December 12, 2012 by Matthew Fischer

On December 6, California Attorney General Kamala Harris initiated the first enforcement action under California’s Online Privacy Protection Act (CalOPPA) in San Francisco Superior Court. The complaint filed against Delta Air Lines Inc. asserts that the airline’s operation of its mobile app called “Fly Delta” violates both CalOPPA and California’s unfair competition law (UCL).

CalOPPA requires an operator of a commercial website or online service that collects personally identifiable information (PII) through the Internet about consumers residing in California who use or visits its website to “conspicuously post” a privacy policy. The Act defines PII as: a first and last name; a home or other physical address; an email address; a telephone number; a social security number; any other identifier that permits the physical or online contacting of an individual or; information concerning a user that a website or online service collects from the user and maintains in personally identifiable form in combination with any of the aforementioned identifiers.

Under the Act, an operator must post a privacy policy within 30 days after notification of non-compliance. However, enforcement against a company that fails to comply with a posted privacy policy (either knowingly or negligently and materially) does not require a 30 day notification. On October 26, the AG’s office issued warning letters to over 100 popular mobile app developers that did not have compliant privacy policies, giving them the statutory 30 days to comply or explain why their apps are not covered by CalOPPA. Delta acknowledged receipt of the letter on October 30 and stated that it would “provide the requested information” but, for whatever reason, did not do so within the 30 day window. Delta did publish a privacy policy for the Fly Delta app shortly after the lawsuit was filed.

The complaint alleges that, while Delta maintains a privacy policy on its website, the policy “does not mention the Fly Delta app, and is not reasonably accessible to consumers of the Fly Delta app.” The Fly Delta app collects such PII as a user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, yet, according to the complaint, a privacy policy does not exist “in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.” To that end, the complaint avers that “the Delta website privacy policy does not indicate that it collects geo-location data or photographs.”

CalOPPA was enacted in 2004, before the smartphone revolution, so it does not specifically target smartphones or mobile applications. While the Act does not expressly apply to mobile apps, the California AG takes the position that it does and cites to the fact that mobile applications are deemed “online services” under the federal Children’s Online Privacy Protection Act (COPPA) in support of its position.

Companies can expect more enforcement actions from California’s AG, as well as from other state AGs and federal agencies such as the Federal Trade Commission (FTC). In fact, the FTC just released a report that says a large number of mobile apps that target children collect and share PII with third parties without parental disclosure and the agency plans to launch an investigation into potential COPPA violations. California has been leading the charge with respect to privacy enforcement and Kamala Harris has clearly staked out the privacy arena as a critical part of her administration’s enforcement agenda. In February, she struck an agreement to improve privacy protections with six of the largest mobile and social app companies: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, and Facebook joined the settlement in June. Over the summer, Harris formed a new Privacy Enforcement and Protection Unit charged with regulating privacy issues and enforcing California’s various privacy laws.

So what does this all mean for businesses? There are a number of takeaways for companies with an online and/or mobile presence:

• Do not ignore your privacy obligations because enforcement actions will only continue to increase in the coming months. The consequences of non-compliance can be severe. The AG seeks penalties against Delta in the amount of $250,000 for each violation, which it asserts occurs each time the app has been downloaded since its launch in 2010. This could easily result in billions of dollars in fines. Delta may also find itself the target of civil class actions under California’s UCL, although class members would still have to overcome the Article III standing hurdle by showing a resulting harm.

• While the first CalOPPA enforcement action happened to be against an app developer, the statute was crafted with websites in mind and any company that maintains a website that collects PII of a California resident must have a privacy policy “conspicuously posted” on its website that complies with the Act.

• Having a CalOPPA-compliant privacy policy is only the first step, however, and a policy can actually create liability for a company if it is not followed. Under CalOPPA’s provisions, the AG’s office is not obliged to issue a 30 day warning if it determines that a company is willfully, or negligently and materially, failing to comply with its posted policy. Policies should be crafted with the involvement of technology personnel and reviewed and updated annually to ensure they mirror the company’s practices involving the collection and sharing of PII.

