At Long Last – The FAR CUI Rule is Here!
The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.
History and Development of the FAR CUI Proposed Rule
This rule stems from Executive Order 13556, Controlled Unclassified Information (the “CUI Executive Order”) from November 2010, which sought to address the patchwork system of marking and handling unclassified information across executive branch agencies. On September 14, 2016, the National Archives and Records Administration (“NARA”) issued a final rule (81 FR 63324) to establish a uniform policy for agencies on CUI. This rule became effective on November 14, 2016, but the CUI Program still needed to be incorporated into the acquisition process via the FAR to establish contractual requirements for Federal contractors.
In January 2017, following release of NARA’s final rule, the FAR Council introduced FAR Case 2017-016, Controlled Unclassified Information, which served as the placeholder for the current FAR CUI Proposed Rule. We saw no real developments until just this month. In the meantime, the Department of Defense (“DoD”) implemented the CUI Program for its contractors through DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This provision requires “adequate security” for covered defense information; implements incident reporting, investigation, and preservation requirements; and includes a flow down requirement to subcontractors. The DFARS clause applies only to defense contractors and subcontractors, but serves as the model for the new FAR CUI Proposed Rule (although, as discussed below, there are significant differences).
The proposed rule has implications for all contractors that do business with the Federal government and provides guidance to clarify contractor obligations for safeguarding and handling CUI.
Key Updates and Impact on Federal Contractors
Defining and Safeguarding Controlled Unclassified Information
The proposed rule includes the standard definition of CUI as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Key here, the proposed rule further includes a list of information that is not CUI, which includes:
Classified information;
Covered Federal information;
Information a contractor possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency (see 32 CFR 2002.4); or
Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189.
The proposed rule further imposes safeguarding requirements for CUI held in both federal and non-federal systems, as follows:
Non-federal systems/contractor information systems must be compliant with NIST SP 800-171 Rev. 2;
Contractors must comply with agency-identified security requirements for Federal information systems (derived from NIST SP 800-53);
Cloud service providers must comply with FedRAMP Moderate requirements; and
Any additional special safeguarding requirements, as applicable.
Additionally, the proposed rule includes explicit training requirements. Contractors must ensure employees have completed training on properly handling CUI prior to doing so. Contractors are required to provide evidence of employee training upon request, though such requests are expected to be limited. For example, a Contracting Officer may inquire about training after an incident. Such evidence of CUI training may include the contractor’s system security plan and/or annual employee training certificates.
New Standard Form to Identify CUI Requirements for Contracts
The proposed rule introduces a new Standard Form (“SF XXX”) to be completed by agencies that will identify CUI and define relevant handling requirements for each contract. Of note, the proposed rule states that contractors will be required to safeguard only the CUI identified in the Standard Form and offerors and contractors will not be responsible for identifying or marking unmarked or mismarked CUI not already identified in the Standard Form. However, offerors are requested and contractors are required to notify the Contracting Officer within 8 hours of discovering any unmarked CUI, mismarked CUI, or any CUI that is not identified on the Standard Form, though this is expected to be rare.
Incident Reporting and Response Requirements
The proposed rule defines a “CUI incident” as “suspected or confirmed improper access, use, disclosure, modification, or destruction of CUI, in any form or medium.” This new definition is different from the definition of “cyber incident” in DFARS 252.204-7012. Notably, the rule specifies that unmarked or mismarked CUI is not considered a CUI incident unless the mismarking or lack of marking has resulted in the mishandling or improper dissemination of the information.
Per the proposed rule, contractors must report any suspected or confirmed “CUI incident” within 8 hours of discovery.
The proposed rule includes a statement that if a contractor is determined to be at fault for an incident (for example, due to not safeguarding CUI in accordance with contract requirements), the contractor may be financially liable for government costs incurred in the response and mitigation effort.
Defining Types of Information – Covered Federal Information
Another key update in the proposed rule is an overarching change in the FAR to use the term “covered Federal information” instead of “Federal contract information,” which currently is defined in FAR 52.204-21 and used in materials underlying the DoD’s CMMC program.
The updated definition for “covered Federal information” is “information provided by or created for the Government, when that information is other than—
Simple transactional information (such as that necessary to process payments);
Information already publicly released (such as on public websites), or marked for public release, by the Government;
Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189;
Controlled unclassified information (CUI); or
Classified information.”
Covered Federal information is not required to be marked or identified by the government. However, some administrative markings (such as “draft,” “deliberative process,” “pre-decisional,” or “not for public release”) can indicate that the information is covered federal information, within the meaning of the term.
Updates Relating to Treatment of Contractor Proprietary Information
The proposed rule addresses an issue contractors have struggled with when trying to interpret CUI requirements for their internal information or information they create. This rule provides that offerors or contractors should identify and mark their bid or proposal information, proprietary business information, and/or contractor-attributional information to ensure the information is adequately protected under the proposed rule. The government will determine whether such information provided by offerors or contractors is to be protected as CUI internally or is entitled to other protections. The Standard Form will identify any contractor CUI marking requirements under the contract.
New FAR Clauses
The proposed rule introduces a new FAR solicitation provision and two new FAR clauses. Contracting officers will add the following for all solicitations and contracts, except for procurements solely for commercially available off the shelf (COTS) products:
FAR 52.204-WW, Notice of Controlled Unclassified Information Requirements: A new solicitation provision that informs offerors of requirements on restricted use of Government-provided information, appropriately identifying sensitive offeror-provided information, and procedures to notify the Government of unmarked or mismarked CUI.
FAR 52.204-XX, Controlled Unclassified Information: A new FAR clause that will be inserted in solicitations and contracts where the government expects the contractor will handle CUI. The clause requires contractors to comply with applicable CUI safeguarding, training, and incident response requirements and must be flowed down to subcontractors.
FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information: A new FAR clause that will be inserted in solicitations and contracts where the agency indicates on the Standard Form that CUI is not involved in the performance of the contract. Even where CUI is not expected to be involved, contractors will have requirements to notify the government if they discover CUI during performance. This clause must be flowed down to subcontractors.
Conclusion & Next Steps
The rule is currently in the “proposed rule” phase, with a 60-day public comment period that is currently open and scheduled to close on March 17, 2025. Federal contractors, especially those not already subject to DFARS 252.204-7012 requirements, should prioritize reviewing this proposed rule and further consider submitting comments to address questions or concerns relating to these new requirements.
