In the July 10, 2015 Order, the FCC considered whether to allow an exemption to the prior express consent requirement for financial and health care alerts (i.e., autodialed calls to cell phones and text messages) and, if so, under what circumstances. The FCC attempted to strike a balance between consumers’ legitimate needs for time-sensitive information against potential invasions of their privacy rights. In the end, the petitioners—the American Bankers Association (ABA), on the one hand, and the American Association of Healthcare Administrative Management (AAHAM), on the other—got some, but not all, of the relief they had requested.

Financial Alerts: The FCC accepted the ABA’s request to exempt alerts concerning: “(1) transactions and events that suggest a risk of fraud or identity theft; (2) possible breaches of the security of customers’ personal information; (3) steps consumers can take to prevent or remedy harm caused by data security breaches; and (4) actions needed to arrange for receipt of pending money transfers.” The ABA argued that “98 percent of text messages are opened within three minutes of delivery, and that this can ‘enabl[e] consumers and financial institutions to react promptly to time-critical information and contain any potential damage that might be caused by a fraudulent transaction, data security breach or other event.” The FCC found this compelling, and noted that, with respect to the various alerts at issue, “seconds count” in terms of providing the necessary information to consumers, along with the opportunity to mitigate harm (or, in the case of money transfers, to receive funds quickly).

However, the FCC determined that limitations were necessary to protect consumers’ privacy rights. Thus, the alerts are exempt, except that: (1) the alerts must be sent to the cell number provided by the customer; (2) the alerts must state the name and contact information of the financial institution (and, on calls, the disclosure must be made at the beginning); (3) the alerts are strictly limited to the four purposes stated above and must not contain any “telemarketing, cross-marketing, solicitation, debt collection or advertising content”; (4) the alerts must be concise (one minute or less for voice messages, unless more time is needed for customer responses or questions, and texts must be 160 characters or less); (5) no more than three alerts may be sent per event over a three-day period for an impacted account; (6) the financial institution must provide specific opt-out mechanisms for calls and texts; and (7) opt out requests must be honored immediately. Also, and importantly, the exemption applies only if the alerts are not charged to the recipient in any fashion, including being counted against any carrier plan limits.

Health care Alerts: The AAHAM raised several unique issues, including that a person might be incapacitated and, thus, unable to provide consent, and a third-party intermediary might then seek to act for that person. AAHAM also asked the FCC to find that, for alerts subject to the Health Insurance Portability and Accountability Act (HIPAA), a consent provided to the health care provider also would extend to alerts “by or on behalf of the ‘covered entity’ as well as its ‘business associates.’”

The FCC provided a circumspect clarification on the HIPAA issue: “[P]rovision of a phone number to a healthcare provider constitutes prior express consent for healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls with the scope of the consent given, and absent instructions to the contrary.” The FCC also found that consent “to make healthcare calls subject to HIPAA” may be obtained through an intermediary for an incapacitated person, but only until the person is capable of providing his own consent.

Further, as with financial alerts, the FCC granted an exemption to the prior express consent requirement for certain alerts where “there is exigency and . . . a healthcare treatment purpose,” as follows: “appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications and home healthcare instructions.” At the same time, though, the FCC warned that HIPAA privacy rules will control the content of alerts, noting a statement from a commenter that “‘the information provided in these exempted [alerts] must not be of such a personal nature that it would violate the privacy’ of the patient if, for example, another person received the message.” In addition, and importantly, the exemption is subject to a set of limitations parallel to those discussed above with respect to financial alerts.

*          *          *

Overall, in the Order, the FCC gave important tools to financial institutions and health care providers in conveying information that consumers need on a time-sensitive basis. However, the burden of compliance from the detailed requirements of the limitations on the exemption will be significant. In particular, the value of the Order will be determined based on the companies’ ability to work with carriers to ensure that the alerts are free to the end user. On this, as with many other issues addressed by the Order, time will tell.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Blaine C. Kimrey Blaine C. Kimrey

Blaine C. Kimrey is a Shareholder at Vedder Price, Chair of the Media & Entertainment Litigation practice group, and a member of the Privacy, CyberSecurity, & Media practice group.  A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette

Blaine C. Kimrey is a Shareholder at Vedder Price, Chair of the Media & Entertainment Litigation practice group, and a member of the Privacy, CyberSecurity, & Media practice group.  A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property, entertainment, insurance, banking, real estate, civil rights, telecommunications, and mass catastrophes and torts.  Among other accolades, Mr. Kimrey is Chambers USA Band 2 rated for Media & Entertainment Litigation in the state of Illinois, is listed in Best Lawyers in America for Intellectual Property Litigation, and is AV-rated by Martindale-Hubbell.

Photo of Bryan K. Clark Bryan K. Clark

Bryan K. Clark is a Shareholder at Vedder Price and a member of the Privacy, CyberSecurity & Media practice group.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right…

Bryan K. Clark is a Shareholder at Vedder Price and a member of the Privacy, CyberSecurity & Media practice group.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.