Antitrust Under Trump: Initial Policies and Actions
As the Trump administration’s approach to antitrust takes shape through political appointments, policy statements, speeches, and enforcement actions, our team is tracking new developments and will provide important updates on issues pertinent to clients. This client alert is not intended to be a comprehensive review of specific actions or cases, but rather an at-a-glance review of relevant policies as they are being created.
In Depth
NOMINATIONS AND CONFIRMATIONS
Appointment of Federal Trade Commission (FTC) Chairman
President Donald Trump appointed FTC Commissioner Andrew Ferguson as the new chairman of the FTC on January 20, 2025.
Ferguson views antitrust enforcement as a facilitator of innovation and believes that because markets are not self-correcting, government intervention on behalf of human flourishing and the protection of workers is necessary.
Despite his intention to “reverse” former Chair Lina Khan’s war on mergers and anti-business agenda, Ferguson has expressed concern with the market power of Big Tech and other large companies being leveraged to gain social or political control.
Confirmation Hearing for AAG Nominee Gail Slater
President Donald Trump nominated Gail Slater as the Assistant Attorney General (AAG) of the US Department of Justice’s (DOJ) Antitrust Division on December 4, 2024.
On February 12, 2025, Slater appeared before the Senate Judiciary Committee for her nomination hearing. The committee advanced her nomination on February 27 with a vote of 20-2.
Slater has expressed a desire to continue enforcement actions against Big Tech and to return to using merger remedies in the form of consent decrees and settlements to address competitive harm.
Confirmation Hearing for FTC Commissioner Nominee Mark Meador
President Trump appointed Mark Meador to the FTC on December 10, 2024.
On February 25, 2025, Meador appeared before the Senate Committee on Commerce, Science, and Transportation for his confirmation hearing.
He echoes Slater’s view that pursuit of Big Tech should remain a priority for the agencies, as should combatting noncompete agreements that overly burden workers and prevent employees from leaving to work for a competitor.
GENERAL UPDATES
Musk Supports Consolidating Antitrust Enforcement Agencies
Responding to a comment by Sen. Mike Lee (R-Utah), who expressed hope that the new administration would consider consolidating the FTC and DOJ, Elon Musk said, “Sounds logical,” appearing to agree with the idea.
Lee referenced the One Agency Act, a bill he proposed in 2021 that would strip the FTC of its antitrust authority and transfer it to the DOJ. When discussing the bill, Lee has compared the current two-agency system to having two presidents.
Agencies Keep 2023 Merger Guidelines
FTC Chairman Ferguson and Omeed Assefi, Acting Assistant Attorney General of the DOJ’s Antitrust Division, announced on February 18, 2025, that the FTC and DOJ will continue to use the 2023 Merger Guidelines as the framework for their merger review process.
Ferguson cited the time and expense associated with creating new guidelines, as well as his desire to create stability for the parties and the agencies, as the rationale for adhering to the 2023 Guidelines. He did note that “no Guidelines are perfect” and indicated portions could be revisited later.
Ferguson Supports New Hart-Scott-Rodino (HSR) Rules
FTC Chairman Ferguson expressed his support for the new HSR rules, stating that “updates were long overdue” and would “prevent unlawful deals from slipping through the cracks.”
He has previously stated his approval of the new rules, calling them a “lawful improvement over the status quo” in his concurring statement accompanying the rules’ announcement.
Holyoak Sets Out FTC Goals for New Administration
In remarks at the GCR Live conference on January 30, 2025, FTC Commissioner Melissa Holyoak outlined three areas of focus for antitrust under the Trump administration. She explained that the FTC will focus on (i) making the merger review process better and more predictable, (ii) ensuring that antitrust concerns will not impede artificial intelligence innovation, and (iii) fighting against Big Tech censorship.
In later remarks, Holyoak said that she expects the return of early termination, improving staff communication and transparency with the parties in the merger review process, bringing back remedies as a method of resolving merger issues – as well as continuing enforcement actions against Big Tech – and abandoning FTC rulemaking authority.
Meador Targets Anticompetitive Effects of Vertical Mergers
At his confirmation hearing on February 25, 2025, FTC Commissioner nominee Meador indicated that he would address the consumer welfare issues raised by vertical mergers. He noted that vertical integration can allow for increased prices, a reduction in quality, and market foreclosure. He went onto say that he would address these concerns where they arise.
FTC Will Continue to Fight Anticompetitive Behavior in Labor Markets
FTC Chairman Ferguson has emphasized a continuing priority of protecting workers using antitrust laws.
He cited no-poach, wage-fixing, and noncompete agreements, as well as deceptive or misleading hiring practices, as examples of conduct the FTC will fight against to combat labor monopsonies and general harm to workers.
The FTC will approach these issues based on individual cases, not rulemaking (like the Biden administration’s noncompete ban).
Agencies Indicate Return of Merger Remedies
Statements from FTC Commissioner Holyoak and AAG nominee Slater indicate that both the FTC and DOJ will become more open to evaluating merger remedies under the new administration.
Holyoak has stated that the agencies should consider remedies like divestitures when such remedies can successfully preserve competition lost by a merger. Similarly, Slater has stated that when merger remedies are “done right,” they can remove competitive harm from a merger.
FTC Issues Policy to Avoid Staff Participation in the American Bar Association (ABA) Antitrust Section Activities
In response to the ABA’s criticism of the new Trump administration’s recent actions, on February 14, 2025, FTC Chairman Ferguson prohibited FTC political appointees from holding leadership positions in the ABA, participating in or attending ABA events, and renewing ABA memberships.
