In the July 10, 2015 Order, the FCC considered whether to allow an exemption to the prior express consent requirement for financial and health care alerts (i.e., autodialed calls to cell phones and text messages) and, if so, under what circumstances. The FCC attempted to strike a balance between consumers’ legitimate needs for time-sensitive information against potential invasions of their privacy rights. In the end, the petitioners—the American Bankers Association (ABA), on the one hand, and the American Association of Healthcare Administrative Management (AAHAM), on the other—got some, but not all, of the relief they had requested.
Financial Alerts: The FCC accepted the ABA’s request to exempt alerts concerning: “(1) transactions and events that suggest a risk of fraud or identity theft; (2) possible breaches of the security of customers’ personal information; (3) steps consumers can take to prevent or remedy harm caused by data security breaches; and (4) actions needed to arrange for receipt of pending money transfers.” The ABA argued that “98 percent of text messages are opened within three minutes of delivery, and that this can ‘enabl[e] consumers and financial institutions to react promptly to time-critical information and contain any potential damage that might be caused by a fraudulent transaction, data security breach or other event.” The FCC found this compelling, and noted that, with respect to the various alerts at issue, “seconds count” in terms of providing the necessary information to consumers, along with the opportunity to mitigate harm (or, in the case of money transfers, to receive funds quickly).
However, the FCC determined that limitations were necessary to protect consumers’ privacy rights. Thus, the alerts are exempt, except that: (1) the alerts must be sent to the cell number provided by the customer; (2) the alerts must state the name and contact information of the financial institution (and, on calls, the disclosure must be made at the beginning); (3) the alerts are strictly limited to the four purposes stated above and must not contain any “telemarketing, cross-marketing, solicitation, debt collection or advertising content”; (4) the alerts must be concise (one minute or less for voice messages, unless more time is needed for customer responses or questions, and texts must be 160 characters or less); (5) no more than three alerts may be sent per event over a three-day period for an impacted account; (6) the financial institution must provide specific opt-out mechanisms for calls and texts; and (7) opt out requests must be honored immediately. Also, and importantly, the exemption applies only if the alerts are not charged to the recipient in any fashion, including being counted against any carrier plan limits.
Health care Alerts: The AAHAM raised several unique issues, including that a person might be incapacitated and, thus, unable to provide consent, and a third-party intermediary might then seek to act for that person. AAHAM also asked the FCC to find that, for alerts subject to the Health Insurance Portability and Accountability Act (HIPAA), a consent provided to the health care provider also would extend to alerts “by or on behalf of the ‘covered entity’ as well as its ‘business associates.’”
The FCC provided a circumspect clarification on the HIPAA issue: “[P]rovision of a phone number to a healthcare provider constitutes prior express consent for healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls with the scope of the consent given, and absent instructions to the contrary.” The FCC also found that consent “to make healthcare calls subject to HIPAA” may be obtained through an intermediary for an incapacitated person, but only until the person is capable of providing his own consent.
Further, as with financial alerts, the FCC granted an exemption to the prior express consent requirement for certain alerts where “there is exigency and . . . a healthcare treatment purpose,” as follows: “appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications and home healthcare instructions.” At the same time, though, the FCC warned that HIPAA privacy rules will control the content of alerts, noting a statement from a commenter that “‘the information provided in these exempted [alerts] must not be of such a personal nature that it would violate the privacy’ of the patient if, for example, another person received the message.” In addition, and importantly, the exemption is subject to a set of limitations parallel to those discussed above with respect to financial alerts.
* * *
Overall, in the Order, the FCC gave important tools to financial institutions and health care providers in conveying information that consumers need on a time-sensitive basis. However, the burden of compliance from the detailed requirements of the limitations on the exemption will be significant. In particular, the value of the Order will be determined based on the companies’ ability to work with carriers to ensure that the alerts are free to the end user. On this, as with many other issues addressed by the Order, time will tell.