NEW HAMPSHIRE DEEPFAKE SCANDAL TCPA LAWSUIT: Court Refuses To Dismiss Claims Against Platforms That Allegedly Aided In Sending The AI/Deepfake Calls Impersonating President Biden
Hi TCPAWorld! Remember last year when that political consultant from Texas hired the New Orleans magician to sound like Joe Biden in order to make calls using AI technology to New Hampshire voters in an attempt to convince them not to vote?
Well, that saga continues!
So for some background here, Steve Kramer, a political consultant, used AI technology to create a deepfake recording of President Joe Biden’s voice. Days before the New Hampshire primary, nearly 10,000 voters received a call in which the AI voice falsely suggested that voting in the primary would harm Democratic efforts in the general election. To further the deception, Kramer spoofed the caller ID to display the phone number of Kathleen Sullivan, a well-known Democratic leader. Voice Broadcasting Corporation and Life Corporation enabled the call campaign, providing the technology and infrastructure necessary to deliver the calls.
Steve Kramer, Voice Broadcasting Corporation, and Life Corporation in the US District Court of New Hampshire were sued on March 14, 2024, for violations of the TCPA (as well as violations of the Voting Rights Act of 1965 and New Hampshire statutes regulating political advertising) by the League of Women Voters of the United States, the League of Women Voters of New Hampshire, and three individuals who received those calls. League of Women Voters of New Hampshire et al v. Steve Kramer et al, No. 24-CV-73-SM-TSM.
Broadcasting Corporation and Life Corporation filed a motion to dismiss arguing 1) they did not “initiate” the at-issue calls and 2) these calls did not violate the TCPA because they were “’political campaign-related calls,’ which are permitted when made to landlines, even without the recipient’s prior consent.”
The court denied their motion on 3/26/25 finding that the plaintiffs adequately alleged a plausible claim for relief under the TCPA. League of Women Voters of New Hampshire et al v. Steve Kramer et al, No. 24-CV-73-SM-TSM, 2025 WL 919897 (D.N.H. Mar. 26, 2025).
The TCPA makes it unlawful “to initiate any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party.” While the TCPA does not specifically define what it means to “initiate” a call, the FCC has established clear guidance. According to In the Matter of the Joint Petition filed by Dish Network, Federal Communications Commission Declaratory Ruling, 2013 WL 1934349 at para. 26 (May 9, 2013), a party “initiates” a call if it takes the steps necessary to physically place it or is so involved in the process that it should be deemed responsible.
In this case, the court assumed, without deciding, that neither Voice Broadcasting nor Life Corporation physically placed the calls. But that didn’t absolve them. The court turned to the totality of the circumstances to determine whether the companies were sufficiently involved to bear liability.
The allegations were that Voice Broadcasting didn’t merely act as a passive service provider. Instead, it actively collaborated with Kramer to refine the message and even suggested adding a false opt-out mechanism that directed recipients to call Kathleen Sullivan’s personal phone number. Life Corporation, in turn, allegedly facilitated the delivery of thousands of the calls using its telecommunications infrastructure. The court found that these facts were more than enough to justify holding the companies accountable under the TCPA.
Quoting the FCC’s guidance, the court explained that companies providing calling platforms cannot simply “blame their customers” for illegal conduct. Liability attaches to those who “knowingly allow” their systems to be used for unlawful purposes. Voice Broadcasting and Life Corporation had the means to prevent the deepfake calls— but they didn’t. As the court explained, “Even if one were to assume that neither Voice Broadcasting nor Life Corp. actually ‘initiated’ the Deepfake Robocalls, they might still be liable for TCPA violations, depending upon their knowledge of, and involvement in, the scheme to make those illegal calls.”
As for the defendants’ second argument, that the calls were political and therefore exempt from the TCPA’s consent requirements, the court acknowledged that political campaign calls using regulated technology, such as the AI-voice technology used in the alleged calls, to landlines are generally permissible, even without prior express consent. However, this exemption is not a free pass. The calls must comply with other key provisions of the TCPA, including the requirement to provide a functional opt-out mechanism.
Here, instead of providing a legitimate way for recipients to opt-out, the alleged calls instructed the recipients to call Kathleen Sullivan’s personal phone number. This sham opt-out mechanism not only failed to meet TCPA standards but also contributed to the deception. The court had no trouble rejecting the claim that this constituted compliance: “Little more need be said other than to note that such an opt-out mechanism plainly fails to comply with the governing regulations and is not, as defendants suggest, ‘adequate.’”
And in case you are all wondering about Mr. Kramer himself, a default was entered against Kramer on 8/29/24.
The entire story behind these calls has been something to watch. This is definitely a case to keep an eye on!
Federal Regulators Continue Crypto Rationalization
Following President Trump’s Executive Order on Digital Assets, which instructed agencies to streamline and rationalize regulation of the digital asset space in a way that is technology-neutral, federal agencies have been responding. Below we summarize recent activities by the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and Commodity Futures Trading Commission (CFTC).
On March 7, 2025, the OCC, which supervises national banks, issued Interpretive Letter 1183 regarding Certain Crypto-Asset Activities for national banks. IL 1183 withdraws several previous interpretive letters that limited national banks’ ability to engage in various crypto-asset activities. Instead, the OCC sought to “ensure that bank activities will be treated consistently, regardless of the underlying technology.”
On March 28, the FDIC took similar action and issued Financial Institution Letter 7-2025 to establish a process for banks engaging in crypto-related assets. FIL 7-2025 replaces prior guidance, FIL 16-2022, and affirms that FDIC-supervised institutions may engage in permissible activities, including activities involving new and emerging technologies such as crypto-assets and digital assets, provided that they adequately manage the associated risks. In contrast to FIL-16-2022, which established a prior notification requirement specific to crypto-related activities, FIL 7-2025 clarifies that FDIC-supervised institutions may engage in certain permissible crypto-related activities without receiving prior FDIC approval.
Also on March 28, the CFTC staff announced the withdrawal of its prior staff advisory entitled Review of Risks Associated With Expansion of DCO Clearing of Digital Assets. In withdrawing the prior guidance, the CFTC staff noted that its regulatory treatment of digital asset derivatives does not vary from its treatment of other products. Instead, the staff conducts its supervision of clearing activities and oversight of compliance with the Commodity Exchange Act and Commission regulations regardless of the specific commodity underlying relevant contracts.
Legal AI Unfiltered: Legal Tech Execs Speak on Privacy and Security
With increasing generative AI adoption across the legal profession, prioritizing robust security and privacy measures is critical. Before using any generative AI tool, lawyers must fully understand the underlying technology, beginning with thorough due diligence of legal tech vendors.
