Ninth Circuit Blocks Enforcement of California Social Media Addiction Law Pending Appeal
On January 28, 2025, the U.S. Court of Appeals of the Ninth Circuit temporarily enjoined enforcement of S.B. 976, the Protecting Our Kids from Social Media Addiction Act (“the Act”) in its entirety, pending an appeal in a case brought by NetChoice, a technology trade group. The Act was set to take effect January 1, 2025, which was extended to February 1, 2025 by a district court order. Our earlier post provides a summary of the Act’s requirements and restrictions. Under an expedited appeal schedule, the Ninth Circuit will hear arguments in this case in April 2025 and will not grant the parties briefing schedule extensions.
OPT OUT WOES: Albertson’s Sued in TCPA Class Action for Allegedly Failing to Honor Stop Request– And its Harbinger of Things to Come
April 11, 2025.
That’s the date the FCC’s new and incredibly dangerous TCPA revocation rules are set to take effect.
If you’re not aware of the new rule you need to watch this incredibly important webinar that breaks it down right now:
Even without the massive expansion of revocation scope in April, some companies are having a tough time with their revocation process.
For instance Albertson’s was just sued in a TCPA class action asserting it failed to honor a consumer opt out request.
A litigator named Jennifer Schofield claims she personally placed her number on the national DNC way back in 2006. Nonetheless, she contends Albertson’s began texting her in 2024 from shortcode 48687.
According to Schofield, she texted “stop” and received a response from Albertson’s confirming no further texts would be sent.
Yet she received another text.
Schofield again allegedly texted “STOP” and, once again, continued to receive texts.
Schofield contends she was annoyed and harassed and sued Albertson’s under the TCPA. She also hopes to represent two nationwide classes:
IDNC Class: All persons within the United States who, within thefour years prior to the filing of this lawsuit through the date ofclass certification, received two or more text messages within any12-month period, from or on behalf of Defendant, regardingDefendant’s goods or services, to said person’s residential cellulartelephone number, after communicating to Defendant that they didnot wish to receive text messages by replying to the messages witha “stop” or similar opt-out instruction.
DNC CLASS: All persons in the United States who, within thefour years prior to the filing of this action through the date of classcertification, (1) were sent more than one text message within any12-month period; (2) where the person’s telephone number hadbeen listed on the National Do Not Call Registry for at least thirtydays; (3) regarding Defendant’s property, goods, and/or services;(4) to said person’s residential cellular telephone number; (5) aftermaking a request to Defendant to not receive further text messagesby replying with a “stop” or similar opt-out instruction in responseto Defendant’s text message(s).
Obviously we don’t know whether the allegations have any merit–the case was just filed– but we will keep an eye on it.
Full complaint here: Albertsons Complaint
Kein digitales Zugangsrecht – Gewerkschaft scheitert mit Klage gegen Adidas
Spätestens seit der Corona-Pandemie erfreut sich das Home-Office großer Beliebtheit: Rund ein Viertel aller Erwerbstätigen in Deutschland arbeitet zumindest teilweise aus dem Home-Office. Doch während das mobile Arbeiten sowohl für Arbeitnehmer als auch Arbeitgeber eine Reihe von Vorteilen mit sich bringt, stellt es die – ohnehin über Mitgliederschwund klagenden – Gewerkschaften vor zunehmende Herausforderungen: Potenzielle Gewerkschaftsmitglieder, die von zu Hause aus arbeiten und nicht physisch auf dem Betriebsgelände erscheinen, sind schlicht schwieriger zu erreichen als ihre Kollegen, die täglich zur Arbeitsstätte pendeln und von den Gewerkschaften auf dem Firmenparkplatz angeworben werden können.
Die Industriegewerkschaft Bergbau, Chemie, Energie (IG BCE) nahm genau diese Herausforderung nun zum Anlass, von Adidas die Herausgabe der dienstlichen E-Mail-Adressen seiner Mitarbeitenden, Zugang zum konzernweiten sozialen Netzwerk Viva Engage sowie die Verlinkung ihrer Homepage auf der Startseite des Intranets des Sportartikelherstellers zu verlangen. In einer in der vergangenen Woche ergangenen Entscheidung erteilte das Bundesarbeitsgericht den Gewerkschaftsforderungen und damit einem „digitalen Zugangsrecht“ jedoch eine Absage.
