DOGE Blocked from Access to Department of Treasury Payment Systems
On February 21, 2025, a federal district court judge from the Southern District of New York issued a preliminary injunction against the Department of Government Efficiency’s (DOGE) access to Treasury Department payment systems, stating access was provided in a “chaotic and haphazard manner.” The order resulted from a suit filed by 19 state Attorneys General against DOGE for unauthorized access to Americans’ data. It prevents anyone affiliated with DOGE from accessing federal payment systems until further order.
According to the 64-page opinion, the judge was critical of the “‘rushed’ process by DOGE to access Bureau of Fiscal Service’s payment systems, which stores the names, Social Security numbers, birth dates, birth places, home addresses and telephone numbers, email addresses, and bank account information of Americans who have transacted with the federal government.”
The District Court also noted that “[t]he record is silent as to what vetting or security clearance process they went through prior to their appointment” and reported being “troubled by the fact that Elez [a DOGE associate] was apparently granted full access to [Bureau of Fiscal Service] systems rather than read-only access, writing that that process was ‘rushed and undertaken under political pressure.’” We have made a similar observation.
The Court requested that the Treasury Department provide a report by March 24, 2025: (1) certifying that the DOGE associates have been vetted, have obtained proper security clearances, and have been properly trained; and (2) setting forth the mitigation measures which have been taken to minimize threats associated with the access, including the reporting chains for DOGE within the Treasury Department.
The ruling stated that “[t]he process by which the Treasury DOGE Team was appointed, brought on board, and provided with access to [Bureau of the Fiscal Service] payment systems could have been implemented in a measured, reasonable, and thoughtful way. To date, based on the record currently before the Court, it does not appear that this has been the case.”
House Leadership Announces Priorities for Congressional Review Act Action; No TSCA Rules Are in the Top Ten Targets
Much has been written about the Congressional Review Act (CRA), which Congress can use to repeal qualifying federal agency actions. The CRA was enacted as part of the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA). According to the Congressional Research Service (CRS), through 2024 the CRA was used to repeal 20 rules, including 16 during President Trump’s first term. The CRA was also used successfully one time in the 107th Congress (2001-2002) under former President G.W. Bush and three times in the 117th Congress (2021-2022) under former President Biden.
CRA actions seek to undo regulatory actions of an administration and are typically only used when there is a new President of a different party than their predecessor and a Congress where both the House of Representatives and Senate are controlled by the same party as that of the new President. Congress has a narrow window to act on a resolution of disapproval, which limits the number of CRA actions that Congress can take.
In the current 119th Congress (2025-2026), 55 resolutions of disapproval have been introduced as of February 25, 2025. Of that number, 16 address rules promulgated by the U.S. Environmental Protection Agency (EPA). Four of these relate to the Toxic Substances Control Act (TSCA), including three (essentially the same) regarding trichloroethylene (TCE). The other resolution of disapproval is regarding decabromodiphenyl ether (decaBDE) and phenol, isopropylated phosphate (3:1) (PIP 3:1), “Revision to the Regulation of Persistent, Bioaccumulative, and Toxic Chemicals Under the Toxic Substances Control Act (TSCA)” (89 Fed. Reg. 91486 (Nov. 19, 2024)). More information about the CRA action on TCE can be found in our January 24, 2025, blog item.
House Majority Leader Steve Scalise (R-LA) announced on February 20, 2025, the top ten rules that House Republicans are prioritizing for CRA action in the coming weeks. Only three rules relate to EPA; none relate to TSCA. Leader Scalise notes in the press release that there is the potential for more rules to be added to the list for CRA action.
In addition to the time constraint that limits Congress’s ability to enact CRA legislation, Congress is facing multiple deadlines on March 14, 2025, the date that government funding expires unless extended. March 14, 2025, also is the date that other programs expire, including the National Flood Insurance Program and Temporary Assistance for Needy Families (TANF), which provides benefits to families in need. See additional details in our February 21, 2025, blog item.
Given these deadlines, Congress will be challenged to equal the mark of 16 successful CRA actions in President Trump’s first term.
President Trump’s “America First” Investment Policy Memorandum
On February 21, 2025, President Trump issued a National Security Presidential Memorandum titled “America First Investment Policy,” outlining several key strategies aimed at enhancing U.S. national and economic security through investment policy. This memorandum directs several agencies and executive departments, including the U.S. Department of the Treasury, the U.S. Department of Commerce, the Committee on Foreign Investment in the United States (“CFIUS”), the Federal Bureau of Investigation, and the Securities and Exchange Commission to take specific actions to encourage investment from allies and to protect America’s national security interests from foreign adversaries, with a particular focus on the People’s Republic of China (“PRC”).
The White House released an accompanying fact sheet outlining its reasons for issuing the memorandum.
While the memorandum does not implement any immediately effective regulatory changes, it establishes an important framework and plan of action that investors should anticipate eventually coming into effect.
