It has been quite a week for Facebook’s legal team. In addition to the antitrust cases that my AEI colleague Mark Jamison discussed yesterday, the company argued in the Supreme Court over the meaning of the Telephone Consumer Protection Act (TCPA), an old anti-robocall statute. At first glance, the case seems to be an esoteric fight over statutory interpretation interesting only to nerdy law professors. But the holding has broad implications for Big Tech, especially in the cybersecurity realm.
Congress passed the TCPA in
1991 to combat robocalls, which bill sponsor Sen. Fritz Hollings (D-SC) dubbed
“the scourge of modern civilization.” The statute’s most important effect was
to outlaw calls to residential landlines using an artificial or prerecorded
voice, except in emergencies or with prior consent. But the Supreme Court case
addresses a different provision: the ban on automatic telephone dialing systems
Under the statute, “The term ‘automatic telephone dialing system’ means equipment that has the capacity — (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” The statute prohibits the use of autodialers to call emergency numbers, hospital rooms, or — importantly — cell phones. The Federal Communications Commission (FCC) has interpreted the statute to cover text messages as well.
The confusion comes in the awkward language used in part (A). The court must decide whether the phrase “using a random or sequential number generator” modifies both “store” and “produce” as Facebook argues, or merely “produce” as the plaintiffs assert. In the plaintiffs’ reading, if a device has the capacity to store telephone numbers to be called and to dial such numbers, then it should qualify as an autodialer under the statute.
What’s at stake?
Huge dollars turn on this seemingly pedantic grammar dispute. In the past decade, TCPA class actions have become big business for trial lawyers, rising tenfold from 351 cases in 2010 to 3,267 in 2019 (and even that is down from the peak of 4,638 in 2016). With an average payout of $6.6 million, it’s no surprise that both sides have pushed to capture the Supreme Court’s attention.
The broad interpretation pushed
by plaintiffs, which has won in some lower courts, has encouraged litigation
far afield of Congress’ original intent. For example, FCC Chairman Ajit Pai
highlighted a case against the Los Angeles Lakers involving a fan contest to
text messages for display on the jumbotron at a basketball game. When the team
responded to entries with an automated message explaining that not all entries
would win, it was sued for using an autodialer.
Pai’s example only hints at the potential breadth of the plaintiffs’ argument. If any device capable of storing numbers to be dialed is an autodialer, then every smartphone in America carries TCPA liability. Conceivably, every time you use a smartphone to call a cell number without prior consent, you could face a $1,500 penalty — something that troubled Justice Sonia Sotomayor at oral argument.
The irony, of course, is that
while TCPA is generating huge paydays for trial lawyers, it is doing very
little to actually combat robocalls. The statute’s primary tool — a private
right of action to punish robocallers — is ineffective. While robocalls
continue to be a scourge, generating millions of unwanted calls annually,
technology has made it harder than ever to identify their origins. These calls
mostly come from overseas using equipment that masks the true identities behind
them. This means it is nearly impossible to find and sue the perpetrators for
TCPA violations — which is why the fight against robocalls has shifted from
litigation to technological measures such as better call authentication procedures
and blocking of suspected robocalls at the point they enter the American
In fact, the plaintiffs’ theory makes the TCPA a barrier to effective cybersecurity by discouraging one of the most useful tools in the fight against hackers: two-factor authentication. This reality is exhibited by the Facebook case itself. When Facebook detects a login from an unrecognized device, it texts a notification to the user. Duguid, the plaintiff in the Supreme Court case, received several of these texts despite not owning a Facebook account (likely because his phone number had previously belonged to a Facebook user). If, as Duguid suggests, every such text carriers the potential for a $1,500 fine, companies will be less likely to rely on two-factor authentication using cell phones as a tool to verify identities or notify users of potential fraudulent activity.
Ultimately, I expect the
Supreme Court to adopt Facebook’s narrow definition, which will curtail these
harms. But the dispute illustrates how vestigial analog-era statutes can cast a
long shadow. Through sunset provisions or other mechanisms, Congress should
routinely assess whether older laws continue to benefit consumers.
For more TCPA analysis, download my Perspectives article published earlier this year by the Free State Foundation.