Immigration Enforcement and Healthcare Facilities: Key Considerations for Providers
Recent changes in federal immigration enforcement practices have prompted renewed attention to how healthcare providers manage requests from law enforcement agencies. While federal policy continues to recognize healthcare facilities as sensitive environments, there has been increased interest in enforcement activity in or around such locations. Healthcare organizations should consider taking this opportunity to review internal protocols and confirm they are prepared to respond in a manner that is consistent with applicable federal and state law.
This post outlines key considerations related to patient privacy, facility access, and provider obligations when immigration enforcement activity intersects with clinical operations.
Patient Privacy and Requests for Information
Healthcare providers remain subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which generally prohibits the disclosure of protected health information (PHI) without patient authorization, except in limited circumstances. One such exception is when disclosure is required by law—for example, pursuant to a valid court order or a judicial warrant.
Providers should be aware that administrative warrants issued by immigration authorities alone typically do not meet HIPAA’s “required by law” standard. In such instances, providers should consider verifying whether the request is supported by sufficient legal authority before disclosing patient information. Internal policies and staff training may help ensure that any disclosures are appropriately limited in scope and consistent with federal and state privacy laws.
Facility Access and On-Site Enforcement Activity
In some cases, immigration officials or other law enforcement personnel may seek to enter a healthcare facility to interview or take custody of an individual. Providers should consider preparing for such scenarios by identifying points of contact for handling law enforcement inquiries, establishing protocols for reviewing documentation, and confirming when legal counsel should be contacted.
Importantly, hospitals and other emergency care providers remain obligated to comply with the Emergency Medical Treatment and Labor Act, which requires the screening and stabilization of patients seeking emergency care, regardless of their background or circumstances.
Nondiscrimination and Access to Care
Providers that participate in Medicare or Medicaid are also subject to federal nondiscrimination requirements under the Civil Rights Act and Section 1557 of the Affordable Care Act, as well as state civil rights laws. These laws generally prohibit denying care on the basis of national origin or perceived immigration status. Healthcare organizations may wish to review their policies to ensure they reflect these ongoing obligations.
State and Local Considerations
In addition to federal law, healthcare providers should consider any applicable state or local requirements related to law enforcement interactions, patient rights, or data privacy. Several state attorneys general and regulatory agencies have issued advisories or guidance materials to assist providers in navigating these issues. For example, Maryland’s attorney general released guidance for Maryland providers in light of the recent policy changes on immigration enforcement. Reviewing such materials in consultation with counsel may help organizations develop compliant, well-informed operational protocols.
Conclusion
As enforcement practices evolve, healthcare providers would benefit from reviewing their procedures for responding to law enforcement activity—particularly in contexts involving patient privacy, facility access, and legal process. A proactive approach can help ensure compliance with relevant laws and support the delivery of uninterrupted, nondiscriminatory care.
Providers with questions about specific scenarios or legal requirements are encouraged to consult our team to assess how these considerations apply in their jurisdiction and operational context.
FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings
On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.
The primary goals of the FedRAMP 20x initiative include:
Seeking to implement the use of automated validation for 80% of FedRAMP requirements, which would leave about 20% of narrative as opposed to the current 100% narrative explanations required in the document submission package.
Leaning on industry partners to provide continuous simple standardized machine-readable validation of continuous monitoring decisions.
Fostering trust between industry and federal agencies to promote direct relationships between cloud service providers and customers. Note, this appears to indicate that the FedRAMP Program Management Office (“PMO”) will have a much smaller role moving forward with respect to the authorization process and assessments.
Replacing annual assessments with simple automated checks.
Replacing the significant change process with an approved business process that will not require additional oversight to be developed in collaboration with industry.
