FCC Delays Key Part of New Consent Revocation Rule Until 2026
Last year, the FCC adopted new rules under the Telephone Consumer Protection Act (TCPA) designed to expand consumers’ rights to revoke consent to receive robocalls and text messages. As we noted in a prior post, these changes were set to take effect on April 11, 2025, and would require businesses to treat any valid opt-out request as revoking consent for all robocalls and texts from that sender — even if the message concerned a different line of business.
However, that all went out the window yesterday. The FCC issued a new order granting a limited one-year delay for this particular requirement, pushing the effective date for this portion of the rule to April 11, 2026.
1. What’s Being Delayed?
The specific rule in question would have required businesses to treat a consumer’s opt-out request as applying to all future robocalls and texts from that sender, even if the messages originated from different business units or covered unrelated subjects. For example, a consumer may want to opt out of marketing text messages from the promotions department but still receive essential communications such as appointment reminders from the scheduling department or fraud alerts from the security team.
With yesterday’s order, the FCC has delayed implementation of this rule only as it relates to this broad application of opt-outs across unrelated communications. The rest of the new TCPA rule — including requirements to honor common opt-out keywords and process revocations within 10 business days — is still on track to go into effect on April 11, 2025.
2. Why the Delay?
The FCC referred to concerns from financial institutions that implementing this part of the rule would pose significant operational and technical challenges. Industry commenters explained that it can be difficult to design systems that appropriately apply a single opt-out request across different departments or business units without overreaching or violating customer intent.
For example, a consumer may want to opt out of text messages from one department but still receive necessary communications from another. Without additional system upgrades, institutions risk either failing to honor revocation requests or overly restricting communications the consumer still wants.
The FCC found that these concerns require more time for the industry to address, and a limited extension will serve the public interest by allowing organizations to adopt compliance solutions in a cost-effective and customer-friendly way.
3. What This Means for Businesses
Companies in the financial services industry should take note:
The April 11, 2025 deadline remains in effect for most parts of the rule, including the requirement to honor common opt-out terms and the 10-business-day response time.
The requirement to treat opt-out requests as applying across all unrelated robocalls and texts from a sender is now delayed until April 11, 2026.
This extension provides a window for organizations to upgrade communication platforms, clarify revocation scopes with customers, and align business units to handle these revocations appropriately.
Businesses should continue to monitor FCC guidance and work to ensure compliance with consent management procedures in advance of the 2025 and 2026 deadlines.
FCC Approved Limited, One Year Waiver of Key Element of New TCPA Consent Revocation Rules
In February of last year, Privacy World reported on the Federal Communications Commission’s (“FCC” or “Commission”) clarification and codification of its Telephone Consumer Protection Act (TCPA) consent rules (“Revocation Order”). Among other things, the agency confirmed that consent to receive autodialed calls and texts could be revoked by “any reasonable means” and included specific examples of such methods.
Significantly, the Revocation Order prescribed that the scope of such a revocation would include further robocalls or robotexts to that party, except those exempted from the consent requirement, which have been enumerated by the FCC (e.g., calls that do not require prior consent as set out in 47 CFR § 64.1200(a)(3), (9), such as healthcare related messages). For example, a revocation to stop bank statement availability reminders would extend to any other robocalls or robotexts from the bank. The FCC ultimately set April 11, 2025 as the effective date for these provisions.
But just a month before that date, several associations of banks and financial institutions petitioned the FCC for a one-year waiver of the new Revocation Order, arguing there was “good cause” to do so “because financial institutions face numerous challenges modifying existing communications to process ‘a revocation sent in response to one business unit’s call or text so that all business unit’s cease placing calls or texts to the consumer.’”
Just days before the effective date, the FCC has concluded that “special circumstances justify a limited extension to allow calls or senders of text messages a reasonable opportunity to ensure that they can process revocation requests consistent with [FCC] rules.” The limited waiver – until April 11, 2026 – applies only “to the extent the rule requires callers to treat a request to revoke consent made by a called party in response to one type of message as applicable to all future robocalls and robotexts from that caller on unrelated matters.” Businesses should clearly distinguish different messaging programs so that a simple “Stop” opt-out to one program (e.g., store discounts) does not apply to another program (e.g., store loyalty programs). By doing so, a simple “Stop” to specific messages is not required to equate – at least for the next year – with “Stop All” for all non-exempt messages. If programs are not clearly distinguished, businesses should consider providing an opt-out confirmation message where consumers may clarify the scope of their revocation, which is explicitly provided for in the Revocation Order and will take effect.
The FCC emphasized the limited extent of its action. The ruling does not otherwise delay the April 11, 2025 effective date of other rules adopted in its original Revocation Order and it does not alter the status quo of other prior FCC decisions addressing revocation of consent issues.
Further, if a consumer clearly indicates, using reasonable means, that he or she does not want to receive any further robocalls or robotexts on any subject, that request is not exempt from being honored. And the issue of what constitutes a “reasonable means” for revoking consent can still be subject to challenge. Businesses should ensure that they are able to effectuate opt-outs, including those received via other mediums (e.g., telephone calls and emails), to the messaging systems within ten (10) business days of receipt. The application and interpretation of the rules taking effect will be watched closely by callers and consumer groups. But for a year, one element of the rule has now been waived.