This proposed rule represents a significant step towards standardizing the protection of CUI across Federal agencies. All Federal contractors, beyond just those DoD contractors already subject to DFARS 252.204-7012, will be subject to these uniform cybersecurity standards. When preparing for these changes, it is crucial to stay informed and proactive in understanding the implications of the proposed rule to maintain compliance and secure contractual relationships. By doing so, Federal contractors can better navigate the evolving cybersecurity landscape and continue to fulfill obligations in a secure and efficient manner.
Sidney Howe also contributed to this article.
Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident
In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
The Incident
In a December 30, 2024 letter, Treasury Officials notified lawmakers of a “major incident” in which Chinese state-sponsored hackers stole Treasury documents. The letter explained that on December 8, 2024, the Treasury Department was notified by BeyondTrust, a CSP responsible for providing remote technical support to Treasury Departmental Offices (“DO”), that a threat actor had gained unauthorized access to a key used by BeyondTrust to secure its cloud service. With the stolen key, the threat actor was able to bypass security protocols to remotely access specific Treasury DO workstations, potentially exposing unclassified documents maintained by the users of those systems.
Interestingly, BeyondTrust holds a security authorization under the Federal Risk and Authorization Management Program (“FedRAMP”). FedRAMP is a government program designed to ensure that CSPs meet rigorous security requirements for the handling of federal data and includes similarly rigorous continuous monitoring and reporting requirements. BeyondTrust’s authorization indicates that it met these requirements.
However, this breach illustrates a critical point: meeting government security requirements does not guarantee immunity from security incidents. Cybersecurity threats are constantly evolving, and no system—no matter how secure it may seem at a particular moment—can be completely free from risk. All companies, even organizations that have been cleared through rigorous government-imposed security standards like FedRAMP, must be continuously vigilant and proactive.
Key Takeaways for Organizations Relying on Third-Party CSPs
Government Security Standards Are Not a Guarantee Against Breaches: While government security certifications such as FedRAMP provide an important benchmark for evaluating third-party vendors, they should not be seen as a one-and-done solution. Security threats are dynamic and evolve rapidly, meaning that entities must remain vigilant and continuously evaluate and update their security protocols. This particular incident serves as an important reminder that security is a continual process, not a final checkbox.
Thorough Vetting of Third-Party Providers Is Essential: The Treasury Department incident is also a reminder of the importance of thorough, ongoing vetting of third-party CSPs. Simply confirming a CSP’s compliance with FedRAMP (or other security standards) should not be the end of the due diligence process. Entities must assess whether their third-party providers have robust security measures in place, including continuous monitoring, rapid incident response protocols, and regular updates to their security infrastructure. This is especially important when the service provider holds access to critical systems or sensitive data.
Collaboration and Transparency Are Critical in the Event of a Breach: BeyondTrust’s prompt notification to the Treasury Department highlights the importance of transparency and communication between service providers and their clients when an incident occurs. Quick and clear communication can help mitigate the damage from a breach and allow organizations to respond more effectively. It also underscores the importance of ensuring that third-party vendors have comprehensive and well-practiced incident response protocols in place.
Conclusion
The recent breach of the Treasury Department’s technical support systems, facilitated by a compromised security key from BeyondTrust, serves as an important reminder of the ever-present risks in the cybersecurity supply chain. While third-party CSPs, such as BeyondTrust, may meet rigorous government standards, such actions reduce, but do not eliminate, risk.
Organizations must recognize that cybersecurity is not static, and the reliance on third-party providers necessitates thorough, ongoing risk assessments and proactive security measures. As cyber threats continue to evolve, so too must the strategies used to safeguard sensitive systems and data. Vetting CSPs should be a continuous process, and security should always be viewed as a shared responsibility between organizations and their third-party vendors.
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule
A 2023 Federal Communications Commission (FCC) Order interpreted the Telephone Consumer Protection Act as requiring that consumers provide specific one-to-one consent to receive robocalls. The purpose was to fill what the FCC called the “marketing partner” gap, which allowed marketers to obtain consent from consumers by checking a box applying to multiple, often unrelated, callers. The Order was to go into effect on January 27, 2025.
But on Friday, January 24, 2025, three days before the Order’s effective date, the Eleventh Circuit Court of Appeals stopped the FCC Order in its tracks. Perhaps signaling how Loper Bright will broadly affect federal agency regulations, the Court ruled that the 2023 Order exceeded the FCC’s statutory authority under the TCPA to interpret the phrase “prior express consent” beyond the plain meaning of the words.
In Insurance Marketing Coalition Limited v. Federal Communications Commission, — F.4th — (11th Cir. 2025), the Court held that while Congress gave the FCC the power to “implement” the TCPA, it did not give the FCC authority to add requirements to the statute that are not there; in this case, interpreting “prior express consent” to require that consent be given on a one-to-one basis, meaning that giving consent to a list of “marketing partners” would no longer be effective.
The 2023 FCC Order at issue interpreted “prior express consent” in the TCPA to include two new restrictions for telemarketing and advertising robocalls. The first declared that “consumers cannot consent to receive robocalls . . . from more than one entity at a time” – the one-to-one consent requirement. Insurance Marketing Coalition Limited, — F.4th —, at *4. The second restriction declared that “consumers cannot consent to receive robocalls whose subject matter is not logically and topically related to, for example, the website on which the consumer gives consent”; e.g., a consumer giving consent to receive calls concerning car loans does not consent to calls concerning loan consolidation. Id. The Insurance Marketing Coalition argued that the FCC exceeded its statutory authority under the TCPA because both of these requirements “impermissibly conflict with the ordinary statutory meaning of ‘prior express consent.’” Id. at *5. The Eleventh Circuit granted IMC’s petition for review, vacated the FCC’s requirements, and remanded for further proceedings.
Perhaps coincidentally, this ruling follows an FCC order, also entered on January 24, 2025, staying implementation of the 2023 Order to the shorter of (1) January 26, 2026, or (2) the Eleventh Circuit’s decision, discussed above. Given this ruling, it is likely the FCC will issue a supplemental order, staying implementation indefinitely. This ruling also follows recent jurisprudence under Loper Bright, which overturned Chevron deference and, as a result, has expanded the judiciary’s power to review and reject interpretations of statutes adopted by federal administrative agencies. The impact of Loper Bright is significant, with numerous similar regulatory challenges likely to come in the near future.