Ferguson pointed to several historical examples of what he asserts have been ABA political partisanship and leftist advocacy to support his decision, as well as views on the ABA’s loyalty to the interests of Big Tech.
Ferguson Intends to Pursue Diversity, Equity, and Inclusion (DEI), Environmental, Social, and Governance (ESG) Collaborations as Section One Violations
In a document laying out his policy priorities created prior to his appointment to chairman, FTC Chairman Ferguson explained he intends the FTC to “investigate and prosecute collusion on DEI, ESG, advertiser boycotts, etc.,” suggesting the agency may focus its investigations on companies participating in industry groups or other collaborative ventures intended to address social issues or manage industry risks associated with environmental, labor, or diversity issues.
Uncertainty Prevails Over Future FTC Enforcement of the Robinson-Patman Act
FTC Commissioner nominee Meador has written favorably of federal enforcement of the Robinson-Patman Act, a statute prohibiting discriminatory pricing which was largely ignored until the last years of the Biden administration.
Meador suggested that the law should be enforced, particularly in the grocery and consumer packaged goods industries. Ferguson and Holyoak have written in recent FTC dissents that the FTC’s resources would be better served by enforcing the law in appropriate cases where the alleged price discrimination harms competition (e.g., involving actors with market power using price discrimination to monopolize).
Until Meador is confirmed, it is uncertain whether and how Robinson-Patman will be enforced.
FCC’s New Consent Revocation Rule Set to Take Effect in April 2025
The Federal Communications Commission (FCC) has a new rule under the TCPA for revocation of consent for robocalls and text messages set to go into effect on April 11, 2025. This rule is designed to give consumers greater control over their ability to withdraw consent for marketing communications. Businesses that use text messaging and robocalls to communicate with customers should be reviewing their policies to ensure readiness with the new requirements.
Key Provisions of the New Rule
The FCC’s regulation prevents businesses from requiring consumers to use a specific method to revoke consent. Instead, consumers must be able to withdraw consent using any reasonable means that clearly conveys their request to stop receiving further calls or messages.
To provide clarity, the FCC has identified several standardized keywords — including “stop,” “quit,” “revoke,” “opt out,” “cancel,” “unsubscribe,” and “end” — that must be honored as explicit revocation requests. Additionally, the regulation establishes that opt-out requests submitted via automated or interactive voice response systems are presumed valid unless proven otherwise.
Burden of Proof on Businesses
When a consumer uses a method outside of those listed in the order to revoke consent, a rebuttable presumption is created that the consumer’s request is valid unless the sender can demonstrate otherwise. If a business’s texting system does not support reply messages, it must clearly disclose this limitation in each message and offer an alternative, reasonable method for revocation.
Shortened Compliance Timeframe
Previously, companies had more flexibility in processing opt-out requests, but the new rule mandates compliance within 10 business days of receiving a revocation request. Additionally, the rule expands the definition of consent revocation, specifying that withdrawing consent for one type of robocall or text message applies to all robocalls and texts from that sender.
Confirmatory Opt-Out Texts Allowed
One aspect of the rule has already gone into effect: Businesses may send a single confirmation text acknowledging the consumer’s opt-out request, provided that it contains no promotional content and is sent within five minutes of the revocation request. In cases where consumers have signed up for multiple types of messages, businesses may ask for clarification about which messages they wish to discontinue. However, if the consumer does not respond, the request must be interpreted as revoking consent for all robocalls and texts from that sender.
What Businesses Need to Know
At the moment, there are no legal challenges to this forthcoming FCC rule. Organizations — especially those engaged in business-to-business (B2B) outreach — should start preparing for compliance with these upcoming changes. The 10-day compliance window and the broad scope of revocation requests mean that companies may need to adjust existing consent management practices to remain in compliance with TCPA regulations.
With the new rule set to take effect soon, businesses should review their opt-out procedures, update their compliance policies, and ensure their customer communication platforms can accommodate these regulatory changes to avoid potential penalties.
EPA Reopens Comment Period on Proposed Risk Management Rule for PV29
On March 4, 2025, the U.S. Environmental Protection Agency (EPA) announced that it is reopening the comment period for the January 2025 proposed rule to address the unreasonable risk of injury to human health presented by Color Index (C.I.) Pigment Violet 29 (PV29) under its conditions of use (COU) as documented in EPA’s January 2021 risk evaluation and September 2022 revised risk determination. 90 Fed. Reg. 11142. Comments are due April 29, 2025.
As reported in our January 27, 2025, memorandum, EPA proposes, under Section 6(a) of the Toxic Substances Control Act (TSCA), to:
Require use of assigned protection factor (APF) 50 respirators and equipment and area cleaning to address the risk from inhalation exposure to dry powder PV29 (also referred to as regulated PV29), where dry powder PV29 is expected to be present, for the following COUs:
Domestic manufacture;
Import;
Incorporation into formulation, mixture, or reaction products in paints and coatings;
Incorporation into formulation, mixture, or reaction products in plastic and rubber products;
Intermediate in the creation or adjustment of color of other perylene pigments;
Recycling;
Industrial and commercial use in automobile (original equipment manufacturer (OEM) and refinishing) paints and coatings;
Industrial and commercial use in coatings and basecoats paints and coatings;
Industrial and commercial use in merchant ink for commercial printing; and
Disposal.
Require manufacturers (including importers), processors, and distributors in commerce of regulated PV29 to provide downstream notification of the requirements.
Require recordkeeping.
Tougher Immigration Enforcement at the State Level: Tennessee Law Supplements the New Trump Administration’s Immigration Enforcement Policies
While much attention has been given to the Trump Administration’s early federal policy objectives to increase immigration enforcement, clients should also be aware of similar increased enforcement policies at the state level.