• If a business has a mobile app that collects PII (and most do) then, at a minimum, the privacy policy on the website should cover the mobile app. Yet, California’s AG seems to have an expectation that the privacy policy should be posted within the app itself, which raises a number of complexities. The limited space on the screen of a smartphone makes it difficult to post a policy “conspicuously,” especially when the prime screen space is understandably devoted to the main purpose of the app: to promote the service and/or product and drive sales. The policy should be written in plain (i.e., non-technical) language and should not be stuck at the end of lengthy text that takes forever to scroll through, nor should it be buried several pages into the app.

The tension between online behavioral advertising and the many user benefits generated through the personalization of an individual’s online experience versus mounting state and federal agency privacy concerns will only continue to grow. Companies doing business on the Internet and the mobile space should regularly assess and modify their privacy practices to avoid being the target of a future enforcement action.

A number of lawsuits have been filed (wild understatement – truly hundreds) in recent years under the Telephone Consumer Protection Act (TCPA), a federal law that regulates certain forms of direct marketing.  While the law was originally passed in the early nineties (well before the advent of cell phones), many lawsuits have been filed in recent years asserting that companies’ mobile marketing campaigns are illegal.  For instance, by now most marketers have heard about the TCPA lawsuit pending against Papa John’s in Seattle; in that case, the judge just certified the case as a class action meaning that the plaintiff can represent a class of other persons who received similar unsolicited texts from PJ’s franchisees.  Based on the ruling, all persons in the United States of America who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U, a text marketing vendor, could be awarded $500 or more in damages per text, a total of up to $250 million, if the lawsuit is successful.  It is important to note that PJ’s (the franchisor) contends that it had no involvement in the mobile campaign at issue.  An individual franchisee’s decision to send unsolicited texts can subject many entities to potential liability.  It can be very difficult (and expensive) for a franchisor to prove a negative – that is, that it had no involvement in a mobile campaign that was not compliant with the TCPA.

Marketers should also keep in mind that merely because consumers provide their contact information (including mobile number) that does not mean that they have consented to receive unsolicited marketing messages on their mobile devices.  For instance, in the PJ’s case, the franchisees provided their marketing company – OnTime4U – with lists of telephone numbers of individuals who had purchased pizza from them, generated out of a proprietary Papa John’s “point of sale data entry system” that tracks customer and order information.  The marketing services provider allegedly told PJ’s franchisees that it was legal to send texts without express customer consent because there was an existing business relationship as a result of the provision of the numbers in the context of ordering pizzas for delivery. 

That is not the widely accepted view of consent under the law.  However, as we will detail in a soon-to-be-published post, at least one federal judge has recently ruled that the provision of a mobile user’s number – without more – was sufficient to evidence prior express consent to receive text messages because “distributing one’s cell number is an invitation to be called.”  That case, Pinkard v. Wal-Mart, expressly put the burden on plaintiff (the subscriber) to limit the scope of consent provided by provision of her cell number.

If the PJ’s lawsuit is successful, it would result in the largest verdict to date under the TCPA.  However, high recoveries are not uncommon.  For example, in August, Jiffy Lube’s largest U.S. franchisee agreed to pay $47 million to settle a similar text messaging class action and the International Academy of Design and Technology settled a text messaging class action for $20 million.  Sallie Mae recently settled a case for $20+M as well.

Based on these lawsuits, there are a few considerations to keep in mind:

1.     Text messages are calls under the law.

2.     Unsolicited text messages ARE illegal.

3.     Express prior consent is required to send text messages – buying a pizza (or other similar business transaction) does not establish consent to receive text messages. 

4.     Express consent requires clear and conspicuous disclosure by the company, providing a short code by which a consumer can opt-in, and providing an opt-out mechanism in each and every text sent.

5.     Be cognizant of potential application of the TCPA (as well as other privacy considerations) in every proposed mobile marketing campaigns.  For example, whether an invitation to forward a text to a friend implicates the TCPA?  The friend who receives the text may complain that he or she did not consent to the text (even though coming from their friend and not the company) and thus sue under the TCPA.  Or, whether an invitation to a customer to text a particular short code to receive an immediate coupon constitutes sufficient disclosure of terms and conditions of mobile program such that the subscriber’s consent was sufficiently informed?

6.     Franchisors may be liable even if they had no involvement in the challenged text messaging campaigns – franchisees should be informed of the risks of text messaging campaigns.

7.     Consult with legal counsel before going live with any marketing campaign or providing consumer data to any third-party, including marketing services providers. 

