On September 17, 2015, California Attorney General Kamala Harris announced a $33 million settlement with Comcast Corp. to resolve an investigation into Comcast’s publishing of phone numbers that consumers had paid the company not to publish.1 Notably, the settlement is the largest privacy settlement on record to date, surpassing the recent $25 million settlement the Federal Communications Commission (FCC) obtained from AT&T in April 2015.2 The action is also notable for which agency brought it and which agencies did not participate—this was a California state action and not an FCC or Federal Trade Commission (FTC) enforcement proceeding. The FTC has been the leading privacy enforcer over the last twenty years, and the FCC has spent the last two years nipping at the FTC’s heels on privacy enforcement. So, why did the two leading federal privacy regulators apparently sit on the sidelines for the largest privacy settlement on record? This article examines that question and posits some theories on why the other agencies may not have proceeded. Regardless of whether federal regulators decided to act in this case, the Comcast settlement with California offers a stark reminder for companies that failing to protect consumer privacy or misleading consumers about privacy protections can land you in expensive hot water on a wide variety of regulatory fronts.
California’s Settlement with Comcast
The complaint filed by California against Comcast lays out a fairly straightforward set of facts. Comcast provides Voice over Internet Protocol (VoIP) service to California residents.3 Beginning in July 2010, Comcast began publishing online directory listings (i.e., name, address, phone number) and licensing its listings to a third party for publication and directory assistance. Comcast offered customers the option to have their numbers non-listed (for $1.25 a month) or non-published (for $1.50 a month). Because of some internal account management changes, Comcast failed to flag the non-published status of requesting customers when Comcast transmitted the records to its third-party vendor for directory publishing. As a result, from around July 2010 to December 2012, approximately 75,000 consumers who had requested non-listed or non-published status had their phone numbers published in directory listings and made available by directory assistance providers.
According to the complaint, Comcast received consumer complaints about the publishing of non-published and non-listed numbers, and in December 2012, Comcast deleted the numbers from its directory listings. Comcast also informed affected consumers that their information had been made public. A number of customers, including law enforcement officials, judges, domestic violence victims, and other crime victims raised safety concerns related to the publishing of their directory listing information.
California filed its complaint and stipulated final judgment on September 17, 2015, in California state court. Pursuant to the terms of the stipulated final judgment, Comcast was required to pay $7,909,400 in restitution to affected customers and $25 million in penalties, including $12.5 million to the California General Fund, and $12.5 million to the California attorney general’s office.4 In addition to the significant monetary payments, the stipulated final judgment imposed a number of substantial injunctive requirements.
Why Was This Not an FCC Case?
There are a number of reasons why one could rightly ask why the Comcast incident was not the subject of an FCC enforcement action. First, the incident involved information protected by a core provision of the Communications Act enforced by the FCC—Section 222, Privacy of Customer Information. Second, it involved a cable provider obligated to protect the privacy of the information in question under the Cable Communications Policy Act, which the FCC also enforces.5 Finally, the FCC has been very active on the privacy enforcement front since Travis LeBlanc assumed the reigns of the Enforcement Bureau in early 2014. In addition to a $25 million settlement with AT&T for Section 222 privacy violations, LeBlanc also obtained a $7.4 million settlement with Verizon and a $3.5 million settlement with TerraCom and YourTel for similar violations. He has publicly declared that privacy enforcement is a top priority for the agency.6 Finally, immediately prior to joining the FCC, LeBlanc worked as a senior advisor to California Attorney General Kamala Harris; it would not be surprising to learn that he and the attorney general compared notes on Comcast’s privacy troubles.