In seiner Entscheidung (BAG, Urt. v. 28.01.2025, Az. 1 AZR 33/24) stellte der erste Senat um die Präsidentin des Bundesarbeitsgerichts Inken Gallner klar, dass Arbeitgeber weder hinsichtlich bereits beschäftigter Arbeitnehmer noch hinsichtlich neu hinzukommender Arbeitnehmer dazu verpflichtet seien, dienstliche E-Mail-Adressen zum Zwecke der Mitgliederwerbung an die jeweils tarifzuständige Gewerkschaft herauszugeben. Zwar gewährleiste die in Art. 9 Abs. 3 GG normierte Koalitionsfreiheit die grundsätzliche Befugnis von Gewerkschaften, betriebliche E-Mail-Adressen der Arbeitnehmer zu Werbezwecken und für deren Information zu nutzen, allerdings resultiere daraus keine Verpflichtung von Arbeitgebern, die Mitgliederwerbung durch Übermittlung der E-Mail-Adressen selbst aktiv zu unterstützen. Neben den insofern betroffenen konkurrierenden Grundrechten des Arbeitgebers aus Art. 14 GG sowie Art. 12 Abs. 1 GG und der verfassungsrechtlich garantierten wirtschaftlichen Betätigungsfreiheit seien die ebenfalls berührten Grundrechte der betroffenen Arbeitnehmer aus Art. 2 Abs. 1 i.V.m. Art. 1 Abs. 1 GG bzw. Art. 8 der Charta der Grundrechte der Europäischen Union zu berücksichtigen und mit der Koalitionsfreiheit abzuwägen. Die von der Gewerkschaft erhobene Forderung bringe die betroffenen Rechte dabei nicht in einen angemessenen Ausgleich.
Auch mit ihren Anträgen auf Zugang zum konzerninternen sozialen Netzwerk und eine Verlinkung der Gewerkschafts-Homepage auf der Startseite des firmeneigenen Intranets scheiterte die Gewerkschaft. Die damit einhergehenden Beeinträchtigungen des Arbeitgebers übersteigen dem Bundesarbeitsgericht zufolge das durch Art. 9 Abs. 3 GG geschützte Interesse der Gewerkschaft an der Durchführung solcher Werbemaßnahmen. Insbesondere die Forderung nach Verlinkung im firmeneigenen Intranet finde aktuell keine Grundlage im Gesetz und könne mangels planwidriger Regelungslücke im Betriebsverfassungsgesetz auch nicht auf § 9 Abs. 3 S. 2 BPersVG gestützt werden.
Ob der Gesetzgeber vor dem Hintergrund dieser Entscheidung tätig wird und mit der ausdrücklichen Normierung eines elektronischen Zugangsrechts auf den Wandel der Arbeitswelt reagiert, bleibt abzuwarten. Bis dahin bleibt den Gewerkschaften lediglich, auf klassischem Wege um Nachwuchs zu werben oder – wie das Bundesarbeitsgericht betont – potenzielle Mitglieder vor Ort im Betrieb nach ihrer dienstlichen E-Mail-Adresse zu fragen. Betroffene Unternehmen können bei vergleichbaren Gewerkschaftsanfragen hingegen – jedenfalls vorerst – getrost auf die Rechtsprechung aus Erfurt verweisen.
SEC’s Crypto Journey Continues
In a wide-ranging public statement entitled “The Journey Begins,” SEC Commissioner Hester Peirce previewed next steps for the SEC’s Crypto Task Force. As chair of the Crypto Task Force, Commissioner Peirce’s statement lays out a broad agenda for the SEC’s approach to cryptocurrency over the next four years.
The statement begins by criticizing the SEC’s past approach to crypto, noting:
it took us a long time to get into this mess, and it is going to take us some time to get out of it. The Commission has engaged with the crypto industry in one form or another for more than a decade. The first bitcoin exchange-traded product application hit our doorstep in 2013, and the Commission brought a fraud case that had a tangential crypto element that same year. In 2017, we issued the DAO Section 21(a) report, which reflected the first application of the Howey test in this context. Since then, there have been many enforcement actions, a number of no-action letters, some exemptive relief, endless talk about crypto in speeches and statements, lots of meetings with crypto entrepreneurs, many inter-agency and international crypto working groups, discussion of certain aspects of crypto in rulemaking proposals, consideration of crypto-related issues in reviews of registration statements and other filings, and approval of numerous SRO proposed rule changes to list crypto exchange-traded products.
Commissioner Peirce also sought to manage expectations about the timing and complexity of future SEC action:
Throughout this time, the Commission’s handling of crypto has been marked by legal imprecision and commercial impracticality. Consequently, many cases remain in litigation, many rules remain in the proposal stage, and many market participants remain in limbo. Determining how best to disentangle all these strands, including ongoing litigation, will take time. It will involve work across the whole agency and cooperation with other regulators. Please be patient. The Task Force wants to get to a good place, but we need to do so in an orderly, practical, and legally defensible way.
The statement hits libertarian notes, proclaiming, “In this country, people generally have a right to make decisions for themselves, but the counterpart to that wonderful American liberty is the equally wonderful American expectation that people must decide for themselves, not look to Mama Government to tell them what to do or not to do, nor to bail them out when they do something that turns out badly.” But Commissioner Peirce also warned that “SEC rules will not let you do whatever you want, whenever you want, however you want,” and that the SEC will not “tolerate liars, cheaters, and scammers.”