FedRAMP 20x is an initiative that will be implemented in phases. The timeline for Phase 1 has not been announced but, once it is open, Phase 1 seeks to streamline the authorization process for eligible participants and authorized cloud service offerings in weeks rather than months. Phase 1 will focus on Software-as-a-Service offerings with the following characteristics:
Deployed on an existing FedRAMP Authorized cloud service offering using entirely or primarily cloud-native services;
Minimal or no third party cloud interconnections with all services handling federal information FedRAMP Authorized;
Service is provided only via the web (browser and/or APIs);
Offering supports a few standard customer configured features needed by federal agencies (or the cloud provider willing to build that capability quickly); and
Existing adoption of commercial security frameworks are a plus (SOC 2, ISO 27000, CIS Controls, HITRUST, etc.).
The practical implications of Phase 1 appear to be positive. Cloud service providers will be able to submit fewer pages for authorization submissions (i.e., less narrative, and more standard configuration choices for documentation). The documentation required for Phase 1 includes (1) documentation of security controls implemented by the cloud service provider and (2) materials demonstrating the cloud service provider’s existing commercial security framework to the extent it overlaps with FedRAMP requirements (e.g., a Security & Privacy Policy). There will be an automated validation component for Phase 1 authorizations, which may involve making configuration changes as needed to meet certain security controls. Following the assessment process, the cloud service offering will receive a score related to Confidentiality, Integrity, and Availability of federal information, and federal agencies will review this information to make risk assessments prior to adoption. Lastly, there will be changes to continuous monitoring with the replacement of annual assessments with simple automated checks and a new significant change process that will not require additional oversight.
Overall, with less documentation and narrative explanation, a more automated process with quicker authorization timelines, and less burdensome continuous monitoring activities due to enhancements through automation, the goal of FedRAMP 20x changes is to establish more efficient authorization and continuous monitoring processes. This should make it easier for cloud providers to sell their offerings to the government. Industry participation is a major focus of the new initiative. There are community engagement groups planning to begin meeting immediately and there will be opportunities for public comment as new ideas and documentation are rolled out. The community group meetings are focused on four topics: (1) Rev 5 Continuous Monitoring, (2) Automating Assessments, (3) Applying Existing Frameworks, and (4) Continuous Reporting. For those in this space, it will be important to participate to ensure industry partners are involved in shaping the program. The schedule for the meetings can be found here.
FOOTNOTES
[1] The FedRAMP Rev. 5 baseline aligns with National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5.
ANOTHER BIG VICARIOUS LIABILITY WIN FOR TCPA DEFENDANT: Nevada Court Holds Providing Scripts and Training Alone Insufficient for TCPA Agency Liability
Hi TCPAWorld! Another huge vicarious liability win for a TCPA defendant!
The United States District Court for the District of Nevada has dismissed with prejudice all claims alleged by Plaintiff Kelly Usanovic (“Usanovic”) against Americana LLC (DBA Berkshire Hathaway HomeServices Nevada Properties or “BHHS”). Kelly Usanovic v. Americana, L.L.C., No. 2:23-cv-01289-RFB-EJY, 2025 WL 961657 (D. Nev. Mar. 31, 2025). The court concluded that Usanovic failed to plausibly allege that BHHS could be held liable for unsolicited calls made by its affiliated real estate agents under federal agency law principles.
Kelly Usanovic filed a class action lawsuit in August 2023 against BHHS alleging violations of the TCPA. Specifically, Usanovic claimed BHHS agents repeatedly called her cell phone despite it being listed on the National DNC Registry.
Usanovic alleged that BHHS should be vicariously liable under the TCPA, arguing that the company had provided training materials encouraging agents to cold-call consumers using third-party vendors like RedX, Landvoice, Vulcan7, and Mojo—vendors who purportedly supplied phone numbers on the National DNC Registry. Usanovic alleged these materials showed BHHS’s control and authorization of agents’ unlawful calls, seeking to hold BHHS responsible via agency theories of actual authority, apparent authority, and ratification.
Well, Judge Richard F. Boulware II disagreed and granted BHHS’s motion to dismiss WITH PREJUDICE, reasoning that vicarious liability under the TCPA requires establishing a true agency relationship under federal common-law agency principles.
