After potential warning signs spanning several years, on March 14, 2024, the Federal Trade Commission brought an enforcement action against two entities selling virus protection software to consumers via online and telemarketing sales. According to the FTC’s complaint, for several years the entities, Restoro Cyprus Limited and Reimage Cyprus Limited, received excessive chargebacks on purchases, numerous consumer complaints made directly to the entities, and various indirect consumer complaints made to vendors, telecoms service providers and others.
On April 28, 2022, the Federal Trade Commission published a Notice of Proposed Rulemaking (“NPRM”) and an Advance Notice of Proposed Rulemaking (“ANPRM”), proposing several updates to the Telemarketing Sale Rules (“TSR”).
On February 14, 2022 the FTC announced that, at the agency’s request, federal courts in California ordered two Voice over Internet Protocol (“VoIP”) service providers to produce information as part of ongoing investigations by the FTC into telemarketing calls and robocalls made in violation of the Telemarketing Sales Rule (“TSR”). Failure to comply with the court orders could result in the VoIP service providers being held in contempt of court.
As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to reign in telemarketing text messages.
On October 15, 2021, the U.S. District Court for the District of Massachusetts entered a final order approving a $14 million class action settlement resolving claims against HelloFresh for alleged violations of the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, et seq. The named plaintiffs alleged that HelloFresh violated the TCPA by (1) placing telemarketing calls to consumers whose phone numbers were listed on the federal Do Not Call registry; (2) placing telemarketing calls to consumers using an automatic telephone dialing system (“ATDS”) without prior express written consent; and (3) placing telemarketing calls to consumers who had requested to be placed on Hello Fresh’s internal Do Not Call list. According to plaintiffs’ attorneys, this settlement is the largest TCPA class action settlement in Massachusetts state history.
On April 1, 2021, the Supreme Court issued its long-awaited opinion in Facebook, Inc. v. Duguid et al., No. 19-511 (Apr. 1, 2021). At issue in Facebook, was the question of what technology constitutes an “automatic telephone dialing system” (“ATDS”) within the meaning of the Telephone Consumer Protection Act, 47 U.S.C. §227 et seq (“TCPA”). The Supreme Court’s unanimous decision is a huge win for companies who communicate with their consumers by telephone/text message.
On June 9, 2020, the Federal Communications Commission (“FCC”) announced a proposed $225 million fine, the largest in the history of the FCC, against several individuals for telemarketing violations.
On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.
On March 2, 2020, the UK Information Commissioner’s Office (“ICO”) fined CRDNN Limited, a lead generation company, £500,000—the maximum amount available for a breach of the Electronic Communications Regulations (“PECR”). The fine was imposed after CRDNN carried out over 193 million unsolicited automated direct marketing calls relating to window scrappage, window and conservatory sales, boiler sales, and debt management between June and October 2018.
The meaning of an “automatic telephone dialing system” (“ATDS”) as defined by the Telephone Consumer Protection Act (“TCPA”) has been hotly contested since the D.C. Circuit invalidated the prior Federal Communications Commission (“FCC”) rulings interpreting the TCPA in 2018. The Ninth Circuit has held that merely calling numbers from a stored list is sufficient to meet the definition of an ATDS, while the Third Circuit has at least indicated that the ability to generate numbers randomly or sequentially is the defining characteristic.
On November 26, 2019, the French Data Protection Authority (the “CNIL”) announced that it had levied a fine of €500,000 on Futura Internationale, a French SME specializing in thermal insulation of private buildings, for various infringements of the EU General Data Protection Regulation (“GDPR”). The infringements related to the company’s direct marketing voice-to-voice calls include failure to (1) comply with the individuals’ objection to the processing of their personal data for direct marketing; (2) process only relevant personal data (by recording excessive comments in the CRM software); (3) provide sufficient notice regarding the recording of phone calls and data processing; (4) cooperate with the CNIL; and (5) implement appropriate data transfer mechanisms for the data transfers to non-EU call center providers.
The UK Information Commissioner’s Office (“ICO”) has issued a Monetary Penalty Notice to pensions release provider Grove Pensions Solutions Ltd (“Grove”), fining it £40,000 after the company used contact details collected by a third party for its direct marketing campaign. Grove used a specialist third-party marketing agency to send emails on its behalf to mailing lists, negligently failing to obtain valid consent from individuals who received the marketing emails. Despite seeking external advice (including legal advice), the ICO decided that Grove should have known of the risk that its conduct would breach rules on direct marketing, particularly given recent widespread publicity of this issue in the UK. The fine was imposed under the Data Protection Act 1998.