The heart of the statement lays out a 10-point, nonexclusive agenda for the SEC Crypto Task Force:
providing greater specificity as to which crypto assets are securities;
identifying areas both within and outside the SEC’s jurisdiction;
considering temporary regulatory relief for prior coin or token offerings;
modifying future paths for registering securities token offerings;
updating policies for special purpose broker-dealers transacting in crypto;
improving crypto custody options for investment advisers;
providing clarity around crypto lending and staking programs;
revisiting SEC policies regarding crypto exchange-traded products;
engaging with clearing agencies and transfer agents transacting in crypto; and
considering a cross-border sandbox for limited experimentation.
Commissioner Peirce’s statement concludes with instructions on how to engage with the Crypto Task Force, both in writing and in person.
NAD Recommends Revolve Upgrade Disclosures When Gifting Items to Influencers
In a recent decision, the National Advertising Division (NAD) of BBB National Programs recommended that Revolve Group, Inc., a clothing company with an extensive influencer network, modify influencer posts to more clearly disclose the material connections between Revolve and influencers in its product gifting program.
Make It Crystal: Revolve’s Brand Ambassador Posts Not Clear Enough
Revolve had engaged the two influencers through a product-gifting relationship in which the company offered a clothing credit towards their merchandise in exchange for a certain number of social media posts about the Revolve brand. The posts in question, flagged by NAD’s routine monitoring program, directed viewers to Revolve’s social media account and featured a hashtag used typically by Revolve customers to identify Revolve clothing featured in social media posts. Despite the mention of Revolve in the posts, the NAD found that the tags — @Revolve and #revolveme — failed to disclose the nature of the connection between Revolve and the influencers.
Revolve’s Influencer Guidelines Missed the Mark on Ensuring Disclosure
During its inquiry, the NAD found that the guidelines Revolve provided to brand ambassadors were insufficient in instructing how to properly make material connections known to consumers or comply with the FTC’s Endorsement Guides. Although Revolve did inform its partners how to conspicuously disclose the gifted-clothing relationship with the company, the NAD found the instructions could be easily missed because they were listed at the bottom of a bulleted list.
In response, Revolve updated it guidelines to provide its influencers with examples of hashtags and language to make their material connections with Revolve explicit in the first line of any sponsored post. Moreover, Revolve revised its Checkout Terms for influencers to clarify disclosure requirements for any posts made under the agreement and provided visual examples of conforming material connection disclosures. Finally, Revolve pledged to more closely monitor advertising posts to ensure compliance.
Still Not Clear Enough: NAD Deems Ambiguities in Revised Posts Do Not Conform to the FTC Endorsement Guide
Even after certain posts were updated to include the more robust disclosures (e.g., #Sponsored and #giftedbyresolve), the NAD found aspects of those posts to continue to fall flat. First, hashtags used by influencers that run words together, such as #giftedbyrevolve, make it difficult for customers to understand that a brand is sponsoring the post. The FTC’s “What People Are Asking” makes clear that hashtags made of several words can be confusing to consumers, and assert that disclosures about a sponsorship relationship must be easily noticed and understood. Second, including the hashtag “#sponsored” may be inadequate when multiple brands are tagged in the post. In one instance, a post with the caption “Wearing @revolve @loversfriendsla #sponsored” did not make it clear to the consumer which entity was sponsoring the post.
The Bottom Line: Social Media Posts Must Make Material Connections Unambiguous and Obvious
It bears repeating (see here and here) that brands should carefully craft their influencer guidelines, making clear and prominent the full requirements NAD and the FTC would expect. Brands should also monitor influencer posts, even those that are part of gifting and ambassador programs.
California’s Kids’ Social Media Law Wrangling Continues, and Maryland Too!
The Ninth Circuit continued the pause on California’s SB 976 (Protecting Our Kids from Social Media Addiction Act) as of late January 2025. The law was signed by Governor Newsom in September 2024, and challenged by NetChoice shortly thereafter.
A federal judge first enjoined the law until February 1, 2025. The case continued in the courts, and most recently the Ninth Circuit blocked the law until April of 2025. At that time, it will examine substantively whether the law infringes free speech rights. This delay will impact the AG’s drafting of rules for the law.
This is not NetChoice’s first attempt to stop kid-focused social media laws. It took similar steps in Utah in 2024, and has challenged similar laws in Arkansas, Ohio, Mississippi, Texas, and most recently, as of Maryland’s similar Age Appropriate Design Code Act.
Putting it into Practice: These decisions are a reminder that the social media laws being passed at a state level are continuing to be challenged. We will be continuing to monitor them for further developments.
James O’Reilly also contributed to this article.
Listen to this post
Looking Back at the False Claims Act in 2024 as the Government Keeps its Sights on Cybersecurity in 2025
In 2024, the government and whistleblowers were party to 558 settlements and judgments collecting over $2.9 billion. The government continued its effort to combat cybersecurity threats through its Civil Cyber-Fraud Initiative, which is dedicated to using the FCA to ensure that federal contractors and grantees are compliant with cybersecurity requirements. Settlements in 2024 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failing to properly maintain, patch, and update the software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2025 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement & Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our 13th annual review of significant FCA cases, developments, and trends.