DOJ Final Rule on Bulk Transfer of Sensitive U.S. Personal and Government Data to Countries and Persons of Concern Goes Into Effect
On April 8, 2025, the Department of Justice’s final rule implementing Executive Order 14117 (“Final Rule”) went into effect, with the exception of certain due diligence, audit and reporting obligations that will take effect on October 5, 2025. The Final Rule restricts the bulk transfer of sensitive U.S. personal and government data to certain countries and persons of concern.
The Final Rule establishes a national security regulatory regime that either prohibits or restricts “covered data transactions,” which are certain transactions (i.e., data brokerage, employment agreements, investment agreements and vendor agreements) that could result in access to bulk U.S. sensitive personal data or government-related data by (1) a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) a “covered person” (e.g., an entity with 50% or more ownership by a country of concern, an entity organized under the laws of, or with their principal place of business in, a country of concern, or a foreign person that is an employee or contractor of such entity or a primary resident of a country of concern).
Read our previous coverage of the Final Rule.
District Court Dismisses Putative Nationwide TCPA Class Action Filed Against Berkshire Hathaway Home Services of Nevada Based on Failure to Allege Vicarious Liability
Companies across multiple industries that utilize promotional text messages and phone calls are being targeted by class actions filed under the Telephone Consumer Protection Act. On March 31, 2025, a Nevada federal district court dismissed a putative TCPA class action filed against a real estate company, Berkshire Hathaway HomeServices Nevada Properties, because the plaintiff had failed to sufficiently allege that BHHS should be held vicariously liable for marketing calls made by nonparty real estate agents to phone numbers registered on the National Do-Not-Call Registry. The case is Kelly Usanovic v. Americana, L.L.C., No. 2:23-cv-01289-RFB-EJY, 2025 WL 961657 (D. Nev. Mar. 31, 2025).
The plaintiff had allegedly listed her home for sale, and when the listing expired, she immediately received several marketing calls, and calls using an artificial or prerecorded voice, from multiple real estate agents affiliated with BHHS, even though her number was on the NDNCR. The plaintiff claimed the calls violated the TCPA, and that BHHS, which had allegedly provided extensive training on cold calling practices to its agents, was vicariously liable for the calls. She sought to represent two nationwide classes of persons who received similar calls.
The court granted BHHS’s motion to dismiss the plaintiff’s Second Amended Complaint, with prejudice, and entered judgment for defendant. It held the plaintiff had failed to allege sufficient facts to establish an agency relationship between BHHS and the agents. As the Court observed: “To establish an agency relationship, the plaintiff must show that BHHS controlled or had the right to control the real estate agents—specifically the manner and means of the calls conducted. (citation). The essential ingredient in determining whether an agency relationship exists is the extent of control exercised by the employer.”
Although the plaintiff alleged that BHHS trained the real estate agents on how to make unsolicited calls to expired listings and that BHHS suggested where they could purchase phone numbers and dialers, the plaintiff did not allege this training was required, or that the agents had to use the specific vendors that BHHS recommended. Nor did the plaintiff allege that BHHS directed agents on how many calls to make, or that any of the calls occurred under BHHS’s supervision.
The court also held that, even if an agency relationship existed, the plaintiff did not allege facts sufficient to establish vicarious liability under an actual authority, apparent authority, or ratification theory. There were no allegations that BHHS authorized or directed agents to call numbers listed on the NDNCR, that the plaintiff relied on any statement of the agent’s authority made by BHHS or by any of the agents who allegedly called her, or that BHHS knowingly accepted the benefits of or otherwise ratified any allegedly unlawful calls.
Vicarious liability has been and will continue to be a hotly contested issue in many TCPA class actions, both in the real estate space and in other industries. It is the plaintiffs, however, who have the burden of alleging specific facts which, if proven true, would establish the defendant is vicariously liable for the telemarketing calls or text messages. The Usanovic decision is a useful reminder that challenging the sufficiency of the plaintiff’s vicarious liability allegations may be an effective way to stop a TCPA class action in its tracks.
SEC Staff Issues Statement on Stablecoins
On April 4, 2025, Staff in the SEC’s Division of Corporation Finance issued a public statement on stablecoins. The statement opines that the offer and sale of “covered stablecoins” do not involve the offer and sale of securities, and that persons involved in minting covered stablecoins do not need to register their offer and sale with the SEC.
The Staff statement provides several characteristics of “covered stablecoins” for the purpose of its analysis, and the issuer of a stablecoin that does not meet these criteria may not be able to rely fully on the statement’s holding. In particular, the statement assumes that a covered stablecoin is backed by a reserve fund of high-quality assets (such as cash, cash equivalents or treasury securities), that the stablecoin is exchangeable one-for-one with a fiat currency (such as the US Dollar), and that the stablecoin is marketed solely for use in commerce, as a means of making payments, for transmitting money, or as a means of storing value, but not as an investment. The Staff further notes that covered stablecoins are typically marketed so as not to impart any governance rights to holders or to reflect any ownership interest in the issuer of the stablecoin. To support its conclusion, the statement also provides a brief analysis of a covered stablecoin under both the Supreme Court’s Howey test for investment contracts and the “family resemblance” test under the Supreme Court’s Reves case. Over the years, the SEC Staff has provided little guidance as to its views on the Reves test, so the Staff statement is interesting in that regard.
