- Status check. In the recently released Corporate Directors Survey from PricewaterhouseCoopers, 41% of corporate board members reported that their companies monitor social media for adverse publicity. That’s up from 32% in 2012. One commentator suggests that a company’s entire board of directors—not just the members of its audit or risk committees—should be charged with social media oversight, given the reputational risk social media chatter poses and the medium’s potential as an effective investor relations tool.
- Fightin’ words? An Indonesian law student landed in a police detention cell for criticizing a historic city online because police in that country suspected her of running afoul of the 2008 Law on Information and Electronic Transactions, Indonesian legislation that provides prison time for anyone convicted of using electronic media—including social media networks—“to intimidate or defame others.” Many criticize the law as being inconsistent with Indonesia’s successful transition from an authoritarian state to a robust democracy.
- The wrong number. Twitter users sometimes give the social media company their cell phone numbers in order to be able to view tweets as text messages. But when a cell phone number that has been submitted to Twitter for that purpose is reassigned to a new user, do Twitter’s text messages to that number violate the Telephone Consumer Protection Act? Beverly Nunes claims they do. In a suit she filed in the U.S. District Court for the Northern District of California, Nunes is seeking class certification, and at least $500 in damages for each unsolicited Twitter text she received. In a Sept. 16 motion to dismiss Nunes’s complaint, Twitter contends that the texts do not violate the TCPA because, among other things, they were not sent using an “automatic telephone dialing system or an artificial or prerecorded voice,” as the statute requires.
With the explosive growth of social media, consumers increasingly expect to be able to interact online with the companies from which they buy goods and services. As a result, financial institutions have begun to explore the use of social media, both to strengthen relationships with existing customers and to attract new ones. Financial institutions, however, have proceeded with extreme caution in using social media, in large part due to uncertainty as to the application of financial laws and regulations to social media and, to the extent they are applicable, how a financial institution can comply.
In response to industry requests for guidance on the use of social media, on January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC) requested public comment on proposed guidance (“Proposed Guidance”) for financial institutions relating to the use of social media. The Proposed Guidance is intended to help financial institutions understand potential risks associated with the use of social media and to communicate the expectations of the agencies that make up the FFIEC for how financial institutions should manage these risks. The Proposed Guidance, however, largely does not address how a financial institution may comply with any particular requirement when using social media.
The following provides an overview of the Proposed Guidance, which may be found here. Comments on the Proposed Guidance must be submitted to the FFIEC by March 25, 2013.
Background on the FFIEC
The FFIEC is a formal interagency body that is authorized to prescribe uniform principles, standards and report forms for the examination of financial institutions by the federal banking agencies, the National Credit Union Administration (NCUA) and the Bureau of Consumer Financial Protection (CFPB) (collectively, the “Agencies”). Historically, banks were the main type of financial institutions to be the focus of FFIEC supervisory guidance; however, the Dodd-Frank Act expanded the membership of the FFIEC to include not only the federal banking agencies and the NCUA, but also the CFPB. As a result, FFIEC guidance now extends to any person supervised by the CFPB, including many types of non-bank financial institutions, such as mortgage brokers, payday lenders, consumer reporting agencies and debt collectors.
The Proposed Guidance
The Proposed Guidance is intended to help financial institutions understand potential risks associated with their use of social media, including compliance, reputation and operational risks, and to communicate the Agencies’ expectations for how financial institutions should manage these risks. Although the Proposed Guidance clarifies that, if finalized, it would not impose additional obligations on financial institutions, the Agencies each intend to issue any final guidance as supervisory guidance to the institutions that they supervise. As a result, financial institutions subject to the Agencies’ supervisory authority will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address the risks associated with their use of social media, including those outlined in the finalized guidance.
“Social Media” Defined
The Proposed Guidance casts a wide net in defining “social media” as any “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” From the Agencies’ perspective, it is social media’s interactive nature that distinguishes it from other online media. The Proposed Guidance includes the following non-exhaustive examples of media that the Agencies believe to fall within the definition:
- micro-blogging sites (e.g., Facebook and Twitter);
- forums, blogs, customer review websites and bulletin boards (e.g., Yelp);
- photo and video sites (e.g., Flickr and YouTube);
- professional networking sites (e.g., LinkedIn);
- virtual worlds (e.g., Second Life); and
- social games (e.g., FarmVille).
Risk Management Programs
A cornerstone of the Proposed Guidance is the expectation that a financial institution will maintain a risk management program through which it identifies, measures, monitors and controls risks related to its use of social media. The Proposed Guidance provides that a financial institution’s risk management program should include the following seven components:
- A governance structure with clear roles and responsibilities whereby the institution’s board or senior management directs how the use of social media contributes to the institution’s strategic goals and that establishes controls and ongoing risk assessments.