The court found that although BHHS was alleged to have provided general scripts, training, and recommendations on dialers and vendors, these actions alone were insufficient to establish an agency relationship. Critically, the Court underscored that Usanovic failed to allege essential elements of agency, such as BHHS’s direct control over the agents’ day-to-day call activities, the agents’ working hours, or their choice of leads. Simply offering resources and optional training sessions does not establish the requisite control necessary for vicarious liability under the TCPA.
On actual authority, the Court concluded that merely providing guidance to agents does not demonstrate authorization or instruction to call numbers listed on the Do Not Call Registry.
Regarding apparent authority, the Court stated that Usanovic did not plead any statements from BHHS that could reasonably lead her to believe the agents were authorized to violate the TCPA. The mere identification of agents as affiliated with BHHS was deemed insufficient.
Finally, for ratification, the Court found no allegations that BHHS knowingly accepted benefits from agents’ unauthorized calls or acted with willful ignorance.
Thus, because Usanovic’s complaint lacked plausible facts to support any of these common law agency theories, the court dismissed the TCPA claims with prejudice—denying further amendment due to prior opportunities to correct these deficiencies.
There you have it! Another court ruling that knowledge of illegality is required for vicarious liability to attach!
KEYS TO THE CASTLE: Castle Credit Stuck in TCPA Class Action Over Debt Collection Calls
TCPA class actions can be incredibly scary and pose a massive risk to callers of all sorts.
While the statute has generally been enforced against marketers as of late, servicers and collectors of debts may also find themselves in TCPA hot water, particularly if they are using prerecorded calls or ringless voicemail.
This is true even when a calling party originally has consent: that consent can burst like a bubble anytime a consumer asks for calls to stop. And it can be VERY difficult to prove a negative unless every call is recorded.
For instance, in Cannon v. Castle Credit, 2025 WL 975805 (N.D. Ill. Apr. 1, 2025), a Defendant’s motion for summary judgment was denied, i.e., the collector must face trial, because the plaintiff claims he revoked his consent.
In Cannon, Castle allegedly called Plaintiff hundreds of times, including through the use of a ringless voicemail system (VoApps).
Plaintiff claimed that he asked not to be called on several of those calls. However, the Defendant’s records did not reflect the do not call request and calls continued.
Defendant moved for summary judgment arguing the Plaintiff’s inability to provide the specifics around his revocation coupled with the numerous call recordings of calls in which Plaintiff did not revoke consent demonstrated he never actually revoked as he claimed.
But the Court sided with Plaintiff, finding his testimony that he revoked consent was sufficient admissible evidence to require a jury to figure out what really happened.
Making matters worse, although Defendant argued it had not used an ATDS, the Court determined that did not matter: Castle’s concession that it had used VoApps (a prerecorded RVM) meant it was potentially liable under 227(b) regardless of whether an ATDS was used.
This last point is an important one to drive home. Even if calls are placed manually, leaving a prerecorded voicemail will automatically trigger the TCPA. So be careful!
Also worth noting, this case arises out of a REVOCATION that allegedly went unheeded. Well, in just 9 days the scope of the revocation rules is about to EXPLODE. If you’re not ready for this you need to be! (The FCC has taken no action to stay the rule as of yet, although many are hoping it will.)
B2B BLUES: Residential Usage of Business Phone Continues to Trap Marketers
In Ortega v. Sienna, 2025 WL 899970 (W.D. Tex. Mar. 4, 2025), a company calling to offer inventory loans to businesses dialed a number that was being “held out” as a business. Yet the Plaintiff suing over those calls claimed the number was residential in nature.
The defendant moved to dismiss but the Court refused to throw out the case crediting the plaintiff’s allegation of residential usage:
At this stage in the litigation where the Court is limited to evaluating the pleadings and does not have an evidentiary record, it would not be proper to decide whether Mr. Ortega’s phone number is a business number or a personal/residential number for TCPA purposes. As the FCC has acknowledged, whether a cell phone is “residential” is a “fact intensive” inquiry. See id. This is a summary-judgment issue.
Get it?
Even though Defendant claimed to have evidence of Plaintiff’s use of the number for business purposes, that issue cannot be resolved at the pleadings stage. So the case lives on.