While the Staff’s guidance is helpful as a general starting point, it does not delve into several nuances among different varieties of stablecoins that could impact the security analysis. More generally, and as described above, the guidance makes a number of other critical assumptions about the structure of a hypothetical covered stablecoin as well. The guidance seems to imply that algorithmic stablecoins are out of scope and do not meet the criteria for a covered stablecoin, for example. Notably, the Staff guidance does not speak to the status of the reserve fund under the Investment Company Act of 1940, a topic outside the purview of the Division of Corporation Finance. SEC Commissioner Crenshaw also issued a public statement highly critical of the Staff’s analysis. With several bills on stablecoins making their way through Congress, we anticipate that the Staff statement will not be the last word from Washington on stablecoins.
REFRESHING: Coca Cola Wins Huge TCPA Victory With Motion to Strike Massive Class
The Plaintiff’s bar has grown incredibly aggressive in TCPA class actions recently and filed suits with the broadest possible class definition to sweep in as many potential plaintiffs as possible.
In doing so, of course, the plaintiff’s attorneys hope to create massive risk for the defendant–and ultimately massive settlements.
In order to beat these guys you need to be aggressive right back, and Coca Cola deployed an ole trick of the Czar’s recently to strike a class at the pleadings stage and I love to see it.
In Barnes v. Coca Cola, 2025 WL 1027431 (E.D. Cal April 7, 2025) the Plaintiff had asserted a class consisting of every call Coca Cola had ever made.
Rather obviously such a class could never be certified because the vast majority of class members will have no standing and would have consented to the calls. TCPA plaintiffs often file such classes, however, arguing that consent is an affirmative defense that they have no duty to plead around.
In Barnes, however, the court correctly determined that a plaintiff needs to plead the real class he intends to certify– not some overly broad nonsense. Noting that the class as pleaded was simply “implausible,” the Court found Coca-Cola—like all defendants facing suit—is “entitled to know the class definition being alleged against them.”
This is a massive win for Coca-Cola as the plaintiff will now have to redefine his class and narrow it to the group of people he is actually trying to represent. This will allow Coca Cola to better refine its arguments in opposition to class certification, narrow discovery, and prepare laser focused expert reports.
THIS is the way it is supposed to work. But courts commonly (erroneously) deny defense motions to strike as premature. Good to see that didn’t happen here.
Interestingly, the court also granted Coke’s motion to dismiss, finding that the portion of the message in the plaintiff’s complaint mentioned only a delivery being available–which is not marketing. Although plaintiff contended there was more to the message that encouraged the call recipient to place an order, that portion of the message was not alleged in the complaint– so it could not be considered.
Really great ruling over all.
Notably this motion to dismiss was filed over two years ago in January, 2023! The court took that long to issue this ruling–highlighting just how long it takes to get rulings out of the Eastern District of California right now. It is a VERY backed up federal court.
IBM United Kingdom Limited v LzLabs GmbH & Ors: A Landmark Case in Software Licensing and Unlawful Means Conspiracy
Introduction
In a recent judgment, the High Court found Swiss software development company LzLabs and Co-Defendants, including tech billionaire John Jay Moores, liable for breach of contract and unlawful means conspiracy.[1] The case involves allegations of software reverse engineering and breaches of licensing agreements. The court’s judgment not only highlights the complexities of software licensing, but also brings into focus the legal boundaries of interoperability and intellectual property rights.
Background
IBM developed its first mainframe computers in the 1950s. These room-sized machines initially ran on vacuum tubes and were some of the very earliest commercially available computers. Today, IBM continues to market mainframe hardware and software descended from these pioneering models, which are relied on by 67% of the Fortune 100 companies. Mainframe systems are designed to reliably and securely process large volumes of information for institutions, running commercial databases, transaction services and customer applications.
On 15 August 2013, IBM entered into a licensing agreement with Winsopia Limited, a subsidiary of LzLabs, under the IBM Customer Agreement (ICA). The agreement allowed Winsopia to use IBM mainframe software, but imposed restrictions on reverse engineering and external distribution. These restrictions were intended to safeguard IBM’s proprietary technology and prevent unauthorised use of its intellectual property.
LzLabs subsequently developed a product known as the Software Defined Mainframe (SDM), the intended purpose of which was to allow IBM mainframe customers to run their existing customer applications (which are written for a mainframe) but without any mainframe hardware or software, thereby achieving significant cost savings and rendering the need to use IBM’s mainframe hardware and software redundant.
IBM claimed that the development of SDM involved unlawful reverse engineering of its software, in breach of the ICA. The case also involved key individuals, including Mark Cresswell, Thilo Rockmann, and John Jay Moores, who were alleged to have played pivotal roles in procuring the breaches and facilitating the unauthorised use of IBM’s software.
IBM alleged that, in developing SDM, the Defendants had accessed and analysed IBM’s software in a way that violated the licensing terms, thereby obtaining critical insights into IBM’s proprietary technology. These actions, according to IBM, resulted in the unlawful replication of its mainframe capabilities in SDM, effectively undermining IBM’s competitive position in the market.
