Tag: Communications

Patent Damages: How Many Essential Features in a Smart Phone?

On March 20, 2018, the public version of Eastern District of Texas Magistrate Judge Roy Payne’s March 7, 2018 order tossing a $75 million jury verdict obtained by Ericsson against TCL Communication was released.  Ericsson Inc., et al, v. TCL Communication Technology Holdings, Ltd., et al, Case No. 2:15-cv-00011-RSP, Doc. No. 460 (redacted memorandum opinion and order) (E.D. Tex. March 7, 2018) (“Order”).  Judge Payne’s order sheds important light on the damages analysis for infringement of patents covering features of smartphone technology and potentially provides lessons to future litigants seeking damages for smartphone innovations.

After a jury verdict finding infringement, Ericsson also won a damages verdict of $75M due to TCL’s ongoing and willful infringement of U.S. Patent No. 7,149,510 (“the ’510 patent”).  Ericsson contended that the ’510 patent covers smartphone functionality that allows a user to grant or deny access to native phone functionality to a third-party application, which is a standard feature in all Android smartphones.  After trial, TCL moved for judgment as a matter of law on infringement and damages, or in the alternative new trials.  Judge Payne indicated that he was going to uphold the infringement verdict, but ordered a new trial on damages.  Order at 1.

Ericsson’s damages case relied on two experts: Dr. Wecker and Mr. Mills.  Dr. Wecker analyzed a consumer survey that attempted to approximate the apportioned value of the patented feature in the accused products.  Mr. Mills determined a royalty rate based both on that apportionment and on a hypothetical negotiation between Ericsson and TCL.  Dr. Wecker determined that 28% of TCL customers would not have purchased a TCL smartphone if the smartphone did not have the patented feature in the ’510 patent.  This would have resulted in a loss of 28% of TCL’s sales and profits.  From this, Mr. Mills determined that the at-risk profit for TCL was $3.42 per device sold by TCL, which is the average profit per device for all accused devices, after a 28% loss rate discount.  Mr. Mills determined that during the hypothetical negotiation Ericsson would have recovered nearly all of the at-risk profit, likely obtaining a rate of $3.41 per device, but in any event would have secured no less than half of the at-risk profits, or $1.72 per product.  These rates would have justified a damages award ranging from $123.6M to $245M for damages across the life of the ’510 patent.  Mr. Mills further determined that the parties would have negotiated a lump sum payment discount for both pre-trial and post-trial infringement rather than a running royalty. Based on this expert testimony, the jury awarded Ericsson a $75M lump sum.

Judge Payne threw out the jury’s award for two reasons.  First, Judge Payne found error in Ericsson’s argument that TCL would have settled up front with a lump sum covering the entire royalty for the projected future sales of 111 million smartphones during the remaining life of the ’510 patent.  According to Judge Payne these products could not be part of the infringement base because they did not exist at the time of trial and could not have been adjudicated to infringe.  These future products could not be part of a damages order.  See Order at 12-14.

But the real meat of Judge Payne’s order is in his other justification for throwing out the damages verdict.  Judge Payne faulted Ericsson for painting the consumers’ choice of whether to buy a TCL phone as a binary decision based on the presence of the accused feature.  Judge Payne noted that the case originally had five patents and consumer surveys were done which noted that if each feature of three of the asserted patents was missing from TCL products, TCL would have lost 64% of its profits due to sales lost due to the absence of those features.  Judge Payne concluded that each of these features individually could not be responsible for a quarter of TCL’s profits per phone, and noted the following:

It is not difficult to see how this lost profit number quickly becomes unrealistic. Subtracting just three features covered by a mere three implementation patents would have allegedly cut TCL’s profit by more than half. The evidence from both sides suggested that there were at least a thousand implementation patents that might cover a TCL phone.  Regardless of the number, there is no dispute that a phone with an Android-operating system has many patented features, and that, according to Dr. Wecker’s survey results, consumers would likely find numerous features essential. According to Mr. Mills, any one of these allegedly essential features could independently be worth more than a quarter of TCL’s profit on the phone. By removing even three additional features covered by an implementation patent, on top of the features allegedly covered by the ’510, ’931, and ’310 patents, TCL would have lost all its profit (conservatively), according to Mr. Mills’ theory.

Order at 10-11 (emphasis added) (internal citations omitted).  Judge Payne faulted Ericsson for not considering that a consumer’s decision to purchase or not purchase a phone would be based on whether numerous features were included, not just the ones covered by the asserted patents, and that Ericsson’s theory would erode all of TCL’s profits.  See Order at 11.  The judge further noted that:

To conclude that any one of these features—simply because it is considered essential to a consumer—could account for as much as a quarter of TCL’s total profit is unreliable and does not consider the facts of the case, particularly the nature of smartphones and the number of patents that cover smartphone features.

Order at 11.  Put simply, Judge Payne found that a single feature could not possibly account for $75M in damages for TCL’s smartphones, particularly in view of the many other features that are subject to patent protection.  Judge Payne noted that both sides agreed that Ericsson possessed potentially at least a thousand patents covering features of TCL phones.  Order at 10.  To Judge Payne, it could not possibly be the case that each of these patents accounted for 25% of the profits made by TCL.

This decision underscores the importance of securing a defensible damages analysis, especially in the context of the multifaceted technology embodied in modern smartphones.  Judge Payne’s concerns in his non-precedential opinion seemed to flow largely from unstated anxiety relating to royalty-stacking that made the logical extrapolation of the experts’ rubric unreasonable and erroneous.  In this context, it will be interesting to see how Ericsson recasts its damages theory in the next round of this litigation. We will continue to follow this case to see the approach, as we fully expect a notice of appeal to the Federal Circuit from Ericsson.

 

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

5 Business Communication Etiquette Pet Peeves

I frequently work with my children to help them understand the importance of good table manners – elbows off the table, how to set a table, which fork to use, how to hold a fork and knife (and properly use them), which glass to drink from, and to never chew with their mouths open. Let’s just say it is a work in progress.

While these lessons seem obvious, you would be surprised how frequently we get requests for etiquette training for lawyers. But it’s a fact that how we present ourselves has a significant impact on our brand. If you are seated next to a lawyer who slurps his soup, uses the wrong fork and drinks from your water glass, how likely are you to hire him?

