U.S. Consumer Privacy Laws Taking Effect in 2025 and Ensuing Compliance Complexities

The United States continues to operate without a comprehensive federal consumer privacy law as the American Privacy Rights Act remains subject to further amendments and uncertainty. Consequently, nineteen states enacted comprehensive consumer privacy legislation, of which eight are becoming or have become effective in 2025, and some existing state privacy laws have been amended since their enactment. This fragmented approach creates compliance complexities and operational considerations for organizations operating at state and national levels.
Comprehensive consumer privacy laws taking effect in 2025

Effective date
State comprehensive consumer privacy laws

January 1, 2025
• Delaware Personal Data Privacy Act
• Iowa Consumer Data Protection Act
• Nebraska Data Privacy Act
• New Hampshire Senate Bill 255

July 1, 2025
• Tennessee Information Protection Act

July 31, 2025
• Minnesota Consumer Data Privacy Act

October 1, 2025
• Maryland Online Data Privacy Act

General requirements across each law
Each state law mandates distinct, jurisdiction-specific obligations on regulated organizations, which generally include the following:
Consumer rights: Each state law grants consumers certain privacy rights. While consumers’ privacy rights vary from state to state, consumers may be granted the right, subject to certain exceptions, to: (1) access, correct and delete data that an organization collects from or about them; (2) opt out of further data processing; (3) obtain data portability and direct the transfer of their personal information; and (4) restrict and limit the use and disclosure of sensitive personal information.
Organizational compliance obligations: Each state law also imposes certain obligations on regulated entities acting as data controllers (i.e., entities that control the purpose and means of processing personal data) and data processors (i.e., third parties that process data under the direction and control of data controllers, such as service providers or vendors). Regulated organizations acting as data controllers may be obligated to, among other things, respond to consumer privacy requests, implement reasonable technical and organizational security measures, and provide consumers with a notice of privacy practices and a mechanism through which consumers may opt out of data processing.
Key compliance considerations
In light of the complexities highlighted above, organizations should reflect on the following compliance considerations:

Whether your organization’s corporate policies are compliant with new privacy legislation.

With several new legislative updates, organizational corporate policies, such as privacy policies and privacy notices, may become dated and/or noncompliant with the most recent and looming updates. It is recommended practice for organizations to routinely evaluate their corporate policies to ensure compliance with any updated regulatory requirements and implement changes to the extent necessary.

Whether your organization is equipped to respond to consumer privacy requests.

Responding to consumer privacy requests may be problematic for organizations operating across multiple states due to variance among consumer privacy rights, related nuances and exceptions. Organizations should evaluate the various privacy rights and exceptions, if any, in states in which they operate and establish a playbook to implement an efficient and effective response.

Whether your organization is exempt from compliance.

Some privacy laws provide for entity-level and data-level exemptions, subject to certain nuances. An entity-level exemption generally exempts an organization based on the type of entity. For example, some states include an entity-level exemption for not for profit corporations or entities regulated by certain federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA). A data-level exemption exempts certain data that is subject to regulation under certain federal laws, such as HIPAA and the Gramm-Leach-Bliley Act.
In addition, some states have an operational threshold that an organization must meet or exceed to be subject to the relevant act. For example, in Delaware, an organization must (1) do business in the state or produce products or services that are targeted to Delaware residents, and (2) meet one of the following: (i) control or process personal data of 35,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (ii) (a) control or process personal data of 10,000 or more consumers and (b) derive more than 20% of its gross revenue from the sale of personal data.
Organizations should evaluate whether they may be exempt from certain state laws and, if so exempt, how that might impact their corporate policies and go-to-market strategies.

Speed Bump: CPPA Pulls Over Honda for Privacy Practices

It’s no surprise that the California Privacy Protection Agency (“CPPA”) has been active. They are making a strong case for being the most active state agency in the privacy arena.
Well, they just strengthened that claim in a Stipulated Final Order with American Honda Motor Company, Inc. (“Honda”) from last week. The CPPA claims that Honda’s practices were violations of the California Consumer Privacy Act and the claims are pretty surprising.
Not because they are egregious. But, mostly because it’s demonstrative of the fact that the CPPA is not giving points for “effort”.

Honda required too much information from consumers to opt-out of sale/sharing of consumer data

The CCPA allows consumers certain rights. Included in these rights are the right to opt-out of the sale or sharing of personal information, right to limit the use of sensitive personal information, and the right to delete personal information.
Honda had created a Privacy Center page to allow consumers to manage how their personal data was handled. Because Honda needed to be able to verify the information from the consumer, certain questions were asked in an attempted effort to identify the consumer and manage their personal data.
However, the CPPA felt that Honda was asking too many questions. From the order: “although Honda generally needs only two data points from the Consumer to identify the Consumer within its database, Honda’s verification process for Verifiable Consumer Requests requires the matching of more than two data points.” (emphasis in original)
According to the CPPA, the design of Honda’s Privacy Center “impairs or interferes with the Consumer’s ability to exercise those rights. The CCPA prohibits businesses from designing methods for submitting CCPA Requests that substantially subverts or impairs the Consumer’s autonomy, decisionmaking, or choice.”

Honda required too much information to allow third-party agents to opt-out on behalf of consumers

Consumers can allow third-party agents to exercise their privacy rights under the CCPA. And businesses can require the agents to provide a written authorization from the consumer to allow the third-party agents to do so.
But, businesses cannot “require the Consumer to directly confirm that they have provided the Authorized Agent permission to submit the request. Businesses may directly contact the Consumers directly in that manner only for Verifiable Consumer Requests.”
Honda, apparently, was treating all third-party requests the same and not limiting the outreach to the consumer to the Verifiable Consumer Requests.

