this entry.  However, we understand that identical letters were sent to several carriers that provide prepaid calling card services.  The letters seek broad classes of documents, including advertisements for prepaid cards, contracts with distributors and rate decks for the carrier's services. The letters also ask for detailed information about the provisioning of prepaid card services, and an identification of which entities perform certain functions related to the marketing, distribution and use of prepaid calling cards.  Carriers are given 30 days from the date of the letter to provide the requested documents and information.  All responses must include a sworn declaration from an officer confirming that all requested information was provided.

It is clear from the letters that the FCC seeks to examine the content and sufficiency of a carrier's disclosures to prepaid card consumers.  While FCC enforcement of misleading carrier marketing is rare, the Commission has asserted jurisdiction over marketing practices under Section 201's requirement that carrier practices be "just and reasonable."   Notably, however, the investigation letters do not cite to this line of cases, nor do they rely on the Commission's Truth in Billing regulations.   The letters cite only to the Communications Act as a whole for the agency's authority.
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Hearing on Calling Card Consumer Protection Bill Today

Posted on December 3, 2009 by Steve Augustino

The House Energy and Commerce Committee, Subcommittee on Commerce, Trade and Consumer Protection, will hold a hearing today on the "Calling Card Consumer Protection Act of 2009" (HR 3993).  The bill would require prepaid calling card providers and their distributors to disclose all applicable rates and other terms and conditions to consumers.  The FTC would be empowered to enforce the requirements, including against common carrier prepaid card providers.

Rep. Engel (D-NY) introduced the bill on November 3, 2009.  This is the first hearing on the bill.

Scheduled witnesses today will be:

  • Lois Greisman, Director, Division of Marketing Practices, Federal Trade Commission
  • Sally Greenberg, Executive Director, National Consumers League
  • Patricia Acampora, Commissioner, New York State Public Service Commission, National Association of Regulatory Utility Commissioners
  • Alie Kabba, Executive Director, United African Organization
  • Scott Ramminger, President, American Wholesale Marketers Association
Tags: , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

FTC Red Flag Rule Effective Date Set for November 1

Posted on September 16, 2009 by Danny Adams

The enforcement date for the FTC "Red Flag Rule" to prevent identity theft  has been extended until November 1, 2009 in order to give businesses more time to understand the rule and take steps to comply.  The rule applies to any entity under FTC jurisdiction that is a "creditor" or "financial institution" and which maintains customer accounts which extend credit through post-paid arrangement.  This would include a VoIP provider that bills monthly after the fact, for example.  For those subject to the rule, they must take steps outlined by the FTC to allow them to look for "red flags" which might indicate identity theft from their customer information.  Click here for more information.  The rule should be taken seriously, both because FTC enforcement action can be taken against companies who fail to comply, and because failure to comply might create follow-on civil liability in class action or consumer lawsuits.  Additional information about the Red Flag Rule is also available on Kelley Drye's Advertising Law blog.

Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

FTC BringsThird Prepaid Card Case This Year

Posted on September 16, 2009 by Danny Adams

The Federal Trade Commission has sued Diamond Phone Card and two individuals for allegedly(1) misrepresenting the number of minutes provided by the cards and (2) failing to disclose adequately the effect of fees on the number of minutes available.  Federal Trade Commission v. Diamond Phone Card, Inc. (U.S.E.D.N.Y. No. 09-3257).  The Complaint asks for a permanent injunction to prevent future violations, refunds and restitution for consumers, and the agency's costs of investigation. 

This case was announced on August 5, and follows the FTC's June settlement with Clifton Telecard Alliance (paid $1.3 million) and the February settlement with Alternatel and Mystic Prepaid (paid $2.25 million).   All three cases have been brought against card distributors, not telecom carriers, in deference to the "common carrier" exclusion from the FTC's enforcement jurisdiction.  Diamond Phone is based in the New York City area.  The FTC News Release announcing the suit thanked authorities in El Salvador, Colombia, Egypt, Mexico, Panama and Peru for their help in investigating the case.  The news release and a link to the Complaint can be found here

It is noteworthy that the Diamond Phone cards included written disclosures on their posters and on the cards themselves, as described in the FTC Complaint.  Diamond also had voice prompts.  However, the FTC lawsuit alleges the disclosures are inadequate because they are too small (10 point font on posters), are too separated from the larger rate claims (at the bottom of the poster) and were too vague ("connection fee may apply").  The disclosures on the cards themselves were said to be in 5 point font that is "nearly impossible to read" and appear on a portion of the card which is below a perforation and discardable.  The FTC said it tested several cards and the initial prompts stated different numbers of minutes than that stated on the cards and posters, and that even those minutes were not actually delivered. For example, the FTC said that a 50 minute card initially prompted 37 minutes and then delivered only 20 minutes in a single call.   Another card was said to be for 400 minutes to Mexico, but prompted 391 minutes and delivered only 106 minutes in a series of five calls of about 20 minutes each.