Like our table manners, our communication etiquette sometimes needs attention, too. After all, good relationships begin with good communication. As a communications professional, here are my five biggest communication pet peeves:

  1. Email Signatures: It is a best practice to include your telephone number in your email signature, even on the reply. In this day and age, a majority of our business is conducted without ever hearing someone’s voice. Sometimes, though, actually talking is the best way to communicate, and it is terribly frustrating to have to go digging through old emails, files and even paper notebooks to find a phone number.

If your law firm doesn’t already have a standard email signature protocol, now is the time to institute it. Use it as a way to market your law firm, being mindful not to overwhelm readers with too many ways to reach you. If you are including a graphic, make sure recipients can view it on a mobile device and that it does not make an email too large to open. Your clients will thank you!

  1. Grammar & Spelling: They’re/their, who’s/whose, you’re/your, it’s/its. Learn it, live it, love it. Sure, we all can make mistakes when using our smartphones and blame them on autocorrect, but there are some basic grammar rules that we as legal industry professionals should know.

In addition, try to tighten up your sentences. For example, “I thought I would connect with Jane to discuss,” can be rewritten as “I am going to call Jane to discuss,” or “Jane and I are going to discuss.” To put it concisely, be direct.

And take the time to ensure that you do not have any spelling errors. Readers will automatically assume the worst of you – and your intellect – if you misspell words. Spellcheck is not always accurate, so proofread your work. If you are not a great proofreader yourself, enlist the help of a colleague or a professional proofreader before you send documents to clients. With emails, take a few extra seconds before clicking send.

  1. Limit the Word “Just”: In the spirit of being direct, I want to share my dislike of the word “just.” Improper use of the word often weakens what you are communicating and implies an unspoken apology. I am certainly guilty of using it and am consciously trying to eliminate it from my vocabulary. For example, “I am just following up” suggests that I am sorry to bother you but have something that I think is important to say. “I just have to say” implies that what you have to say is somehow a side note.

Try eliminating the word “just” when you are asking someone to do something for you as well. “Can you just…” minimizes a person’s contributions. Count how many times you use the word “just” in a day, and see if eliminating it helps you become a stronger communicator.

  1. “At Your Earliest Convenience”: Be careful with this term because, when used the wrong way, it makes you seem lazy and unengaged. It is perfectly fine to ask someone to respond at their earliest convenience, but how do you feel when I tell you that I will call you back at my earliest convenience? Probably like I will get to you after I drink my coffee and check social media. For most law firm marketers, your “clients” are the attorneys in your firm. They are your most important asset. Make them feel that way, and avoid telling them that you will do something when it is convenient for you. Try “as soon as possible” instead. It feels much better!

  2. Emphasize Sparingly: When I receive an email that is filled with bold, underlined and all-caps words, I FEEL LIKE I AM BEING YELLED AT and that whatever isn’t emphasized probably isn’t important! Think about what you are emphasizing. Is it really crucial? As a general rule of thumb, focus on headers and deadlines to make sure that all of the content of your email is properly read and understood. Then think about using the signature at the bottom of the email to give the person a way to call to confirm.

All of the ways we present ourselves and communicate – both directly and indirectly – impact our personal brands. Making yourself available and easy to communicate with will boost your personal brand, make people feel good about doing business with you, and hopefully drive more business.

This post was written by Stephanie Kantor Holtzman of Jaffe Associates.,© Copyright 2008-2017
For more legal analysis, go to The National Law Review

States Deserve A Complete Picture In Evaluating FirstNet/AT&T Coverage Plans

FirstNet recently selected AT&T as its partner to build, operate and maintain the Nationwide Public Safety Broadband Network (“NPSBN”).  With AT&T leading the charge, network development appears to be on a fast track. In early June, the initial AT&T/FirstNet Radio Access Network (“RAN”) or coverage plans were made available electronically to all 50 states, the District of Columbia and territories of the United States (referred to as the “states” for purposes of this article). After a brief period for review, comment and consultations, the plans will be finalized and the Governor of each state must decide whether to accept the FirstNet plan or to seek an alternative coverage model through the state’s own Request For Proposal (“RFP”) process.

In evaluating its options, the goal of every state should be to obtain the best possible network coverage for its First Responders. The safety of First Responders and the public must be the primary concern in evaluating the AT&T/FirstNet plan. In order to conduct a reasonably thorough examination, the Governors and their teams must have access to the necessary financial, technical and legal information regarding AT&T’s commitments to deliver the NPSBN.

However, the states currently face a major obstacle in conducting their analysis. They do not have access to the underlying contract between AT&T and FirstNet. There have been numerous trade press reports and FirstNet/AT&T presentations about what the AT&T proposed roll-out will entail (e.g. access to the entire AT&T network, public safety usage targets, priority and preemption). However, no one from a state government is privy to the specific terms of the FirstNet/AT&T agreement. As with most agreements the “devil is in the details,” but the states cannot access the details.

There are countless issues involved in the review of state plans that turn on the conditions of the underlying FirstNet/AT&T contract. For example, how much of the statutory requirement for rural coverage can be satisfied through “deployables” as opposed to permanent hardened infrastructure under the terms of the contract? What is the specific long-term commitment to support discounted pricing for public safety use? Is there a mechanism in place to resolve any disputes that may arise between FirstNet and AT&T.

A fundamental question is whether there is an option for AT&T to “opt-out” of the contract with FirstNet if it fails to obtain a certain number of states “opting-in” or for any other reason. Another basic issue pertains to the penalties that AT&T may have to pay if it fails to meet certain levels of public safety use or “adoption” on the network. Without firsthand knowledge of the AT&T/FirstNet agreement, there is no way of knowing with certainty if there are caveats or conditions that could limit such a requirement?  What happens to the spectrum if there is zero public safety adoption in a given area or insufficient adoption on a nationwide basis? These are significant questions to which states are entitled to an answer.

For AT&T and FirstNet to simply address these and other critical questions an on ad hoc basis is not a prudent approach. The only way a full evaluation of whether the needs and objectives of public safety are being met is for FirstNet and AT&T to disclose the underlying contract to the states so that they can examine the specific terms of the agreement.