Listen to this post
VINTAGE: Court Throws Out TCPA Class Action Against Vintage Stock and This One Is Sure to Stand the Test of Time
Wow.
This one is a remarkable ruling folks.
Lady visits a retail store. She is asked for her phone number and told it is necessary for her to return goods. She tells the employee she does not want to receive any advertisements. But when she provides her number she is actually signing up for a recurring text program.
What result?
According to the court in Thompson v. Vintage Stock, 2025 WL 385681 (E.D. Mo Feb. 3, 2025) the consent provided by the consumer trumps and the resulting messages are legal.
Let’s dive in.
Plaintiff’s phone number is on the DNC list. She visited a store called Vintage Stock and made a purchase.
The sales lady apparently told her that she needed to enter her number on the POS system because it would be needed in case Plaintiff wanted to return an item.
Plaintiff tells sales lady “I don’t want to receive any advertisements” but goes ahead and enters her number in the POS anyway.
On the POS is a display reading: ““Enter your phone # to receive coupons and sales notices. Message and data rates may apply.”
As a result Plaintiff received at least four promotional text messages sent to her phone.
Plaintiff sued claiming Vintage Stock violated the DNC rules of the TCPA. Even though she entered her phone number Plaintiff claims she did not provide her prior express invitation of permission because she told the sales lady she did not want advertising and because the POS language was too vague– for instance it didn’t mention text messages and it didn’t specifically authorize Vintage Stock to send anything to her phone.
VS moved for summary judgment and the court sided with it.
In the Court’s view Plaintiff’s submission of her number on the POS was sufficient to constitute “prior express invitation” to receive further messages–a lower standard than prior express written consent.
Here’s the analysis:
When visiting Vintage Stock’s store, Sheila entered her number into the VeriFone system. Doc. 72 at ¶ 9. That system clearly stated that one should enter her phone number to receive coupons and sales notices, and it warned that “[m]essage and data rates may apply.” Doc. 68-2 at 2. If one entered her phone number into this system, she would undoubtedly expect a few things. One, she would receive coupons and sales notices from Vintage Stock. Two, Vintage Stock would send those coupons and sales notices to the phone number she entered. Three, the coupons and sales would arrive in, at least, message format. (Because this case does not involve a phone call, the Court need not address whether one would expect to receive phone calls regarding coupons or sales notices.)
Hmmm. Maybe.
The disclosure did not actually tell the consumer she would receive anything on a phone number but I see where the Court is coming from here. Still this is the most relaxed application of prior express invitation we have seen yet.
On the failure to mention text messages piece the Court mysteriously determined it didn’t need to address that issue because it related to “permission” rather than “invitation” but it is not clear why that is.
Now the really fun issue– Plaintiff claiming she was tricked by a sales lady.
The Court was unmoved by this argument and determined, in essence, that whatever happened between Plaintiff and the sales girl was irrelevant to the issue of whether invitation was given to the text program. Here the Court took a very limited view of the language used: “expressing a lack of desire to receive advertisements does not counter expressly requesting coupons and sales notices to be sent to you.”
Hmmm.
At bottom the case was dismissed and Vintage Stock walked away clean.
Very very interesting case here– and truthfully Vintage Stock could have lost this case easily. Indeed, 8 out of 10 times these folks lose this motion. There are a bunch of interesting issues here and it is, frankly, stunning to me that Vintage Stock is walking away unscathed. I suspect an appeal is likely here.
But notice this is the third POS text club case we have discussed in the last two weeks!:
Circle K is stuck in a case because it included advertising in its opt ins;
7-Eleven is sued because it sent text messages outside of call time hours; and now
Vintage Stock barely gets away with very thin language on a POS.
Again, if you are a retailer launching a consent/preference center or managing POS messaging GET ASSISTANCE FROM QUALIFIED COUNSEL. My goodness.
Some take away here:
This case applies to loosest application of “prior express invitation” we have seen yet. Remember this is the standard applicable to calls and texts to numbers on the DNC– it does NOT apply to calls made using regulated technology, that requires a HIGHER standard (Troutman 9);
Generally consent is only valid so long as the texter does not have reason to know it was limited. Here VS’ agent knew of an intent to limit consent. So this is a case it probably should have lost (on an individual basis– now way this is a class issue tho)
POS disclosures should definitely mention the word “text” or “SMS” when enrolling in a text club and should use language indicating permission is being given like “authorize” or “permit.” Yes, I know VS got away with one here but don’t let their mistake become your bad habit.
VS couldn’t leverage the 18 month EBR defense here because it continued texting long after the consumer stopped visiting VS. Retailers should consider stopping text programs 18 months after a consumer’s last visit. One, these folks may have changed phone numbers– very bad. Two, these folks seemingly aren’t interested and continued texting might draw a claim similar to the one VS faced. Just something to think about.
