Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations
As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits.
Assessments and Evaluations Overview
The new ADMT notice, opt-out and access and appeal obligations and rights go into immediate effect upon the regulation’s effective date, which follows California Office of Administrative Law (OAL) approval and would either be subject to the quarterly regulatory implementation schedule in the Government Code, or as has been the case with prior CCPA regulations immediately on OAL sign-off. We will not know if the CPPA will again seek a variance from the schedule until they submit the final rulemaking package.
Moving on to evaluations and risk assessments, the draft regulations do propose a phase-in, but only in part. Evaluations must be undertaken beginning on the regulation’s effective date, whereas assessment requirements apply to practices commencing on the effective date, but there is a 24 month period to complete, file certifications and abridged versions, and make available for inspection.
However, since Colorado, which like California, has very detailed requirements for conducting and documenting assessments, and New Hampshire, Oregon, Texas, Montana, Nebraska, and New Jersey already require assessments, Delaware and Minnesota will this summer, and Indiana, Rohde Island and Kentucky will by the new year, query whether the California phase-in is of much use. Out of the 20 state consumer privacy laws, all but Utah and Iowa require assessments.
Further, without at least a cursory assessment, how can you determine if the notice, opt-out and access and appeal rights apply?
So, what is the difference between an evaluation and an assessment?
First, they are required by different provisions. Evaluations are required by Section 7201, and risk assessments by Section 7150.
Next, there is no phase-in of evaluations as with risk assessments.
Risk assessments are much more complex and prescribed, and are at the core of a risk benefit judgment decision, and must be available for inspection and abridged summaries must be filed.
The content of the evaluation, which need not be published or subject to inspection demand outside of discovery, need only address if the process and technology is effective, in other words, materially error free, and if it discriminates against a protected class, in other words free of material bias. As such, they have similarities to assessments under the Colorado AI Act, effective next year but likely to be amended before then, and the recently passed Virginia HB 2094 AI bill that may or may not get signed by Governor Yougkin.
Thus, an evaluation alone won’t help you determine if the ADMT notice, opt-out and access and appeal rights apply, nor meet the risk assessment requirements. While it is a separate analysis, it can be incorporated into assessments assuming a company begins those immediately.
Also, evaluations are not required for selling and processing of sensitive personal information (PI), as are assessments, and assessments are only required for identification processing to the extent AI is trained to do so, whereas any processing for identification is subject to an evaluation. Since CCBA is part of behavioral advertising, which is part of extensive profiling, sharing needs to be addressed in both evaluations and assessments.
Finally, under Section 7201, a business must implement policies, procedures, and training to ensure that the physical or biological identification or profiling works as intended for the business’s proposed use and does not discriminate based on protected classes.
So on to assessments, what activities need to be assessed?
First selling or sharing. All 18 states that require assessments require them for this; though, for the non-California states, the trigger is processing for targeted advertising rather than “sharing”, which is broader than sharing for CCBA, but the California regulations catch up with the new concept of behavioral advertising.
Next, processing of sensitive personal information. The same 18 states require assessments for the processing of sensitive data, with differing definitions. For instance, what is considered children’s personal data differs considerably. Notably, the California draft Regulation amendments would raise the age from 13 to 16, and Florida is under 18. There is also variation in the definition of health data.
Note, while the Nevada and Washington (and potential New York) consumer health laws do not explicitly require assessments, they are practically needed, and Vermont’s data broker law requires initial risk assessments and a process for evaluating and improving the effectiveness of safeguards.
Other Risk Assessment Triggers
Assessments are mandatory before using ADMT to make or assist in making a significant decision, which is “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” This is a General Data Protection Regulation (GDPR) and European Data Protection Board (EDPB) inspired provision. The other states that require assessments also have a similar obligation, although the definitions may differ somewhat. In California, “Decisions that produce legal or similarly significant effects concerning a consumer” means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to essential goods or services. Only California gives guidance on what are essential goods or services, by means a parenthetical “(e.g., groceries, medicine, hygiene products, or fuel). Critics are concerned that this limits algorithmic custom pricing, sometimes derogatively referred to as surveillance pricing, or even AI of consumer behavior to decide where to open or close stores, though the aggregate or de-identified data should suffice for that. There is considerable guidance out of the EU, which can be looked to, though is clearly not binding. The EU approach is quite broad.
Speaking of looking to the EU, beware that the California and Colorado regulations diverge considerably from what is required under GDPR assessments, and keep in mind the material differences between GDPR with its lawful basis and legitimate interest tests and the US laws with opt-out concepts.
Uniquely amongst the states, California proposes the concept of extensive profiling, which covers any:
1) work or educational profiling;
2) public profiling; or
3) behavioral advertising.
Note however, that whilst behavioral advertising is said to include CCBA, it is broader and is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity—both across businesses, distinctly-branded websites, applications, or services, (i.e., CCBA) and within the business’s own distinctly-branded websites, applications, or services.” Significantly, this closes the gap between CCBA and the non-California regulation of targeted advertising, by including entirely 1st party behavioral advertising.