8.     Maintain any and all information regarding a proposed mobile campaign.  Specifically, do NOT instruct vendor or franchisees to destroy lists previously used or to delete information – this only causes more problems if and when litigation ensues

For additional information regarding TCPA lawsuits, please see:

http://www.sdma.com/mobile-marketing-class-actions-20-novel-tcpa-claims-08-08-2012/

We wanted to take a minute amidst all of the recent flurry of TCPA activity (don’t worry, we will return to it in the next post) to mention yet another privacy bill introduced in Congress recently.  Below is a post from Meg Daday, an associate in our Chicago office, regarding the Mobile Device Privacy Act.

* * * * *  

Hailing a taxi, depositing a check, losing weight – you name it, there’s an app for it.  However, according to Rep. Ed Markey (D – Mass.) these apps “very commonly access our sensitive information – our location, our photos, Web browsing, history” and “do this without prior notice and even when the app isn’t currently being used.”

 On September 12, 2012, Markey, the co-chair of the Bi-Partisan Congressional Privacy Caucus, introduced the Mobile Device Privacy Act, H.R. 6377, which requires the Federal Trade Commission, in consultation with the Federal Communications Commission, to require that mobile phone manufacturers, service providers, operating systems, and application developers make disclosures in a “clear and conspicuous manner” at the point of sale or download about any “monitoring software” the entity installs on a mobile device.  “Monitoring software” is defined as software that “has the capability to monitor the usage” of the mobile device or the location of its user, and to transmit that information to another device or system.  The bill requires device sellers and app developers to obtain the user’s “express consent” before monitoring or transmitting any information collected.  Consumers must be allowed to terminate the collection and transmission of data at any time.

The legislation requires first and third parties that collect personal information to have policies in place to secure the data and a process for disposing of or permanently deleting such information.  It further requires all third-party agreements for the transmission of information to be filed with the FTC and/or FCC and allows the FTC, FCC, and state attorneys general to take actions against mobile companies that violate the regulations.  Notably, it also allows consumers to file private rights of action against mobile companies to obtain injunctive relief, actual monetary loss from the violation and/or up to $1000 in damages for each violation, treble damages for “wilful and knowing” violations, costs and attorney’s fees.

 The bill is a result of controversy last year over Carrier IQ, software that wireless operators installed on smartphones in order to help track network congestion and end-user quality problems.  Although the software was intended to improve service, Android developer Trevor Eckhart posted a video showing how the software logged text messages, web searches and other activities without the user’s knowledge or permission.  Wireless carriers have stated that they have disabled Carrier IQ so that diagnostic information and data are no longer being collected.

There has been a tremendous amount of media attention in recent days on the class certification decision in Agne v. Papa John’s International, Inc., Case No. 2:10-cv-01139. 

The facts are relatively straightforward and sadly not uncommon (the decision is available here: PapaJohn’sClassCert[1]).  Plaintiff Agne (2 other plaintiffs were subsequently added but the Court did not consider their claims for purposes of the motion for class certification) alleges that she received unsolicited telephone calls on her cellular telephones in April 2010.   According to the complaint, when these calls connected, plaintiffs received unsolicited visual text messages.  Plaintiffs allege the text messages were sent using a device that made automated calls.

 The complaint further alleges that, beginning in about October 2009, Papa John’s and its Washington-based franchisees engaged OnTime4U to send pre-recorded, unsolicited text messages to cellular telephones.  Specifically, it alleges that the Washington-based franchisees paid OnTime4U to send approximately 30,000 unsolicited text messages in November 2009 and at least 35,000 text messages in April 2010.  Evidence was presented that OnTime4U told Papa John’s franchisees that it was legal to send texts without express customer consent because there was an existing business relationship between the customers and the Papa John’s restaurants. 

Additionally, although Papa John’s did not contract with OnTime4U, there is significant evidence that Papa John’s Franchise Business Directors (“FBDs”) encouraged its franchisees to utilize its services.  For example, there is evidence that OnTime4U made a presentation promoting its services at the fall 2009 Papa John’s “Operator’s Summit” in Las Vegas.  Papa John’s eventually disavowed the program by sending a memorandum to its corporate stores and franchisees on April 27, 2010.  The memorandum directed that “all franchisees … who have shared customer data (particularly telephone numbers) with OnTime4U … take all necessary steps to reclaim this data and/or have the vendor permanently delete it from the vendors [sic] system as well as demand that the vendor not share the data with anyone.”  OnTime4U informed Plaintiff’s counsel that it destroyed the call lists at the behest of Papa John’s.