In July 2024, the American Bar Association issued Formal Opinion 512, which provides some guidance on the proper review and use of generative AI in legal practice. The opinion underscores some of the ABA Model Rules of Professional Conduct that are implicated by lawyers’ use of generative AI tools. This includes the duty to deliver to competent representation, keep client information confidential, communicate generative AI use to clients, properly supervise subordinates in their use of generative AI, and to only charge reasonable fees.
Even before deploying generative AI tools, however, lawyers must understand a vendor’s practices. This includes verifying vendor credentials and fully reviewing policies related to data storage and confidentiality.
According to Formal Opinion 512, “all lawyers should read and understand the Terms of Use, privacy policy, and related contractual terms and policies of any GAI tool they use to learn who has access to the information that the lawyer inputs into the tool or consult with a colleague or external expert who has read and analyzed those terms and policies.” Lawyers may also need to consult IT and cybersecurity professionals to understand terminology and assess any potential risks.
In practice, this means carefully reviewing vendor contract terms related to a vendor’s limitation of liability, understanding if a vendor’s tool “trains” on your client’s data, assessing data retention policies (before, during, and after using the tool), and identifying appropriate notification requirements in the event of a data breach.
To further explore these ethical guidelines in practice, we spoke with legal technology executives about the security and privacy measures they implement, as well as best practices for lawyers when evaluating and vetting legal tech vendors.
What security measures do you take to protect client data?
Troy Doucet, Founder @ AI.Law
Enterprise-expected security measures including SOCII, HIPAA, and robust encryption at rest and in transit for data. We also follow ABA guidance on AI, including confidentiality, not training our models on our users’ data, and making it clear that we do not own the data users input.
Jordan Domash, Founder & CEO @ Responsiv
The foundation must be traditional security and privacy controls that have always been important an enterprise software. On top of that, we’ve built a de-identification process to strip out PII and corporate identifiable content before processing by an LLM. We also have a commitment to not have access to or train on client questions and content.
Michael Grupp, CEO & Co-founder @ BRYTER
We have an entire team focused on security and compliance so the answer is of course, all of them: SOC 2 Type II, ISO27001, GDPR, CCPA, EU AI Act etc. And, BRYTER does not use client data to develop, train or fine-tune the AI models we use.
Gil Banyas, Co-Founder & COO @ Chamelio
Chamelio safeguards client data through industry-standard encryption, SOC 2 Type II certified security controls, and strict access management with multi-factor authentication. We maintain zero data retention arrangements with third-party LLMs and employ continuous security monitoring with ML-based anomaly detection. Our comprehensive security framework ensures data remains protected throughout its entire lifecycle.
Khalil Zlaoui, Founder & CEO @ CaseBlink
Client data is encrypted in transit and at rest, and is not used to train AI models. We enforce a strict zero data retention policy – no user data is stored after processing. A SOC 2 audit is nearing completion to certify that our security and data handling practices meet industry standards, and customers can request permanent deletion of their data at any time.
Dorna Moini, CEO & Founder @ Gavel
Gavel was built for legal documents, so our security standards exceed those typical of software platforms. We use end-to-end encryption, private AI environments, and enterprise-grade access controls—backed by SOC II databases and third-party audits. Client data is never used for training, and our retention policies give firms full control, ensuring compliance and peace of mind.
Ted Theodoropoulos, CEO @ Infodash
Infodash is built on Microsoft 365 and Azure and deployed directly into each customer’s own tenant, which means we host no client data whatsoever. This unique architecture ensures that law firms always maintain full control over their data. Microsoft’s enterprise-grade security includes encryption at rest and in transit, identity management via Azure Active Directory, and compliance with certifications like ISO/IEC 27001 and SOC 2.
Jenna Earnshaw, Co-Founder & COO @ Wisedocs
Wisedocs uses services that implement strict access controls, including role-based access control (RBAC), multi-factor authentication (MFA), and regular security audits to prevent unauthorized access to your data. Our organization employs configurable data retention policies as agreed upon with our clients. Wisedocs has achieved our Soc 2 Type 2 attestation, as well as established information security and privacy program in accordance with SOC 2, HIPPA, PIPEDA, PHIPA, as well as annual risk assessments and continual vulnerability scans.
Daniel Lewis, CEO @ LegalOn
Security and privacy are top priorities for us. We are SOC 2 Type II, GDPR, and CCPA compliant, follow industry-standard encryption protocols, and use state-of-the-art infrastructure and practices to ensure customer data is secure and private.
Gila Hayat, CTO & Co-Founder @ Darrow
Darrow is working mostly on the open web realm, utilizing as much as publicly available data as possible, surfacing potential matters from the open web. Our clients confidentiality and privacy is a must, therefore we adhere to security standards and regulations, and collect minimal data as possible to maintain trust. We take client confidentiality and privacy very seriously.
Sigge Labor, CTO & Co-Founder @ Legora | Jonathan Williams, Head of France @ Legora
We exclusively use reputable, secure providers and AI models that never store or log data, with no human review or monitoring permitted. All vendors are contractually bound to ensure data is never retained or used for training in any form. This, in combination with ISMS certifications and adherence to industry standards, ensures robust data security and privacy.
Gary Sangha, CEO @ LexCheck Inc.
We are SOC 2 compliant and follow rigorous cybersecurity standards to ensure client data is protected. Our AI tools do not retain any personally identifiable information (PII), and all data processing is handled securely within Microsoft Word, leveraging Azure’s built-in data protection. This ensures client data remains encrypted, confidential, and under the highest level of enterprise-grade security.
Tom Martin, CEO & Founder @ Lawdroid
As a lawyer myself, I understand the fiduciary responsibility we have to handle our client data responsibly. At LawDroid, we use bank-grade data encryption, do not train on your data, and provide you with fine grain control over how long your data is retained. We also just implemented browser-side masking of personally identifiable information to prevent it from ever being seen.
Lawyers are very concerned about data privacy. What would you tell a lawyer who doesn’t use legal-specific AI tools due to privacy concerns?
Troy Doucet, Founder @ AI.Law
You have control over what you input into AI, so do not input data that you do not feel comfortable inputting. AI products vary in their functionality too, meaning different levels of concern. For example, asking AI about the difference between issue and claim preclusion is a low-risk event, versus mentioning where Jonny buried mom and dad in the woods.
Jordan Domash, Founder & CEO @ Responsiv
You’re right to be skeptical and critically consider a vendor before giving them confidential or privileged information! The risk is vendor-specific – not with the category. The right vendor designs the platform with robust data privacy measures in mind.