Plus, although the court suggests a summary judgment might be appropriate here, past cases have found a question of fact where the plaintiff testifies to residential usage but the evidence shows otherwise. This means the issue might end up at trial!
The Court went on to find Plaintiff’s allegations his DNC request was not heeded demonstrated the caller may not have a DNC policy, which is a separate violation.
Last, the Court determined a claim had been stated under Texas Business and Commerce Code § 302.101 and § 305.053, the Section 302.101 claim because the caller was allegedly marketing without the license required in Texas.
So there you go.
B2B callers need to heed the TCPA and, in particular, the DNC requirements. Do NOT think you are exempt merely because you’re not calling residences or for a consumer purpose. You are not!
Plus state marketing registration requirements DO apply to you. Don’t get confused!
Alternative Paths: Court Denies Motion to Dismiss Quiet Hours Provision Claim
Many lawsuits in the past few months have claimed violations of 47 C.F.R. § 64.1200(c)(1) and 47 U.S.C. § 227(c)(2) (the “Quiet Hours Provision”) of the TCPA. Previously, the Quiet Hours Provision saw very few filings, meaning there is currently very little case law interpreting this area of law. On March 28, 2025, the District of New Jersey denied a motion to dismiss a Quiet Hours Provision claim—and potentially gave a preview of how the cases will be adjudicated in a practical manner.
In Jubb v. CHW Group Inc., No. 23CV23382 (EP) (MAH), 2025 WL 942961 (D.N.J. Mar. 28, 2025), the court denied a motion to dismiss which argued that the Quiet Hours Provision claim was duplicative of the plaintiff’s Do Not Call (“DNC”) claim. Id. at *7. The defendant in Jubb argued that the Quiet Hours Provision claim should be dismissed as duplicative of the DNC claim, because both claims arise from 47 U.S.C. § 227(c).
There is no doubt that both claims arise out of Section 227(c). Section 227(c)(5) of the TCPA is where we see a lot of claims—this is the DNC provision. The DNC provision provides that, when an individual whose phone number has been registered on the national DNC registry for more than thirty days receives more than one telephone solicitation in a twelve-month period, that individual has a private right of action. See 47 U.S.C. § 227(c)(5). Section 227(c)(2), on the other hand, implements additional regulations, including the Quiet Hours Provision, which provides the same private right of action for telephone solicitations made either before 8 a.m. or after 9 p.m., in the recipient’s local time. See 47 U.S.C. § 227(c)(2); 47 C.F.R. § 64.1200(c)(1).
Ultimately, there is no doubt that post-trial recovery is limited to one violation of Section 227(c) per call, a point which neither party contested. Jubb, 2025 WL 942961, at *6. However, post-trial recovery is not the issue on a motion to dismiss. The Jubb court found that a plaintiff may plead multiple claims in the alternative—then limit recovery at the time of trial. See id.
Pleading alternative claims under Section 227(c) allows a plaintiff to seek certification of two different types of classes, either in the alternative or as part of a subclass, presenting a greater risk of liability for defendants. These alternative claims have always been permitted, even under Section 227(c), for instance with internal DNC list violations and external DNC violations. The Quiet Hours Provision now offers a new option for plaintiffs.
In a silver lining here for defendants, the court seemed to take heed of a recent petition made to the Federal Communications Commission. The Petition for Declaratory Ruling and/or Waiver of the Ecommerce Innovation Alliance and Other Petitioners, CG Docket Nos. 02-278, 21-402 (filed Mar. 3, 2025) seeks a declaratory ruling that the time zone of the recipient’s area code—rather than the recipient’s actual location—should be used to determine which time zone is the “recipient’s local time” under the Quiet Hours Provision.
The Jubb court did not directly cite the petition. However, the court did note that the Plaintiff had an area code that corresponded with the Pacific time zone. Jubb, 2025 WL 942961, at *2. This is a much more practical and workable way to determine the recipient’s local time than looking to the recipient’s actual location.