The Claimant’s Allegations
IBM alleged multiple claims including:
Reverse engineering in breach of the ICA: that Winsopia used IBM’s mainframe software to reverse engineer various components for SDM, violating contractual terms prohibiting such activities. IBM presented evidence suggesting that Winsopia systematically analysed IBM software using debugging tools and decompilation techniques.
Unlawful transfer of “unscrubbed” and/or partially “scrubbed” IBM materials containing mainframe software in breach of the ICA: IBM contended that Winsopia transferred IBM proprietary software to LzLabs and third parties without authorisation. This included the transfer of confidential technical documentation, code fragments and proprietary runtime components – which due to having not been scrubbed correctly, caused the unauthorised dissemination of IBM’s proprietary code.
Procurement of breach: The individual Defendants were accused of knowingly assisting Winsopia in breaching the ICA. Internal communications revealed discussions about circumventing IBM’s restrictions and strategies to expedite SDM’s development.
Unlawful means conspiracy: IBM alleged that the Defendants colluded to circumvent IBM’s licensing restrictions, causing harm to IBM’s commercial interests. The Court was presented with evidence of coordinated efforts to reverse engineer IBM software and integrate it into SDM.
IBM sought declaratory relief, an injunction to prevent further breaches, and an account for profits and/or damages for losses incurred due to the Defendants’ conduct. The damages sought reflected the significant financial impact of the alleged misconduct, including lost revenue and market share.
The Defendants’ Defence
The Defendants denied IBM’s allegations, arguing that:
Clean room development: LzLabs implemented stringent procedures to prevent unauthorized access to IBM software, ensuring SDM was developed independently. They maintained that SDM was built from scratch without reliance on IBM’s proprietary materials.
Interoperability rights: Winsopia’s activities were protected under the Software Directive and the Copyright, Designs and Patents Act 1988 (CDPA), which allows lawful observation, study, and testing of software for interoperability purposes. The Defendants contended that their actions fell within these legal boundaries.
No use of IBM proprietary code: The Defendants alleged that the SDM was developed without incorporating IBM’s proprietary material, other than in compliance with the terms of the ICA and as permitted by the Software Directive. They argued that any similarities between SDM and IBM software resulted from standard industry practices rather than unauthorised access.
Legitimate business model: LzLabs maintained that it operated lawfully within the bounds of the industry’s standard software migration practices. The company positioned itself as an innovator offering an alternative to traditional mainframe solutions.
The Defendants in turn counterclaimed for injunctive/declaratory relief that Winsopia was not in breach of the ICA, and for damages for breach of the ICA.
Key Findings from the Judgment
Breach of the ICA
Mrs Justice O’Farrell found that Winsopia was in breach of multiple provisions of the ICA, concluding that:
Reverse engineering had taken place, including the use of IBM compiler listings and debugging tools to analyse IBM software. The evidence demonstrated that Winsopia systematically examined IBM software to understand its internal workings.
IBM proprietary materials had been transferred to LzLabs, including parts of the code that should have been scrubbed. The court determined that Winsopia’s scrubbing process was inadequate.
LzLabs and the individual Defendants knowingly facilitated the breaches, contrary to their claim of strict clean room protocols. The evidence included internal emails discussing strategies to expedite SDM’s development by leveraging IBM software.
Procuring the breaches
The Court found that LzLabs (although not LzLabs UK) and the individual Defendants had actively encouraged Winsopia’s breach of contract. Notably, internal communications revealed pressure to relax clean room procedures to speed up development, undermining the claim that SDM was developed independently. The Court held that the defendants had acted with full knowledge of the breaches and had directly benefitted from the unauthorised use of IBM software.
While the Court found that two of the director Defendants, Mr Rockmann and Mr Cresswell, caused Winsopia to act in breach of contract, they were not found to be liable for the procurement of breach of contract. This is because they were entitled to rely on the defence in Said v Butt [1920] 3 KB 497 – namely, that a director of a company who causes a company to act in breach of contract cannot be found to have committed the tort of inducing a breach of a contract, provided that the director acted bona fide in the course of their duties.
However, Mr Moores – the indirect beneficial owner of LzLabs and Winsopia – was not entitled to rely on the Said v Butt defence, as he was not an officer or employee in either of those companies. IBM alleged that Mr Moores was ultimately in control of all the corporate Defendants who followed his instructions in relation to the development of the SDM. The Court agreed, finding that Mr Moores had intentionally “used his power and control over LzLabs and Winsopia to direct and/or assist in the breaches of the ICA that have been established, primarily by dismantling the protective barriers put in place by the clean room processes”.
Unlawful Means Conspiracy
In their case for unlawful means conspiracy, IBM claimed that all the Defendants had combined to achieve the common end of developing the SDM using unlawful means – those being breaches of the ICA by Winsopia, and procurement of such breaches by the other Defendants. With reference to relevant common law,[2] the court outlined that for such a claim to succeed, IBM needed to prove:
a combination or agreement between the Defendants;
the use of unlawful means;
an intent to harm IBM’s business; and
knowledge by the defendants that the means used were unlawful.
In considering these grounds, the Court found that:
The Defendants collaborated with a shared objective of developing SDM in a way that breached IBM’s contractual rights. Evidence showed coordinated efforts to circumvent IBM’s restrictions.
Unlawful means were used, including reverse engineering, unauthorised use of IBM software, and the transfer of proprietary materials. The Court rejected the Defendants’ argument that their actions were protected under interoperability laws.