There is a carve out for “nonpersonalized advertising” as defined by CCPA Section .140(t), which means advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business with the exception of the consumer’s precise geolocation. But also, note that here the exception is specifically limited to where the PI is not disclosed to third parties (i.e., not a processor or contractor). This has led some to argue that this guts the carve out. However, if personal data was disclosed to a third party, that would likely be a sale, especially given the breadth of the concept of “over valuable consideration” in the eyes of the regulators. So, the approach really is not inconsistent with the current treatment of contextual advertising.
PI to train ADMT or AI
Assessments are also proposed to be required for processing of PI to train ADMT or AI. This is another uniquely California concept, at least under state consumer privacy laws, and the California Chamber of Commerce and others, including some members of the legislature, have argued that, like other aspects of the proposed regulation’s treatment of ADMT, it goes beyond the Agency’s statutory authority. It is interesting to note that one of the topics included in the US House Committee on Energy and Commerce’s request for information to inform federal privacy legislation this week is the role of privacy and consumer protection standards in AI regulation and specifically the impact of state privacy law regulation of ADMT and profiling on US AI leadership. Another topic of focus is “the degree to which US privacy protections are fragmented at the state level and costs associated with fragmentation,” which seems to be inviting a preemption scope debate. So by the time at least this part of the regulation requires action, it may possibly be curtailed by federal law. That said, evaluations and assessments are practically necessary to guide compliance and information governance and to date repeated attempts at federal consumer privacy legislation have been unsuccessful.
Assessment Details
Most state laws do not have any specifics regarding how to conduct or document risk assessments, with the notable exception of Colorado. When it started assessment rulemaking, the Agency stated that it would look to try to create interoperability with Colorado and would also look to the guidance by the EDPB. While both can be seen to have influenced California’s proposed requirements, California adds to these.
Some of the content requirements are factual, such as purposes of processing and categories of PI. Others are more evaluative, such as the quality of the PI and the expected benefits and potential negative impacts of the processing, and how safeguards may mitigate those risks of harm. Nine examples are included in Section 7152(a)(5) to guide analysis.
Section 7152(a)(3) calls for analysis of specific operational elements for the processing.
Focus on Operational Elements
These operational elements are listed here[1] and can be seen as not only getting under the hood of the processing operations but also informing consumer expectations, and the risks and benefit analysis that is the heart of an assessment. Note, in particular, the inquiries into retention and logic, the latter meaning ‘built-in’ assumptions, limitations, and parameters that inform, power or constrain the processing, particularly as concerns ADMT.
Analysis and Conclusions
The assessment must not only document those processing details and the risk / benefit and risk mitigation analysis, but the conclusions and what was approved and/or disapproved.
The draft regulations call for participation by all relevant stakeholders, and they must be specifically named, as must the identification of the person responsible for the analysis and conclusions.
Filing and Certification
California diverges from the other states with respect to reporting requirements. Annually a responsible executive must certify to the CCPA that the business assessed all applicable processing activities, and an abridged assessment must be filed for each processing activity actually initiated. This will make it very apparent which businesses are not conducting assessments.
Further, the draft regulations limit what is required in the abridged assessments to largely factual statements:
The triggering processing activity;
The purposes;
The categories of personal information, including any sensitive categories; and
The safeguards undertaken.
Note that the risk / benefit analysis summary is not a part of the filing.
Inspection and Constitutional and Privilege Issues
Contrast that with the detailed risk / benefit analysis required by the full assessment, which, like all of the other states that require or will require assessments, is subject to inspection upon request.
This GDPR-inspired approach to showing how you made decisions calls for publication of value judgments, which, as I have opined in an article that is in your materials (see a synopsis here), is likely unconstitutional compelled speech. While the 9th Circuit in the X Corp and NetChoice cases struck down harm assessment and transparency requirements in the context of children’s online safety, the Court distinguished compelling disclosure of subjective opinions about a company’s products and activities from requiring disclosure of merely product facts. There is no 1st Amendment in GDPR-land, so we will have to wait and see if the value judgment elements of assessments can really be compelled for inspection.
Inspections also raise serious questions about attorney-client and work product privilege. Some states specifically provide that inspections of assessments is not a waiver of privilege, and/or that they will be maintained as confidential and/or are not subject to public records access requests. The draft regulations do not; however, the CCPA itself provides that the Act shall not operate to infringe on evidentiary privileges. At any event, consider labeling legal analysis and counsel as such and maintaining them apart from what is maintained for inspection.[2]
[1] Planned method for using personal information; disclosures to the consumer about processing, retention period for each category of personal information, categories of third parties with access to consumers’ personal information, relationship with the consumer, technology to be used in the processing, number of consumers whose personal information will be processed and the logic used.
[2] Note – Obtaining educational materials from Squire Patton Boggs Services Ireland, Limited, or our resellers, does not create an attorney-client relationship with any Squire Patton Boggs entity and should be used under the direction of legal counsel of your choice.
U.S. Consumer Privacy Laws Taking Effect in 2025 and Ensuing Compliance Complexities
The United States continues to operate without a comprehensive federal consumer privacy law as the American Privacy Rights Act remains subject to further amendments and uncertainty. Consequently, nineteen states enacted comprehensive consumer privacy legislation, of which eight are becoming or have become effective in 2025, and some existing state privacy laws have been amended since their enactment. This fragmented approach creates compliance complexities and operational considerations for organizations operating at state and national levels.
