The TCPA Landscape in 2025: Key Developments and Compliance Priorities

The Telephone Consumer Protection Act (TCPA) continues to be a major source of litigation risk for businesses engaged in outbound marketing. In the first quarter of 2025, litigation under the TCPA surged dramatically, with 507 class action lawsuits filed — more than double the volume compared to the same period in 2024. This steep rise reflects shifting enforcement patterns and a growing emphasis on consumer communications practices. Companies should be aware of several emerging trends and evolving interpretations that are shaping the compliance environment.
TCPA Class Action Trends
In the first quarter of 2025, 507 TCPA class actions were filed, representing a 112% increase compared to the same period in 2024. April filings also reflected continued growth, indicating a sustained trend.
Key statistics:

Approximately 80% of current TCPA lawsuits are class actions.
By contrast, only 2%-5% of lawsuits under other consumer protection statutes, such as the Fair Debt Collection Practices Act (FDCPA) or the Fair Credit Reporting Act (FCRA), are filed as class actions.

This trend highlights the unique procedural and financial exposure associated with TCPA compliance.
Time-of-Day Allegations on the Rise
There has been an uptick in lawsuits alleging that companies are contacting consumers outside of the TCPA’s permitted calling hours — before 8 a.m. or after 9 p.m. local time. In March 2025 alone, a South Florida firm filed over 100 lawsuits alleging violations of these timing restrictions, many of which involved text messages.
Under the TCPA, telephone solicitations are not permitted during restricted hours, unless:

The consumer has given prior express permission;
There is an established business relationship; or
The call is made by or on behalf of a tax-exempt nonprofit organization.

It is currently unclear whether these exemptions definitively apply to time-of-day violations. A petition filed with the FCC in March 2025 seeks clarification on whether prior express consent precludes liability for messages sent during restricted hours. The FCC accepted the petition and opened a public comment period that closed in April.
Drivers of Increased Litigation
Several factors appear to be contributing to the rise in TCPA filings:

An increase in plaintiff firm activity and case volume;
Ongoing confusion regarding the interpretation of revocation rules; and
Continued complaints regarding telemarketing practices, including unwanted robocalls and text messages.

These dynamics reflect a broader trend of regulatory and private enforcement in the consumer protection space.
Compliance Considerations
Businesses should take steps to ensure their outbound communication practices are aligned with current TCPA requirements. This includes:

Documenting consumer consent clearly at the point of lead capture;
Ensuring systems adhere to permissible calling and texting times;
Reviewing policies and procedures for revocation of consent; and
Seeking guidance from counsel with experience in consumer protection laws.

Conclusion
The volume and nature of TCPA litigation in 2025 underscore the need for proactive compliance. Companies should treat consumer communication compliance as a core operational issue. Regular policy reviews, up-to-date systems, and informed legal support are essential to mitigating risk in this evolving area of law.

Pennsylvania PUC Reviews Data Center Impacts Amid New Energy Plan

Key Takeaways:

During a recent Pennsylvania Utility Commission (PUC) hearing to evaluate how the rise in data centers is impacting energy demand, grid reliability and utility regulation, stakeholders emphasized fair cost allocation for infrastructure, opposing special treatment for data centers and favoring standard tariff processes.
Primary concerns include infrastructure investment and cost allocation, generation and reliability issues, and tariff design.
Six proposed bills in connection with Governor Shapiro’s “Lightning Plan” were unveiled on the same day as the PUC hearing, aimed at modernizing Pennsylvania’s energy landscape through a carbon cap-and-invest program, expanded clean energy targets, streamlined project approvals, infrastructure tax incentives, support for rural and low-income communities, and enhanced energy efficiency rebates.

As data centers surge across Pennsylvania, the PUC is taking a closer look at their impact on energy systems and regulatory oversight. At the same time, Governor Shapiro’s Lightning Plan proposes sweeping changes to modernize the Commonwealth’s energy systems, setting the stage for potential shifts in utility law and oversight. This update explores the legal context, policy drivers and impacts that may emerge from the intersection of infrastructure growth and state energy policy.
On April 24, 2025, the PUC convened an en banc hearing to address the growing impact of data centers and other large electricity consumers on the state’s power grid. In the Motion calling for the hearing, the Chair recognized what has been a running theme across the nation for large load consumers and developers looking to attract data centers — uncertainty regarding both the interconnection timeline and the costs these users will face to procure power in the Commonwealth. 
The hearing brought together stakeholders from tech, public utility and consumer advocacy groups to discuss the opportunities presented by the rapid expansion of energy-intensive facilities and the challenges posed by the new demand on the grid. The testimony bore out three primary themes: (1) generation and reliability concerns, (2) infrastructure investment and cost allocation and (3) tariff design.
Infrastructure and Cost Allocation
Fair cost allocation was articulated as a priority by utility and data center panelists alike. The utilities explained in detail how their large load interconnection process works, including how infrastructure investment costs specific to large load customers are allocated. Panelists encouraged the PUC to avoid the creation of a data center customer class and instead rely on cost-of-service studies and rate case proceedings to ensure transparency and the proper allocation of costs to data center customers. This would mean that data centers would be customers under tariffs and not under special contracts, which are often filed for commission approval on a confidential basis.
Tariff Design
The panelists expressed differing views around a model tariff versus a policy statement. Some panelists advocated for a policy statement citing concerns around changes in the market and the potential of a model tariff that is too restrictive or cannot adapt to a changing environment. Others, particularly the statutory advocates, believe a model tariff will level the playing field for utilities serving data centers and not force the utilities to compete against each other in attracting them.
Commissioner Zerfuss noted at the end of the utility panel that she saw no difference between a model tariff and a policy statement, as both would be considered recommendations and not mandates.
Generation and Reliability
With the anticipated surge in electricity demand, the PUC acknowledged the strain on the existing grid infrastructure. The PUC emphasized that simply building more generation or transmission facilities may not suffice, advocating for a diversified approach that includes load management and demand response strategies. Panelists discussed the concept of a “bring your own generation” (BYOG) model, where data centers would provide their own power generation infrastructure, such as solar panels or wind turbines, to support their primary generation needs.
From a regulatory compliance perspective, BYOG could convert a data center to a utility, thus obligating compliance with a host of utility regulations. While some data centers are already navigating complex FERC guidelines resulting from recent FERC orders allowing them to monetize their on-site generation, a BYOG data center could also be subject to grid interconnection laws, energy trading restrictions and local zoning laws around where on-site generation can be located. It remains unclear whether BYOG would slow the development of data centers in the Commonwealth given the potential regulatory and legal obstacles that the data centers may face. There is a possibility, however, that the legal framework may change because of Governor Shapiro’s “Lightning Plan.”
The Lightning Plan 
On the day of the PUC hearing, Governor Josh Shapiro’s Lightning Plan was introduced into the General Assembly through six pieces of legislation.