The Defendants intended to cause harm to IBM, as demonstrated by internal discussions about targeting IBM’s customer base and the dismissal of legal concerns. It was, in turn, found that the Defendants had deliberately sought to undermine IBM’s business.
The Defendants knew that the means employed were unlawful, as evidenced by internal communications that acknowledged the risks of legal consequences and sought to downplay them. The Court emphasized that knowledge of the unlawfulness was a key factor in establishing liability under the conspiracy claim.
Accordingly, the Court concluded that IBM had established unlawful means conspiracy and held the Defendants jointly liable for damages arising from their coordinated actions. This finding significantly strengthened IBM’s position in protecting its intellectual property and enforcing its licensing agreements.
Conclusion
The judgment underscores the legal risks associated with software reverse engineering and the importance of strict compliance with software licensing agreements. Furthermore, it clarifies the application of unlawful means conspiracy in the context of technology disputes – setting a significant precedent for the software industry, as to the need for companies to ensure that interoperability efforts do not infringe on copyright and contractual restrictions.
Furthermore, the case highlights the growing legal scrutiny on software migration and interoperability solutions. Companies developing alternative solutions to proprietary systems must exercise caution to avoid breaching intellectual property laws. The ruling serves as a cautionary tale for businesses that engage in reverse engineering, emphasizing the need for transparent and legally compliant development practices.
[1] IBM United Kingdom Limited v LzLabs GmbH & Ors [2025] EWHC 532 (TCC)
[2] Kuwait Oil Tanker v Al Bader [2000] 2 All ER (Comm) 271 (CA), paras. 108 & 132; JSC BTA Bank v Khrapunov [2018] UKSC 19, para. 8; and The Racing Partnership Ltd v Sports Information Services [2020] EWCA Civ 1300, para. 104.
DOJ Rule Restricting Sensitive Data Transfers Takes Effect!
Today, April 8, 2025, the U.S. Department of Justice’s Final Rule restricting transfers of bulk sensitive personal data and U.S. government-related data becomes effective, implementing former President Biden’s Executive Order 14117 – Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “Final Rule”). The Final Rule aims to protect U.S. national security by restricting certain data transactions with covered persons or countries of concern, which currently include Russia, Iran, North Korea, Cuba, Venezuela, and China (including Hong Kong and Macau). U.S. businesses must work now to ensure compliance and avoid significant penalties for violations.
The Final Rule defines many key terms such as “covered data transaction,” “country of concern,” “U.S. person,” “covered person,” “bulk U.S. sensitive personal data,” “government-related data,” “human ‘omic data,” and “knowingly,” while providing examples of restricted transactions. Ultimately, the Final Rule prohibits certain transfers of U.S. government related data and bulk U.S. sensitive personal data to covered persons (see §202.243 Prohibited Transaction), adopting a 50% ownership threshold to capture certain foreign persons as covered persons akin to Office of Foreign Assets Control (OFAC) sanction designations for covered persons (see §202.211 Covered Person).
U.S. government-related data means certain precise geolocation data, regardless of volume, explicitly enumerated in the rule and any sensitive data, regardless of volume, linkable to current or recent employees of the U.S. government (see §202.222 Government-Related Data and §202.1401 Government-Related Location Data List).
Bulk U.S. sensitive personal data, by contrast, means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person:
(a) Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons (human ‘omic data includes human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excludes pathogen-specific data embedded in human ‘omic data sets);
(b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
(c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
(d) Personal health data collected about or maintained on more than 10,000 U.S. persons;
(e) Personal financial data collected about or maintained on more than 10,000 U.S. persons;
(f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
(g) certain combinations of the data types in (a) – (f) (see §202.205 Bulk and §202.206 Bulk U.S. Sensitive Personal Data).
Prohibited Transactions
The Final Rule prohibits U.S. persons from:
Knowingly engaging in any covered data transaction involving data brokerage with a country of concern or covered person; a covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (a) data brokerage; (b) a vendor agreement; (c) an employment agreement; or (d) an investment agreement (see §202.301 Prohibited Data-Brokerage Transactions and §202.210 Covered Data Transaction).
Knowingly engaging in any transaction that involves any access by a foreign person to government-related data or bulk U.S. sensitive personal data and that involves data brokerage with any person unless the foreign person is contractually restricted from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person and the U.S. person reports any known or suspected violation of the contractual requirement (see §202.302 Other Prohibited Data-Brokerage Transactions Involving Potential Onward Transfer to Countries of Concern or Covered Persons).
Knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human ‘omic data, or to certain human biospecimens (see §202.303 Prohibited Human ‘Omic Data and Human Biospecimen Transactions).
Knowingly directing any transaction that would be a prohibited transaction or a restricted transaction that fails to meet the applicable requirements if such transaction was engaged in by a U.S. person (see §202.305 Knowingly Directing Prohibited or Restricted Transactions).
Evading or avoiding, causing a violation of, or attempting to violate these prohibitions (see §202.304 Prohibited Evasions, Attempts, Causing Violations, and Conspiracies).
The prohibited transactions are categorically prohibited unless otherwise authorized pursuant to an exemption, general license, or specific license.