Michael Grupp, CEO & Co-founder @ BRYTER
We have been working with the biggest law firms and corporates for years, and we know that trust is earned, not given. This means that first, we try to be over-compliant – so this means agreements with providers to protect attorney-client privilege. Second, we make compliance transparent. Third, we provide references to those who are already advanced in the journey.
Gil Banyas, Co-Founder & COO @ Chamelio
Adopting new technology inevitably involves some privacy trade-offs compared to staying offline, but this calculated risk enables lawyers to leverage significant competitive advantages that AI offers to legal practice. Finding the right risk-reward balance means embracing innovation responsibly by selecting vendors who prioritize security, maintain zero data retention policies, and understand legal confidentiality requirements. Success comes from implementing AI tools strategically with appropriate safeguards rather than avoiding valuable technology that competitors are already using to enhance client service.
Khalil Zlaoui, Founder & CEO @ CaseBlink
Not all AI tools treat data the same, and legal-specific platforms like ours are built with strict safeguards and guardrails. Data is never used to train models, and everything is encrypted, access-controlled, and siloed. Only clients can access their own data. They retain full ownership and control at all times, with the ability to keep information private even across internal teams.
Dorna Moini, CEO & Founder @ Gavel
With consumer AI tools, your data may be stored, analyzed, or even used to train models—often without clear safeguards. Professional-grade and legal-specific tools like Gavel are built with attorney-client confidentiality at the core: no data sharing, no training on your client data inputs, and full control over retention. Avoiding AI entirely isn’t safer—it’s just riskier with the wrong tools (and that’s not specific to AI!).
Ted Theodoropoulos, CEO @ Infodash
Legal-specific platforms like Infodash are purpose-built with confidentiality at the core, unlike general-purpose consumer AI tools. These solutions are built with the privacy requirements of legal teams in mind. With new competitors like KPMG entering the market, delaying AI adoption poses a real competitive risk for firms.
Jenna Earnshaw, Co-Founder & COO @ Wisedocs
Legal-specific AI tools are designed to be both secure and transparent, helping legal professionals understand and trust how AI processes their data while maintaining strict privacy controls. With human-in-the-loop (HITL) oversight, AI becomes a tool for efficiency rather than a risk, ensuring that outputs are accurate and reliable. By adopting AI solutions that follow strict security protocols such as SOC 2 Type 2, HIPAA, PIPEDA, and PHIPA compliance standards, legal teams can confidently leverage technology while maintaining control over their data through role-based access control (RBAC), multi-factor authentication (MFA), and configurable data retention policies.
Daniel Lewis, CEO @ LegalOn
Ask questions about how your data may be used — will it touch generative AI (where, without the right protections, your content could display to others), or non-generative AI? If it’s being processed by LLMs like OpenAI, understand whether your data is being used to train those models and if it’s being used in non-generative AI use cases, understand how. The use of your data might make the product you use better, so consider the risk/benefit trade-offs.
Gila Hayat, CTO & Co-Founder @ Darrow
Pro-tip for privacy preservation and worry-free experimentation with various AI tools: Have a non-sensitive or redacted document or use-case ready that you know the answers that you wouldn’t expect – and benchmark the various tools against it to have a fair comparison and no stress over leaking random work documents.
Sigge Labor, CTO & Co-Founder @ Legora | Jonathan Williams, Head of France @ Legora
Make sure to use a trusted vendor where no model training or fine-tuning is happening on client input.
Gary Sangha, CEO @ LexCheck Inc.
Lawyers should first understand what information they are actually sharing when using legal specific AI tools, often it is not personally identifiable information or sensitive client data. In many cases, you are not disclosing anything subject to confidentiality, especially when working with redlined drafts or standard contract language. That said, if you are sharing sensitive information, it is important to review your firm’s protocols, but depending on what you are sharing, it may not be a concern.
Tom Martin, CEO & Founder @ Lawdroid
Lawyers should be concerned about data privacy. But, steering away from legal-specific AI tools due to privacy concerns would be a mistake. If anything, legal AI vendors take greater security precautions than consumer-facing tools, given our exacting customer base: lawyers.
For security and privacy purposes, what should lawyers and law firms know about a legal AI vendor before using their product?
Troy Doucet, Founder @ AI.Law
Knowing what they do to protect data, how they use your data, certifications they have, and encryption efforts are smart. However, knowing what your privacy and security needs are before using the product is probably the best first step.
Jordan Domash, Founder & CEO @ Responsiv
I’d start with a traditional security and privacy review process like you’d run for any enterprise software platform. On top of that, I’d ask: Do they train on your data? Do they have access to your data? What is your data retention policy?
Michael Grupp, CEO & Co-founder @ BRYTER
Even the early-adopters and fast-paced firms ask their vendors three questions: Where is the client data stored? Do you use the firm’s data, or client data, to train or fine-tune your models? How is legal privilege protected?
Gil Banyas, Co-Founder & COO @ Chamelio
Before adopting legal AI tools, lawyers should verify the vendor has strong data encryption, clear retention policies, and SOC 2 compliance or similar third-party security certifications. They should understand how client data flows through the system, whether information is stored or used for model training, and if data sharing with third parties occurs. Additionally, they should confirm the vendor maintains appropriate legal expertise to understand attorney-client privilege implications and offers clear documentation of privacy controls that align with relevant bar association guidance.
Dorna Moini, CEO & Founder @ Gavel
I did a post on what to ask your vendors here: https://www.instagram.com/p/C9h5jVYK5Zc/. Lawyers need clear answers on what happens to their data and how it’s being used. When choosing a vendor, it’s also important to understand output accuracy and the AI product roadmap as it relates to legal work – you are engaging in a marriage to a software company you know will continue to improve for your purposes.
Ted Theodoropoulos, CEO @ Infodash
Firms should ask where and how data is stored, whether it’s isolated by client, and if it’s used for training. Look for vendors that run on secure environments like Microsoft Azure and support customer-managed encryption keys. Transparency around data flows and integration with existing infrastructure is essential.
Jenna Earnshaw, Co-Founder & COO @ Wisedocs
Lawyers and law firms should ensure that any legal AI vendor follows strict security protocols, such as SOC 2 Type 2, HIPAA, PIPEDA, and PHIPA compliance, along with role-based access control (RBAC), multi-factor authentication (MFA), and regular security audits to protect sensitive legal data. They should ensure the AI vendor is not using third party models or sharing data with AI model providers and the deployment of their AI is secure and limited. Additionally, firms should assess whether the AI system includes human-in-the-loop (HITL) oversight to mitigate hallucinations and organizational risks, ensuring accuracy and reliability in legal workflows.