Honda’s cookie management tool was not offering symmetrical choices

And now we enter the nit-picking section of the program.
(This is John’s opinion, not necessarily the opinion of TCPAWorld, but hey, I’m writing this, so I get to interject my opinion.)
Honda uses a third-party cookie management tool. It’s one of, if not THE, industry leader cookie management tool.
Cookie management menu pops up. And consumer has two clicks to turn off the advertising cookies: (1) click the toggle button, and (2) click the “Confirm my choices” button.
Seems reasonable.
However, if the consumer goes back to the cookie management tool at a later point, there is one button – an “Allow All” button. This button allows all the cookies to be turned back on in a single click.
THE HORROR.
Excuse me, while I clutch my pearls.
The CCPA said the single opt-in was not symmetrical in choice. “Symmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protection option because that would impair or interfere with the Consumer’s ability to make a choice.”
I get it. That’s the law. But, two clicks versus one click is absurd.
Especially, when the consumer can still opt out of individual categories of cookies in two clicks. It’s just the opt-in takes one click. (However, the user has to go back into the cookie management tool somehow, so arguably that’s an additional click.)

Honda couldn’t provide the CPPA with their contracts with advertising vendors

The CCPA requires companies that collect and disclose personal information to vendors to have specific requirements in their contracts around personal information.
However, per the Stipulated Order, Honda could not produce the contracts.
OK, so that one’s clearly on Honda.
The big takeaways from this order:

The CPPA is not joking. They are NOT going to give you points for trying to comply.
The CPPA is very aggressive. The administrative fine is a total of $632,500. Of that amount, $382,500 accounts for Honda’s conduct to a total of 153 consumers.

Read that again.
One Hundred Fifty Three Consumers accounted for a fine of $382,500.

Reliance on vendors is not going to save you from CCPA violations.
Basic contract management = Keep copies of contracts and produce them.

It’s a Wrap—The Latest from the Ninth Circuit on “Sign-In Wrap” Agreements

On February 27, 2025, in Chabolla v. ClassPass Inc., the U.S. Court of Appeals for the Ninth Circuit, in a split 2-1 decision, held that website users were not bound by the terms of a “sign-in wrap” agreement.
ClassPass sells subscription packages that grant subscribers access to an assortment of gyms, studios and fitness and wellness classes. The website requires visitors to navigate through several webpages to complete the purchase of a subscription. After the landing page, the first screen (“Screen 1”) states: “By clicking ‘Sign up with Facebook’ or ‘Continue,’ I agree to the Terms of Use and Privacy Policy.” The next screen (“Screen 2”) states: “By signing up you agree to our Terms of Use and Privacy Policy.” The final checkout page (“Screen 3”) states: “I agree to the Terms of Use and Privacy Policy.” On each screen, the words “Terms of Use” and “Privacy Policy” appeared as blue hyperlinks that took the user to those documents.
The court described four types of Internet contracts based on distinct “assent” mechanisms:

Browsewrap – users accept a website’s terms merely by browsing the site, although those terms are not always immediately apparent on the screen (courts consistently decline to enforce).
Clickwrap – the website presents its terms in a “pop-up screen” and users accept them by clicking or checking a box expressly affirming the same (courts routinely enforce).
Scrollwrap – users must scroll through the terms before the website allows them to click manifesting acceptance (courts usually enforce).
Sign-in wrap – the website provides a link to the terms and states that some action will bind users but does not require users to actually review those terms (courts often enforce depending on certain factors).

The court analyzed ClassPass’ consent mechanism as a sign-in wrap because its website provided a link to the company’s online terms but did not require users to read them before purchasing a subscription. Accordingly, the court held that user assent required a showing that: (1) the website provides reasonably conspicuous notice of the terms to which users will be bound; and (2) users take some action, such as clicking a button or checking a box, that unambiguously manifests their assent to those terms.
The majority found Screen 1 was not reasonably conspicuous because of the notice’s “distance from relevant action items” and its “placement outside of the user’s natural flow,” and because the font is “timid in both size and color,” “deemphasized by the overall design of the webpage,” and not “prominently displayed.”
The majority did not reach a firm conclusion on whether the notice on Screen 2 and Screen 3 is reasonably conspicuous. On one hand, Screen 2 and Screen 3 placed the notice more centrally, the notice interrupted the natural flow of the action items on Screen 2 (i.e., it was not buried on the bottom of the webpage or placed outside the action box but rather was located directly on top of or below each action button), and users had to move past the notice to continue on Screen 3. On the other hand, the notice appeared as the smallest and grayest text on the screens and the transition between screens was somewhat muddled by language regarding gift cards, which may not be relevant to a user’s transaction; thus, a reasonable user could assume the notice pertained to gift cards and hastily skim past it. 

Even if the notice on Screen 2 and Screen 3 was reasonably conspicuous, the majority deemed the notice language on both screens ambiguous. Screen 2 explained that “[b]y signing up you agree to our Terms of Use and Privacy Policy,” but there was no “sign up” button—rather, the only button on Screen 2 read “Continue.” Screen 3 read, “I agree to the Terms of Use and Privacy Policy,” and the action button that follows is labeled “Redeem now”; it does not specify the user action that would constitute assent to the terms. In other words, the notice needs to clearly articulate an action by the user that will bind the user to the terms, and there should be no ambiguity that the user has taken such action. For example, clicking a “Place Order” button unambiguously manifests assent if the user is notified that “by making a purchase, you confirm that you agree to our Terms of Use.” 
Accordingly, the court held that Screen 1 did not provide reasonably conspicuous notice and, even if Screen 2 and Screen 3 did, progress through those screens did not give rise to an unambiguous manifestation of assent.
The dissent noted that the majority opinion “sows great uncertainty” in the area of internet contracts because “minor differences between websites will yield opposite results.” Similarly, the dissent argued that the majority opinion will “destabilize law and business” because companies cannot predict how courts are going to react from one case to another. Likewise, the dissent expressed concern that the majority opinion will drive websites to the only safe harbors available to them—clickwrap or scrollwrap agreements.
While ClassPass involved user assent to an arbitration provision in the company’s online terms, the issue of user assent runs far deeper, extending to issues like consent to privacy and cookie policies—a formidable defense to claims involving alleged tracking technologies and wiretapping theories. Notwithstanding the majority’s opinion, many businesses’ sign-in wrap agreements will differ from the one at issue in the lawsuit and align more closely with the types of online agreements that courts have enforced. Nonetheless, as the dissent noted, use of a sign-in wrap agreement carries some degree of uncertainty. Scrollwrap and clickwrap agreements continue to afford businesses the most certainty.