The Pennsylvania Climate Emissions Reduction Act (PACER) (HB 503) introduces a cap and invest program requiring power plants to pay for their carbon emissions with 70 percent of the revenues funneled back to consumers through utility bill rebates and the rest funding low-income assistance and clean energy initiatives.
The Pennsylvania Reliable Energy Sustainability Standard (PRESS) (HB 501) aims to increase the Commonwealth’s clean energy requirement from eight to 35 percent by 2035.
The Pennsylvania Reliable Energy Siting and Electric Transition (RESET) Board (HB 502) would expedite energy project approvals by streamlining the siting and permitting process in the Commonwealth, which is one of only 12 states without a state siting and permitting entity for such projects. 
Improvements to the EDGE Tax Credit (HB 500) would add tax incentive credits for investment in energy infrastructure, including up to $100 million annually for new power plants over three years.
The community energy bill (HB 504) would support rural communities, farmers and low-income residents by promoting shared energy resources — such as methane digesters on farms — to reduce energy costs.
Modernizing energy efficiency in the Commonwealth (HB 505) through an amendment to Act 129 would provide more money to consumers in the form of rebates and incentives for buying energy efficient appliances.

Data Transactions: DOJ’s Final Rule’s Implications for Academic Medical Centers with Clinical Research Programs

The Department of Justice (DOJ) published its Final Rule to implement Executive Order 14117 on January 8, 2025, with a correcting amendment issued April 18, 2025. Executive Order 14117, issued on February 28, 2024, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” instructed the Attorney General to create regulations that ban or limit U.S. persons from participating in transactions involving property in which a foreign country or its nationals have an interest. Transactions are banned or limited if they involve U.S. government-related data or bulk sensitive personal data (as defined by the final implementing rules), fall into categories deemed by the Attorney General to pose a national security risk (with such security risk arising from potential access to data by identified countries of concern or related individuals), and meet additional criteria outlined in the Executive Order.
The Final Rule outlines categories of transactions that are either banned or limited; designates specific countries and types of individuals or entities with whom transactions involving government-related or bulk U.S. sensitive personal data are restricted; creates a system for granting, modifying, or revoking licenses for otherwise restricted activities and for issuing advisory opinions; and sets requirements for transaction recordkeeping and reporting requirements to support the DOJ’s investigations, enforcement, and regulatory actions in relation to the Executive Order. 
Academic Medical Centers (AMCs) and similar entities engaged in clinical research and international collaborations need to be aware of and determine the applicability of the regulatory requirements imposed by the Final Rule. Research partnerships involving biometric identifiers, personal health information, or genomic data may be deemed restricted or prohibited transactions if the partnerships include entities from designated countries of concern.
Summary
The Final Rule is aimed at preventing certain U.S. foreign adversaries — including China, Russia, Iran, North Korea, Cuba, and Venezuela — from accessing sensitive U.S. personal data and government-related information. 
Key Definitions. The Final Rule authorizes the DOJ to regulate and enforce restrictions on data transactions with designated “Countries of Concern” and “Covered Persons.” 

“Country of Concern” is defined to mean: 

any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce, (1) has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons, and (2) poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons. 

“Covered Person” is defined to include: (1) foreign entities that (a) are fifty percent or more owned, directly or indirectly, by countries of concern or other covered persons; or (b) are organized under the law of, or have their principal place of business in, a Country of Concern; (2) foreign entities that are fifty percent or more owned, directly or indirectly, by Covered Persons, either individuals or entities; (3) foreign individuals who are non-U.S. residents working as employees or contractors of a Country of Concern; (4) foreign individuals primarily residing in Countries of Concern; and (5) other entities or individuals as reasonably determined by the Attorney General based on certain criteria.