Last month, Tennessee Governor Bill Lee signed into law a bill passed by the state legislature during a recent special legislative session. The new Tennessee law attempts to strengthen immigration enforcement in Tennessee with the following measures:
Creates a Centralized Immigration Enforcement Division at the state level, to be led by a Chief Immigration Enforcement Officer (“CIEO”) appointed by the Governor. The CIEO will coordinate directly with the Trump Administration on federal immigration policies and implementation.
Establishes a new driver’s license that distinguishes U.S. citizens from legal permanent residents.
As Tennessee law already prohibits sanctuary cities, the law now makes it a felony for local officials to adopt or maintain sanctuary city policies.
Through provision of grants, encourages local governments to participate in enforcing federal immigration policies by entering into agreements with federal authorities. The grants may be used for training, operational expenses, investment in law enforcement equipment to be used for enforcement of immigration laws or other activities and programs deemed appropriate by the CIEO. The law also establishes penalties for local officials who do not comply with enforcement mandates.
It is expected that the constitutionality of the new law will be quickly challenged. Consequently, Epstein Becker Green will continue to monitor these developments and provide updates should this happen. The new law took effect February 2025 so clients should be prepared for the implementation of these new measures in the coming weeks. It is also expected that other states may follow suit with similar enforcement measures.
Revised HSR Thresholds Now in Effect
Each year, the minimum jurisdictional thresholds associated with the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (HSR) are adjusted by the Federal Trade Commission (FTC). The 2025 adjustments went into effect on February 21, 2025.
The size-of-transaction threshold increased to $126.4 million, which is up from $119.5 million in 2024. Any transaction valued at $126.4 million or above is reportable if the size-of-party thresholds are met. Those size-of-party thresholds increased to $25.3 million (from $23.9 million) and $252.9 million (from $239 million). Finally, in 2025, any transaction that is valued at more than $505.8 million will be reportable regardless of the size of the parties.
In addition to the increases in the HSR reporting thresholds described above, the FTC adjusted its tier-based HSR filing fee structure. The lowest filing fee remains $30,000 and applies to all transactions valued at less than $179.4 million. The filing fees associated with the remaining five tiers increased, now ranging from $105,000 (applicable to transactions valued at $179.4 million but less than $555.5 million) to $2,390,000 (applicable to transactions valued at $5.555 billion or more).
TIME OUT!: NFL Team Tampa Bay Buccaneers Hit With Latest in A Series of Time Restriction TCPA Class Action
So TCPAWorld has been reporting on the clear trend of TCPA class action suits against companies (primarily retailers) that deploy text clubs and particularly those arising out of timing limitations in the TCPA and state statutes.
Well, the NFL’s Tampa Bay Buccaneers are the latest to fall victim to this trend with a new TCPA class action filed in Florida against the team’s ownership today.
Plaintiff Andrew Leech claims he was texted by the Buccaneers at 9:24 pm his time– he claims to live in Palm Beach County, Florida so not sure what happened there.
Plaintiff seeks to represent a class consisting of:
All persons in the United States who from four years prior to thefiling of this action through the date of class certification (1)Defendant, or anyone on Defendant’s behalf, (2) placed more thanone marketing text message within any 12-month period; (3) wheresuch marketing text messages were initiated before the hour of 8a.m. or after 9 p.m. (local time at the called party’s location)
Notably the Plaintiff does not say whether he agreed to be texted by the Buccaneers to begin with. As I have previously reported the TCPA’s timing regulations likely do NOT apply to consented calls, but there is very little case law on the issue.
The case is brought by the Law Offices of Jibrael S. Hindi– the same firm behind a number of similar timing cases. (He is apparently a Dolphins fan…)
Again until this trend abates companies deploying SMS need to be EXTREMELY cautious to assure timing limitations are complied with!
The BR Privacy & Security Download: March 2025
STATE & LOCAL LAWS & REGULATIONS
Virginia Legislature Passes Bill Regulating High-risk AI: The Virginia legislature passed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). Using a similar approach to the Colorado AI Act passed in 2023 and California’s proposed regulations for automated decision-making technology, the Act defines “high-risk AI systems” as AI systems that make consequential decisions, which are decisions that have material legal or similarly significant effects on a consumer’s ability to obtain things such as housing, healthcare services, financial services, access to employment, and education. The Act would require developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would be required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The bill is currently with Virginia Governor Glenn Youngkin, and it is unclear if he will sign it.
Connecticut Introduces AI Bill: After an effort to pass AI legislation stalled last year in the Connecticut House of Representatives, another AI bill was introduced in the Connecticut Senate in February. SB-2 would establish regulations for the development, integration, and deployment of high-risk AI systems designed to prevent algorithmic discrimination and promote transparency and accountability. SB-2 would specifically regulate high-risk AI systems, defined as AI systems making consequential decisions affecting areas like employment, education, and healthcare. The bill includes similar requirements as the Connecticut AI bill considered in 2024 and would require developers to use reasonable care to prevent algorithmic discrimination and provide documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of high-risk AI systems would be required to implement risk management policies, conduct impact assessments before deployment of high-risk AI systems, disclose AI system use to consumers, and provide opportunities for appeal and correction.
New York Governor Signs Several Privacy Bills: New York Governor Kathy Hochul signed a series of bills expanding compliance obligations for social media platforms, debt collectors who use social media platforms, and dating applications. Senate Bill 895B—effective 180 days after becoming law—requires social media platforms operating in New York to post terms of service explaining how users may flag content they believe violates the platform’s terms. Senate Bill 5703B—effective immediately—prohibits the use of social media platforms for debt collection purposes. Senate Bill 2376B—effective 90 days after becoming law—expands the scope of New York’s identity theft protection law by including in its scope the theft of medical and health insurance information. Finally, Senate Bill 1759B—effective 60 days after becoming law—requires online dating services to notify individuals who were contacted by members who were banned for using a false identity, providing them with specific information to help users prevent being defrauded. Importantly, the New York Health Information Privacy Act, which would significantly expand the obligations of businesses that may collect broadly defined “health information” through their websites, has not yet been signed.