Comprehensive consumer privacy laws taking effect in 2025
Effective date
State comprehensive consumer privacy laws
January 1, 2025
• Delaware Personal Data Privacy Act• Iowa Consumer Data Protection Act• Nebraska Data Privacy Act• New Hampshire Senate Bill 255
July 1, 2025
• Tennessee Information Protection Act
July 31, 2025
• Minnesota Consumer Data Privacy Act
October 1, 2025
• Maryland Online Data Privacy Act
General requirements across each law
Each state law mandates distinct, jurisdiction-specific obligations on regulated organizations, which generally include the following:
Consumer rights: Each state law grants consumers certain privacy rights. While consumers’ privacy rights vary from state to state, consumers may be granted the right, subject to certain exceptions, to: (1) access, correct and delete data that an organization collects from or about them; (2) opt-out of further data processing; (3) the right to data portability and to direct the transfer of their personal information; and (4) the right to restrict and limit the use and disclosure of sensitive personal information.
Organizational compliance obligations: Each state law also imposes certain obligations on regulated entities acting as a data controller (i.e., an entity that controls the purpose and means of processing personal data) and data processors (i.e., third parties that process data under the direction and control of data controllers, such as service providers or vendors). Regulated organizations acting as data controllers may be obligated to, among other things, respond to consumer privacy requests, implement reasonable technical and organizational security measures, provide consumers with a notice of privacy practices and a mechanism through which consumers may opt out of data processing.
Key compliance considerations
In light of the complexities highlighted above, organizations should reflect on the following compliance considerations:
Whether your organization’s corporate policies are compliant with new privacy legislation.
With several new legislative updates, organizational corporate policies, such as privacy policies and privacy notices, may become dated and/or noncompliant with the most recent and looming updates. It is recommended practice for organizations to routinely evaluate their corporate policies to ensure compliance with any updated regulatory requirements and implement changes to the extent necessary.
Whether your organization is equipped to respond to consumer privacy requests.
Responding to consumer privacy requests may be problematic for organizations operating across multiple states due to variance among consumer privacy rights, related nuances and exceptions. Organizations should evaluate the various privacy rights and exceptions, if any, in states in which they operate and establish a playbook to implement an efficient and effective response.
Whether your organization is exempt from compliance.
Some privacy laws provide for entity-level and data-level exemptions, subject to certain nuances. An entity-level exemption generally exempts an organization based on the type of entity. For example, some states include an entity-level exemption for not for profit corporations or entities regulated by certain federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA). A data-level exemption exempts certain data that is subject to regulation under certain federal laws, such as HIPAA and the Gramm-Leach-Bliley Act.
In addition, some states have an operational threshold that an organization must meet or exceed to be subject to the relevant act. For example, in Delaware, an organization must (1) do organization in the state or produce products or services that are targeted to Delaware residents, and (2) one of the following must apply: (i) control or process personal data of 35,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or (ii) (a) control or process personal data of 10,000 or more consumer and (b) derive more than 20% of its gross revenue from the sale of personal data.
Organizations should evaluate whether they may be exempt from certain state laws and, if so exempt, how that might impact their corporate policies and go-to-market strategies.
Speed Bump: CPPA Pulls Over Honda for Privacy Practices
It’s no surprise that the California Privacy Protection Agency (“CPPA”) has been active. They are making a strong case for being the most active state agency in the privacy arena.
Well, they just strengthened that claim in a Stipulated Final Order with American Honda Motor Company, Inc. (“Honda”) from last week. The CPPA claims that Honda’s practices were violations of the California Consumer Privacy Act and the claims are pretty surprising.
Not because they are egregious. But, mostly because it’s demonstrative of the fact that the CPPA is not giving points for “effort”.
Honda required too much information from consumers to opt-out of sale/sharing of consumer data
The CCPA allows consumers certain rights. Included in these rights are the right to opt-out of the sale or sharing of personal information, right to limit the use of sensitive personal information, and the right to delete personal information.
Honda had created a Privacy Center page to allow consumers to manage how their personal data was handled. Because Honda needed to be able to verify the information from the consumer, certain questions were asked in an attempted effort to identify the consumer and manage their personal data.
However, the CPPA felt that Honda was asking too many questions. From the order: “although Honda generally needs only two data points from the Consumer to identify the Consumer within its database, Honda’s verification process for Verifiable Consumer Requests requires the matching of more than two data points.” (emphasis in original)
According to the CPPA, the design of Honda’s Privacy Center “impairs or interferes with the Consumer’s ability to exercise those rights. The CCPA prohibits businesses from designing methods for submitting CCPA Requests that substantially subverts or impairs the Consumer’s autonomy, decisionmaking, or choice.”
Honda required too much information to allow third-party agents to opt-out on behalf of consumers
Consumers can allow third-party agents to exercise their privacy rights under the CCPA. And businesses can require the agents to a written authorization from the consumer to allow the third-party agents to do so.
But, businesses cannot “require the Consumer to directly confirm that they have provided the Authorized Agent permission to submit the request. Businesses may directly contact the Consumers directly in that manner only for Verifiable Consumer Requests.”
Honda, apparently, was treating all third-party requests the same and not limited the outreach to the consumer to the Verifiable Consumer Requests.
