Eleventh Circuit Vacates TCPA One-to-One Consent Rule Immediately After FCC Postpones its Effective Date
On the eve prior to its effective date, the FCC’s One-to-One Consent Rule which sought to redefine the meaning of “prior express written consent” under the Telephone Consumer Protection Act, was postponed for one year by order of the FCC’s Consumer and Government Affairs Bureau. Just minutes thereafter, the rule was struck down by the U.S. Court of Appeals for the Eleventh Circuit.
Background
The Telephone Consumer Protection Act (TCPA) , in part, requires callers to possess “prior express consent” when making non-emergency telephone calls to cell phones using an automatic telephone dialing system, or artificial or prerecorded voice; and telephone calls to residential telephone lines using an artificial or prerecorded voice (with limited exceptions).
In 2012, the Federal Communications Commission established that the foregoing calls (including SMS text messages) for marketing purposes must have “prior express written consent,” defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.”
The FCC Consumer and Government Affairs Bureau Postpones Effective Date of the TCPA One-to-One Consent Rule
On January 24, 2025, the FCC announced that it has postponed the effective date of the one-to-one consent rule. “By this Order, we postpone the effective date for revisions to section 64.1200(f)(9) of the Commission’s rules, 47 CFR § 64.1200(f)(9), by 12 months, to January 26, 2026, or until the date specified in a Public Notice following a decision from the court reviewing a challenge to the new rule on the petition filed by the Insurance Marketing Coalition (IMC), whichever is sooner.”
The announcement also states, in pertinent part, that “we find that justice requires postponement of the effective date pending judicial review of the adopted rule.”
As stated by the Acting Chief, Consumer and Governmental Affairs Bureau, “[t]he previous requirements for prior express written consent in 47 CFR § 64.1200(f)(9) under the Telephone Consumer Protection Act (TCPA) will meanwhile remain in effect. We will provide notice of the new effective date, if any, through publication of a Public Notice in the Federal Register.”
The Second Text Blocking Report and Order revised section 64.1200(f)(9) of the Commission’s rules.
Second Text Blocking Report and Order, 38 FCC Rcd at 12258-69, paras. 30-53. The Second Text Blocking Report and Order adopted several additional provisions, that are not postponed. Specifically, the FCC required terminating mobile wireless providers to block text messages from a particular number following notification from the Commission unless their investigation determines that the identified text messages are not illegal; the Commission codified that the National DNC Registry’s protections apply to text messages; and the Commission encouraged providers to make email-to-text a service that consumers proactively opt into.
The Federal Communications Commission published the revised 47 CFR § 64.1200(f)(9) in the Federal Register on January 26, 2024 (Targeting and Eliminating Unlawful Text Messages, Implementation of the Telephone Consumer Protection Act of 1991, Advanced Methods To Target and Eliminate Unlawful Robocalls, 89 Fed. Reg. 5098 (Jan. 26, 2024)), with an effective date of January 27, 2025 (Effective Date for One-To-One Consent Rule Set for January 27, 2025, CG Docket Nos. 02-278, 21-402, 17-59, Public Notice, DA 24-1154 (CGB Nov. 19, 2024)).
IMC filed a petition for review of the revised section 64.1200(f)(9) in the Second Text Blocking Report and Order in the Eleventh Circuit on January 26, 2024 (Insurance Marketing Coalition v. FCC, No. 24-10277 (11th Cir.), filed Jan. 26, 2024. IMC also petitioned the Commission for stay of this revision pending judicial review. Insurance Marketing Coalition, Ltd, Petition for Partial Stay Pending Judicial Review, CG Docket Nos. 02-278, 21-402, 17-59 (Mar. 21, 2024) (IMC Petition for Stay). The Commission did not act on that petition. IMC subsequently filed a petition in the Eleventh Circuit for a judicial stay, which the Commission opposed and the court denied. See Insurance Marketing Coalition, Ltd. v. FCC, No. 24-10277 (11th Cir. May 30, 2024) (denying stay)).
The court heard oral arguments on December 18, 2024, and its review in this matter remains pending.
“We find that justice requires postponing the effective date of the new rule pending judicial review. We take this action sua sponte under section 705 of Title 5, which provides: “When an agency finds that justice so requires, it may postpone the effective date of action taken by it, pending judicial review.”
Several commenters expressed serious concerns about their ability to comply with the revised prior express consent rule by January 27, 2025.
Since the adoption of the Second Text Blocking Report and Order, several submissions have asked the Commission to revise or postpone the rule and have made a clear showing of the rule’s compliance burden. See, e.g., Letter from attorney for LendingTree to Secretary, FCC (Dec. 6, 2024) (requesting a revision to the new rule to permit “curated comparison shopping”); Letter from attorney for IMC to Secretary, FCC (Dec. 3, 2024) (stating that there would be adverse consequences from the Commission’s “one-to-one” and “logically and topically associated” consent requirements on small businesses); Letter from attorney for REACH to Secretary, FCC (Oct. 21, 2024) (requesting that the Commission change the phrase “one identified seller” to “one identified seller, entity, or brand” to alleviate many of the unintended consequences stemming from the current language of the one-to-one rule); Letter from attorney for QuinStreet to Secretary, FCC (Sept.13, 2024) (requesting that the Commission adopt LendingTree’s proposal for a narrow exception to the one-to-one consent rule for “curated comparison-shopping platforms”); Letter from attorney for LendingTree to Secretary, FCC (Jul. 12, 2024) (“small businesses will suffer a loss when compared to nationwide, name brand providers”); IMC Petition for Stay at 20 (“Absent a stay, IMC and its members will suffer irreparable harm from the Order, including damage to their business operations, significant compliance costs, and chilling of their speech.”).
The submissions the FCC received from commenters since adopting the Second Text Blocking Report and Order “now persuade us that allowing the rule to take effect on January 27, 2025, likely will cause significant burdens for multiple parties at a time when—following oral argument before the Eleventh Circuit on December 18, 2024—judicial review of the rule is likely nearing completion.”
Given the advanced stage of the pending judicial proceeding, the FCC announced that it is in the interest of justice to provide a limited postponement of the effective date of the rule to avoid imposing new burdens on parties while the court is adjudicating challenges to the rule and to avoid subjecting texters and callers acting in good faith to the risk of having to defend themselves against private suits seeking statutory damages for a period in which the rule is still undergoing judicial review.