Gila Hayat, CTO & Co-Founder @ Darrow
When choosing a legal AI vendor, it’s important to make sure it follows top-tier security standards and has a solid track record when it comes to protecting data.Don’t forget the contract: make sure it includes strong confidentiality terms so your clients’ data stays protected and compliant. Trusting the human and knowing the team: the legal tech scene is tight and personal, hop on a call with one of the team members to make sure you’re doing business with a trustworthy partner.
Sigge Labor, CTO & Co-Founder @ Legora | Jonathan Williams, Head of France @ Legora
You should understand whether a vendor’s AI models are trained on user data, this is a critical distinction. Vendors that fine-tune or improve their models using client input may pose significant privacy risks, especially if sensitive information is involved. It’s important to evaluate whether specially trained or fine-tuned models offer enough added value to justify the potential trade-off in privacy.
Gary Sangha, CEO @ LexCheck Inc.
Lawyers and law firms should understand what information they are sharing through the AI tool, as it is often personally identifiable information or subject to confidentiality. They should confirm whether the vendor is compliant with frameworks like SOC-2 which ensures rigorous controls for data protection and ensure that data is encrypted and securely processed. Reviewing how the tool handles data protection helps ensure it aligns with the firm’s security and privacy policies.
Tom Martin, CEO & Founder @ Lawdroid
Lawyers need to ask questions: 1) Do you employ encryption? 2) Do you train on data I submit to you? 3) Do you take precautions to mask PII? 4) Can I control how long the data is retained?
By carefully evaluating security credentials, vendor practices, and model usage policies, lawyers can responsibility and confidently employ generative AI tools to improve their delivery of legal services. As these technologies evolve, best practices for security and implementation will also evolve, making it important for lawyers to continue following industry updates and new best practices.
New Guidelines Establishing the Requirements and Procedures That Must Be Observed to Obtain Permission to Advertise Prepackaged Food and Non-Alcoholic Beverages
Following our newsletter dated March 31, 2020 “The new Mexican Official Standard for the labelling of pre-packaged food and non-alcoholic beverages” and other newsletters regarding labelling of products, after five years of the publication of this Mexican Official Standard, on March 11, 2025, the Guidelines regarding advertising of prepackaged food and non-alcoholic beverages were published in the Official Gazette and entered into force on March 12, 2025.
These Guidelines appear to now restrict the advertising of these types of products, imposing advertisers, advertising agencies and media, the obligation to obtain a permit/approval for advertising the products on open television, restricted television, movie theaters, internet and other digital platforms.
Any product is subject to approval by the Federal Comision Against Sanitary Risks (COFEPRIS) when their label includes one or more warning seals of the front labeling system.
The main restrictions, among others, are the following:
It is forbidden to use animated characters, pets or interactive games directed at children to promote the consumption of the products.
To compare the products with natural ones.
To compare with similar products regarding their composition or nutritional contents.
To suggest physical or intellectual abilities from its consumption.
To promote excessive consumption of the product.
To suggest that the products may modify body proportions.
The requirements for obtaining the permit/approval to advertise the products are to fill in a format, pay government fees and attach the “operation notice” (authorization) of the product.
Once submitted the application, COFEPRIS has a term of 20 working days to approve the advertisement and/or 10 days to issue a requirement. Applicant has a term of 5 days to reply or else, the approval will be dismissed.
Although, we consider all these requirements to be an unnecessary burden to the industry, this Guidelines provide definitions of terms such as, “pets”, “celebrities”, “children’s characters”, “digital downloads”, “cartoons” and “indirect advertising”, that were missing in the Mexican Official Standard for the labelling of pre-packaged food and non-alcoholic beverages.
Tick-Tock, Don’t Get Caught: Navigating TCPA’s Quiet Hours
In recent months, businesses across various industries have been hit with a wave of lawsuits targeting alleged violations of the Telephone Consumer Protection Act’s (“TCPA”) call time rules. Plaintiffs are increasingly claiming that text messages, often sent just minutes outside the allowable hours, violate the Federal Communication Commission’s (“FCC”) rules and entitle them to substantial compensation. These lawsuits are creating challenges for businesses that rely on telemarketing and short message service (“SMS”) programs, even when they have received prior consent from their customers.
Understanding the TCPA’s Statutory and Regulatory Framework
The TCPA, enacted in 1991, was designed to protect consumers from unwanted telemarketing calls. Over time, its reach has expanded to cover text messages, making businesses that engage in text message marketing campaigns subject to compliance. One key area of regulation is the TCPA’s call time rules, found in the Do-Not-Call (“DNC”) regulations issued by the FCC. These rules prohibit telephone solicitations to residential subscribers before 8:00 AM or after 9:00 PM local time at the called party’s location.
Under the TCPA, a “telephone solicitation” is defined as a call or message made for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services. Importantly, the statute and regulations carve out several exceptions, including for calls or messages made to individuals who have given prior express consent to be contacted.
The penalties for violating the TCPA can be severe. Violations can result in statutory damages ranging from $500 to $1,500 per call or message, depending on whether the violation was willful. These potential damages create significant exposure for businesses that rely on telemarketing or SMS outreach, particularly when multiple calls or messages are at issue.
Recent Wave of Lawsuits and Why the Claims Are Unmeritorious
Despite the FCC’s long-standing guidance and the clear statutory language regarding consent, plaintiffs have increasingly filed lawsuits alleging that text messages sent outside the 8:00 AM – 9:00 PM window violate the TCPA’s call time restrictions. Many of these lawsuits focus on minor deviations from the permissible time window, such as texts sent just minutes before 8:00 AM or shortly after 9:00 PM.
What makes these lawsuits particularly problematic is that in many cases, the plaintiffs had previously opted into the SMS programs and expressly consented to receive marketing messages. Under the plain language of the TCPA and FCC regulations, such consent removes the text message from the definition of a “telephone solicitation” and, by extension, exempts it from the call time restrictions. This means that businesses with valid consent should not be subject to these lawsuits.
However, plaintiffs are exploiting the uncertainty created by the lack of clear FCC guidance on whether the call time rules apply to text messages where consent has been provided. They argue that, regardless of consent, any text message sent outside the permissible hours violates the TCPA, leaving businesses vulnerable to litigation and potential class action exposure.
The FCC Petition for Declaratory Ruling
In response to this growing litigation trend, an industry group recently filed a petition with the FCC, seeking a declaratory ruling that the TCPA’s call time restrictions do not apply to text messages sent to individuals who have given prior express consent. The petition highlights the plain language of the statute and regulations, arguing that consent should exempt businesses from the call time rules and shield them from the growing number of predatory lawsuits.