Categories of Covered Data. The Final Rule targets eight categories of “Covered Data,” including biometric identifiers, genomic data, health and financial data, precise geolocation information, and personal identifiers that can be linked to other sensitive data. It also includes certain government-related information, such as data tied to U.S. government personnel or the geolocation of sensitive facilities. Notably, the regulations apply regardless of data processing volume when government-related information is involved. 
Primary Types of Restricted Transactions. The DOJ identifies three primary types of restricted transactions: employment, investment, and vendor agreements. U.S. businesses must ensure foreign employees, investors, and service providers — especially those linked to Countries of Concern — do not gain access to Covered Data unless strict security protocols are met. This affects a wide range of commercial activities, from hiring and corporate deals to cloud services and software subscriptions, and likely impacts AMCs engaging in clinical research when data is shared with certain employees, research sponsors, investors and service providers. Prohibitions and restrictions of the Final Rule, however, only apply to Covered Data Transactions with a Country of Concern or Covered Person that involve access by a Country of Concern or Covered Person to government-related data or bulk U.S. sensitive personal data. The Final Rule does not regulate transactions that do not implicate access to government-related data or bulk U.S. sensitive personal data by a Country of Concern or a Covered Person.
Prohibited Transactions. Notably, under the Final Rule certain transactions are absolutely prohibited, such as those involving the sale or licensing of Covered Data to foreign entities in data brokerage arrangements, or those involving biometric data or biospecimens. 
Penalties for Non-Compliance. Violations of the Final Rule carry significant fines and penalties. Civil fines can reach the greater of US$368,136 or twice the transaction amount. Willful violations may result in criminal penalties of up to US$1 million and up to 20 years in prison.
The Bottom Line for Clinical Research. To comply with the Final Rule, AMCs must engage in rigorous and thorough diligence on proposed and existing research activities, collaborations and operations, including on their partners, clients, employees/contractors, and data recipients, to determine if a proposed or existing transaction falls within the ambit of the Final Rule. The scope and penalties for violations of and non-compliance with the Final Rule are a clear indicator that a process to determine and ensure compliance with the Final Rule will be critical for AMCs, and businesses across industries, that engage in activities and transactions involving personal or government-related data.
Implications for Academic Medical Centers with Clinical Research Programs
The Final Rule adds a new layer of regulatory compliance complexity for AMCs and similar entities engaged in clinical research and international collaborations. 

Research studies and activities, including research collaborations and partnerships involving biometric identifiers, personal health information or genomic data, may be deemed restricted or prohibited transactions if the partnerships include entities from designated Countries of Concern and/or Covered Persons. 
Existing and proposed multi-national studies and data-sharing initiatives must be reviewed to determine if the Final Rule is applicable to the study or activity, and if so, to ensure compliance. 
Additionally, AMCs must also ensure that vendors, including cloud and AI service providers, are not affiliated with Countries of Concern and that all data processing activities meet stringent new security and compliance standards. As noted above, ensuring compliance with the Final Rule will necessitate a thorough review of the AMC’s vendor contracts. 
Further, the Final Rule necessitates a reassessment by AMCs of their data-sharing policies and multi-site protocols, and will likely require the incorporation of national security-focused compliance clauses in certain data sharing agreements (such as data use agreements) and the enhancement of institutional data governance frameworks, which should be designed to avoid and mitigate any legal and regulatory exposure, and ensure that the institution is able to maintain eligibility for receipt of federal funding.

Next Steps
This Final Rule prescribes significant categorical rules that prevent U.S. persons from providing government-related data or U.S. citizens’ bulk, sensitive personal data, including through commercial data-brokerage transactions, to Countries of Concern or Covered Persons. Compliance with the Final Rule specifically necessitates that AMCs and institutions implement security measures when engaging in investment transactions, employment agreements, and vendor contracts that involve either government-related data or large-scale collections of sensitive personal data — such as health records, biometric identifiers, or financial information.
The requirements of the Final Rule are intended to prevent foreign adversaries from indirectly accessing this data through commercial relationships. By identifying these specific transaction types, the Final Rule seeks to address perceived national security gaps and provides clear, enforceable standards that define when and how data-related dealings with foreign actors are restricted.
Failure to comply with these new requirements could result in fines and penalties, regulatory scrutiny, loss of federal funding, and enforcement actions, making compliance with the Final Rule, when and as applicable to a transaction and activity, a critical compliance priority for AMCs and institutions handling large volumes of sensitive personal data.

Belgium’s Private Investigations Act: Is Your Internal Investigations Service in Focus?

In December 2024, the new Private Investigations Act came into force. The Act replaced the Private Detectives Act of 1991 and was long overdue, considering how much has changed in the world of private investigations. The 1991 law focused on detectives as sole practitioners, think Columbo or Magnum P.I., a world of uncertain ethics, periodic violence and grubby raincoats, most of which no longer exists outside the small screen. The new Act aims to modernise the applicable legal framework in light of new investigation methods and bring it into line with the General Data Protection Regulation (GDPR), though sadly not to address the traditional private detective issues of implausible dialogue and unhappy dress choices.
The Act imposes a number of obligations on employers instructing investigations on their employees, and we will discuss these changes at length in future blogs, but there is a more pressing issue we need to deal with first, and that regards your internal investigations service. The Act extends its scope from solo private detectives to all types of investigations companies but more importantly, also to internal investigations services. An internal investigations service is defined by the Act as ‘any service organised by a natural or legal person for its own purposes for the systematic performance of private investigation activities’. This definition is very wide and has prompted the legislator to exclude a number of roles and functions, such as lawyers, bailiffs and auditors.
The legislator has taken into account that in practice, internal services are often organised at group level and has therefore provided that investigation activities still qualify as internal when they are performed for the benefit of companies in the same group structure. What the legislator has seemingly not considered, however, is that international groups will often have an investigations team in one location, which is not necessarily Belgium, that will conduct all investigations for the group, including those concerning employees located in Belgium. This means that the Belgian legislator has probably also not fully realised that the registration obligation imposed by the Act may thus also extend to these internal investigations services located outside of Belgium, if their remit extends to this country.
The Act provides an exception for members of the HR team “who carry out private investigation activities on behalf of their own employer within the framework of incident investigations [not defined] involving employees of that employer”. The HR team will not be considered to perform the activities of an internal investigations service, so the registration obligation will not apply to them. The criterion of distinction would be the focus of the team: is it day-to-day HR activities, with an exceptional side activity of investigative work, or is investigation work the main focus for the team?
So what does this registration obligation entail? Internal investigations services must obtain a prior authorisation or licence from the Ministry of Interior to lawfully conduct private investigations in Belgium. The licence is granted for a renewable period of five years. It will only be awarded if the members of the team have a clean criminal record (minus some minor offences), have undergone specific training and are Belgian nationals or have their main residence in the EEA or Switzerland. This would seem to suggest the end of investigations being carried out more or less remotely by the US parents of local subsidiaries, though it is unclear at this stage just how much (substantial) advisory input into the investigation process and/or decisions there can still be from abroad so long as the team is fronted by someone satisfying the above conditions. The members of the team should also have a certain “desired profile”, meaning that they will honour individuals’ fundamental rights, be loyal and discreet, and not entertain suspicious relations with criminal organisations, etc.
The licence is awarded by the Ministry of Interior, which may or should in some cases seek the prior advice of the public prosecutor.
If an internal investigations service was already validly performing private investigation activities on the date of entry into force of the Act, 16 December 2024, it may continue to perform such services, but it will need to make a request to obtain a licence by 16 June 2025. The members of these teams will have 18 months after their company obtained a licence to undergo the required training and obtain a licence card. The specific training requirements are in fact still to be defined by Royal Decree.