False Claims Act: 2024 Year in Review
In 2024, the government and whistleblowers were party to 558 False Claims Act (“FCA”) settlements and judgments, just slightly fewer cases than last year’s record. As a result, collections under the FCA exceeded $2.9 billion, confirming that the FCA remains one of the government’s most important tools to root out fraud, safeguard government programs, and ensure that public funds are used appropriately. As in recent years, the healthcare industry was the primary focus of FCA enforcement, with over $1.67 billion recovered from matters involving managed care providers, hospitals, pharmacies, physicians, laboratories, and long-term acute care facilities. Other areas of focus in 2024 were government procurement fraud, pandemic fraud, and enforcement through the government’s Cyber-Fraud Initiative.
To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our thirteenth annual review of significant FCA cases, developments, and trends.
Giovanni P. Giarratana, Gregory G. Marshall, Jack W. Selden, Erin K. Sullivan, Rico Falsone, Lyndsay E. Medlin, Tara S. Sarosiek, Anna M. Lashley, Ocasha O. Musah, Brianna Rhymes, and Virginia C. Wright contributed to this article.
New EPA Administrator, Same Freeze on EPA Activity
On January 29, 2025, Lee Zeldin was confirmed as the 17th Environmental Protection Agency (EPA) Administrator. After a week on the job, Zeldin continued to maintain several policies that had been put in place immediately after the Trump administration took office. Some of these policies are summarized below. While these actions are generally expected when a new administration begins, there is a sense that additional, significant changes are around the corner.
Freeze on External Actions
On January 24, 2025, the then acting EPA Administrator ordered a temporary halt on all environmental lawsuits to review and possibly change the agency’s stance on these issues. The Department of Justice’s (DOJ) Environment and Natural Resources Division, which enforces environmental protection laws, has also been ordered to freeze all activities. This included stopping pending court filings and delaying new complaints, with pending Comprehensive Environmental Response, Compensation, and Liability Act negotiations also on hold for an undetermined time.
This was followed by an internal memorandum instructing EPA staff to halt external communications (e.g., press releases, blog updates, and social media posts), except for discussions with state and federal agencies not related to enforcement, necessary communications regarding imports, and as related to the carrying out of inspections.
The EPA also announced delays for several finalized environmental rules from the prior administration. This includes rules regarding air pollution and the regulation of trichloroethylene (TCE).
The duration of each of these “freezes” is not clear at this time, but it seems aimed at helping the new administration evaluate what can be changed and likely beginning that change.
Staffing
As federal agencies implement a presidential order to limit telework and remote work, EPA employees must return to the office full-time next month. The EPA stated that regular telework and remote work agreements will be canceled to follow the recent Executive Order on the subject. EPA staff are expected to be in the office daily by February 24, unless they have a disability, medical condition, or other significant reasons certified by their supervisor.
It was also recently reported that the EPA is expected to cut over 1,000 employees who joined the agency within the past year, with a focus on those working on climate change, air pollution, and environmental regulation programs. Additionally, several senior civil service managers in the DOJ’s Environment and Natural Resource Division have reportedly been reassigned to focus on immigration matters rather than environmental issues.
FTC Finalizes Orders Against Data Brokers Over Sensitive Location Data
On January 14, 2025, the Federal Trade Commission (“FTC”) announced that it had issued final orders against data brokers Gravy Analytics, Inc. (“Gravy Analytics”) and Mobilewalla, Inc. (“Mobilewalla”). The FTC’s announcement follows a series of recent FTC actions concerning data brokers’ collection and sale of consumer precise geolocation data. Our blog posts covering these prior actions can be viewed here and here.
Gravy Analytics
According to the FTC’s complaint, Gravy Analytics is a data broker that does not have a direct relationship with consumers. Instead, it purchases consumer data (including precise geolocation data) from its data suppliers and sells such consumer data to its customers, which include both commercial and government entities. The FTC alleged that Gravy Analytics and its subsidiary violated Section 5 of the FTC Act by (1) failing to verify that its data suppliers obtained consent from consumers to collect, use and share their precise geolocation data for the purposes used by Gravy Analytics; (2) selling consumers’ precise geolocation data that revealed consumers’ visits to sensitive locations; and (3) creating and selling inferences derived from location data drawn about consumers based on sensitive characteristics, such as medical conditions, political activities and religious beliefs According to the complaint, the precise geolocation data obtained by Gravy Analytics, associated with other unique consumer identifiers licensed, used and sold by the data broker, could be used to track consumers to sensitive locations, including places of religious worship, domestic abuse shelters, homeless shelters, medical facilities, political rallies, and places that could be used to infer an LGBTQ+ status. Gravy Analytics used this data to create audience segments that categorized consumers into groups based on health or medical decisions made by consumers (e.g., “pharmacy visitor during COVID quarantine”), family status (e.g., “having children,” “getting married”), religion (e.g., based on a consumer’s visit to a particular church) and political activity (e.g., identifying a consumer as a member of a particular party based on attendance at political events). Additionally, the complaint alleged that Gravy Analytics used geofencing to create a virtual geographic boundary to identify consumers who visited certain sensitive locations and subsequently categorized these consumers into audience segments based on inferred sensitive characteristics from their visits, such as medical conditions, sexual orientation, political activities and religious beliefs. Its customers could then use these segments to serve targeted ads to consumers in these groups.