The petition also requests clarification or waiver of the rule requiring knowledge of the recipient’s location for compliance, arguing that current standards are unworkable and lead to abusive litigation practices. The petitioners emphasize that the TCPA’s unique combination of strict liability, statutory damages, and private right of action make it ripe for lawsuit abuse, with opportunistic litigators targeting legitimate businesses.
While this petition represents a positive step towards clarifying the law, the FCC’s rulemaking process can be lengthy. In the meantime, businesses must continue to operate in a landscape where uncertainty about the applicability of the call time rules remains. It could be months, if not longer, before the FCC issues a ruling, and during this time, we expect plaintiffs’ attorneys to continue targeting businesses with TCPA lawsuits.
Recommendations for Reducing Risk
Until the FCC provides clear guidance on the issue, businesses should take proactive steps to mitigate the risk of being targeted by TCPA quiet hour lawsuits. Here are several recommendations to help ensure compliance and reduce exposure:
Observe Call Time Windows: Despite the legal uncertainties surrounding the applicability of the call time rules to text messages, businesses should err on the side of caution and adhere to the 8:00 AM – 9:00 PM window for sending marketing messages. This simple step can help reduce the likelihood of being sued.
Review and Update Consent Mechanisms: Businesses should review their SMS consent processes to ensure that they are obtaining clear and unambiguous consent from consumers. This includes updating terms and conditions to include disclosures about the potential timing of messages and ensuring that consumers understand the nature of the messages they will receive.
Implement Robust Compliance Procedures: Businesses should implement internal procedures to monitor the timing of their telemarketing and SMS campaigns. Consider using software that can automate the scheduling of messages.
Document Consent Thoroughly: If a lawsuit arises, being able to produce clear documentation that demonstrates a consumer’s consent to receive text messages will be critical in defending against the claim. Businesses should maintain detailed records of when and how consent was obtained.
Conclusion
The recent surge in TCPA lawsuits alleging violations of the call time restrictions highlights the need for businesses to stay informed and proactive in their compliance efforts. While we believe that many of these lawsuits are unmeritorious, businesses should still remain cautious. By observing the 8:00 AM – 9:00 PM call time window, reviewing consent mechanisms, and implementing strong compliance procedures, businesses can reduce their risk of being targeted by predatory lawsuits.
We will continue to monitor litigation in the courts and the FCC’s response to the pending petition, and provide updates as new developments arise. In the meantime, please reach out if you have any questions or need assistance in reviewing your telemarketing and SMS programs to ensure compliance with the TCPA.
MAKING SMART TCPA MOVES: Rocket Mortgage Follows Up Its Redfin Purchase With STUNNING $9.4BB Take Over of Mr. Cooper
So multiple outlets are reporting that Rocket is set to absorb the nation’s largest mortgage servicer Mr. Cooper.
With Rocket having just recently acquired Redfin it looks like the company is poised to be an absolute behemoth in the mortgage industry.
Just like with Redfin, however, the TCPA is likely driving this initiative.
Yes, mortgage servicing can be profitable in its own right but it is MASSIVELY valuable to an originator to have a large servicing pool.
Why?
Who is more likely to NEED mortgage or refinance than folks who already have a mortgage product? And with trigger leads now widely available (probably illegal under FCRA but don’t tell the CRAs that) having a massive servicing book means you can LEGALLY call folks who just submitted an application elsewhere and convince them to stay.
This is because the DNC rules will soon allow Rocket to call all of the MILLIONS of Mr. Cooper customers it just acquired WITHOUT CONSENT.
Pretty slick, eh?
So with Redfin providing consent on the front end and with access to a massive pool of mortgage customers now bolted on to the backend Rocket can make ready use of the phones to bring customers into its ecosystem–and keep them there.
Pretty clever. And it was all brought to you by the TCPA.
People think of the statute as a profit killer. But leveraged correctly it can actually drive profits by building a moat around your customers and a barrier-to-entry for others in your vertical.
Smart money uses the law as a competitive advantage. Nicely done Rocket.
Virginia Governor Recommends Amendments to Strengthen Children’s Social Media Bill
On March 24, 2025, Virginia Governor Glenn Youngkin asked the Virginia state legislature to strengthen the protections provided in a bill (S.B. 854) passed by the legislature earlier this month that imposes significant restrictions on minors’ social media use.
The bill would amend the Virginia Consumer Data Protection Act (“VCDPA”) to require social media platform operators to (1) use commercially reasonable methods (such as a neutral age screen) to determine whether a user is a minor under the age of 16; and (2) limit a minor’s use of the social media platform to one hour per day, unless a parent consents to increase the limit. The bill would prohibit social media platform operators from altering the quality or price of any social media service due to the law’s time use restrictions.
The Governor declined to sign the bill and recommended that the legislature make the following amendments to enhance the protections in the bill: (1) raise the covered user age from 16 to 18; and (2) require social media platform operators to, in addition to the time use limitations, also disable (a) infinite scroll features (other than music or video the user has prompted to play) and (b) auto-playing videos (i.e., where videos automatically begin playing when a user navigates to or scrolls through a social media platform), absent verifiable parental consent.
WHEN GOOGLE FOLLOWS YOU TO THE DMV: Where Consent Gets Lost in the Traffic
Happy CIPA Sunday! What feels like a routine online interaction with your state could be something else entirely. Imagine for a moment that you’re renewing your disability parking placard online. It’s another government form to fill out from the comfort of your home. You input your personal information, including sensitive details about your disability, and click submit. You don’t realize that an invisible digital hand may reach through your screen (figuratively speaking), quietly collecting your most sensitive personal information. Isn’t that a scary thought? This isn’t the plot of the new season of Black Mirror (or is it?); it’s the allegation at the center of Wilson v. Google L.L.C., No. 24-cv-03176-EKL, 2025 U.S. Dist. LEXIS 55629 (N.D. Cal. Mar. 25, 2025).
Here, Plaintiff was just trying to renew her disability parking placard through California’s “MyDMV” portal when she allegedly fell victim to what her lawsuit describes as Google’s secret data collection. According to the Opinion, Plaintiff provided the DMV with her personal information, including disability information,” only to later discover that Google secretly used Google Analytics and DoubleClick embedded on the DMV’s website when she renewed her disability parking placard to collect her personal information unlawfully. Like millions of Americans, Plaintiff trusted that her interaction with a government agency would remain private. This information, Plaintiff alleges, was then used to generate revenue for its advertising and marketing business. If proven true, Google essentially eavesdropped on what should have been a private interaction between a citizen and her state government.