As things now stand, a Governor is being asked to accept a vendor to build and operate the public safety network within his or her state – impacting the lives of First Responders and the public – without firsthand knowledge of the terms under which AT&T will provide the service. FirstNet and AT&T should disclose the terms of their contract pursuant to an appropriately drafted non-disclosure agreement so the Governors and their teams will have a complete picture in reviewing the FirstNet/AT&T coverage plans.

This post was written by Albert J. Catalano of  Keller and Heckman LLP.

The FCC Responds to Comcast’s Negative Option

FCC ComcastOn Tuesday, October 11, the Federal Communications Commission (“FCC” or “Commission”) announced the release of an Order and Consent Decree with cable behemoth Comcast Corporation (“Comcast”) in which the company agreed to pay US$2.3M to settle an FCC investigation into whether Comcast employed negative option billing to wrongfully charge for services and equipment customers never authorized.  The settlement also requires Comcast—by some accounts the largest cable company in the country with 22.3M subscribers—to adopt a sweeping, highly detailed five-year compliance plan designed to force the company to obtain customers’ affirmative informed consent prior to adding charges to their bills.  According to the FCC’s press release, the settlement amount is the largest civil penalty the agency has ever assessed against a cable operator.

What is Negative Option Billing and How Does the FCC Regulate It?

“Negative option billing” is a practice similar to “cramming” in the telecommunications context, wherein a company places unauthorized charges on a consumer’s bill, requiring subscribers to pay for services or equipment they did not affirmatively request.  In addition to the obvious nuisance of unknowingly paying for unauthorized services and equipment, the FCC’s action is also aimed at protecting consumers from “spend[ing] significant time and effort in seeking redress for any unwanted service or equipment, which is often manifested in long telephone wait times, unreturned phone calls from customer service, unmet promises of refunds, and hours of effort wasted while pursuing corrections.”  For these and other consumer protection reasons, negative option billing is illegal; it violates both Section 623(f) of the Communications Act of 1934, as amended (the Act), and Section 76.981(a) of the Commission’s rules.  Specifically, 47 U.S.C. § 543(f) explicitly prohibits negative billing options, noting also that a failure to refuse an offer is not the equivalent of accepting the offer.

As the FCC clarified in a 2011 Declaratory Ruling, while a customer does not have to know and recite specific names of equipment or service in the course of ordering those products, the cable operator must have “adequately explained and identified” the products in order for a subscriber to “knowingly accept[] the offered services and equipment by affirmative statements or actions.”

Section 76.981(b) explains that the negative billing option does not prevent a cable operator from making certain changes without consumer consent, such as modifying the mix of channels offered in a certain tier, or increasing the rate of a particular tier (unless more substantive changes are made, such as adding a tier, which then increases the price of service).

The FCC appears to have found only one violation of the negative option billing prohibition previously, and in that context, the Commission used its discretion to refrain from imposing a penalty.  More than 20 years ago, in 1995, the Commission acted on a complaint and investigated Monmouth Cablevision for allegations that the company—which had previously rented remote controls to their subscribers—violated FCC rules when it removed the leasing fee on subscriber bills and instead included a $5 sale price for the remotes. In that case, the Commission explained that, while “in a literal sense, this is the same equipment that the customer previously rented, we cannot find that these customers affirmatively requested to purchase these remotes rather than renting them.”  The Commission went on to explain that “changing the way in which existing service and equipment is offered, e.g., from leasing to selling,” did, in fact, violate the Commission’s negative option billing prohibition.  However, due to the “de minimis difference between the $ 5.00 purchase price and the total rental price” and because of the “large number of regulatory requirements that became effective on September 1, 1993, and the associated compliance difficulties,” the then Cable Services Bureau chose not to impose a penalty.  Because state governments have concurrent jurisdiction over negative billing practices, cable companies have faced court action for these and similar allegations for decades.

The FCC Investigation

Based on “numerous” consumer complaints, the FCC’s Enforcement Bureau opened an investigation in December of 2014 into whether Comcast engaged in negative option billing.  In the course of its investigation, the FCC determined that customers were billed for “unordered services or products, such as premium channels, set-top boxes, or digital video recorders (DVRs).”  Beyond not authorizing these products, in some cases the FCC claims that subscribers specifically declined additional services or upgrades, only to be billed anyway.  In fact, the Order—which is part of the settlement but generally not subject to the non-government party’s review prior to release—details numerous complainants that claim to have been given the runaround by Comcast customer service representatives, with one customer (Subscriber A) claiming that, after three hours on the phone and multiple transfers, she was ultimately transferred to a fax machine.  Another complainant (Subscriber B) asserted that he determined Comcast had wrongfully billed him for approximately 18 months for an extra cable box he never ordered, and that he spent another year calling to request (unsuccessfully) that the company remove the charge.

The Settlement

The Order and Consent Decree are striking in terms of the level of transparency exhibited throughout.  Unlike most FCC settlements, in which facts and legal arguments are closely guarded and held confidential, this Order reads more like a Notice of Apparent Liability for Forfeiture, where the FCC explains the underlying facts and legal theories in substantially more detail.  Especially noteworthy here, is that unlike majority of the other settlements released by the FCC’s Enforcement Bureau since Travis LeBlanc took the helm, neither the Order nor the Consent Decree include a statement admitting liability.  Rather than an admission of liability by Comcast, the Consent Decree includes a lengthy discussion of the perspectives of both Comcast and the Commission.  Besides arguing that most of the services were authorized and that unauthorized services inadvertently added to consumer bills were removed, Comcast—represented by FCC regular and first Enforcement Bureau Chief David Solomon—argued that the Commission itself “has cautioned against an expansive application of the Negative Option Billing Laws, stating that a broad reading of the rule could lead to harmful consequences.”  Moreover, Comcast asserted that “the Negative Option Billing Laws are not per se prohibitions, but instead are targeted only at affirmatively deceptive conduct on the part of cable operators, and Commission enforcement requires a demonstrated pattern of violation,” rather than an erroneous charge “occasioned by employee error” that does not involve deceit or intent.  For its part, the Commission asserted that it believes “the Customer Complaints and other facts adduced during the Investigation are evidence of violations of Section 623(f) of the Act and Section 76.981 of the Commission’s Rules.”

Moreover, the settlement requires that Comcast be required to comply with the terms of the Order and Consent Decree for an uncharacteristically long term—i.e., five years instead of the three years the Bureau has normally insisted upon.