TALK IS CHEAP: Summary Judgment Isn’t Interested in Rumors

Greetings TCPAWorld!
I’m back with the latest. Let’s talk about a name-dropper’s worst nightmare. The Southern District of Ohio has delivered a significant win for TCPA defendants in a recent decision emphasizing the importance of admissible evidence in telemarketing litigation. In Schwartz v. Bamz Enters., L.L.C., No. Case No: 1:23-cv-608, 2025 U.S. Dist. LEXIS 89794 (S.D. Ohio May 12, 2025), Magistrate Judge Stephanie K. Bowman recommended granting summary judgment to the defendant in a matter where callers falsely claimed to represent a legitimate business. Just saying you’re someone doesn’t make it so. This wasn’t just a procedural ruling…but a resounding endorsement of evidentiary standards that protect legitimate businesses from being dragged into litigation based solely on hearsay.
At TCPAWorld, we don’t just track trends, but we spotlight the rulings that matter. This is a significant case to add to the growing body of case law protecting companies from liability when scammers or unauthorized third parties appropriate their business names during telemarketing calls—and it’s precisely the kind of misdirected claim Troutman Amin is built to defeat!
So what’s the scoop? Plaintiff received six telemarketing calls between January and March 2023 from individuals claiming to represent “Living Well Screening.” The calls pitched various medical testing services, including cancer genetic testing and free COVID test kits through Medicare. Plaintiff, who had registered his number on the DNC list in May 2021, recorded these calls and filed suit against Bamz Enterprises, LLC (“Bamz”), which legitimately does business under the trade name “Living Well Screening.” At first glance, this appeared to be a straightforward TCPA violation. However, as the Court’s analysis reveals, appearances can be deceiving regarding caller identity. For instance, it’s like blaming the bank for a phishing scam just because the scammer said, ‘This is Wells Fargo.’ Caller ID might tell one story, but admissible evidence reveals the truth.
Judge Bowman zeroed in on the most critical element of any TCPA claim: proving who made the calls at issue. Here, the only evidence connecting Bamz to the calls was the callers’ own statements that they represented “Living Well Screening.” The Court’s analysis was unequivocal: “Those recorded statements are clearly hearsay, insofar as they are out-of-court statements offered for the truth of the matter asserted. Pursuant to Rule 56(c)(1)(B), a party is entitled to summary judgment if it can show that an adverse party cannot produce admissible evidence to support the fact. Id. at *6.
Let’s think about this for a moment. This reasoning aligns perfectly with Fed. R. Civ. P. 56, which requires admissible evidence to survive summary judgment. Hearsay statements from unidentified callers don’t meet this threshold. While the Plaintiff’s theory may appear convincing at first glance, it is crucial to recognize that courts must rely on credible evidence rather than anonymous assertions.
In contrast to Plaintiff’s inadmissible evidence, Bamz presented substantial sworn testimony that none of the six calls originated from Bamz facilities, Bamz has never owned or used an automatic telephone dialing system (“ATDS”), none of the named callers (Ron Williams, Marsha, David, Ann, and Maria) were ever employed by or affiliated with Bamz, and Bamz never authorized any third party to make telemarketing calls on its behalf. As such, Bamz clearly demonstrated that its business model focused solely on providing customer service for at-home medical testing kits—referred to as “kit chasing”—rather than selling these products through telemarketing.
In turn, Plaintiff attempted to salvage his case by pointing to Bamz’s marketing materials describing itself as a “call center” and referencing “sales” activities. See Schwartz, 2025 U.S. Dist. LEXIS 89794, at *11. However, the Court dismantled this argument by asserting: “Plaintiff’s evidence is even more tangential and speculative.” Id. Bamz’s unrebutted sworn testimony clarified that while it briefly considered expanding its call center operations into sales, that effort never materialized. See Schwartz, 2025 U.S. Dist. LEXIS 89794, at *12-13. The mere capability or aspiration to conduct telemarketing is not evidence that a company engaged in such activities.
Judge Bowman’s recommendation aligns with a growing trend across federal courts. In Lindenbaum v. Realgy, L.L.C., 606 F. Supp. 3d 732 (N.D. Ohio 2022), the Court granted summary judgment because the plaintiff could only offer hearsay statements from callers claiming to represent the defendant. Moreover, the Court in Worsham v. TSS Consulting Grp., L.L.C., No. Case No: 6:18-cv-1692-LHP, 2023 WL 5016558, at *2 (M.D. Fla. Aug. 7, 2023), was equally direct, holding that a plaintiff’s hearsay statement that callers claimed to work for the defendant was “simply insufficient” to overcome summary judgment.
Does this case ring any alarm bells? We see companies whose names have been misappropriated by unauthorized callers all the time. A successful defense strategy includes presenting sworn testimony from company officers denying authorization of the calls, providing comprehensive employee records showing none of the identified callers work for your company, documenting your business model and demonstrating how it differs from the activities described in the calls, and challenging the admissibility of the plaintiff’s evidence under the hearsay rule. As Judge Bowman notes, in today’s telemarketing environment, “unscrupulous telemarketers or scammers employ a variety of deceptive practices – including misrepresenting that they are affiliated with a government agency or a legitimate company or charity – in order to manipulate the person that they are calling.” Schwartz, 2025 U.S. Dist. LEXIS 89794, at *6.
The decision recognizes that the technological landscape has changed dramatically since the law’s enactment in 1991. Today, spoofing technology and international call centers make it easier than ever for unscrupulous operators to impersonate legitimate businesses. The Court acknowledged this evolving landscape, noting that legitimate telemarketers abide by TCPA rules. But illegitimate ones…do not. Id. at *5.
Perhaps most compelling was Plaintiff’s admission during deposition that he had no admissible evidence to refute [Bamz’s] claim that someone is using Living Well Screening without their permission, and that [Bamz] is not responsible for the six calls. See Schwartz, 2025 U.S. Dist. LEXIS 89794, at *7-8. This acknowledgment underscores the fundamental weakness in many similar TCPA claims in which the only evidence connecting a defendant to allegedly illegal calls is the caller’s unverified statement.
Here we have a significant victory for TCPA defense litigation. It recognizes that company names can be easily misappropriated by bad actors, and it places the evidentiary burden squarely on plaintiffs to prove caller identity through admissible evidence. Judge Bowman aptly concluded: “To deny summary judgment on the record presented would be to ignore the shifting burdens built into Rule 56 and allow a plaintiff to proceed to trial who lacks admissible evidence on the most critical element of his claim – here, the caller’s identity.” Id. at *9.
So here’s a critical takeaway for TCPAWorld: as litigation around spoofing and impersonation continues to rise, courts are signaling that if your only link is a voice on the line, it better come with more than a name drop. Courts are willing to protect legitimate businesses from liability for the unauthorized actions of third parties who appropriate their names or brand identities. In an era of spoofing and shadow dialing, proof beats presumption.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!

