Remote Work Compliance Considerations for H-1B, E-3, and H-1B1 Employees

Navigating Immigration and Employment Law Requirements in the Remote Work Era
The shift toward remote and hybrid work arrangements has created compliance challenges for U.S. employers sponsoring foreign workers under H-1B, E-3, and H-1B1 classifications. While remote work offers flexibility and expanded talent pools, it introduces legal obligations that, if overlooked, may result in substantial penalties and backpay awards and may jeopardize employees’ immigration status.
The Fundamental Requirement: Every Work Location Must Be Covered
Under U.S. Department of Labor (DOL) regulations, every location where an H-1B, E-3, or H-1B1 employee performs work must be listed on a Labor Condition Application (LCA) and covered by the underlying petition. This includes the employee’s home office when working remotely.
When an employee works from home, their residence becomes a “worksite” for immigration and labor law purposes. This means:

The home address must be listed as a worksite on the LCA
The prevailing wage determination must account for the geographic location of the home office
Public Access File requirements apply to the home location
LCA posting obligations are triggered

The Growing Challenge: Unreported Address Changes
A compliance gap may emerge if employees relocate during their H-1B validity period without informing their employer’s immigration team. This seemingly minor oversight may create cascading compliance complications.
When Employees Move Within the Same Metropolitan Statistical Area (MSA)
If an employee relocates within the same MSA as originally listed on their LCA:
Required Action: The employer must post the LCA notice in two conspicuous places at the employee’s new residence (the new remote worksite) for 10 consecutive business days and update the Public Access File accordingly.
Common Failure: HR teams update payroll records and internal systems but fail to notify immigration counsel, resulting in a lack of required postings at the new location and outdated, deficient Public Access File documentation.
Consequences:

DOL violations and potential civil fines
Wage and hour compliance deficiencies
Exposure to whistleblower complaints
Potential backpay obligations

When Employees Move Outside the Original MSA
If an employee relocates outside the MSA covered by their current LCA:
Required Action: File an amended H-1B petition with a new LCA covering the new geographic area before the employee begins work at the new location.
Common Failure: Employees relocate and continue working without the employer’s knowledge, creating an immediate status violation.
Consequences:

Employee is violating the terms of their H-1B status
Difficulty obtaining future extensions or renewals
Potential bars to future immigration benefits
Employer exposure to willful violator status
Potentially significant monetary penalties and backpay awards

Wage and Hour Compliance Risks
The DOL’s enforcement focus on prevailing wage compliance makes unreported address changes particularly precarious. Key risks include:
Prevailing Wage Violations

Prevailing wage rates vary by geographic area, sometimes by a large margin
Failure to obtain a new LCA with a prevailing wage determination for the new location may result in underpayment
Backpay calculations may extend across multiple years

Record-Keeping Deficiencies

Public Access Files must be maintained for each worksite, including home office locations
Missing documentation for a home office location is itself a violation
DOL investigations and USCIS Fraud Detection and National Security (FDNS) site visits, including in-person visits, often focus on remote work arrangements

Case Study: The Hidden Costs of Poor Communication
Consider the following real-world scenario that illustrates the consequences of inadequate address change procedures:
The Situation: Sarah, a software engineer in H-1B status, was initially hired to work in Dallas, Texas, with a Level 4 prevailing wage determination of $156,998 annually. Her employer’s remote work policy allowed employees to work from home, and her LCA properly listed her Dallas residence as a worksite.
The Move: One year into her three-year H-1B validity period, Sarah relocated to San Francisco to be closer to family. She promptly informed HR and payroll of her address change, and her W-2 forms began reflecting California state taxes. However, the payroll team failed to notify the company’s immigration team about the relocation.
The Compliance Failure: Sarah’s move from Dallas to San Francisco was a change to a different MSA with a substantially higher prevailing wage, approximately $213,512 for a Level 4 software engineer position in the San Francisco area, an annual difference of $56,514. Under DOL and USCIS requirements, this required:

Filing a new LCA with the higher prevailing wage determination
Filing an amended H-1B petition before Sarah started working from her San Francisco residence
Adjusting Sarah’s salary to meet the new required wage (the higher of actual wage and prevailing wage level)

None of these steps were taken because the company’s immigration team was unaware of the move.
The Discovery: Two years later, when Sarah’s employer filed her H-1B extension petition, U.S. Citizenship and Immigration Services (USCIS) issued a Request for Evidence (RFE). USCIS had cross-referenced Sarah’s petition against her California state tax records and identified the discrepancy between her approved work location (Dallas) and her actual work location (San Francisco).
The Consequences: The RFE created multiple serious problems:

Immediate Status Risk: Sarah’s continued work in San Francisco without proper LCA coverage violates the terms of her H-1B status
Wage Violations: Sarah had been underpaid by approximately $56,514 annually for two years relative to the San Francisco prevailing wage
Extension Jeopardy: The extension petition faced potential denial due to the compliance violations
Backpay Exposure: The employer faced potential liability of $113,028 in prevailing wage underpayments
Future Petition Risk: The violation could impact Sarah’s ability to obtain future H-1B extensions or to adjust status to permanent residence

The Resolution Costs: To address the violation, the employer had to:

Engage specialized immigration counsel for RFE response preparation
File corrective amended petitions and LCAs
Pay prevailing wage backpay to Sarah
Implement enhanced compliance procedures company-wide
Face increased scrutiny from authorities on its immigration program

This case demonstrates how a simple communication breakdown can escalate into a six-figure compliance problem with lasting immigration consequences.
How These Violations Are Discovered
The increasing sophistication of government enforcement mechanisms means that address change violations are more likely to be detected than ever before. Employers should be aware of the following discovery methods:
FDNS Site Visits
The FDNS unit conducts unannounced site visits to verify petition information. During these visits, inspecting officers may discover that employees have relocated to new addresses without proper LCA amendments or H-1B petition updates. FDNS officers are specifically trained to identify compliance gaps and will document any discrepancies between approved work locations and actual employee residences.
USCIS Cross-Referencing During Petition Adjudication
As demonstrated in the software engineer case study above, USCIS increasingly cross-references employee state tax filings against residential addresses on record during the adjudication of new H-1B filings, including amendments and extensions. This data matching has become more sophisticated and systematic, making it more likely that geographic discrepancies will be identified during routine petition processing.
Biometric RFEs and Address Verification
USCIS is issuing RFEs requiring H-1B employees to complete biometrics appointments across multiple petition types, mostly on H-1B petitions and I-140 immigrant petitions, even though these cases do not typically require biometric collection. During these appointments, USCIS captures current address information and cross-references it against the approved petition locations. This enforcement mechanism allows USCIS to identify address changes that were never reported to immigration authorities, creating an additional layer of compliance verification that employers may be unprepared for.
The expansion of biometric RFEs to I-140 immigrant petitions demonstrates that USCIS is using address verification as a compliance tool across the entire immigration continuum. Employees who may have had compliant H-1B petitions initially but developed violations during the validity period may find their permanent residence applications jeopardized when USCIS discovers unreported address changes during I-140 adjudication.
ICE I-9 Audits
During Form I-9 compliance audits, Immigration and Customs Enforcement (ICE) may identify H-1B deficiencies when reviewing employee documentation. While this discovery method is currently less common, employers should anticipate increased scrutiny as compliance enforcement becomes stricter and more integrated across agencies. ICE auditors are trained to spot immigration status violations that may not be immediately apparent from I-9 documentation alone.
Employee Self-Reporting
H-1B employees who become aware of prevailing wage requirements may file complaints when they realize they are being underpaid due to their employer’s failure to update LCAs for new work locations. These complaints may trigger DOL wage and hour investigations and result in significant penalties. Educated employees increasingly understand their rights and may seek legal counsel when they suspect wage violations.
Department of State Referrals
During consular visa interviews for visa renewals or family member applications, consular officers may identify discrepancies between an employee’s stated residential address and the work location listed on their H-1B petition. While currently uncommon, this discovery method may become more frequent as consular officers receive enhanced training on H-1B compliance issues and as information sharing between agencies improves.
H-1B Change of Employer Petition Complications
Another discovery method involves H-1B change of employer petitions (portability cases). When an employee transfers to a new employer, USCIS may identify prior compliance violations during the adjudication process by cross-referencing the employee’s state tax filings against the previous employer’s H-1B petition.
The Problem for New Employers: This situation creates an impossible burden for new employers because they typically do not have access to the prior employer’s complete H-1B petition file. The new employer cannot reasonably identify potential compliance issues before filing their change of employer petition, yet they may face petition denials or RFEs based on the prior employer’s failures.
Heightened Risk During Grace Periods: This issue is particularly acute for employees in the 60-day grace period following termination. USCIS has significantly increased its use of Notices to Appear (NTAs) for individuals found to be no longer maintaining legal status. When a compliance violation from a prior employer is discovered during a change of employer petition, it may trigger NTA issuance even if:

The employee had little to no control over the prior employer’s compliance failures
The new employer performed reasonable due diligence but could not access the relevant information
The violation may have occurred years earlier and remained undetected

Practical Implications:

New employers may unknowingly inherit compliance problems caused by an employee’s prior employer
Employees face increased risk of removal proceedings for violations beyond their control
The traditional assumption that change of employer petitions are routine filings no longer holds
Employers should consider enhancing due diligence and vetting processes despite limited access to prior petition information

Risk to Prior Employers: The compliance violations don’t disappear when an employee changes employers. Former employers remain exposed to liability when H-1B deficiencies are discovered during change of employer adjudications. Once a former employee learns that their previous H-1B petition was deficient due to an unreported address change with a higher prevailing wage, they may pursue backpay claims against their former employer. These claims can extend back several years and involve substantial amounts, particularly when the wage differential between geographic areas is significant. The former employer cannot cure the violation since the employee has already departed, leaving them fully exposed to the financial consequences of their compliance failure.
Whistleblower Reports
Current or former employees, competitors, or other third parties may report suspected violations to DOL or USCIS. The anonymous nature of many reporting mechanisms makes this an ongoing risk for noncompliant employers.
The key takeaway is that these violations are no longer hidden in administrative silos. Government agencies are increasingly sharing information and using sophisticated data matching techniques that make discovery more likely and more systematic than in the past.
Beyond Geography: Wage Level Classification Risks
While geographic prevailing wage violations represent a significant compliance risk, employers face additional exposure from selecting an incorrect occupational classification or wage level for H-1B positions. Compounded with the address change problem, this may create further liability.
The Four-Level System Challenge
The prevailing wage system classifies positions into four levels based on experience, education, and job complexity:

Level 1: Entry-level positions for employees with a basic understanding of the occupation
Level 2: Qualified positions for employees with a good understanding of the occupation
Level 3: Experienced positions for employees with a sound understanding of the occupation
Level 4: Fully competent positions for employees with sufficient experience to plan and conduct work requiring independent judgment

Common Misclassification Scenarios
Many employers face two distinct types of classification errors that may result in significant compliance violations:
Wage Level Misclassification
Employers may under-classify positions to reduce labor costs, selecting Level 1 or Level 2 wages when the position actually requires Level 3 or Level 4 compensation.
Job Classification Misclassification
Beyond wage levels, employers often select incorrect job classifications entirely. The duties and responsibilities of different positions carry substantially different prevailing wages, even within similar fields. For example:
Similar but Distinct Classifications:

A “Systems Analyst” classification carries a lower prevailing wage than a “Software Engineer” classification, despite overlapping responsibilities
“Computer Programmer” wages differ significantly from “Software Developer” wages
“Database Administrator” and “Computer Systems Analyst” have different wage requirements

Bachelor’s Degree Requirement Violations: The H-1B category fundamentally requires that the proposed U.S. assignment necessitate at least a bachelor’s-level education. Selecting job classifications that require only an associate’s degree creates an immediate compliance concern. For example, selecting “Computer Network Support Specialists” for an employee performing bachelor’s-level work, even though DOL data indicates the position requires an associate’s degree, may result in:

Denial of the H-1B petition for failing to meet specialty occupation requirements
Significant backpay awards if the misclassification is discovered during employment
Potential willful violator findings if the pattern is systemic
Review of an employer’s entire immigration program

These job classification errors may create several compounding problems.
Compounding Geographic Issues: When an employee moves to a higher-wage area and the employer has made both wage level and job classification errors, the underpayment exposure multiplies. An employee initially classified as a Level 1 “Computer Network Support Specialist” in Dallas who should have been a Level 4 “Software Engineer,” then moves to San Francisco, faces a triple violation (geographic change, incorrect wage level, and incorrect job classification) potentially creating enormous backpay liability.
Audit Vulnerability: DOL audits specifically examine whether both the job classification and wage level selection match the actual job requirements. Auditors review:

Job descriptions and actual duties performed against standard occupational classifications
Required qualifications versus employee credentials and degree requirements
Supervision levels and decision-making authority
Comparison with similar positions at the employer and industry standards

Systematic Violations: Unlike address changes that affect individual employees, both job classification and wage level misclassification often reflect company-wide practices, potentially affecting multiple H-1B employees simultaneously and creating backpay exposure across entire departments or job categories.
Civil Penalty Exposure
Wage level violations carry the same penalty structure as geographic wage violations under 20 CFR 655.810 (2025 penalty amounts as adjusted by Federal Register, Vol. 90, No. 8, Jan. 10, 2025). The regulation’s three tiers, with the page’s adjusted amounts, are:

Willful violations resulting in displacement of a U.S. worker: Up to $67,367 per violation plus backpay
Other willful violations (wages, working conditions, notification, and similar) and willful misrepresentations: Up to $9,624 per violation plus backpay
Substantial failures (notification, LCA specificity, recordkeeping) and non-willful misrepresentations of material fact: Up to $2,364 per violation plus backpay

When combined with multi-year underpayments across multiple employees, these penalties can reach seven figures for employers with systematic misclassification practices.
Program Debarment
For employers with systemic, widespread violations, the DOL can impose the most severe penalty available: debarment from the H-1B program under INA § 212(n)(2). This sanction prohibits an employer from filing any H-1B petitions for up to three years.
Debarment Requirements: Under DOL Fact Sheet #62S, debarment requires formal enforcement proceedings with specific findings:

A finding of violation must be entered in either a DOL proceeding under INA §212(n)(2) or a Department of Justice proceeding under INA §212(n)(5)
The agency must find that the employer committed either a willful failure or misrepresentation of material fact involving at least two Labor Condition Application attestations
The violation must have occurred after Oct. 21, 1998

Additional Consequences:

Employers found to be willful violators, including debarred employers, are subject to random DOL investigations for up to five years from the date of the willful violator determination
Complete prohibition on filing new H-1B petitions during the debarment period

Business Impact: For technology companies, consulting firms, health care organizations, and other employers that rely heavily on H-1B workers, debarment can be business-threatening. The consequences include:

Complete inability to hire new international talent
Loss of competitive advantage in global talent acquisition
Potential departure of existing H-1B employees who cannot obtain extensions
Damage to employer brand and reputation in international markets
Disruption of long-term business planning and growth strategies

No Workarounds: Unlike monetary penalties that can be paid, debarment cannot be cured through compliance efforts during the prohibition period. Employers facing debarment must demonstrate extraordinary circumstances to avoid or reduce the sanction period.
Documentation also matters: inadequate documentation makes it difficult to defend job classification and wage level selections during audits and increases the likelihood that violations are classified as “willful” rather than technical.
Additional Compliance Considerations for Employers
Establish Clear Policies

Require employees to report any address changes immediately
Include address change obligations in employment agreements and handbook policies
Create specific procedures for remote work approvals

Implement Monitoring Systems

Regular audits of employee addresses across HR, payroll, and immigration systems
Quarterly compliance reviews to identify discrepancies
Technology solutions to flag address changes automatically

Coordinate Across Departments

Ensure HR, payroll, immigration, and legal teams communicate regularly
Designate a point person responsible for address change compliance
Create checklists and workflows for processing address changes

Proactive LCA Management

File LCAs for anticipated remote work locations before employees relocate
Consider broader geographic coverage in initial LCA filings where appropriate
Maintain updated prevailing wage determinations for common relocation areas

Employee Education

Train employees on their reporting obligations
Explain the serious consequences of unreported moves
Provide clear instructions on how to report address changes

Immediate Actions
Employers should consider taking the following steps to help address potential compliance gaps:

Conduct an Audit: Review current employee addresses across all systems to identify discrepancies
Implement Reporting Procedures: Establish clear processes for employees to report address changes
Update Policies: Revise employment agreements and handbooks to include specific address change obligations
Train Teams: Educate HR, payroll, and management on immigration compliance requirements for remote work
Engage Immigration Counsel: Work with experienced immigration attorneys to assess current compliance and develop remediation strategies where necessary

Conclusion
The intersection of remote work flexibility and immigration compliance creates challenges for U.S. employers. While remote work offers benefits, it also comes with legal obligations. Employers who proactively address these compliance requirements may avoid costly penalties while maintaining the flexibility that makes them competitive in today’s talent market.
A strategy for maintaining compliance is treating address changes as immigration events requiring immediate attention, not merely administrative updates. By implementing robust monitoring and reporting systems, employers may be able to harness the benefits of remote work while complying with their immigration and labor law obligations.
This article provides general guidance on immigration compliance matters. Employers should consult with experienced immigration counsel to address specific situations and ensure compliance with current regulations.

What’s New in Wireless – August 2025

The wireless industry has revolutionized the way we connect, from facilitating teleworking, distance learning, and telemedicine to allowing the American public to interact virtually in almost all other aspects of their daily lives. Leading policymakers – federal regulators and legislators – are making it a top priority to ensure that the wireless industry has the tools and resources it needs to keep pace with this evolving landscape. This blog provides monthly updates on actions by federal regulatory bodies responsible for communications policy and Congressional efforts to support wireless connectivity. And this month we highlight the FCC’s proposals to streamline and accelerate wireless infrastructure deployments as part of its “Build America” agenda.
Regulatory Actions and Initiatives 
Wireless Networks, Equipment, and Infrastructure
The FCC Takes Steps to Accelerate Infrastructure Deployment. As part of its “Build America” agenda, the FCC adopted a Notice of Proposed Rulemaking that re-examines the agency’s environmental rules to ensure that they comport with the National Environmental Policy Act (“NEPA”), as amended, and promotes greater and faster infrastructure deployment. The Notice also takes a fresh look at the Commission’s National Historic Preservation Act (“NHPA”) requirements. According to the News Release issued about the Notice, the FCC’s Build America agenda “aims to unleash new infrastructure projects in communities all across the country.”
The FCC Initiates a Re-examination of its Emergency Alert System. In addition to reviewing its NEPA and NHPA requirements, the FCC adopted a Notice of Proposed Rulemaking that initiates a review of the FCC’s Emergency Alert System and Wireless Emergency Alerts. The Notice, in particular, evaluates the goals of the systems, whether the systems are achieving those goals, and the steps the Commission should take to modernize the systems. 
The FCC Seeks to Update its Disaster Information Reporting System (“DIRS”). The FCC adopted a Third Further Notice of Proposed Rulemaking and Order on Reconsideration ahead of its August meeting that seeks to modernize the Commission’s DIRS. Among other things, the Further Notice proposes to streamline and simplify DIRS reporting requirements for wireless service providers and others. It also proposes to eliminate DIRS reporting requirements for resellers and mobile virtual network operators. The accompanying Order clarifies the requirements for outage reporting when the outage occurs right before a DIRS activation, and it maintains requirements to send outage notifications to 911 and 988 special facilities during DIRS activations. The News Release about the FCC’s adoption of the item highlights that the item “will pave the way for reforms” to DIRS so that “its benefits outweigh its burdens.”
Comment Deadlines Established on the FCC’s “Bad Labs” Proposals.  The FCC’s Report and Order adopting rules that prohibit the use of any Telecommunications Certification Body, test lab, or laboratory accreditation body owned by, controlled by, or subject to the direction of a “prohibited entity” – i.e., “bad labs” – in the FCC’s equipment authorization process was published in the Federal Register on August 7, 2025. Accordingly, the rules will become effective September 8, 2025, except for those requiring approval by the Office of Management and Budget under the Paperwork Reduction Act. In addition, the FCC’s Further Notice of Proposed Rulemaking seeking comment on further measures to safeguard the integrity of the Commission’s equipment authorization program was published in the Federal Register on July 16, 2025. Accordingly, comments and reply comments on the Further Notice will be due August 15, 2025, and September 15, 2025, respectively. 
The FCC Reminds Rip-and-Replace Support Recipients of Their Spending Report Deadline. The FCC’s Wireline Competition Bureau released a Public Notice on July 10, 2025, reminding all rip-and-replace support recipients of their obligation to file their next spending reports with the FCC by August 10, 2025.
Spectrum
The FCC Solicits Comments on Airspan’s Use of Spectrum in the 3 GHz Band. On July 17, 2025, the FCC’s Wireless Telecommunications Bureau and Office of Engineering and Technology released a Public Notice seeking comment on a petition filed by Airspan Networks, Inc. (“Airspan”) that seeks a waiver of the Commission’s out-of-band emission limits for the 3.45 GHz band. Airspan requests a waiver in order to “facilitate the marketing and operation of base station radios that would be operated in the 3.45 GHz and 3.7 GHz Services, either simultaneously or on a stand-alone basis.” Comments and reply comments on the petition are due August 18, 2025, and September 2, 2025, respectively. 
The GAO Sends Recommendations to NTIA on Spectrum Sharing. The Government Accountability Office (“GAO”) sent a letter to the National Telecommunications and Information Administration (“NTIA”) on July 14, 2025, to highlight certain “priority recommendations” related to: (i) spectrum; (ii) cybersecurity risks and IT; and (iii) federal broadband programs. With respect to spectrum, in particular, the GAO identified two priority recommendations to improve NTIA’s management of federal spectrum use, both of which relate to a 2021 GAO Report on improving collaboration between the FCC and NTIA. First, to address the increase in demand for spectrum from both federal and non-federal users, the GAO recommends that NTIA establish procedures to help guide the design of spectrum-sharing and potential interference studies intended as U.S. contributions to World Radiocommunication Conference technical meetings. Second, the GAO recommends that NTIA request that the Department of State review and update the General Guidance Document outlining processes for working with other agencies to prepare for international conferences where spectrum regulations are updated. 
Legislative Efforts
The House Introduces a Bill That Would Promote Secure and Trusted Telecommunications Infrastructure. On July 17, 2025, Representatives Kim and Keating introduced the Securing Global Telecommunications Act. If enacted, the bill would, among other things, require the State Department to establish a comprehensive strategy to promote secure telecommunications infrastructure around the world. In particular, the strategy would address mobile networks, data centers, 6G, and low-earth orbit satellites, aerostats, and stratospheric balloons. The bill is now in committee. 

Privacy Tip #454 – Students Sue Kansas School District Over AI Surveillance Tool

Current and former students at Lawrence High School and Free State High School, located in Lawrence, Kansas, have sued the school district, alleging that its use of an AI surveillance tool violates their privacy.
The allegations revolve around the school district’s use of Gaggle, which is an AI tool that mines the district’s Google Workspace, including Gmail, Drive, and other Google products used by students through the public schools’ network. Gaggle is designed to “flag content it deems a safety risk, such as allusions to self-harm, depression, drug use and violence.”
The plaintiffs are student journalists, artists, and photographers who reported on Gaggle or had their work flagged and removed by the AI tool. They allege that Gaggle could access their notes, thereby allowing access by the district, which they allege is a violation of journalists’ legal protections. They allege that “[s]tudents’ journalism drafts were intercepted before publication, mental health emails to trusted teachers disappeared, and original artwork was seized from school accounts without warning or explanation.”
They further allege that the district’s use of Gaggle is a “sweeping, suspicionless monitoring program” that “violated student rights by flagging and seizing student artwork.” They allege that “Gaggle undermines the mental health goals it attempts to address by intercepting appeals for help students may send to teachers or other trusted adults.”
The lawsuit requests a permanent injunction to stop the use of Gaggle in the district, along with compensatory, nominal, and punitive damages as well as attorney’s fees.
AI tools have their place in today’s business environment, but without careful protocols implemented to protect user privacy, organizations can find themselves in lawsuits that will drain resources and time away from more critical areas of need.

Use Natural Intelligence Before Artificial Intelligence

The cutting-edge technology encompassing Artificial Intelligence (AI) solutions is astonishing, and this technology has led to a steady increase in organizations adopting or developing their own AI solutions.
Several healthcare and customer service organizations are using AI technology to streamline business processes by mimicking or replacing humans with robotics, and this has led to noteworthy cost savings as a byproduct of early AI adoption.
Not all early adopters of AI were able to reap these rewards. Because of AI’s inherent security risks, some organizations experienced unplanned business disruptions, significant reputational damage, and financial loss. For example, when Samsung employees used ChatGPT for internal code review purposes, they accidentally leaked confidential information, which resulted in Samsung banning the use of generative AI tools.
Is It Time to Embrace AI, and Do Its Strengths Outweigh Its Weaknesses?
According to a publicly accessible AI solution, its most significant information security risks are:

Phishing Attacks
Ransomware
Advanced Persistent Threats (APTs)
Zero-Day Exploits
Man-in-the-Middle (MitM) Attacks
Insider Threats
DDoS Attacks
Misconfigured Access Controls
SQL Injection Vulnerabilities
AI-Enabled Attacks

Most of these attack methods have been around for years, and none should be taken lightly: each can expose an organization to unauthorized access to its network and information systems, which in turn can lead to unexpected information system downtime, significant disruption of business services, reputational damage, and financial loss.
Moreover, AI’s mainstream usage has increased the likelihood of data privacy and security risks that result from deceptive practices. Take, for example, ‘AI-Enabled Attacks’, which leverage unpredictability to create deepfake news, videos, and audio that mislead people into believing real events have occurred when in fact they have not.
Other types of AI-enabled attack methods use weaponized malware which mimics legitimate network traffic, making it much harder for entities’ network operations teams to detect and defend against. The byproduct of these efforts can include accidental misconfiguration of security controls (e.g., antivirus software), with an increased susceptibility to malware that can allow an adversary to gain unauthorized access to Protected Health Information (PHI) and perform data exfiltration through illicit means.
How Does an Organization Defend Against These Attack Methods?
Deploying a customized AI solution that integrates predictive behavioral analysis into network monitoring is one method that can allow for timelier detection of unusual network activity. For supplemental support, organizations should consider:

Creating an AI governance policy
Implementing strict information access controls
Using secure coding practices
Employing data encryption to prevent unauthorized data manipulation
Providing relevant security awareness training
Conducting continuous IT audits and network monitoring activities, to detect behavioral anomalies such as unauthorized AI use
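
As an added example of the last recommendation (not code from the original article), the following Python scan runs over constructed proxy log lines and flags generative-AI traffic from users outside an assumed approved list, plus unusually large uploads by approved users, the pattern behind the Samsung incident mentioned earlier. The log format, the AI host list, the approved users and the upload threshold are all assumptions chosen for illustration.

```python
"""Detect unsanctioned generative-AI use in outbound proxy logs.

Added example for the continuous-monitoring recommendation; not code from the
original article. Log format, host list, approved users and threshold are all
assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (space separated, one request per line):
# <timestamp> <user> <src_ip> <method> <host> <path> <bytes_out> <status>
SAMPLE_LOG = """\
2025-08-11T09:14:02Z alice 10.1.4.22 GET  intranet.example.internal /wiki 812 200
2025-08-11T09:15:31Z bob   10.1.4.37 POST chat.openai.com /backend-api/conversation 48213 200
2025-08-11T09:16:10Z carol 10.1.4.51 POST api.openai.com /v1/chat/completions 1931 200
2025-08-11T09:17:45Z carol 10.1.4.51 POST api.openai.com /v1/chat/completions 262144 200
2025-08-11T09:18:03Z dave  10.1.4.60 GET  gemini.google.com / 1024 200
2025-08-11T09:19:22Z alice 10.1.4.22 POST not-a-log-line
"""

# Assumed: hosts the organisation classifies as generative-AI services.
GENAI_HOSTS = {"chat.openai.com", "api.openai.com", "gemini.google.com", "claude.ai"}
# Assumed: users approved under the AI governance policy to use those services.
APPROVED_USERS = {"carol"}
# Assumed: upload size above which a single request is queued for review as a
# possible leak of internal material (e.g. source code pasted into a chat).
UPLOAD_REVIEW_BYTES = 64 * 1024

LOG_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    host: str
    reason: str      # "unapproved_user" or "large_upload"
    bytes_out: int


def parse_line(line):
    """Parse one log line into a tuple, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, method, host, path, nbytes, status = m.groups()
    return ts, user, ip, method.upper(), host.lower(), path, int(nbytes), int(status)


def is_genai_host(host, genai_hosts):
    """True when host is a listed AI service or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in genai_hosts)


def detect_unauthorized_ai_use(log_text, genai_hosts=GENAI_HOSTS,
                               approved=APPROVED_USERS,
                               review_bytes=UPLOAD_REVIEW_BYTES):
    """Return (findings, malformed_line_count) for the given log text.

    A request to an AI host by a user outside the approved set is flagged as
    unauthorized use; a POST by an approved user at or above review_bytes is
    flagged for data-leak review. Malformed lines are counted, not dropped
    silently, so a logging fault does not look like a clean result.
    """
    findings = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        ts, user, _ip, method, host, _path, nbytes, _status = rec
        if not is_genai_host(host, genai_hosts):
            continue
        if user not in approved:
            findings.append(Finding(ts, user, host, "unapproved_user", nbytes))
        elif method == "POST" and nbytes >= review_bytes:
            findings.append(Finding(ts, user, host, "large_upload", nbytes))
    return findings, malformed


if __name__ == "__main__":
    found, bad = detect_unauthorized_ai_use(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.user:<6} {f.host:<20} {f.reason} ({f.bytes_out} bytes)")
    print(f"{len(found)} finding(s), {bad} malformed line(s)")
```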

Managing AI Risks
The adoption of a comprehensive AI framework is essential for managing AI risks and will help ensure proper governance of AI solutions.
Below is a brief outline of notable frameworks worth considering.

In January 2023, the National Institute of Standards and Technology released its NIST AI Risk Management Framework (AI RMF), which addresses how to manage new and emerging risks related to AI.
Published by the European Commission, the Ethics Guidelines for Trustworthy AI require AI systems to be lawful, ethical, and robust.
Practices for responsible and secure use of AI systems are detailed in Google’s Security Artificial Intelligence Framework (SAIF).

Conclusion
Although AI risks can be prevented and mitigated, failure to govern and deploy a secure AI system can result in significant fines imposed by governing regulatory bodies such as Health and Human Services, when protected health information is abused, or by the European Union if an organization fails to adequately implement data protection safeguards.
Before deploying AI solutions, organizations should establish AI ethical use committees to govern information security initiatives such as: the deployment of guardrails that permit early detection and prevention of AI-related risks; secure system development life cycle practices; and alignment of controls with AI framework requirements and security control standards (e.g., NIST Cybersecurity Framework version 2.0).
This article was originally published in Financial Poise™. This article is subject to the disclaimers found here.

Federal Jury Finds Against Meta for Collecting Data from Flo Health

On August 1, 2025, a California federal jury found that Meta violated the California Invasion of Privacy Act (CIPA) by collecting data from the Flo Health app without the consent of the individuals who downloaded the app and provided information about their period, ovulation, and pregnancies.
CIPA is California’s wiretap law, and the jury found that Meta effectively “eavesdropped” on Flo app users without their consent. According to the plaintiffs, Flo collected information from Flo users after they completed a survey regarding their pregnancy status, tracking of their period, and other information about their menstrual cycle. The suit alleged that although Flo promised not to disclose user-provided information, it provided Meta, Google, and Flurry access to this information through custom app events sent through software development kits incorporated into the Flo app. Sending such events through third-party SDKs is a very common practice in websites and apps that track individuals for marketing purposes.
The jury found that the sharing of this data was a violation of CIPA. Damages have not been determined as yet. Flo, Google, and Flurry were also named defendants in the case, but plaintiffs settled with the other three defendants before trial began.

New Updates to CCPA Regulations: California’s Focus on Automated Decisionmaking Technology, Cybersecurity Audits, Risk Assessments, and More

On July 24, 2025, during a public meeting following public comment, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the California Consumer Privacy Act (CCPA). These substantial changes include new obligations for businesses subject to the CCPA. Significantly, the updates emphasize CPPA’s new regulatory focus over AI decision-making and cybersecurity in addition to privacy. In addition, the CPPA opted to open the Delete Request and Opt-Out Platform (DROP) regulations for further public comment on its proposed changes. Below is a summary of the key updates:
Automated Decisionmaking Technology

ADMT Defined – The updates provide a new regulatory focus on automated decisionmaking technology (ADMT), which is defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” This definition does not cover when such automated technology is used to assist in, but not to entirely substitute, human decisionmaking.
Consumer Rights – Under the new ADMT provisions, businesses must inform consumers of their opt-out and access rights with respect to the business’s use of ADMT to make any significant decisions about the consumer. “Significant decisions” are defined as decisions related to financial or lending services, housing, education opportunities, employment opportunities, or healthcare services.
Pre-Use Notice – Businesses must also provide pre-use notices regarding the use of ADMT. These notices should explain what the ADMT does, consumer rights related to opt-out and access, and a detailed description of how the ADMT works to make a significant decision about the consumer.

Annual Cybersecurity Audits
The CCPA final text introduces an annual cybersecurity audit requirement for businesses that meet a certain threshold. Businesses will be required to conduct annual, independent cybersecurity audits to assess how their cybersecurity program protects consumer personal information from unauthorized access and disclosure. Businesses are required to submit a certificate of completion to the CPPA annually.

Audit Components – Components of a cybersecurity program that fall into the audit’s scope include the business’s cybersecurity measures such as authentication, access controls, inventory management, secure hardware and software configurations, network monitoring, and cybersecurity education. The report must outline, in detail, gaps or weaknesses in the organization’s policies or cybersecurity program components that the auditor deemed to increase the risk of unauthorized access or activity.
Impartiality Requirement – Audits must be performed by an independent and qualified professional. If the auditor is internal to the business, the CCPA requires specific measures to be put in place to ensure the auditor’s impartiality and objectivity.
Repurposing Audits – A cybersecurity audit used for another purpose, such as an audit that uses the NIST Cybersecurity Framework 2.0, may be used for this audit purpose, provided that it meets all of the requirements outlined in the CCPA.
Compliance Timeline – The timeline for completion of the initial cybersecurity audit depends on the business’s revenue for the previous years. All businesses must complete this audit by April 1, 2030, but some will be required to do so by April 1, 2028, depending on annual income.

Pre-Processing Risk Assessments
Under the new regulations, any business that poses a significant risk to consumers’ privacy in processing personal information must conduct a risk assessment before initiating that processing. The goal of a risk assessment is to restrict or prohibit the processing of personal information if the resulting privacy risks to the consumer outweigh the benefits to the business and other stakeholders. Risk assessments must be reviewed and updated once every three years. If there is a material change in processing activity, a business must update its risk assessment as soon as possible, but no later than 45 calendar days from the change.

Broad Definition of Significant Risk – The CCPA outlines several activities that are deemed to present significant risk, including selling or sharing personal information and processing sensitive personal information. This is an expansive definition, because most businesses share personal information with third parties.
Risk Assessment Components – Risk assessments must document a business’s purpose for processing consumer personal information and the benefits to the organization of that processing. Risk assessments must also document the categories of information to be processed. In addition, the risk assessment must also consider the negative impacts of processing to consumers’ privacy. The business must further identify safeguards it plans to implement for the processing, such as encryption and privacy-enhancing technologies.
Compliance Timeline – For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028. The individual submitting the risk assessment attestation must be a member of the business’s executive management team who is directly responsible for, and has sufficient knowledge of, the business’s risk assessment compliance. Risk assessments must be maintained for as long as the processing continues or five years after completion, whichever is later, and available for inspection by CPPA or the Attorney General.

Insurance
The final CCPA changes also include clarification of the law’s application to insurance companies. Insurers are required to comply with the CCPA for personal information collected outside of an insurance transaction. The final text provides an example whereby if an insurance company collects personal information of website visitors who have not applied for any insurance product or service to tailor personalized advertisements to those users, the insurer must comply with the CCPA with respect to that information. Since most websites use tracking technologies, insurance companies should assess their compliance with the CCPA promptly.
Recommended Next Steps
The California Office of Administrative Law (OAL) still needs to review and approve these changes. OAL has 30 business days after receiving the final text from the CPPA to do so. However, many industry experts expect that the OAL will only make minor, if any, changes. Businesses should expect the OAL to approve most of this final text. The regulations take effect in 2027, so preparation for these new compliance obligations should be a top priority. CPPA’s next meeting is September 26, 2025, where it is expected to present its annual enforcement report and priorities. For a more in-depth analysis of the new CPPA Regulations, click here.

CISA Releases Malware Analysis Report for Microsoft SharePoint Vulnerabilities

Threat actors continue to exploit ToolShell to gain unauthorized access to on-premises SharePoint servers. On August 6, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report after analyzing six files “including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.”
The report includes the indicators of compromise and detection signatures to identify malware samples. The report also includes an analysis of YARA Rules, Sigma Rules, ssdeep matches, screenshots, PE Metadata, PE Sections, Packers/Compilers/Cryptors, Tags and Details.
If your organization has been, or is potentially, affected by ToolShell, take advantage of CISA’s analysis and use it to mitigate any potential effect on your company.

Tennessee Data Privacy Law (TIPA) Effective July 1: Are You Prepared?

July 1 marked the official enforcement date of the Tennessee Information Protection Act (TIPA), the state’s comprehensive consumer privacy law. Signed into law in 2023, TIPA grants consumers specific rights concerning their personal information and regulates covered businesses and service providers that collect, use, share, or otherwise process consumers’ personal information. With all TIPA provisions now enforceable, it is important for regulated companies to understand the law’s comprehensive requirements.
Covered businesses and organizations
TIPA regulates entities that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in revenue, and meet one of the below criteria:

Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
Control or process information of at least 175,000 Tennessee consumers during a calendar year.

Consumer Rights
TIPA grants consumers (Tennessee residents acting in a personal context only) the rights to confirm, access, correct, delete, or obtain a copy of their personal information, or opt out of specific uses of their data (such as selling data to third parties, using data for targeted advertising, or profiling consumers in certain instances). Companies must respond to authenticated consumer requests within 45 days, with a possible 45-day extension, and they must establish an appeal process for request denials. Controllers, which TIPA defines as companies that (alone or jointly) determine the purpose and means of processing personal information, must also offer a secure and reliable means for consumers to exercise their rights without requiring consumers to create a new account.
Company Responsibilities
Companies must limit data collection and processing to what is necessary, maintain appropriate data security practices, and avoid discrimination. Companies must provide a clear and accessible privacy notice detailing their practices, and, if selling personal information or using it for targeted advertising, disclose these practices and provide an opt-out option.
Opt-In for Sensitive Personal Information
TIPA prohibits processing sensitive personal information without first obtaining informed consent. Sensitive personal information is defined broadly and includes any personal information that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive information also includes any data collected from a known child younger than age 13, precise geolocation data (i.e., within a 1,750-foot radius), and the processing of genetic or biometric data for the purposes of identifying an individual.
Controller-Processor Requirements
Processors must adhere to companies’ instructions and assist them in meeting their obligations, including responding to consumer rights requests and providing necessary information for data protection assessments. Contracts between companies and processors must outline data processing procedures, including confidentiality, data deletion or return, compliance demonstration, assessments, and subcontractor engagement. The determination of whether a person is acting as a company or processor depends on the context and specific processing of personal information.
Data Protection Assessments
Companies must conduct and document data protection assessments for specific data processing activities involving personal information. These assessments must weigh the benefits and risks of processing, with certain factors considered. Assessments apply to processing of personal data created or generated on or after July 1, 2024, and in investigations by the Tennessee attorney general, are to be treated as confidential and exempt from public disclosure without a waiver of attorney-client privilege or work product protection.
Major Similarities to CCPA
TIPA shares many similarities with the California Consumer Privacy Act (CCPA), including:

Similar consumer rights;
Contractual requirements between controllers and processors; and
Requiring data protection assessments for certain processing activities.

Affirmative Defense
TIPA provides for an “affirmative defense” against violations of the law by adhering to a written privacy policy that conforms to the NIST Privacy Framework or comparable standards. The privacy program’s scale and scope must be appropriate based on factors such as business size, activities, personal information sensitivity, available tools, and compliance with other laws. In addition, certifications from the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules and Privacy Recognition for Processors systems may be considered in evaluating the program.
Enforcement
The Tennessee attorney general retains exclusive enforcement authority, and TIPA expressly states that there is no private right of action. The Tennessee attorney general must provide 60 days’ written notice and an opportunity to cure before initiating enforcement action. If the alleged violations are not cured, the Tennessee attorney general may file an action and seek declaratory and/or injunctive relief, civil penalties up to $7,500 for each violation, reasonable attorneys’ fees and investigative costs, and treble damages in the case of a willful or knowing violation.
Exemptions
The law includes numerous exemptions, including:

Government entities;
Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA);
Insurance companies;
Covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
Nonprofit organizations;
Higher education institutions; and
Personal information that is subject to other laws, such as the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).

TIPA is just one of seven laws slated to go into effect this year. With three more laws going into effect next year, companies should review and determine whether laws such as TIPA apply to them and take steps to comply now that the law is in effect.

Washington Supreme Court Increases Risks of Lawsuits for False or Misleading Email Subject Lines

The Supreme Court of Washington recently clarified the scope of violative practices under the Washington Consumer Electronic Mail Act (CEMA). In Brown v. Old Navy, LLC1, the Court ruled 5-4 that CEMA prohibits advertisers from disseminating any false or misleading information in the subject line of a commercial email, not just information that is false or misleading about the nature of the communication. In the wake of this decision, plaintiffs have filed multiple lawsuits seeking to expand traditionally limited liability for the content of commercial emails.
Analysis
In Brown v. Old Navy, LLC, the plaintiffs asserted that the defendant impermissibly sent emails with false or misleading information, in violation of CEMA. The plaintiffs alleged that the defendant, for example, announced that a 50% off promotion was ending even though the retailer continued to offer the promotion in the days following the initial e-mail.2 Other examples included e-mails that announced time-limited promotions (e.g., today only or three days only) that were extended beyond the specified time limit.3 The case was before the Washington Supreme Court on a question certified by a federal court in the Western District of Washington, in which the case against the defendant is pending.4
CEMA prohibits sending a commercial e-mail that “[c]ontains false or misleading information in the subject line.”5 The defendant argued for the same outcome as in Chen v. Sur La Table, where the Western District of Washington recently held that subsection (1)(b) “specifically prohibits false and misleading information as to the nature of the email, i.e. that the email is an advertisement.”6 Essentially, the defendant in Brown sought to have the Washington Supreme Court adopt the standard that federal courts have applied to claims under the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), which has been interpreted to prohibit only false and misleading information as to the nature of the email (i.e., that it is commercial in nature).7 The plaintiffs argued the prohibition was not limited to information as to the commercial nature of the email.8 Instead, the plaintiffs asserted that any false and misleading information was prohibited by CEMA.9 
Because the outcome of this case required statutory interpretation that would “have far-reaching effects” on those subject to Washington law, the Western District of Washington certified the following question to the Washington Supreme Court: “Does RCW 19.190.020(1)(b) prohibit the transmission of a commercial email with a subject line containing any false or misleading information, or is the prohibition limited to subject lines containing false or misleading information about the commercial nature of the email message?”10 
The court ultimately sided with the plaintiffs, finding that a subject line does not need to deceive consumers about the subject or purpose of the email but rather merely needs to contain false or misleading information.11 
The court was careful to limit the scope of its holding, however. It clarified that promotions that constitute statements of opinion, not of fact, are not “misrepresentations” actionable under CEMA, specifically stating that a “Best Deals of the Year” promotion would not be actionable.12 The court further held that “subjective, unverifiable claims about a product or service are ‘mere puffery’” and that “instances of mere puffery are not prohibited by [CEMA].”13 
The Western District of Washington will still need to resolve two key questions that the Brown decision did not touch: (a) whether a plaintiff bringing suit under CEMA needs to establish traditional elements of fraud liability, such as scienter, reliance and damages; and (b) if not, whether CEMA is preempted by CAN-SPAM’s express preemption provision, which bars any state statutes that purport to impose liability for false statements in emails other than statutes prohibiting “falsity or deception.” Both of these questions are before the Western District on the defendant’s motion to dismiss. 
Since the Washington Supreme Court’s decision, plaintiffs have filed a number of putative class actions under CEMA alleging the use of false or misleading information in subject lines. Most of these cite to subject lines supposedly creating “false urgency” as to the duration of promotions, or subject lines that tout specific discounts (e.g., 50% off) that are only available on limited categories of products. These cases are in the very early stages of litigation. How courts will evaluate CEMA claims in particular contexts remains to be seen.
Implications for Advertisers
The opinion in Brown v. Old Navy, LLC, emphasizes the importance of ensuring material in advertising is not false or misleading. A violation of CEMA’s e-mail regulations is a per se violation of the Consumer Protection Act.14 CEMA sets statutory damages of US$500 for sending Washington residents commercial e-mails that violate its regulations.15 CEMA’s US$500 in statutory damages does not require a showing of actual damages and is incurred per recipient.16 Thus, there is real financial risk in failing to adhere to the newly clarified CEMA parameters.
Conclusion
The Brown v. Old Navy decision underscores the heightened risks of CEMA lawsuits for advertisers who fail to adhere to the law’s false and misleading prohibitions. By implementing the recommended practices, advertisers can better protect themselves from legal challenges and maintain compliance with CEMA. As the legal landscape continues to evolve, staying informed and proactive is essential for minimizing risks and safeguarding business operations. We will continue to monitor court decisions as the CEMA provisions are interpreted in litigation, and are available to answer any questions you might have.

Footnotes

1 Brown v. Old Navy, LLC, 567 P.3d 38 (Wash. 2025) (opinion published April 17, 2025).
2 Id. at 42.
3 Id. 
4 Id. (citing Brown v. Old Navy, LLC, 2:23-CV-00781-JHC, 2023 WL 12071921, at *1 (W.D. Wash. Nov. 29, 2023))
5 RCW 19.190.020(1)(b).
6 Brown v. Old Navy, 567 P.3d at 42 (citing Chen v. Sur La Table, Inc., 655 F. Supp. 3d 1082, 1092 (W.D. Wash. 2023)) (emphasis added by citing Court).
7 Id. at 46.
8 Id. at 44.
9 Id.
10 Brown v. Old Navy, LLC, 2:23-CV-00781-JHC, 2023 WL 12071921, at *1 (W.D. Wash. Nov. 29, 2023) (emphasis in original).
11 Brown v. Old Navy, 567 P.3d at 42.
12 Id. at 47.
13 Id.
14 See RCW 19.190.030(1), .100; ch. 19.86 RCW.
15 RCW 19.190.040. 
16 Brown v. Old Navy, 567 P.3d at 42.

Massachusetts AG Issues Final Guidance Ahead of September 2 Junk-Fee Rule Enforcement

On July 29, the Massachusetts Attorney General issued updated business guidance and a webinar explaining the state’s new “junk fee” regulations under the Massachusetts Consumer Protection Act, which take effect on September 2. The guidance breaks down the rule’s disclosure and cancellation obligations into checklists and identifies narrow carve-outs for businesses already subject to comparable federal or state rules.
The guidance (previously discussed here) offers a high-level roadmap for implementing the new regulations, clarifying when the “Total Price” must appear, how optional fees must be labeled, and what qualifies as a “simple” cancellation process. The guidance emphasizes that violations after September 2 will be deemed unfair or deceptive acts under the Massachusetts Consumer Protection Act.
Key obligations include:

Total price must lead every price display. Sellers must show the maximum amount a consumer will pay, excluding only government taxes and shipping costs, more prominently than any other figure whenever pricing information appears.
Mandatory fees require plain-language labels. Sellers must state the nature, purpose, and amount of each charge and, if avoidable, provide clear instructions for opting out.
Personal data may not precede price disclosure. Sellers cannot request billing or other personal information before displaying the total price, unless the data are strictly necessary for eligibility or regulator-approved pricing.
Negative-option offers require easy cancellation. Subscriptions and similar plans must provide a simple cancellation mechanism at least as easy to use as the sign-up method and send renewal notices 5–30 days before new charges accrue when the term exceeds 31 days.
Trial offers require date-specific disclosures. Before a consumer accepts a free or discounted trial, businesses must disclose the last day to cancel to avoid charges and the exact date billing will begin.
Only narrow exemptions apply. The regulation exempts certain telecom price labels, motor-vehicle disclosures, and licensed securities sales, but otherwise sweeps broadly across sectors including lodging, insurance, and e-commerce.

Putting It Into Practice: States are continuing to ramp up consumer-protection requirements in the wake of the CFPB’s decline (previously discussed here, here, and here). Massachusetts’ updated guidance turns March’s broad “junk fee” mandate into a concrete compliance roadmap. With California and other jurisdictions advancing similar initiatives (previously discussed here), companies operating nationwide should monitor emerging rules, standardize price-transparency protocols, and adjust relevant practices now to stay ahead of the regulatory curve.

Navigating Ambiguity in Consumer Protection Law: Insights from Bodenburg v. Apple

Plaintiff Lisa Bodenburg brought a putative class action against Defendant Apple Inc. after purchasing a 200 GB iCloud+ storage plan. She believed that by upgrading to the paid 200 GB plan, the 200 GB would add to the free 5 GB of storage provided to all Apple customers for a combined total of 205 GB of storage. However, after her purchase, she allegedly discovered that her total available storage was 200 GB, not the expected 205 GB. Bodenburg sued Apple, alleging breach of contract and violations of California’s Unfair Competition Law (“UCL”), Consumers Legal Remedies Act (“CLRA”), and False Advertising Law (“FAL”), seeking damages, restitution, and equitable relief on behalf of herself and a proposed nationwide class of iCloud+ customers. The district court dismissed Bodenburg’s action with prejudice, finding that none of her claims were plausible, and the Ninth Circuit affirmed.
Consumer false advertising class actions continue to proliferate in California. Plaintiffs typically bring claims under the UCL, which prohibits any “unlawful, unfair or fraudulent business act or practice” (Cal. Bus. & Prof. Code § 17200), CLRA, which prohibits “unfair methods of competition and unfair or deceptive acts or practices” (Cal. Civ. Code § 1770), and the FAL, which prohibits “untrue or misleading” statements related to real or personal property or the performance of services (Cal. Bus. & Prof. Code § 17500). To survive a dismissal, each claim must pass an objective “reasonable consumer” test. Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 964, n. 4 (9th Cir. 2018). The test requires a finding “that a significant portion of the general consuming public . . . acting reasonably under the circumstances, could be misled.” Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 508 (2003). 
In the false advertising context, “whether a business practice is deceptive will usually be a question of fact not appropriate for decision at the pleading stage.” Whiteside v. Kimberly Clark Corp., 108 F.4th 771, 778 (9th Cir. 2024) (internal quotations omitted). Dismissal at the pleading stage is only warranted where the plaintiff could not “plausibly prove that a reasonable consumer would be deceived[.]” See Williams, 552 F.3d at 940. Courts have long struggled with the question of when it is appropriate for judges to make the determination that “no reasonable consumer is likely to be deceived” as a matter of law. 
In Bodenburg, the District Court took that step and dismissed the case with prejudice, finding as a matter of law that a reasonable consumer reviewing Apple’s statements would not plausibly believe that Apple’s promise of “additional storage” meant 205 GB in total storage capacity. The Ninth Circuit affirmed. The panel first applied the reasonable consumer test to the iCloud+ Legal Agreement to determine whether Apple’s assurance that subscribers will receive “[a]dditional storage” beyond the 5 GB of free storage provided to all users was ambiguous. The Court ultimately held that while some consumers, like Plaintiff, may interpret such statements as promising 205 GB of storage, such an expectation was not reasonable. The Court reasoned that plaintiff’s belief arises only from a “potential ambiguity” in the contract language that does not amount to an express representation. Although the Court noted that a plaintiff must show something more than a potential ambiguity to survive dismissal, it also considered contextual descriptions of iCloud+ plans to dispel potential ambiguity. Because the descriptions made clear the plan would result in a user receiving a total of 200 GB, it was implausible that a reasonable consumer could be misled. 
The holding in Bodenburg demonstrates that, at least in the Ninth Circuit, potential ambiguity or misunderstanding by particular consumers is insufficient to state a claim under California’s consumer protection statutes. Instead, plaintiffs must plausibly allege that a significant portion of reasonable consumers would be misled based on clear, unambiguous representations. As businesses continue to navigate the evolving landscape of false advertising litigation, Bodenburg serves as a reminder that well-drafted, contextually transparent product statements and agreements can provide meaningful protection against claims rooted in subjective or idiosyncratic interpretations.

FCA Opens UK Retail Access to Crypto Exchange Traded Notes

On 1 August 2025, the Financial Conduct Authority (FCA) issued a press release (the Press Release) announcing that UK retail consumers will soon be able to access crypto exchange traded notes (cETNs) admitted to trading on UK recognised investment exchanges (RIEs). 
Background 
The FCA’s decision follows a period of market evolution and regulatory engagement. In January 2021, the FCA imposed a ban on the sale, marketing, and distribution of derivatives and exchange traded notes referencing unregulated transferable cryptoassets to retail clients. 
However, as highlighted in the Press Release, the cryptoasset market has since matured, with products becoming more mainstream and better understood by both market participants and consumers. In March 2024, the FCA announced it would not object to RIEs creating UK-listed market segments for cETNs, but only for professional investors.
The Press Release is underpinned by the proposals set out in the FCA’s Consultation Paper 25/16 “Quarterly Consultation Paper No.48” (CP25/16), published in June 2025. Chapter 4 of CP25/16 proposed amendments to the FCA’s Handbook to lift the ban on the retail sale, marketing, and distribution of cETNs where admitted to a UK RIE. CP25/16 also proposed categorising these cETNs as Restricted Mass Market Investments (RMMIs), thereby subjecting them to the FCA’s financial promotion rules.
The FCA has confirmed that the Consumer Duty will apply to firms distributing these products to retail investors, and that there will be no coverage from the Financial Services Compensation Scheme (FSCS) for investments in cETNs.
Following CP25/16, the Board of the FCA approved the Conduct of Business (Cryptoasset Products) Instrument 2025 (the Instrument) on 31 July 2025, as noted in the FCA’s Handbook Notice 132 (the Notice). 
The Instrument 
The Instrument amends the FCA Handbook to enable the sale, distribution, and marketing of cETNs to retail clients, provided these products are admitted to trading on a UK RIE. The changes also categorise UK RIE cETNs as RMMIs, meaning they will be subject to the FCA’s financial promotion rules. 
The Instrument will come into force on 8 October 2025.
The Press Release, CP25/16, the Instrument and the Notice are available here, here, here and here, respectively.