Ophthalmology Group Cannot Turn Blind Eye to TCPA Requirements

The “healthcare exemption” to the TCPA’s consent requirements is one of the more misunderstood parts of the TCPA.  And a recent case in North Carolina just gave a lesson to an ophthalmology group to help them see the requirements of the exemption a little more clearly.
Before discussing the case, let’s look at the healthcare exemption.  The healthcare exemption exempts certain calls from the consent requirements found in 47 C.F.R. § 64.1200(a)(1)(iii) which require prior express consent when using an ATDS or an artificial or prerecorded voice to dial cell phones.
The healthcare exemption only applies in certain circumstances.  First, the calls must be made by, or on behalf of, healthcare providers.  Second, there are several conditions that the calls being made by healthcare providers are required to meet, including but not limited to:

Calls or texts must be sent only to the wireless telephone number provided by the patient
Calls or texts must be limited to the “following purposes: appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications, and home healthcare instructions”
Calls or texts must not include any telemarketing, solicitation, or advertising
Calls or texts are limited to only one message (either by call or text message) per day and no more than three messages combined per week.
The healthcare provider must honor opt-out immediately.

In Hicks v. Raleigh Ophthalmology, P.C., 2025 WL 1047708 (E.D. N.C. Apr. 8, 2025), Deanna Hicks visited her optometrist about some vision issues.  Her optometrist referred her to Raleigh Ophthalmology (“Raleigh”).  Hicks had never provided Raleigh with any paperwork and had no prior patient relationship with Raleigh.
However, according to the complaint, Raleigh called Hicks using a pre-recorded call to her cell phone which stated the call was from Raleigh.  Hicks used the automated menu to speak with an employee and told the employee she was not interested in booking an appointment.  She received a text message from Raleigh which also requested her to book an appointment, and she responded “STOP” to the text message.
This did not end the communication carousel that Hicks found herself on with Raleigh.  She received several more calls and she talked to live employees and asked to be removed from their list.  Even after speaking to a manager, the calls continued.  Unsurprisingly, Hicks sued, and the remaining count addressed in the opinion is that Raleigh called Hicks without her consent.
Raleigh raised three arguments in their motion to dismiss.  The first is that they had the consent of Hicks because she gave her number to the optometrist and that was consent for Raleigh to call her.  Hicks’s complaint states that she did not provide consent to Raleigh or provide them with paperwork.  The Court stated that even if consent for her optometrist to call Hicks could be inferred, it is not reasonable to extend that consent to Raleigh as a third-party healthcare provider with no preexisting relationship with Hicks.  Furthermore, consent is a fact issue and not suitable for a motion to dismiss.
Raleigh’s second argument is related to the healthcare exemption.  The Court stated the healthcare exemption is limited to calls about a certain number of topics, and Raleigh “has not identified any authority to support that the TCPA authorizes an entity to make a prerecorded call to an individual to book an appointment prior to establishing a treatment relationship with that individual, and the court is unable to locate any.”
[SIDE NOTE:  The Court did not address this, but I would also call out that these calls could be considered telemarketing under the TCPA because they were initiated for the purpose of encouraging the purchase of Raleigh’s services.  Therefore, they would fail under the healthcare exemption due to that as well.]
The Court stated that even if the first call qualified under the exemption, the exemption requires the healthcare provider to “honor opt-out requests immediately”.  Clearly, Raleigh failed to do so.  Therefore, the second argument was insufficient for dismissal.
The third argument was related to the proposed class definition, but the Court said that argument is better left for opposing class certification.  And therefore, Hicks survives the motion for dismissal.
This case illustrates the power of the healthcare exemption.  But, much like Peter Parker, with great power comes great responsibility.  To rely on the healthcare exemption, a healthcare provider, such as Raleigh, must not turn a blind eye to the requirements of the exemption.  Because if the requirements are not met completely, the future reliance on the exemption for TCPA purposes could get very hazy.

OH THE HUMANITY: Humana Crushed in TCPA Class Certification Order Over Wrong Number Robocalls