Further, the announcement states that “providing additional time may facilitate the industry’s compliance with the rule if the court upholds it. And a time-limited postponement to maintain the regulatory status quo while judicial review is completed will not pose any undue harm to the public interest.”
For these reasons, the FCC found that “justice requires postponement of the effective date of the rule” and therefore postponed the effective date for the revised 47 CFR § 64.1200(f)(9) of the Commission’s rules by 12 months, to January 26, 2026, or until, following a decision from the Eleventh Circuit, the Commission issues a Public Notice specifying a sooner date, in which case that sooner date would apply.
Should the Eleventh Circuit uphold the rule (or portions of the rule), the Commission will issue a Public Notice not more than 15 business days from the date on which the court issues its decision, announcing an effective date that is not more than 90 days from the date on which the judicial mandate issues following the court’s decision.
Accordingly, it has been ordered that pursuant to the authority contained in sections 1-4 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151-154, section 10(d) of the Administrative Procedure Act, 5 U.S.C. § 705, and sections 0.141 and 0.361 of the Commission’s rules, 47 CFR §§ 0.141, 0.361, the effective date for the revised 47 CFR § 64.1200(f)(9) is postponed to January 26, 2026 or until the date specified in a Public Notice published in the Federal Register following a decision from the court on the petition filed by the IMC, whichever is sooner.
Eleventh Circuit Subsequently Vacated TCPA One-to-One Consent Rule
The foregoing FCC Consumer and Government Affairs Bureau order clearly stated that the postponement was based upon the pending U.S. Court of Appeals for the Eleventh Circuit matter. Immediately following the GAB issuing its order, the Eleventh Circuit vacated the portion of the December 2023 TCPA order that announced the TCPA one-to-one consent rule and remanded the matter to the FCC for further proceedings.
In short, the Eleventh Circuit was tasked with considering a challenge by the Insurance Marketing Coalition relating to the legality of the one-to-one consent rule. Specifically, the December 2023 FCC order that amended the definition of “prior express written consent” by requiring a consent agreement to be specific to “no more than one identified seller” and be “logically and topically associated with the interaction that prompted the consent.”
In a unanimous decision by judges that were all appointed by President Trump, it was held that the FCC exceeded its statutory authority under the TCPA because the 2023 Order’s new consent restrictions impermissibly conflict with the ordinary statutory meaning of prior express consent. Importantly, the court opined that the TCPA does not define prior express consent and that common law principles should be considered with analyzing the phrase.
With respect to the one-to-one consent requirement, the court held “our cases show that to give prior express consent to receive a robocall, one need only “clearly and unmistakably” state, before receiving the robocall, that the consumer is willing to receive the robocall. “One-to-one consent is not required.” The court held that, “[b]ecause the one-to-one-consent restriction attempts to alter what we have said is the ordinary common law meaning of ‘prior express consent,’ the restriction falls outside the scope of the FCC’s statutory authority to implement the TCPA.”
Additionally, the court held that the FCC’s own brief provides even more support for the court’s conclusion because it concedes that a consumer could give “prior express consent” to numerous intermediaries under the TCPA where its 2023 Order states otherwise.
The court then turned its attention to the “logically and topically related” issue. In doing so, the court held that the FCC exceeded its authority under the TCPA. “[W]hether a consumer can be presumed to consent to robocalls in a particular situation says nothing about whether a consumer has in fact consented to robocalls in that situation. As long as the consumer clearly and unmistakably states, before receiving the robocall, that he is willing to receive the robocall, he has given prior express consent under the TCPA.”
It is anticipated that the FCC will address the Eleventh Circuit ruling, shortly.
FCC Postpones Effective Date of One-to-One Consent Rule
On January 24, 2025, the FCC announced that it has postponed the effective date of the one-to-one consent rule. “By this Order, we postpone the effective date for revisions to section 64.1200(f)(9) of the Commission’s rules, 47 CFR § 64.1200(f)(9), by 12 months, to January 26, 2026, or until the date specified in a Public Notice following a decision from the court reviewing a challenge to the new rule on the petition filed by the Insurance Marketing Coalition (IMC), whichever is sooner.”
The announcement also states, in pertinent part, that “we find that justice requires postponement of the effective date pending judicial review of the adopted rule.”
As stated by the Acting Chief, Consumer and Governmental Affairs Bureau, “[t]he previous requirements for prior express written consent in 47 CFR § 64.1200(f)(9) under the Telephone Consumer Protection Act (TCPA) will meanwhile remain in effect. We will provide notice of the new effective date, if any, through publication of a Public Notice in the Federal Register.”
The Second Text Blocking Report and Order revised section 64.1200(f)(9) of the Commission’s rules.
Second Text Blocking Report and Order, 38 FCC Rcd at 12258-69, paras. 30-53. The Second Text Blocking Report and Order adopted several additional provisions, that are not postponed. Specifically, the FCC required terminating mobile wireless providers to block text messages from a particular number following notification from the Commission unless their investigation determines that the identified text messages are not illegal; the Commission codified that the National DNC Registry’s protections apply to text messages; and the Commission encouraged providers to make email-to-text a service that consumers proactively opt into.
The Federal Communications Commission published the revised 47 CFR § 64.1200(f)(9) in the Federal Register on January 26, 2024 (Targeting and Eliminating Unlawful Text Messages, Implementation of the Telephone Consumer Protection Act of 1991, Advanced Methods To Target and Eliminate Unlawful Robocalls, 89 Fed. Reg. 5098 (Jan. 26, 2024)), with an effective date of January 27, 2025 (Effective Date for One-To-One Consent Rule Set for January 27, 2025, CG Docket Nos. 02-278, 21-402, 17-59, Public Notice, DA 24-1154 (CGB Nov. 19, 2024)).
IMC filed a petition for review of the revised section 64.1200(f)(9) in the Second Text Blocking Report and Order in the Eleventh Circuit on January 26, 2024 (Insurance Marketing Coalition v. FCC, No. 24-10277 (11th Cir.), filed Jan. 26, 2024. IMC also petitioned the Commission for stay of this revision pending judicial review. Insurance Marketing Coalition, Ltd, Petition for Partial Stay Pending Judicial Review, CG Docket Nos. 02-278, 21-402, 17-59 (Mar. 21, 2024) (IMC Petition for Stay). The Commission did not act on that petition. IMC subsequently filed a petition in the Eleventh Circuit for a judicial stay, which the Commission opposed and the court denied. See Insurance Marketing Coalition, Ltd. v. FCC, No. 24-10277 (11th Cir. May 30, 2024) (denying stay)).