Encouraging Allied Investment
The memorandum encourages foreign direct investment from allied nations by proposing a “fast-track” review process for investments from specified “allied and partner” countries. This is intended to facilitate investments in advanced technology and other strategic areas while ensuring these investors do not partner with U.S. adversaries. Along these lines, the memorandum provides that restrictions on foreign investors’ access to U.S. assets “will ease in proportion to their verifiable distance and independence from the predatory investment and technology-acquisition practices of the PRC” and other adversaries. The United States will also expedite environmental reviews for investments exceeding one billion dollars.
Restricting Inbound Investment Linked to Adversaries
The United States “will use all necessary legal instruments,” including CFIUS, to block PRC-affiliated investments in strategic sectors like technology, critical infrastructure, healthcare, agriculture, energy, and raw materials. This may result in CFIUS expanding its scrutiny of “covered transactions” with PRC links, potentially lowering thresholds for review and increasing mandatory filings for PRC-linked entities (although certain measures could require congressional action). The memorandum also provides that the Trump administration will consult with Congress regarding expansion of CFIUS review to cover “greenfield” and farmland investments, which are currently beyond CFIUS’s authority to review.
The memorandum also directs CFIUS to cease using mitigation agreements for U.S. investments from foreign adversaries, and describes these agreements as “overly bureaucratic, complex, and open-ended.” Any mitigation agreements “should consist of concrete actions that companies can complete within a specific time, rather than perpetual and expensive compliance obligations.” The memorandum emphasizes that the United States should direct administrative resources toward facilitating investments from key partner countries.
Restricting Outbound Investment Linked to Adversaries
The memorandum also mentions potential new restrictions on U.S. outbound investments to China in sensitive technologies like semiconductors, artificial intelligence (“AI”), biotechnology, quantum, hypersonics, aerospace, advanced manufacturing, and directed energy, and states that the United States will use all necessary legal instruments to further deter U.S. persons from investing in the PRC’s military-industrial sector. It also indicates that sanctions may be imposed under the International Emergency Economic Powers Act to address threats swiftly. The memorandum further states that the Trump administration will consider applying restrictions on various types of outbound investment, including private equity, venture capital, greenfield investments, corporate expansions, and investments in publicly traded securities, from sources such as pension funds, university endowments, and limited partner investors. Last, the memorandum notes that the Trump administration is reviewing Executive Order 14105 on outbound investment, issued by President Biden in August 2023, to assess whether it sufficiently addresses national security threats.
Passive Investments
The President’s memorandum emphasizes that the United States will continue to encourage “passive investments” from all foreign persons and entities, including non-controlling stakes and shares with no voting, board, or other governance rights and that do not confer any managerial influence, substantive decision-making, or access to sensitive technology or information.
Protecting U.S. Investors
Relevant agencies must review existing auditing standards for foreign companies on U.S. exchanges (e.g., under the Holding Foreign Companies Accountable Act), scrutinize variable interest entities often used by foreign adversary firms, and tighten fiduciary standards to exclude adversary-linked companies from pension plans.
Key Takeaways
The “America First Investment Policy” encourages the realignment and prioritization of investment flows between the United States and allied nations, provided that investors have “verifiable distance” from the PRC. As implementation unfolds, investors and businesses will need to navigate this evolving landscape with agility.
For U.S. companies, the memorandum could unlock significant opportunities and challenges. Firms in strategic sectors like semiconductors, AI, and biotechnology may benefit from increased allied investment and expedited project approvals, boosting domestic innovation and jobs. However, a broader range of transactions (such as greenfield transactions) may be subject to CFIUS review, and if a foreign investor has ties to the PRC that CFIUS considers concerning, it could face heightened scrutiny. (Notably, this already takes place, to an extent.)
For foreign investors, the impact hinges on their origin and affiliations. Investors based in allied countries (e.g., Japan, EU member states) without troubling PRC ties stand to gain from the fast-track process, potentially increasing their U.S. market presence if they comply with anti-adversary stipulations. Conversely, PRC-linked firms face heightened barriers. Investors interested in taking advantage of the fast-track process, once implemented, should consider how to best position themselves for fast-track treatment, including through any appropriate adjustments to operations and third-party relationships with China or other foreign adversaries.
WAS THE FCC HACKED?: Telnyx Response to FCC $4.5M NAL Over Scam Robocalls Hits Home
So Telnyx filed its response to the FCC’s $4.5MM NAL today and it is an incredibly interesting saga.
For those of you just catching up, Telnyx is a carrier that apparently allowed an outfit known as “MarioCop” onto its network.
MarioCop was able to target major players at the FCC–we’ll get to just how major in a second–with a robocall scheme pretending to be an FCC fraud detection service. Ultimately the scammers were apparently trying to convince FCC staffers to fall for a gift card scam.