SEC Chairman Lays Out Crypto Agenda

In prepared remarks at the SEC’s roundtable on tokenization held May 12, 2025, SEC Chairman Paul Atkins provided a roadmap for the SEC’s future efforts involving crypto and digital assets. A “key priority,” Atkins declared, “will be to develop a rational regulatory framework for crypto asset markets that establishes clear rules of the road . . . while continuing to discourage bad actors from violating the law.”
Chairman Atkins cited President Trump’s desire for the US to be the “crypto capital of the planet,” and promised to coordinate with the Administration and Congress. Atkins announced that SEC policy “will no longer result from ad hoc enforcement,” but instead the SEC will use “rulemaking, interpretive and exemptive authorities to set fit-for-purpose standards for market participants.”
Atkins then turned to three areas of focus for crypto assets: issuance, custody and trading. As to issuance, Atkins intends for the SEC to establish clear guidelines for distributions of crypto assets that are securities or subject to an investment contract. He referenced recent SEC staff statements on digital assets and alluded to several accommodations the SEC could make to its rules and procedures to advance this goal. Atkins also asked the SEC staff to consider whether additional guidance, registration exemptions or safe harbors are necessary.
On custody, Atkins announced his support for providing greater optionality. He hopes to provide clarity on the status of “qualified custodians” under the Investment Advisers Act and the Investment Company Act, as well as to consider whether it is necessary to repeal and replace the “special purpose broker-dealer” framework, which is utilized by only two entities.
Finally, on trading, Atkins is in favor of providing a broader variety of financial products on trading platforms, including permitting trading of both securities and non-securities in a single venue. In an effort to prevent registrants from going offshore to innovate with blockchain technology, Atkins would also like to explore whether conditional SEC exemptions would be appropriate to level the playing field between offshore and US regulation.