Most notably, while the Eleventh Circuit stated that one of the FCC’s foundational interpretations of the TCPA was “not at issue in this case,” see id. at n. 1, it’s hard to avoid the conclusion that the FCC’s 2012 regulation finding that for TCPA purposes, “prior express consent” meant, in the context of telemarketing or advertising, “prior express written consent,” is at serious legal risk of being overturned. 47 C.F.R. § 64.1200(a)(2), (3), In the Matter of Rules and Regulations Implementing the Tel. Consumer Prot. Act of 1991, 27 FCC Rcd. 1830, 1831 (2012) (italics added). There is a strong argument that if Congress had meant that “prior express consent” be in writing, it would have said so, and that this is another example of the FCC adding requirements that go beyond the “plain meaning” of the words in the statute. For better or worse, the Insurance Marketing Coalition opinion will provide substantial support to efforts to remove “written” from the consent requirement, easing the burden on telemarketers to prove consent in TCPA cases.
White House Temporarily Pauses Certain Federal Financial Assistance Programs But U.S. District Judge Pauses Pause Until February 3
On January 27, the White House ordered a temporary pause, via an internal memorandum, on certain grants and loans disbursed by the federal government in order for each federal agency to review their federal financial assistance programs to identify if any of those programs have been impacted by President Trump’s Executive Orders.1
OMB has stated that any program that is not implicated by the above-referenced Executive Orders is not subject to the funding freeze. The temporary pause was set to take effect January 28, 2025, at 5 PM EST, but was stayed by U.S. District Court Judge Loren AliKhan until February 3, 2025, at 5 PM EST. Judge AliKhan issued the stay in order to maintain the status quo while further litigation plays out. The original pause would have temporarily impacted the National Telecommunications and Information Administration’s (NTIA) Broadband Equity, Access, and Deployment (BEAD) Program and the Federal Communications Commission’s (FCC or Commission) USF Programs, including the Lifeline Program, while those programs are reviewed.
Bottom Line: The White House was set to temporarily pause federal financial assistance programs that are implicated by certain Executive Orders. However, U.S. District Court Judge AliKhan issued an administrative stay of the temporary pause until February 3, 2025, at 5 PM EST. As we await clarification from the FCC and NTIA, as well as the courts, it is unclear how long this funding freeze will last if it is implemented after February 3. In the short term, it may temporarily impact the funding stream of the federal broadband programs such as the FCC’s USF Programs, the Secure Networks Act Reimbursement Program, and NTIA’s BEAD Program. But luckily for USF recipients, Universal Service Administrative Company (USAC) payments will be processed this Friday, January 31, 2025, before the temporary funding freeze is implemented. Federal agency reports are currently still due by February 10, 2025, but OMB has noted that the temporary pause for certain programs could be as short as a day depending on the agency’s ability to coordinate with OMB. Furthermore, OMB states that any payment required by law will be paid without interruption or delay.
Background
Since being sworn into office, President Trump has issued a series of executive orders covering various issues such as trade, immigration, U.S. foreign aid, energy, civil rights, federal worker requirements, and health care. While some of the executive orders are more symbolic, others do have immediate policy impacts.
Federal Funding Freeze
The White House issued a temporary funding freeze on all federal financial assistance programs until federal agencies have determined the impact of President Trump’s Executive Orders on such programs, effective January 28, 2025, at 5 PM EST.2 Specifically, under the now-stayed White House memorandum, each federal agency is required to complete and submit a comprehensive analysis to the Office of Management and Budget (OMB) by February 10, 2025, identifying programs, projects and activities that may be implicated by any of President Trump’s Executive Orders, including “financial assistance for foreign aid, nongovernmental organizations, DEI, woke gender ideology, and the green new deal.” This temporary freeze would also apply to all activities associated with open Notices of Funding Opportunity, such as conducting merit review panels.
The White House memorandum explains that this temporary funding freeze will provide the Administration time to review federal agency programs and “best uses of the funding for those programs consistent with the law and the President’s priorities.” But before conducting their analysis, federal agencies must identify any legally mandated obligations for their assistance programs that will arise during the temporary pause and report such information to OMB. The funding freeze would remain intact for federal agencies until OMB has reviewed the submitted information and provided guidance to such agency.
Federal Agency Review
In conducting the comprehensive analysis, federal agencies for each federal financial assistance program must assign responsibility and oversight of the analysis to a senior political appointee to ensure that the financial assistance conforms to Administration priorities. In addition, each federal agency must: (1) review any currently pending programs to ensure that Administration priorities are addressed; (2) modify in accordance with Administration priorities any unpublished financial assistance announcements, subject to statutory authority; and (3) withdraw any announcements already published consistent with Administration priorities. Federal agencies have also been directed to initiate investigations when warranted to identify any underperforming federal financial assistance recipients and cancel awards that are in conflict with Administration priorities.
Exceptions
The memorandum states that OMB is allowed to grant exceptions to this temporary freeze, on a case-by-case basis, for federal agencies to issue new awards or take other actions. It is possible that the USF program and Secure Networks Act Reimbursement Program will fall under this exception. Furthermore, to the extent required by law, federal agencies would be allowed to continue certain activities such as the closeout of Federal awards, pursuant to 2 C.F.R. 200.344, or maintaining certain recording obligations.
Additional OMB Guidance
OMB issued additional guidance noting that any program not implicated by the following Executive Orders is not subject to the funding pause: (1) Protecting the American People Against Invasion (Jan. 20, 2025); (2) Reevaluating and Realigning United States Foreign Aid (Jan. 20, 2025); (3) Putting America First in International Environmental Agreements (Jan. 20, 2025); (4) Unleashing American Energy (Jan. 20, 2025); (5) Ending Radical and Wasteful Government DEI Programs and Preferencing (Jan. 20, 2025); (6) Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (Jan. 20, 2025); and (7) Enforcing the Hyde Amendment (Jan. 24, 2025). While reports are due to OMB by February 10, 2025, from each federal agency, OMB will continue to work with federal agencies to determine whether certain federal financial assistance programs are implicated by the above-referenced Executive Orders. Thus, the funding pause for a particular program could be as short as a day. OMB has already approved an undisclosed number of federal financial assistance programs to continue their funding processes even before the pause would have gone into effect.
Administrative Stay of Funding Freeze
U.S. District Court Judge AliKhan has issued an administrative stay of the White House’s temporary funding freeze that was set to be effective January 28, 2025. However, Judge AliKhan’s administrative stay will expire on February 3, 2025, at 5 PM EST. Judge AliKhan reasoned that the administrative stay was necessary to maintain the status quo while further litigation on the White House’s funding freeze is ongoing.