The court heard oral arguments on December 18, 2024, and its review in this matter remains pending.
“We find that justice requires postponing the effective date of the new rule pending judicial review. We take this action sua sponte under section 705 of Title 5, which provides: “When an agency finds that justice so requires, it may postpone the effective date of action taken by it, pending judicial review.”
Several commenters expressed serious concerns about their ability to comply with the revised prior express consent rule by January 27, 2025.
Since the adoption of the Second Text Blocking Report and Order, several submissions have asked the Commission to revise or postpone the rule and have made a clear showing of the rule’s compliance burden. See, e.g., Letter from attorney for LendingTree to Secretary, FCC (Dec. 6, 2024) (requesting a revision to the new rule to permit “curated comparison shopping”); Letter from attorney for IMC to Secretary, FCC (Dec. 3, 2024) (stating that there would be adverse consequences from the Commission’s “one-to-one” and “logically and topically associated” consent requirements on small businesses); Letter from attorney for REACH to Secretary, FCC (Oct. 21, 2024) (requesting that the Commission change the phrase “one identified seller” to “one identified seller, entity, or brand” to alleviate many of the unintended consequences stemming from the current language of the one-to-one rule); Letter from attorney for QuinStreet to Secretary, FCC (Sept.13, 2024) (requesting that the Commission adopt LendingTree’s proposal for a narrow exception to the one-to-one consent rule for “curated comparison-shopping platforms”); Letter from attorney for LendingTree to Secretary, FCC (Jul. 12, 2024) (“small businesses will suffer a loss when compared to nationwide, name brand providers”); IMC Petition for Stay at 20 (“Absent a stay, IMC and its members will suffer irreparable harm from the Order, including damage to their business operations, significant compliance costs, and chilling of their speech.”).
The submissions the FCC received from commenters since adopting the Second Text Blocking Report and Order “now persuade us that allowing the rule to take effect on January 27, 2025, likely will cause significant burdens for multiple parties at a time when—following oral argument before the Eleventh Circuit on December 18, 2024—judicial review of the rule is likely nearing completion.”
Given the advanced stage of the pending judicial proceeding, the FCC announced that it is in the interest of justice to provide a limited postponement of the effective date of the rule to avoid imposing new burdens on parties while the court is adjudicating challenges to the rule and to avoid subjecting texters and callers acting in good faith to the risk of having to defend themselves against private suits seeking statutory damages for a period in which the rule is still undergoing judicial review.
Further, the announcement states that “providing additional time may facilitate the industry’s compliance with the rule if the court upholds it. And a time-limited postponement to maintain the regulatory status quo while judicial review is completed will not pose any undue harm to the public interest.”
For these reasons, the FCC found that “justice requires postponement of the effective date of the rule” and therefore postponed the effective date for the revised 47 CFR § 64.1200(f)(9) of the Commission’s rules by 12 months, to January 26, 2026, or until, following a decision from the Eleventh Circuit, the Commission issues a Public Notice specifying a sooner date, in which case that sooner date would apply.
Should the Eleventh Circuit uphold the rule (or portions of the rule), the Commission will issue a Public Notice not more than 15 business days from the date on which the court issues its decision, announcing an effective date that is not more than 90 days from the date on which the judicial mandate issues following the court’s decision.
Accordingly, it has been ordered that pursuant to the authority contained in sections 1-4 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151-154, section 10(d) of the Administrative Procedure Act, 5 U.S.C. § 705, and sections 0.141 and 0.361 of the Commission’s rules, 47 CFR §§ 0.141, 0.361, the effective date for the revised 47 CFR § 64.1200(f)(9) is postponed to January 26, 2026 or until the date specified in a Public Notice published in the Federal Register following a decision from the court on the petition filed by the IMC, whichever is sooner.
FTC Issues Proposed Order Against GoDaddy and Provides Guidance on Security Practices
On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy Inc. and its operating subsidiary GoDaddy.com, LLC, (collectively, “GoDaddy”) for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.
According to the FTC’s complaint, GoDaddy failed to adopt reasonable and appropriate measures to protect certain portions of GoDaddy’s web hosting environment from unauthorized access.
The FTC alleged that GoDaddy’s unreasonable security practices l included failing to: inventory and manage computer assets and security-related software updates (i.e., patches); assess risks to its web hosting environment; adequately log and monitor security-related events in its web hosting environment; implement multi-factor authentication; segment its web hosting environment from less-secure portions of its network; and secure connections to application programming interfaces.
According to the FTC, GoDaddy’s data security failures resulted in several major compromises of its web hosting environment between 2019 and 2022 in which threat actors gained unauthorized access to certain GoDaddy customer websites and data. These incidents exposed consumers visiting the websites to risks, including redirection to malicious websites.
GoDaddy also allegedly misrepresented that it used reasonable and appropriate measures to protect its web hosting environment from unauthorized access and that it adhered to the EU-U.S. and/or Swiss-U.S. Privacy Shield Principles, including the Security Principle, which requires companies to use reasonable and appropriate measures to protect personal information.
The proposed order will: (1) prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with a privacy or security program; (2) require GoDaddy to establish and implement a comprehensive information security program that protects the security, confidentiality and integrity of its web hosting services; and (3) mandate that GoDaddy hire an independent third-party assessor to conduct an initial and biennial review of its information security program.
In the FTC’s guidance in light of the settlement, the agency highlights that customers of web hosting services should ask for information on the security practices employed and breaches experienced by web hosts, review FTC cybersecurity resources for small businesses, and report potential scams or cyberthreats to the FTC.
The EU’s Digital Operational Resilience Act Comes Into Effect
The European Union’s Digital Operational Resilience Act (DORA) came into effect on January 17, 2025. DORA aims to harmonise rules concerning the provision of information and communication technology (ICT) services to regulated financial institutions and ensure they are capable of maintaining their operations through periods of severe disruption.
Quick Hits
The EU Digital Operational Resilience Act (DORA) aims to enhance security and resilience for financial institutions across Europe, protecting them from severe operational disruptions, such as cyberattacks or information and communication technology (ICT) incidents.
DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, credit agencies, crypto-asset service providers, and ICT third-party service providers used within the financial sector.
The European Supervisory Authorities (ESAs) have the authority to impose fines for noncompliance as of January 17, 2025.
DORA applies to financial entities operating within the EU and their critical third-party technology service providers supporting them, including those outside the EU. Under DORA’s mandate, financial market participants are subject to strict and complex requirements for various aspects of ICT risk management. These obligations range from reporting and incident management to resilience testing and third-party risk management.
Key Measures
Financial entities within the scope of DORA must adopt and comply with obligations, including the following:
Developing and maintaining a comprehensive ICT risk management framework capable of classifying, monitoring, preventing, or mitigating ICT-related risks, with regular reviews and internal audits.
Establishing processes for reporting ICT-related or major incidents to the relevant supervisory authorities. National authorities will have to submit registers to ESAs by the end of April 2025.
Developing and regularly reviewing ICT third-party risk management strategy, including mandatory provisions in contracts with ICT service providers and a registry of information documenting all existing contractual arrangements.
Enforcing a digital operational resilience testing program that includes a range of assessments and tools.
Encouraging financial entities to share information and intelligence about known cybersecurity risks.
DORA will apply directly to service providers designated as critical to the sector. It is not anticipated that essential ICT third-party service providers will be designated under DORA before the third quarter of 2025. Nonetheless, any service provider that fulfils the requirements for a critical third-party service provider level 2 may want to evaluate its operational processes in accordance with DORA specifications.
DORA is not directly applicable in the United Kingdom; however, the provisions will apply to UK organisations that have operations or interactions within the EU. In the UK, on January 1, 2025, the Policy Statement 16/24 issued jointly by the Financial Conduct Authority and the Prudential Regulation Authority, “Operational resilience: Critical third parties to the UK financial sector,” took effect, implementing similar resilience requirements for critical third parties operating within the UK.
Safeguarding CRE Companies: Navigating Risks in Revenue Management Software Agreements
In the wake of the DOJ’s pending antitrust lawsuits, CRE companies should include several protections in their vendor agreements that involve the use of revenue management software. This article provides tips to mitigate risks and avoid potential legal violations.
In today’s rapidly evolving commercial real estate market, it is crucial that CRE companies include protective provisions in their agreements with vendors that utilize revenue management software (RMS). Legal actions, including a U.S. Department of Justice’s (DOJ) antitrust lawsuit against a prominent RMS provider, highlight the potential risks associated with the use of these RMS systems.
The DOJ lawsuit alleges that the provider’s RMS product enabled multifamily landlords “to share their competitively sensitive data … in return for pricing recommendations and decisions that are the result of combining and analyzing competitors’ sensitive data”. The landlords allegedly funneled their sensitive, confidential data into the RMS algorithm, which also uses other CRE companies’ proprietary, non-public data (including occupancy and rental rates), and received rental pricing recommendations for their apartment communities. The DOJ asserts that this practice resulted in increased rents and decreased market competition in rental pricing across the numerous apartment communities owned by CRE companies that use the RMS platform.
The DOJ’s antitrust lawsuit follows a 2022 investigation by ProPublica into the provider’s use of its RMS algorithm in setting rents. That investigation launched a series of lawsuits filed against the provider on behalf of apartment residents in several cities seeking class-action status. In 2023, the-then District of Columbia Attorney General filed a lawsuit against the provider and fourteen of the largest apartment landlords operating in DC. That suit accused the defendants of “colluding to illegally raise rents for tens of thousands of DC residents by collectively delegating price-setting authority to [the RMS provider], which used a centralized pricing algorithm to inflate prices, costing renters millions of dollars”.
While the provider has denied that its RMS “facilitates collusion” and has stated that it “is willing to make changes to its system to ease antitrust concerns”, CRE companies that continue to use these types of RMS risk facing similar claims by residents, the DOJ and other public agencies. According to a recent Washington Post article, in the past week, the DOJ “expanded its suit to sue six large landlords, which it says operate in 43 states and D.C.”
Here are some protective provisions that CRE owners and managers should consider including in their contracts with vendors that use RMS products similar to those that are the subject of the DOJ lawsuit:
Compliance with Laws: Have the vendor agree that in using the RMS and providing pricing recommendations, it will do so in compliance with all current and future laws. This should include court orders issued in any pending or future litigation involving any RMS.
Confidentiality: Require the vendor to keep strictly confidential all non-public information and data about the CRE company and its operations. This includes information about the CRE company’s rental rates and methods for pricing rents. The point is to have the vendor agree to not share or use any of the CRE company’s data with any competitor, including through the implementation of its RMS algorithm.
Non-Use of Confidential Information: Forbid the vendor from using any confidential or nonpublic information or data from any other CRE company in using the RMS (or implementing its algorithm) other than the information and data the vendor obtains from the CRE company that is a party to the agreement.
No Collusion: Prohibit the vendor from colluding or collaborating with the CRE company or any other CRE business in its use, application or operation of the RMS in any manner (including in setting or raising rents) that might give rise to a claim of price-fixing or other violation of any antitrust or other laws.
Documentation: Require the vendor to maintain a record documenting each action and decision concerning rental and other pricing determinations for the properties covered by the agreement, including how the RMS and its algorithm is utilized and the source of information used for each action and decision.
Antitrust Policy: Have the vendor represent in the agreement that it maintains and updates an antitrust policy and compliance program to ensure its adherence with all laws, including in the use of the RMS. The vendor should also have a continuing obligation to modify the RMS and how it is used at the CRE company’s properties to avoid any violation of antitrust or other laws.
Indemnification: The vendor should broadly indemnify the CRE company against all losses and claims resulting from the use of the RMS or otherwise from the agreement, including the vendor’s breach of the agreement or the failure of its RMS to comply with antitrust or other laws.
Vendors may push back on requests for many of these provisions. However, given the current litigious environment involving RMS systems, CRE companies may have increasing leverage in their contract negotiations to insist that vendors accept them. The RMS provider that is the subject of the DOJ lawsuit publicly acknowledged that its customers “are starting to worry about the legal threats”, which is a signal that RMS vendors may be more accommodating in negotiating their agreements in order to retain their existing customers and attract new ones.
