Location Data as Health Data? Precedent-Setting Lawsuit Brought Against Retailer Under Washington My Health My Data Act
An online retailer was recently hit with the first class action under Washington’s consumer health data privacy law alleging that it used advertising software attached to certain third-party mobile phone apps to unlawfully harvest the locations and online marketing identifiers of tens of millions of users. This case highlights how seemingly innocuous location data can become sensitive health information through inference and aggregation, potentially setting the stage for a flood of similar copycat lawsuits.
Quick Hits
An online retailer was hit with the first class action under Washington State’s My Health My Data Act (MHMDA), claiming that the retailer unlawfully harvested sensitive location data from users through advertising software integrated into third-party mobile apps.
The lawsuit alleges that the retailer did not obtain proper consent or provide adequate disclosure regarding the collection and sharing of consumer health data, a term that is defined incredibly broadly as personal information that is or could be linked to a specific individual and that can reveal details about an individual’s past, present, or future health status.
This case marks the first significant test of the MHMDA and could provide a roadmap for litigants in Washington and other states.
On February 10, 2025, Washington resident Cassaundra Maxwell filed a class action lawsuit in the U.S. District Court for the Western District of Washington alleging violations of Washington’s MHMDA. The suit alleged that the retailer’s advertising software, known as a “software development kit,” or SDK, is licensed to and “runs in the background of thousands of mobile apps” and “covertly withdraws sensitive location data” that cannot be completely anonymized.
“Mobile users may agree to share their location while using certain apps, such as a weather app, where location data provides the user with the prompt and accurate information they’re seeking,” the suit alleges. “But that user has no idea that [the online retailer] will have equal access to sensitive geolocation data that it can then exfiltrate and monetize.”
The suit brings claims under federal wiretap laws, federal and state consumer protection laws, and violations of the MHMDA, making it a likely test case for consumer privacy claims under the MHMDA. This case evokes parallels to the surge over the past several years of claims under the California Invasion of Privacy Act (CIPA), a criminal wiretap statute. Both involve allegations of unauthorized data collection and sharing facilitated by digital tracking technologies. These technologies, including cookies, pixels, and beacons, are often embedded in websites, apps, or marketing emails, operating in ways that consumers may not fully understand or consent to.
As we previously covered, hundreds if not thousands of lawsuits relating to similar technologies were brought pursuant to CIPA after a California district court denied a motion to dismiss such claims in Greenley v. Kochava, Inc. Given the parallels and the onslaught of litigation that CIPA entailed, the MHMDA case may set important precedents for how consumer health data privacy is interpreted and enforced in the digital age, similar to the impact CIPA litigation has had on broader privacy practices. Like CIPA, the MHMDA also allows for the recovery of attorneys’ fees, but unlike CIPA (which provides for statutory damages even without proof of actual harm), a plaintiff must prove an “injury” to his or her business or property to establish an MHMDA claim.
Consumer Health Data
As many companies working in the retail space likely know, the MHMDA imposes a host of new requirements for companies doing business in Washington or targeting Washington consumers with respect to the collection of “consumer health data.” The law broadly defines “consumer health data” as any personal information that can be linked or reasonably associated with an individual’s past, present, or future physical or mental health status. The MHMDA enumerates an entire list of data points that could constitute “health status,” including information that would not traditionally be thought of as indicative of health, such as:
biometric data;
precise location information that could suggest health-related activities (such as an attempt to obtain health services or supplies);
information about bodily functions, vital signs, and symptoms; and
mere measurements related to any one of the thirteen enumerated data points.
Critically, even inferences can become health status information in the eyes of the MHMDA, including inferences derived from nonhealth data if they can be associated with or used to identify a consumer’s health data.
For instance, Maxwell’s suit alleges the retailer collected her biometric data and precise location information that could reasonably indicate an attempt to acquire or receive health services or supplies. However, the complaint is light on factual support, alleging only that the data harvesting conducted via the retailer’s SDK could reveal (presumably via inference in most cases) “intimate aspects of an individual’s health,” including:
visits to cancer clinics;
“health behaviors” like visiting the gym or fast food habits;
“social detriments of health,” such as where an individual lives or works; and
“social networks that may influence health, such as close contact during the COVID-19 pandemic.”
Notice and Consent
The suit further alleges that the retailer failed to provide appropriate notice of the collection and use of the putative class members’ consumer health data and did not obtain consent before collecting and sharing the data. These allegations serve as a timely reminder of the breadth and depth of the MHMDA’s notice and consent requirements.
Unlike most other state-level privacy laws, which allow different state-mandated disclosures to be combined in a single notice, the Washington attorney general has indicated in (nonbinding) guidance that the MHMDA “Consumer Health Privacy Policy must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under the My Health My Data Act.” Said differently, businesses in Washington cannot rely upon their standard privacy policies, or even their typical geolocation consent pop-up flows with respect to consumer health data.
Additionally, at a high level, the MHMDA contains unusually stringent consent requirements. A business must obtain “freely given, specific, informed, opt-in, voluntary, and unambiguous” consent before consumer health data is (1) collected or shared for any purpose other than providing the specific product or service the consumer has requested from the business, or (2) collected, used, or shared for any purpose not identified in the business’s Consumer Health Privacy Policy.
Next Steps
The Maxwell lawsuit is significant as it is the first to be filed under Washington’s MHMDA, a law that has already spawned a copycat law in Nevada, a lookalike amendment to the Connecticut Data Privacy Act, and a whole host of similar bills in state legislatures across the country—most recently in New York, which has its own version of the MHMDA awaiting presentation to the governor for signature. The suit appears to take an expansive interpretation that could treat nearly all location data as consumer health data, insofar as conclusions about an individual’s health can be drawn from that data. And, while the MHMDA does use expansive language, the suit appears likely to answer still-lingering questions about the extent of what should be considered “consumer health data” subject to the rigorous requirements of the MHMDA.
As this suit progresses, companies targeting Washington consumers or otherwise doing any business in Washington may want to review their use of SDKs or similar technologies, geolocation collection, and any other collection or usage of consumer data with an eye toward the possibility that the data could be treated as consumer health data. Also, their processors may wish to do the same (remember, the Washington attorney general has made it clear that out-of-state entities acting as processors for entities subject to MHMDA must also comply). Depending on what they find, those companies may wish to reevaluate the notice-and-consent processes applicable to the location data they collect, as well as their handling of consumer rights applicable to the same.
U.S. Senate Advances KOSMA Bill Targeting Social Media Use by Minors
Varnum Viewpoints:
KOSMA Restrictions: The Kids Off Social Media Act (KOSMA) aims to ban social media for kids under 13 and limit targeted ads for users under 17.
Bipartisan Support & Opposition: While KOSMA has bipartisan backing, critics argue it could infringe on privacy and First Amendment rights.
Business Impact: KOSMA could affect companies targeting minors, requiring compliance with new privacy regulations alongside existing laws like COPPA.
While COPPA 2.0 and KOSA are discussed more frequently when it comes to protecting the privacy of minors online, the U.S. Senate is advancing new legislation aimed at regulating social media use by those 17 and under. In early February, the Senate Committee on Commerce, Science and Transportation voted to advance the Kids Off Social Media Act (KOSMA), bringing it closer to a full Senate vote.
KOSMA Restrictions
KOSMA would prohibit children under 13 from accessing social media. Additionally, social media companies would be prohibited from leveraging algorithms to promote targeted advertising or personalized content to users under 17. Further, schools receiving federal funding would be required to limit the use of social media on their networks. The bill would also grant enforcement authority to the Federal Trade Commission and state attorneys general.
Bipartisan Support & Opposition
KOSMA has received bipartisan support, with advocates such as Senator Brian Schatz (D-HI), who introduced the bill in January, citing the growing mental health crisis amongst minors due to social media use. Supporters argue that while existing laws like COPPA protect children’s data, they do not adequately address the considerations of social media since they predate the platforms. However, much like similar state laws that have come before it, KOSMA is rife with opposition as well. Opponents argue that this type of regulation could erode privacy and impose unconstitutional restrictions on young people’s ability to engage online. Instituting a ban as opposed to mandating appropriate safeguards, opponents argue, infringes on First Amendment rights.
Business Impact
Although KOSMA only applies to “social media platforms,” the definition of this term could be interpreted broadly and potentially include many companies that publish user-generated content within the scope of KOSMA’s restrictions. KOSMA identifies specific types of companies that would be exempt from the definition of social media platforms, such as teleconferencing platforms or news outlets. If KOSMA were to go into effect, companies across the country that are knowingly collecting data from minors or targeting them with personalized content or advertising would have an additional layer of regulatory consideration when assessing their privacy practices pertaining to the processing of data related to minors—on top of existing federal and state laws.
Congress Extends Certain Telehealth Flexibilities Through March 31, 2025
Overview
KEY UPDATE
At the close of 2024, US Congress passed a short-term extension of Medicare telehealth flexibilities as part of the American Relief Act, 2025 (ARA). The Medicare telehealth waivers, originally enacted as part of the COVID-19 public health emergency (PHE) and subsequently extended through legislation, were set to end on December 31, 2024. These flexibilities, along with the Acute Hospital Care at Home waiver program, are now set to expire March 31, 2025. The ARA failed to extend other waivers, such as the temporary safe harbor for high-deductible health plans (HDHPs) to provide first-dollar coverage of telehealth without interfering with health savings account (HSA) eligibility. While the short-term extension provides continued access to telehealth for Medicare patients, stakeholders should continue to engage with Congress for a more permanent solution.
WHY IT MATTERS
The ARA extension is limited to certain Medicare policies and is only effective through March 31, 2025. Some bipartisan policies, such as the extension of the telehealth HDHP safe harbor, were not included in the ARA. Additionally, the flexibilities related to coverage of cardiac and pulmonary rehabilitation services provided via telehealth were not extended.
The extension indicates bipartisan support for continuing coverage for telehealth services, but the short timeline warrants continued stakeholder engagement for the extension and eventual permanence of the Medicare telehealth flexibilities and reinstatement of the HDHP safe harbor. As the new administration takes office, it is unclear where telehealth will fall on the list of priorities.
In Depth
Historically, Medicare has provided coverage for telehealth services in instances where patients would otherwise be geographically distant from approved providers (e.g., physicians, nurse practitioners, and clinical psychologists). Section 1834(m) of the Social Security Act provides that telehealth services are covered if the beneficiary is seen:
At an approved “originating site” (e.g., physician office, hospital, or skilled nursing facility) that is located within a rural health professional shortage area that is either outside of a metropolitan statistical area (MSA), in a rural census tract, or in a county outside of an MSA
By an approved provider
For a defined set of services
Using certain telecommunications technologies.
Many of these Medicare restrictions regarding coverage and payment for telehealth services were waived via authority delegated in the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Congress subsequently extended the waivers in other pieces of legislation, including the Consolidated Appropriations Act (CAA) 2022 and CAA 2023, with the flexibilities most recently set to expire on December 31, 2024.
The ARA extended the following Medicare flexibilities through March 31, 2025:
Geographic restrictions and originating sites. Patients’ homes will continue to serve as eligible originating sites for all telehealth services (ARA § 3207(a)(2)). Geographic restrictions also remain waived (ARA § 3207(a)(1)).
Eligible practitioners. The expanded definition of the term “practitioner” will continue to apply. The expanded definition includes qualified occupational therapists, physical therapists, speech-language pathologists, and audiologists (ARA § 3207(b)).
Audio-only. Audio-only telehealth services remain eligible for reimbursement (ARA § 3207(e)).
Extending telehealth services for federally qualified health centers (FQHCs) and rural health clinics (RHCs). The US Department of Health and Human Services will cover telehealth services furnished via FQHCs and RHCs to eligible individuals (ARA § 3207(c)).
In-person requirements for mental health. The in-person requirement for mental health care to be reimbursed under Medicare has been delayed until April 1, 2025 (ARA § 3207(d)(1)).
Telehealth for hospice. Telehealth can continue to be used for the required face-to-face encounter prior to the recertification of a patient’s eligibility for hospice care (ARA § 3207(f)).
The ARA also extended the Acute Hospital Care at Home waiver program through March 31, 2025. In the midst of the PHE, the Centers for Medicare & Medicaid Services (CMS) used its PHE flexibilities to issue waivers to certain Medicare hospital conditions of participation (CoPs). These waivers, along with the PHE-related telehealth flexibilities, allowed Medicare-certified hospitals to furnish inpatient-level care in patients’ homes. Addressing hospital bed capacity during the pandemic was a high priority for CMS. These waivers and flexibilities, collectively referred to as the AHCAH Initiative, included:
Waiver of the CoP requiring nursing services to be provided on-premises 24 hours a day, seven days a week.
Waiver of the CoP requiring immediate on-premises availability of a registered nurse for care of any patient.
Waiver of CoPs that define structural and physical environment criteria specific to the hospital setting.
Telehealth flexibility allowing the home or temporary residence of an individual to serve as an originating telehealth site.
Telehealth flexibility allowing a hospital to use remote clinician services in combination with in-home nursing services to provide inpatient-level care in the patient’s home.
As with the Medicare telehealth flexibilities, these had been previously extended through December 31, 2024.
Notable flexibilities that expired or were absent from the ARA include the following:
The telehealth safe harbor for HDHPs. The CARES Act created a temporary safe harbor that permitted HDHPs to cover telehealth and remote care services on a first-dollar basis without jeopardizing eligibility for HSA contributions. By permitting health plans to provide HDHP participants coverage for telehealth services without requiring them to first meet the minimum required deductible, the safe harbor increased access to telehealth services. Additionally, covered individuals who received these services were still able to make or receive contributions to their HSAs because telehealth services were temporarily disregarded in determining eligibility for HSA contributions. Previously, the telehealth HDHP safe harbor ceased for three months from January 1, 2022, to March 31, 2022, before the CAA 2022 renewed it. Most recently extended by the CAA 2023, the telehealth safe harbor for HDHPs expired on December 31, 2024. Starting on January 1, 2025, health plans, insurers, and health plan vendors that previously relied on the telehealth HDHP safe harbor may need to update telehealth coverage for HDHP participants, such as updating plan design and/or cost sharing, to prevent disqualifying HDHP participants from making or receiving HSA contributions.
The SPEAK Act, which would establish a task force to improve access to health IT for non-English speakers.
The PREVENT DIABETES Act, which would broaden access to diabetes prevention services through the Medicare Diabetes Prevention Program.
The Sustainable Cardiopulmonary Rehabilitation Services in the Home Act, which would permanently codify cardiopulmonary rehabilitation Medicare telehealth flexibilities.
With the March 31, 2025, deadline in the not-too-distant future, stakeholders should continue to engage with Congress regarding an extension and permanent solution for the telehealth flexibilities, reinstatement of flexibilities that expired, and inclusion of the other bipartisan telehealth policies that were not included in the final ARA.
Lisa Mazur, Sarah G. Raaii, and Dale C. Van Demark contributed to this article.
Indiana Department of Revenue Determines that Video Game Enhancement Offerings are Not Subject to Sales Tax
The Indiana Department of Revenue (“Department”) determined last month that a video game publishing company’s sales from optional video game enhancement features were not subject to sales tax in Indiana. Ind. Rev. Rul. No. 2024-04-RST (Jan. 7, 2025).
The Facts: A non-Indiana video game publisher (the “Company”) sells optional video game features that enhance gameplay experience. The Company does not sell video games itself; rather, video game sales are made by a related entity of the Company. After a video game is purchased, the Company offers three optional features to the video game purchaser: (1) a monthly online subscription that allows the purchaser to play the video game online and in a multi-player setting; (2) in-game items, such as character costumes and weapons; and (3) virtual currency that the purchaser can use to pay for a monthly subscription or in-game items.
The Company requested that the Department issue a revenue ruling regarding the applicability of Indiana’s sales tax on its offerings. The Department did and determined that the Company’s offerings are not subject to the State’s sales tax.
The Law: Indiana imposes a sales tax on retail transactions made in the State and on certain specified services delivered in the State. Indiana tax law generally defines a retail transaction as a transfer of tangible personal property in the ordinary course of business and also sets forth specific examples of “retail transactions.”
Relevant here, transfers of prewritten computer software, whether delivered electronically or in a tangible medium, are retail transactions subject to sales tax. Sales tax is not imposed, however, on transactions that merely provide a right to remotely access prewritten computer software over the Internet or on sales of software as a service. Thus, if the transaction does not result in the purchaser having a possessory or ownership interest in the software, then sales tax does not apply.
In addition to transfers of prewritten computer software, electronic transfers—which grant a right of permanent use to an end user—of digital audio works, digital audiovisual works, and digital books are subject to sales tax. “Digital audio works” include works such as songs and ringtones, “digital audiovisual works” include works such as movies, and “digital books” include works that are generally recognized in the ordinary and usual sense as books. These are the only digital products on which Indiana imposes sales tax.
The Ruling: In determining whether the Company’s sales were subject to sales tax, the Department analyzed the Company’s offerings under the above provisions. Ultimately, the Department ruled that the Company’s sales of monthly subscriptions, in-game items, and virtual currency are not subject to sales tax because the sale of such items does not fit into Indiana’s definition of a “retail transaction,” and the items do not fall within the enumerated services on which Indiana imposes sales tax. The Department reasoned that the Company’s offerings are neither tangible personal property nor do they fall within the definitions of digital audio works, digital audiovisual works, or digital books.
The Takeaway: This revenue ruling is helpful for taxpayers to better understand how the Department interprets Indiana’s sales tax law to apply to these digital transactions. While the revenue ruling applies only to the Company’s facts and circumstances as described, the ruling expressly states that other taxpayers with substantially identical factual situations may rely on the ruling in preparing returns and making tax decisions. Furthermore, taxpayers can and should use revenue rulings to try to persuade taxing authorities that their position is the correct one.
READ ALL ABOUT IT: Reuters Faces Privacy Lawsuit But The Court Finds No Story To Tell
Greetings CIPAWorld!
Buckle up because this one’s a big deal. If you’ve been keeping an eye on data privacy litigation, you know courts have been drawing a hard line when it comes to proving harm. The Southern District of New York just handed Reuters a win in Zhizhi Xu v. Reuters News & Media Inc., No. 24 Civ. 2466 (PAE), 2025 U.S. Dist. LEXIS 26013 (S.D.N.Y. Feb. 13, 2025), dismissing a lawsuit accusing the media giant of unlawfully collecting users’ IP addresses through web trackers. Here, the case centered around alleged violations of the California Invasion of Privacy Act (“CIPA”), which ultimately fell apart due to a lack of standing. The Court ruled that Plaintiff failed to show any concrete harm—essential for a lawsuit to survive in federal court. If there’s one thing federal courts don’t have time for, it’s speculative injury.
So, what’s the news flash? Plaintiff, a California resident, filed a putative class action against Reuters, alleging that the company embedded web trackers—Sharethrough, Oinnitag, and TripleLift—on its news website. According to Plaintiff, these trackers automatically install on users’ browsers, collect their IP addresses, and transmit that information to third parties for advertising and analytics purposes. Think of it like an invisible footprint—Plaintiff asserted that Reuters tracked him without his consent, leaving behind digital breadcrumbs that were quietly collected and shared. Plaintiff claimed this amounted to a violation of CIPA Section 638.51(a), which prohibits the installation of a “pen register or trap and trace device” without a court order. In response, Reuters quickly moved to dismiss the case, arguing that Plaintiff lacked standing because he had not suffered any tangible injury. The company maintained that collecting an IP address alone—without any evidence of targeted ads or misuse—did not meet the threshold for a privacy violation. In other words, if a tree falls in the digital forest and no one hears it, does it really make a sound? Well, it depends. Like any good law school exam answer, context is everything. Are we talking about mere data collection, or has someone actually suffered harm? Courts don’t deal in hypotheticals—they want to see real, measurable impact. Without proof that Reuters’ data collection led to some kind of concrete harm, the Court wasn’t willing to entertain a privacy violation claim based on mere technicalities.
As such, Judge Paul A. Engelmayer sided with Reuters and dismissed the lawsuit under Rule 12(b)(1) for lack of Article III standing. The ruling echoes a growing trend in data privacy cases: collecting an IP address, without more, doesn’t trigger a legally recognizable harm. In TransUnion LLC v. Ramirez, 594 U.S. 413, 424 (2021), the Supreme Court reaffirmed that a plaintiff must demonstrate a concrete injury to establish standing in federal court. Here, the Court emphasized that IP addresses are not inherently sensitive or private information; an IP address functions primarily as routing data rather than revealing the contents of a user’s communication. The Court relied on Heeger v. Facebook, Inc., 509 F. Supp. 3d 1182, 1188 (N.D. Cal. 2020), which held that collecting IP addresses alone does not constitute a privacy invasion. Plaintiff did not allege that he received targeted ads, suffered financial harm, or had his identity compromised as a result of Reuters’ data collection.
By contrast, the Court noted cases like McClung v. AddShopper, Inc., No. 23-cv-01996-VC, 2024 WL 189006, at *1 (N.D. Cal. Jan. 17, 2024), where the defendant’s data collection led to unwanted marketing. That’s the key difference—Plaintiff’s data was allegedly collected, but nothing happened as a result. Compare that to cases where companies have blasted users with personalized ads based on the data they grabbed. The Court found no historical or legal precedent equating the collection of an IP address with a recognized harm like defamation, intrusion upon seclusion, or public disclosure of private facts, noting Liau v. Weed Inc., No. 23 Civ. 1177 (S.D.N.Y. Feb. 22, 2024), which found that an IP address does not constitute “personal information” for privacy claims.
This ruling isn’t just a one-off—it’s part of a larger judicial pattern that is becoming increasingly common. The courts are sending a message: statutory violations alone won’t cut it in federal court. This aligns with decisions like Lightoller v. JetBlue Airways Corp., No. 23-cv-00361-H-KSC, 2023 WL 3963823, at *3 (S.D. Cal. June 12, 2023), where the Court held that a mere statutory violation under CIPA does not establish standing without an actual, concrete harm. Plaintiff’s attempt to claim a privacy right over his IP address fell flat, as the Court reiterated that voluntarily conveyed addressing information does not trigger constitutional standing concerns. If plaintiffs want to bring CIPA or similar claims in federal court, they must show tangible harm—like unwanted targeted ads, identity theft, or direct financial consequences.
Law school lecture 101: Federal standing isn’t just some procedural hurdle—it’s the gatekeeper to the courtroom, and judges are making it clear that not all claims get past the front door. Just because a statute grants a right doesn’t mean plaintiffs automatically have standing in federal court. That’s the real kicker here. Courts are increasingly skeptical of claims that hinge on technical violations without real-world consequences. If the only harm is theoretical, don’t expect a federal judge to bite. This ruling doubles down on that message: if you want your case to survive, show the court some real, measurable damage. Otherwise, your complaint might as well be a hypothetical from law school.
What is more, this case aligns with other recent dismissals of privacy lawsuits that fail to show real harm. There’s a growing judicial skepticism of privacy claims that rest on bare statutory violations. Courts are signaling that mere technical violations of privacy statutes won’t cut it—plaintiffs must demonstrate how they were harmed. And this makes sense. Privacy is a big deal, but without actual damage, courts don’t want to police every instance of data collection. It’s the legal equivalent of “no harm, no foul.”
So, where do we go from here? The battle over what qualifies as ‘concrete injury’ in data privacy cases isn’t going away anytime soon. Expect more lawsuits, more motions to dismiss, and more courts refining the boundaries of what actually constitutes harm in data privacy.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
NewsBank Hit with Class Action over Employee Data Breach
Last week, a class action was filed against NewsBank, Inc., a Florida-based news database company, related to a 2024 breach of employee personal information.
NewsBank provides a database of archived news publications utilized by libraries, higher education institutions, and other organizations. NewsBank suffered a security incident affecting its employees’ personal information between June and July 2024.
The lead plaintiff claims that, as an employee of NewsBank from January 2023 to November 2024, they were required to provide their personal information (i.e., name, date of birth, Social Security number, and financial account information) as part of their employment.
The lead plaintiff alleges they now face a heightened risk of identity theft due to the breach. The complaint states, “Plaintiff and class members must now and for years into the future closely monitor their medical and financial accounts to guard against identity theft. The risk of identity theft is not speculative or hypothetical but is impending and has materialized as there is evidence that the plaintiff’s and class members’ private information was targeted, accessed, has been misused, and disseminated on the dark web.” The lawsuit alleges claims of negligence, breach of implied contract, and breach of fiduciary duty.
Additionally, the lawsuit alleges that NewsBank failed to follow its policies, including those outlined in its website Privacy Policy, stating that NewsBank had implemented security procedures to protect personal information from unauthorized access, use, and disclosure.
The class seeks over $5 million in damages and injunctive relief, requiring NewsBank to implement enhanced security measures and provide affected individuals with lifetime identity theft protection services. The complaint alleges that “[o]nce private information is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or contained against future misuse [. . . ] For this reason, plaintiff and class members will need to maintain these heightened measures for years, and possibly their entire lives, as a result of defendant’s conduct.”
Privacy Tip #432 – DOGE Sued for Unauthorized Access to Our Personal Information
The Department of Government Efficiency’s (DOGE) staggering unfettered access to all Americans’ personal information is highly concerning. DOGE employees’ access includes databases at the Office of Personnel Management, the Department of Education, the Department of Health and Human Services, and the U.S. Treasury.
If you want more information about the DOGE employees who have access to this highly sensitive data, Wired and KrebsOnSecurity have provided fascinating but disturbing accounts.
Meanwhile, New York and other states have filed suit against DOGE, alleging that the unfettered access to the federal databases is a privacy violation. On February 14, 2025, a New York federal judge found “good cause to extend a temporary restraining order” stopping DOGE employees from accessing U.S. Treasury Department databases. However, the next day, another federal judge in Washington, D.C., denied a request to stop DOGE from accessing the databases of the Department of Labor, the Department of Health and Human Services, and the Consumer Financial Protection Bureau. That means that DOGE employees now have access to the sensitive health and claims information of Medicare recipients, as well as the identities of individuals who have made workplace health and safety complaints. NBC News has reported that “the Labor Department authorized DOGE employees to use software to remotely transfer large data sets.”
Currently, 11 lawsuits have been filed against DOGE over access to sensitive information in federal databases, alleging that the access violates privacy laws. The databases include student loan applications at the Department of Education, taxpayer information at the Department of the Treasury, and the personnel records of all federal employees contained in the database of the Office of Personnel Management, the Department of Labor, the Social Security Administration, FEMA, and USAID.
According to a plaintiff, the potential to misuse Americans’ personally identifiable information “is serious and irrevocable…. The risks are staggering: identity theft, fraud, and political targeting. Once your data is exposed, it’s virtually impossible to undo the damage.” We will be closely watching the progress of these suits and their impact on the protection of our personal information.
Texas AG Investigates DeepSeek + List of Banned Countries Expands
Texas Attorney General Ken Paxton announced on February 14, 2024, that his office has opened an investigation into DeepSeek’s privacy practices. DeepSeek, an artificial intelligence company with ties to the People’s Republic of China, has been banned on state-owned devices in Texas, New York, and Virginia. The Pentagon, NASA, and the U.S. Navy have also prohibited employees from using DeepSeek.
According to Paxton’s press release, he has notified DeepSeek “that its platform violates the Texas Data Privacy and Security Act.” He sent civil investigative demands to tech companies to obtain information about their analysis of the application and any documentation DeepSeek forwarded to the tech companies before the application was offered to consumers.
DeepSeek has been banned in Italy, South Korea, Australia, Taiwan, and India.
Joint Cybersecurity Advisory Released on Ghost (Cring) Ransomware
The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.
According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
The advisory urges organizations to:
Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.
Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.
Is Your Business Trapped? The Rise of “Trap and Trace” Litigation
Almost every business has a website; every website should have a privacy policy, terms of use, and, in some cases, a consumer privacy rights notice—if certain state consumer privacy rights laws apply to your business, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively CCPA). What about a cookie policy? Or a cookie consent banner? Or a cookie preferences pop-up? If you haven’t looked at what types of ad tech your website uses—i.e., cookies, pixel tags, device IDs, and browser fingerprinting technologies that collect data about user behavior across multiple devices and platforms, which are essential for targeted advertising online—now is the time.
“Trap and trace” litigation and private demands for damages related to online tracking have risen significantly. “Trap and trace” litigation is related to the ad tech used on websites involving online trackers that plaintiffs’ attorneys liken to “pen registers” under state wiretap laws. These technologies allegedly collect website users’ device information and activities without their consent, which plaintiffs’ attorneys argue constitutes unauthorized interception of electronic communications under various wiretap laws. Here are some key considerations to assess your company’s website and ad tech:
Unauthorized Interception: the use of third-party trackers in ad tech is being construed as an intentional interception of electronic communications, similar to how pen registers and trap and trace devices operate by capturing dialing, routing, addressing, or signaling information.
Legal Risks: the use of such technologies without clear consent or transparency can lead to legal and reputational risks for your business, not to mention demands from plaintiffs’ attorneys seeking quick settlement in this unsettled area of the law, as well as class actions seeking millions of dollars in damages.
State Wiretap Laws: state wiretap laws, such as California’s Invasion of Privacy Act and Massachusetts’s Wiretap Act, have been adapted to address online tracking methods. These laws prohibit unauthorized interception of electronic communications, and plaintiffs’ attorneys are alleging that using online trackers could potentially violate these laws.
Privacy Rights: the use of certain ad tech may also constitute a privacy rights violation under state consumer privacy rights laws, like the CCPA.
Impossibility of Obtaining Prior Consent: the way most ad tech is set up to function means that website users’ data and activity are tracked instantaneously upon visiting the website, which prevents the business from obtaining prior consent (i.e., acceptance of website cookies) before the tracking begins. Knowing how to program your website’s ad tech properly is vital in steering clear of these claims and lawsuits.
Overall, the intersection of ad tech and “trap and trace” demands and litigation highlights the importance of understanding and complying with privacy laws and obtaining explicit consent from website users when collecting and using their data. Now is the time to evaluate your website, privacy policy, terms of use, and consumer privacy rights notices to confirm compliance with the ever-changing landscape of state and federal laws, while also finding balance between meeting your marketing team’s needs and your website users’ experience. Take action to avoid this trap.
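The “impossibility of obtaining prior consent” point above comes down to when tracker code is loaded. The following is an added example, not code from the original post or from any vendor’s SDK: the immediate-load pattern that fires trackers before a banner is answered, beside a consent gate that queues them until the visitor grants the relevant category. The `loadScript` callback, the tracker URLs and the category names are assumptions constructed for the example.

```javascript
// Added example (not from the post or any vendor SDK). `loadScript` is
// injected so this runs outside a browser; a page would append a <script>.
// Constructed sample trackers tagged with the consent category each needs;
// URLs are placeholders, not real ad-tech endpoints.
const TRACKERS = [
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
  { src: 'https://stats.example/collect.js', category: 'analytics' },
];

// Weak pattern: every tracker loads as soon as the page starts, so device
// and activity data leave the site before any consent banner is answered.
function loadTrackersImmediately(trackers, loadScript) {
  for (const t of trackers) loadScript(t.src);
  return trackers.map((t) => t.src);
}

// Hardened pattern: trackers are queued on registration and loaded only
// after the visitor grants their category; nothing third-party runs before.
class ConsentGate {
  constructor(loadScript) {
    this.loadScript = loadScript;
    this.granted = new Set();
    this.pending = [];
    this.loaded = [];
  }
  register(tracker) {
    if (this.granted.has(tracker.category)) this.load(tracker);
    else this.pending.push(tracker);
  }
  grant(category) {
    this.granted.add(category);
    const ready = this.pending.filter((t) => t.category === category);
    this.pending = this.pending.filter((t) => t.category !== category);
    for (const t of ready) this.load(t);
  }
  load(tracker) {
    this.loadScript(tracker.src);
    this.loaded.push(tracker.src);
  }
}
// One simulated visit under each pattern, the visitor accepting only
// advertising cookies; returns what loaded at each stage.
function simulateVisit(trackers) {
  const firedEarly = loadTrackersImmediately(trackers, () => {});
  const gate = new ConsentGate(() => {});
  trackers.forEach((t) => gate.register(t));
  const beforeConsent = [...gate.loaded];
  gate.grant('advertising');
  return { firedEarly, beforeConsent, afterConsent: [...gate.loaded],
    stillPending: gate.pending.map((t) => t.src) };
}
```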
SOUR MORNING?: For Love and Lemons Faces TCPA Lawsuit Over Timing Violations
Hi TCPAWorld! The Baroness here. And we’ve got a new filing. This time, we’re taking a look at a case involving a popular clothing brand: For Love and Lemons.
Let’s start with the allegations.
The plaintiff Michelle Huang alleges that on November 28 and 29, 2024, she received two text messages from For Love and Lemons.
However, this case isn’t about the typical Do Not Call (DNC) Registry violation you might expect.
This case is actually brought under the time restrictions provisions of the TCPA.
Here’s where it gets interesting: Huang asserts that she received the messages at 7:14 a.m. and 7:45 a.m. — times she says are outside the window in which businesses are allowed to send marketing messages. Specifically, she contends she never authorized For Love and Lemons to send texts before 8 a.m. or after 9 p.m. local time.
This is significant because under 64.1200(c)(1), “[n]o person or entity shall initiate any telephone solicitation” to “[a]ny residential telephone subscriber before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).” 47 C.F.R. § 64.1200(c)(1).
Based on this alleged violation, Plaintiff sued For Love and Lemons for violations of Section 227(c) of the TCPA and 64.1200(c)(1).
In addition, she seeks to represent a class of individuals who received similar marketing texts outside the permissible hours:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
It is not often that we see cases being filed pursuant to 64.1200(c)(1). But this is a reminder that this provision exists!
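The 64.1200(c)(1) window is keyed to local time at the called party’s location, which is the detail a send pipeline most often gets wrong by checking the sender’s clock instead. Below is an added example, not code from the original post, of a quiet-hours gate that converts each send instant to the recipient’s local clock; it assumes each recipient’s IANA time zone is already on file, and the phone numbers and timestamp are constructed sample data.

```javascript
// Added example (not from the original post): a quiet-hours gate applying
// the 8 a.m. to 9 p.m. window of 47 C.F.R. § 64.1200(c)(1) in the called
// party's local time. Each recipient's IANA time zone is assumed known.
const WINDOW_OPEN_HOUR = 8;   // 08:00 local, inclusive
const WINDOW_CLOSE_HOUR = 21; // 21:00 local, exclusive (9 p.m.)

// Clock time at the recipient's location for a given instant. The rule is
// keyed to the called party's local time, not the sender's server clock.
function localHourMinute(instant, timeZone) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hour: 'numeric', minute: 'numeric', hourCycle: 'h23',
  }).formatToParts(instant);
  const pick = (type) => Number(parts.find((p) => p.type === type).value);
  return { hour: pick('hour'), minute: pick('minute') };
}

function isPermittedSendTime(instant, timeZone) {
  const { hour } = localHourMinute(instant, timeZone);
  return hour >= WINDOW_OPEN_HOUR && hour < WINDOW_CLOSE_HOUR;
}

// Screen a send queue: each message is marked 'send' or 'hold' with the
// recipient-local time that drove the decision. Nothing is transmitted.
function screenQueue(queue, now) {
  return queue.map((msg) => {
    const { hour, minute } = localHourMinute(now, msg.timeZone);
    const hh = String(hour).padStart(2, '0');
    const mm = String(minute).padStart(2, '0');
    return {
      to: msg.to,
      localTime: `${hh}:${mm}`,
      action: isPermittedSendTime(now, msg.timeZone) ? 'send' : 'hold',
    };
  });
}

// Constructed sample: one send instant, recipients in three time zones.
const SAMPLE_NOW = new Date('2024-11-28T15:14:00Z');
const SAMPLE_QUEUE = [
  { to: '+1-555-010-0001', timeZone: 'America/Los_Angeles' }, // 07:14 PST
  { to: '+1-555-010-0002', timeZone: 'America/New_York' },    // 10:14 EST
  { to: '+1-555-010-0003', timeZone: 'Pacific/Honolulu' },    // 05:14 HST
];
```

The same 15:14 UTC instant is held for the Pacific and Hawaii recipients and sent for the Eastern one, which is the distinction a sender-clock check cannot make.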
Since this case was just filed, there is not much to report. But we will of course keep you folks updated as the case progresses.
Huang v. Love And Lemons LLC, Case No.: 2:25-CV-01391 (C.D. Cal).