Nonprofit and public health organizations had argued that the funding freeze could result in devastating outcomes for people who rely on federal funds and intruded on First Amendment rights by seeking to block funding for groups that engage in DEI programs. In response, the U.S. government argued that the organizations failed to show that they needed an immediate halt to the temporary pause on federal financial assistance and that the OMB’s additional guidance alleviated concerns about cutting off essential programs. Nonetheless, Judge AliKhan ruled that the temporary pause on federal financial assistance has a “specter of irreparable harm.”
Impact on Broadband-Related Programs
We note that after President Trump’s separate Executive Order titled Unleashing American Energy, which directed federal agencies to pause Inflation Reduction Act and Infrastructure Act funding related to the energy sector, OMB provided guidance on January 21, 2025 that this Executive Order only applies to certain energy projects, not broadband-related spending. We believe further guidance will also be forthcoming from OMB and the FCC. However, it appears that the DEI Executive Order will impact Infrastructure Act programs such as NTIA’s State Digital Equity Planning Grant Program, State Digital Equity Capacity Grant Program, and Digital Equity Competitive Grant Program which all have DEI elements.
Since the BEAD Program is separately funded under the Infrastructure Act from the broadband-related State Digital Equity programs, the DEI aspects of those programs will not impact the BEAD Program. But there are certain DEI initiatives required under the BEAD NOFO, such as requiring that states and territories coordinate with their local communities, Tribal governments, and worker organizations to ensure full representation by underrepresented communities throughout the planning and deployment process, that could be impacted by NTIA’s review. At the least, during any temporary funding freeze, because States and Territories are not subject to the Executive Order, state and territory broadband offices should be able to continue conducting their BEAD Program-related processes until federal funding is needed to award selected broadband projects. It is also unclear whether other NTIA programs such as the Tribal Broadband Connectivity Program will be impacted by President Trump’s Executive Orders due to what may be characterized as DEI goals. Arguably, this program is geographically based and provides benefits to anyone living on Tribal land regardless of ethnicity.
Regarding the FCC’s federal financial assistance programs, without clarification from the Commission, it is unclear how President Trump’s Executive Orders will impact the FCC’s funding programs. It is especially unclear whether programs such as the Secure Networks Act Reimbursement Program will even be subject to the funding freeze as reimbursements do not clearly fall within the federal regulation’s definition of federal financial assistance.3 However, the temporary freeze could have delayed the receipt of funds for recipients of the FCC’s USF Programs that depend on frequent disbursements from USAC given that the next one is scheduled for January 31, 2025, but such recipients got a reprieve due to the temporary stay, which lasts at least until Monday, February 3.
We will provide updates as they become available.
1 The listed Executive Orders include Protecting the American People Against Invasion (Jan. 20, 2025), Reevaluating and Realigning United States Foreign Aid (Jan. 20, 2025), Putting America First in International Environmental Agreements (Jan. 20, 2025), Unleashing American Energy (Jan. 20, 2025), Ending Radical and Wasteful Government DEI Programs and Preferencing (Jan. 20, 2025) (“DEI”), Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (Jan. 20, 2025), and Enforcing the Hyde Amendment (Jan. 24, 2025).
2 The White House memorandum does note that this pause does not affect assistance programs that provide funds directly to individuals, such as Social Security, Medicare, Medicaid, and SNAP. In addition, funds for small businesses, farmers, Pell grants, Head Start, rental assistance, and other similar programs will not be paused.
3 See 2 C.F.R. 200.1 (“Federal financial assistance means: (1) Assistance that recipients or subrecipients receive or administer in the form of: (i) Grants; (ii) Cooperative agreements; (iii) Non-cash contributions or donations of property (including donated surplus property); (iv) Direct appropriations; (v) Food commodities; and (vi) Other financial assistance…”).
The Impact of AI Executive Order’s Revocation Remains Uncertain, but New Trump EO Points to Path Forward
On January 20, 2025, President Trump revoked a number of Biden-era Executive Orders, including Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“EO 14110”). We previously reported on EO 14110. The full impact of this particular revocation is still being assessed, but Trump’s newly published Executive Order on Removing Barriers to American Leadership in Artificial Intelligence (“Trump EO”), issued on January 23, specifically directs his advisors to “identify any actions taken pursuant to Executive Order 14110 that are or may be inconsistent with, or present obstacles to, the policy set forth in . . . this order.”
EO 14110, issued by President Biden in 2023, called for a plethora of evaluations, reports, plans, frameworks, guidelines, and best practices related to the development and deployment of “safe, secure, and trustworthy AI systems.” While much of the directive demanded action from federal agencies, it also directed private companies to share with the federal government the results of “red-team” safety tests for foundation models that pose certain risks.
Many EO 14110-inspired actions have already been initiated by both the public and private sectors, but it is unclear the extent to which any such actions should be or have already been halted. It is also unclear whether final rules based, even in part, on EO 14110’s directives—such as the Department of Commerce’s Framework for Artificial Intelligence Diffusion and Health & Human Services’ Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing—are or will be affected.
The as-yet unnumbered Trump EO, issued on January 23, directs the Assistant to the President for Science and Technology, the Special Advisor for AI and Crypto, and the Assistant to the President for National Security Affairs, to “review, in coordination with the heads of all agencies as they deem relevant, all policies, directives, regulations, orders, and other actions taken pursuant to the revoked Executive Order 14110 . . . and identify any actions taken pursuant to Executive Order 14110 that are or may be inconsistent with, or present obstacles to, the policy set forth in section 2 of this order.”
Section 2 of the Trump EO provides: “It is the policy of the United States to sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.” Hunton will continue to monitor for more specific indications associated with Executive Order 14110’s revocation and the Trump EO’s implementation and will share updates accordingly.
Eleventh Circuit Vacates TCPA One-to-One Consent Rule on Eve of Effective Date
On Friday, January 24, 2025, just one business day before it was to take effect on January 27, the Eleventh Circuit vacated the Federal Communications Commission’s (FCC) One-to-One Consent Rule that was adopted as an amendment to the Telephone Consumer Protection Act (TCPA) on December 13, 2023. The decision came on the immediate heels of the FCC’s announcement, also on January 24, that it would postpone the effective date of the One-to-One Consent Rule by one year.
One-to-One Consent Rule: Heightened Standard for Prior Express Consent
The TCPA requires businesses to obtain prior express written consent from recipients before initiating any telemarketing or advertising calls or text messages using an “autodialer” or an artificial or prerecorded voice. The One-to-One Consent Rule was particularly notable, and created a lot of uncertainty, because it heightened these consent requirements by requiring:
(1) Express, individual consent for each “seller” (the ultimate marketer), meaning a single consent obtained by an aggregator or lead generator on behalf of multiple sellers would be insufficient.