In addition to the US$2.3M civil penalty, Comcast must implement a highly detailed compliance plan.  Although in many instances, Comcast is given until July 2017 to create and implement requisite processes, the level of detail applied to the cable company’s alleged transgressions is similar to that found in certain cramming and slamming settlements.  In those instances, however, the Commission is usually acting against less sophisticated targets with decidedly fewer resources that cannot retain compliance personnel with the expertise to design, develop, and implement their own expansive compliance plans.  Among other things, and as explained in five pages of detail in the Consent Decree, the company is required to:

obtain customers’ affirmative informed consent prior to charging them for new services or equipment; send customers an order confirmation, separate from any other bill, that clearly and conspicuously describes newly added services and equipment and their associated charges; offer mechanisms to customers that, at no cost, enable them to block the addition of new services or equipment to their accounts; implement a detailed program for redressing disputed charges in a standardized and expedient fashion; limit adverse actions (such as referring an account to collections or suspending service) while a disputed charge is being investigated; designate a senior corporate manager as a compliance officer; and implement a training program to ensure customer service personnel resolve customer complaints about unauthorized charges.

Going forward, it appears that the Commission will have a substantial amount of insight into the way the company conducts its business vis-à-vis its customer service responsibilities, in the form of annual reports and extended document retention requirements.

Lessons from the Settlement

Over the past two and a half years, it has become more apparent that the FCC is willing to apply old rules in new ways, and to continue to be an aggressive enforcer of the rules in general, but particularly when it comes to protecting consumers.  Although the Commission has issued Enforcement Advisories in the past, alerting companies that it is on the lookout for noncompliance in certain areas, this US$2M+ action is proof that regulatees should not wait for FCC warnings before ensuring they are compliant with the rules.  Companies should take heed and adopt a proactive approach to understanding the rules applicable to them based on their business operations.

ARTICLE BY Koyulyn K. Miller of Squire Patton Boggs (US) LLP

© Copyright 2016 Squire Patton Boggs (US) LLP

Nothing to See in This Story about the Electronic Communications Privacy Act

Check out this story.  In it, we learn this:electronic privacy act

Andrew Ceresney, director of the Division of Enforcement at the Securities and Exchange Commission, [told] the Senate’s Committee on the Judiciary at a hearing on Wednesday morning that the pending Electronic Communications Privacy Act Amendments Act would impede the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct. Ceresney testified that the bill, intended to modernize portions of the Electronic Communications Privacy Act which became law in 1986, would frustrate the SEC’s efforts to gather evidence, including communications such as emails, directly from an Internet services provider.

So.  Let’s talk about what’s really at issue here.  We’re not talking about emails collected from companies with their own domain names and servers.  If a company maintains its own emails for its own purposes, the company is not a “provider of electronic communication service” under the ECPA and those emails are subject to SEC subpoenas just like its other documents.

But take, say, Google and Yahoo, among many others.  They are providers of electronic communication services.  Here’s what 18 U.S.C. § 2703(a) says about them:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

In plainer English, the SEC may require Google to disclose the contents of its customer’s emails if the emails have been in storage for 181 days.  For newer emails, the government must have a search warrant, which the SEC can’t get as a civil enforcement authority.

For the SEC, the ECPA typically comes up when it is investigating people who are not using corporate email addresses.  For example, Ponzi schemes and prime bank frauds are often going to be run on hotmail.com, not citigroup.com.  The problem for the SEC is, people running Ponzi schemes tend to have few issues with deleting incriminating emails.  And Google isn’t obligated to keep those deleted emails for any particular time period.  So if some guy defrauds a bunch of people and then quickly deletes the emails explaining how the fraud happened, there’s not a lot the SEC can do about it.  So it is very, very rare when the SEC is successful in using the ECPA to get emails from “providers of electronic communication service.”  And so . . . when Andrew Ceresney tells the Senate Judiciary Committee that amendments to the ECPA could impede civil law enforcement’s ability to uncover financial fraud and other unlawful conduct, he’s sort of right.  I might make the same argument if I were in his shoes.  But he’s also saying something that is almost inconsequential.  If the ECPA is not amended, the SEC will have a very hard time getting a hold of useful gmails.  If the ECPA is amended, it will have a very hard time getting a hold of useful gmails.  Just about every other issue in data privacy and securities enforcement is more significant than this one.

Article By David Smyth of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP

Copyright © 2015, Brooks, Pierce, McLendon, Humphrey & Leonard LLP

What You Need to Know About the FCC’s July 10th Declaratory Ruling on the Telephone Consumer Protection Act (TCPA)

A sharply divided FCC late Friday issued its anticipated TCPA Declaratory Ruling and Order (the “Declaratory Ruling”). This document sets forth a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes.  While some of its statements raise interesting and in some cases imponderable questions and practical challenges, this summary analysis captures the FCC’s actions in key areas where many petitioners sought clarification or relief.  Certainly there will be more to say about these key areas and other matters as analysis of the Declaratory Ruling and consideration of options begins in earnest.  There will undoubtedly be appeals and petitions for reconsideration filed in the coming weeks.  Notably, except for some limited relief to some callers to come into compliance on the form or content of prior written consents, the FCC’s Order states that the new interpretations of the TCPA are effective upon the release date of the Declaratory Ruling.  Requests may be lodged, however, to stay its enforcement pending review.

Scope and Definition of an Autodialer

An important threshold question that various petitioners had asked the FCC to clarify was what equipment falls within the definition of an “automatic telephone dialing system” or “ATDS.”  The TCPA defines an ATDS as:

equipment which has the capacity

(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and

(B) to dial such numbers. 47 U.S.C. § 227(a)(1) (emphasis added).

Two recurring points of disagreement have been: (1) whether “capacity” refers to present or potential capacity, i.e., whether it refers to what equipment can do today, or what some modified version of that equipment could conceivably do tomorrow; and (2) whether “using a random or sequential number generator” should be read to limit the definition in any meaningful way.

Stating that a broad definition would be consistent with Congressional intent and would help “ensure that the restriction on autodialed calls not be circumvented,” the FCC concluded that “the TCPA’s use of ‘capacity’ does not exempt equipment that lacks the ‘present ability’ to dial randomly or sequentially.”  Rather, “the capacity of an autodialer is not limited to its current configuration but also includes its potential functionalities.”