Common Privacy Pitfalls in M&A Deals

Many expect that deal activity will increase in 2025. As we approach the end of the first quarter, it is helpful to keep in mind privacy and data security issues that can potentially derail a deal. We discussed this in a webinar last week, where we highlighted issues from the buyer’s perspective. We recap the highlights here:

Take a Smart Start Approach: Often when privacy “specialists” are brought into deals, it is without a clear understanding of the goal of the deal and post-acquisition plans. Keeping these in mind can be crucial to conducting appropriate and risk-based diligence. (Along with having a clear understanding of the structure of the deal.) Questions to ask include the extent to which the target will be integrated into the buyer. Or, whether privacy assets (mailing lists) are important to the deal. 
Conducting Diligence: Diligence can happen on a piecemeal basis. There are facts about the target that can be discovered even before the data room opens. What information has it shared about operations and products on its website? Has there been significant press? Any publicly announced data breaches? What about privacy or data security related litigation? When submitting diligence question lists, keep the scope of the deal in mind. What are priority items that can be gathered, and how can that be done without overwhelming the target?
Pre-Closing Considerations: There are some obvious things that will need to happen before closing, like reviewing and finalizing deal documents and schedules. There may also be privacy-specific issues, such as addressing potential impediments to personal information transfers.
Post-Closing Integration: In many deals, the privacy and cybersecurity team is not involved in the integration process. Or, a different team handles these steps. Issues that might arise, and can be anticipated during the deal process, include understanding the data and processes that will be needed post integration, and the personnel who can help (whether at the target or buyer).

Putting It Into Practice: Keeping track of the intent of the deal and the key risks can help the deal flow more smoothly. This checklist can help with your next transaction.

Enforcement Update: Regulatory Attention Focused on Deletion Requests

Data protection authorities worldwide are intensifying their focus on individuals’ rights to have their personal data deleted. This heightened regulatory attention underscores the importance of organizations implementing robust compliance mechanisms to handle deletion requests effectively. For example:

In October 2023, California enacted pioneering legislation to strengthen consumer data protection. The California Delete Act (Senate Bill 362), signed into law in October 2023, establishes a centralized mechanism for consumers to request the deletion of their personal information held by data brokers. Under this law, data brokers are mandated to register annually with the California Privacy Protection Agency (CPPA) starting January 2024 and to process deletion requests submitted through the centralized platform beginning August 2026. This legislation aims to simplify the process for consumers to manage their personal data and imposes stringent requirements on data brokers to ensure compliance. Since November 2024, the CPPA has fined seven data brokers for failing to register and to pay the annual fee required under the California Delete Act.
In March 2025, Oregon released an enforcement report highlighting that “the number one right consumers have requested and been denied, is the right to delete their data.”
In March 2025, the European Data Protection Board (EDPB) initiated its Coordinated Enforcement Framework (CEF) action, centering on the right to erasure, commonly known as the “right to be forgotten,” as stipulated in Article 17 of the General Data Protection Regulation (GDPR). This initiative involves 32 Data Protection Authorities (DPAs) across Europe collaborating to assess and enhance compliance with erasure requests. Participating DPAs will engage with various data controllers, either by launching formal investigations or conducting fact-finding exercises, to scrutinize how these entities manage and respond to erasure requests, including the application of relevant conditions and exceptions. The findings from these national actions will be collectively analyzed to facilitate targeted follow-ups at both the national and EU level.

These developments reflect a broader global trend toward empowering individuals with greater control over their personal data and ensuring that organizations uphold these rights. For businesses, this signifies a need to evaluate and, if necessary, enhance their data management practices to comply with evolving regulatory standards concerning data deletion requests.
Given the intensified regulatory focus on data deletion rights, organizations worldwide should consider proactively assessing and strengthening their data protection practices. By implementing robust mechanisms to handle deletion requests effectively, businesses may not only ensure compliance with current regulations but also build trust with consumers who are increasingly concerned about their privacy rights.

KEEPING UP: Kardashian Brand Sued in TCPA Call Timing Class Action

When Kim Kardashian said, “Get up and work”, the TCPA plaintiff’s bar took that seriously. And another Kardashian sibling may be facing the consequences.
We at TCPAWorld were the first to report on the growing trend of lawsuits filed under the TCPA’s Call Timing provisions, which prohibit the initiation of telephone solicitations to residential telephone subscribers before 8 am and after 9 pm in the subscriber’s time zone. Call it a self-fulfilling prophecy or just intuition honed by decades of combined experience, but these lawsuits show no signs of slowing down.
In Melissa Gillum v. Good American, LLC. (Mar. 11, 2025, C.D. Ca), Plaintiff alleges that Khloe Kardashian’s clothing brand Good American sent the following text messages to her residential telephone number at 07:15 AM and 06:30 AM military time:

Of course, Plaintiff alleges she never authorized Good American to send her telephone solicitations before 8 am or after 9 pm.
Plaintiff also seeks to represent the following class:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
The consensus here on TCPAWorld is that calls or text messages made with prior express consent are not “telephone solicitations” and likely not subject to Call Time restrictions. We’ll have to see how these play out but stay tuned for the latest updates!

NO SMOKING UNTIL 8 AM: R.J. Reynolds Burned By TCPA Time-Of-Day Class Action Lawsuit

Hi TCPAWorld! R. J. Reynolds Tobacco Company—the powerhouse behind Camel, Newport, Doral, Eclipse, Kent, and Pall Mall—is back in court. This time, though, it isn’t about the usual allegations against Big Tobacco. Instead, the plaintiff accuses the company of violating the TCPA’s time-of-day restrictions and causing “intrusion into the peace and quiet in a realm that is private and personal to Plaintiff and the Class members.” Vallejo v. R. J. Reynolds Tobacco Company, 8:25CV00466.
Under the TCPA, telemarketing calls or texts can’t be made before 8 a.m. or after 9 p.m. (local time for the recipient). We’ve been seeing a lot of these time-of-day cases pop up lately:

