SEC Staff Cede Jurisdiction Over Certain Stablecoins

On 4 April 2025, the SEC’s Division of Corporation Finance (Division) issued a statement (Statement) providing that the offer and sale of certain “Covered Stablecoins” do not involve the offer and sale of securities within the meaning of federal securities laws. As such, persons involved in the process of offering, selling and redeeming Covered Stablecoins are not required to register those transactions with the SEC or rely on an exemption from registration.
The Division defines “Covered Stablecoins” as crypto assets that are designed to maintain a stable value relative to the US Dollar (USD) on a one-for-one basis, can be redeemed for USD on a one-for-one basis, and are backed by low-risk and readily liquid assets held in a reserve, with a USD value that, at a minimum, meets the redemption value of the stablecoins in circulation. Accordingly, stablecoins outside this definition – including those that are pegged to the price of digital assets or other currencies besides USD and algorithmic stablecoins – are not covered by the guidance included in the Statement.
The Division provided its analyses of Covered Stablecoins under Reves v. Ernst & Young and SEC v. W.J. Howey Co., the key cases setting forth the tests for whether an asset is a “security.” If not considered to be “securities,” Covered Stablecoins would likely be considered “commodities,” and thus subject to the enforcement jurisdiction of the CFTC. However, legislation currently pending in Congress could shift oversight of these digital assets to banking regulators.
Commissioner Caroline Crenshaw criticized the Statement as doing “a real disservice to USD-stablecoin holders,” and questioned whether any existing stablecoin falls within the scope of “Covered Stablecoin”.
Following the Division’s recent Statement on Meme Coins, the Statement appears to be another small but positive step towards regulatory clarity for the digital asset industry.

TCPA CONSENT PRIMER: Here Are the Basics of the TCPA’s Requirements For Consent for Various Types of Calls

Here’s a quick look at the basic rules around consent for those interested in TCPA issues.
First, the TCPA contains two general restrictions: those related to calls made using certain types of technology (“regulated technology”) and those made for marketing purposes to numbers on the DNC list.
Regulated technology includes calls made using an automatic telephone dialing system (ATDS), prerecorded or artificial voice calls and calls made using an AI voice. It also likely includes prerecorded and artificial or AI voicemails or ringless voicemails.
Calls made using regulated technology to a cellular phone require “express consent” when made for informational purposes and “express written consent” when made for marketing purposes.
Prerecorded or artificial or AI voice calls made to a landline require “express written consent” when made for marketing purposes or when made in excess of three per month for informational purposes (three prerecorded calls to landlines for informational purposes may be made monthly without consent.)
The precise contours of what constitutes express consent and express written consent are shifting, as is the definition of “marketing.”
Generally courts hold “express consent” means “consent that is clearly and unmistakably stated.” This includes both a content requirement and a format requirement.
As to content the FCC has required the inclusion of 9 critical pieces of information in a valid express written consent form. (See 47 CFR Section 64.1200(f)(9)). 
The disclosure must also be presented in a manner that is not deceiving to the consumer and clearly and CONSPICUOUSLY lays out the terms. Generally companies use the R.E.A.C.H. standards to assure they are complying with these rules.
For informational calling “express consent” does not require full written consent but does need to clearly have the consumer express an intention to receive calls. For many years an FCC ruling from 2009 implied express consent to use such technology any time a consumer provided their number to a caller for a purpose closely related to the purpose of the call. However that ruling is in doubt following recent Supreme Court determinations striking down Chevron deference. Accordingly, it is unclear whether the consumer must now specifically authorize the use of automated or prerecorded or artificial voice contact to provide valid express consent for informational purposes.
The line between what is marketing and informational is also fuzzy. The definition of marketing is broad and includes any effort to encourage a consumer to buy or rent any good or service. Whether a call is marketing looks at the INTENT of the caller, not the content of the call. Some courts have found that calls made only to offer to buy something, or to offer a free service, are NOT marketing calls. But if any payment is to be expected of a consumer, directly or indirectly, you can expect a finding that the call is marketing, even if it serves a dual or informational purpose as well.
Finally, calls made to numbers on the DNC list for marketing purposes require either prior express invitation or permission or an established business relationship.
Like PEWC, PEIP must be in writing but the nine requirements of 47 CFR 64.1200(f)(9) are not required. Instead a consumer must merely ask for the messages at issue in a clear and written form.
An oral request for information qualifies as an inquiry EBR but only lasts for 90 days. During that 90-day period a caller may contact a consumer manually regarding the good or service the consumer inquired about, even if their number is on the DNC list.
These rules apply equally to B2C and B2B calls, although there is a narrow exception to the DNC rules for calls made to business numbers (note: B2B intent is irrelevant, what matters is how the number at issue is being used.)
Even after consent has been obtained properly it can be revoked for all purposes. As of April 11, 2025 a new FCC rule will go into effect that will massively expand the scope of revocation and will result in consent being treated as revoked across all channels for all purposes. 

TRIAL DATE SET: QuoteWizard to Face TCPA Claims in Certified Class Action in November, 2025!

As TCPAWorld.com readers know QuoteWizard is embroiled in TCPA litigation linked back to a bad lead it purchased years ago.
Although QuoteWizard isn’t really alleged to have done anything wrong in the moral sense, it still faces massive potential exposure in the suit following a remarkable certification ruling last year.
QuoteWizard took an emergency appeal following that ruling but the Appellate Court refused to set aside the certification ruling. That put the case back in the hands of the district court.
The Court has now set the matter for trial on November 3, 2025.
Trial briefs and motions in limine are due October 30, 2025 and we should know a lot more about each party’s trial strategy when those documents roll in.
We’ll keep an eye on this for everyone.

UK Government Sets Out Scope for Cyber Security and Resilience Bill

On April 1, 2025, the UK government published the Cyber Security and Resilience Policy Statement (the “Policy Statement”), which details the UK government’s legislative proposals for the Cyber Security and Resilience Bill (the “Bill”), which was originally announced in July 2024. As explained in the Policy Statement, currently, the key legislation in the UK governing “cross sector” cybersecurity is the Network and Information Systems (NIS) Regulations 2018 (the “NIS Regulations”). The NIS Regulations were the pre-Brexit national implementation of the EU NIS Directive. The EU NIS Directive was recently repealed and replaced by the Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”). The Bill will propose amendments to the NIS Regulations, taking into consideration “insights” and “valuable lessons” from the EU on the implementation of NIS2. According to the Policy Statement, the Bill will “address the specific cybersecurity challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive. This strategic approach ensures…[the UK] can be flexible and responsive to cyber threats in a proportionate way that balances the impact on business.”
As detailed further in the Policy Statement, the Bill will include measures such as:

Extending the scope of the NIS Regulations to include more entities. The Policy Statement details several ways in which the scope will be extended. For example, it explains how Managed Service Providers will be brought into scope given their “unprecedented access to clients’ IT systems, networks, infrastructure and data.” While subject to further drafting for the Bill, the Policy Statement defines a “managed service” as a service that:

is provided to another organization (i.e., not in-house);
relies on the use of network and information systems to deliver the service;
relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks, including for the purpose of activities relating to cybersecurity; and
involves a network connection and/or access to the customer’s network and information systems.

The Policy Statement also sets out plans to extend the scope by strengthening supply chain duties for operators of essential services (an “OES”) and relevant digital service providers (an “RDSP”) through secondary legislation. Regulators will also be able to designate critical suppliers if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports. According to the Policy Statement, critical suppliers are expected to account for a “very small number and percentage of those suppliers providing goods or services” to an OES or RDSP.

Empowering regulators and enhancing oversight. The Policy Statement details several proposals in this respect, including by:

developing technical and methodological security requirements. While the UK National Cyber Security Centre (“NCSC”) Cyber Assessment Framework currently acts as a resource supporting certain organizations in assessing and managing cybersecurity, it is proposed that three principles and objectives will be established that will make it “essential for firms to follow best practice,” in turn making it “simpler for the regulators to oversee the requirements.” The Policy Statement also confirms that the technical standards and methods requirements of the NIS Regulations will be updated to bring them closer into alignment with NIS2.
enhancing incident reporting requirements. The Policy Statement sets out how the Bill will update and enhance the current incident reporting requirements for regulated entities under the NIS Regulations by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting, and enhancing transparency requirements for digital services and data centres. For example, similar to NIS2, the Bill is said to introduce a two-stage reporting structure, which will require regulated entities to notify their regulator and also inform the NCSC of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours. The Policy Statement states the UK government intends “for this procedure to be similar to, and no more onerous than, the equivalent requirements under” NIS2.

Improve information gathering powers of the UK Information Commissioner’s Office (“ICO”). In addition to being the UK data protection regulator, the ICO is the regulator for RDSPs under the NIS Regulations, regulating online marketplaces, search engines, and cloud services. Once the Bill is implemented, the ICO will also be the regulator for managed service providers. According to the Policy Statement, the Bill will enhance the ICO’s ability to gather information to assist it in determining the criticality of regulated digital services, including by expanding the duties on firms to share information with the ICO on registration and expanding the criteria for the ICO to use its existing power to serve information notices on firms. 

In addition, the Policy Statement detailed other measures under consideration by the UK government, which may be included in the Bill or advanced under other legislation, such as:

Bring data centres into scope of the regulatory framework. The Policy Statement explains that UK data centres that meet certain criteria will be subject to certain duties. This would include, for example, notifying and providing certain information, having in place appropriate and proportionate measures to manage risks and reporting significant incidents.
Publish a statement of strategic priorities for regulators. The UK government is considering introducing a new power for the UK Secretary of State to publish a statement of strategic priorities to establish a unified set of objectives and expectations for the implementation of the regulations. Such a statement would be updated once every three to five years and be accompanied by a requirement for regulators to report annually on their progress against the objectives in the statement.
New executive powers for UK government to enable swift and decisive action in response to cyber threats. The Policy Statement details two powers that the UK government is considering granting to the UK Secretary of State:

The power to issue a direction to a regulated entity in relation to a specific cyber incident or threat, requiring the entity to take action to remedy the incident or threat. The UK Secretary of State would only be able to issue a direction where necessary and proportionate for reasons of national security; and
The power to issue a direction to regulators on national security grounds, requiring them to exercise their functions to ensure that action is undertaken across their sectors. The power would only be used where necessary for national security and where the impact of a direction is deemed to be proportionate.

According to the press release on the Policy Statement, the Bill is to be introduced later this year.

SEC Provides Stablecoin Guidance Amid Legislative Developments

On Friday, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued guidance clarifying when certain stablecoins may not constitute securities under the federal securities laws.[1] This development comes as Congress is actively considering legislation — notably the GENIUS Act and the STABLE Act — that would explicitly carve out payment stablecoins from securities definitions and establish a comprehensive federal regulatory framework for payment stablecoins. The timing suggests the SEC is attempting to provide interim clarity while legislative solutions remain pending.
Overview of the Division’s Guidance
The guidance provides detailed analysis of whether “Covered Stablecoins” constitute securities under the federal securities laws. The Division defined Covered Stablecoins as digital assets designed to maintain stable value relative to the US Dollar (USD) on a one-for-one basis, redeemable for USD on demand, and backed by assets held in a reserve with value meeting or exceeding the redemption value of stablecoins in circulation. These reserves must consist of low-risk, readily liquid assets to enable issuers to honor redemptions.
The Division’s analysis applied two distinct securities law tests. First, under the Reves “family resemblance” test for note-like instruments, the Division examines four factors: (1) buyer and seller motivations; (2) plan of distribution; (3) reasonable expectations of the investing public; and (4) risk-reducing features.[2] The Division concluded that Covered Stablecoins are issued and purchased for commercial rather than investment purposes, with buyers motivated by stability and utility in commercial transactions rather than profit potential. According to the Division, the price stability mechanisms of Covered Stablecoins minimize speculative trading, and marketing materials typically emphasize payment functionality rather than investment returns.
Importantly, the Division viewed adequately funded reserves as a significant risk-reducing feature under the fourth Reves factor, which examines whether there are features that reduce risk such that the application of securities laws becomes unnecessary. In the Reves decision, the Supreme Court noted that instruments that are “collateralized” may possess sufficient risk-reducing features to avoid classification as securities, and the Division draws a parallel between such traditional collateralization and stablecoin reserves.[3]
Second, the Division applied the Howey test for investment contracts, examining whether there is an investment of money in a common enterprise with reasonable expectation of profits derived from entrepreneurial efforts of others. The Division determined that buyers lack reasonable profit expectations since Covered Stablecoins are generally marketed for use in commerce rather than as investments, offering price stability instead of appreciation potential.
Commissioner Caroline Crenshaw issued a dissenting statement challenging the Division’s analysis. She emphasized that approximately 90 percent of USD stablecoins circulate through intermediaries rather than direct issuer-to-retail distribution channels, and as a result, retail holders generally have no direct redemption rights against issuers and no claims to the reserve assets.
For its part, the Commodity Futures Trading Commission (CFTC) has long maintained that stablecoins are commodities and, therefore, are subject to the CFTC’s anti-fraud and anti-manipulation enforcement jurisdiction. For example, in October 2021, the CFTC brought and settled an enforcement action with Tether Holdings Limited for making untrue or misleading statements of material fact when it claimed that the US dollar tether token (USDt) was fully backed by US dollars held in reserve.[4]
Regulatory and Market Implications
The guidance may serve as an interim regulatory clarification until comprehensive legislation passes, potentially offering some clarity for issuers of Covered Stablecoins. However, its effectiveness may be limited since proposed legislation, if adopted, would likely supersede it with explicit statutory carve-outs. Furthermore, both the GENIUS Act and STABLE Act would explicitly assign enforcement authority over payment stablecoins to federal and state banking regulators rather than the SEC, potentially creating a different regulatory framework than what might be inferred from the Division’s guidance.
[1] See Katten’s Quick Reads post on the Division’s recent similar guidance on proof-of-work mining activities and memecoins here.
[2] Reves v. Ernst & Young, 494 U.S. 56 (1990).
[3] Id. at 69.
[4] See also In the Matter of Opyn, Inc., 2023 WL 593238, at *3 (“Ether and stablecoins such as USDC are encompassed in the definition of ‘commodity’ in Section 1a(9) of the [Commodity Exchange Act], and are subject to the applicable provisions of the Act and Regulations.”).

New-Aged Automakers Beware: CPPA’s Enforcement Action Against Honda Results in the Agency’s First Settlement

Key Takeaways:

CPPA launched its first major enforcement action, targeting connected vehicle-maker Honda.
Connected vehicles often collect various kinds of sensitive driver information, including geolocation, biometric and behavioral data.
After the CPPA found Honda in violation of several CCPA provisions, the company agreed to settle the enforcement action for approximately $650,000 while also agreeing to adopt certain remedial measures.
Other connected vehicle-makers have also experienced a spike in regulatory scrutiny, signaling rising enforcement pressure and growing expectations for privacy-by-design.

CPPA’s Investigation into Connected Cars 
In 2023, the California Privacy Protection Agency (“CPPA”) commenced a formal investigation into the data privacy practices of vehicle manufacturers (the “Investigation”), focusing primarily on the collection, use, and disclosure of personal information by “connected vehicles.” 
Connected vehicles are vehicles equipped with technologies able to capture, among other kinds of consumer information, geolocation, biometric and behavioral data, including global positioning systems (“GPS”), telematics sensors, onboard cameras and smartphone integrations. With over 35 million registered vehicles in California and the rapid growth of these technologies in newer vehicles, automakers must educate themselves about the growing privacy concerns presented by these connected vehicles, especially where these technologies are still linked to third party service providers.
The Investigation marks the CPPA’s first formal inquiry since gaining full enforcement authority on July 1, 2023, and seeks to determine whether automakers were complying with key provisions of the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). Specifically, the agency is examining whether these vehicle manufacturers: (i) provide sufficient notice; (ii) obtain valid consent; (iii) limit data collection consistent with data minimization principles; and (iv) maintain transparency around third-party data sharing practices. See Cal. Civ. Code § 1798.
CPPA’s inquiry underscores the agency’s intent to promote accountability among manufacturers and to ensure consumers retain meaningful control over their personal data.
Honda’s Privacy Violations and Settlement Terms
On March 12, the CPPA announced its first public enforcement action based on the Investigation. The action stemmed from a series of purported CCPA violations regarding American Honda Motor Co., Inc. (“Honda” or the “Company”)’s handling of consumer privacy rights. The CPPA found that:

Honda unlawfully interfered with consumers’ ability to exercise their data rights. For example, Honda required consumers to provide excess personal information even when such verification was not legally necessary. The CPPA determined that these burdensome conditions discouraged or delayed valid privacy requests, violating the CCPA’s intent to grant consumers meaningful control over their personal information without unreasonable obstacles.
Honda’s interface steered users toward surrendering their privacy rights. For example, Honda’s online privacy rights platform was designed in a way that made it easier for consumers to opt in to the sale of their personal information, while creating friction for those attempting to opt out. This unequal treatment of consumer choices violated CCPA’s requirement that options be presented in a fair and neutral manner. 
Honda did not provide clear or accessible methods for consumers to authorize third-party representatives (i.e., “authorized agents”) to act on their behalf. The CPPA determined that this omission weakened an essential mechanism intended to support the exercise of privacy rights, which limited consumers’ ability to benefit from guaranteed privacy protections.
Honda failed to produce contracts with its advertising technology vendors that included the required privacy safeguards, raising serious concerns about whether the Company had properly limited how third parties could use, retain, or disclose consumer information as required under California law.

The CPPA enforcement action against Honda concluded with a settlement order (the “Order”) in which the Company agreed to pay $632,500 in monetary penalties and undertake significant reforms to its data privacy practices, including (i) creating a streamlined process for privacy rights requests, (ii) engaging a user experience designer to ensure the system meets CCPA fairness standards, (iii) training employees on proper handling of privacy requests, and (iv) revising contracts with third-party data recipients to include all required privacy protection clauses.
The Order also mandates several technical upgrades to Honda’s privacy infrastructure. For instance, Honda must establish separate processes for verifiable and non-verifiable privacy requests to reduce barriers to opting out. It must also add a “Reject All” button to its cookie management tool to ensure that privacy-protective choices are as accessible as opt-in options.
Broader Privacy Concerns in the Automotive Industry
Federal regulators and certain states, like Texas, have launched investigations into the data privacy practices of automakers, focusing on how personal information, such as driving behavior, is collected and shared with third party insurance companies. Recently Ford, Hyundai, Toyota and Fiat Chrysler Automobiles were sent letters by the Texas Attorney General’s Office demanding sworn answers about how they collect, share and sell consumer data.
Other major automakers have also faced privacy controversies. Earlier this year, Tesla was sued over allegations that employees accessed and shared images and videos recorded by customers’ vehicles without their consent. Yeh v. Tesla, Inc.
California lawmakers are taking action to regulate in-vehicle data collection, including, for example, by restricting the collection and use of images and videos captured by in-car cameras.
Looking Ahead: CPPA’s Growing Role in Consumer Privacy
The CPPA is actively enforcing its authority across all industries, with penalties ranging from $2,500 to $7,500 per violation. The Honda settlement marks a clear warning: as connected devices like vehicles continue to harvest large volumes of personal data, the cost of noncompliance will continue to rise. In today’s fragmented U.S. privacy landscape, businesses must ensure they offer consumers clear, meaningful choices around data use. Working closely with legal counsel is essential to stay ahead of regulatory changes — because in this new era of enforcement, transparency and trust are no longer best practices; they’re legal imperatives.

CMS Confirms Relocation of Physician-Owned Hospital Does Not Jeopardize Stark Law Exception

CMS confirmed that a physician-owned hospital proposing to move eight miles away from its original site and add an emergency department would continue to meet the whole hospital exception, provided all other conditions remain met.
CMS emphasized that the hospital must remain the same legal and operational entity post-relocation, with no changes in ownership or Medicare provider agreement.
The decision reflects CMS’s continued scrutiny of, yet possibly softening stance towards, physician-owned hospitals and the structural safeguards in place to protect against self-referral risks.

The Centers for Medicare & Medicaid Services (CMS) recently released Advisory Opinion No. CMS-AO-2025-1, addressing whether a physician-owned hospital’s proposed full-site relocation and addition of an emergency department would jeopardize its ability to continue to rely on the Stark Law’s “whole hospital exception.” In the advisory opinion, CMS concluded that relocation, by itself, is not necessarily disqualifying — and that no single factor is dispositive. Instead, the agency took a holistic approach in assessing whether the hospital remained the same entity post-relocation for purposes of the exception.
By retaining the same ownership, provider agreement, licensure, services, name, patient base, and bed count, CMS concluded that the hospital would remain the “same hospital” under Stark requirements and continue to qualify under the “whole hospital exception”— enabling the hospital to retain its protection for physician referrals.
This Advisory Opinion — the first issued since 2021 — provides noteworthy guidance and important considerations for hospital administrators, compliance officers, and legal counsel of physician-owned hospitals that currently rely on the exception and are considering structural changes or expansions.
Background and Legal Analysis
The Stark Law “Whole Hospital Exception”
In 2010, the Affordable Care Act tightened Stark Law rules to prevent the creation of new physician-owned hospitals (with limited exceptions) and restrict the expansion of existing ones.
According to the CMS Advisory Opinion, the hospital at issue had met the Stark Law’s whole hospital exception before the 2010 cutoff by having physician ownership and a Medicare provider agreement in place. The hospital requested that CMS confirm it would still qualify as the “same hospital” and remain in compliance with the Stark Law exception, despite its plans to relocate eight miles away and to add an emergency department.
The Hospital’s Proposal: A Relocation Without Disruption
CMS took a holistic approach in its analysis and reviewed the hospital’s comprehensive certification of facts in light of factors previously outlined in its CY 2023 OPPS/ASC proposed rule and reaffirmed in the FY 2024 IPPS final rule, namely:

Continuity of state licensure and Medicare provider agreement;
Consistent use of Medicare provider number and tax ID;
Same services and patient base;
No changes to ownership or scope of services (with some flexibility, such as adding an emergency room);
Same state regulatory framework.

The hospital certified that it had maintained physician ownership and a Medicare provider agreement continuously since December 31, 2010; the aggregate number of operating rooms, procedure rooms, and beds had remained the same since March 23, 2010 (and would remain unchanged post-relocation); the hospital’s services and patient base would remain unchanged; the hospital would continue to operate under the same name, branding, and tax ID number; there would be no ownership or leadership changes; and the hospital would continue under the same Medicare provider agreement.
Additionally, the hospital certified that its state’s law did not require a certificate of need for new construction, but any structural changes required prior notice and approval from that state’s health department. The requesting hospital also affirmed that discussions with its state officials confirmed the facility could maintain its existing state licensure after relocation.
Based on the certifications and documentation provided by the hospital, CMS concluded that neither the relocation of the facility nor the addition of an emergency department would run afoul of the Stark Law’s referral and billing prohibitions. Specifically, the hospital would continue to meet the condition at 42 C.F.R. § 411.362(b)(1) as set forth in Stark’s Whole Hospital Exception.
Five Key Considerations for Hospital Leadership
One of the leading takeaways from the advisory opinion is CMS’s emphasis on a hospital’s continuity in legal identity, services, structure, and ownership when making a “whole hospital exception” determination. But beyond its specific facts, the opinion also serves as an important reminder for hospital administrators, compliance officers, and legal counsel of physician-owned hospitals that even operational changes—like relocation or new departments—can trigger significant legal and regulatory scrutiny.
Here are five strategic considerations hospital leadership should keep in mind:

Maintain Continuity: Ensure Medicare provider agreements, tax IDs, and licensure remain uninterrupted during transitions.
Document Everything: Detailed certifications and planning are crucial for regulatory assurance.
Avoid Ownership Changes: Even minor shifts in physician ownership could threaten compliance with the Whole Hospital Exception.
Engage Regulators Early: Involve CMS and state departments of health well in advance of any move or structural change.
Seek Advisory Opinions: Where doubt exists, requesting a formal CMS advisory opinion can offer clarity and protection.

FCC Opposes Effort to Re-Open One-to-One!: “The Government Has Decided Not to Seek Further Review of This Court’s Panel Decision Vacating an FCC Rule”

The FCC filed its brief responding to the effort of the National Consumers League to bring the TCPA one-to-one consent rule back from the dead.
In its filing today, the FCC affirmatively stated it will NOT challenge the Eleventh Circuit’s ruling and will oppose any effort by any other entity to do so:
The government has decided not to seek further review of this Court’s panel decision vacating an FCC rule. Allowing the Proposed Intervenors to become parties at this late stage, only to continue litigation that the government has decided no longer to pursue, would undermine the government’s prerogative to direct the course of this case.
Wow!
While everyone assumed (correctly) the FCC would not take any steps to defend the one-to-one ruling in the wake of the Eleventh Circuit’s IMC opinion this was its first direct public statement confirming as much.
The Commission goes on to argue the intervention effort is too late and the court should deny the discretionary request regardless and defer to the government’s decision not to appeal or challenge the ruling.
Really fascinating stuff. Can’t wait to see the ruling here.
Full brief available here: FCC brief

Federal Crypto Ownership: Compliance Implications of the Strategic Bitcoin Reserve and U.S. Digital Asset Stockpile

Following President Trump’s March 6 Executive Order establishing a Strategic Bitcoin Reserve and U.S. Digital Asset Stockpile, federal agencies and market participants may begin to grapple with the operational and compliance implications of the federal government’s proposed foray into crypto ownership and stewardship. While many of the program’s details remain under development, the initiative raises questions related to governance, custody, disclosure, and alignment with existing financial and national security laws.
As the U.S. begins to treat digital assets not just as speculative instruments, but as components of sovereign infrastructure, various compliance obligations—some existing, others emerging—will come into play.
Asset Classification and Oversight
Federal agencies charged with oversight of crypto markets—including the SEC, CFTC, FinCEN, and the IRS—will likely need to coordinate with the Presidential Working Group on Digital Asset Markets (previously discussed here), which the executive order references as a key platform for developing operational standards for the reserve. This could include initiatives such as (i) developing inter-agency compliance protocols for classification and treatment of different digital assets, and (ii) addressing whether sovereign ownership triggers obligations under existing securities, commodities, or money transmission laws when assets are transferred, staked, or deployed in decentralized finance protocols to generate yield.
Custody, Security, and Risk Controls
Federal crypto assets are currently held under a patchwork of custody arrangements, often involving third-party custodians retained by the DOJ and U.S. Marshals Service (previously discussed here). The strategic reserve initiative may prompt more formalization and regulation of public-sector crypto custody, including:

Implementation of multi-signature wallets and layered access controls;
Segregated storage of assets across agencies, or centralized consolidation under a single federal custodian;
Audit process for confirming provenance and security of network hardware components used to hold and transfer the digital asset reserve; and
Mandated internal controls and periodic auditing of wallet activity, private key management, and access logs.

Anti-Money Laundering, Sanctions, and Forfeiture Frameworks
As the federal government expands its digital asset holdings, it must maintain robust anti-money laundering (AML) and sanctions compliance for both seized and strategically acquired assets. This could include:

Screening assets and counterparties for exposure to OFAC-sanctioned jurisdictions or wallet addresses;
Establishing procedures for chain-of-custody documentation in asset acquisition or liquidation; and
Determining whether assets acquired through strategic procurement (rather than through seizure in connection with illicit activities) require new reporting or risk management practices under the Bank Secrecy Act and Patriot Act.

Furthermore, to the extent the Digital Asset Stockpile includes tokens used in DeFi protocols or cross-border settlement, further questions arise regarding whether the government must comply with evolving international AML and counter-terrorist financing standards.
Putting It Into Practice
The creation of a Strategic Bitcoin Reserve and Digital Asset Stockpile marks a dramatic turnaround in how the federal government engages with crypto assets—not only as a regulator, but now as a market participant, custodian, and price maker. As this strategy unfolds, agencies and contractors involved in its implementation will need to build robust compliance infrastructures informed by existing financial laws, agency protocols, and national security objectives.

Auto Insurer Settles With New York AG Over Insurance Application Platform Security Issues

The New York Attorney General recently entered into an assurance of discontinuance with Root Insurance Company following a 2021 data incident. According to the AG, the threat actors obtained people’s drivers’ license numbers by exploiting a website error on its car insurance application portal. Namely, upon entering a publicly available name and address, the site would generate a prefilled PDF that included that person’s drivers’ license number, which numbers were pulled from third-party databases. Threat actors used an automated bot to exploit this vulnerability, and gathered drivers’ license numbers of 44,449 New Yorkers (more than half of the total 72,852 people impacted). The threat actors then used many of these people’s information to file fake unemployment claims with New York, which according to the AG, was the goal of the attack.
According to the AG, the company was not aware of the design feature issue. Instead, the situation was discovered when company personnel noticed unusual application activity. Upon discovery, the company took measures to address the issue, including using CAPTCHA to ensure the application was made by a human, and masking the license numbers. The AG nevertheless brought this case, claiming that the incident occurred because the company did not have appropriate risk assessment measures in place to identify the design error. It also should have, according to the AG, used measures like masking sensitive data and detecting and deterring automated traffic. These failures, it alleged, constituted a violation of the state’s data security law, which requires that companies develop, implement and maintain “reasonable safeguards” to protect covered information. This information includes names and drivers’ license numbers.
Similar to past settlements, the AG required that the company implement additional security measures (see, for example, our posts about settlements with a social media app last month, ENT in December 2024, a biotech company in mid-2024, and Herff Jones in 2022). Included in these are developing and maintaining a written information security program, designating a chief information security officer to oversee the program, engaging in network monitoring and employing multi-factor authentication, and maintaining compliance records for six years that the attorney general can access. The company has also agreed, among other things, to develop a data inventory, have a written process to ensure secure software development processes, to monitor network activity, and to promptly investigate suspicious activity. The company has also agreed to pay $975,000.
Putting it Into Practice: This settlement outlines expectations from the New York attorney general of the proactive measures it believes companies should have in place if handling sensitive personal information. As companies launch new platforms, or revamp existing ones, this is a reminder to think not only about platforms where they collect personal information directly from individuals, but also where that information might be gathered from third party sources.
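The two safeguards the AG pointed to, masking sensitive data and detecting automated traffic, shown as an added example that is not from the original post or the company's systems. The field names, client identifier, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed look-back window
MAX_IDENTITIES = 3     # assumed: distinct applicants one client may prefill per window

def mask_license(number, visible=4):
    """Mask all but the last `visible` characters of a license number."""
    number = number.strip()
    if len(number) <= visible:
        return "*" * len(number)
    return "*" * (len(number) - visible) + number[-visible:]

def build_prefill(record):
    """Copy a third-party lookup record for display, masking the license number."""
    safe = dict(record)  # leave the source record untouched
    safe["license_number"] = mask_license(record["license_number"])
    return safe

def flag_enumeration(events, window=WINDOW_SECONDS, limit=MAX_IDENTITIES):
    """Return clients that requested prefill for more than `limit` distinct
    name/address pairs within any `window`-second span."""
    recent = defaultdict(deque)  # client -> (timestamp, identity) pairs in window
    flagged = set()
    for ts, client, name, address in sorted(events):
        queue = recent[client]
        queue.append((ts, (name.lower(), address.lower())))
        while ts - queue[0][0] > window:  # drop entries older than the window
            queue.popleft()
        if len({identity for _, identity in queue}) > limit:
            flagged.add(client)
    return flagged

# Constructed sample events: (epoch seconds, client id, name, address)
SAMPLE_EVENTS = [
    (1000, "client-a", "Pat Doe", "1 Main St"),
    (1400, "client-a", "Pat Doe", "1 Main St"),   # same applicant retrying
    (2000, "client-b", "Ann Lee", "2 Oak Ave"),
    (2010, "client-b", "Bob Ray", "3 Elm Rd"),
    (2020, "client-b", "Cy Fox", "4 Pine Ct"),
    (2030, "client-b", "Di Kim", "5 Ash Ln"),     # fourth identity in 30 seconds
    (2040, "client-b", "Ed Orr", "6 Fir Way"),
    (3000, "client-c", "Flo Vu", "7 Bay St"),     # agent quoting slowly
    (4000, "client-c", "Gus Ng", "8 Cove Dr"),
    (5000, "client-c", "Hal Yu", "9 Dune Pl"),
    (6000, "client-c", "Ivy Zo", "10 Eddy Rd"),
]

if __name__ == "__main__":
    print(build_prefill({"name": "Pat Doe", "license_number": "D12345678"}))
    print(sorted(flag_enumeration(SAMPLE_EVENTS)))
```

Counting distinct identities per client, rather than raw request volume, keeps a single applicant who retries a form below the threshold while still surfacing a client that cycles through many names and addresses.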

ONE WEEK AWAY: Critical FCC TCPA Dates Coincide on April 11, 2025– Are YOU Ready?

So Friday April 11, 2025 is shaping up to look a lot like January 24, 2025.
TCPAWorld followers readily recall the adventures of late January. With time ticking to a close before the effective date of TCPA one-to-one consent the FCC issued a last second stay of the ruling before the Eleventh Circuit struck it down 20 minutes later– at 4:55 pm the business day before it became effective!
Well if the FCC has something similar up its sleeve for the next big TCPA ruling set to go into effect they have not let on–and time is again running slim. But the TCPA revocation ruling isn’t the only thing hanging in the balance right now as April 11, 2025 looks to be a real red-letter date for TCPAWorld.
Most importantly, of course, next Friday is the effective date of the FCC’s DISASTROUS new revocation rules. Again for anyone who is not aware a revocation of ANY informational consent (e.g. a stop to an MFA or alert) will require revocation of ALL TCPA consent across all business units, channels and purposes for that phone number.
This is INSANE folks and I guarantee you a majority of companies are not ready.
I think a lot of folks are banking on a last minute FCC stay–and it certainly could happen– but I haven’t seen anything solid to that effect. And unlike last time Puja and I are NOT flying to D.C. for any last second meetings.
So the fate of the world is in someone else’s hands… (let’s hope they don’t screw it up.)
But April 11, 2025 is also the deadline for comment on the Delete, Delete, Delete effort. You can expect R.E.A.C.H. to weigh in and demand a destruction of the entire call blocking and labeling safe harbor framework and an end to the TCR and 10DLC registration process (Infobip is driving everyone nuts.)
These companies are operating beyond the law to prevent access to SMS channel communication to companies at a massive scale– censoring COMPLETELY LEGAL speech and running roughshod over COURT ORDERS striking down the one-to-one rule. It is INSANE.
Will the Commission do anything about it? So far no action on the critical R.E.A.C.H. petition on the subject– let’s hope that changes.
But bottom line–April 11, 2025 will be a huge day. Stay tuned…

The DOJ’s Final Rule on Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons

On December 27, 2024, the Department of Justice (the “DOJ”) issued its final rule (the “Rule”) carrying out Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Rule is designed to prevent access to certain categories of U.S. data by China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela (collectively, “Countries of Concern”), as well as foreign entities or individuals with significant ties to these nations (“Covered Persons”) and will take effect on April 8, 2025.
Scope
The Rule applies to U.S. government-related data and the following categories of U.S. sensitive personal data, each as defined in the Rule (collectively, “Covered Data”):

Precise geolocation data
Biometric identifiers
Human ‘omic data
Personal health data
Personal financial data
Personal identifiers

The Rule sets out bulk thresholds applicable to each of these categories of U.S. sensitive personal data. There is no bulk threshold applicable to U.S. government-related data. Notably, the Rule applies to bulk U.S. sensitive personal data regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted.
Under the Rule, transactions involving Covered Data with Countries of Concern or Covered Persons are categorized as: (1) Prohibited Transactions; (2) Restricted Transactions; or (3) Exempt Transactions, as detailed below:

Prohibited Transactions: The Rule prohibits the following:

Countries of Concern / Covered Persons: Any transaction of Covered Data involving data brokerage (e.g., sale, licensing, or other similar commercial transaction) with a Country of Concern or Covered Person;
Foreign Persons that are not Covered Persons: Any transaction of Covered Data involving data brokerage with a foreign person that is not a Covered Person unless certain requirements are met as set out in the Rule.

Restricted Transactions: The Rule prohibits the following, unless the U.S. entity conducting the data transaction complies with the Rule’s security and other requirements:

Any transaction of Covered Data with Countries of Concern or Covered Persons involving a/an (i) vendor agreement, (ii) employment agreement, or (iii) investment agreement (each as defined in the Rule).

Exempt Transactions: Certain data transactions are exempt from these prohibitions and restrictions, subject to specific conditions.

Compliance Deadlines

The Rule takes effect on April 8, 2025.
Additional diligence requirements for Restricted Transactions become enforceable beginning on October 6, 2025.

Implications & Next Steps
The Rule, designed to address risks to U.S. national security posed by access to sensitive data by foreign adversaries, is broad in its scope and regulates data transactions through a framework that deviates significantly from existing data privacy protection laws. The DOJ has stated it intends to issue additional guidance on the Rule’s requirements. We continue to monitor developments with respect to the Rule.
The Rule has significant implications for businesses handling sensitive data and engaging in cross-border data transactions. Organizations should assess their data-sharing and receiving practices, ensure compliance with the Rule’s requirements, and avoid Prohibited Transactions.
Correct application of the Rule requires careful analysis.