Honda’s cookie management tool was not offering symmetrical choices
And now we enter the nit-picking section of the program.
(This is John’s opinion, not necessarily the opinion of TCPAWorld, but hey, I’m writing this, so I get to interject my opinion.)
Honda uses a third-party cookie management tool. It’s one of, if not THE, industry leader cookie management tool.
Cookie management menu pops up. And consumer has two clicks to turn off the advertising cookies: (1) click the toggle button, and (2) click the “Confirm my choices” button.
Seems reasonable.
However, if the consumer goes back to the cookie management tool at a later point, there is one button – an “Allow All” button. This button allows all the cookies to be turned back on in a single click.
THE HORROR.
Excuse me, while I clutch my pearls.
The CCPA said the single opt-in was not symmetrical in choice. “Symmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protection option because that would impair or interfere with the Consumer’s ability to make a choice.”
I get it. That’s the law. But, two clicks versus one click is absurd.
Especially, when the consumer can still opt out of individual categories of cookies in two clicks. It’s just the opt-in takes one click. (However, the user has to go back into the cookie management tool somehow, so arguably that’s an additional click.)
Honda couldn’t provide the CPPA with their contracts with advertising vendors
The CCPA requires companies that collect and disclose personal information to vendors to have specific requirements in their contracts around personal information.
However, per the Stipulated Order, Honda could not produce the contracts.
OK, so that one’s clearly on Honda.
The big takeaways from this order:
The CPPA is not joking. They are NOT going to give you points for trying to comply.
The CPPA is very aggressive. The administrative fine is a total of $632,500. Of that amount, $382,500 accounts for Honda’s conduct to a total of 153 consumers.
Read that again.
One Hundred Fifty Three Consumers accounted for a fine of $382,500.
Reliance on vendors is not going to save you from CCPA violations.
Basic contract management = Keep copies of contracts and produce them.
It’s a Wrap—The Latest from the Ninth Circuit on “Sign-In Wrap” Agreements
On February 27, 2025, in Chabolla v. ClassPass Inc., the U.S. Court of Appeals for the Ninth Circuit, in a split 2-1 decision, held that website users were not bound by the terms of a “sign-in wrap” agreement.
ClassPass sells subscription packages that grant subscribers access to an assortment of gyms, studios and fitness and wellness classes. The website requires visitors to navigate through several webpages to complete the purchase of a subscription. After the landing page, the first screen (“Screen 1”) states: “By clicking ‘Sign up with Facebook’ or ‘Continue,’ I agree to the Terms of Use and Privacy Policy.” The next screen (“Screen 2”) states: “By signing up you agree to our Terms of Use and Privacy Policy.” The final checkout page (“Screen 3”) states: “I agree to the Terms of Use and Privacy Policy.” On each screen, the words “Terms of Use” and “Privacy Policy” appeared as blue hyperlinks that took the user to those documents.
The court described four types of Internet contracts based on distinct “assent” mechanisms:
Browsewrap – users accept a website’s terms merely by browsing the site, although those terms are not always immediately apparent on the screen (courts consistently decline to enforce).
Clickwrap – the website presents its terms in a “pop-up screen” and users accept them by clicking or checking a box expressly affirming the same (courts routinely enforce).
Scrollwrap – users must scroll through the terms before the website allows them to click manifesting acceptance (courts usually enforce).
Sign-in wrap – the website provides a link to the terms and states that some action will bind users but does not require users to actually review those terms (courts often enforce depending on certain factors).
The court analyzed ClassPass’ consent mechanism as a sign-in wrap because its website provided a link to the company’s online terms but did not require users to read them before purchasing a subscription. Accordingly, the court held that user assent required a showing that: (1) the website provides reasonably conspicuous notice of the terms to which users will be bound; and (2) users take some action, such as clicking a button or checking a box, that unambiguously manifests their assent to those terms.
The majority found Screen 1 was not reasonably conspicuous because of the notice’s “distance from relevant action items” and its “placement outside of the user’s natural flow,” and because the font is “timid in both size and color,” “deemphasized by the overall design of the webpage,” and not “prominently displayed.”
The majority did not reach a firm conclusion on whether the notice on Screen 2 and Screen 3 is reasonably conspicuous. On one hand, Screen 2 and Screen 3 placed the notice more centrally, the notice interrupted the natural flow of the action items on Screen 2 (i.e., it was not buried on the bottom of the webpage or placed outside the action box but rather was located directly on top of or below each action button), and users had to move past the notice to continue on Screen 3. On the other hand, the notice appeared as the smallest and grayest text on the screens and the transition between screens was somewhat muddled by language regarding gift cards, which may not be relevant to a user’s transaction; thus, a reasonable user could assume the notice pertained to gift cards and hastily skim past it.
Even if the notice on Screen 2 and Screen 3 was reasonably conspicuous, the majority deemed the notice language on both screens ambiguous. Screen 2 explained that “[b]y signing up you agree to our Terms of Use and Privacy Policy,” but there was no “sign up” button—rather, the only button on Screen 2 read “Continue.” Screen 3 read, “I agree to the Terms of Use and Privacy Policy,” and the action button that follows is labeled “Redeem now”; it does not specify the user action that would constitute assent to the terms. In other words, the notice needs to clearly articulate an action by the user that will bind the user to the terms, and there should be no ambiguity that the user has taken such action. For example, clicking a “Place Order” button unambiguously manifests assent if the user is notified that “by making a purchase, you confirm that you agree to our Terms of Use.”