 IN HOT WATER: Louisiana Crawfish Company Sued Over Early-Morning Text Messages – TCPAWorld
IT WAS A MATTER OF TIME: Another Company Allegedly Violated TCPA Time Restrictions. – TCPAWorld
TIME OUT!: NFL Team Tampa Bay Buccaneers Hit With Latest in A Series of Time Restriction TCPA Class Action – TCPAWorld
SOUR MORNING?: For Love and Lemons Faces TCPA Lawsuit Over Timing Violations – TCPAWorld
TOO LATE: 7-Eleven Sued in TCPA Class Action for Allegedly Failing to Comply With Call Time Limitations–And This Is Crazy If its True – TCPAWorld

Here, in Vallejo v. R. J. Reynolds Tobacco Company, however, the plaintiff claims he received early-morning marketing texts around 7:15 a.m. and 7:36 a.m., local time. The complaint further alleges that he “never signed any type of authorization permitting or allowing Defendant to send them telephone solicitations before 8 am or after 9 pm,” though it doesn’t actually say he withheld consent entirely for these messages.
The plaintiff seeks to represent the following class:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
As I’ve said before, from my reading of the TCPA, these time-of-day restrictions apply specifically to “telephone solicitations,” meaning calls or texts made with the recipient’s prior consent or within an existing business relationship might be exempt. Since the plaintiff doesn’t deny consenting to these texts in the first place, we’ll have to keep an eye on this lawsuit to see if the Central District of California agrees with that interpretation.

COMPLAINTS ABOUT COMPLAINTS: Defendant Granted Leniency from Burdensome Discovery Production

Discovery disputes are a big part of TCPA cases and, practically speaking, it can be exceptionally difficult for defendants to produce all documents requested by TCPA plaintiffs… for several reasons. Requests for production and interrogatories tend to be worded as broadly as possible (generally to seek class information). Then, even with discovery requests that are agreed upon by the parties, the practical difficulty of obtaining and producing the requested material can range from difficult to nearly impossible.
In Nock v. PalmCo Administration, LLC, No. 1:24-CV-00662-JMC, 2025 WL 750467 (D. Md. Mar. 10, 2025), the District Court of Maryland showed leniency to the defendant, although it still ordered the defendant to at least attempt to produce nearly every material that the plaintiff had requested.
For some context, the plaintiff alleged that the defendant had violated 47 U.S.C. § 227(c), the Do Not Call (“DNC”) provision of the TCPA, and Md. Com. Law § 14-320, Maryland’s analogous DNC law. Id. at *1. An informal discovery dispute was brought before the court based on the defendant’s purportedly incomplete responses to the plaintiff’s discovery requests. Id.
Firstly, the court found that an interrogatory seeking “all complaints ‘regarding [the defendant’s] marketing practices’” unreasonably burdened the defendant—since complaints relating to all marketing practices would clearly turn up material unrelated to the case’s subject matter. Id. at *2. However, the court still ordered production of all complaints related to the case’s subject matter. Id. at *3.
Secondly, the plaintiff sought production of documents that had previously been ordered by the court. Id. However, one of the categories of documents was outside the defendant’s possession—data from one of its vendors. Id. As the defendant demonstrated “reasonable efforts to obtain the requested information,” the court allowed the defendant to send one more email request to furnish missing data from the third-party vendor to fulfill the defendant’s obligations under the previous court order. Id.
Although this specific request did not fall under retention requirements, it is worth a reminder that the statutory Telemarketing Sales Rule recently expanded what records must be kept for all telemarketing calls.
Thirdly, the plaintiff sought records of all communications between the defendant and a third-party vendor. Id. Similarly, the court was lenient with the defendant, even though the defendant had already missed a court ordered production deadline on those communications. Id. The defendant was still ordered to produce the communications within thirty days, but the court was understanding of the practical difficulties in producing all said communications. Id. at *3-4.
That is all for this order. However, the TCPA keeps seeing new rules and requirements. Most urgently, we are now less than a month away from new revocation rules coming into effect. Be ready for those changes as they are set to be implemented on April 11, 2025!

Even With FCC 1:1 Gone, the CMS 1:1 Rule is Still Standing

Obviously, a lot going on in the lead gen space over the last six weeks. The biggest change of all is the FCC’s one-to-one rule being vacated. The pivot the industry had to make immediately after that ruling affected so many businesses.
But, one thing that did not change was CMS’s requirement for one-to-one consent to share personal beneficiary data between TPMOs. This is true even though CMS’s guidance throughout the summary of the rule was all based on the FCC’s one-to-one rule.
As a reminder:

CMS requires individualized consent: Beneficiary consent for data sharing must be obtained on a specific, one-to-one basis, with clear and easily understood disclosures.
The key to obtaining consent is transparency: CMS mandates that beneficiaries understand:

Where their personal data is being shared.
The specific purpose of the contact they are consenting to, and
The identity of the entity that will be contacting them.

CMS Consent is Broader than the FCC’s proposed 1:1 consent: The CMS consent rule has a wider scope than the proposed 1:1 consent in the TCPA because it also applies to manually dialed calls.
Opt-In Consent is Mandatory: CMS requires an opt-in consent model, meaning the default should be that data is not shared, and the beneficiary must affirmatively choose to allow sharing.
Separate Legal Entities Require Explicit Consent: TPMOs cannot share beneficiary data with a TPMO that is a different legal entity without the beneficiary’s prior express written consent. This applies even to affiliated agents within the same marketing organization.

While the industry took a collective sigh of relief when the TCPA’s 1:1 rule was vacated, those TPMOs under CMS’s purview must remain diligent. And, new CMS rules should be announced within the next few weeks, so stay tuned.