I told you Humana was in trouble.
The Medicare giant is facing massive TCPA exposure following a ruling by a federal court in Kentucky certifying a class containing over 23,000 individuals.
In Elliot v. Humana, 2025 WL 1065755 (W.D. Ky April 9, 2025) the Court certified a wrong number TCPA class defined as follows:
[a]ll persons or entities throughout the United States (1) to whom Humana placed, or caused to be placed, a call (2) directed to a number assigned to a cellular telephone service, but not assigned to a current account holder of Humana (3) in connection with which Humana used an artificial or prerecorded voice, (4) four years from the filing of this action through the date of class certification.
According to Plaintiff, Humana’s own data sets show wrong number designations for 23,682 individuals that received at least one prerecorded call from Humana after they received a wrong number designation, a violation of the TCPA.
Not good.
Humana countered that the Plaintiff has failed to demonstrate any actual called parties that were not Humana customers but the Court stated “common sense” confirmed accounts coded “wrong #” or the like were sufficiently included in the numerosity count.
The Court next identified three common issues it asserts Humana did not adequately challenge: (1) whether Humana initiated non-emergency prerecorded calls to non customers; (2) whether Humana used a prerecorded voice to make calls to class members; and (3) whether the number called was a cellular telephone. The Court appears to acknowledge whether calls were made to a wrong number is not common but it refused to deny certification on that basis.
Humana argued the case should not be certified because “wrong number designations could refer to typographical errors, calls where a Humana team member called the wrong number, intentional contact with individuals who said, ‘wrong number because they didn’t want to talk,’ and Humana members who incorrectly reported a wrong number” but the Court was unmoved.  The Court would not “ignore the plain meaning of ‘wrong number’ to accommodate several errors or inconsistencies Humana found in self reviewing their own record.”
Eesh.
At bottom the court acknowledged that not every call recipient noted in the Humana data set might be a wrong number call recipient but it intends to use that data set as a starting point–certify a class based on the data, and then use declarations as part of the claims process to determine who was, and was not, a class member.
Not good. At all.
The interesting thing is that it is very tough to determine potential exposure here.
Per the Plaintiff, every member of the class received at least one call after the wrong number notation. That would appear to set damages at $11,500,000-$34,500,000.00.
However TCPA damages for wrong number claims don’t work that way. Calls made even before the wrong number note are also actionable–if it is a real wrong number. So the exposure might be much higher, depending on how many calls Humana was placing here.
Then again, if very few of the 23k or so individuals with wrong number notations were “real” wrong numbers then the exposure could be much much lower. The Court’s order simply does not provide enough information to assess these issues.
What we do know is that Humana is now facing a certified TCPA class action and it is fair to say there are at least 8 figures on the line here. A few obvious takeaways:

This is another prerecorded call case. Using such technology is the easiest way to get yourself caught up in a TCPA class action.
Wrong number TCPA class actions continue to be the most dangerous sort of case to defend against. These cases are far more likely to be certified than other types of TCPA cases. You MUST defend yourself by engaging in SMART data practices– Humana was hung on its own records folks– and also using the FCC’s Reassigned Numbers Database (they just lowered their rates)!

Notably the Plaintiff’s counsel in this case was Tom Alvord of LawHQ— Dr. Evil and his crew. These guys are good folks.

Department of Justice Changes Course on Digital Assets

On April 7, 2025, Deputy Attorney General Todd Blanche issued a memorandum to all DOJ employees entitled “Ending Regulation By Prosecution.” The memorandum describes DOJ’s new priorities regarding prosecution of crimes involving digital assets and the broader cryptocurrency industry.
The memo begins by noting that DOJ “is not a digital assets regulator” and “will no longer pursue litigation or enforcement actions that have the effect of superimposing regulatory frameworks on digital assets while President Trump’s actual regulators do this work outside the punitive criminal justice framework.” With President Trump’s executive order on digital assets in mind, going forward DOJ will “focus on prosecuting individuals who victimize digital asset investors, or those who use digital assets in furtherance of criminal offenses such as terrorism, narcotics and human trafficking, organized crime, hacking, and cartel and gang financing.”
The memorandum then lays out a series of priorities for federal prosecutors. DOJ will prioritize cases involving use of digital assets in furtherance of unlawful conduct by cartels, transnational criminal organizations, terrorist organizations, and parties subject to US sanctions. Accordingly, DOJ will pursue the “illicit financing of these enterprises by the individuals and enterprises themselves, including when it involves digital assets, but will not pursue actions against the platforms that these enterprises utilize to conduct their illegal activities.” To this end, DOJ will generally not target virtual currency exchanges, mixing and tumbling services, and offline wallets for the acts of their end users or unwitting violations of regulations.
Instead, the memo instructs prosecutors to prioritize cases against individuals who cause financial harm to digital asset investors and consumers or use digital assets in furtherance of other criminal conduct. Prosecutors are instructed not to charge regulatory violations in cases involving digital assets, including unlicensed money transmitting under 18 U.S.C. § 1960(b), violations of the Bank Secrecy Act, unregistered securities offering violations, unregistered broker-dealer violations, and other violations of registration requirements under the Commodity Exchange Act, unless there is evidence that the defendant knew of the licensing or registration requirement at issue and violated such a requirement willfully.
The memo lays out a series of other priorities as well, including compensating victims in the digital asset space and participating in the President’s Working Group on Digital Assets. Further, the memo disbands the National Cryptocurrency Enforcement Team and shifts responsibility to the Criminal Division’s Computer Crime and Intellectual Property Section to liaise on digital asset issues.