The final order requires Gravy Analytics and its subsidiary to stop selling, disclosing or using sensitive location data within 90 days of the order’s effective date, unless the companies: (1) have a direct relationship with the consumer related to the sensitive location data; (2) have obtained affirmative opt-in consent from the consumer and (3) are using sensitive location data solely to provide a service directly requested by the consumer.
Key provisions from the final order also include requirements to:
maintain a sensitive location data program to identify a list of sensitive locations, and prevent the disclosure of consumers’ visits to those locations;
establish and maintain policies and procedures to prevent the companies from (1) associating consumer precise geolocation data with locations predominantly providing services to LGBTQ+ individuals or locations of political or social demonstrations, marches, and protests and (2)using consumer precise geolocation data to determine the identity or location of an individual’s home;
submit a report to the FTC within 30 days of making a determination that a third party shared consumers’ precise geolocation data in violation of a contractual requirement, including a description of the incident and the number of consumers affected by the disclosure;
delete all historic precise geolocation data and any data products developed using this data;
maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of their precise geolocation data; and
not misrepresent the extent to which the companies (1) review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls; (2) collect, use, maintain, disclose, or delete any information by the final order; or (3) de-identify the data they collect, use, maintain, or disclose.
Relatedly, days before the FTC finalized its order against Gravy Analytics, the company was reported to have experienced a data breach. The company currently faces a proposed class action lawsuit in the US District Court for the District of New Jersey, alleging that it failed to adequately secure sensitive consumer location data.
Mobilewalla
In its complaint against Mobilewalla, the FTC alleged that the company collected consumer information, without consent, from real-time bidding exchanges (“RTB ad exchanges”), which data included consumers’ mobile advertising identifiers (“MAID”) and precise geolocation data. The FTC alleged that Mobilewalla then shared this information with third parties. This FTC action is the first to focus on the collection and use of consumer data through RTB ad exchanges.
During RTB ad exchanges, online publishers (i.e., websites and apps) auction off their empty ad space so that advertisers can submit bids for an ad placement. To conduct the exchange, an app or website uses a software development kit (SDK) or cookie to collect consumers’ personal information from their devices and passes it along to participating advertisers, so that they can bid to place advertisements based on the consumer information contained in the bid request. As a result, advertisers can obtain consumer information from the bid request process, even if they do not win the bid for an ad placement. In its complaint, the FTC alleged that when Mobilewalla bid to place an advertisement through an RTB ad exchange, it collected and retained the consumer information contained in the bid request, even when it did not have a winning bid. The FTC also alleged that Mobilewalla collected information from other data brokers without verifying whether consumers consented to Mobilewalla’s collection and use of their information.
Key provisions in the FTC’s final order against Mobilewalla include requirements to:
stop collecting, purchasing or acquiring personal information covered in the order during online advertising auctions for any other purpose other than participating in such auctions;
stop selling, sharing, or disclosing sensitive location data;
maintain a sensitive location data program to identify a list of sensitive locations and prevent the disclosure of sensitive location data; and
maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of location data.
Employer Guidance for Workplace Interactions with ICE
The new presidential administration’s efforts to prioritize immigration law enforcement has resulted in increased activity by U.S. Immigration and Customs Enforcement (ICE) and an uptick of questions from employers about how to handle ICE investigations. This Alert provides guidance to employers for potential interactions with or inspections by ICE at the workplace, including preliminary actions, suggested steps during an ICE visit (whether announced or unannounced), and follow-up recommendations.
There is a common misconception that only employers that specifically seek or intentionally hire unauthorized workers are at risk of a visit from ICE. However, there are multiple avenues by which a generally law-abiding employer may find itself unknowingly employing an unauthorized worker. For example, an individual may have presented the employer with fraudulent documentation for the Form I-9 employment eligibility verification, and the employer may not have realized the document was inauthentic. Or an employer may have lawfully hired a noncitizen with proper employment paperwork but later may forget to reverify the worker’s Form I-9; in this instance, the individual’s work authorization could lapse or expire without the employer noticing.
To the extent an employer’s office or work facility is private property, employers have certain legal rights when faced with an ICE arrival. Employers should become familiar with their rights and best practices in the event of an ICE visit to minimize the risk of inordinate disruption to the workforce or operations, or the unauthorized seizure of company property and information. Employers should seek to balance (1) lawful compliance and cooperation with (2) private property rights and a general duty of care for employees.
Babst Calland recognizes that the topics of immigration enforcement and undocumented persons have been politicized. We therefore offer this guidance objectively, without advocating for any particular position beyond what is legally required.