For Whom the Bell Tolls? The Impact of Wisconsin Bell v. United States ex rel. Todd Heath and United States v. Regeneron Pharmaceuticals Inc. on False Claims Act Litigation

The Supreme Court’s decision in Wisconsin Bell v. United States ex rel. Todd Heath clarifies what constitutes a “claim” under the federal False Claims Act (FCA). At issue in Wisconsin Bell was whether reimbursement requests submitted to the FCC’s “E-Rate Program” are considered “claims” under the FCA. The U.S. Supreme Court agreed that they were, finding that the plaintiff’s liability theory could move forward.
While the issues presented in Wisconsin Bell occurred in the context of the FCC, the implications of the Court’s decision appear to extend far beyond—reaching industries frequently targeted for FCA enforcement, such as health care, aerospace, defense, energy and others involving government contracts (like cybersecurity). As in years past, SCOTUS’s docket and Wisconsin Bell reflect the continued significance of FCA litigation and its importance to the government’s recovery of funds. Therefore, all companies that receive federal funds, particularly in highly regulated industries such as health care, should be interested in understanding this ruling and its impact.
Wisconsin Bell had argued that it could not be exposed to FCA liability because the E-rate program, congressionally mandated to help certain schools and libraries afford internet and telecommunications, is administered by a private nonprofit organization and funded by government-mandated payments from private telecommunications carriers into the Universal Service Fund (USF). But the Court ruled narrowly that, because the U.S. Treasury itself had provided $100 million to the USF, through its collection of delinquent debts to the USF and related penalties and interest, as well as other settlements and criminal restitution payments, the federal government did “provide” a portion of the funds at issue, so the whistleblower’s allegations are thus covered under the FCA.
One point of interest is the concurrence from Justice Kavanaugh (with Thomas concurring), who renewed their questions about the constitutionality of the FCA’s qui tam provisions (and thereby invited future challenges), writing in Wisconsin Bell that “the [False Claims] Act’s qui tam provisions raise substantial constitutional questions under Article II. … [I]n an appropriate case, the Court should consider the competing arguments on the Article II issue.” Ultimately, though, it was a unanimous decision, in which the Supreme Court found that E-Rate reimbursement requests were “claims” under the FCA.
Another interesting aspect is that the Court’s decision was notably narrow, relying on the U.S. Treasury’s supply of a $100 million ancillary sliver of overall USF funding, which totals nearly $10 billion annually. Justice Thomas’s concurrence (with Justice Kavanaugh concurring, and Justice Alito concurring in part) highlights the limits of this approach, observing that, “the Government paid scant attention to the fact that courts historically have not applied the FCA to cover fraud on nongovernment entities unless the Government itself will face a financial loss.” And, the Court’s opinion itself forewarns that issues of, “whether (and, if so, how) the amount of money the Government deposited should limit the damages Heath can recover” are likely to emerge if Heath ultimately prevails.
The narrow holding was necessary because, as the Court explained, larger questions as to the constitutionality of the USF under the nondelegation doctrine are looming in a separate case, Consumers’ Research v FCC, Docket Nos. 24-354, 24-422 (set for oral argument on March 26, 2025). Notably, Justice Thomas’s concurrence sends a warning shot for the Government in that case, questioning the implications of its other two arguments – either that the entire USF constitutes government funds, or that the private, non-profit USF administrator is an agent of the United States – for those constitutional questions, and for compliance with a separate statute, the Government Corporation Control Act. Those answers are likely to affect Heath’s potential for eventual recovery. (The fact that Justice Kavanaugh – seen as a potential swing vote in Consumers’ Research – joined this concurrence may also be an ominous portent for the future of the USF as currently constituted. See our recent Client Alert for more details about the issues presented in the Consumers’ Research case.)
In another recent and important FCA decision, United States v. Regeneron Pharmaceuticals Inc., the First Circuit joined some other courts of appeal in holding that the “but-for” causation standard applies when purported Anti-Kickback Statute (AKS) violations result in FCA violations. This is a commonly used theory because it allows plaintiffs to allege that when a relationship becomes tainted by kickbacks then all reimbursement claims to a federal payor that follow are tainted and fraudulent, triggering FCA liability.
In Regeneron Pharmaceuticals Inc., the First Circuit had to evaluate competing arguments from the government and defendant about whether the 2010 amendments to the AKS effectively changed the proof requirements under this theory. As the court explained,
Regeneron argued that, under the 2010 amendment, the government “b[ore] the burden of proving that an AKS violation … actually caused [a] physician to provide different medical treatment (and thus caused the false claims).” United States v. Regeneron Pharms., Inc., No. 20-11217, 2023 WL 6296393, at *10 (D. Mass. Sept. 27, 2023). In other words, Regeneron asserted that the phrase “resulting from” in the 2010 amendment imposed a “‘but-for’ causation standard.” Id. The government disagreed, and it urged the district court to adopt the Third Circuit’s view that “all that is required to prove a causal link [under the 2010 amendment] is that ‘a particular patient is exposed to an illegal recommendation or referral and a provider submits a claim for reimbursement pertaining to that patient.’” Id. (quoting United States ex rel. Greenfield v. Medco Health Sols., Inc., 880 F.3d 89, 100 (3d Cir. 2018)).

After evaluating various textual arguments asserted by the government, the First Circuit found that there was no good reason “to deviate from the default presumption that the phrase ‘resulting from’ as used in the 2010 amendment imposes a but-for causation standard” and that “to demonstrate falsity under the 2010 amendment, the government must show that an illicit kickback was the but-for cause of a submitted claim.”
Since there is a clear circuit court split on this issue, it is ripe for certiorari by the Supreme Court.
Since False Claims Act plaintiffs are motivated by the potential of obtaining significant bounties by suing companies and individuals that do business with government agencies and affiliates, these and other recent decisions underscore the continued importance for companies that receive federal funds to have robust compliance plans and take appropriate steps to avoid becoming embroiled in these bet-the-company cases.

GRAB THE POPCORN: Regal’s Marketing Texts Just Premiered in a TCPA Blockbuster!

Grab your popcorn, here’s a quick case alert for you. Regal Cinemas just found itself in the middle of a legal thriller, and this one is playing out in the Central District of California instead of the big screen. See Hensley v. Regal Cinemas, Inc., No. 8:25-cv-00468 (C.D. Cal. Mar. 11, 2025). Here, we have a moviegoer suing the theater giant, claiming they were bombarded with promotional text messages before 8 a.m., breaking the rules set by the TCPA.
We are not just talking about a single rogue text. According to the Complaint, Regal allegedly sent off four early morning marketing messages, including two that landed at 7:21 and 7:22 in the morning. Instead of waking up to a quiet morning, Plaintiff was greeted with ads for free popcorn, extra Crown Club credits, and something called Funnel Fangs. Curious enough, I had to look into what these Funnel Fangs are and apparently they are funnel cake fries with red icing… which sound pretty good. Nothing like getting a promo for deep-fried snacks before you have even had your first sip of coffee.
But here is where things get sticky, like the bottom of a theater floor after a late-night screening. As we know, strict guidelines under the TCPA prohibit businesses from sending telemarketing messages before 8 a.m. or after 9 p.m. However, allegedly Regal rolled the credits on that rule and kept the marketing show going anyway.
This is no small popcorn flick. This is a class action lawsuit, meaning thousands could have been hit with these early morning texts. And the timing could not be worse, no pun intended. TCPA lawsuits are exploding faster than a bag of extra-butter popcorn in a hot microwave. More TCPA class actions were filed in the first ten days of March than in all of March last year! 
Lawsuits over time-restricted messages keep rolling in, proving that plaintiffs’ lawyers are watching compliance missteps like hawks. Companies are learning the hard way that when they ignore TCPA rules, the lawsuits come in faster than a summer blockbuster lineup.