The court certified the following two classes:

National Class:

All persons in the United States of America who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U.

Washington Sub-class:

All persons in Washington State who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U. 

In its opposing the motion for class certification, Papa John’s challenged Plaintiff’s standing in several respects.  First, Papa John’s argued that Plaintiff’s injury is not fairly traceable to any Papa John’s franchisees other than the Washington-area franchisees.  However, the court held that Plaintiff’s lack of standing to sue non-named franchisees does not defeat her standing to sue on behalf of either of her proposed classes. 

Papa John’s also argued that Plaintiff lacks standing because Plaintiff’s only contacts with Defendants arose from a franchisee-level decision to engage OnTime4U.  However, the court held that whether Papa John’s had any involvement in the franchise-level decisions to contract with OnTime4U and the extent of the involvement is a central disputed issue in the case that was not ripe for resolution at the class certification stage. 

The Washington-area franchisees argued that class certification was inappropriate because the majority of the two proposed classes suffered no injury by these franchisees and therefore lack standing to be included in any class certified as to them.  However, according to the Court, there is conflicting case law as to whether a putative class representative is required to show only that she has standing or must also show that all members of the class have standing.  However, the court stated that it need not reach this issue because every proposed class member has standing to sue OnTime4U, so the Article III standing requirement was satisfied.

Turning to the Rule 23(a) prerequisites, the court easily found that the requirements of (1) numerosity; (3) typicality; and (4) adequacy, and the implied prerequisite that the class be ascertainable, were met.

With respect to the commonality requirement, the court identified the following common questions of law and fact:

(1)   Whether OnTime4U’s contention that buying a pizza is sufficient to establish a business relationship is valid as a matter of law;

(2)   Whether an established business relationship is a defense to sending text messages to a cellular phone without express consent under the TCPA;

(3)   Whether OnTime4U’s system of transmission qualifies as an “automatic dialing system” under the TCPA;

(4)   Whether Papa John’s controlled, participated in, or authorized OnTime4U’s text blast campaign; and

(5)   Whether Papa John’s is vicariously liable for the acts of its franchisees.

Citing Dukes v. Wal-mart, Papa John’s argued that whether it was sufficiently involved in marketing decisions of various franchisees to establish its liability would require individual inquiries that undermine commonality.  However, the court held that, unlike in Dukes, the Papa John’s plaintiffs alleged that Papa John’s FBDs encouraged franchisees to enlist OnTime4U to send text messages to their customers.

The court similarly overruled Papa John’s arguments with respect to the Rule 23(b) requirements of predominance and superiority.  The Court rejected Papa John’s argument that individualized inquiries predominated over common issues.  It stated that Papa John’s is in the best position to present evidence of individual consent and will not be precluded from presenting admissible evidence of individual consent if and when individual class members are permitted to present claims.  With respect to superiority, the court disagreed that the $500 in statutory damages provides sufficient incentive for individuals to bring claims in small claims courts.

The Payment Card Industry Security Standards Council (PCI SSC) recently issued guidelines for mobile payment acceptance security.  The “PCI Mobile Payment Acceptance Security Guidelines” provide smart phone manufacturers and mobile app developers’ best practices on security controls to help facilitate consumer mobile payment transactions.  The PCI SSC oversees the Payment Card Industry data-security standards (PCI DSS), which include standards for secure payments software and PIN-based transaction devices.   The Council previously published related guidelines such as the application of data standards to mobile payment acceptance using the Payment Application Data Security Standard (PA-DSS), leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to secure payments on smart phones.  The latest guidelines are intended to address software security problems that have started to creep into the plethora of new programs and apps designed to process payments on smart phones.  

The three main objectives delineated in the guidelines include:

1. Protect sensitive account data from being intercepted when entered into a mobile device used for payment processing.  Viable protection options include encryption or establishing a secure path between the data entry mechanism (i.e., the keypad) and the mobile unit that stores memory.