Restricted Transactions
The Final Rule creates a set of restricted transactions, including a vendor agreement, employment agreement, or investment agreement, in which U.S. persons may engage if the U.S. person complies with certain cybersecurity program requirements published by the Cybersecurity & Infrastructure Security Agency (CISA), as well as reporting and recordkeeping requirements (see §202.401 Authorization to Conduct Restricted Transactions).
Exempted Transactions
The Final Rule exempts the following categories of transactions that would otherwise be prohibited or restricted transactions:
Personal Communications
Information and Informational Materials
Travel
Official Business of the U.S. Government
Financial Services
Corporate Group Transactions
Transactions Required or Authorized by Federal Law or International Agreements, or Necessary for Compliance with Federal Law
Investment Agreements Subject to CFIUS Action
Telecommunication Services
Drug, Biological Product, and Medical Device Authorizations
Other Clinical Investigations and Post-Marketing Surveillance Data (see Exempt Transactions §§202.501 through 202.511)
Licensing and Advisory Opinions
The Final Rule provides for processes to obtain licenses authorizing otherwise prohibited or restricted transactions (see Licensing §§202.801 through 202.803). Additionally, the Final Rule provides the ability to apply for advisory opinions as necessary (see Advisory Opinions §202.901).
Reporting and Recordkeeping Requirements
The Final Rule enacts compliance requirements for due diligence and audits of restricted transactions, as well as other recordkeeping and annual reporting requirements. The reporting requirements include an obligation to file an annual report of certain restricted transactions becoming effective on October 6, 2025 (see Reporting and Recordkeeping Requirements §§202.1101 through 202.1104).
Penalties
The Final Rule provides substantial civil and criminal penalties for violations. Civil penalties can reach the greater of $368,136 or an amount that is twice the amount of the transaction (subject to adjustment for inflation). For willful violations, criminal penalties include $1 million fines and up to 20 years’ imprisonment (see Penalties and Finding of Violation §§202.1301 through 202.1306).
Conclusion
The Final Rule becomes effective today, April 8, 2025. U.S. businesses that collect, maintain, or transfer sensitive personal data, or government-related data, should carefully review their business activities alongside related data collection and transfer policies. Then the U.S. business may assess potential exposure to liability under the Final Rule, making any necessary policy adjustments for covered data transactions to ensure ongoing compliance for data collection and transfers.
Triggers and Risks
Having granted a Writ of Certiorari to review the decision of the United States Circuit Court of Appeals for the Ninth Circuit (the “Ninth Circuit”) in Amalgamated Bank et al v. Facebook, Inc. et al (In re Facebook, Inc. Securities Litigation), 87 F.4th 934 (9th Cir. 2023) (“Facebook”)[i], and having heard oral argument by the parties and amici curiae, on November 22, 2024 the United States Supreme Court issued an unusual decision — surprising to some but perhaps not to others. The Court dismissed the case, stating only that the Writ of Certiorari had been “improvidently granted” (604 U.S. 4 (2024)).
Facebook involved, among other things, the question of whether the discussion of a risk can be misleading if it does not disclose previous occurrences of that risk or of events that increase the probability of that risk. Facebook did not make such disclosure, and the Ninth Circuit held that the plaintiffs had adequately pleaded a cause of action under Section 10(b) of the Securities Exchange Act of 1934 (the “1934 Act”) and Rule 10b-5(b) thereunder on the grounds that the omission of such information rendered its risk discussion misleading. Facebook asked the Supreme Court to review the judgment of the Ninth Circuit on the following somewhat oddly posed question:
Are risk disclosures false or misleading when they do not disclose that a risk has materialized in the past, even if that past event presents no known risk of ongoing or future business harm?
A similar, although not identical, question was involved in the Ninth Circuit’s previous decision in Rhode Island v. Alphabet, Inc. (In re Alphabet, Inc. Securities Litigation), 1 F.4th 687 (9th Cir. 2021) (“Alphabet”). Interestingly, following the decision of the Ninth Circuit, the Supreme Court denied Alphabet’s Petition for a Writ of Certiorari.
The clear-cut answer to the question raised in both Alphabet and Facebook seems to be that, sometimes, depending on the circumstances and the language of the risk factor, some historical information may be necessary to qualify the discussion of a risk, at least somewhere in the disclosure document. Analysis of both Alphabet and Facebook is necessary to attempt an understanding of this issue under the law of the Ninth Circuit and, indeed, after the non-decision of the Supreme Court in Facebook, presumably the law of the land. While these cases raised a multitude of collateral issues, especially in the lower courts, this note will focus on the specific question directed to the Supreme Court.
[i] In October 2021, Facebook, Inc., the parent company of Facebook, changed its name to Meta Platforms, Inc. However, the defendant is referred to as “Facebook” throughout the litigation.
The Future for California’s Latest Generation of Privacy Regulations is Uncertain
As reported previously, the California Privacy Protection Agency (“CPPA”) closed the public comment period for its proposed cybersecurity audit, risk assessment and automated decision-making technology (“ADMT”) regulations (the “Proposed Regulations”) in late February. In advance of the CPPA’s April 4 meeting, the CPPA released a new draft of the Proposed Regulations, which proposed relatively minor substantive changes, but pushed back the dates for when certain obligations would become effective. The Agency’s Board met on April 4, 2025, to discuss the new proposals and comments received, as well as the potential for some very different alternatives, especially related to ADMT. Members of the CPPA Board debated the staff’s approach and ultimately sent the staff back to narrow the scope of the Proposed Regulations, clarify what was in and out of scope with more examples, and further consider how to reduce the costs and burdens on businesses. While it is unclear exactly what staff will come back with, the alternatives discussed provide some hints on what a more constrained approach may look like.