Currently, the language of the Quiet Hours Provision requires a telemarketer to restrict telephone solicitations to between 8 a.m. and 9 p.m., based on “local time at the called party’s location.” 47 C.F.R. § 64.1200(c)(1). Realistically, there is no way for a telemarketer to know the precise location of the individuals they contact. Even if a telemarketer knows and actively monitors the current physical address of their leads, the recipient could be on vacation or an extended business trip in Taiwan, changing the hours of the recipient’s local time. Using the recipient’s area code rather than their actual, physical location makes the most sense—but there is an argument that this reading is not directly supported by the plain language of the Quiet Hours Provision.
Even if the FCC petition is unsuccessful, the Jubb ruling provides some support for arguing that a recipient’s area code determines the recipient’s time zone, making the Quiet Hours Provision more workable from a compliance perspective.
We have seen many cases around the Quiet Hours Provision and have seen many voluntary dismissals of those same cases since then, likely from settlements. As case law begins to come out in this area, there are sure to be more updates to follow.
More States Ban Foreign AI Tools on Government Devices
Alabama and Oklahoma have become the latest states to ban from state-owned devices and networks certain AI tools with links to foreign governments.
In a memorandum issued to all state agencies on March 26, 2025, Alabama Governor Kay Ivey announced new policies banning from the state’s IT network and devices the AI platforms DeepSeek and Manus due to “their affiliation with the Chinese government and vast data-collection capabilities.” The Alabama memo also addressed a new framework for identifying and blocking “other harmful software programs and websites,” focusing on protecting state infrastructure from “foreign countr[ies] of concern,” including China (but not Taiwan), Iran, North Korea, and Russia.
Similarly, on March 21, 2025, Oklahoma Governor Kevin Stitt announced a policy banning DeepSeek on all state-owned devices due to concerns regarding security risks, regulatory compliance issues, susceptibility to adversarial manipulation, and lack of robust security safeguards.
These actions are part of a larger trend, with multiple states and agencies having announced similar policies banning or at least limiting the use of DeepSeek on state devices. In addition, 21 state attorneys general recently urged Congress to pass the “No DeepSeek on Government Devices Act.”
As AI technologies continue to evolve, we can expect more government agencies at all levels to conduct further reviews, issue policies or guidance, and/or enact legislation regarding the use of such technologies with potentially harmful or risky affiliations. Likewise, private businesses should consider undertaking similar reviews of their own policies (particularly if they contract with any government agencies) to protect themselves from potential risks.
ICO Fines Advanced Computer Software Group £3 Million Following Ransomware Attack
On March 27, 2025, the UK Information Commissioner’s Office (“ICO”) announced that it had issued a fine against Advanced Computer Software Group (“Advanced”) for £3.07 million (approx. $4 million) for non-compliance with security rules identified through an investigation following a ransomware attack which occurred in 2022.
The ICO’s investigation found that personal data belonging to 79,404 people was compromised, including details of how to gain entry into the homes of 890 people who were receiving care at home. According to the ICO, hackers accessed certain systems of a group subsidiary via a customer account that did not have multi-factor authentication. The ICO also noted that it was widely reported that the security incident led to the disruption of critical services. The ICO concluded that the group subsidiary had not implemented adequate technical and organizational measures to keep its systems secure.
Initially, the ICO intended to issue a higher fine against Advanced. However, it took into consideration Advanced’s proactive engagement with the UK National Cyber Security Centre, the UK National Crime Agency and the UK National Health Service in the wake of the attack, along with other steps taken to mitigate the risk to those impacted. The final fine represents a voluntary settlement agreed between the ICO and Advanced.
Banking Agencies Begin Publishing Updated Crypto Guidance
On March 28, the Federal Deposit Insurance Corporation (FDIC) rescinded Biden administration guidance[1] related to state-chartered banks’ participation in “crypto-related activities” and published a new interpretation of the scope of permissible crypto activity for the insured depository institutions for which it is the primary regulator (the Crypto Letter).[2] As discussed below, while similar to guidance issued by the Office of the Comptroller of the Currency (OCC) on March 7 with respect to national banks and federal savings banks,[3] the Crypto Letter reflects a seismic shift in the scope of enumerated crypto-related activities permitted to state-chartered banks across the United States, assuming that such activities are performed in a manner that is otherwise consistent with bank regulation.