CPPA Proposes Key Updates to Cybersecurity, Risk Assessment and ADMT CCPA Regulations Following Public Comment

The California Privacy Protection Agency (“CPPA”) recently released modified draft California Consumer Privacy Act regulations (“CCPA Regs.”) in response to public feedback, with a focus on the sections addressing cybersecurity audits, risk assessments, automated decisionmaking technology (“ADMT”) and sensitive data.
Cybersecurity Audits
New Definition of “Cybersecurity Audit Report”: The updated CCPA Regs. add a definition of “cybersecurity audit report,” clarifying that the term refers to the specific documentation required as part of a business’s annual cybersecurity audit required under Article 9 of the CCPA Regs. (CCPA Regs. Sect. 7001(n)).
Expanded Scope of “Information Systems”: The definition of “information system” was revised to explicitly include service providers’ or contractors’ systems used on behalf of the business. This ensures businesses account for third-party environments when assessing cybersecurity risk. (CCPA Regs. Sect. 7001(w)).
Deadline-Specific Requirements for First Cybersecurity Audit: The updated CCPA Regs. include deadlines by which a business must complete its first cybersecurity audit, which depend upon when a business determines its processing activities present significant risk to consumers’ security. (CCPA Regs. Sect. 7121(a)).
Scope and Documentation of Cybersecurity Audits: The updated CCPA Regs. clarify that auditors may include recommendations “separate from articulating audit findings,” helping delineate reporting expectations. (CCPA Regs. Sect. 7122(a)(1)). The Regs. also include examples of how a cybersecurity audit report must describe the audit’s scope (e.g., the processes, activities and components of the information system assessed), and extend the requirement to retain documents to both the business and the business’s auditor. (CCPA Regs. Sects. 7122(d), (j)).
Risk Assessments: Updates to Roles, Disclosures and Safeguards
Responsible Personnel and Decisionmakers: The updated CCPA Regs. now require that risk assessments identify not only the individuals who reviewed or approved the assessment but also the individual with the authority to determine whether the business will proceed with the associated data processing activity. (CCPA Regs. Sect. 7152(a)(9)).
Timing for Risk Assessments: The updated CCPA Regs. establish a calendar deadline for conducting risk assessments for data processing activities that began prior to the updated regulations’ effective date but continue afterward. (CCPA Regs. Sect. 7155(c)).
Automated Decisionmaking Technology (“ADMT”)
Consumer Rights and Business Obligations: The updated CCPA Regs. specify that, upon a consumer’s opt-out request, businesses must notify service providers and contractors of the specific ADMT use for which the consumer opted out. (CCPA Regs. Sect. 7221(n)(2)).
Removed Requirement to Document “Quality of Personal Information” in ADMT Risk Assessments: The CPPA removed a provision that would have required businesses to assess and document the quality of personal information (e.g., the accuracy, reliability and consistency of the information) used in ADMT or artificial intelligence (“AI”) systems. (CCPA Regs. Sect. 7152(a)(2)(B)).
Expanded Definitions of Sensitive Data Categories
Addition of “Neural Data”: The definition of “sensitive personal information” was revised to include “neural data,” aligning with other states’ emerging concerns around brain-computer interface technologies. (CCPA Regs. Sect. 7001(ddd)).
Exemption for Non-Identifiable Physical/Biological Traits: The CPPA added an exception to the definition of “physical or biological identification or profiling,” excluding traits that cannot be linked to a specific consumer. (CCPA Regs. Sect. 7001(hh)).
Notice at Collection – AR/VR and Device-Based Interactions
Timing Flexibility for Notice in New Environments: The updated CCPA Regs. allow businesses to provide notice either before or “at the time” a device begins collecting personal information that the business sells or shares. (CCPA Regs. Sects. 7013(e)(3)(C), (D)). This change accommodates more dynamic and immersive tech environments.
Enforcement and Simplification Measures
Removed Requirements for Agency Complaint Information: The CPPA removed the obligation to inform consumers about their ability to file complaints with the CPPA or Attorney General.
Deleted Redundancies and Technical Burdens: Several provisions were struck to streamline requirements, including § 7023(f)(3), which previously required businesses to notify others that a consumer contests certain personal data accuracy claims.
Businesses subject to the CCPA should review these changes carefully, ensure internal alignment with new deadlines and definitions, and prepare for continued rulemaking as the CPPA moves toward finalizing these updates.

Federal Circuit’s Xencor Decision: Considerations for Jepson Claims and Implications for 35 U.S.C. § 101 Analysis

Go-To Guide:

Federal Circuit’s Xencor decision raises new challenges for Jepson claim format users. 
Ruling requires more detailed descriptions of prior art in Jepson claims. 
Decision may impact subject matter eligibility analysis under 35 U.S.C. §101. 
Heightened need for articulating specific technical problems and solutions in patent applications. 
Potential implications for demonstrating “significantly more” in §101 eligibility examinations.