SEC Regulation in a Non-Regulatory Environment

With Paul Atkins as the new SEC Chair, the agency’s priorities have shifted away from many of the aggressive policies of former Chair Gensler. The first four months of the Republican-controlled SEC saw a dramatic shift in the approach to crypto with the dismissal or pause of major litigation, the termination of several longstanding investigations, the rescission of accounting guidance regarding the safeguarding of crypto assets and the establishment of a new task force to help formulate the regulatory approach to crypto going forward. With the enforcement program under a new SEC undergoing significant changes, there will likely be a return to more traditional enforcement cases with greater emphasis on egregious conduct involving pecuniary gain or investor harm, moving away from “pushing the envelope” cases. Enforcement sweeps involving off-channel communications, late filings and other “broken windows” initiatives are expected to fall by the wayside. Regulation by enforcement could be replaced by increased interaction with the Staff, formal or informal guidance or lighter-touch rulemaking.
New Chair Atkins has advocated for greater transparency and efficiency in rulemaking and enforcement. Under his leadership, onerous new rulemaking should decrease dramatically, helpful guidance on existing rules should emerge and new ideas could be solicited through industry roundtables. Amendments to existing rules may even open new possibilities for fund managers and other investment advisers (including, per recent announcements, facilitating capital formation). On the enforcement front, investigations may proceed more efficiently, resolve faster, and focus more on substantive violations. Settlements may also align more closely with the SEC’s penalty guidelines, calibrated to elements of the penalty statute.
A new direction in rulemaking and enforcement, however, does not necessarily mean that the Staff will no longer focus on the concerns underlying the more controversial issues under former Chair Gensler. The current Republican Commissioners may have previously spoken critically of certain rule proposals, but they have also recognized a need to prevent fraudulent or other harmful activities by investment advisers and other regulated market actors. Thus, while the SEC may not bring waves of high penalty, off-channel communications cases against registered entities, the Staff will expect those records to be retained as required under existing rules and may more regularly request their production in exams and investigations. Other issues that may have been referred to Enforcement in the past may remain as exam deficiencies, or the investigative Staff could look harder to find a substantive violation over mere compliance policy or internal control violations.
Having developed specialized expertise over private fund managers since the adoption of Dodd-Frank, the Examinations Division (both at the Regional Office level and at the Division’s Private Funds Unit), as well as the Enforcement Division’s Asset Management Unit, will continue to look for emerging, impactful issues and cases. Indeed, given the expected return to more “bread-and-butter” issues and enforcement cases, the following traditional issues involving private fund managers should still be in play:

Fiduciary Obligations – situations involving allegations of potential fraud, breach of fiduciary duty, or conflicts of interest; expect greater scrutiny where the alleged conduct involves pecuniary gain to the manager or investor losses or other harm. Issues relating to fees and expenses, allocations, valuations, cross-fund transactions and related matters should remain a focus in exams and enforcement, as they were under the previous Republican administration.
Retail Investors – matters that can be framed as protection of individual investors (i.e., registered funds or 3(c)(1) funds, which do not limit their investors to “qualified purchasers”); the market’s push towards retailization of alternatives may heighten the Staff’s interest in this area.
Trading/MNPI – insider trading investigations, which have been supported across the political divide; the Staff’s focus on credit instruments and other markets that traditionally have not been a focus has been demonstrated by recent enforcement actions alleging an adviser’s failure to maintain and enforce written MNPI policies involving trading in distressed debt and collateralized loan obligations.

While enforcement actions based solely on violations of the Compliance Rule (Rule 206(4)-7 under the Investment Advisers Act) seem less likely, these investigations typically begin by focusing on potential substantive violations. Enforcement Staff rarely set out to pursue compliance policy cases. Under the new SEC, investigations that fail to reveal substantive violations are more likely to be terminated without an enforcement recommendation, rather than resolved with compliance violations. However, investigations and exams will still focus on a firm’s culture of compliance. The perception of weak internal controls or inadequate policies is often viewed as a “red flag,” prompting the Staff to dig deeper and look for other potential issues – some of which may lead to related (or even unrelated) substantive findings the longer the Staff’s review drags on.
The SEC’s shift in rulemaking and enforcement priorities is certainly welcomed by many investment advisers. It should not, however, be seen as a move to complete deregulation, and investment advisers should remain focused on compliance and their fiduciary obligations.
Additional Authors: Seetha Ramachandran, Nathan Schuur, Robert Sutton, Jonathan M. Weiss, William D. Dalsen, Adam L. Deming, Adam Farbiarz and Hena M. Vora 

Colorado Legislature Passes Amendments to Colorado Privacy Act

On May 7, 2025, the Colorado legislature passed a bill to protect the civil rights of persons in Colorado based on immigration status (S.B. 276), which, if signed into law, would amend the Colorado Privacy Act (“CPA”). The bill awaits signature by Colorado Governor Jared Polis.
The bill would amend the CPA’s definition of “sensitive data” to include precise geolocation data, and would amend the definition of “precise geolocation data” from information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of [1,750] feet to global positioning system (GPS) coordinates within a radius of [1,850] feet; or any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of [1,850] feet.
The definition of “precise geolocation data” would exclude the content of communications or “any data generated by or connected to advanced utility meeting infrastructure systems or equipment for use by a utility.”
The bill also would amend the CPA to prohibit controllers from “selling” consumers’ sensitive data without first obtaining consumers’ prior affirmative consent. Note that the current version of the CPA already prohibits the “processing” of consumers’ sensitive data without consent, which term is defined to include the “sale” of personal data, but this amendment would make this requirement more explicit.

Belgian DPA Finds Broad Tax Information Transfers to IRS Unlawful

The Belgian Data Protection Authority recently ruled that a Belgian government entity, FPS Finance, cannot transfer the personal data of “accidental Americans” to the IRS. According to the decision, the transfers needed to cease for several reasons.
The case was brought by a dual US-Belgian citizen, who, while a US citizen by birth, did not reside in the US or otherwise have any significant connections to the US (i.e., an “accidental American”). He argued that his personal information should not be transferred to the US, even though the US’s Foreign Account Tax Compliance Act requires all US citizens to report their tax information to the US to combat terrorism and prevent tax evasion. That law is enforced in Belgium through a 2014 bilateral treaty, which was entered into before the GDPR’s effective date. The Belgian tax authority argued that it could make the transfer under a GDPR exception (Article 96), which allows pre-GDPR international agreements, such as this one, to remain in place if they comply with the law in effect at the time. Thus, the Belgian DPA examined not only whether the transfer violated GDPR (as the individual argued) but also whether it violated the laws in existence at the time the treaty was signed.
The Belgian DPA found that the transfers did not comply with pre-GDPR law because the amount of information being transferred exceeded what was necessary to meet the specified purposes. Further, the FATCA was not compliant with current GDPR standards. The Belgian DPA also emphasized that FATCA, as implemented, lacked sufficient safeguards to protect the personal data of EU residents, especially those with tenuous or accidental ties to the US. The Belgian DPA gave FPS Finance a year to modify its transfer process. This included minimizing the amount of data transferred, conducting a data transfer impact assessment, and giving individuals more information about its data processing activities.
Putting it Into Practice: This decision is a reminder that there may be an increase in scrutiny of data transfers to the US. While the facts in this case were narrow, we expect that there may be other, similar, decisions in the future.