These practical tips are intended to protect CRE companies from being inadvertently caught up in the current antitrust scrutiny involving RMS systems. Antitrust claims based on information sharing are easier to allege than prove. Proof requires specific economic analysis of the specific practice and its impact on the market, which is often difficult to determine when initially entering into seemingly benign agreements. Once entangled in an antitrust case, however, a CRE company faces significant costs and disruption of its business, regardless of the ultimate outcome of the case.
The lawsuits against the RMS provider (and now the landlords that are using the RMS) underscore the importance of safeguarding the interests of CRE companies. By ensuring that contracts with vendors using RMS include provisions that protect against potential antitrust and other legal violations, CRE companies can mitigate risks and avoid becoming embroiled in this type of lengthy and expensive litigation.
RAISING HELL’TH!: SelectQuote Hit With Two More Complaints
Hey, TCPAWorld!
SelectQuote seems to be on fire lately on TCPAWorld—it seems like I just blogged about them. See ONE AFTER ANOTHER!: SelectQuote Hit With Yet Another TCPA Complaint – TCPAWorld; ATTACKED FROM EVERY ANGLE!: SelectQuote is Hit with Three Complaints in One Day – TCPAWorld.
Nevertheless, SelectQuote was hit with not one, but another TWO class action complaints, both of which bring DNCR claims and were filed by a familiar face—Anthony Paronich.
Friel v. SelectQuote
Filed in the Middle District of Pennsylvania, Friel v. SelectQuote Insurance Services Inc., No. 3:25-cv-00153 (M.D. Pa. Jan. 23, 2025), alleges that Plaintiff Friel was called multiple times despite his number being listed on the DNCR. Specifically, Friel claims that SelectQuote called him on at least October 16, 17 (5 calls), 18, 19, 21, 22 (3 calls), and 23 of 2024—a total of at least twelve calls. On October 23, 2024, Friel claims to have spoken specifically with Melissa from SelectQuote who offered these services. Each of these calls supposedly came from the same (641) number and offered him Medicare supplemental insurance from SelectQuote.
Based on these allegations, Friel charges SelectQuote with violating the DNCR provisions of the the TCPA—47 U.S.C. § 227(c)(5) and 47 C.F.R. § 64.1200(c). He seeks to represent the following class:
National Do Not Call Registry Class: All persons within the United States: (1) whose residential telephone numbers were on the National Do Not Call Registry for at least 31 days; (2) but who received more than one telephone solicitation call from Defendant or a third party acting on Defendant’s behalf; (3) within a 12-month period; (4) within the four years prior to the filing of the Complaint.
Compl. at ¶ 28.
Remijio v. SelectQuote
In Remijio v. SelectQuote Insurance Services Inc., No. 2:25-cv-00311 (E.D. Cal. Jan. 23, 2025), Plaintiff Remijio also claims that his number was listed on the DNCR and that he never consented to receive calls, didn’t request information, and indeed wasn’t interested in services from SelectQuote. Regardless, Remijio claims to have received an unspecified number of calls from SelectQuote, as a result of SelectQuote trying to reach someone named Christopher Dominguez—a person Remijio does not know. He claims that these calls were made to advertise and market SelectQuote’s business or services.
Like Friel, Ramirez claims that SelectQuote violated the DNCR provisions, since his number was listed on the registry. He seeks to represent the following class:
National DNC Class: All persons in the United States whose (1) telephone numbers were on the National Do Not Call Registry for at least 31, days, (2) but who received more than one telemarketing call from or on behalf of Defendant promoting SelectQuote Insurance Services’ goods or services, (3) within a 12-month period (4) at any time in the period that begins four years before the date of filing this Complaint to trial.
Compl. at ¶ 24.
These complaints present a clear takeaway: be mindful of the DNCR! I hope SelectQuote is prepared for the new FCC one-to-one consent rule.
What in the [Meta]World?: Abitron Creates More Questions than Answers
At a glance, a unanimous Supreme Court, holding that two provisions of the trademark-governing Lanham Act (15 U.S.C. §§ 1114(1)(a) and 1125(a)(1)) do not apply extraterritorially and extend only to alleged infringement in domestic commerce, does not appear groundbreaking. Nor does it appear to have any effect on the metaverse. Yet, the two worlds do collide, and the courts and legislature will need to consider extra-tangible applications more frequently at a time in history when virtual reality is just a couple clicks away.
Numerous Supreme Court decisions have reached the same conclusion as Abitron Austria GmbH et al v. Hetronic International, stressing the importance of the “presumption against extraterritoriality,” and reasoning that the laws of the United States should not reach too far abroad. Similarly, preceding decisions have used the same two-step framework applied in this case to evaluate the extraterritorial reach of a statute and to determine if the case merits any redress, asking first (1) whether the statute at issue clearly and affirmatively rebuts the presumption against extraterritoriality; and if not, (2) asking whether the case involves a domestic application of the statute. If step two uncovers a domestic infringement of rights covered by the disputed statute, then there is potential that the alleged harm may be remedied.
Nine justices concluding that the Lanham Act does not reach extraterritorially, and treading a well-worn path to get there, should provide a rather ho-hum decision, right?
Not quite.
Context: Facts of the Case
Hetronic International, Inc., a U.S. company, contracted with six foreign parties (Abitron Austria GmbH, et al.) to distribute Hetronic’s products, mostly in Europe. The relationship deteriorated when Abitron decided that it, not Hetronic, owned the rights to Hetronic’s trademarks and other intellectual property. Abitron began manufacturing products identical to Hetronic and selling those products under the Hetronic brand. Hetronic terminated the contractual relationship, but Abitron continued to manufacture and sell the lookalike products. Hetronic sued in federal district court under the Lanham Act and won approximately $96 million and a worldwide injunction. On appeal, the trial court’s decision was affirmed.
Abitron turned to the Supreme Court in hopes of a different result, and presented the question: does the Lanham Act permit the owner of a U.S.-registered trademark to recover damages for the use of that trademark when the infringement occurred outside the United States and is not likely to cause confusion in the United States?
A Split Unanimity
Justice Alito’s majority opinion was the majority by a margin of just one justice, teaming up with Justices Kavanaugh, Gorsuch, Thomas, and Jackson. Chief Justice Roberts and Justices Kagan and Barret joined Justice Sotomayor’s concurrence in the result. So, the “unanimity” factor here appears more strained than a typical 9-0 result. While the two sides reached the same conclusion, the paths taken to get there vigorously differed.