California Reintroduces Bill Requiring Browser-Based Opt-Out Preference Signals: For the second year in a row, the California Legislature has introduced a bill requiring browsers and mobile operating systems to provide a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser or mobile operating system. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with the ability to opt out of the sale or sharing of their personal data, including through an opt-out preference signal. AB 566 would amend the CCPA to ensure that consumers have the ability to do so. AB 566 requires the opt-out preference signal setting to be easy for a reasonable person to locate and configure. The bill further gives the California Privacy Protection Agency (“CPPA”), the agency charged with enforcing the CCPA, the authority to adopt regulations to implement and administer the bill. The CPPA has sponsored AB 566.
Virginia Senate Passes Amendments to Virginia Consumer Protection Act: Virginia’s Senate Bill 1023 (“SB 1023”) amends the Virginia Consumer Data Protection Act by banning the sale of precise geolocation data. The bill defines precise location data as anything that can locate a person within 1,750 feet. Introduced by Democratic State Senator Russet Perry, the bill has garnered bipartisan support in the Virginia Senate, passing with a 35-5 vote on February 4, 2025. Perry stated that the type of data the bill intends to ban has been used to target people in domestic violence and stalking cases, as well as for scams.
Task Force Publishes Recommendations for Improvement of Colorado AI Act: The Colorado Artificial Intelligence Impact Task Force published its Report of Recommendations for Improvement of the Colorado AI Act. The Act, which was signed into law in May 2024, has faced significant pushback from a broad range of interest groups regarding ambiguity in its definitions, scope, and obligations. The Report is designed to help lawmakers identify and implement amendments to the Act prior to its February 1, 2026, effective date. The Report does not provide substantive recommendations regarding content but instead categorizes topics of potential changes based on how likely they are to receive consensus. The report identified four topics in which consensus “appears achievable with additional time,” four topics where “achieving consensus likely depends on whether and how to implement changes to multiple interconnected sections,” and seven topics facing “firm disagreement on approach where creativity will be needed.” These topics range from key definitions under the Act to the scope of its application and exemptions.
AI Legislation on Kids Privacy and Bias Introduced in California: California Assembly Member Bauer-Kahan introduced yet another California bill targeting Artificial Intelligence (“AI”). The Leading Ethical AI Development for Kids Act (“LEAD Act”) would establish the LEAD for Kids Standards Board in the Government Operations Agency. The Board would then be required to adopt regulations governing—among other things—the criteria for conducting risk assessments for “covered products.” Covered products include an artificial intelligence system that is intended to, or highly likely to, be used by children. The Act would also require covered developers to conduct and submit risk assessments to the board. Finally, the Act would authorize a private right of action for parents and guardians of children to recover actual damages resulting from breaches of the law.
FEDERAL LAWS & REGULATIONS
House Committee Working Group Organized to Discuss Federal Privacy Law: Congressman Brett Guthrie, Chairman of the House Committee on Energy and Commerce (the “Committee”), and Congressman John Joyce, M.D., Vice Chairman of the Committee, announced the establishment of a working group to explore comprehensive data privacy legislation. The working group is made up entirely of Republican members and is the first action in this new Congressional session on comprehensive data privacy legislation.
Kids Off Social Media Act Advances to Senate Floor: The Senate Commerce Committee advanced the Kids Off Social Media Act. The Act would prohibit social media platforms from allowing children under 13 to create accounts, prohibit platforms from algorithmically recommending content to teens under 17, and require schools to limit social media use on their networks as a condition of receiving certain funding. The Act is facing significant pushback from digital rights groups, including the Electronic Frontier Foundation and the American Civil Liberties Union, which claim that the Act would violate the First Amendment.
Business Groups Oppose Proposed Updates to HIPAA Security Rule: As previously reported, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). See Blank Rome’s Client Alert on the proposed rule. A coalition of business groups, including the College of Healthcare Information Management Executives, America’s Essential Hospitals, American Health Care Association, Association of American Medical Colleges, Federation of American Hospitals, Health Innovation Alliance, Medical Group Management Association and National Center for Assisted Living, have written to President Trump and HHS Secretary Robert F. Kennedy, Jr. opposing the proposed rule. The business groups argue that the proposed rule imposes great financial burdens on the healthcare sector, including on rural hospitals, which would divert attention and funds away from other critical areas. The business groups also argue that the proposed rule contradicts Public Law 116-321, which explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the HIPAA Security Rule, by not addressing or incorporating this legal requirement.
National Artificial Intelligence Advisory Committee Adopts List of 10 AI Priorities: The National Artificial Intelligence Advisory Committee (“NAIC”), which was established under the 2020 National Artificial Intelligence Initiative Act, approved a draft report for the Trump administration with 10 recommendations to address AI policy issues. The recommendations cover AI issues in employment, AI awareness and literacy, and AI in education, science, health, government, and law enforcement, as well as recommendations for empowering small businesses and AI governance and supporting AI innovation in a way that would benefit Americans.
CFPB Acting Director Instructs Agency Staff to Stop Work: Consumer Financial Protection Bureau (“CFPB”) Acting Director Russel Vought instructed agency staff to “stand down” and refrain from doing any work. The communication to CFPB employees followed an instruction to suspend regulatory activities and halt CFPB rulemaking. Vought also suspended CFPB’s supervision and examination activities. This freeze would impact the CFPB’s rule on its oversight of digital payment apps as well as the CFPB’s privacy rule that created a right of data portability for customers of financial institutions.