So why did the FCC not pursue Comcast or join California’s action against Comcast? One likely reason has to do with a significant limitation built into the portion of the Communications Act authorizing the FCC to take action for violations. Section 503(b)(6) of the act states, “[n]o forfeiture penalty shall be determined or imposed against any person under this subsection if . . . the violation charged occurred more than [one] year prior to the date of issuance of the required . . . notice of apparent liability.” According to the complaint California filed against Comcast, the company ceased engaging in the problematic conduct in December 2012. Thus, the FCC would have had to issue a Notice of Apparent Liability7 by December 2013 to pursue a forfeiture under its statutory authority, and the FCC did not act within that timeframe. That timing was likely fortuitous for Comcast, as its exposure to a forfeiture here would have been quite substantial: $37,500 per violation times 75,000 violations for a maximum forfeiture of close to $3 billion.8
Even in instances like this where the conduct is beyond the reach of the FCC’s forfeiture authority, companies should remain mindful that they are not out of the woods for violations of the Communications Act. Under Sections 206-209 of the act, individuals can file complaints with the FCC or in district court for violations of the Communications Act, and the FCC and courts are authorized to award damages in such cases.9 Further, the statute of limitations under Section 503(b)(6) of the Communications Act does not apply to complaints brought under these sections of the act. Finally, for violations of the Cable Communications Policy Act, consumers are authorized to file suit in federal district court seeking actual damages, punitive damages, and reasonable attorney’s fees and litigation costs.10
Why Was This Not an FTC Case?
The FTC has been bringing privacy cases since the late 1990’s,11 and is widely regarded as the leading privacy enforcer in the United States.12 The lead count in California’s complaint against Comcast is that Comcast misled its customers regarding the privacy of their information—a count that closely resembles counts in many FTC complaints alleging deceptive conduct in violation of Section 5 of the FTC Act. So why was the FTC not in on the action here? The FTC, unlike the FCC, does not have a one-year statute of limitations, so that cannot be the reason for the apparent reticence to act.
One potential explanation for FTC caution may have to do with the common carrier exemption in the FTC Act. The FTC is authorized under Section 5 “to prevent persons, partnerships, or corporations, except . . . common carriers subject to the Acts to regulate commerce . . . from using . . . unfair or deceptive acts or practices in or affecting commerce.” The “Acts to regulate commerce” in the FTC Act include the Communications Act enforced by the FCC. The cause of action here involved telephone service so the FTC would likely have had to consider jurisdictional issues in deciding whether to look into Comcast’s behavior. And, while the FCC has not declared the precise service at issue, interconnected VoIP, to be a common carrier service under the Communications Act, the FCC has subjected interconnected VoIP to several core common carrier-related provisions of the act, including the requirements related to consumer privacy.13 Thus, the FTC might have faced a challenge by Comcast to any attempt to pursue enforcement action in this case. Comcast might have argued that the FCC’s regulation of the precise service at issue under common carrier provisions of the Communications Act renders the activity exempt from FTC oversight under Section 5 of the FTC Act. The FTC, to the extent the Comcast incident was ever on its radar screen, may have concluded that the jurisdictional fight was not worth having.
In this case, it is hard to know whether the FTC ever looked at Comcast’s practices, and, if so, what the FTC considered in determining whether and how to proceed. At this point, though, after California’s significant action against Comcast, it seems unlikely that the FTC would get involved. The FTC would likely conclude that its limited resources are best directed to other potential targets that have not already been the subject of major regulatory action.
Conclusion
Privacy enforcement actions used to be the sole province of the FTC. This is no longer the case. The FCC has become very active in this space in the past two years. More and more, state attorneys general are getting into the mix, particularly as they realize that they may help shore up tight consumer protection budgets with settlement payments in privacy cases.14 A company navigating the regulatory privacy waters has to be mindful of multiple different icebergs, and it may not be immediately obvious which iceberg poses the greatest threat to the company ship.
1 Press Release, California Attorney General, “Attorney General Kamala D. Harris Reaches $33 Million Settlement with Comcast over Privacy Violations,” September 17, 2015, https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-reaches-33-million-settlement-comcast-over.
2 See Order & Consent Decree, AT&T Services, Inc., File No. EB-TCD-14-00016243 (FCC April 8, 2015), https://transition.fcc.gov/eb/Orders/2015/DA-15-399A1.html.