(2) The content of telemarketing calls and text messages to be “logically and topically” related to and consistent with the interaction that prompted the consent. “Logically and topically” was not defined by the FCC in its rulemaking, creating significant uncertainty in the lead-up to implementation.
For our prior guidance concerning the One-to-One Consent Rule, see our prior client alert on its adoption.
Eleventh Circuit Applied Post-Chevron Scrutiny, Finding FCC Exceeded its Authority
This eleventh-hour ruling was the culmination of litigation in Insurance Marketing Coalition Limited v. FCC, in which oral argument was heard on December 18, 2024. A three-judge panel of circuit judges unanimously ruled that the FCC exceeded its statutory authority under the TCPA because the One-to-One Consent Rule’s new consent restrictions impermissibly conflicted with the ordinary statutory meaning of “prior express consent.”
Applying the Supreme Court’s 2024 ruling in Loper Bright Enterprises v. Raimondo, which overruled the 40-year-old Chevron deference doctrine, the court noted that, when reviewing administrative action, “the reviewing court shall decide all relevant questions of law.” The court therefore concluded it was not bound by the FCC’s 2022 Urth Access decision when it came to determining what it means to give “prior express consent” under the TCPA.
Under the Eleventh Circuit’s analysis, the “one-to-one consent restriction attempts to alter what we have said is the ordinary common law meaning of ‘prior express consent,’” thus exceeding the FCC’s statutory authority to implement the TCPA.
Although the TCPA did not define “prior express consent,” the court explained that its “precedent has filled the void,” and that “prior express consent” means consent that is “clearly and unmistakably granted” before the call (or text).
Prior express consent ordinarily allowed consent to future telemarketing or advertising calls or texts from multiple entities, and did not statutorily require independent and separate consents to receive calls from each individual caller. The court also reasoned that the “logically-and-topically” requirement enhanced and exceeded the meaning of “prior express consent” already included in the statutory language of the TCPA, altering “the specific choices Congress made.”
Uncertain Future of TCPA Consent Challenges
The FCC may directly address the Eleventh Circuit ruling, with administrative changes likely impacting the direction of the Commission and its priorities. Brendan Carr, the senior Republican commissioner on the FCC, who previously served as the FCC’s general counsel, is the new FCC Chairman. (Carr did not require Senate confirmation to assume his role as chair because he was confirmed when he became an FCC commissioner.) Notably, Chairman Carr voted in favor of the One-to-One Consent Rule in 2023 but was the only commissioner who did not provide an accompanying statement.
The One-to-One Consent Rule was intended to eliminate the practice of lead generators obtaining consent on behalf of numerous parties at once. The FCC could revisit the issue of TCPA consent in lead generation and issue a new rule on its own initiative while the original litigation has been remanded for further proceedings.
In the interim, based on the Eleventh Circuit’s focus on “clearly and unmistakably granted” consent, we expect that plaintiffs will focus their challenges to consent based on this framework. But, in any case, businesses should continue to closely evaluate how they obtain leads to ensure that they have obtained appropriate consents, i.e., consents that were stated clearly and unmistakably in a manner consistent with the FCC’s current express written consent requirements.
Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern
On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.
We discussed the development of the new regulation in previous blogs (here and here), and the contours of the final rule are largely unchanged from the proposed rule. In this blog, we focus on some key clarifications and updates in the final rule. Then, we turn to what this final rule means for companies with operations in countries of concern and the questions every company with overseas IT infrastructure should be asking to know if these regulations might apply to them.
1. Updates in the Final Rule
There were no big surprises with the final rule, and it remains largely unchanged from the proposed rule. For the uninitiated, the rule prohibits or restricts a subset of covered transactions by U.S. persons involving covered data with covered persons.[1] The definitions of what is covered remain the same—even the bulk thresholds are the same as the proposed rule. However, below we highlight some of the key developments hidden among the minor clarifications and conforming edits.
1.1. Effective Date and Delayed Compliance Date. The rule sets an effective date of April 8, 2025 for every component of the rule except for specified compliance obligations. Those obligations, which include the due diligence and audit requirements from Subpart J and the reporting and recordkeeping requirements of Subpart K, do not require implementation until October 6, 2025. Those delayed compliance obligations do not encompass the security requirements required for restricted transactions and thus cybersecurity requirements established by CISA should be in place before engaging in any restricted transaction after April 8, 2025.
1.2. Expanded Government-Related Location Data List. The final rule substantially expands the Government-Related Location Data List from the 8 locations in the proposed rule to 736 locations in the final rule. These additional locations consist of commonly known Department of Defense sites and installations, such as bases, camps, posts, stations, yards, centers, or homeport facilities for any ship, ranges, and training areas in the United States and its territories. In its discussion of this list, DOJ acknowledges that it plans to provide this list in a format that would be easy for developers to access and implement (e.g., .csv, .json).
1.3. New definition of human ‘omic data. The final rule creates a new sub-definition of “human genomic data” for “human ‘omic data,” which includes human epigenomic data, human proteomic data, and human transcriptomic data. Those three data categories have a bulk threshold of data on more than 1,000 U.S. persons.[2] These new definitions will have an impact on clinical and predictive research, particularly those implementing AI within their research.
2. Effects of the Regulation
As Assistant Attorney General Matthew Olsen said last year, this regulation is built like sanctions and export controls and is expected to have “real teeth.” Any U.S. company with operations in the identified countries of concern, particularly with overseas IT infrastructure, will need to have a conversation about whether this regulation will affect their business. Companies need to know and understand the following:
What data the company has or collects that might constitute sensitive personal data and/or Government-related data as defined in the regulations;
What business relationships and transactions allow access to the data;
Who internally has access to the data; and
What security measures are in place to protect that data.
For companies impacted by this regulation, those companies will also need to understand how this regulation operates differently from other DOJ regulations and data privacy regulations. Here, DOJ has availed itself of IEEPA penalties, and this regulation operates more like sanctions and export controls. This means the regulation is very compliance-focused as opposed to using case-by-case approaches like CFIUS or Team Telecom. While corporate compliance is a key component of DOJ strategy, as we have seen with the Civil Cyber Fraud Initiative, DOJ is not shying away from enforcement. Further, the FIRS has developed the skillset and prosecutorial experience for reviewing corporate compliance programs. All to say, companies should take the April 8 and October 6, 2025 deadlines seriously.