U.S. LITIGATION
First Washington My Health My Data Lawsuit Filed: Amazon is facing a class action lawsuit alleging violations of Washington’s My Health My Data Act (“MHMDA”), along with federal wiretap laws and state privacy laws. The suit is the first one brought under MHMDA’s private right of action and centers on Amazon’s software development kit (“SDK”) embedded in third-party mobile apps. The plaintiff’s complaint alleges Amazon collected location data of users without their consent for targeted advertising. The complaint also alleges that the SDK collected time-stamped location data, mobile advertising IDs, and other information that could reveal sensitive health details. According to the lawsuit, this data could expose insights into a user’s health status, such as visits to healthcare facilities or health behaviors, without users knowing Amazon was also obtaining and monetizing this data. The lawsuit seeks injunctive relief, damages, and disgorgement of profits related to the alleged unlawful behavior. The outcome could clarify how broadly courts interpret “consumer health data” under the MHMDA.
NetChoice Files Lawsuit to Challenge Maryland Age-Appropriate Design Act: NetChoice—a tech industry group—filed a complaint in federal court in Maryland challenging the Maryland Age-Appropriate Design Code Act as violating the First Amendment. The Act was signed into law in May and became effective in October 2024. It requires online services that are likely to be accessed by children under the age of 18 to provide enhanced safeguards for, and limit the collection of data from, minors. In its Complaint, NetChoice alleges that the Act will not meaningfully improve online safety and will burden online platforms with the “impossible choice” of either proactively censoring categories of constitutionally protected speech or implementing privacy-invasive age verification systems that create serious cybersecurity risks. NetChoice has been active in challenging similar Acts across the country, including in California, where it has successfully delayed the implementation of the eponymous California Age-Appropriate Design Code Act.
Kochava Settles Privacy Class Action; Unable to Dismiss FTC Lawsuit: Kochava Inc. (“Kochava”), a mobile app analytics provider and data broker, has settled the class action lawsuits alleging Kochava collected and sold precise geolocation data of consumers that originated from mobile applications. The settlement requires Kochava to pay damages of up to $17,500 for the lead plaintiffs and attorneys’ fees of up to $1.5 million. Among other changes to its privacy practices Kochava must make, the settlement requires Kochava to implement a feature aimed at blocking the sharing or use of raw location data associated with health care facilities, schools, jails, and other sensitive venues. Relatedly, U.S. District Judge B. Lynn Winmill of the District of Idaho denied Kochava’s motion to dismiss the lawsuit brought by the Federal Trade Commission (“FTC”) for Kochava’s alleged violations of Section 5 of the FTC Act. The FTC alleges that Kochava’s data practices are unfair and deceptive under Section 5 of the FTC Act, as it sells the sensitive personal information collected through its Mobile Advertising ID system (“MAIDs”) to its customers, providing customers a “360-degree perspective” on consumers’ behavior through subscriptions to its data feeds, without the consumer’s knowledge or consent. In the order denying Kochava’s motion to dismiss, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the “FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.”
Texas District Court Blocks Enforcement of Texas SCOPE Act: The U.S. District Court for the Western District of Texas (“Texas District Court”) granted a preliminary injunction blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act (“SCOPE Act”). The SCOPE Act requires digital service providers to protect children under 18 from harmful content and data collection practices. In Students Engaged in Advancing Texas v. Paxton, plaintiffs sued the Texas Attorney General to block enforcement of the SCOPE Act, arguing the law is an unconstitutional restriction of free speech. The Texas District Court ruled that the SCOPE Act is a content-based statute subject to strict scrutiny, and that with respect to certain of the SCOPE Act’s monitoring-and-filtering, targeted advertising and content monitoring and age-verification requirements, the law’s restrictions on speech failed strict scrutiny and should be facially invalidated. Accordingly, the Texas District Court issued a preliminary injunction halting the enforcement of such provisions. The remaining provisions of the law remain in effect.
California Attorney General Agrees to Narrowing of Its Social Media Law: The California Attorney General has agreed to not enforce certain parts of AB 587, now codified in the Business & Professions Code, sections 22675-22681, which set forth content moderation requirements for social media platforms (the “Social Media Law”). X Corp. (“X”) filed suit against the California Attorney General, alleging that the Social Media Law was unconstitutional, censoring speech based on what the state sees as objectionable. While the U.S. District Court for the Eastern District of California (“California District Court”) initially denied X’s request for a preliminary injunction to block the California Attorney General from enforcing the Social Media Law, the Ninth Circuit overturned that decision, holding that certain provisions of the law regarding extreme content failed the strict-scrutiny test for content-based restrictions on speech, violating the First Amendment. X and the California Attorney General have asked the California District Court to enter a final judgment based on the Ninth Circuit decision. The California Attorney General has also agreed to pay $345,576 in attorney fees and costs.
U.S. ENFORCEMENT
Arkansas Attorney General Sues Automaker over Data Privacy Practices: Arkansas Attorney General Tim Griffin announced that his office filed a lawsuit against General Motors (“GM”) and its subsidiary OnStar for allegedly deceiving Arkansans and selling data collected through OnStar from more than 100,000 Arkansas drivers’ vehicles to third parties, who then sold the data to insurance companies that used the data to deny insurance coverage and increase rates. The lawsuit alleges that GM advertised OnStar as offering the benefits of better driving, safety, and operability of its vehicles, but violated the Arkansas Deceptive Trade Practices Act by misleading consumers about how driving data was used. The lawsuit was filed in the Circuit Court of Phillips County, Arkansas.