Colorado’s Artificial Intelligence Act (CAIA) Updates: A Summary of CAIA’s Consumer Protections When Interacting with Artificial Intelligence Systems

During the 2024 legislative session, the Colorado General Assembly passed Senate Bill 24-205, which is known as the Colorado Artificial Intelligence Act (CAIA). This law will take effect on February 1, 2026, and requires developers and deployers of a high-risk AI system to protect Colorado residents (“consumers”) from risks of algorithmic discrimination. Notably, the Act also requires developers or deployers to disclose to consumers that they are interacting with an AI system. Colorado Gov. Jared Polis, however, had some concerns in 2024 and expected that the legislators would refine key definitions and update the compliance structure before the effective date in February 2026.
As Colorado moves forward toward implementation, the Colorado AI Impact Task Force issued its recommendations for updates in its February 1, 2025 Report. These updates — along with the description of the Act — are covered below.
Background
A “high-risk” AI system is defined to include any machine-based system that infers outputs from data inputs and has a material legal or similar effect on the provision, denial, cost, or terms of a product or service. The statute identifies various sectors that involve consequential decisions, such as decisions related to healthcare, employment, financial or credit, housing, insurance, or legal services. Additionally, CAIA has numerous carve-outs for technologies that perform narrow tasks or certain functions, such as cybersecurity, data storage, and chatbots.
Outside of use case scenarios, CAIA also imposes on developers of AI systems the duty to prevent algorithmic discrimination and protect consumers from any known or foreseeable risks arising from the use of the AI system. A developer is one that develops or modifies an AI system used in the state of Colorado. Among other things, a developer must make documentation available for the intended uses and potential harmful uses of the high-risk AI system. 
Similarly, CAIA also regulates a person that is doing business in Colorado and deploys a high-risk AI system for Colorado residents to use (the “deployer”). Deployers face stricter regulations and must inform consumers when AI is involved in a consequential decision. The Act requires deployers to implement a risk management policy and program to govern the use of the AI system. Further, the deployers must report any identified discrimination to the Attorney General’s Office within 90 days and must allow consumers to appeal AI-based decisions or request human review of the decision when possible. 
Data Privacy and Consumer Rights
Consumers have the right to opt out of data processing related to AI-based decisions and may appeal any AI-based decisions. This opt-out provision may impact further automated decision-making related to the Colorado resident and the processing of personal data profiling of that consumer. The deployer must also disclose to the consumer when a high-risk AI system has been used in the decision-making process that results in an adverse decision to the consumer. 
Exemptions
The CAIA contains various exemptions, including for entities operating under other regulatory regimes (e.g., insurers, banks, and HIPAA-covered entities) or for the use of certain approved technologies (e.g., technology cleared, approved, or certified by a federal agency, such as the FAA or FDA). There are some caveats, however. For example, HIPAA-covered entities are exempt to the extent they are providing healthcare recommendations that are generated by an AI system that require the HIPAA-covered entity to take action to implement the recommendation and are not considered to be “high risk.” Small businesses are exempt to the extent that they employ fewer than 50 full-time employees and do not train the system with their own data. Thus, deployers should closely analyze the available exemptions to ensure their activities fall squarely within the recommendations.
Updates
The recent Colorado AI Impact Task Force Report encourages additional changes to CAIA before it is enforced in February 2026. The current concerns deal with ambiguities, compliance burdens, and various stakeholder concerns. The Governor is concerned with whether the guardrails inhibit innovation and AI progress in the State.
The Colorado AI Impact Task Force notes that there is consensus to refine documentation and notification requirements. However, there is less consensus on how to adjust the definition of “consequential decisions.” Reworking the exemptions to the definition of covered systems is also a change desired by both industry and the public. 
Other potential changes to the CAIA depend on how interconnected sections are potentially revised in relation to other related provisions. For example, changes to the definition of “algorithmic discrimination” depend on other issues related to obligations of developers and deployers to prevent algorithmic discrimination and related enforcement. Similarly, intervals for impact assessments may be affected greatly by changes to the definition of “intentional and substantial modification” to high-risk AI systems. Further, those impact assessments are interrelated with the developer’s risk management programs and will likely implicate any proposed changes to either impact assessments or risk management programs. 
Lastly, there remains firm disagreement on amendments related to several definitions. “Substantial factor” is one debated definition that will take a creative approach to define the scope of AI technologies subject to the CAIA. Similarly, “duty of care” is hotly contested for developers and deployers and whether to remove that concept or replace it with more stringent obligations. Other debated topics that are subject to change include the exemption for small business, the opportunity to cure incidents of non-compliance, trade secret exemptions, consumer right to appeal, and the scope of attorney general rulemaking.
Guidance
Given that most stakeholders recognize that changes are needed, any business impacted by the CAIA should continue to watch the developments in the legislative process for potential changes that could drastically impact the scope and requirements of the Colorado AI Act.
Takeaways
Businesses should assess whether they, or their vendors, use any AI system that could be considered high risk under the CAIA. Some recommendations include:

Assess AI usage and consider whether that use is within the definition of the CAIA, including whether any exemptions are available
Conduct an AI risk assessment consistent with the Colorado AI Act
Develop an AI compliance plan that is consistent with the CAIA consumer protections regarding notification and appeal processes
Continue to monitor the updates to the CAIA
Evaluate contracts with AI vendors to ensure that necessary documentation is provided by the developer or deployer

Colorado has taken the lead as one of the first states in the nation to enact sweeping AI laws. Other states will likely look to the progress of Colorado and enact similar legislation or make improvements where needed. Therefore, watching the CAIA and its implementation is of great importance in the burgeoning field of consumer-focused AI systems that impact consequential decisions in the consumer’s healthcare, financial well-being, education, housing, or employment.