CAPITAL ONE SUED: Plaintiffs Allege 17 Separate Causes of Action in New Website Tracking Case

Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025) has raised some serious allegations against Capital One (“Defendant”), accusing the financial giant of secretly intercepting and sharing sensitive personal information through third-party tracking technologies on its website.
According to a group of plaintiffs, led by the somewhat seasoned Vishal Shah (see INVISIBLE DATA, REAL CONSEQUENCES: Navigating the IP Consent Dilemma – CIPAWorld), these trackers “instantaneously and surreptitiously” captured communications between users and the site, sending personal details to companies like Google, Microsoft, Adobe, Facebook, and others. The information allegedly shared included everything from employment and bank account details to credit card application status and browsing activities.
The Plaintiffs claim they never authorized sharing of their personal and financial data with these third or fourth parties for marketing and sales purposes. In the complaint, the Plaintiffs highlight specific privacy concerns, particularly with the targeted advertising section of Capital One’s Privacy Policy. The Policy states:
“We and our third-party providers may collect information about your activities on our Online Services and across different websites, mobile apps, and devices over time for targeted advertising purposes. These providers may then show you ads, including across the internet and mobile apps, and other devices, based in part on the information they have collected or that we have shared with them.”

The Plaintiffs argue that Capital One’s practices go well beyond what they ever agreed to in the company’s Privacy Policy. While the Privacy Policy does include an option to opt out of targeted advertising, this opt-out only applies to the “specific browser or device” used, meaning users may allegedly still be tracked across other platforms.
In total, the Complaint outlines a staggering 17 different causes of action, ranging from constitutional privacy violations to property claims. In response to these allegations, Capital One has filed a motion to dismiss the complaint in its entirety, along with all 17 claims brought forth by the Plaintiffs.
So, buckle in, and let’s go through them.

Threshold Issues

Defendant sought to dismiss the entire Complaint for two overarching reasons: (1) the Complaint’s exhibits conflict with Plaintiffs’ key allegations and (2) Plaintiffs fail to allege that Defendant disclosed Plaintiffs’ personal information and financial information. 

Conflict between allegations of unauthorized disclosure and Privacy Policy attached to the Complaint.

Defendant contended that Plaintiffs’ allegations directly conflict with Defendant’s Privacy Policy because Defendant discloses that it releases customer information for third party marketing. However, the Court noted that while the Privacy Policy states that it collects information about a customer’s internet activities, it does not state that it releases that customer’s personal information such as employment information and credit card preapproval or approval status, which Plaintiffs allege is collected and shared. Therefore, the Court found that the Privacy Policy did not directly conflict with Plaintiffs’ allegations. 
Defendant also argued that Plaintiffs consented to the disclosure of their personal information, that Defendant provided sufficient opt out instruction, and that the disclosures did not involve fourth parties. The Court found that the issue of consent was a factual question and declined to decide it at the pleadings stage.

Sufficiency of allegations as to disclosure of personal and financial information.

For the second threshold issue, Defendant argued that Plaintiffs failed to allege specific disclosures of their personal and financial information. The Court found that they did. For instance, Plaintiffs alleged that they interacted with Defendant’s website, which they alleged contained third party trackers. They alleged that they put their personal and financial information, including employment information, bank account information, citizenship status, and credit card preapproval or eligibility, into Defendant’s website and then received targeted third- and fourth-party marketing ads. They also alleged that, as a result of using Defendant’s website, their information was transmitted to third party trackers such as Google, Microsoft, and Meta, without their consent. The Court found these factual allegations sufficient to allege the disclosure of Plaintiff’s personal information and denied Defendant’s motion to dismiss as to the second threshold issue.

Plaintiffs’ Negligence Claims.

Defendant first argued that Plaintiffs have not identified a duty owed by Defendant arising under the Gramm-Leach-Bliley Act (“GLBA”) or the Federal Trade Commission (“FTC”) Act, because neither statute provides a private right of action. The Court dismissed this argument as the Defendant conflated negligence and negligence per se, with only the latter being concerned with a statutorily identified duty. 
Further, the Court evaluated the California factors for determining whether a valid duty of care exists and found that Plaintiffs did allege such a duty by alleging that they placed trust in Defendant to protect their personal information, which Defendant then disclosed.
Next, the Court turned to the economic loss doctrine, which prohibits recovery of purely pecuniary or commercial losses in tort actions. While Defendant argued that the economic loss rule bars Plaintiffs’ negligence claims, the Court found that Plaintiffs also plead non-economic harms such as lost time and money incurred to mitigate the effect of the use of their information. Accordingly, the Court denied Defendant’s motion to dismiss as to negligence.

Plaintiffs’ Negligence Per Se Claims.

The doctrine of negligence per se creates an evidentiary presumption that affects the standard of care in a cause of action for negligence. Defendant next argued that negligence per se is not a standalone cause of action. The Court agreed and held that because Plaintiffs brought a negligence per se cause of action in addition to a negligence claim, the negligence per se claim was not proper. Accordingly, the Court granted Defendant’s motion to dismiss the negligence per se claim without leave to amend.

Plaintiffs’ Invasion of Privacy Claim under the California Constitution.

