CAPITAL ONE SUED: Plaintiffs Allege 17 Separate Causes of Action in New Website Tracking Case
Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025) has raised some serious allegations against Capital One (“Defendant”), accusing the financial giant of secretly intercepting and sharing sensitive personal information through third-party tracking technologies on its website.
According to a group of plaintiffs, led by the somewhat seasoned Vishal Shah (see INVISIBLE DATA, REAL CONSEQUENCES: Navigating the IP Consent Dilemma – CIPAWorld), these trackers “instantaneously and surreptitiously” captured communications between users and the site, sending personal details to companies like Google, Microsoft, Adobe, Facebook, and others. The information allegedly shared included everything from employment and bank account details to credit card application status and browsing activities.
The Plaintiffs claim they never authorized sharing of their personal and financial data with these third or fourth parties for marketing and sales purposes. In the complaint, the Plaintiffs highlight specific privacy concerns, particularly with the targeted advertising section of Capital One’s Privacy Policy. The Policy states:
“We and our third-party providers may collect information about your activities on our Online Services and across different websites, mobile apps, and devices over time for targeted advertising purposes. These providers may then show you ads, including across the internet and mobile apps, and other devices, based in part on the information they have collected or that we have shared with them.”
The Plaintiffs argue that Capital One’s practices go well beyond what they ever agreed to in the company’s Privacy Policy. While the Privacy Policy does include an option to opt out of targeted advertising, this opt-out only applies to the “specific browser or device” used, meaning users may allegedly still be tracked across other platforms.
In total, the Complaint outlines a staggering 17 different causes of action, ranging from constitutional privacy violations to property claims. In response to these allegations, Capital One has filed a motion to dismiss the complaint in its entirety, along with all 17 claims brought forth by the Plaintiffs.
So, buckle in, and let’s go through them.
Threshold Issues
Defendant sought to dismiss the entire Complaint for two overarching reasons: (1) the Complaint’s exhibits conflict with Plaintiffs’ key allegations and (2) Plaintiffs fail to allege that Defendant disclosed Plaintiffs’ personal information and financial information.
Conflict between allegations of unauthorized disclosure and Privacy Policy attached to the Complaint.
Defendant contended that Plaintiffs’ allegations directly conflict with Defendant’s Privacy Policy because Defendant discloses that it releases customer information for third party marketing. However, the Court noted that while the Privacy Policy states that it collects information about a customer’s internet activities, it does not state that it releases that customer’s personal information such as employment information and credit card preapproval or approval status, which Plaintiffs allege is collected and shared. Therefore, the Court found that the Privacy Policy did not directly conflict with Plaintiffs’ allegations.
Defendant also argued that Plaintiffs consented to the disclosure of their personal information, that Defendant provided sufficient opt out instruction, and that the disclosures did not involve fourth parties. The Court found that the issue of consent was a factual question and declined to decide it at the pleadings stage.
Sufficiency of allegations as to disclosure of personal and financial information.
For the second threshold issue, Defendant argued that Plaintiffs failed to allege specific disclosures of their personal and financial information. The Court found that they did. For instance, Plaintiffs alleged that they interacted with Defendant’s website, which they alleged contained third party trackers. They alleged that they put their personal and financial information, including employment information, bank account information, citizenship status, and credit card preapproval or eligibility, into Defendant’s website and then received targeted third- and fourth-party marketing ads. They also alleged that, as a result of using Defendant’s website, their information was transmitted to third party trackers such as Google, Microsoft, and Meta, without their consent. The Court found these factual allegations sufficient to allege the disclosure of Plaintiff’s personal information and denied Defendant’s motion to dismiss as to the second threshold issue.
Plaintiffs’ Negligence Claims.
Defendant first argued that Plaintiffs have not identified a duty owed by Defendant arising under the Gramm-Leach-Bliley Act (“GLBA”) or the Federal Trade Commission (“FTC”) Act, because neither statute provides a private right of action. The Court dismissed this argument as the Defendant conflated negligence and negligence per se, with only the latter being concerned with a statutorily identified duty.
Further, the Court evaluated the California factors for determining whether a valid duty of care exists and found that Plaintiffs did allege such a duty by alleging that they placed trust in Defendant to protect their personal information, which Defendant then disclosed.