Recommended Precautionary Actions Before ICE Arrives
Designate Public and Private SpacesICE agents can only be present in areas open to the public (such as parking lots, reception areas, lobbies, etc.) without a judicial warrant or specific employer consent. Therefore, employers should clearly identify the boundaries of non-public areas with signs such as “Private” or “Non-Public Area” to avoid ambiguity. Once signs are posted, management should explain these “new” boundaries or designations to the workforce, with special emphasis on its explanation to security guards, receptionists, and other public-facing employees.
Understand the Types of Documents ICE Could PresentWith a few exceptions, ICE generally cannot lawfully search persons or private spaces, or seize persons or private property, without certain documentation.[1] As explained below, employers should ensure that key personnel are trained to identify and/or differentiate these documents.
A judicial warrant provides the broadest search and/or seizure rights. A judicial warrant can be either a search warrant or an arrest warrant. A judicial warrant must be signed and dated by a judge or magistrate and it must describe with particularity the place to be searched, and/or the person or items to be seized. A judicial warrant will have the name of a court at the top of the document. Only a valid judicial warrant permits an ICE agent to enter private/non-public spaces at the workplace, and only a valid judicial warrant requires cooperation. Employers must strictly comply with judicial warrants, but it is not required to take any action to assist ICE beyond what is reasonably required by the judicial warrant. For example, an employer can be required to move an employee identified in the warrant into a contained area for questioning, but it cannot be required to sort employees into groups by citizenship status or nationality for an inspection by ICE.
An administrative warrant is much more limited than a judicial warrant. An administrative warrant is signed by an immigration officer, and it allows ICE to arrest noncitizens suspected of committing immigration violations. An administrative warrant is typically identified as a document issued by the “Department of Homeland Security” and is usually on a Form I-200 or I-205. Notably, an administrative warrant does not give an ICE agent the right to enter private/non-public spaces at the facility unless the employer consents.[2] Additionally, when faced with an administrative warrant, an employer is not required to tell ICE whether the employee named in the warrant is currently working or to bring the employee to the agent (or vice versa).
Alternatively, ICE could present an employer with a subpoena, a notice of inspection, or a notice to appear. A subpoena is a written request for information or documents that provides a certain time limit to respond and does not require immediate compliance. Like a subpoena, a notice of inspection is a document informing an employer that it must produce employees’ I-9 Forms for an audit[3] within 3 business days. A notice to appear is a document directed to an individual instructing them to appear before an immigration judge.
Assign an On-Site Response CoordinatorEmployers should assign a particular managerial or supervisory employee at each facility to be the on-site response coordinator who can serve as a single point of contact with ICE in the event that ICE arrives, as well as a back-up coordinator if the designated worker is absent or unavailable. These personnel should be trained to differentiate between the above-described documents, and to understand and be aligned with the employer’s policy for lawful compliance with visits from ICE.
Review Applicable Collective Bargaining AgreementsFor any locations that have a unionized workforce, employers should review the applicable collective bargaining agreements (CBAs) proactively to determine whether they require any additional conduct by the employer in the event of an ICE visit. For example, some CBAs might include provisions that give the union the right to be present during any ICE inspections or on-site employee interviews, or require that the employer notify all union employees when ICE agents arrive. Any additional CBA requirements should be implemented with the below recommended actions for facilities with unionized employees.
Recommended Actions If ICE Arrives
*All recommended actions below should be conducted in a calm, professional, and polite manner to prevent escalation of the interaction.*
Notify key personnel – The first steps are to immediately notify the facility supervisor, the on-site response coordinator(s), and legal counsel. Ask the agents to wait in a specific space or designated location until either a supervisor, on-site response coordinator, or legal counsel arrives to prevent disruption.
Verify agent identify – The response coordinator should clarify whether the agents are police officers or ICE agents and request their names and badge numbers.
Verify agent purpose – The response coordinator should ask the agents about the nature of their visit. Common purposes include:
Initiation of Form I-9 Audit – If ICE intends to audit a company’s Form I-9 compliance, ICE must first provide the employer with a Notice of Inspection. These notices give employers at least 3 business days to produce the requested I-9 Forms.[4] Additional productions and procedures will ensue if ICE determines that there are any Form I-9 errors, suspicious documents, or discrepancies, and employers should consult with an immigration attorney for further guidance if this occurs.
Facility Search or “Raid” – ICE can arrive without warning to investigate an employer.
Detention of specific person(s) – ICE can arrive without warning to detain specific person(s).
Fraud Detection and National Security (FDNS) visit – this is an unannounced visit related to an employer’s recent immigration petition(s) where ICE agents conduct compliance reviews to ensure the employer is complying with the terms and conditions of the petition(s). This guidance does not address such visits, as FDNS visits are only relevant for employers who have had an H-1B or L-1 intracompany transfer petition(s) adjudicated.
Verify documentation – The response coordinator should ask to see a warrant.
If a judicial warrant is provided, employers should analyze it to determine its scope and ask for a copy of it. Employers are not required to provide access to any area not specified in the warrant.
If a judicial warrant is not provided, the response coordinator can (but is not required to) state: “I’m sorry, but this is private property. It is company policy not to provide consent or permission to enter private or non-public areas of the facility or to access our information or records without a valid warrant signed by a judge.”