Finally, companies should understand how this regulation operates differently from other data-related regulations. Chiefly, this is not a privacy regulation; it is a national security regulation. For that reason, the focus is not on the collection of data, but rather on the subsequent sale and/or accessibility of that data. Also, the scope of what is covered data is more limited than what companies may come to expect with state privacy laws. Rather than capture all personally identifiable information (PII), this regulation is concerned with sensitive information. That is to say, information that could be exploitable. However, because the data captured by the regulation is a national security concern, there is no consent exemption, meaning companies cannot have customers opt-out of the regulation’s protection.
While the programmatic compliance requirements (i.e., due diligence, auditing, reporting and recordkeeping) are not required until Q4 of this year, the effective date, and beginning of potential enforcement, is right around the corner on April 8. Additionally, companies will still need to implement the CISA security requirements by April 8 if they intend to continue with restricted transactions. Still, companies should not delay in beginning to build out and implement their compliance programs.
FOOTNOTES
[1] For more details, see our Data, Deals, and Diplomacy, Part II blog.
[2] Human genomic data’s bulk threshold remains the same at more than 100 U.S. persons.
Part one and part two of this series.
FedRAMP Releases New Draft Authorization Boundary Guidance
Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004). FedRAMP’s authorization boundary guidance is “the most frequently requested policy update” as it forms the foundation for determining the scope of review for assessment and authorization. The new draft currently is open for public comment through February 17, 2025.
Refresher
An authorization boundary is defined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-37, Risk Management Framework for Information Systems and Organizations, as “all components of an information system to be authorized for operation by an Authorizing Official and excludes separately authorized systems to which the information system is connected.”
We have been following the FedRAMP authorization boundary guidance for a few years (see our blog here). During this time, the FedRAMP PMO has published the current authorization boundary guidance and two draft versions (Version 2.0 and Version 3.0). In these draft guidance documents, FedRAMP guidance focused on two types of information: (1) Federal data and (2) Federal metadata. Federal metadata was later broken out into several different types of data such as Direct-impact, Indirect-impact, Low and Limited-impact data, and Corporate data. The new draft guidance document largely moves away from use of these data subcategories and instead focuses on providing streamlined requirements for defining the authorization boundary.
New Draft FedRAMP Authorization Boundary Guidance
The new draft authorization boundary guidance seeks to clarify and streamline which systems and data fall within the FedRAMP boundary. The FedRAMP boundary should include all services that:
Handle federal information; and/or
Directly impact the confidentiality, integrity, or availability of federal information.
The new guidance provides the following example of services that are included within the authorization boundary:
This includes all services to be consumed by tenants/customers and the underlying components, infrastructure, and services (including external services), that handle federal information as part of the CSO and the related organizational users operating the service. It also includes privileged security tooling, authentication systems, management/orchestration, and keying material and secrets.
Services not meeting these criteria should be excluded from the authorization boundary, with appropriate justification and risk-based review. Ancillary services posing negligible risk to federal information are explicitly outside the scope. The draft FedRAMP authorization boundary guidance provides the following description of ancillary services that may be outside of the FedRAMP boundary:
Examples of ancillary services that may be outside the FedRAMP boundary include corporate email services, development environments, and customer service systems where a loss of confidentiality, integrity, or availability is not likely to directly affect federal information within the CSO.
One area of focus in the draft FedRAMP authorization boundary guidance is limiting the assessment to services whose compromise could pose significant risks to federal information security (i.e., services that are not FedRAMP authorized). In order to do so, the guidance encourages the reuse of FedRAMP authorized external services to minimize duplication of effort. In other words, the guidance encourages the use of other FedRAMP authorized cloud services to reduce the need for additional assessment of the particular external service. This will allow focus on assessing customer configurations rather than the entire external service.
Requirements for CSPs
The new draft authorization boundary guidance provides requirements for CSPs regarding boundary definition, protection of information, and restrictions on inbound and outbound connections. Below are a few key requirements in the draft:
CSPs must define the FedRAMP boundary to include all relevant services and components that handle federal information and/or directly impact the confidentiality, integrity, or availability of federal information.
CSPs must document components, data flows, encryption, and access points in the System Security Plan.
CSPs must ensure federal information is not reused for shared purposes without customer approval and document information exchange agreements.
CSPs must continuously update boundary documentation as the system architecture evolves and as protections or data flows change. These updates must be made promptly in the SSP, as well as in continuous monitoring reports and Plan of Action and Milestones (“POA&Ms”).
CSPs shall not permit any systems outside the FedRAMP boundary to directly access federal information or make changes to the security of the FedRAMP boundary without approval by the owners of the federal information.
CSPs must document all connections established between the FedRAMP boundary and systems in the environment of operations, including the data types, encryption employed, ports/protocols/services used, the level of access, and the service or component involved.
Companies currently preparing for the FedRAMP authorization process should continue utilizing the current final authorization boundary guidance available on the FedRAMP website. This draft authorization boundary guidance can be used as a reference to inform your analysis to define your authorization boundary.
Role of Independent Assessors
Independent assessors (e.g., third party assessment organizations (“3PAOs”)) are responsible for testing all components within the authorization boundary and evaluating connections to external systems. The Independent Assessor also must validate data flows and ensure they do not pose direct security risks or provide privileged access to federal information.
Conclusion
The new draft FedRAMP authorization boundary guidance aims to enhance the efficiency of the authorization process by clearly defining the scope of assessment and focusing resources on high-risk areas. Feedback from industry will be critical for developing the final guidance that has been years in the making to ensure it meets the needs of all stakeholders while maintaining robust security standards. FedRAMP anticipates multiple rounds of comments for “the most frequently requested policy update” to ensure the appropriate guidance is provided in the final version.
The comment period currently is open until February 17, 2025. Comments can be submitted through various channels, including a discussion forum through GitHub, a public comment spreadsheet available on the draft guidance webpage, and email to [email protected] with subject “RFC 0004 Feedback.”
YOU CAN’T JUST CALL IT A TCPA VIOLATION: The Court Needs Proof, Not a Vague Complaint!
Greetings TCPAWorld!
I’m back with another case update—this time, it’s all about relentless robocalls, a wrong number, and a lawsuit that didn’t go as planned! Few things are more annoying than a relentless robocall—except maybe realizing you’re being hounded for a debt that isn’t yours. Yikes! That’s where a recent New Jersey case caught my attention. So what’s the scoop? Frato v. Cap. Mgmt. Servs. L.P., Civil Action No. 23-4049 (MAS) (JBD), 2025 U.S. Dist. LEXIS 5454 (D.N.J. Jan. 8, 2025) offers important lessons on what it takes to plead a TCPA violation successfully.