The UK’s Information Commissioner’s Office (“ICO”) has fined Vote Leave Limited (the UK’s official Brexit campaign) £40,000 for sending almost 200,000 unsolicited texts promoting the aims of the campaign. In an unrelated action, the ICO has carried out searches of a business believed to have been responsible for initiating nuisance telephone calls. The ICO has highlighted nuisance calls, spam texts and unsolicited direct marketing as areas of “significant public concern,” and is increasingly imposing sanctions on businesses that infringe the Privacy and Electronic Communications Regulations 2003 (“PEC Regulations”), which prohibit these practices. In its view, the monetary penalty imposed on Vote Leave should act as a “deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices.”
On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network LLC (“Dish”) to pay a record $280 million in civil penalties for violations of the FTC’s Telemarketing Sales Rule (“TSR”), the Telephone Consumer Protection Act (“TCPA”) and state law. In its complaint, the FTC alleged that Dish initiated, or caused a telemarketer to initiate, outbound telephone calls to phone numbers listed on the Do Not Call Registry, in violation of the TSR. The complaint further alleged that Dish violated the TSR’s prohibition on abandoned calls and assisted and facilitated telemarketers when it knew or consciously avoided knowing that telemarketers were breaking the law.
On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group (“CEG”) settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call (“DNC”) Registry, in violation of the Telemarketing Sales Rule (“TSR”).
On September 22, 2016, Korean law firm Bae, Kim & Lee LLC released a Legal Update outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”).
On June 1, 2016, a new do-not-call list (the “BLOCTEL list”) was implemented in France. French residents who do not wish to receive marketing phone calls may register their landline or mobile phone number online at www.bloctel.gouv.fr.
On April 26, 2016, Korean law firm Bae, Kim & Lee LLC released a Privacy News Alert outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”). According to Tae Uk Kang, partner at Bae, Kim & Lee and author of the alert, these amendments to PIPA and the IT Network Act “reflect the general trend concerning the Korean data privacy policy, which is intended to achieve more stringent regulation (and sanctions) of processing personal information.”
On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.
On September 25, 2015, the UK Information Commissioner’s Office (the “ICO”) issued a fine of £200,000 (approximately $303,000) to Home Energy & Lifestyle Management Ltd. (“HELM”) for making a large number of automated marketing calls in violation of the UK’s direct marketing laws. This is the largest fine that the ICO has issued to date in connection with automated marketing calls.
On January 21, 2015, the Federal Trade Commission announced that the U.S. District Court for the Central District of Illinois granted partial summary judgment on December 12, 2014, to the federal government in its action against Dish Network LLC (“Dish”), alleging that Dish violated certain aspects of the Telemarketing Sales Rule (“TSR”) that restrict placing calls to numbers on the National Do-Not-Call Registry and an entity’s internal Do-Not-Call list. The federal government is joined in the action against Dish by four state attorneys general alleging violations of the Telephone Consumer Protection Act and certain state laws related to telemarketing.
On October 24, 2014, the Federal Communications Commission announced that it intends to impose a $10 million fine on TerraCom, Inc. (“TerraCom”) and YourTel America, Inc. (“YourTel”) for violating privacy laws relating to their customers’ personal information. This announcement marks the FCC’s first enforcement action in the data security arena as well as its largest privacy action to date.
The UK government has announced proposals designed to make it easier for the Information Commissioner’s Office (“ICO”) to fine companies responsible for nuisance calls and text messages. Under the proposals, the current maximum fine of £500,000 would remain unchanged, but the threshold for imposing fines would be lowered.
On September 3, 2014, the Federal Communications Commission announced that Verizon has agreed to pay $7.4 million to settle an FCC Enforcement Bureau investigation into Verizon’s use of personal information for marketing. The investigation revealed that Verizon had used customers’ personal information for marketing purposes over a multiyear period before notifying the customers of their right to opt out of such marketing.