2. Prevent sensitive account data from being compromised while stored inside the mobile device. The guidelines recommend a strategy that allows for: secure distribution of account data; secure access to and storage of account data; controls over account data while in use and; prevention of unintentional data disclosures.  Account data should be temporarily stored in a secured environment before processing and authorization and should not be accessible to third parties. If data is stored on the mobile device after authentication, data should be rendered unreadable or encrypted.  Other means to prevent unauthorized access are the implementation of design features such as secure lock screens and time-sensitive sessions requiring logins.  Server-side control options include an access control list, the ability to monitor system events and distinguish normal from abnormal events and the ability to report abnormal events that may indicate a system breach or data leak (e.g., encryption key changes, invalid login attempts and app updates). 

3. Protect sensitive account data during transmission out of the mobile device, usually through encryption.  One way to do so is to prevent unauthorized logical device access by implementing design features that prevent unauthorized access, including secure lock screens and time-sensitive sessions requiring logins.

Another security measure identified in the guidelines is the remote disablement of stolen or lost devices, which will become a significant feature over time as tablet computers are increasingly used by merchants in lieu of the more conventional point-of-sale (POS) terminals in retail store and restaurants.  As merchants increase their usage of mobile devices in the POS process, the potential for those devices to go missing will correspondingly increase but, unlike a standard POS terminal at a fixed check-out location, a missing mobile device may not be detected for hours, which greatly enhances the potential damage since that mobile device can then be used as a skimmer if a thief is able to access the credit and debit card numbers entered from past sales.   

Some in the industry have criticized the guidelines as being too summary in nature and thin on substance, but that is the reality when offering general guidelines.  Specific security solutions will be dependent upon the particular software, app and/or mobile device in use. 

On May 30th, the FTC will host a one day public workshop to consider the need for new guidance for for online advertisers about making disclosures.  As loyal readers of this blog know, the disclosure obligations created by the FTC’s Revised Guides (and from other sources) are complicated by the size of the “third screen” (query whether mobile is truly the third screen anymore; many would contend it is the first screen).

In any event, details of the Workshop are accessible here: Preliminary Agenda for FTC Mobile Disclosure Workshop.

Couple of interesting articles and news stories of late about the proliferation of unsolicited text messaging and Twitter’s efforts to curb spam.  Regarding the former, expect the recent media attention to result in an uptick in the number of Telephone Consumer Protection Act (TCPA) class actions filed.  An interesting aspect of the NY Times story is that unsolicited texts are being used to drive traffic to sites where various personal information is being requested in order to claim prize, gift card or discount – and, in turn, that PI is used to compile a more robust composite of the consumer which is then sold, rented or otherwise used by marketing cos to send targeted messaging.

Regarding its recently filed lawsuits against 5 of its most prolific spammers, Twitter stated that “[w]ith this suit, we’re going straight to the source. By shutting down tool providers, we will prevent other spammers from having these services at their disposal. Further, we hope the suit acts as a deterrent to other spammers, demonstrating the strength of our commitment to keep them off Twitter.”

NY Times article re: proliferation of unsolicited text messages

Twitter Statement re Spam Lawsuits

Now that the speaking engagements have quieted down for a bit, it’s time to refocus efforts on the blog as many interesting developments on the privacy, marketing and legal fronts have occurred in recent weeks.

Jumping right in, Judge Lucy Koh (of the ND of Cal.) recently issued a significant decision in In Re IPhone Application Litigation, Case No. 11-MD-02250-LHK (iPhoneMTDOrder), which has considerable implications for all privacy cases generally and for mobile and application-based ones specifically.  The case consisted of several consolidated class actions filed on behalf of users of applications on various iOS devices, including iPhones and iPads.  Basically, the Court dismissed all claims because it found that Plaintiffs had not adequately alleged injury-in-fact; that is, even accepting all of Plaintiffs’ allegations as true (for purposes of the motion to dismiss), there were no allegations of sufficient injury to confer standing.  The Court – although it expressed some skepticism about their ability to do so – did grant Plaintiffs leave to re-plead their claims, if possible.

The underpinning of Plaintiffs’ claims is not novel; they asserted that Apple (and certain affiliate marketing and app developer companies) – through various mobile devices – collected and disclosed their personal information without their knowledge or permission in violation of various federal and state laws, including the Computer Fraud and Abuse Act, California’s Comprehensive Computer Data Access and Fraud Act and California’s Unfair Competition Law.  Plaintiffs also contended that Apple violated its Terms of Service by allowing certain applications to access PI despite representations (in its ToS) that it would not allow such behavior. 