- Policies and procedures regarding the use and monitoring of social media and compliance with applicable consumer protection laws.
- An employee training program regarding the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
- An oversight process for monitoring information posted to proprietary social media sites administered by, or on behalf of, the financial institution.
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
- Audit and compliance functions to ensure ongoing compliance with internal policies and applicable law.
- Parameters for reporting to the institution’s board or senior management that will enable periodic evaluations of the social media program.
As in other areas of financial law and regulation, the expectation would be that the size and complexity of a financial institution’s risk management program would be commensurate with the breadth of the institution’s involvement in social media. For example, a financial institution that relies heavily on social media should have a more detailed program than a financial institution that uses social media only in a limited manner. Nonetheless, the Proposed Guidance indicates that a financial institution that does not use social media should still be prepared to address the potential for negative comments or complaints related to the institution that may arise within social media and also to provide guidance for employee use of social media.
Risk Areas Generally
The majority of the Proposed Guidance focuses on identifying potential risks related to a financial institution’s use of social media, including risk of harm to consumers. In particular, the Proposed Guidance identifies potential risks within three broad categories: (1) compliance and legal risk; (2) reputational risk; and (3) operational risk. While the Proposed Guidance catalogs the many risks presented by the use of social media, the focus is on the risks associated with compliance with consumer protection requirements. Nonetheless, the lengthy identification of risk areas would put financial institutions on notice of the broad scope of their responsibilities with respect to the use of social media.
Compliance and Legal Risk Areas
Compliance and legal risk relates to the risks associated with the failure to comply with laws, rules, regulations, prescribed practices, internal policies and procedures, and ethical standards and the related exposure to enforcement actions and/or private rights of action. The Proposed Guidance cautions that these risks are “particularly pertinent” for an emerging medium like social media where a financial institution’s policies and procedures may not have kept pace with changes in the marketplace.
Although a financial institution would be expected to ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable legal obligations, the Proposed Guidance identifies examples of more than 15 federal laws where a financial institution may be exposed to compliance and legal risk. These examples are broken down into five general categories: (1) privacy; (2) deposit and lending products; (3) payment systems; (4) anti-money laundering; and (5) community reinvestment. Of note, none of these includes any exception regarding the use of social media. As a result, the Proposed Guidance cautions that, to the extent a financial institution uses social media to engage in covered activity (e.g., advertising a credit product), it would be required to comply with any applicable legal requirement that may relate to that covered activity.
We highlight below certain compliance risks identified in the Proposed Guidance that may be relevant to many financial institutions:
Privacy
- A financial institution using social media should clearly disclose its privacy policies where required by the Gramm-Leach-Bliley Act.
- A financial institution maintaining its own social media site should ensure that it maintains and follows policies restricting access to the site to users 13 or older in a manner consistent with the Children’s Online Privacy Protection Act.
- A financial institution should consider whether any unsolicited communication sent to consumers via social media complies with the limitations of the CAN-SPAM Act and the Telephone Consumer Protection Act.
Deposit and Lending Products
- A lender should ensure that its use of social media does not violate the Equal Credit Opportunity Act prohibition on making statements in advertising that would discourage, on a prohibited basis, a reasonable person from applying for credit.
- A lender that advertises credit products in any form of social media communication should ensure that it does so in a manner that complies with Regulation Z’s advertising requirements.
- A debt collector must comply with Fair Debt Collection Practices Act limitations when conducting covered activities through social media, including, for example, ensuring that any social media communication does not disclose the existence of a debt or harass or embarrass consumers about their debts (e.g., a debt collector writing about a debt on a Facebook wall).
Payment Systems
- A financial institution using social media to facilitate an electronic fund transfer for a consumer should consider whether it is required by Regulation E to, for example, provide any required disclosures to the consumer.
Anti-Money Laundering
- Financial institutions should be aware of emerging areas of Bank Secrecy Act and anti-money laundering risk in connection with social media, including, for example, the fact that virtual world Internet games and digital currencies present a high risk for money laundering and terrorist financing and should be monitored accordingly.
Community Reinvestment
- A depository institution subject to the Community Reinvestment Act should ensure that its policies and procedures for its own social media properties address the appropriate monitoring of public comments.
Reputational Risk Areas
For purposes of the Proposed Guidance, reputational risk relates to the risks arising from negative public opinion. A financial institution engaged in social media activities would be expected to be sensitive to and properly manage the reputational risks that may arise from its social media activities. The Proposed Guidance provides a number of considerations for financial institutions related to reputational risk in the context of social media use, including that a financial institution should:
- have appropriate policies in place to monitor and address in a timely manner the fraudulent use of its brand, such as through phishing or spoofing attacks;
- have procedures to address risks associated with members of the public posting confidential or sensitive information (e.g., an account number) on the institution’s social media page or site;
- weigh the risks and the benefits of using a third party to conduct social media activities, including, for example, the ability of a financial institution to control content on a site owned or administered by a third party; and
- consider the feasibility of monitoring question and complaint forums on social media sites to ensure that customer inquiries, complaints or comments are addressed in a timely and appropriate manner.