Affirmative Artificial Intelligence Insurance Coverages Emerge

It was only a matter of time before new insurance coverages targeting the risks posed by artificial intelligence (AI) would hit the market. That time is now.
As the use of AI continues to proliferate, so too does our understanding of the risks presented by this broad and powerful technology. Some risks appear novel in form while others mirror traditional exposures that have long been viewed as insurable causes of loss. AI-related risks are made all the more novel because the meaning of AI itself is not only up for debate, but is constantly evolving as the technology matures. This mixture of old and new has the potential to create coverage gaps in even the most comprehensive insurance programs. Hence the development of specialized, AI-specific insurance solutions. In just the past few weeks, two new affirmative AI coverages have entered the market, signaling an acceleration in this trend.
Armilla’s Affirmative AI Coverage
On April 30, 2025, Armilla Insurance Services launched an AI liability insurance policy underwritten by certain underwriters at Lloyd’s, including Chaucer Group. This product is among the first to offer clear, affirmative coverage for AI-related risks, rather than relying on protections embedded in legacy policies.
While the introduction of this new, affirmative coverage should have no impact on the availability of coverage for AI-related losses that meet the terms of coverage under existing insurance policies such as cyber, directors and officers (D&O), or technology errors and omissions (E&O), this new product should address any unique exposures not contemplated under traditional coverages. Risks specifically contemplated under Armilla’s policy include AI hallucinations, deteriorating AI model performance, and mechanical failures or deviations from expected behavior. Armilla’s affirmative coverage may offer greater certainty for policyholders in an increasingly uncertain risk environment.
Google Cloud’s Entry into AI Risk Management
Earlier in 2025, Google took its own significant step into AI-specific risk mitigation by announcing a partnership with insurers Beazley, Chubb, and Munich Re. This collaboration introduces a tailored cyber insurance solution specifically designed to provide affirmative AI coverage that Google Cloud customers can purchase from the insurers Google has partnered with. 
Customers that purchase the Google-specific insurance coverage receive a Google policy Endorsement that provides a suite of protections that can include business interruption coverage for failures in Google Cloud services, liability coverage for certain bodily injury or property damage, and protection for trade secret losses linked to malfunctioning AI tools. By embedding insurance directly into its cloud offerings, Google has taken a proactive role in delivering technological innovation, while also managing the associated risks.
Insuring the AI Future
The emergence of affirmative AI insurance products marks a key shift in the industry’s approach to managing AI-driven risks. With companies like Armilla leading the charge, insurers are beginning to address perceived coverage gaps that traditional policies may overlook. As momentum builds, 2025 is likely to bring a continued rollout of AI-specific coverages tailored to this evolving landscape. Collectively, these developments reflect a growing recognition across the industry of the distinct and complex nature of AI-related risk.

Spring 2025 Kattison Avenue

Against the backdrop of many significant developments in the advertising law space, we are thrilled to release the Spring 2025 issue of Kattison Avenue. In this edition, you will find updates on the Trump administration’s imposition of tariffs on imports and their impact on retailers and consumers, UK efforts to improve online safety for children, recent decisions by the National Advertising Division (NAD) affecting advertisers and influencers, and considerations for businesses using Generative AI (GenAI) in their day-to-day operations.
First, Intellectual Property Partner and Advertising, Marketing and Promotions Co-Chair Christopher Cole writes about businesses that rely on tariffed imports that are considering itemizing “tariff-related” costs separately to explain the price hikes to consumers. Chris notes that, while attributing part of the cost to tariffs is not categorically prohibited, calculating and disclosing the precise amount of tariff surcharges will be subject to truth-in-advertising principles such as the California Honest Pricing Law. Then, London Deputy Managing Partner Terry Green discusses the United Kingdom’s robust efforts to improve online safety for kids and recent guidance that all platforms under the Office of Communications’ (Ofcom) Online Safety Act (OSA) must comply with to mitigate children’s exposure to harmful content.
Up next, Intellectual Property Associate Catherine O’Brien summarizes recent NAD decisions targeting third-party marketing by celebrities and influencers. Katie describes the NAD’s recent evaluations, as part of its routine monitoring program, of social media posts by third parties that found unsubstantiated claims or failure to meet disclosure standards, emphasizing that brands must exercise meaningful control over advertising claims that are made on their behalf. Finally, an article by Intellectual Property Partner Michael Justus explains that GenAI vendors, models and use cases are not all created equal. He advises companies to complete due diligence before selecting model providers, carefully scrutinize use cases, and implement policies and training that reflect enterprise risk tolerance.
In This Issue

Tips For Companies Crafting Tariff Surcharge Disclosures
Byte-Sized Protection: Keeping Kids Safe Online, One Risk Assessment at a Time
Influencers Say the Darndest Things: National Advertising Division Targets Third-Party Marketing in Recent Decisions
Choose Your GenAI Model Providers, Models and Use Cases Wisely
News to Know