Healthcare Companies Settle FCA Claims over Cybersecurity Requirements: Health Net and its parent company, Centene Corp. (collectively, “Health Net”), have settled with the United States Department of Justice (“DOJ”) for allegations that Health Net falsely certified compliance with cybersecurity requirements under a U.S. Department of Defense contract. Health Net had contracted with the Defense Health Agency of the U.S. Department of Defense (“DHA”) to provide managed healthcare support services for DHA’s TRICARE health benefits program. The DOJ alleged that Health Net failed to comply with its contractual obligations to implement and maintain certain federal cybersecurity and privacy controls. The DOJ alleged that Health Net violated the False Claims Act by falsely stating its compliance in related annual certifications to the DHA. The DOJ further alleged that Health Net ignored reports from internal and third-party auditors about cybersecurity risks on its systems and networks. Under the settlement, Health Net must pay the DOJ and DHA $11.25 million.
Eyewear Provider Fined $1.5M for HIPAA Violations: The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) imposed a $1,500,000 civil money penalty against Warby Parker for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The penalty resulted from a cyberattack involving unauthorized access to customer accounts, affecting nearly 200,000 individuals. An OCR investigation resulted from a 2018 security incident. Between September 25, 2018, and November 30, 2018, third parties accessed customer accounts using usernames and passwords obtained from breaches of other websites, a method known as “credential stuffing.” The compromised data included names, addresses, email addresses, payment card information, and eyewear prescriptions. OCR found that Warby Parker failed to conduct an accurate risk analysis, implement sufficient security measures, and regularly review information system activity.
CPPA Finalizes Sixth Data Broker Registration Enforcement Action: The California Privacy Protection Agency announced that it is seeking a $46,000 penalty against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker, for allegedly failing to register and pay an annual fee as required by the California Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. This action comes following a 2024 data breach in which National Public Data reportedly exposed 2.9 billion records, including names and Social Security Numbers. This is the sixth action taken by the CPPA against data brokers, with the first five actions resulting in settlements.
INTERNATIONAL LAWS & REGULATIONS
First EU AI Act Provisions Become Effective; Guidelines on Prohibited AI Adopted: The first EU AI Act (the “Act”) provisions to become effective came into force on February 2, 2025. The Act’s provisions prohibiting certain types of AI systems deemed to pose an unacceptable risk and rules on AI literacy are now applicable in the EU. Prohibited AI systems are those that present unacceptable risks to the fundamental rights and freedoms of individuals and include social scoring for public and private purposes, exploitation of vulnerable individuals with subliminal techniques, biometric categorization of natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation, and emotion recognition in the workplace and education institutions, unless for medical or safety reasons, among other uses. The new AI literacy obligations will require organizations to put in place robust AI training programs to ensure a sufficient level of AI literacy for their staff and other persons working with AI systems. Certain obligations related to general-purpose AI models will become effective August 2, 2025. Most other obligations under the Act will become effective August 2, 2026.
UK Introduces AI Cyber Code of Practice: The UK government has introduced a voluntary Code of Practice to address cybersecurity risks in AI systems, with the aim of establishing a global standard via the European Telecommunications Standards Institute (“ETSI”). This code is deemed necessary due to the unique security risks associated with AI, such as data poisoning and prompt injection. It offers baseline security requirements for stakeholders in the AI supply chain, emphasizing secure design, development, deployment, maintenance, and end-of-life. The Code of Practice is intended as an addendum to the Software Code of Practice. It provides guidelines for developers, system operators, data custodians, end-users, and affected entities involved in AI systems. Principles within the code include raising awareness of AI security threats, designing AI systems for security, evaluating and managing risks, and enabling human responsibility for AI systems. The code also emphasizes the importance of documenting data, models, and prompts, as well as conducting appropriate testing and evaluation.
CJEU Issues Opinion on Pseudonymized Data: The Court of Justice of the European Union (“CJEU”) issued a decision in a case involving an appeal by the European Data Protection Supervisor (“EDPS”) against a General Court decision that annulled the EDPS’s decision regarding the processing of personal data by the Single Resolution Board (“SRB”) during the resolution of Banco Popular Español SA during insolvency proceedings. The case reviewed whether data transmitted by the SRB to Deloitte constituted personal data. Personal data consisted of comments from parties interested in the proceedings that had been pseudonymized by assigning a random alphanumeric code, as well as aggregated and filtered, so that individual comments could not be distinguished within specific commentary themes. Deloitte did not have access to the codes or the original database. The court held that the data was personal data in the hands of the SRB. However, the court ruled that the EDPS was incorrect in determining that the pseudonymized data was personal data to Deloitte without analyzing whether it was reasonably possible that Deloitte could identify individuals from the data. As a takeaway, the CJEU left open the possibility that pseudonymized data could be organized and protected in such a way as to remove any reasonable possibility of re-identification with respect to a particular party, resulting in the data not constituting personal data under the GDPR.
European Commission Withdraws AI Liability Directive from Consideration; European Parliament Committee Votes to Press On: The European Commission announced it plans to withdraw the proposed EU AI Liability Directive, a draft legislation for addressing harms caused by artificial intelligence. The decision was announced in the Commission’s 2025 Work Program stating that there is no foreseeable agreement on the legislation. However, the proposed legislation has not yet been officially withdrawn. Despite the announcement, members of the European Parliament on the body’s Internal Market and Consumer Protection Committee voted to keep working on liability rules for artificial intelligence products. It remains to be seen whether the European Parliament and the EU Council can make continued progress in negotiating the proposal in the coming year.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.
