Privacy Law Roundup: Supreme Court Weighs in on TCPA, U.S. Privacy Legislation Updates

In this privacy law roundup:

• Supreme Court limits scope of the TCPA in in Facebook v. Duguid Decision
• Virginia passes the Consumer Data Protection Act, California appoints CPPA board members
• On the horizon: Multiple states and federal legislators consider new privacy legislation

Supreme Court limits application of the TCPA

Decision in Facebook, Inc. v. Duguid clarifies definition of an autodialer under the Telephone Consumer Privacy Act (“TCPA”), potentially excluding many common SMS texting platforms and services.

On April 1, 2021, the Supreme Court unanimously ruled that the TCPA’s restrictions on communications made through an “automatic telephone dialing system,” or “ATDS,” do not apply unless the technology uses a random or sequential number generator to either produce or store a telephone number.  The decision resolves longstanding confusion as to whether platforms used to send text messages to a list of stored telephone numbers would be subject to some of the TCPA’s most stringent rules.

With limited exceptions, the TCPA prohibits communications made to a wireless phone number using an ATDS unless the caller has obtained either “prior express consent” for informational calls or “prior express written consent” for telemarketing calls.  An ATDS is “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.”

In the Facebook case, the plaintiff received numerous security text messages from Facebook alerting him of attempts to log into his Facebook account, despite never having created a Facebook account or providing his phone number to Facebook.  The plaintiff filed a putative class action lawsuit claiming that Facebook violated the TCPA by using an ATDS to dial his phone number without his prior express consent.

Facebook, however, argued that the company’s texting platform was not an ATDS under the TCPA because it only had the capacity to dial phone numbers from a stored list; it could not generate numbers randomly or sequentially.  The Ninth Circuit ruled for the plaintiff, but on appeal the Supreme Court reversed in favor of Facebook.  The Court found that the texting platform used by Facebook did not qualify as an ATDS because it did not use a random or sequential number generator—instead, it merely sent automated text messages to a stored list of phone numbers.

The Supreme Court’s decision could significantly reduce the compliance burdens and regulatory risks facing companies that use automated text messaging platforms to communicate with their customer lists, including the need to establish either prior express consent or prior express written consent under the TCPA.

Nonetheless, while this decision may stem the flow of some TCPA litigation, businesses may still find themselves subject to ATDS-related lawsuits.  For example, less than a week after this decision, a federal court in Colorado denied a motion to dismiss in a “blast” text messaging case, saying that discovery was needed to determine whether a random or sequential generator was utilized.

Businesses should also keep in mind that the Supreme Court’s ruling does not eliminate other TCPA requirements, such as prohibitions on “artificial or prerecorded voice” calls and Do-Not-Call restrictions.  Several states have also passed “mini-TCPA” statutes that may still apply to your messaging system.

Business can consider the following steps to assess risk when using text messaging platforms and services to communicate with customers and other contacts:

1. Assess whether your automated messaging platform uses random or sequential number generation, as automatic text messages sent from these platforms are still subject to the TCPA prior consent rules.
2. Evaluate whether there are any state laws that impact your direct marketing practices and ensure that those laws are reflected in your internal policies.
3. Continue to maintain TCPA best practices and follow industry practices, such as the CTIA guidelines, where applicable.
4. Keep abiding by Do-Not-Call restrictions and other telemarketing rules.
5. Not everyone is happy with this decision. With this significantly narrowed definition of an ATDS, keep an eye out for additional TCPA legislation.

State Law Updates: Virginia and California Consumer Data Protection 

Virginia passes the Consumer Data Protection Act.

On March 2, 2021, Virginia joined California as the second state to enact comprehensive privacy legislation. Like California’s amended privacy law, the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“CDPA”) will impose additional obligations on covered businesses and becomes operative on January 1, 2023.

The CDPA will apply all entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and, during a calendar year, either:

• control or process personal data of at least 100,000 Virginia residents, or
• control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Notably, the CDPA does not have a strict annual gross revenue threshold, as seen in the CPRA.

The CDPA provides for a number of exemptions, including regulated financial institutions, non-profits, covered entities under the Health Insurance Portability and Accountability Act (HIPAA), higher education institutions, and Virginia state bodies and agencies.

Once enacted, businesses subject to the CDPA will be required to comply with a new set of privacy obligations in connection with Virginian’s personal data, some of which may not align with current compliance requirements under current privacy laws.  Highlights include:

• Expanded consumer rights to personal data, including rights of access, correction, deletion, data portability, and anti-discrimination;
• Consumer right to opt-out of personal data sales, targeted advertising, and profiling related to decisions that produce legal or similarly significant effects concerning Virginia residents;
• Consumer right to appeal a business’s failure to respond to consumer requests to exercise their rights within the statutory time limit (45 days, with an optional 45-day extension following notice to the consumer);
• New obligations and consent requirements for businesses processing sensitive personal data;
• Requirements relating to data security;
• Obligations to conduct data protection assessments for certain processing activities;
• Required data processing agreements with processors and subprocessors that include certain provisions set out in the CDPA; and
• Specific privacy policy requirements.

The Virginia Attorney General has the authority to enforce the CDPA. Subject to a 30-day “cure” period, the Attorney General may seek injunctive relief and impose fines of up to $7,500 per violation. The CDPA does not grant consumers a private right of action.

California appoints board members to the California Privacy Protection Agency (“CPPA”).

On March 17, 2021, California announced that five board members had been appointed to lead the CPPA, the body charged with rulemaking and administrative enforcement under California’s amended privacy law, the CPRA.  The CPPA is the first regulatory agency in the U.S. dedicated solely to the regulation of consumer data privacy.

Over the next year, the CPPA will adopt final regulations under the CPRA, a job that was previously held by the California Attorney General.  The CPPA will issue its final regulations by no later than July 1, 2022.  After the CPRA becomes operative on January 1, 2023, the CPPA will take up enforcement of the CPRA after a 6-month delay on July 1, 2023.  Due to the global applicability of the CPRA, the CPPA will undoubtedly play a key role in setting privacy enforcement priorities moving forward.

Additional privacy legislation on the horizon.

As of May 1, 2021, legislators in multiple states in addition to California and Virginia have proposed similar state privacy bills, including Alabama, Alaska, Colorado, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey, New York, and Texas. Multiple privacy bills have also been proposed at the federal level, although no additional laws have been enacted to date.

The KO privacy team will continue to monitor these developments.

Questions? Please reach out to Chris Achatz, Erin Locker, or Charu Ganesh.