The Declaratory Ruling stated that “little or no modern dialing equipment would fit the statutory definition of an autodialer” if it adopted a less expansive reading of the word “capacity.”  But as for whether any “modern dialing equipment” does not have the requisite “capacity,” the agency declined to say:

[W]e do not at this time address the exact contours of the “autodialer” definition or seek to determine comprehensively each type of equipment that falls within that definition that would be administrable industry-wide….  How the human intervention element applies to a particular piece of equipment is specific to each individual piece of equipment, based on how the equipment functions and depends on human intervention, and is therefore a case-by-case determination.

Indeed, although the Declaratory Ruling insisted that this interpretation has “outer limits” and does not “extend to every piece of malleable and modifiable dialing equipment,” the only example that that Declaratory Ruling offered was anything but “modern”:

[F]or example, it might be theoretically possible to modify a rotary-dial phone to such an extreme that it would satisfy the definition of “autodialer,” but such a possibility is too attenuated for us to find that a rotary-dial phone has the requisite “capacity” and therefore is an autodialer.

Finally, the FCC majority brushed off petitioners’ concerns that such a broad definition would apply to smartphones—not because it would be impossible to read that way, but because “there is no evidence in the record that individual consumers have been sued….”

Commissioner Pai’s dissent expressed concern that the FCC’s interpretation of the ATDS definition “transforms the TCPA from a statutory rifle-shot targeting specific companies that market their services through automated random or sequential dialing into an unpredictable shotgun blast covering virtually all communications devices.”  He also noted that even if smartphone owners have yet to be sued, such suits “are sure to follow….  Having opened the door wide, the agency cannot then stipulate restraint among those who would have a financial incentive to walk through it.”

Commissioner O’Rielly took issue with the FCC’s “refusal to acknowledge” the other half of the statutory definition, specifically that equipment “store or produce telephone numbers to be called, using a random or sequential number generator.”  47 U.S.C. § 227(a)(1).  “Calling off a list or from a database of customers … does not fit the definition,” he explained.  And as for the reading of the word “capacity,” the Commissioner stated that the FCC majority’s “real concern seems to be that … companies would game the system” by “claim[ing] that they aren’t using the equipment as an autodialer” but “secretly flipping a switch to convert it into one for purposes of making the calls.”  He explained that even if there had been examples of this in the regulatory record, “this could be handled as an evidentiary matter.  If a company can provide evidence that the equipment was not functioning as an autodialer at the time a call was made, then that should end the matter.”

Given the breadth of the FCC’s purported interpretation of ATDS, which clashes with the views of a number of courts in recent litigation and is replete with ambiguity, this portion of the Declaratory Ruling will most certainly be challenged.

Consent and Revocation of Consent

The Declaratory Ruling addressed the question of whether a person who has previously given consent to be called may revoke that consent and indicated that consumers have the ability to revoke consent in any “reasonable manner.”  As dissenting Commissioner Pai noted, this can lead to absurd results if consumers are entirely free to individually and idiosyncratically select their mode and manner of revocation, particularly for any such oral, in-store communication.  The Commissioner’s dissent asked ruefully whether the new regime would cause businesses to “have to record and review every single conversation between customers and employees….Would a harried cashier at McDonald’s have to be trained in the nuances of customer consent for TCPA purposes?……the prospects make one grimace.”

FCC Petitioner Santander had sought clarification of the ability of a consumer to revoke consent and alternatively, to allow the calling party to designate the methods to be used by a consumer to revoke previously provided consent.  In considering the TCPA’s overall purpose as a consumer protection statute, the FCC determined that the silence in the statute on the issue of revocation is most reasonably interpreted in favor of allowing consumers to revoke their consent to receive covered calls or texts.  The Declaratory Ruling found comfort both in other FCC decisions and in the common law right to revoke consent, which is not overridden by the TCPA.  The Declaratory Ruling stated that this interpretation imposes no new restriction on speech and established no new law.

The FCC noted that its prior precedent on the question of revocation was in favor of allowing consumer revocation “in any manner that clearly expresses a desire not to receive further messages, and that callers may not infringe on that ability by designating an exclusive means to revoke.”  Stating that consumers can revoke consent by “using any reasonable method,” the FCC determined that a caller seeking to provide exclusive means to register revocation requests would “place a significant burden on the called party.”  The Declaratory Ruling contains no serious discussion of the burdens placed on businesses by one-off individual revocations.   The FCC majority also rejected the argument that oral revocation would unnecessarily create many avoidable factual disputes, instead stating that “the well-established evidentiary value of business records means that callers have reasonable ways to carry their burden of proving consent.”

Reassigned Number “Safe Harbor”

There is perhaps no issue that garners more frustration among parties engaged in calling activities than potential TCPA liability for calls to reassigned numbers.  No matter how vigilant a caller is with respect to compliance, under the FCC’s preexisting and now expanded statements, it is impossible to eliminate the risk of exposure short of not calling anyone.  As explained in Commissioner O’Rielly’s Separate Statement: “numerous companies, acting in good faith to contact consumers that have consented to receive calls or texts, are exposed to liability when it turns out that numbers have been reassigned without their knowledge.”  This portion of the Declaratory Ruling will also most certainly be subject to challenges.

While relying on a number of flawed assumptions, the FCC: (1) rejected the sensible “intended recipient” interpretation of “called party”; (2) disregarded the fact that comprehensive solutions to addressing reassigned numbers do not exist; (3) adopted an unworkable and ambiguous “one-call exemption” for determining if a wireless number has been reassigned (a rule that constitutes “fake relief instead of a solution,” as explained by Commissioner O’Rielly); and (4) encouraged companies to include certain language in their agreements with consumers so that they can take legal action against consumers if they do not notify the companies when they relinquish their wireless phone numbers.

First, the FCC purported to clarify that the TCPA requires the consent of the “current subscriber” or “the non-subscriber customary user of the phone.”  It found that consent provided by the customary user of a cell phone may bind the subscriber.  The FCC declined to interpret “called party” as the “intended recipient,” as urged by a number of petitioners and commenters and held by some courts.