The following legal issues reveal the complex landscape of privacy law in America. Pliantiff’s lawsuit hinges on two critical privacy laws. First, the Driver’s Privacy Protection Act (“DPPA”) is a federal law designed to prevent unauthorized disclosure of personal information from DMV records. Second, the California Invasion of Privacy Act (“CIPA”) protects against “the substantive intrusion that occurs when private communications are intercepted by someone who does not have the right to access them.” Campbell v. Facebook, Inc., 951 F.3d 1106, 1118 (9th Cir. 2020). Initially, these laws weren’t crafted with the advancement of digital technology in mind. However, they’re now legal shields designed for a different era and being tested against surveillance technologies. Together, these laws create a safety net meant to protect our personal information, but are they strong enough to catch Big Tech’s increasingly sophisticated data collection methods?
Google’s defense strategy is smart and calculated to exploit procedural technicalities rather than addressing the fundamental privacy questions at stake. Their first move was to argue that the California DMV was a “required party” under Fed. R. Civ. P. 19. They asserted the entire case should be dismissed since the DMV couldn’t be joined (due to sovereign immunity). It’s a clever technical legal argument that, had it succeeded, could have created a precedent for tech companies to evade privacy lawsuits involving government websites. Judge Eumi K. Lee wasn’t buying it, though. She rejected Google’s argument, finding that dismissing Plaintiff’s claims outright “would be draconian, particularly because Plaintiff seeks other relief too—including damages.” Wilson, 2025 U.S. Dist. LEXIS 55629, at *7. The Court rightfully distinguished the case from Downing v. Globe Direct L.L.C., 806 F. Supp. 2d 461 (D. Mass. 2011), noting that, unlike in Downing, where a vendor was explicitly contracted to include advertising, Plaintiff had alleged that Google encourages website operators—including the DMV—to use Google’s tools to obtain personal information that Google uses for its own advertising business.
Conversely, regarding Plaintiff’s DPPA claim, Google had more success. The Court focused on a technical but crucial question: Did Google obtain Plaintiff’s personal information from a motor vehicle record? The Ninth Circuit had previously ruled in Andrews v. Sirius XM Radio Inc. that the DPPA does not apply when “the initial source of personal information is a record in the possession of an individual, rather than a state DMV.” Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1260 (9th Cir. 2019). With this in mind, Judge Lee determined that because “the personal information that was allegedly transmitted to Google came from Plaintiff, it was not from a motor vehicle record.” Wilson, 2025 U.S. Dist. LEXIS 55629, at *11. This distinction creates a troubling loophole in privacy protection. Your data is protected when it sits in a DMV database, but it loses that protection when you’re transmitting it to the DMV. This is a seemingly minor distinction. Whether data was pulled from a DMV database or intercepted while being entered by a user made all the difference for Plaintiff’s DPPA claim, which was dismissed with leave to amend.
Isn’t this getting spicy? But here’s where the plot thickens. While Plaintiff’s DPPA claim stumbled, her state law claim under CIPA survived Google’s dismissal motion. Google had asserted it couldn’t be liable under CIPA because it was merely acting as a “vendor” for the DMV—an extension of the government website rather than a third-party eavesdropper. This is a fantastic assertion by Google’s defense team. Think of it as Google claiming to be the DMV’s trusted assistant rather than an uninvited guest at a private conversation. However, Judge Lee rejected this defense, noting that Plaintiff had sufficiently alleged that “Google intercepted and used her personal information for its own advertising services” and thus “did not act solely as an extension of the DMV.” Id. at *13. The Court further found that Plaintiff had adequately alleged Google acted “willfully” by detailing how Google “specifically designed” its tracking tools to gather information and “intentionally encourages” website operators to use its tools in ways that circumvent users’ privacy settings. Id. at *14. That kind of intentionality matters when pleading willfulness under CIPA.
In Google’s defense, Google tried to shield itself behind its terms of service, which allegedly prohibited websites from sharing personally identifiable information with Google. But Judge Lee noted that assertion created “a question of fact” that couldn’t be resolved at the pleading stage. Id. at *15. With this observation, the Court relied on Smith v. Google LLC, explaining that while “Google argues that judicially noticeable policy documents suggest that Google did not actually want to receive personally identifiable information and expressly prohibited developers from transmitting such data, this presents a question of fact that the Court cannot resolve at this stage.” Id. (quoting Smith v. Google, L.L.C., 735 F. Supp. 3d 1188, 1198 (N.D. Cal. 2024)). As a result, the message is clear…fine print in terms of service won’t necessarily provide legal cover for actual data collection practices if it occurs.
This case feels like déjà vu for privacy advocates because we’ve seen this before. Similar allegations were raised against LinkedIn in Jackson v. LinkedIn Corp., 744 F. Supp. 3d 986 (N.D. Cal. 2024). The parallels between these two cases are vastly similar, involving allegations that tech giants are harvesting sensitive data from DMV websites. Google even tried to use these similarities against Plaintiff, characterizing her allegations as “entirely boilerplate” and “almost identical to the same allegations” asserted against LinkedIn in the Jackson case. Wilson, 2025 U.S. Dist. LEXIS 55629, at *15. However, the Court rejected this argument too, noting that the similarity between the complaints does not render Plaintiff’s allegations conclusory, especially given that both cases challenge similar alleged conduct by two different advertising companies. Google tried to compare Byars v. Hot Topic, Inc., 656 F. Supp. 3d 1051 (C.D. Cal. 2023), where the Court criticized “copy-and-paste” privacy complaints filed in bulk. However, Judge Lee pushed back, emphasizing that, unlike in Byars, Plaintiff’s Complaint here includes “at least 48 paragraphs of detailed allegations specific to Google” and cannot be dismissed as generic boilerplate. Wilson, 2025 U.S. Dist. LEXIS 55629, at *16.
So what’s the takeaway? When you enter personal information into a government site, like renewing your vehicle registration or applying for a disability placard, it feels like a private exchange. But behind the screen, third-party tools might be collecting your data. It sounds like Black Mirror, but it’s essentially happening. It’s as if you’re filling out a paper form at the DMV counter, only to discover that a marketing executive is peering over your shoulder, taking notes on your personal information. The legal distinction between information stored in a government database and information you’re actively entering may seem arbitrary from a privacy perspective. But it creates a significant gap in legal protection.
As the case progresses, Plaintiff has been granted leave to amend her DPPA claim, and her CIPA claim will proceed. This case reminds us that data privacy isn’t just about keeping private things—well… private—it’s about controlling who knows what about us and how that information is used. With every click and keystroke, who else might be watching as you type?