Accordingly, the court held that Screen 1 did not provide reasonably conspicuous notice and, even if Screen 2 and Screen 3 did, progress through those screens did not give rise to an unambiguous manifestation of assent.
The dissent noted that the majority opinion “sows great uncertainty” in the area of internet contracts because “minor differences between websites will yield opposite results.” Similarly, the dissent argued that the majority opinion will “destabilize law and business” because companies cannot predict how courts are going to react from one case to another. Likewise, the dissent expressed concern that the majority opinion will drive websites to the only safe harbors available to them—clickwrap or scrollwrap agreements.
While ClassPass involved user assent to an arbitration provision in the company’s online terms, the issue of user assent runs far deeper, extending to issues like consent to privacy and cookie policies—a formidable defense to claims involving alleged tracking technologies and wiretapping theories. Notwithstanding the majority’s opinion, many businesses’ sign-in wrap agreements will differ from the one at issue in the lawsuit and align more closely with the types of online agreements that courts have enforced. Nonetheless, as the dissent noted, use of a sign-in wrap agreement carries some degree of uncertainty. Scrollwrap and clickwrap agreements continue to afford businesses the most certainty.
Common Privacy Pitfalls in M&A Deals
Many expect that deal activity will increase in 2025. As we approach the end of the first quarter, it is helpful to keep in mind privacy and data security issues that can potentially derail a deal. We discussed this in a webinar last week, where we highlighted issues from the buyer’s perspective. We recap the highlights here:
Take a Smart Start Approach: Often when privacy “specialists” are brought into deals, it is without a clear understanding of the goal of the deal and post-acquisition plans. Keeping these in mind can be crucial to conducting appropriate and risk-based diligence. (Along with having a clear understanding of the structure of the deal.) Questions to ask include the extent to which the target will be integrated into the buyer. Or, whether privacy assets (mailing lists) are important to the deal.
Conducting Diligence: Diligence can happen on a piece-meal basis. There are facts about the target that can be discovered even before the data room opens. What information has it shared about operations and products on its website? Has there been significant press? Any publicly-announced data breaches? What about privacy or data security related litigation? When submitting diligence question lists, keep the scope of the deal in mind. What are priority items that can be gathered, and how can that be done without overwhelming the target?
Pre-Closing Considerations: There are some obvious things that will need to happen before closing, like reviewing and finalizing deal documents and schedules. There may also be privacy-specific issues, such as addressing potential impediments to personal information transfers.
Post-Closing Integration: In many deals, the privacy and cybersecurity team is not involved in the integration process. Or, a different team handles these steps. Issues that might arise- and can be anticipated during the deal process- include understanding the data and processes that will be needed post integration, and the personnel who can help (whether at the target or buyer).
Putting It Into Practice: Keeping track of the intent of the deal and the key risks can help the deal flow more smoothly. This checklist can help with your next transaction.
Enforcement Update: Regulatory Attention Focused on Deletion Requests
Data protection authorities worldwide are intensifying their focus on individuals’ rights to have their personal data deleted. This heightened regulatory attention underscores the importance of organizations implementing robust compliance mechanisms to handle deletion requests effectively. For example:
In October 2023, California enacted pioneering legislation to strengthen consumer data protection. The California Delete Act (Senate Bill 362), signed into law in October 2023, establishes a centralized mechanism for consumers to request the deletion of their personal information held by data brokers. Under this law, data brokers are mandated to register annually with the California Privacy Protection Agency (CPPA) starting January 2024 and to process deletion requests submitted through the centralized platform beginning August 2026. This legislation aims to simplify the process for consumers to manage their personal data and imposes stringent requirements on data brokers to ensure compliance. Since November 2024, the CPPA has fined seven data brokers for failing to register and to pay the annual fee required under the California Delete Act.
In March 2025, Oregon released an enforcement report highlighting that “the number one right consumers have requested and been denied, is the right to delete their data.”
In March 2025, the European Data Protection Board (EDPB) initiated its Coordinated Enforcement Framework (CEF) action, centering on the right to erasure, commonly known as the “right to be forgotten,” as stipulated in Article 17 of the General Data Protection Regulation (GDPR). This initiative involves 32 Data Protection Authorities (DPAs) across Europe collaborating to assess and enhance compliance with erasure requests. Participating DPAs will engage with various data controllers, either by launching formal investigations or conducting fact-finding exercises, to scrutinize how these entities manage and respond to erasure requests, including the application of relevant conditions and exceptions. The findings from these national actions will be collectively analyzed to facilitate targeted follow-ups at both the national and EU level.
These developments reflect a broader global trend toward empowering individuals with greater control over their personal data and ensuring that organizations uphold these rights. For businesses, this signifies a need to evaluate and, if necessary, enhance their data management practices to comply with evolving regulatory standards concerning data deletion requests.
Given the intensified regulatory focus on data deletion rights, organizations worldwide should consider proactively assessing and strengthening their data protection practices. By implementing robust mechanisms to handle deletion requests effectively, businesses may not only ensure compliance with current regulations but also build trust with consumers who are increasingly concerned about their privacy rights.