Here we have a Plaintiff who allegedly received 29 unwanted calls from Capital Management Services about a debt—but here’s the catch—the debt wasn’t even his. The calls kept coming despite repeatedly telling them they had the wrong person and being on the Do Not Call Registry (“DNCR”). Frustrated, Plaintiff took legal action.
But this is where things start to get into the details. The Court, following precedent from Facebook, Inc. v. Duguid, 592 U.S. 395, 398 (2021), reminded us that to prove the use of an automated telephone dialing system (“ATDS”), you need to show the system could “use a random or sequential number generator to either store or produce phone numbers to be called.”
Plaintiff’s Complaint hit a snag because he basically just stated “upon information and belief” that an ATDS was used. That alone doesn’t cut it. As the Court put it, “[A] complaint must do more than simply parrot the definition” of ATDS when bringing a claim under Section 227(a)(1). Frato, 2025 U.S. Dist. LEXIS 5454, at *7. In other words, Plaintiff needed to show something more than just speculation—actual indicators of automation. The Court noted, in Smith v. Pro Custom Solar L.L.C., No. 19-20673 (KM) (ESK), 2021 WL 141336, at *2 (D.N.J. Jan. 15, 2021), that specific facts suggesting ATDS use might include delays before hearing messages, calls ending with beeps, instructions to call 1-800 numbers, unusual phone numbers, or robotic voices.
But here’s the problem—Plaintiff’s Complaint didn’t include any of these telltale signs. In fact, the only real detail supporting his claim of automation appeared in his opposition brief—not the Complaint itself. That’s a major issue. As the Court pointed out, you can’t amend your Complaint through briefing. See Derieux v. FedEx Ground Package Sys., Inc., No. 21-13645 (NLH)(EAP), 2023 U.S. Dist. LEXIS 10033, 2023 WL 349495, at *2 n.2 (D.N.J. Jan. 20, 2023) (collecting cases). The story’s moral is that if it’s not in the Complaint, it doesn’t count.
Next, the Court also tackled another interesting claim about prerecorded voices. While Plaintiff claimed he received “scripted voicemails of an impersonal nature,” he also described having actual conversations with representatives. What? That contradiction proved destructive to his claim under Section 227(b)(1)(B). If he was having live conversations, how could the calls be prerecorded? The court wasn’t buying it, and neither would the average Joe just hearing that statement.
Perhaps most intriguingly, the Court shot down Plaintiff’s claims under the TCPA’s implementing regulations, 47 C.F.R. § 64.1200, because—plot twist—debt collection calls aren’t considered “telephone solicitations” under the law. The TCPA defines a solicitation as an attempt to encourage a purchase of goods or services. However, the 2008 FCC ruling clarifies that debt collection calls fall outside those restrictions. See In re Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 23 FCC Rcd. 559, 565 (2008). So, while Plaintiff may have been annoyed by the calls, the law doesn’t treat debt collection the same way it treats telemarketing. This is key here to remember.
The good news for Plaintiff? Well, the Court dismissed his claims without prejudice, giving him another bite at the apple to plead his case with more specific facts. Frustration alone won’t win a TCPA case; you need solid evidence.
The takeaway? If you bring a TCPA claim, you better come with receipts—because courts aren’t letting cases slide on vague allegations. As the saying goes, if you have the facts on your side, pound the facts; if you have the law on your side, pound the law; but if you have neither, pound the table. Plaintiff tried to pound the table, but the Court wasn’t listening. Will Plaintiff get it right the second time around? We’ll see. Until then, let this be a reminder that when it comes to ATDS lawsuits or any lawsuit for that matter, the details make or break your case.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
Luxembourg Modernises the Custody Chain to Accommodate Blockchain Technology
On 31 December 2024, the Luxembourg law of 20 December 2024 amending the existing legislative framework on dematerialised securities (Blockchain IV Act) entered into force. As background, dematerialization of securities occurs with the move from physical stock certificates to electronic bookkeeping. When this occurs, actual stock certificates are removed and retired from circulation in exchange for the electronic recording. Securities are then transferred between securities accounts by book transfer.
While Luxembourg’s existing framework covered some preexisting technologies, the primary focus of the amendments made by the Blockchain IV Act is to integrate new technologies, particularly distributed ledger technology (DLT), into the financial sector to enhance legal security and operational efficiency.
The Blockchain IV Act introduces the concept of a “control agent”, an entity that can manage the issuance of dematerialized securities using DLT, providing an alternative to the existing (traditional) model that relies on a central account keeper and a custody chain. The control agent’s role includes maintaining the issuance account, monitoring the chain of custody of dematerialized securities (while the actual securities accounts can be held with different custodians without any custody relationship with the control agent), and ensuring the reconciliation of issued securities with those held in accounts with the relevant custodians. By contrast, the traditional central account keeper maintains the issuance account and sits at the top of the custody chain.
This new model is optional for issuers and aims to provide more flexibility, security, and transparency for both issuers and investors. The amendments also seek to strengthen Luxembourg’s position as a leading financial centre in the European Union (EU) for the use of DLT in unlisted debt and equity securities issuances. Beginning in 2019, Luxembourg has made a series of changes to the existing legal framework, making available the use of DLT in connection with financial instruments and recognising financial instruments issued using DLT in a growing number of fields as equivalent to traditional financial instruments.
Any credit institution (such as a chartered bank) or investment firm established in Luxembourg or any other EU member state, as well as operators of a Luxembourg security settlement system are eligible to serve as a control agent. The Luxembourg financial sector supervisory authority has been tasked with overseeing the compliance of control agents with the new legal requirements. Overall, the Blockchain IV Act aims to modernize the legal framework for securities in Luxembourg by leveraging DLT and other technological advancements, thereby enhancing the competitiveness and attractiveness of the financial sector while ensuring robust legal protections for market participants.
Tanner Wonnacott also contributed to this article.
RETURN TO NORMALCY: Choice Home Warranty Stuck in TCPA Class Action and it Feels Like Home
In Bradshaw v. CHW Group, 2025 WL 306783 (D.N.J. Jan. 24, 2025), Choice Home Warranty moved to dismiss a complaint leveraging a bunch of weak arguments that seemed doomed to failure–and they were!
First, Defendant argued Plaintiff didn’t allege it called her cell phone. But, of course it did. The Complaint alleged a discussion with the Defendant and then receipt of a call from a person who identified herself as working for Defendant. Yeah that’s… pretty clear. Especially at the pleadings stage when a Court has to assume the Plaintiff is telling the truth.