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
Privacy and Data Security in Community Associations: Navigating Risks and Compliance
Privacy and data security laws govern how organizations collect, handle, and protect personally identifiable information (PII) to ensure it is properly processed and protected.
For community associations, this is especially important as these organizations often manage large amounts of PII of homeowners and residents (e.g., name, address, phone number, etc.), including certain categories of sensitive PII, such as financial details. With identity theft and various cyber scams on the rise, cybercriminals frequently target this type of data. Once this data is accessed, a threat actor can do anything it wants with the data. For instance: the threat actor can sell the PII to the highest bidder; encrypt the data and hold it for ransom, meaning that a community association can no longer access the information and potentially must pay large sums in order to get it back; or make a copy of the PII and then extort the community association to return or delete the data instead of releasing it publicly, among other malicious acts.
With these risks in mind, data security breaches have become a widespread concern, prompting legislative action. All fifty states now have laws requiring organizations to notify individuals if unauthorized access to PII occurs. These laws apply to community associations in North Carolina under North Carolina General Statute § 75-65. In order to avoid being involved in a data security breach, North Carolina community associations should prioritize taking steps to protect PII of their residents and homeowners.
While North Carolina does not offer specific statutory guidance for community associations regarding personal data handling, federal frameworks can help. The National Institute of Standards and Technology (NIST) has developed comprehensive privacy and cybersecurity guidelines. To view their resource and overview guide, visit this link. The NIST’s frameworks assist organizations in identifying the data they possess, protecting it, managing and governing it with clear internal rules, and responding to and recovering from data security incidents. To summarize some of the key steps necessary for a community association to protect its data, please see the list below.
Key Steps for Strengthening Privacy and Data Security
Keep Technology Updated. Community associations should prioritize keeping their systems, networks, and software up to date. Oftentimes, software updates include patches for security vulnerabilities that threat actors can exploit. As technology evolves, new threats emerge, and these software updates are designed to address these risks by closing security gaps. In addition, community associations should change passwords periodically and be sure that passwords are not universal among all systems and websites. If presented with the option, it is recommended to use multi-factor authentication on various log-in platforms. By using multi-factor authentication, there is an extra layer of security beyond a password that can be guessed, stolen, or compromised.
Manage Access. Ensure that only necessary employees have access to residents’ and homeowners’ PII. For those who have access, be sure to adequately train those employees to confirm they are apprised of the community associations’ cybersecurity policies and procedures. Additionally, be sure these employees can recognize common attack methods of threat actors and are able to avoid and report any suspicious activity. One of the basic ways to manage access is to ensure the community association is only collecting information that it absolutely needs to carry out its operations. If less data is in the possession of the community association, less data can be accessed by a threat actor.
Regularly Review Vendor Contracts. It’s crucial for community associations to audit contracts with vendors, at least annually, to ensure they align with the association’s risk tolerance. Many breaches stem from third-party service providers who have access to PII and sensitive PII. Without clear contractual safeguards, a breach could result in significant remediation costs, with limited legal recourse against the responsible vendor. Always be sure that your contracts address data protection and breach response obligations.
Consider Cyber Insurance. Cyber insurance has become an essential risk management tool for community associations. However, it’s important to understand that cyber insurance is not a catch-all solution. Insurers are increasingly raising premiums and limiting coverage for organizations that fail to implement strong data protection practices. Cyber insurance should be seen as a safety net, not a substitute for a comprehensive privacy and security strategy. Community associations should also periodically review their cyber insurance policies to confirm they are providing coverage for any new or emerging threats that may arise.
Engage the Community. Transparency, especially regarding the categories of data collected and how they are used, is key in building trust with residents and homeowners. Community Associations should seek input from their stakeholders on privacy and data security policies. While legal obligations will not change based on community sentiment, understanding residents’ concerns can help guide decision-making and foster a sense of accountability. Discussing data security efforts and proactively addressing cybersecurity challenges at an annual meeting provides an opportunity to clarify expectations and show the association’s commitment to protecting personal information.
For guidance on strengthening a community association’s privacy and data security efforts, contact us to learn more about best practices and compliance strategies.
Nondelegation and Environmental Law
Earlier this week, the Supreme Court held oral argument in Federal Communications Commission v. Consumers’ Research.1 The case addresses the Federal Communications Commission’s Universal Service Fund programs aimed at providing funding to connect certain customers with telecommunications services. The challengers contend that Congress ran afoul of the nondelegation doctrine in authorizing the FCC to setup the Universal Service Fund programs and that these programs are therefore unlawful.
Although that issue might appear far removed from issues of environmental law, the case could have significant ramifications and could curtail Congress’s ability to authorize federal administrative agencies to issue binding regulations. That curtailment could reach to congressional enactments that authorize the Environmental Protection Agency to promulgate regulations in a variety of areas, including several major environmental statutes like the Clean Air Act, the Clean Water Act, and the Safe Drinking Water Act, to name a few.
What is the Nondelegation Doctrine and Why is it Important?
The nondelegation doctrine holds that Congress may not delegate lawmaking (i.e., legislative) authority to executive branch agencies. As some observers have put it, however, the nondelegation doctrine had only one good year, in 1935, when the Supreme Court struck down two federal laws authorizing the executive to take certain actions that were considered legislative in nature. The cases were A.L.A. Schechter Poultry Corp. and Panama Refining Co.
Besides those two cases, the Supreme Court has not struck down any other federal laws on nondelegation grounds. This is because, after 1935, the Supreme Court adopted a relatively permissive test of whether a statute runs afoul of the nondelegation doctrine. The test, referred to as the “intelligible-principle” test, looks to whether Congress has provided the administrative agency with some “intelligible principle” to follow in promulgating regulations pursuant to a congressional enactment.
Applying the intelligible-principle test, the Supreme Court has repeatedly, and over approximately eight decades, upheld congressional delegations of rulemaking power to administrative agencies.
However, in 2019, a dissenting opinion written by Justice Gorsuch in Gundy v. United States, called on the Court to abandon the intelligible-principle test and instead move toward a test where the Agency is not able to make policy decisions and instead is left to a role where it only “fills up the details” or makes factual determinations. Notably, the Gundy dissent was joined by Justices Roberts and Thomas, and Justices Alito and Kavanaugh elsewhere expressed support for the Gundy dissent’s approach. Gundy was also decided before Justice Barrett joined the Court. This has Supreme Court watchers asking whether the Supreme Court might inject more stringency in the nondelegation test in an appropriate case.