The Crypto Letter
Notably, the Crypto Letter defines “crypto-related activities” to include “acting as crypto-asset custodians; maintaining stablecoin reserves; issuing crypto and other digital assets; acting as market makers or exchange or redemption agents; participating in blockchain- and distributed ledger-based settlement or payment systems, including performing node functions; as well as related activities such as finder activities and lending.” Some of these powers are consistent with what the banking industry believed likely to be newly permitted by the Trump administration, such as acting as a cryptoasset custodian.
Custodial powers have long been permitted to insured depository institutions that satisfy certain statutory and procedural requirements. Other powers enumerated in the definition, however, such as issuing crypto and other digital assets, represent a breadth of authority that had not been widely anticipated in the banking industry given that such activities provide the potential for FDIC-supervised institutions to publicly offer payment mechanisms that could, potentially, compete with the US dollar. For example, if Bank of X issues a hypothetical “X coin” that can be used at merchants much like a credit or debit card (whether in an open-loop or closed-loop environment), such coin will function as a medium of exchange that could either be fully backed by US dollars (i.e., a payment stablecoin), or potentially backed by other assets, introducing a new form of privately issued currency into the payment ecosystem.
It is worth noting that Congress is currently considering several bills on payment stablecoins. These bills would create regulatory pathways for banks to issue payment stablecoins under appropriate regulatory oversight.
However, the Crypto Letter further provides that traditional concepts underpinning bank supervision continue to apply to a bank that pursues participation in a crypto-related activity: namely, such activities must be performed in a manner that is consistent with safety and soundness principles as well as applicable laws and regulations. While the Crypto Letter is clear that prior approval from the FDIC is not required to engage in a crypto-related activity, before undertaking such activities, the insured depository institution must consider the existing risk rubric that governs all bank activities, including, but not limited to, “market and liquidity risk; operational and cybersecurity risks; consumer protection requirements; and anti-money laundering requirements.”
Finally, the Crypto Letter notes that new interagency guidance related to crypto activities by insured depository institutions will be forthcoming from the federal banking regulators with respect to prior guidance issued by the Biden administration. This is consistent with action taken by the OCC in its publication of the OCC Crypto Letter that rescinded prior OCC guidance with respect to crypto activity and affirmed that national banks and federal savings banks may engage in cryptoasset custody, distributed ledger and stablecoin activities.
What This Means
While the Crypto Letter reflects a policy to permit broad participation in the crypto market by FDIC-supervised banks, there is no expectation that such banks will immediately enter the market with crypto-related products and services. Rather, policies, procedures and testing methodologies must be created to reflect safe and sound banking principles. Clearly, certain activities that “mirror” products currently offered by insured depository institutions, such as the custodying of crypto assets, will be the first activities retail and commercial customers are likely to see, given that the pivot to offering this type of additional fiduciary activity will not present significant operational and procedural hurdles assuming an institution currently offers such services. Lending against the value of a customer’s crypto likely falls within the same analytical framework: banks have long loaned against the value of assets, including assets whose values fluctuate in the market.
Other enumerated activities, however, will require a longer “lead time” before they are brought to the market. In particular, building a blockchain-based payment system will require significant investment and effort given the multiple layers between consumer/customer, merchant, and payment system. For example, in order for a consumer to use crypto held at Bank X to buy coffee in the morning from the merchant in the office lobby, Bank X must build the technical infrastructure to connect its banking systems with blockchain networks. This infrastructure will need to allow the consumer to initiate payments, enable the bank to verify balances and process transfers and ensure that such crypto can be moved from the customer’s account held at Bank X to the merchant’s account held at Bank Y.
[1] The Biden administration guidance requiring prior FDIC notification before engaging in crypto-related activities was set forth at FDIC FIL-16-2022.