On July 31, 2014, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on its Telemarketing Sales Rule (“TSR”) as “part of the FTC’s systematic review of all current Commission regulations and guides.” In the press release accompanying the Federal Register notice, the FTC stated that its questions for the public focus on (1) the use and sharing of pre-acquired account information in telemarketing, and (2) issues raised by the use of negative-option and free-trial offers in combination with general media ads designed to generate inbound telemarketing calls from consumers. The FTC’s review process comes less than a year after the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules became effective.
On May 19, 2014, the Federal Communications Commission announced that Sprint Corporation agreed to pay $7.5 million to settle an FCC Enforcement Bureau investigation stemming from allegations that the company failed to honor consumers’ requests to opt out of telemarketing calls and texts. Sprint also agreed to implement a two-year plan to help ensure future compliance with Do-Not-Call registry rules.
On October 16, 2013, the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules go into effect. As we previously reported, the revisions require that businesses obtain “express written consent” prior to advertising or telemarketing through (1) autodialed calls or text messages, or prerecorded calls to consumers’ mobile numbers, and (2) prerecorded calls to consumers’ residential lines. In addition, the FCC’s revisions eliminate the exemption that allowed businesses to place prerecorded advertising or telemarketing calls to a consumer’s residential phone line if the business had a pre-existing business relationship with the consumer.
On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.
On November 29, 2012, the Federal Communications Commission (“FCC”) issued a declaratory ruling finding that certain text messages businesses send to confirm a consumer’s request to opt out of text message programs do not violate a federal prohibition on sending text messages without prior express consent. This prohibition has spawned class actions against companies that have followed the provisions in the Mobile Marketing Association’s U.S. Consumer Best Practices and other industry guidelines that require companies to send a confirmatory text message in response to a consumer’s opt-out request. The FCC’s finding is limited to sending confirmatory text messages under the following conditions:
On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012. Though a law has been under discussion for quite some time, this bill was introduced before Parliament only recently, in September of this year. The new law will apply only to data processing in the private sector as data processing by public agencies (or organizations acting on behalf of public agencies) are already subject to internal government rules. Reportedly, the bill will become law in January 2013, enforceable after 18 months, in mid-2014.
On August 23, 2012, the Federal Trade Commission announced that it had filed suit against DISH Network LLC (“DISH Network”) alleging violations of the FTC’s Telemarketing Sales Rule (“TSR”). The FTC’s complaint claims that DISH Network is a “seller” and “telemarketer” as such terms are defined by the TSR because the company sells satellite television programming to consumers and also markets its programming through a variety of methods, including telemarketing. According to the complaint, since September 2007, DISH Network has engaged in initiating ...
In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.
On June 11, 2012, the Federal Communications Commission published in the Federal Register its final revised rules requiring prior express written consent for all autodialed or prerecorded telemarketing “calls” to wireless phones, and for prerecorded telemarking calls to residential lines. The FCC takes the position that the “calls” covered by this written consent requirement include essentially all marketing-oriented text messages. The FCC’s rules implement the findings of the Commission’s February 2012 Report and Order.
In a pair of lawsuits filed against Twitter, Inc. and American Express Centurion Bank, plaintiffs in a California federal court are seeking class-action status to assert claims that the defendants violated the Telephone Consumer Protection Act (“TCPA”) by sending each plaintiff a single text message to confirm that they had processed the plaintiff’s request to opt-out of receiving further text messages. This litigation highlights a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices (the “MMA’s Best Practices”), the authoritative compilation of policies enforced by the major wireless carriers.
“LOANMOD TXT MSGS VIOL8 LAW, SEZ FTC.” So reads the headline on the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog. The posting announced the FTC’s complaint against a marketer who sent more than 5.5 million spam text messages at a “mind boggling” rate of about 85 per minute, every minute of every day. Allegedly, most or all of the messages were unsolicited, and, like most text messages, they caused many recipients to incur standard text messaging charges.
On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling. The cases involved consumer complaints implicating the companies in several illegal acts. The companies claimed they had obtained prior consent from the consumers they contacted. The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games. The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies. The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.
Provisions of the FTC’s revised rule that regulate advertisements for free credit reports become effective April 2, 2010. As required by the Credit CARD Act of 2009, the FTC promulgated the revised rule on February 22, 2010, to prevent the deceptive marketing of free credit reports by companies that required consumers to sign up for paid products and services such as credit monitoring in order to receive the reports.
The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry. The companies will pay a combined total of nearly $1.2 million dollars in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code