Likely revisions are focused on six items discussed:
Definition of “automated decision-making technology” (ADMT)
Definition of “significant decision”
“Behavioral advertising” threshold
“Work or educational profiling” and “public profiling” threshold
“Training” thresholds
Risk Assessment Submissions
Definition of “Automated Decision-making Technology” (ADMT)
The first discussion item included three proposed alternatives to the current ADMT definition. All the alternatives narrow the definition from that of the current Proposed Regulations, some significantly:
Alternative 1: Would still cover use to assist or replace human decision making, but would provide more description on what processes apply, and add a material consumer impact requirement.
Alternative 2: Would limit the definition to where the processing substantially replaces human decision making.
Alternative 3: Would limit the definition to where the processing replaces human decision making for the purpose of “making a solely automated significant decision about a consumer.”
The Board did not reach a consensus as to how to narrow the definition of ADMT, but expressed concern with the current broad scope of the ADMT definition, and a desire to see an alternative from staff that assuaged these concerns.
Definition of “Significant Decision”
The heart of the ADMT and Profiling provisions regulates where such processing can result in a “significant decision,” defined as access to, or provision or denial of certain listed types of goods and services. Board Member Alistair Mactaggart raised concerns that the phrase “access to” was overly broad and could include a wide array of information services, including maps apps and other items used to route or otherwise direct a consumer to a covered service. He provided an example wherein a consumer uses a maps app to route them to an emergency room or a bank. The staff’s presentation included replacing “access to” with “selection of a consumer for,” or deleting it altogether.
Other Board Members, including Drew Liebert, raised concerns that in the employment context “allocation or assignment of work,” as a form of significant decision, could include actions like selecting a specific delivery driver based on proximity. Staff’s proposed alternatives included deleting this type of decision, as well as others including insurance and criminal justice and narrowing the scope of “essential goods or services.”
The Board directed staff to return with more examples of use cases to demonstrate what is and is not within the scope of a significant decision and how various potential definition changes could affect those examples.
Behavioral Advertising
Proposed changes in this section of the draft regulations on “extensive profiling” stand to significantly alter the scope of the Proposed Regulations, which propose to expand the current concept of Cross-Context Behavioral Advertising to include first-party behavioral data-driven ad targeting. The Board spent less time discussing this issue and ultimately seemed to direct the staff to implement the proposed change, which deletes the behavioral advertising use case from the requirements for risk assessments and ADMT completely.
Work or Educational Profiling and Public Profiling
Similar to the significant decision issue, the Board was concerned that, as written, the scope of the Proposed Regulations might encompass use cases that do not fall under the spirit of the regulations. Board Member Mactaggart, specifically, raised concerns that this section of the regulation is changing the character of the law from a privacy law to an employment law. The staff did not present any specific alternatives to the Proposed Regulations as to these types of “extensive profiling.” The Board seemed to reach consensus for requesting staff to provide additional information including use cases that might help inform the scope of the regulations.
AI and ADMT Training
The staff-suggested potential changes regarding AI and ADMT training thresholds took two forms. One would narrow the scope of the rule, by limiting the requirements to where the business knows or should know that the technology will be used for the currently restricted purposes, as opposed to the current capability of use standard, while the other would delete the training thresholds completely. The Board engaged in considerable discussions, including regarding whether the language could be changed to only require risk assessments from entities that definitively used ADMT (based on a new, narrower definition). This stemmed from similar concerns underlying the other issues, that as written, the regulations would potentially apply to entities that were not really engaged in risky privacy behaviors. However, staff explained that in order for pre-use risk assessments to remain an element of the regulations, there must be some way to include potential uses.
The Board directed staff to follow the second recommendation, which would remove the artificial intelligence applicability to the training threshold. Staff was also directed to revise the requirements to apply only to businesses that are actively using or are planning to use ADMT.
Risk Assessment Submissions
The Board’s discussion on the risk assessments went beyond the staff’s issue slide regarding the summary submission process. Specifically, the Board contemplated changes that would totally revamp the required elements of risk assessments. Primarily motivated by concerns of the cost for businesses, members of the Board asked staff whether the regulations can better reflect other jurisdictions’ risk assessment frameworks (e.g., Colorado). Staff was directed to determine the feasibility of mirroring the risk assessment language to other jurisdictions, especially Colorado, to ensure that businesses conducting risk assessments need not tailor them to each state and incur significant costs in the process.
Legal Challenge Concerns
Board Member Mactaggart also raised concerns about the legality of some of the Agency’s proposed regulations, including constitutional concerns like First Amendment rights with respect to risk assessments and whether the cybersecurity audit requirements exceed the Agency’s statutory authority. Privacy World’s Alan Friel and Glenn Brown (in their personal capacities) have previously addressed the First Amendment concerns raised by risk assessments. Board Member Mactaggart requested that Agency staff provide a report to the Board regarding these litigation risks. Other Board members expressed concern regarding the confidentiality of any such analysis. No firm plan for staff was reached in this regard.
