The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Washington State Judge Rules that Robocalls Are “Conversations”

The Telephone Consumer Protection Act (TCPA) of 1991, 47 U.S.C. § 227, regulates these pesky “robocalls” that you may have deleted more than once in your voice mail, unconvinced by the suave prerecorded messages informing you about an upcoming sale or a new line of products.

Under the TCPA, it is unlawful for any person… to initiate any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party, unless the call is initiated for emergency purposes or is exempted by rule or order by the Federal Communication Commission under paragraph (2)(B).


One of these exemptions is the “established business relationship” exemption (EBR). An EBR is defined by the Code of Federal Regulations, 47 C.F.R. § 64.1200 as a ”voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of the subscriber’s purchase or transaction with the entity within the eighteen months immediately preceding the date of the telephone call or on the basis of the subscriber’s inquiry or application regarding products or services offered by the entity within the three months immediately preceding the date of the call, which relationship has not been previously terminated by either party.” 

In April 2009, the retailer Talbots left a prerecorded message on the answering machine of one of its Washington State customers, informing her about some upcoming sales. Her husband, Mr. Cubbage, was annoyed by the message, and sued the retailer, asserting that Talbots had violated the TCPA and the Washington Automatic Dialing and Answering Devices Act, RCW 80. 36.400 (WADAD). Defendant moved for summary judgment, and the United States District Court of Washington granted it in July 2010. The case is Cubbage v. The Talbots, Inc., 2010 WL 2710628 (W.D. Wa. 2010).  

Talbots had argued that the call made to Mr.Cubbage’s wife was permissible because it had an established business relationship with her. Indeed, she had made a purchase at one of the Talbots stores eighteen months before the April 2009 call. Mr. Cubbage argued that since he is the one who listened to the message, the EBR exception did not apply. The Court however disagreed, holding that if a member of a household creates an EBR, that consent extends to calls made to that person’s telephone number.

Mr. Cubbage also argued that the FCC lacked the authority to enact the EBR exemption, but the Court considered that it lacked jurisdiction to consider the validity of the EBR as a rule.


Mr. Cubbage also asserted a state claim pursuant to WADAD. The statute defines “commercial solicitation” as “the unsolicited initiation of a telephone conversation for the purpose of encouraging a person to purchase property, goods, or services.” Under the statute, “no person may use an automatic dialing and announcing device for purposes of commercial solicitation. This [statute] applies to all commercial solicitation intended to be received by telephone customers within the state.”

Talbots argued that it had not violated the WADAD as the call was not intended to be a “telephone conversation.” Therefore, a distinction may be made between prerecorded calls that initiate a conversation and calls that simply convey information without conversation. The Court agreed, after quoting several definitions of “conversations” as a spoken exchange between two or more people.

Plaintiff asserted that such an interpretation eviscerates the statute, in essence striping it from its power to protect Washington State residents from unwanted calls. He is not alone : Assistant Attorney General Shannon Smith is quoted in an article of The Seattle Times as saying that this “very narrow interpretation of the statute… eviscerates the whole intent of the Legislature.” Her office may file a brief as amicus curia in support to Mr. Cubbage’s appeal to the Ninth Circuit Court of Appeals. 

Leave a comment

Will corporations be recognized as having a right to privacy?


The U.S. Supreme Court agreed on September 28, 2010, to review whether Exemption 7(C) of the Freedom of Information Act (FOIA), protecting “personal privacy,” protects not only the privacy of individuals, but also the privacy of corporate entities. The case is Federal Communications Commission v. AT&T, Inc. Docket No. 09-1279.

The facts of the case are as follows. AT&T had provided equipment and services to a federal program administered by the Federal Communications Commission (FCC) geared at increasing schools’ access to advanced telecommunications technology. AT&T found out in 2004 that it may have overcharged the Government for some work, and voluntarily reported that fact to the FCC. The FCC Enforcement Bureau (Bureau) then conducted an investigation. As part of this investigation, AT&T produced various documents to the Bureau. In April 2005, a trade association representing some of AT&T’s competitors submitted a FOIA request for documents in this investigation file. AT&T submitted an objection to disclosure, arguing that FOIA’s exemptions prohibited disclosure.

FOIA, U.S.C. § 552, was enacted by Congress in 1966 in order to improve public access to information controlled by federal agencies. Congress wanted FOIA to reflect "a general philosophy of full agency disclosure unless information is exempted under clearly delineated statutory language." S.Rep. No. 89-813, at 3 (1965). Indeed, there are nine enumerated statutory exemptions allowing an agency to withhold documents responsive to a FOIA request. One of these exemptions is codified at § 552(b)(7)(C) (Exemption 7(C)): FOIA does not apply to “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information could reasonably be expected to constitute an unwarranted invasion of personal privacy.”