If that sounds like a longshot, it is.
And Telnyx CEO David Casem has suggested his company was intentionally “swatted” by MarioCop who brought the FCC heat down on it.
But in this company’s NAL response–out today–Telnyx raises another issue that is just fascinating–how did MarioCop have the personal cell phone numbers of so many FCC staffers to begin with?
As the NAL response says:
Commission employees (current and past) and their families were the primary and intentional targets of the calls placed by MarioCop. The persons reached include the current Chairman of the Commission, the Chairman of the Commission during President Trump’s first term, one current commissioner, numerous chiefs of staff, legal and policy advisors in the offices of all of the current commissioners and the last two Commission chairs, members of the front offices of the Enforcement Bureau, the Office of General Counsel, the Wireline Competition Bureau, the Office of the Managing Director, and staff attorneys of such bureaus and divisions, family members of Commission personnel, and other government officials and industry participants in the telecom policy ecosystem.
Wow.
As the response points out, “personal cell phone numbers of Commission personnel are not made publicly available by the agency, and the identities and personal cell phone numbers of their family members are not, either.”
So how in the world did MarioCop get all those phone numbers?
Hmmmm.
The answer to that question is just one of many lurking behind the FCC’s actions against Telnyx. And while it is tempting to say Telnyx must have done something wrong because ipso facto when the FCC gets targeted with a robocall scam the carrier is to blame, there is more here than meets the eye.
Full response here: Telnyx Response
Press release here: Telnyx Press Release
SEC Withdraws from Prominent Crypto Enforcement Amid Regulatory Shift
Just over one month into the second Trump Administration, the crypto industry appears poised to notch yet another victory in its longstanding tug-of-war with regulators — perhaps its most significant to date. On February 21, Coinbase Chief Legal Officer Paul Grewal announced via blog post that the U.S. Securities and Exchange Commission (“SEC”) is set to drop its enforcement action against the company. The lawsuit, which claimed that the company had failed to fulfill registration requirements, has been one of the SEC’s highest-profile crypto cases.
The post stated that the SEC had “agreed in principle” to dismiss the case. The action must still be approved by the three sitting SEC commissioners, including Commissioner Hester Peirce and Acting Chair Mark Uyeda, both of whom have previously expressed crypto-friendly views.
This development comes on the heels of announcements from other crypto companies revealing that the SEC has voluntarily closed investigations into their activities. On February 21, OpenSea, the largest NFT marketplace, announced via a post on X that the SEC had closed an investigation into its operations. On February 24, the crypto arm of trading platform Robinhood announced that the SEC had closed its investigation into the company.
Background of the Case
The SEC filed its enforcement action against Coinbase in June 2023 under former-Chair Gary Gensler, alleging that the crypto platform violated securities laws by failing to register itself as a broker, exchange and clearing agency, as well as certain purported offers and sales of securities through its Staking Program. The case centered on the longstanding debate over whether and when digital assets should be classified as securities. Although the company was in the process of pursuing interlocutory review of this question in the U.S. Court of Appeals for the Second Circuit, the SEC’s apparent decision to drop the case would preclude an appellate showdown.
A Shift in Regulatory Approach
Acting Chair Mark Uyeda has stated his goal of developing a “sensible regulatory path” for digital assets, moving away from the aggressive enforcement tactics seen under former-Chair Gensler. Uyeda’s reforms include:
Establishing a “Crypto Task Force” led by Commissioner Peirce to address digital asset policies and pursue greater regulatory clarity. For more details on the Crypto Task Force’s initiatives, see our previous discussion here.
Replacing the SEC’s Crypto Assets and Cyber Unit with the Cyber and Emerging Technologies Unit, a smaller team targeting cyber-related misconduct. Commissioner Peirce indicated in a recent statement that while the SEC aims to provide greater legal clarity, it will not be giving crypto projects a free pass. She expressed that the agency’s aim is to “travel to a destination where people have great freedom to experiment and build interesting things” with no tolerance for “liars, cheaters, and scammers.”
Pausing or reviewing several ongoing crypto cases, indicating that the agency is open to halting certain active enforcement matters or pursuing constructive resolutions.
Looking Ahead
The SEC’s willingness to step away from ongoing enforcement investigations and actions underscores the changing regulatory landscape for crypto under the current administration. Rather than “slamming on the enforcement brakes,” as Commissioner Peirce put it, the agency now appears committed to working with stakeholders to develop forward-looking legislation and a clearer regulatory framework for the burgeoning industry.
For crypto companies navigating uncertain regulatory waters, this development may signal the beginning of a more collaborative era – but not one without scrutiny. Commissioner Peirce has cautioned that “SEC rules will not let you do whatever you want, whenever you want, however you want. Some of these rules will impose costs and other compliance burdens . . . and the Commission will use its enforcement tools when necessary to pursue noncompliance.” As the Crypto Task Force advances its work, further developments in crypto regulation and enforcement are expected in the months ahead.