The Federal Circuit’s March decision in In re Xencor, Inc., No. 24-1870 (Fed. Cir. Mar. 13, 2025) has altered the landscape for patent applicants using a Jepson claim format, creating new challenges that may warrant careful consideration. The ruling not only impacts written description requirements but has potential implications for subject matter eligibility analysis under 35 USC §101. As practitioners navigate these new waters, understanding both the Xencor decision and its broader ramifications appears to have become essential for effective patent prosecution strategy.
The Xencor Decision: Raising the Bar for Jepson Claims
The Federal Circuit upheld the rejection of Xencor Inc.’s patent application for an antibody treatment method, finding that the company’s Jepson-formatted claims failed to adequately describe the state of the prior art. Named after a 1917 ruling, claims in Jepson format recite a preamble detailing previously known art followed by an improvement clause describing the applicant’s novel contribution that improves that art.
The court’s decision sets forth a critical new principle: “The invention is not only the claimed improvement, but the claimed improvement as applied to the prior art, so the inventor must provide written description sufficient to show possession of the claimed improvement to what was known in the prior art.” In Xencor, while the application described an improved method for treating patients with specific antibodies, the court found insufficient the evidence offered to establish that such antibody treatments were well-known in the field.
This ruling may create a hurdle for Jepson claim users, as it requires applicants to adequately describe both their improvement and the underlying technology it builds upon. The court expressly rejected the position that inventors could assert something is “well-known” without proper description, using a hypothetical example of someone claiming an improvement to a “time machine” without sufficiently describing such a device in their patent. According to the Federal Circuit, allowing such practice would leave the patent system vulnerable to abuse.
The decision does acknowledge that description requirements will vary based on factors including “the unpredictability of the art and the newness of the technology.” For example, while “automobile” needs little explanation today, the term would have required extensive elaboration in the 19th century. However, beyond this example, the court provided limited guidance on when technology becomes sufficiently well-known to forgo detailed description in a Jepson claim.
While patent examiners may sometimes recommend a Jepson-style claim to more quickly advance prosecution, practitioners that may have agreed to such a suggestion should now consider rejecting such an offer, given the heightened scrutiny these claims will face. Examiners and courts will need to evaluate whether the applicant’s description of prior art is adequate, creating new validity concerns that many applicants may prefer to avoid entirely.
Potential Implications for 35 USC §101 Analysis: Technical Problems and Solutions
The Xencor decision’s impact extends beyond written description requirements and into the realm of subject matter eligibility under 35 USC §101. This ruling reinforces the USPTO’s existing guidance that patent applications should clearly articulate technical problems and technical solutions to overcome subject matter eligibility challenges.
Heightened Need for Technical Problem-Solution Discussion
The Federal Circuit’s emphasis on “possession of the claimed improvement to what was known in the prior art” parallels the USPTO’s approach to analyzing eligibility under the Alice/Mayo framework. When examiners evaluate whether claims are directed to abstract ideas, they look for “meaningful limitations” that demonstrate the invention improves computer functionality or other technology. The Xencor ruling effectively raises the bar for these demonstrations, likely requiring more robust technical disclosures in the specification for some technical fields.
Patent applicants should consider being more diligent in clearly identifying the specific technical problem being addressed and precisely how their claimed solution resolves this issue. Rather than generic statements about efficiency, accuracy, or convenience, specifications should articulate concrete technical challenges in the prior art and explain how the claimed solution overcomes these challenges through technical means. Just as the Xencor court rejected vague assertions about “well-known” prior art, examiners may scrutinize vague claims of technical improvement without supporting technical explanation.
For example, an application claiming improved data processing algorithms should detail the specific technical limitations of existing processing methods (such as, for example, excessive memory usage, processing bottlenecks, or inability to handle specific data formats) and then explain how the claimed invention overcomes these specific technical hurdles. This enhanced focus on the problem-solution paradigm directly aligns with the “significantly more” analysis under Step 2B of the USPTO’s subject matter eligibility examination procedure.
Particularized Technical Component Details
Perhaps the most significant §101-related implication of the Xencor decision is the heightened need for particularized technical details regarding claim components. The ruling’s emphasis on describing prior art with specificity creates a parallel requirement for describing the technical implementation of claimed elements with similar specificity to overcome §101 rejections, where articulating the distinction over the prior art and how it is improved is paramount.
In light of this decision, practitioners should consider drafting specifications that:

Detail specific implementations: Rather than broadly claiming “a processor configured to perform X,” specifications should detail how that processor is specifically configured, what technical adaptations enable the claimed functionality, and how these configurations differ technically from conventional implementations. 
Explain technical interactions: Practitioners may wish to clarify how different components interact in technically innovative ways, avoiding descriptions that merely string together conventional components performing their routine functions. 
Provide technical metrics: Where possible, practitioners should consider including quantifiable improvements (e.g., processing speed increases, memory usage reductions, improved accuracy rates) that demonstrate the technical advancement over prior solutions. 
Link technical details to claims: Ensure that the technical details in the specification are clearly reflected in the claims, creating a coherent narrative that examiners can follow from problem to solution.