Enter Consumers Research. This is the first Supreme Court case to squarely raise nondelegation issues since Gundy. The challengers to the Universal Service Fund program argue that Congress gave the FCC unchecked authority to raise funds to be directed toward the goal of providing universal service from telecommunications services providers. The FCC (and intervenors) respond that the program “passes . . . with flying colors” and fits comfortably within past nondelegation cases because of the numerous restrictions that the statute places on the FCC. If the Supreme Court were to shift course by establishing a more stringent nondelegation test, that could significantly constrain Congress’s ability to delegate rulemaking powers to administrative agencies. Importantly, a more stringent test for nondelegation challenges could also impact numerous existing federal laws. We discuss just a sample of environmental laws that could be affected in the following section.
What Could it Mean for Environmental Law, and You?
One of the most obvious areas where a more stringent delegation test could impact environmental law is in the setting of air and water quality standards.
For example, the Clean Air Act directs the EPA to set air quality standards that apply nationwide. The Clean Air Act provides relatively loose guidance on how the EPA should go about that task, directing the EPA to promulgate standards “requisite to protect the public health” while “allowing an adequate margin of safety.” The Supreme Court upheld that delegation in Whitman v. American Trucking Associations, Inc., but if the Supreme Court were to take a more stringent approach to nondelegation like that in the Gundy dissent, the EPA may not be able to make the decision of what air standard is “requisite to protect the public health” because that could be viewed as a key policy determination and more than “fill[ing] up the details.”
Likewise, in the Clean Water Act, the EPA is also directed to review water quality standards set by individual states, again taking into account a relatively broad instruction from Congress “to protect the public health or welfare, enhance the quality of water and serve the purposes of this chapter” while also considering the waters’ “use and value for public water supplies, propagation of fish and wildlife, recreational purposes, and agricultural, industrial, and other purposes, and . . . their use and value for navigation.” Again, a more stringent nondelegation test could find that these instructions leave the EPA with too much of a policy-making role.
Finally, in the Safe Drinking Water Act, the EPA is directed to set maximum contaminant level goals “at the level at which no known or anticipated adverse effects on the health of persons occur and which allows an adequate margin of safety.” This direction to set a standard is potentially less at risk because it requires more fact finding (i.e., determining “known or anticipated adverse effects on” health), but the requirement to determine an “adequate” safety margin might be deemed to be too close to policymaking.
Although nondelegation challenges to these types of environmental regulations have been raised in the past, they have failed at least in part because of the relaxed intelligible-principle test. The outcome in Consumers’ Research could change that. The Environmental Team at Womble Bond Dickinson are well-suited to evaluate these specific questions of law with you.
Counting Noses in Consumers’ Research
For now, it appears that the current nondelegation test will live to see another day. Only Justices Thomas, Alito, and Gorsuch seemed readily willing to make the test more stringent. The Justices appointed by Democratic presidents (Sotomayor, Kagan, and Jackson) are sure “no” votes. As for the three Justices typically left in the middle, Chief Justice Roberts was unusually quiet during argument, while both Justices Kavanaugh and Barrett pushed back on counsel for Consumers’ Research in numerous instances. Given that the Universal Service Fund program enjoys continuing and broad bipartisan support, this may not be the case where any of the middle three Justices are willing to take on the nondelegation issue, especially after the Court has already issued decisions that reign in administrative agency authority through the major-questions doctrine and by overruling the Chevron deference regime.
Regardless, the Supreme Court’s opinion, which should issue by July 2025, will likely reveal where the Court is headed on nondelegation issues and could signal that a more searching nondelegation test is on the horizon.
1 Brief disclaimer: Michael Miller worked on this case in the earlier stages of litigation before it was brought before the Supreme Court. This update does not share any views on the merits of the case.
Virginia Enacts Law Protecting Reproductive and Sexual Health Data
On March 24, 2025, Virginia Governor Youngkin signed into law S.B. 754, which amends the Virginia Consumer Protection Data Act (“VCDPA”) to prohibit the collection, disclosure, sale or dissemination of consumers’ reproductive or sexual health data without consent.
The law defines “reproductive or sexual health information” as “information relating to the past, present, or future reproductive or sexual health” of a Virginia consumer, including:
Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above; and
Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.
“Reproductive or sexual health information” does not include protected health information under HIPAA, health records for the purposes of Title 32.1, or patient-identifying records for the purposes of 42 U.S.C. § 290dd-2.
These amendments to the VCDPA will take effect on July 1, 2025.
Virginia Governor Vetoes Rate Cap and AI Regulation Bills
On March 25, Virginia Governor Glenn Youngkin vetoed two bills that sought to impose new restrictions on “high-risk” artificial intelligence (AI) systems and fintech lending partnerships. The vetoes reflect the Governor’s continued emphasis on fostering innovation and economic growth over introducing new regulatory burdens.
AI Bias Bill (HB 2094)
The High-Risk Artificial Intelligence Developer and Deployer Act would have made Virginia the second state, after Colorado, to enact a comprehensive framework governing AI systems used in consequential decision-making. The proposed law applied to “high-risk” AI systems used in employment, lending, and housing, among other fields, requiring developers and deployers of such systems to implement safeguards to prevent algorithmic discrimination and provide transparency around how automated decisions were made.
The law also imposed specific obligations related to impact assessments, data governance, and public disclosures. In vetoing the bill, Governor Youngkin argued that its compliance demands would disproportionately burden smaller companies and startups and could slow AI-driven economic growth in the state.
Fintech Lending Bill (SB1252)
Senate Bill 1252 targeted rate exportation practices by applying Virginia’s 12% usury cap to certain fintech-bank partnerships. Specifically, the bill sought to prohibit entities from structuring transactions in a way that evades state interest rate limits, including through “rent-a-bank” models, personal property sale-leaseback arrangements, and cash rebate financing schemes.
Additionally, the bill proposed broad definitions for “loan” and “making a loan” that could have reached a wide array of service providers. A “loan” was defined to include any recourse or nonrecourse extension of money or credit, whether open-end or closed-end. “Making a loan” encompassed advancing, offering, or committing to advance funds to a borrower. In vetoing the measure, Governor Youngkin similarly emphasized its potential to discourage innovation and investment across Virginia’s consumer credit markets.
Putting It Into Practice: The vetoes of the High-Risk Artificial Intelligence Developer and Deployer Act (previously discussed here) and the Fintech Lending Bill signal Virginia’s preference for a more flexible, innovation friendly-oversight. This development aligns with a broader pullback from federal agencies with respect to oversight of fintech and related emerging technologies (previously discussed here and here). Fintechs and consumer finance companies leveraging AI should continue to monitor what has become a rapidly evolving regulatory landscape.
Listen to this post