The LWDA: There’s a New Sheriff in Town
In a sharply worded notice, the Labor & Workforce Development Agency (LWDA) recently demanded that a plaintiff-side law firm amend over 100 Private Attorneys General Act (PAGA) notices it had filed. The LWDA warned that failure to amend would risk a finding that they are insufficient to satisfy PAGA’s administrative notice requirement.
Before an allegedly “aggrieved” employee can commence a PAGA lawsuit, the employee must give written notice to the LWDA and the employer of the specific labor code provisions alleged to have been violated, including the facts and theories to support the alleged violations. This pre-litigation notice obligation has been described as an “administrative exhaustion” requirement.
The LWDA’s letter explains that a PAGA notice must include sufficient factual detail to apprise both the LWDA and the employer of the nature of the violations alleged. The purpose of this requirement is twofold. First, the LWDA needs enough specifics to intelligently assess the seriousness of the alleged violations and determine whether to devote government resources to an investigation. Second, the employer receiving the notice needs enough information to understand the nature of the violations, so it may decide whether to “fold or fight.” Importantly, none of this is new—this has always been the standard.
According to the LWDA, the PAGA notices this law firm filed, which the LWDA characterized as “boilerplate,” generally failed to demonstrate any applicability or relevance to a particular claimant, or their unique circumstances in terms of their employment with their current or former employer in any specific case. The LWDA commented that, based on a sampling of the notices, they appeared to be a “template form” prepared without regard to any individual claimant’s particular experiences or employment with their respective employer.
The LWDA then directed the law firm to amend over 100 notices it had filed. The LWDA commented that absent amendment, the notices appeared insufficient to satisfy PAGA’s administrative notice requirements. The LWDA directed that the amended notices set forth specific violations each particular claimant personally suffered and describe the particular facts and theories supporting the specific violations in each case.
While the LWDA pointed to the PAGA reforms enacted last year as evidence of a legislative intent to increase its oversight of PAGA matters, one has to wonder whether a trial court ruling about which we wrote last year, Whose Case Is It Anyway? Trial Court Orders State of California to Pay Court Costs in PAGA Action, might have also inspired the LWDA. In that case, an Alameda Superior Court judge awarded costs to a victorious employer in a PAGA matter and against the LWDA. That matter is now on appeal.
With the LWDA seemingly becoming more involved in reviewing PAGA filings, it remains to be seen how this may impact PAGA litigation in California.
Florida Appellate Court Rules Hookah Products are Taxable OTP
The First District Court of Appeal upheld a ruling that hookah products are “loose tobacco suitable for smoking” and therefore taxable as Other Tobacco Products (OTP) under Florida law. The hookah products in question are made from tobacco leaves combined with a binding mixture.
In the 2-1 decision, the majority opinion claimed the statutory phrase is unambiguous while focusing on the common understanding of what “smoking” means, the physical state of the tobacco leaves in hookah products, and the ultimate consumption of nicotine during use.
The dissenting opinion took a more technical approach to defining “smoking.” The dissent reasoned that for a product to qualify as “loose tobacco suitable for smoking,” the tobacco itself must be ignited—a position consistent with precedent from other states. While acknowledging the Florida Legislature likely intended to include hookah products under the tax, the dissent argued that tax statutes must be narrowly construed, and courts should not expand statutory language to align with presumed legislative intent.
The full opinion is available here.
This ruling represents a significant shift in interpreting the relevant statutory language. Businesses operating in the tobacco product market should carefully review this decision to determine how it might affect their products and practices under current regulations.
Medicare Payment Model Trends and Economic Drivers – Awaiting Direction from Trump Administration
The Medicare program continues to face long-term financial pressures associated with inflationary effects on health care costs and the growing wave of aging baby boomers. The Medicare Trust Fund, which is often viewed as a foil for health care affordability, has long faced a proverbial financing question. The fund covers Medicare Part A services, including inpatient hospital services and hospice care and skilled nursing services following a hospital stay. Projected solvency risks of the fund improved with the passage of the Affordable Care Act of 2010 (ACA), which, among other things, reduced Medicare payments to Medicare Advantage Organizations and implemented medical loss ratios. However, the fund faced acute short-term solvency risks between 2018 and 2023. The fund is currently expected to be depleted in 2036.[1]
Against that economic backdrop, the past two decades have seen incredible growth in value-based care reimbursement arrangements, including the rapid growth of the Medicare Shared Savings Program (MSSP) following passage of the ACA, the development of the Center for Medicare and Medicaid Innovation (CMMI) under the Centers for Medicare & Medicaid Services (CMS), and development of narrower alternative payment models (APMs) tested by the CMMI in subsequent years (such as the soon-to-be expiring Accountable Care Organization Realizing Equity, Access, and Community Health (ACO REACH) Model and the latest episode-based payment model Transforming Episode Accountability Model (TEAM)). Those payment models have improved quality and efficiency of care, while reducing overall cost to the Medicare program.