Blocked DOL Overtime Rule Set for Review in the Fifth Circuit (US)
On February 28, 2025, the US Department of Labor (DOL) appealed a December 2024 Texas federal trial court’s decision that blocked a Biden-era overtime rule promulgated by the DOL. This is the DOL’s second appeal following an appeal in November by the then Biden-led DOL of another Texas district court’s ruling that similarly vacated and set aside the overtime rule nationwide. Both cases were appealed to the Fifth Circuit Court of Appeals.
The DOL’s revised overtime rule went into effect in July 2024 and expanded overtime eligibility for employees by raising the salary threshold required for an employee to qualify for an overtime exemption under the Fair Labor Standards Act (FLSA). To be exempt from overtime requirements under the FLSA (time-and-one-half the regular rate of pay for hours worked in excess of 40 hours in a work week), employees must primarily perform certain job duties, be paid on a salary, not hourly, basis, and earn at least a minimum threshold salary.
Under the DOL’s 2024 rule, the annual salary threshold initially increased from $35,568 to $43,888 on July 1, 2024, and was set to increase again on January 1, 2025 to $58,656 prior to the decision by the US District Court for the Eastern District of Texas to vacate the rule in November. The rule also provided for a mechanism to increase the threshold level every three years, beginning on July 1, 2027. In November, District Court Judge Sean D. Jordan granted summary judgment, thereby blocking the rule nationwide, stating that the DOL’s “changes to the minimum salary level in the 2024 Rule exceed its statutory jurisdiction.” By setting the minimum salary threshold so high, Judge Jordan wrote, the 2024 rule “effectively eliminates” the other considerations required under the FLSA, like job duties, “in favor of what amounts to a salary-only test.”
The decision by the Trump Administration to appeal the most recent District Court decision came as a surprise to some, as it is believed by many that the Trump Administration will look to review the 2024 overtime rule and possibly get rid of it all together. However, the decision by the Trump Administration to appeal allows the DOL to defend its longstanding practice to set a salary threshold for overtime eligibility, although it appears likely the Trump DOL would set the threshold minimum much lower—closer to the $35,500 threshold minimum set by the DOL during the first Trump Administration.
We expect and will continue to monitor changes to the overtime rule as it moves through the courts under the new Trump Administration.
Supreme Court Says EPA Has No Authority to Impose “End-Result” Requirements in Clean Water Act Permits
On Tuesday, March 4, 2025, the Supreme Court issued an opinion in City and County of San Francisco, California v. Environmental Protection Agency, U.S. No. 23-753 in which the City and County of San Francisco (San Francisco) challenged certain provisions in the Clean Water Act (CWA) National Pollution Discharge Elimination System (NPDES) permit for its Oceanside wastewater treatment plant (WWTP) that conditioned compliance on whether the receiving water body met certain water quality standards. Among other requirements and restrictions, the NPDES permit at issue prohibited the WWTP from 1) making any discharge that “contribute[s] to a violation of any applicable water quality standard,” and 2) performing any treatment or making any discharge that “create[s] pollution, contamination, or nuisance as defined by California Water Code section 13050.”
According to San Francisco, these permit requirements created significant uncertainty for the compliance status of its Oceanside WWTP by holding petitioner responsible for a condition it could not directly control—the quality of the oceanwater into which the WWTP discharges. The EPA, on the other hand, argued that it needs the authority to impose these “end-result” permit requirements when the regulated entity does not provide the agency with adequate information to craft more specific requirements that will be adequately protective of receiving water quality.
Justice Samuel Alito delivered the opinion of the Court, which held in a 5-4 opinion that the CWA provisions authorizing the EPA to impose “effluent limitations” (33 U.S.C. § 1311) in NPDES permits do not authorize such “end-result” requirements that “condition [permittees’] compliance on whether receiving waters meet applicable water quality standards.” In other words, the EPA cannot impose requirements that “simply tell[] a permittee that a particular end result must be achieved and that it is up to the permittee to figure out what it should do.” Justice Amy Coney Barrett, joined by three justices (Sotomayor, Kagan and Jackson), argued in dissent that there is nothing in the “straightforward statutory language” of the CWA that distinguishes “end-result” permit requirements from other requirements the majority found to be acceptable.
A driving concern for the majority was the potential hole that “end-result” requirements could create in CWA Section 1342(k), which deems a permittee to be in compliance with the CWA if it is in compliance with its permit. This “permit shield” provision offers certain legal assurances to permittees that would otherwise be exposed to harsh civil and even criminal penalties for violations of the CWA that are ultimately outside of their control. The Court found that “end-result” permit requirements, by “making the permittee responsible for any drop in water quality below the acceptable standard,” would potentially swallow the protections offered by Section 1342(k) and result in significant civil and criminal exposure for permittees, even when they comply with all the other terms of their permits.
A second key issue for the Court was the lack of any mechanism in the CWA for apportioning liability where multiple permittees, each with “end-result” permit requirements, discharge into the same water body. In such a case, the EPA would have to “unscramble the polluted eggs after the fact” to determine which permittee was liable. According to the Court, it was exactly this backwards-looking convoluted enforcement scheme that Congress sought to abandon when it amended the Water Pollution Control Act in 1972 to create the modern Clean Water Act.
Notably, the Court upheld “narrative” permit terms, such as requirements to implement best management practices without specifying the exact practices to implement in every given situation. In doing so, the Court rejected San Francisco’s argument that “all limitations” imposed under CWA Section 1311 must qualify as “effluent limitations” and upheld conditions that “do not directly restrict the quantities, rates, or concentration” of pollutants that a permittee may discharge.