To state a claim for invasion of privacy under the California Constitution, plaintiffs must show that they possess a legally protected privacy interest, they maintain a reasonable expectation of privacy, and the intrusion is so serious as to constitute an egregious breach of social norms.
The Court determined that regardless of whether Plaintiffs possessed a legally protected privacy interest or maintained a reasonable expectation of privacy in this case, the alleged disclosure of employment information, bank account information, and preapproval or approval for a credit card does not rise to the level of an “egregious breach of social norms.” The Court granted Defendant’s motion to dismiss as to the California constitutional privacy claim without prejudice.

Plaintiffs’ Comprehensive Computer Data Access and Fraud Act (“CDAFA”) and the Unfair Competition Law (“UCL”) Claim.

The CDAFA prohibits certain computer-based conduct such as knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network. The CDAFA provides that only an individual who has suffered damage or loss due to a violation of the statute may bring a civil action. Similarly, the UCL prohibits “unlawful, unfair or fraudulent business act or practice.” To have standing under the UCL, a plaintiff must establish that they suffered an injury in fact and lost money or property as a result of the wrongful conduct. 
Here, Plaintiffs stated that they had a property interest in their personal information and that they lost money and property when Defendant disclosed their personal information to third parties. However, the Court determined that Plaintiffs’ personal information does not constitute property. Additionally, Plaintiffs did not plead that they “ever attempted or intended to participate in the market for the information” Defendant allegedly disclosed, or that they derived economic value from that information. Further, the Court held that even an argument that Plaintiffs experienced a diminution of the value of their private and personal information would not confer standing. Accordingly, the Court granted Defendant’s motion to dismiss for lack of standing as to the CDAFA and the UCL without prejudice.

Plaintiffs’ California Consumer Privacy Act (“CCPA”) Claims.

The CCPA imposes a duty on businesses to implement and maintain reasonable security practices to protect consumers’ personal information. While it is generally enforced by the California Attorney General, it also provides a limited private cause of action for any consumer whose personal information is subject to unauthorized access or disclosure as a result of a security breach. Courts, however, have also permitted CCPA claims to survive a motion to dismiss in cases where the plaintiff does not allege a data breach, but instead alleges that the defendants disclosed plaintiff’s personal information without consent by failing to maintain reasonable security practices.
In this case, because Plaintiffs allege that Defendant allowed third parties such as Google and Microsoft to embed trackers on its website and that these trackers transmitted Plaintiffs’ personal information, the Court held that Plaintiffs need not allege a data breach. Accordingly, the Court denied Defendant’s motion to dismiss as to the CCPA claim.

Plaintiffs’ California Customer Records Act (“CRA”) Claims under §§ 1798.81.5 and 1798.82 of the California Civil Code.

The CRA regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information. It requires businesses to “maintain reasonable security procedures and practices appropriate to the nature of the information” and to protect “personal information from unauthorized access, destruction, use, modification, or disclosure.”
The Court first addressed Plaintiffs’ CRA claim under § 1798.81.5. Defendant argued that because it is a financial institution, it is exempt from liability for any violations under this provision. See Cal. Civ. Code § 1798.81(e)(2) (exempting financial institutions from liability under section 1798.81.5). Plaintiffs, however, alleged that Defendant is a business within the meaning of § 1798.81.5(b). The Court sided with Defendant and granted its motion to dismiss without leave to amend as to Plaintiffs’ § 1798.81.5 claims.
The Court next addressed Plaintiffs’ CRA claim under Section 1798.82, which requires a business to disclose a breach of security systems to customers. Plaintiffs allege that the CRA applies because Defendant knew that Plaintiffs’ information was acquired by unauthorized persons and failed to disclose it to Plaintiffs. However, there must be a breach of security to show a CRA claim. See Cal. Civ. Code § 1798.82(a) (stating that a person or business shall “disclose a breach of security of the system following discovery or notification of the breach”). Further, a claim under section 1798.82 is not actionable for the breach itself but instead for the “unreasonably delayed notification,” so Plaintiffs must allege when the breach occurred. Here, the Court held that Plaintiffs not only failed to allege that there was a breach of security but also failed to allege when Defendant became aware of the alleged breach.
Accordingly, the Court granted Defendant’s motion to dismiss as to the CRA section 1798.82 claim without prejudice.

Plaintiffs’ Breach of Express Contract Claim.

The Court found that Plaintiffs did not state a claim as to the breach of express contract because, while they alleged that they entered a contract with Defendant, they failed to cite to any specific section of the contract that Defendant allegedly violated. Instead, Plaintiffs stated generally that Defendant breached its express contract with Plaintiffs “to protect their nonpublic personal information.” Questioning where in the contract Defendant agreed to protect their nonpublic personal information or when Defendant explicitly promised not to disclose their data, the Court granted Defendant’s Motion to Dismiss as to the breach of express contract without prejudice.

Plaintiffs’ Breach of Implied Contract Claim.

Plaintiffs alleged that they had an implied contract with Defendant that it would keep their personal information confidential. However, once again, Plaintiffs did not state a claim because they failed to expand on the nature of the implied contract. Plaintiffs also fail to differentiate the express contract claim from the implied contract claim – the Court noted that Plaintiffs must elaborate on whether the implied contract involves separate promises from the express contract because Plaintiffs cannot allege both an express contract and an implied contract on the same matter. Accordingly, the Court granted Defendant’s motion to dismiss as to breach of implied contract without prejudice.

Plaintiffs’ Breach of Confidence Claim.

For the same reason as above, the Court held that Plaintiffs do not state a claim as to breach of confidence because they allege the existence of both express and implied contracts, and the express contract precludes the breach of confidence claim. The Court dismissed the Plaintiffs’ claim without prejudice.

Plaintiffs’ Unjust Enrichment Claim.

The Court acknowledged the “somewhat unclear” nature of unjust enrichment claims in California, but, noting that both the Ninth Circuit and the California Supreme Court have allowed independent claims for unjust enrichment to proceed, allowed Plaintiffs’ claim to proceed on the basis of the allegations that Defendant benefited from using Plaintiffs’ information and that Plaintiffs’ remedies at law are inadequate.

Plaintiffs’ Bailment Claim.