[2] FDIC Clarifies Process for Banks to Engage in Crypto-Related Activities, March 28, 2025, available at https://www.fdic.gov/news/financial-institution-letters/2025/fdic-clarifies-process-banks-engage-crypto-related?source=govdelivery&utm_medium=email&utm_source=govdelivery
[3] OCC Letter Addressing Certain Crypto-Asset Activities, March 7, 2025, available at https://www.occ.treas.gov/topics/charters-and-licensing/interpretations-and-actions/2025/int1183.pdf (the “OCC Crypto Letter”).
CFTC Withdraws Pair of Advisories on Heightened Review Approach to Digital Asset Derivatives [Video]
On March 28, the staff of the Commodity Futures Trading Commission (CFTC) issued two press releases announcing the withdrawal of two previous advisories that reflected the agency’s heightened review approach to digital asset derivatives.
These announcements appear to mark the end of the CFTC’s heightened review of digital asset products. The CFTC rules certainly still apply, but this seems to be a deliberate move by the CFTC to start treating digital asset derivatives like other CFTC-regulated products. It also gives a glimpse of how the CFTC would regulate digital asset spot transactions if Congress gives it the authority to do so.
The first advisory the CFTC withdrew was Staff Advisory No. 18-14, Advisory with Respect to Virtual Currency Derivative Product Listings, which was issued on May 21, 2018. The withdrawal is effective immediately. That advisory provided certain enhancements that CFTC-regulated entities were asked to follow when listing digital asset derivatives. These included enhanced market surveillance, closer coordination with the CFTC, reporting obligations, risk management and outreach to members and market participants. That advisory was withdrawn in its entirety, with the CFTC staff citing its increased experience with digital asset derivatives and that the digital asset industry has increased in market growth and maturity.
The second advisory the CFTC staff withdrew was Staff Advisory No. 23-07, Review of Risks Associated with Expansion of DCO Clearing of Digital Assets, issued on May 30, 2023. It stated that CFTC staff would focus on the heightened risks of digital asset derivatives to system safeguards, fiscal settlement procedures and conflicts of interest.
United States: House Committee on Financial Services Urges the SEC to Withdraw Final and Proposed Rules
On 31 March 2025, the House Committee on Financial Services (Committee), in a letter to Acting Chairman of the US Securities and Exchange Commission (SEC), Mark Uyeda, identified a series of proposed and adopted rules that the SEC should withdraw or rescind. The letter notes the Committee’s view that the SEC, under the prior Chair, had lost sight of its mission. The identified proposals and rules represent significant rulemaking efforts on the part of the SEC, many of which were controversial and subject to significant industry opposition. The specific proposals identified are the following:
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure;
Short Position and Short Activity Reporting by Institutional Investment Managers;
Reporting of Securities Loans;
Pay Versus Performance;
Investment Company Names;
Form N-PORT and Form N-CEN Reporting; Guidance on Open-End Fund Liquidity Risk Management Programs;
Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker Dealers and Investment Advisers;
Open-End Fund Liquidity Risk Management Programs and Swing Pricing;
Regulation Best Execution;
Order Competition;
Position Reporting of Large Security-Based Swap Positions;
Regulation Systems Compliance and Integrity;
Outsourcing by Investment Advisers; and
Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices.
While the Committee does not have the authority to compel the SEC to take action on any of these final or proposed rules, the letter is a strong indication of support for an overall deregulatory environment and could provide a blueprint for SEC regulatory policy once Paul Atkins is confirmed.
EU: New European Consumer Protection Guidelines for Virtual Currencies in Video Games
On March 21, 2025, ahead of a consultation and call for evidence on the EU’s Digital Fairness Act, the Consumer Protection Cooperation (CPC) Network[1] highlighted the pressing need for improved consumer protection in the European Union, particularly regarding virtual currencies in video games. This move comes in response to growing concerns about the impact of gaming practices on consumers, including vulnerable groups such as children. The CPC Network has defined a series of key principles and recommendations aimed at ensuring a fairer and more transparent gaming environment. These recommendations are not binding and are without prejudice to applicable European consumer protection laws[2], but they will likely guide and inform enforcement by consumer protection agencies at the national level across the EU.