Second, the FCC quickly acknowledged and then set aside the significant fact that there exists no comprehensive public directory of reassigned number data provided by the carriers.  Instead, it seemed flummoxed by the purported scope of information accessible to companies to address the reassigned number issue.  The FCC suggested  that companies could improvise ways to screen for reassigned numbers (e.g., by manually dialing numbers and listening to voicemail messages to confirm identities or by emailing consumers first to confirm their current wireless phone numbers) and explained that “caller best practices can facilitate detection of reassignment before calls.”  Ignoring the reality of TCPA liability, the FCC explained that “[c]allers have a number of options available to them that, over time, may permit them to learn of reassigned numbers.” (emphasis added).

Third, the FCC purported to create an untenable “one-call exemption.”  The Declaratory Ruling explained “that callers who make calls without knowledge of reassignment and with a reasonable basis to believe they have valid consent to make the call should be able to initiate one call after reassignment as an additional opportunity to gain actual or constructive knowledge of the reassignment and cease future calls to the new subscriber.  If this one additional call does not yield actual knowledge of reassignment, we deem the caller to have constructive knowledge of such.”

One potentially helpful clarification made was the determination that porting a number from wireline to a wireless service is not to be treated as an action that revokes prior express consent, and thus the FCC stated that that prior consent may continue to be relied upon so long it is the same type of call for which consent was initially given.  The FCC agreed with commenters who had observed that if a consumer no longer wishes to get calls, then it is her right and responsibility to revoke that consent.  Unless and until that happens, however, the FCC stated that a caller may rely on previously provided consent to continue to make that same type of call.  Valid consent to be called as to a specified type of call continues, “absent indication from the consumer that he wishes to revoke consent.”   As wireline callers need not provide express consent to be autodialed, any party calling consumers would have to still be aware of the nature of the called number to determine whether appropriate consent to be called was present.

Finally, the FCC – which claims to be driven by consumer interests throughout its Declaratory Ruling – makes the suggestion that companies should require customers, through agreement, to notify them when they relinquish their wireless phone numbers and then initiate legal action against the prior holders of reassigned numbers if they fail to do so.  “Nothing in the TCPA or our rules prevents parties from creating, through a contract or other private agreement, an obligation for the person giving consent to notify the caller when the number has been relinquished.  The failure of the original consenting party to satisfy a contractual obligation to notify a caller about such a change [of a cell phone number] does not preserve the previously existing consent to call that number, but instead creates a situation in which the caller may wish to seek legal remedies for violation of that agreement.”

Treatment of Text Messaging and Internet-to-Phone Messaging

The Declaratory Ruling also addressed a number of issues that specifically affect text messaging under the TCPA.   First, the FCC addressed the status of SMS text messages in response to a petition that asked the FCC to make a distinction between text messages and voice calls.  The FCC reiterated that SMS text messages are subject to the same consumer protections under the TCPA as voice calls and rejected the argument that they are more akin to instant messages or emails.

Second, the FCC addressed the treatment of Internet-to-phone text messages under the TCPA.  These messages differ from phone-to-phone SMS messages in that they originate as e-mails and are sent to an e-mail address composed of the recipient’s wireless number and the carrier’s domain name.  The FCC explained that Internet-to-phone text messaging is the functional equivalent of phone-to-phone SMS text messaging and is therefore covered by the TCPA.  The FCC also found that the equipment used to send Internet-to-phone text messages is an automatic telephone dialing system for purposes of the TCPA.  In so doing, the FCC expressly rejected the notion that only the CAN-SPAM Act applies to these messages to the exclusion of the TCPA.

Finally, the FCC did provide some clarity as to one issue that had created significant confusion since the adoption of the current TCPA rules in 2012: whether a one-time text message sent in response to a consumer’s specific request for information constitutes a telemarketing message under the TCPA.  The specific scenario that was presented to the FCC is one confronted by many businesses: they display or publish a call-to-action, they receive a specific request from a consumer in response to that call-to-action, and they wish to send a text message to the consumer with the information requested without violating the TCPA and the FCC’s rules.

The FCC brought clarity to this question by finding that a one-time text message does not violate the TCPA or the FCC’s rules as long as it is sent immediately to a consumer in response to a specific request and contains only the information requested by the consumer without any other marketing or advertising information.  The FCC explained that such messages were not telemarketing, but “instead fulfillment of the consumer’s request to receive the text.”  Businesses may voluntarily provide the TCPA disclosures in their calls-to-action, as the FCC noted in the Declaratory Ruling, but a single text message to consumers who responded to the call-to-action or otherwise requested that specific information be sent to them would not be considered a telemarketing message and, as such, would not require the advance procurement of express written consent.

Limited Exemptions for Bank Fraud and Exigent Healthcare Calls and Texts

The TCPA empowers the agency to “exempt . . . calls to a telephone number assigned to a cellular telephone service that are not charged to the called party, subject to such conditions as the Commission may prescribe as necessary in the interest of the privacy rights [the TCPA] is intended to protect.”  47 U.S.C. § 227(b)(2)(C).  In March 2014, the FCC invoked this authority to grant an exemption from the TCPA’s prior express consent requirement for certain package-delivery related communications to cellular phones, requiring that for such communications to be exempt, they must (among other things) be free to the end user.

The Declaratory Ruling invoked that same provision and followed that same framework in granting exemptions for “messages about time-sensitive financial and healthcare issues” so long as the messages (whether voice calls or texts) are, among other things discussed below, free to the end user.  Oddly, the Declaratory Ruling referred to these two types of messages as “pro-consumer messages,” showcasing an apparent view that automated/autodialed calls are “anti-consumer” by default.

The FCC first addressed a petition from the American Bankers Association (ABA), seeking an exemption for four types of financial-related calls: messages about (1) potential fraud or identity theft, (2) data security breaches, (3) steps to take to prevent identity theft following a data breach, and (4) money transfers.  After analyzing the record before it regarding the exigency and consumer interest in receiving these types of communications, and finding that “the requirement to obtain prior express consent could make it impossible for effective communications of this sort to take place,” the FCC imposed the following very specific requirements in addition to the requirement that the messages be free to the end user: (1) the messages must be sent only to the number provided by the consumer to the financial institution; (2) the messages must state the name and contact information for the financial institution (for calls, at the outset); (3) the messages must be strictly limited in purpose to the four exempted types of messages and not contain any “telemarketing, cross-marketing, solicitation, debt collection, or advertising content;” (4) the messages must be concise (for calls generally one minute or less, “unless more time is needed to obtain customer responses or answer customer questions,” and for texts, 160 characters or less); (5) the messages must be limited to three per event over a three-day period for an affected account; (6) the messages must include “an easy means to opt out” (an interactive voice and/or key-press activated option for answered calls, a toll-free number for voicemail, and instructions to use “STOP” for texts); and (7) the opt-out requests must be honored “immediately.”