Both sides agreed at step one of the extraterritoriality two-step: the Lanham Act does not clearly and affirmatively rebut the presumption against extraterritoriality, therefore, it should not apply abroad.
At step two, however, the iceberg split. Justice Alito’s slight majority understood step two to focus solely on whether infringing “conduct” had occurred in domestic commerce within the United States. The slim majority subscribed to a conduct-based approach at step two because, when a claim involves “both domestic and foreign activity, the question is whether ‘the conduct relevant to the statute’s focus occurred in the United States.’”
In other words, after determining a statute’s focus, Alito argued that courts should determine whether actual activity relevant to the statute’s focus occurred within the defined bounds of United States territory. If the activity occurred outside the United States, courts could end their analysis; at that point, the case could be presumed extraterritorial and out of reach of the statute(s) governing the lawsuit.
Again, in the majority’s understanding, location of conduct, and not the location of the resulting confusion or lost profits, dictates whether any claims should be classified as extraterritorial or domestic.
The majority reasoned that the relevant conduct alleged in Abitron, under the trademark-focused Lanham Act, was infringing use of a trademark in commerce. Whether that conduct fell within or outside of the bounds of the United States would be a question returned to the lower courts to unravel based on the conduct-focused understanding of the extraterritoriality two-step. Because the Abitron proceedings in the lower courts were not in accord with the majority’s interpretation of extraterritoriality, they were vacated; and while the majority did not definitively describe when an infringing use in commerce of a trademark occurs in a U.S. territory, it remanded the case for the lower courts to figure it out.
While in agreement with the result, Justice Sotomayor’s concurrence argued that step two actually requires more than an analysis of mere conduct in the United States, which she believed too narrow a divining rod. Rather, it was the concurrence’s impression that step two should be based on a contextual likelihood of confusion test to determine whether activities, either at home or abroad, could induce consumer confusion in the United States.
In contrast to the majority’s conduct-based approach, Justice Sotomayor provided a focus-based approach: which interests were Congress’s focus when it enacted a statute, which parties did it intend to protect, and where were those parties and interests located? Instead of focusing on just the relevant conduct, the minority concurrence would have a court consider whether, under the Lanham Act, the alleged infringement created a likelihood of consumer confusion in the United States, regardless of where that alleged infringement occurred.
Justice Sotomayor’s minority accused Justice Alito’s conduct-based approach of adding a third step to the two-step framework which “frustrates” Congress’s goal to legislate with predictability, especially in the case of protecting U.S. trademark owners and consumers. Justice Sotomayor believed Justice Alito completely ignored the accepted second step—looking to the statute’s focus, regardless of whether its focus goes to or beyond conduct—and conjured up an unprecedented assessment of whether conduct, and solely conduct, relevant to the statute’s focus, occurred domestically. To Justice Sotomayor, this “novel approach” contradicted years of Supreme Court jurisprudence because the Court “has expressly recognized that a statute’s ‘focus’ can be ‘conduct,’ ‘parties,’ or ‘interests’ that Congress sought to protect and regulate.”
To majority’s main gripe with Justice Sotomayor’s concurrence was how broadly she would interpret the second step of the extraterritoriality framework. “Use in commerce,” Justice Alito wrote, “provides the dividing line between foreign and domestic applications of [the Lanham Act],” and shifting the relevant inquiry, as Justice Sotomayor would, to a “focus-only standard . . . that any claim involving a likelihood of consumer confusion in the United States would be a ‘domestic’ application of the Act . . . . is wrong.” The majority felt that the minority’s approach resisted a straightforward application of precedential extraterritoriality framework and would “create headaches for lower courts.”
Interestingly, although part of the majority, Justice Jackson wrote her own concurring opinion that spun “conduct” and “use in commerce” in a more expansive way than perhaps either Justices Alito or Sotomayor considered. To Justice Jackson, even though she ascribed to the majority’s conduct-focused approach, “a ‘use in commerce’,” read “conduct,” “does not cease at the place the mark is first affixed, or where the item to which it is affixed is first sold. Rather, it can occur wherever the mark serves its source-identifying function.” Citing Jack Daniel’s Properties, Inc. v. VIP Products LLC, another trademark case, Justice Jackson explained that a trademark is a trademark under the Lanham Act when it serves as a source identifier, distinguishing goods from those manufactured and sold by competitors. She emphasized that the Lanham Act defines commerce as “the bona fide use,” again, “conduct,” “of a mark in the ordinary course of trade,” which, to her, could occur “wherever the mark serves its source-identifying function”—whether that is in its country of origin, or elsewhere, even many times removed from the first sale. “If a marked good is in domestic commerce, and the mark is serving a source-identifying function in the way Congress described,” the trademark receives protection under the Lanham Act. Conversely, “if the mark is not serving that function in domestic commerce, then the conduct Congress cared about is not occurring domestically.” This understanding of conduct, particularly related to trademarks, appears to combine the Justice Alito approach (domestic conduct only) and the Justice Sotomayor approach (infringing conduct, activity, focus, or interests originating outside the United States can still have domestic implications).
Enter: The Metaverse
In a world where reality transcends tangible commerce that moves from point A to B on boats, trains, and airplanes, the question presented in future extraterritoriality cases, trademark-related or not, is going to be forced to consider where conduct takes place—both in- and outside of tangible reality.
This burgeoning understanding of extraterritoriality received hints in Abitron: both Justices Sotomayor and Jackson exhibited concern about how Abitron might affect internet commerce, and each dedicated a footnote to thinking about the online use of trademarks. Justice Jackson suggested that use “in commerce,” “in the internet age,” may very well include “a mark serving its critical source-identifying function in domestic commerce even absent the domestic physical presence of the items whose source it identifies.” Justice Sotomayor referenced “today’s increasingly global marketplace, where goods travel through different countries, [and] multinational brands have an online presence,” to argue that the majority’s conduct-only approach limits the Lanham Act to “purely domestic activities,” which results in “trademarks [that] are not protected uniformly around the world, . . . leav[ing] U. S. trademark owners without adequate protection.”
While the casual observer would do well to appreciate gestures toward the internet in any Supreme Court decision, technology has already leapt far beyond online storefronts. In a world of ChatGPT and MetaBirkins, the general “internet” is only the beginning. Source-identifying trademarks may appear far deeper in the wrinkles of cyberspace.