In dismissing the case, Judge Koh ruled that Plaintiffs lacked Article III standing because they had failed to plead “an ‘injury in fact’ that [was] (i) concrete and particularized and (ii) actual or imminent, [and not merely] conjectural or hypothetical.”  As in other recent privacy cases (RockYou_MTD_decision), Plaintiffs asserted that although they were not able to demonstrate any monetary damage as a result of the disclosure of PI, they had suffered a diminution in the value of their PI as a result of the unlawful disclosures.  The Court rejected this (and other) abstract concepts put forth by Plaintiffs and concluded that they needed to allege (and ultimately prove) tangible economic harm.  Judge Koh also ruled that Plaintiffs failed to plead causation – that is, that any alleged injury was “fairly traceable” to Apple’s alleged conduct.  Specifically, Judge Koh stated that:

• “[i]n the Consolidated Complaint, Plaintiffs do not identify what [Apple devices] they used, do not identify which Defendant (if any) accessed or tracked their personal information, do not identify which apps they downloaded that access/track their personal information, and do not identify what harm (if any) resulted from the access or tracking of their personal information.”
• “Plaintiffs [had] not identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.”
• plaintiffs “had not alleged any ‘particularized example’ of economic injury or harm to their computers, but instead offered only abstract concepts, such as ‘opportunity costs,’ ‘value-for-value exchanges,’ ‘consumer choice,’ and ‘diminished performance.’”
• Plaintiffs “have stated general allegations about the Mobile Industry Defendants, the market for apps, and similar abstract concepts (e.g., lost opportunity costs, value-for-value exchanges), but Plaintiffs have not identified an actual injury to themselves sufficient for Article III standing.”

Judge Koh also rejected Plaintiffs’ contention that Apple’s ToS – by which it disclaimed any liability for the acts of third parties, including application developers – were unconscionable contracts of adhesion because the applications involved “non-essential recreational activity.”  That is, the Court ruled that the terms of the ToS were not unfairly forced upon Plaintiffs because it did not involve a necessity; “when the challenged term is in a contract concerning a nonessential recreational activity, the consumer always has the option of simply forgoing the activity.”  Tellingly, the Court noted that if Plaintiffs attempt to re-plead their claims, they must, among other things, “explain why Apple should be held responsible for privacy violations despite Apple’s apparent privacy agreements with its customers, including Plaintiffs.”

I was honored to be invited to be on a panel discussing legal issues facing companies operating in the daily deal space.  Brief summary of the discussion can be accessed here. 

Many legal issues and challenges in this nascent field – more in coming days about how to mitigate risk for these companies. 

Also, Day 2 of the Daily Deal conference is tmrw.

The benefits of mobile marketing are undeniable.  Among other things, SMS and MMS campaigns create a personalized interaction between brand and consumer and foster brand loyalty.  However, with great opportunity comes great peril.  As you likely know if you are reading this blog, mobile marketing is regulated by federal law – the Telephone Consumer Protection Act, and claims can be brought under various state laws regulating unfair or deceptive business practices (not to mention under common law theories as well).  But, as much as it pains me as a lawyer to leave the legal issues aside for a minute, more troubling than the legal exposure is the attendant loss of goodwill and customer loyalty that comes with unsolicited text messages.  Just as other marketing channels – calls, faxes & emails – are increasingly considered nuisances more than anything else, text messaging is in danger of going down a similar path.  In part, that is due to the effectiveness of mobile campaigns – they work, therefore everybody – so you’re told – should be doing it and there are many (less than ideal) outfits that will design and implement a text campaign for you.  Having defended many TCPA class actions, I can tell you that the way you get into trouble is by outsourcing mobile campaigns to third-parties and not ensuring the validity of the data they are using, particularly the effectiveness and scope of consent.  Finally, it is imperative to review carefully any and all agreements with affiliate marketers to ensure appropriate indemnification, as well as to review insurance policies to determine whether your marketing campaigns come within their purview.

Check out this interesting infographic created by SMS marketing provider Tatango (and published on Mobile Marketing Watch).  Of particular interest to me (can never get the lawyer out of me), is the last graphic about some of the bigger ticket settlements for TCPA text cases in recent years.  To my above point about reviewing your insurance policies, you should also take a look at this recent article by Katherine Mast (of our LA office) regarding a recent insurance coverage decision in a TCPA case.