The FCC then addressed a petition from the American Association of Healthcare Administrative Management (AAHAM) seeking similar relief for healthcare messages.  Relying on its prior rulings regarding the scope of consent and the ability to provide consent via an intermediary, the FCC stated that (1) the “provision of a phone number to a healthcare provider constitutes prior express consent for healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls within the scope of the consent given, and absent instructions to the contrary”; and, (2) such consent may be obtained through a third-party when the patient is medically incapacitated, but that “ just as a third party’s ability to consent to medical treatment on behalf of another ends at the time the patient is capable of consenting on his own behalf, the prior express consent provided by the third party is no longer valid once the period of incapacity ends.”

The FCC also granted a free-to-end-user exemption for certain calls “for which there is exigency and that have a healthcare treatment purpose”: (1) appointment and exam confirmations and reminders; (2) wellness checkups; (3) hospital pre-registration instructions; (4) pre-operative instructions; (5) lab results;(6) post-discharge follow-up intended to prevent readmission; (7) prescription notifications; and (8) home healthcare instructions.  The FCC specifically excluded from the exemption messages regarding “account communications and payment notifications, or Social Security disability eligibility.”

The Declaratory Ruling imposed mostly the same additional restrictions on free-to-end-user health-care related calls as it did with free-to-end-user financial calls: (1) the messages must be sent only to the number provided by the patient; (2) the messages must state the name and contact information for the healthcare provider (for calls, at the outset); (3) the messages must be strictly limited in purpose to the eight exempted types of messages, be HIPAA-compliant, and may not include “telemarketing, solicitation, or advertising content, or . . .  billing, debt-collection, or other financial content”; (4) the messages must be concise (for calls generally one minute or less, and for texts, 160 characters or less); (5) the messages must be limited to one per day and three per week from a specific healthcare provider; (6) the messages must include “an easy means to opt out” (an interactive voice and/or key-press activated option for answered calls, a toll-free number for voicemail, and instructions to use “STOP” for texts); and (7) the opt-out requests must be honored “immediately.”

Service Provider Offering of Call Blocking Technology

A number of state Attorneys General had sought clarification on the legal or regulatory prohibitions on carriers and VoIP providers to implement call blocking technologies.   While declining to specifically analyze in detail the capabilities and functions of particular call blocking technologies, the FCC nevertheless granted the request for clarification and stated that there is no legal barrier to service providers offering consumers the ability to block calls – using an “informed opt-in process” at the individual consumer’s direction.   Blocking categories of calls or individual calls was seen as providing consumers with enhanced tools to stop unwanted robocalls.

Service provider groups, which expressed concern that any blocking technology could be either over or under-inclusive from an individual consumer’s perspective, were provided the assurance that while both the FCC and the FTC recognize that no technology is “perfect,” accurate disclosures to consumers at the time they opt-in for these services should suffice to allay these concerns.  The Declaratory Ruling also noted that consumers are free to drop these services if they wish, and encouraged providers to offer technologies that have features that allow solicited  mass calling, such as a municipal or school alerts, to not be blocked, as well as to develop protocols to ensure public safety calls or other emergency calls are not blocked.

ARTICLE BY Laura H. Phillips & Eduardo R. Guzman of Drinker Biddle & Reath LLP
©2015 Drinker Biddle & Reath LLP. All Rights Reserved

FCC’s Enforcement Bureau Commends PayPal for Modifying its User Agreement

We previously advised that the FCC’s Enforcement Bureau, in an unusual move, on June 11 published a letter it sent to PayPal warning that PayPal’s proposed changes to its User Agreement that contained robocall contact provisions might violate the TCPA.

FCC_LogoThese proposed revisions conveyed user consent for PayPal to contact its users via “autodialed or prerecorded calls and text messages … at any telephone number provided … or otherwise obtained” to notify consumers about their accounts, to troubleshoot problems, resolve disputes, collect debts, and poll for opinions, among other things. The Bureau’s letter highlighted concerns with the broad consent specified for the receipt of autodialed or prerecorded telemarketing messages and the apparent lack of notice as to a consumer’s right to refuse to provide consent to receive these types of calls.

On June 29, prior to the revisions coming into effect, PayPal posted a notice on its blog stating: “In sending our customers a notice about upcoming changes to our User Agreement we used language that did not clearly communicate how we intend to contact them.” PayPal clarified that it would modify its User Agreement to specify the circumstances under which it would make robocalls to its users, including for important non-marketing reasons relating to misuse of an account, as well as to specify that continued use of PayPal products and services would not require users to consent to receive robocalls.

The FCC’s Enforcement Bureau immediately put out a statement commending PayPal for its decision to modify its proposed contact language, noting that these changes to the User Agreement represented “significant and welcome improvements.” The Bureau’s very public actions on this matter signal to businesses everywhere of the need to review existing “consent to contact” policies. Certainly the FCC’s yet to be released Declaratory Ruling on TCPA matters that was voted on during a contentious FCC Open Meeting on June 18 may also invite that opportunity.

ARTICLE BY Laura H. Phillips of Drinker Biddle & Reath LLP

©2015 Drinker Biddle & Reath LLP. All Rights Reserved

NLRB Shows Some Restraint in its Protection of Employee Social Media Communications: Employee Termination Arising From “Egregious” and “Insubordinate” Facebook Posts Was Legal Under the NLRA

Mintz Levin Law Firm

In the wake of the NLRB’s aggressive crackdown on social media policies, many employers have asked: “Is there any limit to what employees can post on social media about their employers?”  It appears that there is.  Just last week, a former employee of the Richmond District Neighborhood Teen Center in San Francisco learned this the hard way when the Board dismissed his complaint that the Center violated Section 8(a)(1) of the National Labor Relations Act after it pulled a rehire offer after it discovered that he particpated in an inappropriate Facebook exchange.