The Xencor court’s “automobile” example provides a useful framework – while certain technologies are well understood today, emerging technologies may require more extensive explanation. Similarly, under §101 analysis, applications in cutting-edge fields may need particularly robust technical disclosures to overcome the presumption that claimed elements are merely abstract ideas implemented on generic components.
Beyond Mere ‘Application’ to ‘Specific Practical Application’
The Xencor decision reinforces the distinction between a general application of known technology and a specific practical application of an improvement to technology that has become central to §101 analyses. Just as the court found that Xencor needed to describe more than just a general improvement to antibody treatments, the USPTO guidance requires that eligible claims do more than merely apply abstract ideas in a particular field using routine and conventional components. Applications thus should demonstrate specific technological improvements that go beyond mere conceptual applications. This potentially means:

Narrowing from general concepts to specific implementations: While the application may begin with broader concepts, practitioners might wish to narrow it to specific technical implementations that can be claimed. 
Demonstrating transformative elements: Consider highlighting how the claimed elements transform the underlying technology rather than using existing technology in expected ways. 
Avoiding result-oriented claiming: Applicants should consider focusing claims on specific technical means rather than claiming desired outcomes or results. 
Creating technological interdependencies: Consider demonstrating how claimed elements work together in technically innovative ways that produce results that individual components could not achieve independently.

Conclusion
The Xencor decision represents a shift in the landscape for both Jepson claims and subject matter eligibility analysis. While directly addressing written description requirements, the decision’s underlying principles effectively raise the bar for demonstrating technical improvements necessary to overcome §101 rejections. For patent practitioners, this may mean crafting specifications that thoroughly document both the technical problem and solution, with particular attention to detailing how specific claimed components implement the invention in technically novel ways. Evolving and embracing a more rigorous approach to technical disclosure may help applicants and practitioners navigate both the Xencor requirements and the increasingly stringent §101 analysis framework examiners and judges apply.

Closing Time: Hell, High Water, and Insights from the Delaware Chancery Court Decision in Desktop Metal v. Nano Dimension

Cross-border M&A deals frequently present unique issues and strategic closing considerations for transaction parties to navigate—including national security approvals. In a recent Delaware Chancery Court decision, these issues intersected when the court was forced to weigh national security-related approval conditions imposed by the Committee on Foreign Investment in the United States (“CFIUS”) against the buyer’s stringent contractual closing obligations.
On July 2, 2024, Nano Dimension, an Israeli company, agreed to acquire Desktop Metal, a U.S. company that makes industrial-use 3D printers which produce specialized parts for missile defense and nuclear-related applications. Unsurprisingly, closing the acquisition was contingent upon receiving CFIUS approval due to the sensitive nature of Desktop Metal’s operations. At the conclusion of its review period, CFIUS required Nano Dimension to enter into a national security agreement (“NSA”) outlining several post-closing operational restrictions imposed upon the parties, which Nano Dimension refused to accept as a result of new leadership that opposed the acquisition. Desktop Metal subsequently filed suit to force Nano Dimension to enter into the NSA to obtain CFIUS approval and consummate the acquisition, which the court granted.
Key Findings and Takeaways:

Hell-or-High-Water Provision: A pivotal aspect of the court’s decision was the interpretation of a “hell-or-high-water” clause in the transaction merger agreement. This clause required Nano Dimension to undertake all necessary actions—including agreeing to several enumerated conditions typically requested by CFIUS—to secure approval, subject to limited exceptions (i.e., a condition that would require Nano to relinquish control of 10% or more of its business). The court found that Nano Dimension breached this obligation through both its negotiating posture with CFIUS in relation to the NSA and by delaying the CFIUS approval process.
CFIUS Approval Strategy: Desktop Metal’s operations in critical technology sectors resulted in a complicated CFIUS approval process. The ruling emphasized that transaction parties should be aware of the potential for CFIUS to rely on NSAs impacting post-closing operations to address potential national security risks associated with foreign control.
Contractual Clarity Around CFIUS Obligations: The court’s decision illustrates the importance of clear contractual language detailing the relative obligations of the parties to obtain CFIUS approvals. We recommend that transaction parties carefully consider the implications of CFIUS approval language included in transaction documents:

For example, agreements should clearly delineate what conditions would be considered reasonable mitigation conditions that a potential buyer must accept (e.g., data security practices and auditing mechanisms) and those conditions that would not trigger an obligation to close (e.g., divestment of certain business lines or the use of proxy boards). 
The use of clear language outlining stakeholder alignment, permissible negotiation strategies and timing considerations with respect to CFIUS approval also contributes to the likelihood of a better outcome with CFIUS.

The Nano Dimension and Desktop Metal ruling serves as a crucial reminder of the complexities involved in cross-border mergers subject to CFIUS approval and provides valuable insights for practitioners and transaction parties navigating the CFIUS process.