Indeed, on the heels of those early economic successes, CMS under the Biden Administration set a goal that by 2030 all Medicare fee-for-service beneficiaries with Medicare Parts A and B and a vast majority of Medicaid beneficiaries will be in an accountable care relationship for quality and total cost of care.[2] That transition is expected to generate large savings which could shore up the Fund. CMS reported 2.1BN in net savings under the Medicare Shared Savings Program in 2023.[3] Further, Medicare Advantage enrollment is shifting in this direction – as of September 2024, 50.5% of people enrolled in Medicare were participating in a Part C Medicare Advantage Program, up from 39% in 2019.[4]
The payment models package several features and innovations, but generally seek to support the “quadruple aim” – a modification of the “triple aim”, which was highly publicized during the passage of the ACA, to address provider satisfaction. One recent evolution from that policy underpinning is the expansion of population health initiatives to address health inequities.
In recent years, CMS has elevated awareness of the health inequities as a way to address systemic health disparities found in underserviced communities with shared characteristics (e.g., disability or race). Drawing on a substantial body of evidence, CMS has linked health equity with those health disparities in underserved communities which are impacted by preventable health conditions more frequently or severely than individuals outside of those communities. Beginning in 2023, CMS offered health equity adjustments under the Medicare Shared Savings Program to encourage providers to serve and improve care for underserved populations or dually eligible beneficiaries.[5] Beginning in 2025, CMMI offered accountable care organizations (ACOs) participating in the ACO REACH Model a benchmark adjustment for health equity tied to socioeconomic data for specific regions.
Relatedly, CMS has increasingly been recognizing the importance of providing coverage for non-medical aspects of health care services to reduce health inequities. CMS has encouraged providers to address social determinants of health (SDOH) and the specific health-related social needs (HRSN) that impact individuals to promote better health outcomes. For example, from its outset, CMMI’s Enhancing Oncology Model actively incorporated SDOH by requiring participants to screen for HRSNs, report patient demographic data (e.g., race, ethnicity, language, gender identity), and develop plans to implement evidence-based strategies to address health equity gaps in assigned patient populations.
While Dr. Mehmet Oz, the current nominee to lead CMS, is a staunch advocate of Medicare Advantage, it is unclear how the new Trump Administration will view and react to these trends as it retakes the helm at CMS. However, we would expect CMS to consider the economic backdrop under which these trends evolved and the resulting data showing that total expenditures for the Medicare Program can be reduced without sacrificing coverage or quality. The payment models – whether the MSSP or CMMI-initiated APMs – are implemented by CMS under contractual arrangements with private insurers, ACOs and health care providers and frequently operate on calendar year periods. Accordingly, we anticipate meaningful changes will be delayed to 2026, giving stakeholders time to prepare.
[1] 2024 Annual Report, Boards of Trustees of the Federal Hospital Insurance and Federal Supplementary Medical Insurance Trust Funds (May 6, 2024) at https://www.cms.gov/oact/tr/2024 (also noting that the assets of the fund were $208.8 billion at the start of 2024, which was only expected to cover 50% of the anticipated spend in 2024, failing the trustee’s recommended minimum of 100%).
[2] Chiquita Brooks-LaSure and Daniel Tsai, A Strategic Vision for Medicaid and the Children’s Health Insurance Program (CHIP), Health Affairs (November 16, 2021) at https://www.healthaffairs.org/content/forefront/strategic-vision-medicaid-and-children-s-health-insurance-program-chip.
[3] Press Release: Medicare Shared Savings Program Continues to Deliver Meaningful Savings and High-Quality Health Care, Centers for Medicare & Medicaid Services (Oct. 29, 2024) at https://www.cms.gov/newsroom/press-releases/medicare-shared-savings-program-continues-deliver-meaningful-savings-and-high-quality-health-care (last accessed Feb. 8, 2025).
[4] 2024 Annual Report, Boards of Trustees of the Federal Hospital Insurance and Federal Supplementary Medical Insurance Trust Funds (May 6, 2024) at https://www.cms.gov/oact/tr/2024; Medicare Advantage 2020 Spotlight: First Look, Kaiser Family Foundation (October 2019) at https://files.kff.org/attachment/Data-Note-Medicare-Advantage-2020-Spotlight-First-Look.
[5] Press Release: Medicare Shared Savings Program Saves Medicare More Than $1.6 Billion in 2021 and Continues to Deliver High-quality Care, Health and Human Services (Aug. 30, 2022) at https://www.hhs.gov/about/news/2022/08/30/medicare-shared-savings-program-saves-medicare-more-than-1-6-billion-in-2021-and-continues-to-deliver-high-quality-care.html.