Next, Defendant claims the calls were not prerecorded. But the message sounded robotic, was a general message and–my goodness–the recording started mid-sentence on the voicemail. Yeah, that argument’s a loser. The Court found the allegations of prerecorded voice usage sufficient.
Third, Defendant argued Plaintiff failed to allege the calls were made without consent. Yet Plaintiff alleged he asked Defendant to stop calling repeatedly. So not sure why Choice Home Warranty thought that doesn’t qualify as revoking any consent that was present– indeed, the fact that its lawyers would even make that argument almost concedes their client wasn’t following the DNC rules. Eesh.
Speaking of which, the allegations here were particularly egregious such that the Court inferred the Defendant didn’t even have an internal DNC policy. Ouch.
The Court also issued a perfunctory denial of the motion to strike that came along with the motion to dismiss.
So there you go, a complete and total rejection of Choice Home Warranty’s pleadings motions– and there’s nothing here that even remotely had a chance as far as I could tell. Not sure what they were thinking. But we move on.
MAKE OUR PHONES GREAT AGAIN: R.E.A.C.H. Files Critical Petition Asking FCC to End Rampant Call/SMS Blocking, Labeling, and Registration Abuses by Wireless Carriers and their Partners
Well folks, it’s time to save the telecom world (again).
With the distraction of one-to-one finally behind everybody we can now focus on the real battle– the blatant censorship and defamation being carried out every day by the nation’s wireless carriers and their cohort of aggregator chums.
People are rightly waking up to the abuses of content-monitoring on social media networks but they remain largely blind to the far-more insidious censorship taking place on the most critical “social” network of all– the nation’s telephone system.
For years now the wireless carriers in this nation–banding together to form a cartel-like organization known as the CTIA–have dictated what Americans are allowed to say to each other over the phone and how they are allowed to communicate.
They have blocked billions of constitutionally-protected and perfectly legal calls/texts simply because they did not like the content of those calls– because they used certain “banned” words like “free” or “debt.”
They have served as judge, jury, and executioner of speech day in, day out.
And the worst part– the vast majority of Americans don’t even know it’s happening.
Oh sure they may have detected it here and there. Where was that reminder the company said it was going to send out? I know I needed to submit another loan document but I was supposed to receive a text? I thought I had a payment due, but the link for credit card never came through?
Most Americans assume these unfortunate everyday occurrences are just glitches. Network traffic jams or misdirected communications.
No. The truth is far worse.
Messages such as these are commonly blocked or delayed specifically based upon their content– a real-time censorship regime of the highest order operating right beneath our noses.
The carriers answer to no one. The FCC has never provided guidelines in terms of what can be blocked and what can’t be. All that carriers know now is they can use “reasonable analytics” to block “unwanted calls.”
But what does that even mean?
It’s time for the FCC to answer that and give the carriers CLEAR rules of the road for the sorts of calls and texts they can block and what they CANNOT. Specifically, R.E.A.C.H. this morning has asked the FCC to clarify the following:
Clarify and confirm no member of the U.S. telecommunication ecosystem (including the wireless carriers and parties with whom they are in contractual privity) may block, throttle, or limit calls or text, MMS, RCS, SMS or other communications to telephone numbers on the basis of content;
Clarify and confirm no member of the U.S. telecom ecosystem (including the wireless carriers and parties with whom they are in contractual privity) may block, throttle, or limit calls or text, MMS, RCS, SMS or other communications to telephone numbers that were sent consistent with the TCPA’s statutory text and applicable regulation; and
Clarify and confirm any blocking, throttling, or limiting of calls or texts on the basis of content or any blocking, throttling, or limiting of calls or texts that were initiated consistent with the TCPA’s text and any applicable Commission’s rules is presumptively “unreasonable” under the Communications Act.
But call blocking is only half of the problem.
The wireless networks are also talking trash about callers behind their backs.
They label callers “scam” or “spam” or even “likely fraud” many times with ZERO actual indication the call is improper or illegal. I have heard stories of people missing calls from schools, friends, lawyers– even the police!–due to the INSANE mislabeling of callers taking place right now.
And the worst part?
The carriers are likely intentionally over-labeling to drive companies to use their “solutions”– white-label branded caller ID products that make the carriers millions in ill-gotten revenue.
It’s terrible.
Many businesses won’t play the carriers’ little protection-money game so they turn to buying massive quantities of phone numbers to cycle through when one gets mislabeled. The carriers don’t like that and try to stop the practice to make sure they can maximize profits– but it’s only a natural response to the insane mislabeling practices exercised by the carriers themselves.
We need to put a stop to ALL of this.
As such R.E.A.C.H. is also asking the FCC today to prevent any labeling of legal calls. PERIOD.
Last– the biggest problem of all.
TCR– the Campaign Registry.
Every single business and political campaign in the nation that wishes to use a regular phone number to send high-volume text messages has to jump through the shifting and uncertain hoops presented by something called the TCR. Registration requires various disclosures of the types of messages to be sent, content, lists, practices, plans, etc.
A complete blueprint of every SMS program in America.
And guess what?
TCR’s parent is foreign owned.
*head exploding emoji*
Why in the world America would deliver a ready-made model of every SMS strategy deployed by every American business into the hands of a foreign company whose practices cannot be tracked and data footprint cannot be traced is a question beyond answer. It is entirely insane–especially when we consider political content is also disclosed.
WHAT ARE WE THINKING?
If TikTok is a threat to America, TCR is triple the threat.
R.E.A.C.H. asks the FCC to look into TCR and evaluate shutting down the entire campaign registration process or, alternatively, requiring the registry to be sold to an American-owned business.
Rather obviously these three asks– stopping call/text blocking, mislabeling, and a registration process that is a threat to national security– are the most important changes needed to preserve and protect our nation’s critical telecommunications infrastructure.
R.E.A.C.H., as an organization, is proud to be the vehicle behind this absolutely necessary movement. But we need your help!
When the FCC issues a notice of public comment we can expect the wireless carriers to fight tooth and nail in a short-sighted effort to preserve the current mess–truthfully, while carriers profit now they stand to lose everything in the long term by these errant practices as businesses move away from the PSTN altogether and toward OTT services– but we need YOUR help to assure the right movement is taken by the Commission on these items.
We will provide much more information over time. But for now begin cataloging all the ways the current SMS/call-blocking/labeling/registration paradigm is crippling consumers and your businesses.
Let’s put an end to censorship. An end to wide-scale defamation. An end to foreign companies snooping through our SMS practices.
Let’s get smart America.
And let’s save our damn telephone network.
Read the full petition here: REACH Petition to Save the World