GeTtin’ SALTy Episode 50 | Sine Die: Maryland Legislative Session Wrap-up [Podcast]

In this episode of GeTtin’ SALTy, Nikki Dobay and DeAndré Morrow dive into Maryland’s legislative session, which adjourned this week. Specifically, they unpack key tax provisions that were proposed and ultimately passed.
From new personal income tax brackets targeting high earners to the controversial 3% tech tax on digital services, they explore the measures passed in the Budget Reconciliation and Financing Act (BRFA) and their potential impact on businesses and consumers. They also discuss some key Maryland politics regarding certain tax policies that keep coming up and whether they expect to see those policies in the future.
DeAndré also highlights other developments like increased taxes on recreational cannabis and sports betting, the removal of IP taxation proposals, and the ongoing discussions surrounding Maryland’s digital advertising tax. 
They wrap up the episode with a lighthearted discussion on birthday celebrations.

Remote Meetings Reauthorized Through June 2027

On March 28, 2025, Mass. Governor Maura Healey signed an emergency law extending the COVID-19 remote and hybrid meeting authorizations for public meetings of local boards and committees until June 30, 2027. The law, Chapter 2 of the Acts of 2025, also extends legislation permitting remote representative Town Meetings and reducing the quorum requirements for open Town Meetings. The COVID-19-era legislation allowing remote meetings was set to expire on March 31, 2025, but was extended just in time to permit municipalities to continue holding meetings and hearings remotely. The ability to hold remote meetings has been popular among board members, developers, and citizens alike for improving access and saving time driving to and from town halls.
Legislation to permanently allow remote meetings (the so-called “Municipal Empowerment Act”, H.3342) has been resubmitted by Representative Danielle Gregoire of Marlborough. We’ll track this bill and report back on any significant developments.

Lay of the Land: Challenges to Data Center Construction—Past, Present and Future [Podcast]

In this episode of Lay of the Land, we are joined by Paul Manzer, principal and data center market leader with Navix Engineering, to explore the evolving landscape of data center construction. We dive into the unique civil engineering challenges—from site selection to due diligence—and trace the evolution of these challenges from past limitations to present-day complexities like supply chain issues and legal hurdles.
Looking ahead, we discuss future trends driven by AI and emerging technologies, examining how legal strategies and engineering innovation can address these challenges. We provide key takeaways for developers and investors, emphasizing the critical collaboration between legal and engineering teams.

Influencer Marketing Practices Under Scrutiny in Europe

Influencer activities in the European Union may be deemed unfair market practices, potentially harming the brands they promote.
The influencer marketing industry has experienced significant growth, with its global value reaching approximately $24 billion in 2024. Brands often turn to this form of advertising, not always realizing that influencer activities may be scrutinized for compliance with consumer protection laws. Enforcement in Europe is increasing, and non-compliant actions may harm the reputation and credibility of both influencers and the brands they promote.
Influencer Marketing Under EU Law
The European Commission classifies influencers engaged in commercial activities—such as promoting brands and receiving compensation—as “traders” under the unfair commercial practices directive (Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005, concerning unfair business-to-consumer commercial practices in the internal market). This classification requires influencers to comply with consumer protection laws, including transparency requirements for advertising disclosures.
Failure to disclose paid partnerships or affiliate marketing links may be considered a misleading commercial practice under EU law. The European Commission actively monitors influencer marketing and provides guidance and compliance tools through its Influencer Legal Hub.
Increasing Enforcement Actions Across Europe
National competition authorities from different jurisdictions are increasing enforcement actions against influencers and brands that appear to lack transparency in advertising. In Spain, investigations on social media content revealed that approximately 77.75% of the examined content did not comply with disclosure obligations. Many European jurisdictions have acted to raise awareness among influencers and the agencies representing them. The Italian antitrust authority regularly sends “moral suasion letters” to influencers violating consumer protection laws. However, in several countries, regulators have imposed financial penalties on influencers for breaching consumer rights, including in France, Latvia, Romania, Norway, Denmark, and Poland. The maximum amount of possible fines varies across jurisdictions. However, in some countries (e.g., Poland), maximum fines for such violations may be imposed at the same level as for the most serious competition law infringements (e.g., cartels), i.e., up to 10% of the company’s annual turnover.
Considerations for Influencers
Some of the European Commission’s guidance housed in the Influencer Legal Hub includes the following:

Clearly disclose advertising content: Influencers should inform audiences when content includes advertising and use clear labels such as “advertising” or “advertisement” in post or video language. Influencers should seek to avoid unclear or misleading terms when indicating advertising. Audiences should understand when they are viewing promotional content. Transparency is crucial to maintain trust and comply with legal obligations. 
Use appropriate hashtags: Incorporating clear disclosure hashtags like #advertising or #advertisement helps to indicate promotional content.
Label each promotional post individually: Posts, reels, or stories containing advertising should be individually labeled as such. 
Utilize platform disclosure features: Influencers should consider using disclosure tools that social media platforms provide, such as “paid partnership with” tags, when available. 
Ensure visibility and clarity of disclosures: Consider placing disclosure labels and hashtags at the beginning of posts or videos so they are easily noticeable to audiences.