The Court’s holding impacts NPDES permits throughout California and across the country. “End-result” permit requirements in the form of receiving water limitations are commonly found in general NPDES permits, including California’s Construction General Permit and Industrial General Permit, as well as site-specific NPDES permits. The Court’s holding also may impact pending regulatory and citizen-suit enforcement actions, at least to the extent such actions are based on “end-result” permit requirements similar to the ones rejected by the Supreme Court.
While FTC Non-Compete Appeals Linger, Ohio Poses Ban on Non-Competes, Forum Selection, and Other Restrictive Covenants
The Federal Trade Commission (FTC) implemented its 2024 rule banning non-compete agreements on April 23, 2024. The rule gained some life at first as a U.S. District Court in Pennsylvania ruled in its favor and denied a request to implement a permanent injunction. Since then, however, employers have won multiple arguments supporting the enforcement of non-compete agreements in front of the National Labor Relations Board and U.S. District Courts in Texas and Florida. The rule was vacated by a permanent injunction from the court in Texas on Aug. 20, 2024.
While the FTC rule goes through the appeals process, non-compete agreements remain a state law issue. To date, 33 states have implemented restrictions requiring the agreements to be reasonable in relation to the time, scope, and geographical area of the restriction. In January 2025, New York’s legislature reintroduced a bill that would make it the 34th state to restrict non-compete agreements.
Ohio introduced a bill in February 2025 that would make it the fifth state to ban non-compete agreements. Currently, California, Oklahoma, Minnesota, and North Dakota have outright bans on non-compete agreements. That said, Ohio’s proposed legislation would go beyond non-compete agreements for all employees, volunteers, and independent contractors.
Specifically, the Ohio law would prohibit any agreement that contains a forum selection clause requiring an Ohio employee to litigate a claim outside the state. The potential law would also prohibit an “agreement that imposes a fee or cost” on an employee “for terminating the work relationship” for various scenarios. Further, it would prohibit any agreement requiring “a worker who terminates the work relationship to reimburse the employer for an expense incurred” during the relationship for “training, orientation, evaluation, or other service intended to provide the worker with skills to perform the work or to improve performance.” Finally, the law would give courts the option to award punitive damages when an employer violates the law.
While state law determines whether agreements with restrictive covenants are enforceable, the laws are constantly changing. Based on this, employers should consider reviewing agreements with counsel to ensure they comply with various state laws.
OFCCP Proposes Plan to Satisfy Workforce Reduction Mandate
On February 25, 2025, Acting Director Michael Schloss of the Office of Federal Contract Compliance Programs (OFCCP) issued a memorandum addressing the OFCCP’s proposed strategy for reducing its workforce by 90 percent, as instructed by the Office of the Secretary.
The proposed strategy aims to shift the OFCCP’s focus to the work required by Section 503 of the Rehabilitation Act (“Section 503”) and the Vietnam Era Veterans Readjustment Assistance Act (“VEVRAA”). Federal contractors are still obligated to comply with these statutes, the outline requirements related to veterans and individuals with disabilities, following President Trump’s revocation of Executive Order 11246.
As part of its proposed reduction, the OFCCP will close 51 of its current 55 offices, keeping one office in four designated regions. The proposal also cuts the OFCCP’s staff down to 50 employees. Those 50 employees would prioritize carrying out the Section 503 and VEVRAA compliance requirements.
Further, the OFCCP’s National Office, which establishes all policy and program operations implemented by the regions, would be reduced to 14 employees. Those remaining employees would be scattered across four divisions: the Front Office, the Policy Division, the Operations and Enforcement Division, and the Administrative Division.
Finally, to achieve its desired reduction, the OFCCP used the proposal memorandum to ask permission to use the Voluntary Early Retirement Authority (“VERA”) and the Voluntary Separation Incentive Program (“VSIP”). The OFCCP proposed offering VSIP to all retirement eligible and early retirement eligible employees.
The OFCCP’s proposal will surely see movement in the coming weeks as it seeks to abide by the Office of the Secretary’s mandate to reduce its workforce, which could have big implications for federal contractors. Employers should work with their counsel to assess compliance strategies in response to the myriad of changes and enforcement priorities at federal agencies.
TCPA CLASS ACTION FILINGS EXPLODE: The MASSIVE Final Numbers Are In for 2024–And January, 2025 Numbers Are INSANE
These numbers are just insane.
85.3% of all TCPA filings in December, 2024 were class actions.
85.3%.
I can pretty much guarantee that is the highest percentage of cases to be filed as a class action under any statute at any point in the history of our country.
Oh wait, I lied.
In November, 2024 an INSANE 95.5% —95.5%!!!–of TCPA filings were class actions.
Welcome to TCPAWorld.
To add to the fun, a total of 2788 TCPA cases were filed last year UP 67% from 2023.
A 67% rise in TCPA suits year-over-year folks.
And considering that class actions now account for over 80% of those filings 2024 saw the highest number of TCPA class actions in history!
Insanity.
Want more fun?
The numbers for January, 2025 are also in.
172 TCPA class actions in January, 2025!
In January, 2024 there were 64.
64 to 172.
That’s a 268% rise in TCPA class actions to start 2025 over 2024!!!!!
Yes, it is only one month but considering how steep a rise 2024 saw the fact that 2025 is already SMOKING 2024 filings is real cause for concern.
So to summarize:
TCPA cases were up 67% last year;
Over 80% of filings are now class actions;
TCPA class action filings were up over 250% in January, 2025 YOY.
Wow.
And each one of these lawsuits has the ability to END a company. No wonder I have dedicated my career to keeping people safe in the TCPAWorld!
My goodness.
Credit to WebRecon for all the stats!