The metaverse, being neither foreign nor domestic, provides unique problems for a piece of legislation, like the Lanham Act, originally written generations before the concept of dial-up. Yes, a user might access the internet from the United States, but once that user hops into the metaverse, there are not necessarily any helpful geographical moorings that a court can easily define as foreign or domestic because there is no real “conduct” occurring—in the metaverse, avatars run by algorithms and code do the interacting, and while they are doing, does a statute yet exist that covers virtual doings in a virtual world? Should a statute cover such dealings? Should an extraterritoriality statute do the heavy lifting here? If one applies the majority approach, where does conduct occur in a metaverse scenario? Maybe only virtual reality users accessing virtual reality in a United States territory will be on the hook. In the minority application, maybe those outside U.S. territories can still be prosecuted if their actions affect virtual reality users accessing virtual reality inside a U.S. territory.
Location, however, provides only the starting point for a metaverse inquiry. As mentioned above, what exactly constitutes “conduct” when one takes part in business as a virtual avatar? Is intangible activity also “conduct” as recognized by the Lanham Act or other statutes? Furthermore, the fact that Abitron included three different interpretations of what could constitute foreign trademark use adds another wrinkle to the metaverse inquiry because the Court has yet to nail down a meaning in the real world. Which interpretation would be most useful going forward? Does Justice Jackson’s incredibly broad definition of “use in commerce” scratch the metaverse itch that commerce within virtual reality presents? Does Justice Alito’s conduct-focused approach transcend the tangible world—and how would/should he, and we, define extraterritoriality in a place that operates on servers where the physical location isn’t germane to anything? Would Justice Sotomayor’s consumer confusion test be the most workable solution for a world where reality can be more virtual than ever before, linking a visitor in the metaverse to a geographical location?
Abitron, albeit based on tangible goods traded across real borders, shines an uncomfortably glaring light on how slowly American jurisprudence plods along in relation to lightning-quick tech updates. The questions above are what make Abitron so intriguing, however, and will have to remain unanswered for a little while longer.
SEC Withdraws Crypto Accounting Bulletin
With little fanfare, on January 23, 2025, the US Securities and Exchange Commission (SEC) withdrew controversial Staff Accounting Bulletin 121 regarding custody of digital assets. In its place, new Staff Accounting Bulletin 122 directs registrants to Accounting Standards Codification 450-20, Loss Contingencies and International Accounting Standard 37, Provisions, Contingent Liabilities and Contingent Assets.
SAB 121 proved highly controversial, and during the last Congress both the House and Senate voted to repeal it under the Congressional Review Act. President Biden vetoed that repeal.
SAB 122 instructs SEC registrants to “continue to consider existing requirements to provide disclosures that allow investors to understand an entity’s obligation to safeguard crypto-assets held for others,” and points to other accounting literature that may be instructive. The issuance of SAB 122 and withdrawal of SAB 121 comes just days after the SEC announced a new “Crypto 2.0” initiative on its approach to digital assets.
Massachusetts Aligns with National Trends and Enacts Sweeping Legislation to Regulate Pharmaceutical Benefit Managers
On the heels of a nationwide push to regulate pharmacy benefit managers (PBMs), Massachusetts enacted a landmark piece of legislation to increase transparency and oversight within the pharmaceutical supply chain, specifically targeting PBMs. Signed into law by Governor Healey on January 9, 2025, the comprehensive bill, titled “An Act Relative to Pharmaceutical Access, Costs and Transparency” (the Act), introduces a multifaceted approach that aims to reduce prescription drug costs, enhance data transparency, and impose stronger oversight of PBMs and pharmaceutical manufacturers.
Key Provisions of the Act
Patient Cost Sharing Limitations: The Act mandates that certain health plans, including those offered by MassHealth, offer limited or no cost-sharing for specific generic and brand-name drugs for chronic illnesses, such as diabetes or asthma. Specifically, health insurers must: (i) cover one generic medication for diabetes, asthma, and certain heart conditions with no cost-sharing requirements by patients (eliminating copays and deductibles), and (ii) cap copays for one brand-name medication per condition at $25 per 30-day supply. The Commissioner of Insurance may change the selection of drugs subject to this law, not more than annually. This requirement will go into effect on July 1, 2025.
PBM Licensing and Regulation: The Act established a licensing regime for PBMs and requires all PBMs to obtain a license from the Division of Insurance. The Division of Insurance is tasked with establishing the PBM licensing program by October 1, 2025, and PBMS are required to be licensed as of January 1, 2026. This oversight will enable the state to monitor PBM activities, ensure financial stability, and regulate the growing PBM market.
In addition, the Act takes aim at conflicts of interest within the PBM industry. The Act requires PBMs to disclose to its health plan clients any activity, policy, practice contract, or arrangement that directly or indirectly presents any conflict of interest in regard to the PBM’s relationship with, or obligations to, its client. The Act also specifically prohibits certain payments from PBMs to consultants and brokers whose services were obtained by a health benefit sponsor to work on the pharmacy benefit bidding or contracting process if the payment constitutes a conflict of interest. Interestingly, the Act does not explicitly define what constitutes a conflict of interest. Instead, it states that the determination of whether a payment constitutes a conflict of interest will be determined by the Commissioner of Insurance and instructs the Division of Insurance to adopt written policies and procedures or promulgate regulations to implement this requirement.
Transparency and Data Reporting: The Act requires PBMs and pharmaceutical manufacturers to submit detailed cost and pricing data to the Center for Health Information and Analysis (CHIA), including information on rebates, administrative fees, patient cost-share, and formulary decisions. This data will inform CHIA’s annual health care cost trends reports, which analyze key drivers of healthcare costs in the state. The Act also requires both PBMs and pharmaceutical manufacturers to participate in the Health Policy Commission (HPC)’s Cost Trends Hearings, by providing testimony on pricing practices, rebates, and access issues. The Act further establishes a new Office for Pharmaceutical Policy and Analysis within the HPC to monitor pharmaceutical trends using the information gathered through the hearings and reports to evaluate spending trends and recommend strategies to improve affordability.