KEEPING UP: Kardashian Brand Sued in TCPA Call Timing Class Action
When Kim Kardashian said, “Get up and work”, the TCPA plaintiff’s bar took that seriously. And another Kardashian sibling may be facing the consequences.
We at TCPAWorld were the first to report on the growing trend of lawsuits filed under the TCPA’s Call Timing provisions, which prohibit the initiation of telephone solicitations to residential telephone subscribers before 8 am and after 9 pm in the subscriber’s time zone. Call it a self-fulfilling prophecy or just intuition honed by decades of combined experience, but these lawsuits show no signs of slowing down.
In Melissa Gillum v. Good American, LLC. (Mar. 11, 2025, C.D. Ca), Plaintiff alleges that Khloe Kardashian’s clothing brand Good American sent the following text messages to her residential telephone number at 07:15 AM and 06:30 AM military time:
Of course, Plaintiff alleges she never authorized Good American to send her telephone solicitations before 8 am or after 9 pm.
Plaintiff also seeks to represent the following class:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
The consensus here on TCPAWorld is that calls or text messages made with prior express consent are not “telephone solicitations” and likely not subject to Call Time restrictions. We’ll have to see how these play out but stay tuned for the latest updates!
NO SMOKING UNTIL 8 AM: R.J. Reynolds Burned By TCPA Time-Of-Day Class Action Lawsuit
Hi TCPAWorld! R. J. Reynolds Tobacco Company—the powerhouse behind Camel, Newport, Doral, Eclipse, Kent, and Pall Mall—is back in court. This time, though, it isn’t about the usual allegations against Big Tobacco. Instead, the plaintiff accuses the company of violating the TCPA’s time-of-day restrictions and causing “intrusion into the peace and quiet in a realm that is private and personal to Plaintiff and the Class members.” Vallejo v. R. J. Reynolds Tobacco Company, 8:25CV00466: Vallejo v RJ Reynolds Tobacco Complaint Link
Under the TCPA, telemarketing calls or texts can’t be made before 8 a.m. or after 9 p.m. (local time for the recipient). We’ve been seeing a lot of these time-of-day cases pop up lately:
IN HOT WATER: Louisiana Crawfish Company Sued Over Early-Morning Text Messages – TCPAWorld
IT WAS A MATTER OF TIME: Another Company Allegedly Violated TCPA Time Restrictions. – TCPAWorld
TIME OUT!: NFL Team Tampa Bay Buccaneers Hit With Latest in A Series of Time Restriction TCPA Class Action – TCPAWorld
SOUR MORNING?: For Love and Lemons Faces TCPA Lawsuit Over Timing Violations – TCPAWorld
TOO LATE: 7-Eleven Sued in TCPA Class Action for Allegedly Failing to Comply With Call Time Limitations–And This Is Crazy If its True – TCPAWorld
Here, in Vallejo v. R. J. Reynolds Tobacco Company, however, the plaintiff claims he received early-morning marketing texts around 7:15 a.m. and 7:36 a.m., local time. The complaint further alleges that he “never signed any type of authorization permitting or allowing Defendant to send them telephone solicitations before 8 am or after 9 pm,” though it doesn’t actually say he withheld consent entirely for these messages.
The plaintiff seeks to represent the following class:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
As I’ve said before, from my reading of the TCPA, these time-of-day restrictions apply specifically to “telephone solicitations,” meaning calls or texts made with the recipient’s prior consent or within an existing business relationship might be exempt. Since the plaintiff doesn’t deny consenting to these texts in the first place, we’ll have to keep an eye on this lawsuit to see if the Central District of California agrees with that interpretation.
COMPLAINTS ABOUT COMPLAINTS: Defendant Granted Leniency from Burdensome Discovery Production
Discovery disputes are a big part of TCPA cases and, practically speaking, it can be exceptionally difficult for defendants to produce all documents requested by TCPA plaintiffs… for several reasons. Requests for production and interrogatories tend to be worded as broadly as possible (generally to seek class information). Then, even with discovery requests that are agreed upon by the parties, the practical difficulty of obtaining and producing the requested material can range from difficult to nearly impossible.
In Nock v. PalmCo Administration, LLC, No. 1:24-CV-00662-JMC, 2025 WL 750467 (D. Md. Mar. 10, 2025), the District Court of Maryland showed leniency to the defendant, although it still ordered the defendant to at least attempt to produce nearly every material that the plaintiff had requested.
For some context, the plaintiff alleged that the defendant had violated 47 U.S.C. § 227(c), the Do Not Call (“DNC”) provision of the TCPA, and Md. Com. Law § 14-320, Maryland’s analogous DNC law. Id at *1. An informal discovery dispute was brought before the court based on the defendant’s purportedly incomplete responses to the plaintiff’s discovery requests. Id.
Firstly, the court found that an interrogatory seeking “all complaints ‘regarding [the defendant’s] marketing practices’” unreasonably burdened the defendant—since complaints relating to all marketing practices would clearly turn up material unrelated to the case’s subject matter. Id. at *2. However, the court still ordered production of all complaints related to the case’s subject matter. Id. at *3.