During the 2011-2012 school year, Ian Callaghan and Kenya Moore both worked for the Center’s afterschool program—Callaghan as a teen activity leader and Moore as the teen center program leader.  In May 2012, the Center held a staff meeting during which it solicited and received both positive and negative feedback from its staff, including Callaghan and Moore.  In July 2012, Callaghan and Moore received letters inviting them to return to the Center for the 2012-2013 school year; this time both as activity leaders.

The following month, Callaghan and Moore communicated over Facebook about (i) refusing to obtain permission before organizing youth activities (“ordering sh*t, having crazy events at the Beacon all the time.  I don’t want to ask permission…”; “Let’s do some cool sh*t and let them figure out the money”; “field trips all the time to wherever the f#@! we want!”), (ii) disregarding specific school district rules (“play music loud”; “teach the kids how to graffiti up the walls…”), (iii) undermining leadership (“we’ll take advantage”), (iv) neglecting their duties (“I ain’t go[]never be there”), and (v) jeopardizing the safety of participating youth and the program overall (“they start loosn kids I aint helpin”; “Let’s f#@! it up”).  When the Center’s administration became aware of the postings, it revoked the offers to rehire, and Callaghan filed a charge with the Board.

Under Section 7 of the Act, employees have the right to engage in concerted activities for their mutual aid and protection, including complaining to one another about the terms and conditions of their employment.  In that vein, an employer may not take adverse action against employees for exercising their Section 7 rights without violating Section 8(a)(1) of the Act.  That said, employees can take it too far and lose the protection of Section 7 when their conduct is particularly egregious or of such a character as to render the employees unfit for further service.

Here, although Callaghan and Moore previously had engaged in protected activity during the May 2012 staff meeting when they offered negative feedback about the Center, and although neither Callaghan nor Moore had ever engaged in any acts of insubordination, the Board held that they lost the Act’s protection because “[t]he magnitude and detail of insubordinate acts advocated in the [Facebook] posts reasonably gave [the Center] concern that Callaghan and Moore would act on their plans, a risk a reasonable employer would refuse to take.”

Several years ago, the Richmond District Neighborhood Center decision may have been a foregone conclusion.  But in light of the current Board’s aggressive approach to Section 7 protections, the decision provides employers with reassurance that Section 7 has retained at least some outer bounds.  The decision provides some guidance for defining “insubordination” in social media policies, for example, to include communications pervaded by detailed plans to jeopardize the employer’s very existence, violate legally enforceable employer policies, or neglect job duties.

For a full discussion of the Board’s recent approach to social media policies, see George Patterson’s September 3, 2014 posting “NLRB Continues Aggressive Crackdown on Social Media Polices.”

ARTICLE BY

Erin Cornell Horton
OF
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

New Federal Communication Commission (FCC) Rules to Protect Telephone Consumers from Autodial/Robocalls

Lewis & Roca

On October 16, 2013, new Federal Communication Commission rules took effect to further protect consumers under the Telephone Consumer Protection Act of 1991 (TCPA). See 47 U.S.C. § 227; 47 C.F.R. § 64.1200. The changes ordered by the FCC are designed to protect consumers from unwanted autodialed or pre-recorded telemarketing calls, also known as “telemarketing robocalls.” The new TCPA rules accomplish four main things: (1) require prior written consent for all autodialed or pre-recorded telemarketing calls to wireless numbers and residential lines; (2) require mechanisms to be in place that allow consumers to opt out of future robocalls even if during the middle of a current robocall; (3) limit permissible abandoned calls on a per-calling campaign basis in order to discourage intrusive calling campaigns; and (4) exempt from TCPA requirements calls made to residential lines by health care related entities governed by the Health Insurance Portability and Accountability Act of 1996. None of the FCC’s actions change the requirements for prerecorded messages that are non-telemarketing, informational calls such as calls by or on behalf of tax-exempt organizations, calls for political purposes, and calls for other non-commercial purposes including those to people in emergency situations.

Under the FCC’s new rules, “prior written consent” will require two things: a clear and conspicuous disclosure that by providing consent the consumer will receive auto-dialed or prerecorded calls on behalf of a specific seller, and a clear an unambiguous acknowledgement that the consumer agrees to receive such calls at the mobile number. The content and form of consent may include an electronic or digital form of signature such as the FTC has recognized under the E-SIGN Act. See Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq. However, prior written consent may be terminated at any time. In addition, the written agreement must be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” 16 C.F.R. § 310.4(b)(v)(A)(ii).

Read the full rule here.

Article By:

Federal Trade Commission (FTC) Settles with HTC America Over Charges it Failed to Secure Smartphone Software

RaymondBannerMED

Smartphone manufacturer HTC agreed in February to settle Federal Trade Commission (FTC) charges that the company failed to take reasonable steps to secure software it developed for its mobile devices including smartphones and tablet computers. In its complaint, the FTC charged HTC with violations of the Federal Trade Commission Act.  On July 2 the FTC approved a final order settling these charges.

trade FTC smartphone HTC

The FTC alleged HTC failed to employ reasonable security measures in its software which led to the potential exposure of consumer’s sensitive information. Specifically, the FTC alleged HTC failed to implement adequate privacy and security guidance or training for engineering staff, failed to follow well-known and commonly accepted secure programming practices which would have ensured that applications only had access to users’ information with their consent. Further, the FTC alleged the security flaws exposed consumers to malware which could steal their personal information stored on the device, the user’s geolocation information and the contents of the user’s text messages.

HTC is a manufacturer of smartphones but it also installs its own proprietary software on each device. It is this software that the FTC targeted. While HTC smartphones run Google’s Android operating system, the HTC software allegedly introduced significant vulnerabilities which circumvented some of Android’s security measures.

As part of the settlement consent order, HTC agreed to issue security patches to eliminate the vulnerabilities. HTC also agreed to establish a comprehensive security program to address the security risks identified by the FTC and to protect the security and confidentiality of consumer information stored on or transmitted through a HTC device. HTC further agreed to hire a third party to evaluate its data and privacy security program and to issue reports every two years for the consent order’s 20 year term. The implication of the FTC’s policy makes it clear that companies must affirmatively address both privacy and data security issues in their custom applications and software for consumer use.