Operational Risk Areas
For purposes of the Proposed Guidance, operational risk relates to the risk of loss resulting from inadequate or failed processes, people or systems. These include the risks posed by a financial institution’s use of information technology, including social media. In light of the vulnerability of social media platforms, the Proposed Guidance indicates that a financial institution should ensure that its internal controls designed to protect its information technology systems and to safeguard customer information from malicious software adequately address social media usage. And, in a related point, a financial institution’s incident response program should extend to security incidents involving social media.
* * * *
If the FFIEC finalizes the Proposed Guidance, financial institutions should expect that the Agencies will independently issue the finalized guidance as supervisory guidance to the institutions that they supervise. In such a case, financial institutions will be expected to use the guidance as part of their efforts to address the risks associated with the use of social media and to ensure that their risk management programs provide effective oversight and controls related to the use of social media. Until final guidance is in place, it is important for financial institutions to be cognizant of and consider the extent of their usage of social media and the risks associated with that use and whether existing controls address the types of risks identified in the Proposed Guidance. Finally, financial institutions may also wish to consider whether they will provide comments to the FFIEC on the Proposed Guidance, including, for example, identifying any technological or other impediments to compliance with otherwise applicable law when using social media.
In the latest issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we look at recent First Amendment, intellectual property, labor and privacy law developments affecting corporate users of social media and the Internet. We also recap major events from 2012 that have had a substantial impact on social media law, and we take a look at some of the big numbers racked up by social media companies over the past year.
Waves of class actions have recently alleged that the delivery of an opt-out confirmation text message violates the Telephone Consumer Protection Act (TCPA). Thus, a Federal Communications Commission (“Commission”) Declaratory Ruling finding that a single opt-out confirmation text does not violate the TCPA comes at a crucial time. The Commission’s decision, issued on November 29, 2012, is a welcome relief to companies facing these cases.
The TCPA generally permits the delivery of text messages to consumers after receiving prior express consent to do so. Numerous plaintiffs have taken the position that an opt-out confirmation message violates the TCPA because it is delivered after consent has been revoked. In its ruling, however, the Commission found that a consumer’s prior express consent to receive a text message can be reasonably construed to include consent to receive a final, one-time message confirming that the consumer has revoked such consent. Specifically, delivery of an opt-out confirmation text message does not violate the TCPA provided that it: 1) merely confirms the consumer’s opt-out request and does not include any marketing or promotional information; and 2) is the only message sent to the consumer after receipt of his or her opt-out request. In addition, the Commission explained that if the opt-out confirmation text is sent within five minutes of receipt of the opt-out, it will be presumed to fall within the consumer’s prior express consent. If it takes longer, however, “the sender will have to make a showing that such delay was reasonable and the longer this delay, the more difficult it will be to demonstrate that such messages fall within the original prior consent.”
The Commission’s ruling brings the TCPA into harmony with widely followed self-regulatory guidelines issued by the Mobile Marketing Association, which affirmatively recommend that a confirmation text be sent to the subscriber after receiving an opt-out request. The ruling also comes on the heels of, and is consistent with, at least two recent decisions in putative class action cases filed in the Southern District of California. In Ryabyshchuk v. Citibank (South Dakota) N.A., the court held that Citibank did not violate the TCPA by sending a text message confirming that it had received the customer’s opt-out request. The court went as far as to say that “common sense renders the [opt-out] text inactionable under the TCPA.” The court reasoned that the TCPA was intended to shield consumers from the proliferation of intrusive, nuisance communications, and “[s]uch simple, confirmatory responses to plaintiff-initiated contact can hardly be termed an invasion of privacy under the TCPA.” Likewise, in Ibey v. Taco Bell Corp., the court dismissed a lawsuit alleging that Taco Bell had violated the TCPA by sending an opt-out confirmation message. Noting that the TCPA was enacted to prevent unsolicited and mass communications, the court held, “[to] impose liability … for a single, confirmatory text message would contravene public policy and the spirit of the statute—prevention of unsolicited telemarketing in a bulk format.”
The Commission’s ruling should bring an end to the rash of class actions brought in recent months challenging the legality of confirmatory opt-out messages.