Secondly, the plaintiff sought production of documents that had previously been ordered by the court. Id. However, one of the categories of documents was outside the defendant’s possession—data from one of its vendors. Id. As the defendant demonstrated “reasonable efforts to obtain the requested information,” the court allowed the defendant to send one more email request to furnish missing data from the third-party vendor to fulfill the defendant’s obligations under the previous court order. Id.
Although this specific request did not fall under retention requirements, it is worth a reminder that the statutory Telemarketing Sales Rule recently expanded in what records must be kept for all telemarketing calls.
Thirdly, the plaintiff sought records of all communications between the defendant and a third-party vendor. Id. Similarly, the court was lenient with the defendant, even though the defendant had already missed a court ordered production deadline on those communications. Id. The defendant was still ordered to produce the communications within thirty days, but the court was understanding of the practical difficulties in producing all said communications. Id. at *3-4.
That is all for this order. However, the TCPA keeps seeing new rules and requirements. Most urgently, we are now less than a month away from new revocation rules coming into effect. Be ready for those changes as they are set to be implemented on April 11, 2025!
Even With FCC 1:1 Gone, the CMS 1:1 Rule is Still Standing
Obviously, a lot going on in the lead gen space over the last six weeks. The biggest change of all is the FCC’s one-to-one rule being vacated. The pivot the industry had to make immediately after that ruling affected so many businesses.
But, one thing that did not change was CMS’s requirement for one-to-one consent to share personal beneficiary data between TPMOs. This is true even though CMS’s guidance throughout the summary of the rule was all based on the FCC’s one-to-one rule.
As a reminder:
CMS requires individualized consent: Beneficiary consent for data sharing must be obtained on a specific, one-to-one basis, with clear and easily understood disclosures.
The key to obtain consent is transparency CMS mandates that beneficiaries understand
Where their personal data is being shared.
The specific purpose of the contact they are consenting to, and
The identity of the entity that will be contacting them.
CMS Consent is Broader than the FCC’s proposed 1:1 consent: The CMS consent rule has a wider scope than the proposed 1:1 consent in the TCPA because it also applies to manual dialed calls.
Opt-In Consent is Mandatory: CMS requires an opt-in consent model, meaning the default should be that data is not shared, and the beneficiary must affirmatively choose to allow sharing.
Separate Legal Entities Require Explicit Consent: TPMOs cannot share beneficiary data with a TPMO that is a different legal entity without the beneficiary’s prior express written consent. This applies even to affiliated agents within the same marketing organization.
While the industry took a collective sigh of relief when the TCPA’s 1:1 rule was vacated, those TPMOs under CMS’s purview must remain diligent. And, new CMS rules should be announced within the next few weeks, so stay tuned.
For Whom the Bell Tolls? The Impact of Wisconsin Bell v. United States ex rel. Todd Heath and United States v. Regeneron Pharmaceuticals Inc. on False Claims Act Litigation
The Supreme Court’s decision in Wisconsin Bell v. United States ex rel. Todd Heath clarifies what constitutes a “claim” under the federal False Claims Act (FCA). At issue in Wisconsin Bell was whether reimbursement requests submitted to the FCC’s “E-Rate Program” are considered “claims” under the FCA. The U.S. Supreme Court agreed that they were, finding that the plaintiff’s liability theory could move forward.
While the issues presented in Wisconsin Bell occurred in the context of the FCC, the implications of the Court’s decision appear to extend far beyond—reaching industries frequently targeted for FCA enforcement, such as health care, aerospace, defense, energy and others involving government contracts (like cybersecurity). As in years past, SCOTUS’s docket and Wisconsin Bell reflects the continued significance of FCA litigation and its importance to the government’s recovery of funds. Therefore, all companies that receive federal funds, particularly in highly regulated industries such as health care, should be interested in understanding this ruling and its impact.
Wisconsin Bell had argued that it could not be exposed to FCA liability because the E-rate program, congressionally mandated to help certain schools and libraries afford internet and telecommunications, is administered by a private nonprofit organization and funded by government-mandated payments from private telecommunications carriers into the Universal Service Fund (USF). But the Court ruled narrowly that, because the U.S. Treasury itself had provided $100 million to the USF, through its collection of delinquent debts to the USF and related penalties and interest, as well as other settlements and criminal restitution payments, the federal government did “provide” a portion of the funds at issue, so the whistleblower’s allegations are thus covered under the FCA.
One thing of interest is seen in the concurrence from Justice Kavanaugh (with Thomas concurring) who renewed their questions about the constitutionality of the FCA’s qui tam provisions (and thereby invited future challenges), writing in Wisconsin Bell that “the [False Claims] Act’s qui tam provisions raise substantial constitutional questions under Article II. … [I]n an appropriate case, the Court should consider the competing arguments on the Article II issue.” Ultimately though, it was a unanimous decision, where the Supreme Court found that that E-Rate reimbursement requests were “claims” under the FCA.
Another interesting aspect is that the Court’s decision was notably narrow, relying on the U.S. Treasury’s supply of a $100 million ancillary sliver of overall USF funding, which totals nearly $10 billion annually. Justice Thomas’s concurrence (with Justice Kavanaugh concurring, and Justice Alito concurring in part) highlights the limits of this approach, observing that, “the Government paid scant attention to the fact that courts historically have not applied the FCA to cover fraud on nongovernment entities unless the Government itself will face a financial loss.” And, the Court’s opinion itself forewarns that issues of, “whether (and, if so, how) the amount of money the Government deposited should limit the damages Heath can recover” are likely to emerge if Heath ultimately prevails.
