Does Two-Factor Authentication Violate the TCPA?–Duguid v. Facebook
Plaintiff sued Facebook alleging TCPA claims on behalf of a putative class. Facebook sends text messages when someone logs in to their account via a new or unrecognized device. Plaintiff was a non-Facebook user who received these messages. Unfortunately, despite his efforts to get Facebook to stop sending such messages, including responding to the messages with opt-out requests, and contacting Facebook through other means, the messages did not stop.
The key question is whether plaintiff adequately alleges use of an “automatic telephone dialing system” (ATDS). The court says it’s often difficult for a plaintiff to make specific allegations about the use of an ATDS, because the plaintiff would not have any information regarding the specific systems utilized by a TCPA defendant. Some courts give plaintiffs leeway in satisfying their pleading obligation, and courts are slightly more permissive when the allegations suggest the sending of mass texts, in contrast to what plaintiff alleged here. Where a plaintiff’s allegations suggest more “direct targeting,” as plaintiff’s did here, courts often find insufficient an unsupported pleading that an ATDS was used. Plaintiff tried to rely on a 2003 FCC order that the capacity to produce or store random or sequential numbers is not a necessary feature of an ATDS, but the court rejects this argument.
The TCPA is a strict statute that many companies have paid for running afoul of. As Eric notes below, the messages here are useful, and can hardly be characterized as marketing messages. That did not stop plaintiff from suing. Plaintiffs have gone so far as to sue over confirmatory opt-out messages, but as the court notes here, the majority of courts find those are not actionable.
Drafters sought to define the universe of actionable texts by reference to the equipment used to send them, but that definition turned out to be clunky at best. Courts have recently gone back and forth at the pleading stage on the topic of whether a plaintiff adequately alleges the use of an ATDS, and this is the most recent example.
Eric’s Comment: This case never mentions two-factor authentication, but that’s the clear implication of the case. Facebook’s text message sought to increase the security of Facebook accounts by sending a login notice to a physical item–the cellphone–presumably in the accountholder’s possession. (The fact that the notification got misdirected in this case may raise other issues about the efficacy of Facebook’s implementation.) If the TCPA makes it illegal to send those kinds of security notices, it could undermine some of the most widely used two-factor authentication techniques. Fortunately, the court rejects the effort; unfortunately, the TCPA’s poor drafting and massive footprint in the mobile world mean we probably haven’t heard the last word on this topic. So I see this as an indication of how an overreaching sloppy attempt to protect “privacy” like the TCPA may ultimately hamper much-needed and socially beneficial security measures.
Case citation: Duguid v. Facebook, 2016 WL 1169365 (N.D. Cal. Mar. 24, 2016). The complaint.