Plaintiffs’ attorneys seeking to cash in on grande class action lawsuits against companies that launch text message advertising campaigns suffered a setback in June as the U.S. District Court in the Southern District of California granted Taco Bell summary judgment in a lawsuit for Taco Bell’s alleged violation of the Telephone Consumer Protection Act (TCPA). The case, Thomas v. Taco Bell, was brought on behalf of a number of the 17,000 mobile phone owners in the Chicago area who received a text message in October 2005 encouraging them to purchase an order of delicious Nachos Bellgrande from their local Taco Bell franchises. As unsolicited text message advertisements are often found to violate the TCPA, there may have been a case against the marketing company that actually sent the text messages, but the plaintiffs instead asserted their claim against the local Chicago franchisee association that ordered the advertisement and Taco Bell itself. The case against the association was dropped for a lack of personal jurisdiction, while the court granted summary judgment to Taco Bell based on a finding that Taco Bell was not vicariously liable for the franchisee association’s texting campaign.
Using precedent from the Ninth Circuit, the court stated that vicarious liability for the text message campaign would have existed only if Taco Bell controlled the “manner and means” of the text message campaign. Although the franchisee association did need to secure Taco Bell’s approval in order to receive reimbursement from Taco Bell for the campaign, the court held that control of the “purse strings” in this case did not constitute Taco Bell’s control of the manner and means of the advertising, particularly because the franchisee association could have launched the campaign with alternative funding without Taco Bell’s permission or any repercussions from the franchisor. The court also rejected the plaintiffs’ argument that Taco Bell having one member on the franchisee association’s board (out of four) established control, as this minority interest was not controlling, and further stressed that approval by a company of an advertising campaign is not the same as the control required for liability.
This decision allows a little more breathing room for large franchisor companies, as it suggests that a franchisor-franchisee relationship does not automatically lead to vicarious liability for violations of the TCPA, which can carry penalties of up to $500 for each violation (a vast increase in cost over the usual five or so cents per text). However, since the Ninth Circuit declared in Satterfield v. Simon & Schuster, Inc. that text messages are tantamount to phone calls for the purposes of the TCPA, plaintiffs’ attorneys have been relentless in their attacks on companies that employ text message ad campaigns (as we previously pointed out in this blog, hockey fans are now suing their own beloved team for text-related TCPA violations). In fact, the Thomas summary judgment was Taco Bell’s second favorable TCPA decision in a month, with a California District Court dismissing a claim that Taco Bell’s confirmatory opt-out messages violated the TCPA just one week earlier. Despite these two victories for Taco Bell, with hundreds of companies launching thousands of advertising campaigns and promotions leading to the sending of millions of text messages, it seems unlikely that plaintiffs will have a shortage of TCPA claims any time soon.
Earlier this year, Fred Weiss, a Pittsburgh Penguins hockey team fan, responded to an offer to receive text messages alerting him to team news and special offers. Although the terms pertaining to the call-to-action apparently promised Weiss that he would receive no more than three messages per week, he alleges that he received five messages the first week and four the following week. Instead of simply following the alerts’ unsubscribe instructions, Weiss filed a putative class action lawsuit against the hockey team, alleging that its delivery of more messages than promised violated the federal Telephone Consumer Protection Act (TCPA).
The TCPA generally prohibits the delivery of a text message without the recipient’s express consent. In his complaint, Weiss has alleged that the delivery of messages in excess of those to which he had agreed (i.e., three per week) was without his express consent, and, for each of those violating messages, he says that he—and his fellow class members—should therefore receive the prescribed statutory damages of at least $500. Statutory damages per violating message could go up to as much as $1,500 if the Penguins are found to have willfully or knowingly violated the law.
Some may wonder why the Penguins would have made a message frequency promise in the first place. Widely followed industry guidelines issued by the Mobile Marketing Association (MMA) state that a marketer should provide certain information to consumers when seeking their consent to receive recurring text messages—including the fact that the consumer’s mobile carrier’s message and data rates apply, as well as how many messages the consumer can expect to receive. These disclosures give the consumer the information that he or she needs to make an informed decision regarding whether to sign up. The MMA guidelines do not have the force of law, but they are intended to help ensure that marketers comply with mobile carrier requirements. Moreover, while a message frequency disclosure is not expressly prescribed by law, the Federal Trade Commission (FTC) or a state regulator could take the position that a failure to tell a consumer, before he or she subscribes, how many messages to expect is an omission of material information and therefore deceptive. Marketers are therefore advised to make the disclosures imposed by the MMA guidelines.
As the ongoing Penguins litigation highlights, however, making the disclosures is not enough: the marketer must also take care to abide by its own promises. A failure to do so may give rise not only to a private cause of action under the TCPA—a very hot area for plaintiffs’ attorneys over the past couple of years—but could also lead to an enforcement action by the FTC or a state regulator, charging that the marketer’s failure to follow its own promises was deceptive. The bottom line is that companies sending text messages to consumers need to ensure that they are in compliance with their own representations regarding such messages, or they may find themselves in the penalty box.