 

Tags: , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Senate Subcommittee Holds Hearing on Advertising Trends and Consumer Protection

Posted on July 27, 2009 by Danny Adams

On July 22, 2009, the Senate Commerce, Science, and Transportation Committee’s Subcommittee on Consumer Protection, Product Safety, and Insurance held a hearing on advertising trends and consumer protection. David Vladeck, Director of the Federal Trade Commission’s Bureau of Consumer Protection testified before the Subcommittee, as well as various industry and consumer advocacy representatives.  The hearing focused primarily on Vladeck’s testimony, in which he outlined the FTC’s proposed revisions to its guidelines for testimonials, endorsements, and green marketing. 

Those speaking on behalf of consumer advocate groups applauded the FTC’s plans to strengthen its advertising guidelines, while industry representatives raised concerns about the burdens imposed by the revisions, specifically those related to the safe harbor provision for atypical result testimonials. Subcommittee members generally agreed with the FTC and consumer advocacy representatives that consumers need more protection from deceptive marketing practices, but they have not reached a consensus on the extent to which the FTC should regulate advertisers. More details on each of these issues are provided in this advisory, authored by Kelley Drye partner Reed Freeman and associate Alysa Z. Hutnik.

 

 

Tags: , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Card Distributors Agree to Pay $2.25 Million as Part of FTC Crackdown on Fraud in the Prepaid Calling Card Industry

Posted on February 10, 2009 by Steve Augustino

Major prepaid calling card distributors have agreed to pay $2.25 million as part of a settlement to resolve Federal Trade Commission charges that they made false claims to consumers about the number of minutes of talk time their prepaid calling cards would provide. The companies targeted their advertising at recent immigrants, who the FTC said depend on the cards to stay in touch with friends and family in other countries. The defendants’ cards, which retail for $2 to $10, are sold through small retailers such as grocery and convenience stores, gas stations, and newsstands in Florida, Massachusetts, New Jersey, New Hampshire, and Rhode Island.

The settlement resolves charges brought by the FTC last May against Alternatel, Inc., Voice Prepaid, Inc., G.F.G. Enterprises, LLC, also d/b/a Mystic Prepaid, Voice Distributors, Inc., Telecom Express, Inc., and their individual principals, Nickolas Gulakos, Moses Greenfield, Lucas Friedlander, and Frank Wendorff. The Commission vote to approve the settlement was 4-0. The proposed settlement was filed in the U.S. District Court for the Southern District of Florida in Miami.

In its lawsuit, the FTC charged that the companies misled consumers about the number of minutes of talk time their prepaid calling cards provided. The FTC said its testing showed that consumers received only about half the advertised minutes. In addition, the FTC alleged that the defendants’ cards carried hidden fees. For example, while the defendants’ ads for their cards often prominently claimed “no connection fees;” they then failed to clearly disclose a host of fees, such as “hang-up” and “maintenance” fees and “destination surcharges” that could wipe out the value of the cards. Such fees were said to be disclosed in a font size that was too small and stated in confusing language. At the request of the FTC, shortly after the case was filed, the court issued a temporary injunction against the companies.

In addition to the payment of $2.25 million, as part of the settlement announced today the defendants have agreed to a Consent Decree barring them from misrepresenting the number of minutes of talk time consumers will receive from prepaid calling cards, and requiring them to disclose any applicable material limitations, such as any fees or charges.

The settlement is part of an ongoing FTC crackdown on disclosures in the prepaid calling card industry. The FTC has brought similar charges against Clifton Telecard Alliance, another major prepaid calling card distributor. The FTC has also established a joint federal-state task force concerning deceptive marketing practices in the prepaid calling card industry and has other active prepaid calling card investigations. So far, the FTC has limited its actions to card distributors and has not sought to challenge prepaid carriers themselves; carriers are exempt from FTC authority as they are regulated as common carriers by the FCC. In recent times, however, the FTC has expressed frustration over the limitation on its powers and Congress has considered legislation to remove the common carrier exemption from FTC enforcement authority.

Tags: , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link