CAUGHT WITH THEIR HAND IN THE COOKIE JAR?: CNN’s Privacy Lawsuit is Served Fresh and the Court is Taking a Bite
Greetings CIPAWorld!
Well folks, it looks like CNN is about to get a course in the ABC’s of CIPA! If you’ve ever wondered what happens behind the scenes when you visit a news website, a recent court case might make you think twice before clicking on your next headline. A federal judge in New York just rejected CNN’s Motion to Dismiss a class action lawsuit, putting the media giant on the defensive in what’s shaping up to be a significant showdown over digital privacy rights. CNN might be in the business of breaking news, but now they’re possibly breaking privacy laws too—allegedly, of course. It sounds like they need Troutman Amin on the speed dial. The case can potentially expose how the invisible machinery of web tracking operates—and whether it violates California privacy law.
Remember our CIPA queen, Queenie, who first broke the news on this case back in January 2024? She predicted this wave of pen register litigation after the Greenley v. Kochava ruling opened the floodgates. Well, her crystal ball was spot-on once again!
What started as a lesser-known facet of CIPA has become the next major battleground in privacy litigation. For those keeping score at home, Queenie’s batting a thousand on predicting CIPA litigation trends—from chat box cases to web session recording and now these pen register claims. If I were a betting person, I’d put my money on whatever she predicts next.
For a refresher on Queenie’s original deep dive into this case and its significance, check out her blog post here: CNN BREAKING NEWS: CNN Targeted In Massive CIPA Case Involving A NEW Theory Under Section 638.51!
So let’s get into the update. Lesh v. CNN, Inc., No. 24 Civ. 03132 (VM), 2025 U.S. Dist. LEXIS 30743 (S.D.N.Y. Feb. 20, 2025), pits a seemingly routine website visit against a state privacy law initially designed for telephone surveillance. Plaintiff, an ordinary visitor to CNN.com, found herself the lead plaintiff in a lawsuit alleging that CNN secretly installed tracking software on her browser without consent. But this isn’t just about one person’s browsing habits—it’s about whether companies can legally monitor users in ways most people never realize.
Of course, we are dealing with a CIPA claim here. Specifically, Section 638.51 prohibits installing or using what’s called a “pen register” without a court order. For those new to CIPA litigation, let’s break it down. I think it’s important to first break down the basics for aspiring future lawyers in this space or just for your own general knowledge to brush up on.
Originally, pen registers were devices used to record telephone numbers dialed from a specific phone line without capturing the actual conversations. Think of those old spy movies where agents track which numbers a suspect is calling. However, Judge Victor Marrero didn’t let the outdated terminology limit his interpretation. He ruled that how CNN’s trackers collect and transmit user data might qualify as a modern equivalent of a pen register. In other words, what once applied to landlines may now apply to websites silently gathering data behind the scenes.
Next, let’s talk about what CNN’s website actually does when you visit it (at least allegedly, according to the court documents). When your browser sends a request to CNN’s server, the server doesn’t just send back news articles. It also allegedly sends instructions that result in the installation of trackers from third-party companies like PubMatic, Magnite, and Antiview. These trackers, developed by third-party software companies that sell technology to help businesses place advertisements on their websites, then collect users’ IP addresses—a unique identifier that reveals their approximate location—and store cookies on their browsers to recognize them on future visits. The Court noted that these trackers don’t just passively log visits—they actively gather and transmit data about users, allegedly without their explicit consent.
What’s particularly clever about Judge Marrero’s analysis is how he breathes new life into an old statute. He rejected CNN’s argument that CIPA only applies to telephones, reasoning that “the plain text of Section 638.50 clearly does not limit the application of pen registers to telephones.” Lesh, 2025 U.S. Dist. LEXIS 30743, at *11. He continued, “[T]he Court cannot ignore the expansive language in the California Legislature’s chosen definition [of pen register],” which is “specific as to the type of data [collected],” but “vague and inclusive as to the form of the collection tool.” Lesh, 2025 U.S. Dist. LEXIS 30743, at *11-12 (quoting Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023)).
In other words, the law wasn’t designed to protect telephones—it was designed to protect information. And if a website tracker is secretly capturing addressing information, the court says that’s fair game for regulation under CIPA. Judge Marrero’s reasoning builds on the framework established in Greenley, where another court applied CIPA to modern digital tracking tools, rejecting the idea that pen registers are limited to phone lines.
It is refreshing to see courts adapting old laws to new technologies rather than throwing up their hands and waiting for legislatures to catch up. Judge Marrero found that IP addresses qualify as “addressing information” under the statute, citing the Ninth Circuit’s observation that “IP addresses constitute addressing information and do not necessarily reveal any more about the underlying contents of the communication than do phone numbers.” In re Zynga Litig., 750 F.3d 1098, 1108 (9th Cir. 2014).