Many national regulators have issued their own recommendations (Belgium, Denmark, Finland, Poland, Germany, Hungary, Ireland, Latvia, Lithuania, Norway, Portugal, Sweden), which may impose additional obligations for labeling advertising content. Advertisers and marketing agencies, in addition to influencers, may also be liable for non-compliance. Brands should ensure that contractual agreements require proper advertising disclosure.
In Poland, the national competition authority imposed a fine of PLN 5 million (USD 1.25 million) on a dietary supplements manufacturer for the misleading labeling of advertisements by influencers collaborating with the company on social media. According to the guidelines the company provided, the recommended practice included using vague ad disclosures, such as references solely to the advertiser’s brand.
Given Europe’s increasing regulatory scrutiny, companies engaging in influencer marketing should proactively review their compliance strategies.

DORA Compliance: Navigating the Latest Developments

On 24 March 2025, the following two developments relating to the implementation of the EU Digital Operational Resilience Act (DORA) took place: 

the European Commission (Commission) adopted a Delegated Regulation supplementing DORA with regard to regulatory technical standards (RTS) on the subcontracting of information and communication technology (ICT) services that support critical or important functions (Subcontracting RTS); and
the Delegated Regulation supplementing DORA regarding the RTS to specify the criteria for determining the composition of the joint examination team was published in the Official Journal of the European Union (OJEU) (JET RTS).

In addition, on 27 March 2025, the Commission published a press release (Press Release) setting out its decision to open infringement procedures against certain EU member states for failing to fully transpose the Directive on DORA (DORA Directive) into their national law.
Subcontracting RTS
The Commission has adopted the Subcontracting RTS, which specifies the elements that a financial entity must determine and assess when it permits its ICT third-party providers (TPPs) to subcontract ICT services supporting critical or important functions (or material parts of such functions).
The Commission initially rejected a version of the draft Subcontracting RTS due to concerns that requirements introduced went beyond the mandate given to the European Supervisory Authorities (ESAs). Further information regarding such rejection of the draft Subcontracting RTS can be found in our previous article (available here).
The most significant change since the previous draft of the Subcontracting RTS is the deletion of Recital 5 and Article 5, which would have included mandatory contract content requirements relating to ongoing monitoring of the chain of ICT subcontractors providing ICT services supporting critical or important functions. 
Nevertheless, in-scope financial entities will still have to monitor their subcontracting supply chains:

financial entities must still maintain an adequate register of information, which may in turn trigger indirect supply chain monitoring obligations (including contractual obligations) on TPPs; and
the Subcontracting RTS still include certain flow-down requirements in relation to TPPs’ subcontracts, which were not rejected by the Commission.

In summary, the Subcontracting RTS:

establish the rules on proportionality and group application;
set out rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions;
establish the description and the conditions under which ICT services supporting a critical or important function may be subcontracted; and
contain the rules on material changes to subcontracting arrangements of ICT services supporting critical or important functions and the provisions on the termination of contractual arrangements.

The Subcontracting RTS will enter into force on the twentieth day after its publication in the OJEU.
JET RTS
The JET RTS were published in the OJEU on 24 March 2025. This follows the Commission’s adoption of the JET RTS in December 2024.
The JET RTS have been developed under a mandate contained in Article 41(2) of DORA. The aim of the JET RTS is to ensure a balanced participation of staff members from the ESAs and from the relevant competent authorities, and to establish the designation, tasks and working arrangements of team members.
The JET RTS will come into force on 13 April 2025 (i.e., 20 days after publication in the OJEU).
Non-transposition of DORA Directive
Member states were required to transpose the DORA Directive into national law by 17 January 2025. 
The Commission has sent a letter of formal notice to 13 member states (i.e., Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the DORA Directive. These member states now have two months to respond and to complete their transposition and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may decide to issue a reasoned opinion.
In the Press Release, the Commission explains how full implementation of DORA is key to strengthening the digital operational resilience of financial entities across the EU.
The Subcontracting RTS, the JET RTS and the DORA Directive are available here, here and here, respectively. 