Next, the Court turned to the economic loss doctrine, which prohibits recovery of purely pecuniary or commercial losses in tort actions. While Defendant argued that the economic loss rule bars Plaintiffs’ negligence claims, the Court found that Plaintiffs also plead non-economic harms such as lost time and money incurred to mitigate the effect of the use of their information. Accordingly, the Court denied Defendant’s motion to dismiss as to negligence.
Plaintiffs’ Negligence Per Se Claims.
The doctrine of negligence per se creates an evidentiary presumption that affects the standard of care in a cause of action for negligence. Defendant next argued that negligence per se is not a standalone cause of action. The Court agreed and held that because Plaintiffs brought a negligence per se cause of action in addition to a negligence claim, the negligence per se claim was not proper. Accordingly, the Court granted Defendant’s motion to dismiss the negligence per se claim without leave to amend.
Plaintiffs’ Invasion of Privacy Claim under the California Constitution.
To state a claim for invasion of privacy under the California Constitution, plaintiffs must show that they possess a legally protected privacy interest, they maintain a reasonable expectation of privacy, and the intrusion is so serious as to contribute an egregious breach of social norms.
The Court determined that regardless of whether Plaintiffs possessed a legally protected privacy interest or maintained a reasonable expectation of privacy in this case, the alleged disclosure of employment information, bank account information, and preapproval or approval for a credit card does not rise to the level of an “egregious breach of social norms.” The Court granted Defendant’s motion to dismiss as the California constitutional privacy claim without prejudice.
Plaintiffs’ Comprehensive Computer Data Access and Fraud Act (“CDAFA”) and the Unfair Competition Law (“UCL”) Claim.
The CDAFA prohibits certain computer-based conduct such as knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network. The CDAFA provides that only an individual who has suffered damage or loss due to a violation of the statute may bring a civil action. Similarly, the UCL prohibits “unlawful, unfair or fraudulent business act or practice.” To have standing under the UCL, a plaintiff must establish that they suffered an injury in fact and lost money or property as a result of the wrongful conduct.
Here, Plaintiffs stated that they had a property interest in their personal information and that they lost money and property when Defendant disclosed their personal information to third parties. However, the Court determined that Plaintiffs’ personal information does not constitute property. Additionally, Plaintiffs did not plead that they “ever attempted or intended to participate in the market for the information” Defendant allegedly disclosed, or that they derived economic value from that information. Further, the Court held that even an argument that Plaintiffs experienced a diminution of the value of their private and personal information would not confer standing. Accordingly, the Court granted Defendant’s motion to dismiss for lack of standing as to the CDAFA and the UCL without prejudice.
Plaintiffs’ California Consumer Privacy Act (“CCPA”) Claims.
The CCPA imposes a duty on businesses to implement and maintain reasonable security practices to protect consumers’ personal information. While it is generally enforced by the California Attorney General, it also provides a limited private cause of action for any consumer whose personal information is subject to unauthorized access or disclosure as a result of a security breach. Courts, however, have also permitted CCPA claims to survive a motion to dismiss in cases where the plaintiff does not allege a data breach, but instead alleges that the defendants disclosed plaintiff’s personal information without consent by failing to maintain reasonable security practices.
In this case, because Plaintiffs allege that Defendant allowed third parties such as Google and Microsoft to embed trackers on its website and that these trackers transmitted Plaintiffs’ personal information, the Court held that Plaintiffs need not allege a data breach. Accordingly, the Court denied Defendant’s motion to dismiss as to the CCPA claim.
Plaintiffs’ California Customer Records Act (“CRA”) Claims under §§ 1789.81.5 and 1798.82 of the California Civil Code.
The CRA regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information. It requires businesses to “maintain reasonable security procedures and practices appropriate to the nature of the information” and to protect “personal information from unauthorized access, destruction, use, modification, or disclosure.”
The Court first addressed Plaintiffs’ CRA claim under § 1789.81.5. Defendant argued that because it is a financial institution, it is exempt from liability for any violations under this provision. See Cal. Civ. Code § 1798.81(e)(2) (exempting financial institutions from liability under section 1798.81.5). Plaintiffs, however, alleged that Defendant is a business within the meaning of § 1798.81.5(b). The Court sided with Defendant and granted its motion to dismiss without leave to amend as to Plaintiffs’ § 1789.81.5 claims.