This decision aligns with a broader legal trend recognizing that digital tracking implicates privacy rights. In Carpenter v. United States, 585 U.S. 296, 138 (2018), the Supreme Court held that historical cell site data collection constitutes a search under the Fourth Amendment. Similarly, the Lesh ruling suggests that collecting and transmitting IP addresses without consent could be an unlawful invasion of privacy under CIPA.
CNN also attempted to argue that collecting an IP address does not violate privacy rights, citing Fourth Amendment case law. Specifically, CNN relied on cases like United States v. Ulbricht, 858 F.3d 71, 96 (2d Cir. 2017), which held that individuals do not have a reasonable expectation of privacy in their IP addresses under the Fourth Amendment. However, the Court swiftly rejected this argument, noting that CIPA imposes broader privacy protections than the constitutional floor set by the Fourth Amendment. As Judge Marrero explained, the fact that the Fourth Amendment does not recognize an expectation of privacy in IP addresses does not mean that California law cannot provide greater protections. The Court emphasized that CIPA ‘extends beyond constitutional constraints’ and is an independent statutory safeguard against unauthorized tracking. This means that even if the government could collect IP addresses without violating the Constitution, private companies might still run afoul of CIPA when doing the same thing.
What is more, CNN asserted that it was entitled to an exception in the law for situations where “the consent of the user of that service has been obtained.” But Judge Marrero wasn’t buying it, noting that it would be “illogical to allow CNN’s consent to the installation of Trackers to bar claims from users like Lesh who did not give their consent.” Lesh, 2025 U.S. Dist. LEXIS 30743, at *13. Clearly, CNN cannot simply consent to its data collection practices and then claim immunity from privacy violations.
The Court also analyzed whether CNN’s Terms of Use were enforceable under a clickwrap or browsewrap framework. CNN argued that Lesh had agreed to its Terms of Use, which supposedly disclosed the use of trackers. To prove it, they submitted screenshots from the Wayback Machine (an internet archive). But the Court refused to consider these screenshots, finding they weren’t properly authenticated. Even beyond the evidentiary issue, the Court found that CNN’s agreement wasn’t a traditional “clickwrap” contract—where users affirmatively click “I agree” before using the site. Instead, the Court characterized it as a “hybrid clickwrap-browsewrap” agreement, meaning users were presented with a pop-up but were not required to take affirmative action beyond dismissing it. Courts have repeatedly rejected these types of passive consent mechanisms when determining enforceability. See Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1176 (9th Cir. 2014) (rejecting website terms where “users were not required to affirmatively agree”).
What strikes me about this case is how it exposes the fiction of consent in our modern digital age. How many of us have actually read those terms of service pop-ups that appear when we visit websites? Be honest—when was the last time you did more than glance at one before clicking “X” to make it go away?
This decision joins other recent cases like Vishal Shah v. Fandom, Inc., No. 24-cv-01062-RFL, 2024 U.S. Dist. LEXIS 193032 (N.D. Cal. Oct. 21, 2024) and Mirmalek v. L.A. Times Commc’ns L.L.C., No. 24-cv-01797-CRB, 2024 U.S. Dist. LEXIS 227378 (N.D. Cal. Dec. 12, 2024), which have similarly found that website trackers collecting IP addresses may violate CIPA.
In both cases, Courts held that these tracking tools gather ‘addressing information’ and function similarly to pen registers, a key issue in Lesh. This interpretation of CIPA could force a significant shift in how websites operate, as it directly contradicts the assumption that IP tracking is legally harmless.
If this interpretation holds up, it could force a massive shift in how websites collect data. Nearly every major website uses similar tracking technologies to gather visitor information, often for advertising purposes. Are they all potentially violating California law? The implications of this case extend far beyond CNN—any website using third-party trackers may now face legal scrutiny.
For now, CNN must answer Lesh’s Complaint within 21 days of the Court’s order.
The internet has evolved faster than our laws, and companies may have exploited that gap. But if this case is any indication, the courts are finally starting to close it.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
Department of State Updates Interview Waiver Policy to Restrict the Categories of Qualifying Non-Immigrant Visa Applicants
Effective February 18, 2025, the Department of State has changed the categories of applicants that are eligible to waive the in-person non-immigrant visa interview appointment when applying for a non-immigrant visa stamp for travel to the United States. More applicants must now attend an in-person interview appointment.
Under the prior policy, U.S. Consulates were permitted to waive the in-person visa interview requirement for non-immigrant visa applicants that were previously issued any non-immigrant visa, provided the applicant was applying for a new non-immigrant visa within 48 months of the expiration date of the applicant’s previously issued non-immigrant visa. (However, this policy did not apply if the only visa ever issued to the applicant was a B visa).