Next Steps
A timeline was not set for developing revised Proposed Regulations and otherwise addressing Board concerns, but the potential for considering staff responses at a July Board meeting was discussed. It is unclear how extensive changes will need to be in order to get a majority of the Board to vote a version of the Proposed Regulations forward. However, if the scope of changes is consistent with the direction at least some on the Board seem to be giving staff, a new 45-day public comment period would seem likely, even if a shorter 15-day period were to be applied to other proposed edits. It would seem that the CPPA has a long way to go and will need to more narrowly construct rules that are more aligned with other U.S. states. We will continue to monitor developments on this rulemaking process or other Agency actions.
Samuel Marticke contributed to this article.
Employee’s Attorney And Expert Witnesses Were Properly Disqualified For Use Of Employer’s Privileged Information
Johnson v. Department of Transp., 2025 WL 829714 (Cal. Ct. App. 2025)
After Christian L. Johnson sued his employer (Caltrans), an attorney for Caltrans sent a confidential email about the litigation to Nicholas Duncan (Johnson’s supervisor). Duncan then sent an image of the email to Johnson who shared it with his attorney and several retained experts and other individuals. The trial court granted Caltrans’s request for a protective order on the ground that the email was covered by the attorney-client privilege. The trial court also ordered Johnson and his attorney to destroy or return all copies of the email and to refrain from any further dissemination of the email. The trial court subsequently granted Caltrans’s motion to disqualify Johnson’s attorney and retained experts with whom the email had been shared based upon various violations of the protective order. The Court of Appeal affirmed the order. See also Cahill v. Insider Inc., 2025 WL 838264 (9th Cir. 2025) (district court had authority to order media organizations to return or destroy confidential documents that had been inadvertently disclosed).
WOAH!!!!!: FCC Issues Stay of Worst Parts of TCPA Revocation Ruling (And TCPAWorld is Saved– Again)
Well we didn’t come down to the wire like January, but it was still a little too close for comfort.
Just moments ago the FCC issued a ruling staying the most problematic parts of the TCPA revocation rule for one year. Specifically the scope of revocation ruling that would have required a caller to stop calling across all channels and for all purposes in response to a single “stop” request from a consumer.
On hold for now!
Here is the critical language from the ruling:
We find that good cause exists to justify a limited waiver of the effective date of section 64.1200(a)(10) of the Commission’s rules to the extent that it requires callers to apply a request to revoke consent made in response to one type of message to all future robocalls and robotexts from that caller on unrelated matters. For the reasons discussed herein, we delay the effective date of any such requirement until April 11, 2026.
That’s really important folks.
The new rule section would have read as follows:
(10) A called party may revoke prior express consent, including prior express written consent, to receive calls or text messages made pursuant to paragraphs (a)(1) through (3) and (c)(2) of this section by using any reasonable method to clearly express a desire not to receive further calls or text messages from the caller or sender. Any revocation request made using an automated, interactive voice or key press-activated opt-out mechanism on a call; using the words “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe” sent in reply to an incoming text message; or pursuant to a website or telephone number designated by the caller to process opt-out requests constitutes a reasonable means per se to revoke consent. If a called party uses any such method to revoke consent, that consent is considered definitively revoked and the caller may not send additional robocalls and robotexts. If a reply to an incoming text message uses words other than “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe,” the caller must treat that reply text as a valid revocation request if a reasonable person would understand those words to have conveyed a request to revoke consent. Should the text initiator choose to use a texting protocol that does not allow reply texts, it must provide a clear and conspicuous disclosure on each text to the consumer that two-way texting is not available due to technical limitations of the texting protocol, and clearly and conspicuously provide on each text reasonable alternative ways to revoke consent. All requests to revoke prior express consent or prior express written consent made in any reasonable manner must be honored within a reasonable time not to exceed ten business days from receipt of such request. Callers or senders of text messages covered by paragraphs (a)(1) through (3) and (c)(2) of this section may not designate an exclusive means to request revocation of consent.
It is unclear, however, what–if any–portion of this rule is now in effect. The language of the FCC’s ruling staying effectiveness is laser focused on the “scope” provisions of the FCC’s previous revocation ruling– but those scope provisions are not actually written into the new rule. And the language of the new rule itself does not address the concerns animating the requests for stay that led to the extension. So this is going to cause some headaches I think. Especially given this language:
We emphasize that this waiver extends only to section 64.1200(a)(10) to the extent discussed herein. This ruling does not otherwise delay the effective date of the other rules adopted in the TCPA Consent Order.[1] In addition, this Order does not alter the status quo relating to any other prior Commission rulings addressing revocation of consent.
So yeah, a bit of a guessing game as to what provisions of (a)(10) are and are not in effect. But what we do know is that the worst appears to have been avoided for now.
Unfortunately there is no court action pending so we may still need to deal with this ruling a year from now– so don’t lose track of it. New effective date is now April 11, 2026!
In the meantime, however, R.E.A.C.H. will certainly be asking the FCC to “delete, delete, delete” this provision come Friday.
If you have questions on any of this feel free to reach out.
Full ruling here: FCC ruling staying revocation
Chat soon!