The narrow holding was necessary because, as the Court explained, larger questions as to the constitutionality of the USF under the nondelegation doctrine are looming in a separate case, Consumers’ Research v FCC, Docket Nos. 24-354, 24-422 (set for oral argument on March 26, 2025). Notably, Justice Thomas’s concurrence sends a warning shot for the Government in that case, questioning the implications of its other two arguments – either that the entire USF constitutes government funds, or that the private, non-profit USF administrator is an agent of the United States – for those constitutional questions, and for compliance with a separate statute, the Government Corporation Control Act. Those answers are likely to affect Heath’s potential for eventual recovery. (The fact that Justice Kavanaugh – seen as a potential swing vote in Consumers’ Research – joined this concurrence may also be an ominous portent for the future of the USF as currently constituted. See our recent Client Alert for more details about the issues presented in the Consumers’ Research case.)
In another recent and important FCA decision, United States v. Regeneron Pharmaceuticals Inc., the First Circuit joined some other courts of appeal in holding that the “but-for” causation standard applies when purported Anti-Kickback Statute (AKS) violations result in FCA violations. This is a commonly used theory because it allows plaintiffs to allege that when a relationship becomes tainted by kickbacks then all reimbursement claims to a federal payor that follow are tainted and fraudulent, triggering FCA liability.
In Regeneron Pharmaceuticals Inc., the First Circuit had to evaluate competing arguments from the government and defendant about whether the 2010 amendments to the AKS effectively changed the proof requirements under this theory. As the court explained,
Regeneron argued that, under the 2010 amendment, the government “b[ore] the burden of proving that an AKS violation … actually caused [a] physician to provide different medical treatment (and thus caused the false claims).” United States v. Regeneron Pharms., Inc., No. 20-11217, 2023 WL 6296393, at *10 (D. Mass. Sept. 27, 2023). In other words, Regeneron asserted that the phrase “resulting from” in the 2010 amendment imposed a “ ‘but-for’ causation standard.” Id. The government disagreed, and it urged the district court to adopt the Third Circuit’s view that “all that is required to prove a causal link [under the 2010 amendment] is that ‘a particular patient is exposed to an illegal recommendation or referral and a provider submits a claim for reimbursement pertaining to that patient.’ ” Id. (quoting United States ex rel. Greenfield v. Medco Health Sols., Inc.,880 F.3d 89, 100 (3d Cir. 2018)).
After evaluating various textual arguments asserted by the government, the First Circuit found that was no good reason “to deviate from the default presumption that the phrase ‘resulting from’ as used in the 2010 amendment imposes a but-for causation standard” and that “to demonstrate falsity under the 2010 amendment, the government must show that an illicit kickback was the but-for cause of a submitted claim.”
Since there is a clear circuit court split on this issue, it is ripe for certiorari by the Supreme Court.
Since False Claims Act plaintiffs are motivated by the potential of obtaining significant bounties by suing companies and individuals that do business with government agencies and affiliates, these and other recent decisions underscore the continued importance for companies that receive federal funds to have robust compliance plans and take appropriate steps to avoid becoming embroiled in these bet-the-company cases.
GRAB THE POPCORN: Regal’s Marketing Texts Just Premiered in a TCPA Blockbuster!
Grab your popcorn, here’s a quick case alert for you. Regal Cinemas just found itself in the middle of a legal thriller, and this one is playing out in the Central District of California instead of the big screen. See Hensley v. Regal Cinemas, Inc., No. 8:25-cv-00468 (C.D. Cal. Mar. 11, 2025). Here, we have a moviegoer suing the theater giant, claiming they were bombarded with promotional text messages before 8 a.m., breaking the rules set by the TCPA.
We are not just talking about a single rogue text. According to the Complaint, Regal allegedly sent off four early morning marketing messages, including two that landed at 7:21 and 7:22 in the morning. Instead of waking up to a quiet morning, Plaintiff was greeted with ads for free popcorn, extra Crown Club credits, and something called Funnel Fangs. Curious enough, I had to look into what these Funnel Fangs are and apparently they are funnel cake fries with red icing… which sound pretty good. Nothing like getting a promo for deep-fried snacks before you have even had your first sip of coffee.
But here is where things get sticky, like the bottom of a theater floor after a late-night screening. As we know, strict guidelines under the TCPA prohibit businesses from sending telemarketing messages before 8 a.m. or after 9 p.m. However, allegedly Regal rolled the credits on that rule and kept the marketing show going anyway.
This is no small popcorn flick. This is a class action lawsuit, meaning thousands could have been hit with these early morning texts. And the timing could not be worse, no pun intended. TCPA lawsuits are exploding faster than a bag of extra-butter popcorn in a hot microwave. More TCPA class actions were filed in the first ten days of March than in all of March last year!
Lawsuits over time-restricted messages keep rolling in, proving that plaintiffs’ lawyers are watching compliance missteps like hawks. Companies are learning the hard way that when they ignore TCPA rules, the lawsuits come in faster than a summer blockbuster lineup.