Bailment is generally defined as the deposit of personal property with another, usually for a particular purpose. The Court held that Plaintiffs have not alleged a deposit of personal property that falls within the scope of bailment because they only allege that they deposited their personal information. The Court cited Worldwide Media, Inc. v. Twitter, Inc., 17-cv-07335-VKD, 2018 WL 5304852 (N.D. Cal. Oct. 24, 2018) and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012), both finding that personal information is not something that can be delivered or taken custody of and later returned. Accordingly, the Court granted Defendant’s motion to dismiss as to bailment with prejudice.

Plaintiffs’ Claim for Declaratory Judgment.

The Court acknowledged Defendant’s contention that the declaratory judgment claim is duplicative of other claims but held that Plaintiffs may still bring it as it is predicated on their negligence claim. Therefore, the Court denied Defendant’s motion to dismiss as to declaratory judgment.

Plaintiffs’ Electronic Communications Privacy Act (“ECPA”) Claim.

The ECPA prohibits unauthorized interception of an electronic communication. To state a claim, a plaintiff must allege that the defendant intentionally intercepted the contents of plaintiff’s electronic communications using a device. The one-party consent exemption provides that it is not unlawful for a person to intercept a wire, oral, or electronic communication when that person is a party to the communication or when a party to the communication has consented to interception, unless the interception is to commit a crime or a tort.
Defendant argued that the “one-party consent exemption” applies because Defendant was a party to the communications. However, because Plaintiffs alleged that Defendant intercepted the contents of the communications for an unauthorized purpose, which resulted in tortious acts, the Court held that the one-party exemption does not apply.
Another reason that the one-party exemption does not apply is because the issue of whether Plaintiffs consented to Defendant’s conduct is at the center of the dispute – and this is a factual determination. Accordingly, the Court denied Defendant’s motion to dismiss as to the ECPA.

Plaintiffs’ CIPA Claims

Plaintiffs allege that Defendant violated both §§ 631 and 632 of CIPA. 

Plaintiffs’ § 631 claims.

§ 631(a)(2) applies to anyone who reads, or attempts to read or to learn, the contents of a communication while it is in transit and without the consent of all parties to the communication. Defendant argues that Plaintiffs’ claims under § 631 fail because Plaintiffs consented to the data sharing practices in the Privacy Policy, do not allege that any third party read a communication “in transit,” and do not allege that Defendant disclosed “contents” of a communication.
As for the first issue, because this once again involves factual determination of consent, the Court held that Plaintiffs’ allegations were sufficient for the pleadings stage. The Court also held that Plaintiffs plausibly alleged that Defendant intercepted communications while they were in transit by describing how Defendant allegedly installed third-party trackers on its website. Finally, Plaintiffs stated that the communication included personal information, which is a “content” under CIPA. As a result, the Court found that Plaintiffs sufficiently stated a claim as to § 631.

Plaintiffs’ § 632 claims.

§ 632 prohibits intentionally and without consent using an “electronic amplifying or recording device” to eavesdrop upon or record a confidential communication. Again, because this issue hinges on whether Plaintiffs consented to Defendant’s disclosure, the Court found that Plaintiffs’ allegations are sufficient for purposes of a motion to dismiss.
Accordingly, the Court denied Defendant’s motion to dismiss as to the CIPA.

Plaintiffs’ Stored Communications Act Claim.

The Stored Communications Act created a private right of action against anyone who intentionally and without authorization (or in excess of their authorization) accesses a facility through which an electronic communications service is provided. The Stored Communications Act, however, only provides liability for a provider that is a “remote computing services” or “electronic communication services.” Plaintiffs alleged in the complaint that Defendant is an electronic communication service because it “intentionally procures and embeds” Plaintiffs’ personal information through the tracking technology on Defendant’s website. However, the Court held that Defendant is not an electronic communication service because its website does not allow customers to send and receive messages to third parties. The Court compared the situation here to that in In re Betterhelp, Inc., No. 23-cv-01033-RS, 2024 WL 4504527, at *2 (N.D. Cal. Oct. 15, 2024), where the defendant was found to be an electronic communication service because defendant’s customers communicated with third parties through the “conduit” of defendant’s websites. Instead, Plaintiffs here themselves stated that they were unaware of the presence of the trackers, and did not allege that they communicated with the third parties. Therefore, because Defendant’s website does not allow customers to send and receive messages to third parties, the Court held Defendant is not an electronic communication service.
Accordingly, the Court granted Defendant’s motion to dismiss as to the Stored Communications Act with prejudice.

Plaintiffs’ Computer Fraud and Abuse Act (“CFAA”) Claim.

The CFAA makes intentionally accessing a computer without authorization a federal crime. It imposes a civil liability when someone “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” unless the “object of the fraud” is less than $5,000 in any 1-year period. Plaintiffs here did not state a claim as to CFAA because they did not allege with specificity a loss of $5,000. The complaint only states that “secret transmission” of Plaintiffs’ personal information caused them loss, but it does not go into further detail. The alleged loss is therefore speculative, and insufficient for purposes of the CFAA. Accordingly, the Court granted Defendant’s motion to dismiss as to the CFAA claim without prejudice.

Takeaways

My first takeaway – if you got through all that, congratulations on your attention span. Secondly, a recurring theme in the Court’s extensive analysis is its refusal to determine issues of consent at the pleadings stage. This is nothing new or groundbreaking: the issue of consent unquestionably requires a factual investigation and is rarely, if ever, conclusive as grounds for a motion to dismiss.
On the brighter side for Capital One, the Court did agree to dismiss three of the Plaintiffs’ claims with prejudice, meaning the Plaintiffs cannot amend these claims and bring them again. These were Plaintiffs’ claims under negligence per se, bailment, and the Stored Communications Act.
The Court also granted the motion to dismiss as to Plaintiffs’ claims for invasion of privacy under the California Constitution, CDAFA, UCL, breach of express contract, breach of implied contract, breach of confidence, and CFAA, albeit with leave to amend. The California Constitution and CDAFA claims are notable for the Court’s findings that the alleged disclosures do not amount to an “egregious breach of social norms”, and that Plaintiffs’ personal information does not constitute property. This fits into a trend of Courts being somewhat hesitant to expand the scope of privacy standing where there is no “tangible” harm. Blake digs into this here: READ ALL ABOUT IT: Reuters Faces Privacy Lawsuit But The Court Finds No Story To Tell – CIPAWorld.
You can read the order here: Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025)