What Are the Key Recommendations for In-Game Virtual Currency?
The CPC Network’s recommendations are designed to enhance transparency, prevent unfair practices, and protect consumers’ financial well-being. These principles are not exhaustive but cover several crucial areas:
Clear and Transparent Price Indication: The price of in-game content or services must be shown in both in-game currency and real-world money, ensuring players can make informed decisions about their purchases. (Articles 6(1)(d) and 7 of the UCPD, and Article 6(1)(e) of the CRD)
Avoiding Practices That Obscure Pricing: Game developers should not engage in tactics that obscure the true cost of digital content. This includes practices like mixing different in-game currencies or requiring multiple exchanges to make purchases. The goal is to avoid confusing or misleading players. (Articles 6(1)(d) and 7 of the UCPD, and Article 6(1)(e) of the CRD)
No Forced Purchases: Developers should not design games that force consumers to spend more money on in-game currencies than necessary. Players should be able to choose the exact amount of currency they wish to purchase. (Articles 5, 8 and 9 of the UCPD)
Clear Pre-Contractual Information: Prior to purchasing virtual currencies, consumers must be given clear, easy-to-understand information about what they are buying. This is particularly important for ensuring informed choices. (Article 6 of the CRD)
Respecting the Right of Withdrawal: Players must be informed about their right to withdraw from a purchase within 14 days, particularly for unused in-game currency. This is crucial for ensuring consumers’ ability to cancel transactions if they change their mind. (Articles 9 to 16 of the CRD)
Fair and Transparent Contractual Terms: The terms and conditions for purchasing in-game virtual currencies should be written clearly, using plain language to ensure consumers fully understand their rights and obligations. (Article 3(1) and (3) of the UCTD)
Respect for Consumer Vulnerabilities: Game developers must consider the vulnerabilities of players, particularly minors, and ensure that game design does not exploit these weaknesses. This includes providing parental controls to prevent unauthorized purchases and ensuring that any communication with minors is carefully scrutinized. (Articles 5-8 and Point 28 of Annex I of the UCPD)
These principles reflect the growing concern among European regulators about the exploitation of consumers, particularly vulnerable groups such as children, in the gaming world. The European Consumer Organisation (BEUC) has strongly supported these measures, which aim to provide a safer, more transparent gaming experience for players.
Enforcement Actions and Legal Proceedings
On the same day, the CPC Network, coordinated by the European Commission, initiated legal proceedings against the developer of an online game. This action, driven by a complaint from the Swedish Consumers’ Association, addresses concerns about the company’s marketing practices, particularly those targeting children. Allegations include misleading advertisements urging children to purchase in-game currency, aggressive sales tactics such as time-limited offers, and a failure to provide clear pricing information.
A Safer Gaming Future
This enforcement action, along with the introduction of new principles, is part of the European Commission’s stated objective to ensure better consumer protection within the gaming industry. The Commission aims to emphasize the importance of transparency, fairness, and the protection of minors within gaming platforms.
What Should Video Game Companies and Gambling Operators Do Next?
In light of these new developments, video game companies and gambling operators, especially those offering virtual currencies, are well advised to review their practices to ensure ongoing compliance with existing EU consumer protection laws.
Failure to align with the above principles does not automatically mean that consumer laws are infringed, but, as the recent enforcement action shows, it could result in investigations and enforcement actions under the CPC Regulation or national laws. If gaming content is available across multiple EU countries, a coordinated investigation may be triggered, with the possibility of fines of up to 4% of a company’s annual turnover.
To further support the industry, the European Commission is organising a workshop to allow gaming companies to present their strategies for aligning with the new consumer protection standards. This will provide a valuable opportunity for companies to share their plans and address any concerns related to these proposed changes. If you would like to know more, please get in touch.
FOOTNOTES
[1] The CPC Network is formed by national authorities responsible for enforcing EU consumer protection legislation under the coordination of the European Commission.
[2] Reference is made to Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 on unfair commercial practices (UCPD); Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights (CRD); and Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (UCTD).