Funding and Broader Oversight: To fund CHIA’s and HPC’s expanded oversight and monitoring activities, starting in Fiscal Year 2026, the Act introduces financial assessments for PBMs and pharmaceutical manufacturers. The assessment amount will be between 5% and 10% of HPC and CHIA’s operating budgets, based on the entities’ market share within Massachusetts, ensuring the contribution is commensurate with their business in the state. Additional provisions adjust assessments for hospitals and non-hospital providers, requiring their contributions to fund health policy initiatives. For more details on the financial assessments imposed on PBMs and other entities, such as hospitals and non-hospital providers, see our analysis of the recently enacted “An Act Enhancing the Health Care Market Review Process.”
Key Takeaways
This comprehensive legislation positions Massachusetts alongside other states that have taken steps to regulate PBMs. However, the full scope and impact of this legislation will not be fully understood until the Division of Insurance promulgates the necessary regulations and establishes specific requirements for PBM licensing and operations. In addition, the efficacy of any regulations is unknown at this point, given that the successful implementation of the law will depend heavily on effective collaboration between the state agencies, PBMs, and health insurers. The Act’s aims require ongoing monitoring, evaluation, and potential adjustments based on the data collected and the observed impact on drug costs, patient access and the overall healthcare system. What is clear though, is that PBMs will face heightened scrutiny from regulators, requiring them to adapt to the new regulatory regime in the Commonwealth of Massachusetts.
President Trump’s Executive Order Steering Digital Assets Policy
As promised during his campaign, President Trump has taken significant steps to support the digital asset industry during his first week in office. On 23 January 2025, he signed an executive order initiating digital asset regulatory rollbacks and a new federal framework governing cryptocurrencies, stablecoins, and other digital assets (the Order).
On the same day, the Securities and Exchange Commission (SEC) rescinded the controversial Staff Accounting Bulletin 121, which required crypto custodians and banks to reflect digital assets in their custody as both an asset and a liability on their balance sheets. Earlier in the week, the SEC established Crypto 2.0, a crypto task force designed to provide paths for registration and reasonable disclosure frameworks, and to allocate enforcement resources “judiciously.”
The Order recognizes the role the digital asset industry serves in our economy and aims to support the responsible growth and use of digital assets by promoting dollar-backed stablecoins and providing regulatory clarity. The Order lays the groundwork for a regulatory shift furthering digital assets policy, focusing on the creation of “technology-neutral regulations” tailored to digital assets.
In addition to prohibiting agencies from facilitating any central bank digital currencies, the Order establishes a working group comprised of the heads of various agencies (the Working Group) and sets three deadlines:
22 February 2025: Federal agencies must report to the Special Advisor for AI and Crypto with the regulations or other agency guidance that affect the digital asset sector.
24 March 2025: Federal agencies must submit recommendations on whether to rescind or modify these regulations and guidance.
22 July 2025: The Working Group must submit a report to the President on regulatory and legislative proposals to advance digital assets policy. This report must include a proposed Federal framework for the issuance and operation of digital assets, including stablecoins, and evaluate whether establishing a national digital assets stockpile is possible.
Classification of App-Based Couriers as Employees in Mexico
App-based couriers in Mexico are now classified as employees under an amendment to the Federal Labor Law published on December 24, 2024, in the Official Gazette of the Federation (Diario Oficial de la Federación). The reform introduces a new regulatory system that protects couriers and the industries involved in digital platforms and aims to provide them with legal certainty.
Quick Hits
A new Mexican law states that app-based couriers that meet certain requirements established under this law will be considered employees of digital platforms when they provide their services through the apps.
The law also provides that only workers who generate at least a daily minimum wage per month will be entitled to social security and benefits.
Digital platforms acting as employers must determine in writing the working conditions and must meet the general requirements that the Federal Labor Law establishes for an individual employment agreement.
The amendment defines “digital platform work” as “the subordinate employment relationship for the performance of remunerated activities that require the physical presence of the employee for the provision of the service, and which are managed by an individual or legal entity in favor of third parties through a digital platform.”
Requirements for App-Based Couriers to Be Considered Employees
The amendment provides that all couriers will be considered employees of digital platforms when they provide their services through the apps, but only those who generate at least a daily minimum wage per month will be entitled to social security and benefits.
Couriers who do not meet the minimum wage per month will be considered independent workers and will only be entitled to insurance or protection against personal accidents regardless of the income generated.
The secretary of labor and social welfare will be in charge of publishing the general provisions that will define the calculation of net income to determine an employee’s category and benefits.
Employment Agreements and Employer Policies
The amendment states that the digital platform, which can be understood as the employer, must determine in writing (execute a contract) the working conditions and must meet the general requirements that the Federal Labor Law establishes for an individual employment agreement (e.g., the name of the employee, CURP number, RFC number, employee’s nationality, the services to be rendered, and work shifts).
Employers may also execute policies to describe processes and how services are rendered to third parties, among other things.
The reform provides that the salary for employees may be stipulated by the trips provided, by actual delivery, by unit of work, or any other method agreed upon by the parties. Whenever a wage is considered, compensation shall include the proportional weekly rest day, vacations, vacation premium, Christmas bonus, and overtime.
Employees on the platform will determine their own work shifts and will have complete freedom to determine their own shifts without fixed schedules. Employees will also be able to connect and disconnect at their own discretion when required.
The Official Gazette of the Federation grants a 180-day period, as of the publication date, to comply with all the obligations stated in the amendment.
UK Government Publishes Consultation on Proposals to Reduce the Threat of Ransomware Attacks
On January 14, 2025, the UK government opened a consultation seeking views on three proposals aimed at reducing the threat of ransomware attacks. The government intends to introduce legislation to counter ransomware attacks focusing on three key proposals:
Proposal 1: A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure, that are regulated, or that have competent authorities. Critical National Infrastructure in the UK is comprised of 13 sectors including chemicals, defense, energy, finance, food, health and water. The UK government believes that breaking the cycle of paying ransomware demands is “essential to disrupting the ransomware business model.”
Proposal 2: A ransomware payment prevention regime that would require any victim of ransomware (that is not subject to the prohibition of payment under Proposal 1) to engage with the authorities and report their intention to make a ransomware payment before paying threat actors. Authorities would provide guidance and support to the victim, including with respect to potential non-payment resolution options. Information provided through reports and/or further engagement could be used to further intelligence supporting operational activity and contributing to major investigations.
Proposal 3: A ransomware incident reporting regime for suspected victims of ransomware, which would apply irrespective of any intention to pay the ransom. Through the consultation process, the UK government is considering whether this obligation should be subject to a threshold.
The consultation closes on April 8, 2025.