FOIA does not define “personal,” but “person” is defined by the Administrative Procedure Act (APA), 5 U.S.C. § 551(2), as “includ[ing] an individual, partnership, corporation, association, or public or private organization other than an agency.” The FOIA was enacted as an amendment to the APA, so it can be argued that this definition applies to FOIA as well.

The Bureau issued a letter-ruling in August 2005, rejecting AT&T’s argument that Exemption 7 (C) prohibited disclosure because corporations lack “personal privacy.” AT&T asked the FCC to review this ruling, and in October 2008 the FCC issued an order compelling disclosure, arguing that Exemption 7 (C) does not apply to corporations. AT&T then filed a petition to review the FCC’s order, arguing that an incorrect interpretation of Exemption 7 (C) prevented a corporation to claim a personal privacy interest.

The Third Circuit reviewed the FCC’s order, and granted AT&T’s petition for review on September 22, 2009, and remanded for further agency proceedings. The Court held that FOIA “unambiguously indicates that a corporation may have a “personal privacy” interest within the meaning of Exemption 7 (C).“ The Third Circuit reasoned that Exemption 7(F) of FOIA prohibits disclosure of information that, if released, “could reasonably be expected to endanger the life or physical safety of any individual”(emphasis in the Third Circuit decision), thus indicating that Congress wanted only human beings to benefit from Exemption 7(F). Since Congress did not use the same language in Exemption 7 (C), it indicates that Congress wanted it to have a broader protective scope. Also, it reasoned that “personal” is the adjectival form of “person” and that “it would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.”

The FCC and the Government petitioned the Supreme Court for a writ of certiorari, and the Supreme Court granted it on September 28.

The Government argued in the petition that “the law ordinarily protects personal privacy to safeguard human dignity and preserve individual autonomy,” and “such concepts do not comfortably extend to a corporation.” The Third Circuit noted in footnote 5 of the ruling that “corporations, like human beings, face public embarrassment, harassment, and stigma “if they are involved in law enforcement investigations.” The government shunned “this attempted personification of an entity.”

However, in Citizen United v. Federal Election Commission, 558 U.S. 50 (2010), the Supreme Court held corporations cannot be prevented by the government to spend money in order to support or to denounce a political candidate, as corporate spending is a form of political speech. The Supreme Court cited the precedent of First Nat. Bank of Boston v. Bellotti, 435 U. S. 765 (1978), to state that “the First Amendment does not allow political speech restrictions based on a speaker’s corporate identity.” Will corporations now have a right to privacy? 

The government also argued that if the APA defines “person” as including public organizations other than a federal government agency, state, local, foreign governments and governmental components would then be given a right to privacy, and thus federal agencies answering a FOIA request may have to balance the public interest in disclosure against the privacy interests of corporations and governments. This may jeopardize public disclosure of government records. Indeed, Public Citizen, the Electronic Frontier Foundation and other nonprofit organizations have filed a brief of Amici Curiae, stating that the Third Circuit’s decision undermines the core purpose of the FOIA, and would prevent that records concerning government oversight of industry would be available to the public.  Once again, the delicate balance between the right of privacy, if there is such a right for corporations, and freedom of information, will have to be assessed by the Supreme Court.


Leave a comment

Health Care Organizations Comment on Proposed Modifications to HIPAA Privacy, Security and Enforcement Rules

The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010. Some highlights from the comments are outlined below.

Enforcement Rule

The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional. According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective. The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”

Privacy Rule

The AHA requested that HHS “consider modifying the Privacy Rule to make clear which provisions are directly applicable to business associates and to specify business associates’ compliance obligations associated with each of these provisions” in order to “provide greater clarity and better facilitate compliance” with the Privacy Rule. The Association of American Medical Colleges recommended that the exception to the rule prohibiting the sale of protected health information (“PHI”) for research purposes be expanded to included PHI that is provided to a data registry for the benefit of providing researchers with access to a larger pool of data for their research.

Security Rule

The American Health Information Management Association expressed concern that the modifications to the Security Rule “appear to suggest that Covered Entities do not need to make as many specific requirements of a Business Associate as in the pre-HITECH agreements because the Business Associate becomes directly subject to HIPAA.” The Coalition for Patient Privacy went further and recommended that HHS require all business associates and covered entities to “undergo meaningful and comprehensive security and privacy audits annually, to establish and prove that their methods of operation do in fact safeguard patient information.”

HHS will accept or reject the submitted comments to the modifications to the HIPAA Rules and decide whether to incorporate them into the Final Rule, which is expected to be published by the end of 2010.