3 Complaint, California v. Comcast, No. RG15789197 (Cal. Super. Ct. Alameda Cnty. September 17, 2015),https://oag.ca.gov/system/files/attachments/press_releases/People%20of%20CA%20v%20
Comcast%20complaint%20RG15786197%20Alameda%20Superior.pdf?.
4 Final Judgment and Permanent Injunction, California v. Comcast, No. RG15789197 (Cal. Super. Ct. Alameda Cnty. September 17, 2015),https://oag.ca.gov/system/files/attachments/press_releases/Comcast%20final%20
judgment%20and%20permanent%20injunction.pdf? (hereinafter Final Judgment).
5 Indeed, California’s complaint cites the violation of the Cable Communications Policy Act as a basis for its cause of action alleging a violation of the California’s Unfair Competition law.
6 Mike Swift, “Privacy Will Be A Key Enforcement Issue For FCC under Open Internet Rules, Enforcement Chief Says,” MLEX, March 13, 2015,http://mlexmarketinsight.com/landing-pages/privacy-will-be-a-key-enforcement-issue-
for-fcc-under-open-internet-rules-enforcement-chief-says/; Brandon Ross, “FCC Enforcement Chief Outlines New Focus: Consumers, Prevention, Efficiency,” BNA.COM, July 23, 2014, http://www.bna.com/fcc-enforcement-chief-n17179892750/.
7 A Notice of Apparent Liability (NAL) is the first step that the FCC must take to order a commission licensee to pay a forfeiture. In an NAL, the FCC concludes that a company is “apparently” liable for violations of the Communications Act and or commission rules and that it should pay a forfeiture of a specified amount. The recipient of the NAL has an opportunity to respond, challenging the factual basis of the NAL, the legal conclusions stated in the NAL, and the proposed forfeiture amount. The commission then determines whether to proceed with a forfeiture order.
8 Of course, it is very unlikely that the FCC would propose a forfeiture this significant. It would, however, use this maximum exposure amount to justify a very high proposed forfeiture amount or required settlement payment. In its NAL against TerraCom and YourTel, for example, the FCC arrived at a proposed forfeiture amount of $10 million after noting that the potential exposure of the companies for privacy violations was close to $9 billion under the statutory forfeiture provisions. See Notice of Apparent Liability for Forfeiture, TerraCom, Inc. and YourTel America, Inc., File No. EB-TCD-13-00009175, at ¶ 52 (FCC October 24, 2014), https://apps.fcc.gov/edocs_public/attachmatch/FCC-14-173A1.pdf.
9 These provisions of the Communications Act apply only to common carrier violations of the act. As noted infra, the FCC has not declared interconnected VoIP providers to be common carriers. The FCC, has, however, required interconnected VoIP providers to meet basic common carrier obligations of the Communications Act and has invited consumers to submit complaints against VoIP providers for violations of those provisions. Thus, it seems likely that the FCC would subject interconnected VoIP providers to the complaint provisions in the act.
10 47 U.S.C. § 551(f).
11 Press Release, FTC, “Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency’s First Internet Privacy Case,” August 13, 1998,https://www.ftc.gov/news-events/press-releases/1998/08/internet-site-agrees-settle-ftc-charges-deceptively-collecting.
12 See, e.g., Brendan Sasso, “FTC Steps In As Obama’s Chief Enforcer on Internet Privacy,” The Hill, May 13, 2012, http://thehill.com/policy/technology/227037-ftc-steps-in-as-obamas-chief-enforcer-on-internet-privacy; Stephen Cobb, “America’s Privacy and Security Enforcer,” SCMagazine.com, July 6, 2012, http://www.scmagazine.com/americas-privacy-and-security-enforcer/article/249082/2/.
13 In re Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, IP-Enabled Services, FCC 07-22, at ¶¶ 54-59 (April 2, 2007),https://apps.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf.
14 The stipulated final judgment in the Comcast case provides that $3 million of the penalty amount is allocated “for the exclusive use of the Office of the California Attorney General for the investigation, prosecution, and education of the public regarding privacy issues.”See Final Judgment supra note 4, at ¶ 13.