The new policy gives U.S. Consulates authority to waive in-person non-immigrant visa interviews only for the following categories of visa applicants:
Applicants who previously held a visa in the same visa category, and this visa expired less than 12 months before the date of the new visa application;
Applicants for A-1, A-2, C-3 (except attendants, servants, or personal employees of accredited officials), G-1, G-2, G-3, G-4, NATO-1 through NATO-6, or TECRO E-1 visas;
Applicants for diplomatic- or official-type visas.
Applicants are eligible for an interview waiver only if they also:
Apply for a non-immigrant visa at a U.S. Consulate in the applicant’s country of nationality or residence;
Have never been refused a visa, unless such refusal was overcome or waived; and
Have no apparent or potential ineligibility.
As with the prior policy, the authority to waive an in-person non-immigrant visa interview is discretionary, and consular officers may still require in-person non-immigrant visa interviews for applicants who otherwise qualify for such a waiver.
This new policy presents unwelcome news and longer wait times for many visa applicants. The prior policy allowed waivers for applicants who were previously issued any type of visa (unless the previously issued visa was a B visa) and made available interview waivers to applicants whose previously held non-immigrant visa expired within the past 48 months.
Non-immigrant visa applicants should expect longer wait times when applying for non-immigrant visas at U.S. Consulates abroad and may experience a cancellation of an already existing drop-box appointment if the applicant does not meet the new policy’s interview waiver criteria. Employers and non-immigrant workers inside the United States should consider this new policy and plan accordingly if non-immigrant visa processing is required following any international travel, especially during the summer travel season.
For more information on these interview waiver policies, please visit the Department of State’s webpage at https://travel.state.gov/content/travel/en/News/visas-news/interview-waiver-update-feb-18-2025.html .
A Regulatory Haze of Uncertainty Continues as the Clock Ticks Toward Phase One of FDA’s LDT Final Rule
Clinical laboratories still face uncertainty and the difficult decision of whether to start the work needed to comply with the Phase 1 expectations under FDA’s Laboratory Developed Tests Final Rule (the “LDT Final Rule”), which remain set to go into effect on May 6, 2025.
To be sure, the shift in priorities of the new administration has kept the health care industry on its toes for the last few weeks, especially as the leadership and messaging of the Department of Health and Human Services (“HHS”) has started to come into sharper focus. The theme of ‘deregulation’, particularly when it comes to the activities of the Food and Drug Administration (“FDA”), has sparked interest and discussion among stakeholders in the life sciences industry – including clinical laboratories that are weighing how to approach the upcoming May 6 deadline for compliance.
We discussed the details of the LDT Final Rule in a previous Insight, explaining that as of the May 6, 2025 Phase 1 deadline FDA will expect all laboratories that manufacture LDTs to comply with medical device reporting (“MDR”) requirements, correction and removal reporting requirements, and quality system (“QS”) requirements regarding complaint files.
As is often the case with a major regulatory landscape change, the LDT Final Rule has been subject to scrutiny and legal challenges since its publication in May 2024. Perhaps the most watched of these is the ongoing litigation in which the American Clinical Laboratories Association (“ACLA”) and the Association for Molecular Pathology (“AMP”) have challenged the FDA’s authority to regulate LDTs by way of the LDT Final Rule. The presiding federal district court just heard arguments on the parties’ cross-motions for summary judgment, and noted a decision on those motions would be issued soon, likely before the Phase 1 deadline. The outcome will have significant implications for labs in the U.S.
In addition to the ongoing litigation, there is a growing possibility that FDA could be instructed, whether by Congress or by leadership at HHS, to retract the LDT Final Rule or delay the implementation of Phase 1. Of note, during the previous Trump administration there was resistance to FDA’s authority to regulate LDTs, in that HHS publicly required continued enforcement discretion for LDTs during the beginning of the COVID-19 pandemic. Now, with the touted theme of deregulation and public calls by trade associations like ACLA to mitigate the impact of the LDT Final Rule, there is a chance that HHS under the new Trump administration could take a similar approach. All of this is coupled with currently mounting pressure on all federal agencies to reduce spending and regulatory oversight, which may make it increasingly difficult for FDA to enforce the rule as originally written.
Nonetheless, unless there is a definitive ruling that the LDT Final Rule is retracted, or that its implementation is delayed, laboratories developing LDTs remain subject to the Final Rule’s Phase 1 requirements at this time. Arguably, even if the outcome results in removal, delay, or a change to the LDT Final Rule, the political cycle could flip again with reinvigorated efforts to bring more regulation around LDTs, whether through Congress or again through the rulemaking process.
EBG will continue to monitor these developments closely, as well as the forthcoming court ruling, and any potential administrative actions that could significantly reshape the regulatory landscape for LDTs.
Update of German Law Aspects of Crypto Assets
Our recently updated article considers how EU and German civil and regulatory law approach crypto assets with a particular focus on how those types of crypto assets are dealt with in an insolvency.
In this article we explore the different types of crypto assets, their legal nature, how crypto assets are dealt with in insolvency proceedings, and the recovery of such assets.