DOJ Rule Restricting Sensitive Data Transfers Takes Effect

Today, April 8, 2025, the U.S. Department of Justice’s Final Rule restricting transfers of bulk sensitive personal data and U.S. government-related data becomes effective, implementing former President Biden’s Executive Order 14117 – Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “Final Rule”). The Final Rule aims to protect U.S. national security by restricting certain data transactions with covered persons or countries of concern, which currently include Russia, Iran, North Korea, Cuba, Venezuela, and China (including Hong Kong and Macau). U.S. businesses must work now to ensure compliance and avoid significant penalties for violations.
The Final Rule defines many key terms such as “covered data transaction,” “country of concern,” “U.S. person,” “covered person,” “bulk U.S. sensitive personal data,” “government-related data,” “human ‘omic data,” and “knowingly,” while providing examples of restricted transactions. Ultimately, the Final Rule prohibits certain transfers of U.S. government-related data and bulk U.S. sensitive personal data to covered persons (see §202.243 Prohibited Transaction), adopting a 50% ownership threshold to capture certain foreign persons as covered persons akin to Office of Foreign Assets Control (OFAC) sanction designations for covered persons (see §202.211 Covered Person).
U.S. government-related data means certain precise geolocation data, regardless of volume, explicitly enumerated in the rule and any sensitive data, regardless of volume, linkable to current or recent employees of the U.S. government (see §202.222 Government-Related Data and §202.1401 Government-Related Location Data List).
Bulk U.S. sensitive personal data, by contrast, means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person:

Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons (human ‘omic data includes human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excludes pathogen-specific data embedded in human ‘omic data sets);
Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
Personal health data collected about or maintained on more than 10,000 U.S. persons;
Personal financial data collected about or maintained on more than 10,000 U.S. persons;
Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
Certain combinations of the data in (a) – (f) (see §202.205 Bulk and §202.206 Bulk U.S. Sensitive Personal Data).

Prohibited Transactions
The Final Rule prohibits U.S. persons from:

Knowingly engaging in any covered data transaction involving data brokerage with a country of concern or covered person; a covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (a) data brokerage; (b) a vendor agreement; (c) an employment agreement; or (d) an investment agreement (see §202.301 Prohibited Data-Brokerage Transactions and §202.210 Covered Data Transaction).
Knowingly engaging in any transaction that involves any access by a foreign person to government-related data or bulk U.S. sensitive personal data and that involves data brokerage with any person unless the foreign person is contractually restricted from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person and the U.S. person reports any known or suspected violation of the contractual requirement (see §202.302 Other Prohibited Data-Brokerage Transactions Involving Potential Onward Transfer to Countries of Concern or Covered Persons).
Knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human ‘omic data, or to certain human biospecimens (see §202.303 Prohibited Human ‘Omic Data and Human Biospecimen Transactions).
Knowingly directing any transaction that would be a prohibited transaction or a restricted transaction that fails to meet the applicable requirements if such transaction was engaged in by a U.S. person (see §202.305 Knowingly Directing Prohibited or Restricted Transactions).
Evading or avoiding, causing a violation of, or attempting to violate these prohibitions (see §202.304 Prohibited Evasions, Attempts, Causing Violations, and Conspiracies).

The prohibited transactions are categorically prohibited unless otherwise authorized pursuant to an exemption, general license, or specific license.
Restricted Transactions
The Final Rule creates a set of restricted transactions, including a vendor agreement, employment agreement, or investment agreement, in which U.S. persons may engage if the U.S. person complies with certain cybersecurity program requirements published by the Cybersecurity & Infrastructure Security Agency (CISA), as well as reporting and recordkeeping requirements (see §202.401 Authorization to Conduct Restricted Transactions).
Exempted Transactions
The Final Rule exempts the following categories of transactions that would otherwise be prohibited or restricted transactions:

Personal Communications
Information and Informational Materials
Travel
Official Business of the U.S. Government
Financial Services
Corporate Group Transactions
Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law
Investment Agreements Subject to CFIUS Action
Telecommunication Services
Drug, Biological Product, and Medical Device Authorizations
Other Clinical Investigations and Post-Marketing Surveillance Data (see Exempt Transactions §§202.501 through 202.511)

Licensing and Advisory Opinions
The Final Rule provides for processes to obtain licenses authorizing otherwise prohibited or restricted transactions (see Licensing §§202.801 through 202.803). Additionally, the Final Rule provides the ability to apply for advisory opinions as necessary (see Advisory Opinions §202.901).
Reporting and Recordkeeping Requirements
The Final Rule enacts compliance requirements for due diligence and audits of restricted transactions, as well as other recordkeeping and annual reporting requirements. The reporting requirements include an obligation to file an annual report of certain restricted transactions becoming effective on October 6, 2025 (see Reporting and Recordkeeping Requirements §§202.1101 through 202.1104).
Penalties
The Final Rule provides substantial civil and criminal penalties for violations. Civil penalties can reach the greater of $368,136 or an amount that is twice the amount of the transaction (subject to adjustment for inflation). For willful violations, criminal penalties include $1 million fines and up to 20 years’ imprisonment (see Penalties and Finding of Violation §§202.1301 through 202.1306).
Conclusion
The Final Rule becomes effective today, April 8, 2025. U.S. businesses that collect, maintain, or transfer sensitive personal data, or government-related data, should carefully review their business activities alongside related data collection and transfer policies. The U.S. business may then assess potential exposure to liability under the Final Rule, making any necessary policy adjustments for covered data transactions to ensure ongoing compliance for data collection and transfers.