If there is an issue with the judicial warrant (i.e. it is not signed, not dated, is missing the correct workplace address, or does not sufficiently describe the premises to be searched or items to be searched for), an employer can accept the warrant but should note its objection so that counsel can challenge the search or seizure later if sufficient grounds exist. To be clear, in this instance, the search or seizure will still occur.
Ask to be provided with a list of any items seized during the search.
If an administrative warrant is provided, the response coordinator can (but is not required to) state: “I’m sorry, but this is private property. It is company policy not to provide consent or permission to enter private or non-public areas of the facility or to access our information or records without a valid warrant signed by a judge.”
Use independent judgment if considering voluntary consent.
Employers can decide to voluntarily consent to a search or seizure of employer property by ICE without a sufficient warrant. Moreover, ICE agents are permitted to make statements intended to encourage voluntary consent or to imply that giving consent is required even in circumstances where it is not (such as when the agents do not possess a judicial warrant).
If considering consenting to a search or seizure without a sufficient warrant, employers should use independent judgment to evaluate the totality of the circumstances in addition to any statements made by the agents.
Please note that non-management or non-supervisory employees do not have the authority to act on behalf of an employer to give such consent.
Be respectful, but clear, if exercising the company’s rights.
Never attempt to block an ICE agent’s movements. If an employer believes ICE is exceeding its authority, the response coordinator can voice the employer’s objection and state that the company does not consent, but they should not argue and never physically interfere with the agent’s actions.
If agents attempt to seize something that is critical to company operations (such as a computer, proprietary information, or an important file), explain why the item is critical to the company’s operations, request a more limited or targeted seizure, and/or ask to make a copy of the information before it is seized.
Employers can notify employees that they have the right to remain silent, but employers cannot instruct employees not to respond to questions. Company representatives should not be confrontational, obstructive, or evasive.
Employers and employees alike have the right to record an encounter with ICE. Consider recording interactions with ICE agents to clearly document statements and actions. Efforts to record an encounter should never interfere with the agents’ activities.
Recommended Actions After ICE Visit
Document as much as possible – The response coordinator should interview employees and make a record of the details of the event in an incident report. The report should include details such as the number of agents, a description of what they were wearing, whether the agents kept anyone from moving around the workplace freely, a detailed list of the locations of any search (including smaller spaces such as closed drawers), a detailed description of any property seized, a detailed list of statements made by the employer declining consent or asserting legal rights, and any statements made by the agents.
Follow-up notifications – employers should call legal counsel immediately to discuss next steps. If the workplace is unionized, employers should notify the union that ICE visited the workplace.
Engage and encourage open communication with and among the workforce – Employers should be open and honest with the workforce about what occurred. In addition to individual instances of absenteeism, fear of action by ICE may lead to employees discussing their concerns or voicing disagreement with the employer’s response (or potential response) to ICE. Employers must be aware that certain employee collective action (discussions, protests, other concerted activity, etc.) may be protected under the National Labor Relations Act if it relates to the terms and conditions of employment, even for non-union workers or those who may not be authorized to work in the U.S.
Provide reasonable leave – If ICE detains a worker, consider providing the worker with an unpaid leave of absence during and in the immediate aftermath of the detention. While not legally required, an employer could consider handling the matter in a manner similar to the leave that might be provided in the event of a sudden medical issue or other unexpected absence. Failure to provide such comparable leave could give rise to a claim for national origin discrimination. Employers are never, however, required to provide employees with indefinite leaves of absence.
[1] While police officers are allowed to search and arrest without a warrant in the event of different types of emergencies such as while in “hot pursuit” of a criminal suspect, ICE agents are not police officers (regardless of whether their uniforms say “Police”). ICE agents may not search and seize without a warrant if they are merely in “hot pursuit” of a suspected undocumented person. Under applicable law, this type of warrantless search or seizure is only permitted if the agent is in “hot pursuit” of an individual who “poses a public safety threat” or who the agent personally observed crossing the border.
[2] One key exception is the “in plain view” principle. With or without a warrant, ICE agents are always allowed to look at anything in “plain view,” including computer screens or papers sitting out on desks, or listen to audible conversations that can be overheard without a listening device. If what the agent sees or hears in “plain view” gives them probable cause that unlawful activity is, has, or will occur, they can search the relevant private area and seize relevant items without a warrant.
[3] The Form I-9 is a document used to verify the identity and employment eligibility of individuals within the United States. Federal law requires employers to create and maintain I-9 Forms and supporting documentation for all employees.
[4] Employers are cautioned against voluntarily consenting to a search or seizure of the Forms I-9 if ICE agents do not have a judicial warrant for this information or if the 3-day period after receiving a Notice of Inspection has not yet expired. The Form I-9 rules are nuanced and strict, and it is very common for employers to unknowingly violate a rule due to an unintended error on the forms or in record-keeping. Employers can be subject to monetary fines for substantive violations and any uncorrected technical violations regardless of whether the violation was intentional