The Court next addressed Plaintiffs’ CRA claim under Section 1798.82, which requires a business to disclose a breach of security systems to customers. Plaintiffs allege that the CRA applies because Defendant knew that Plaintiffs’ information was acquired by unauthorized persons and failed to disclose it to Plaintiffs. However, there must be a breach of security to show a CRA claim. See Cal. Civ. Code § 1798.82(a) (stating that a person or business shall “disclose a breach of security of the system following discovery or notification of the breach”). Further, a claim under section 1798.82 is not actionable for the breach itself but instead for the “unreasonably delayed notification,” so Plaintiffs must allege when the breach occurred. Here, the Court held that Plaintiffs not to only failed to allege that there was a breach of security but also failed to allege when Defendant became aware of the alleged breach.
Accordingly, the Court granted Defendant’s motion to dismiss as to the CRA section 1798.82 claim without prejudice.
Plaintiffs’ Breach of Express Contract Claim.
The Court found that Plaintiffs did not state a claim as to the breach of express contract because, while they alleged that they entered a contract with Defendant, they failed to cite to any specific section of the contract that Defendant allegedly violated. Instead, Plaintiffs stated generally that Defendant breached its express contract with Plaintiffs “to protect their nonpublic personal information.” Questioning where in the contract Defendant agreed to protect their nonpublic personal information or when Defendant explicitly promised not to disclose their data, the Court granted Defendant’s Motion to Dismiss as to the breach of express contract without prejudice.
Plaintiffs’ Breach of Implied Contract Claim.
Plaintiffs alleged that they had an implied contract with Defendant that it would keep their personal information confidential. However, once again, Plaintiffs did not state a claim because they failed to expand on the nature of the implied contract. Plaintiffs also fail to differentiate the express contract claim from the implied contract claim – the Court noted that Plaintiffs must elaborate on whether the implied contract involves separate promises from the express contract because Plaintiffs cannot allege both an express contract and an implied contract on the same matter. Accordingly, the Court granted Defendant’s motion to dismiss as to breach of implied contract without prejudice.
Plaintiffs’ Breach of Confidence Claim.
For the same reason as above, the Court held that Plaintiffs do not state a claim as to breach of confidence because they allege the existence of both an express and implied contracts, and the express contract precludes the breach of confidence claim. The Court dismissed the Plaintiffs’ claim without prejudice.
Plaintiffs’ Unjust Enrichment Claim.
The Court acknowledged the “somewhat unclear” nature of unjust enrichment claims in California, but, noting that both the Ninth Circuit and the California Supreme Court have allowed independent claims for unjust enrichment to proceed, allowed Plaintiffs claim to proceed basis the allegations that Defendant benefited from using Plaintiffs’ information and that Plaintiffs’ remedies at law are inadequate.
Plaintiffs’ Bailment Claim.
Bailment is generally defined as the deposit of personal property with another, usually for a particular purpose. The Court held that Plaintiffs have not alleged a deposit of personal property that falls within the scope of bailment because they only allege that they deposited their personal information. The Court cited Worldwide Media, Inc. v. Twitter, Inc., 17-cv-07335-VKD, 2018 WL 5304852 (N.D. Cal. Oct. 24, 2018) and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012), both finding that personal information is not something that can be delivered or taken custody of and later returned. Accordingly, the Court granted Defendant’s motion to dismiss as to bailment with prejudice.
Plaintiffs’ Claim for Declaratory Judgment.
The Court acknowledged Defendant’s contention that the declaratory judgment claim is duplicative of other claims but held that Plaintiffs may still bring it as it is predicated on their negligence claim. Therefore, the Court denied Defendant’s motion to dismiss as to declaratory judgment.
Plaintiffs’ Electronic Communications Privacy Act (“ECPA”) Claim.
The ECPA prohibits unauthorized interception of an electronic communication. To state a claim, a plaintiff must allege that the defendant intentionally intercepted the contents of plaintiff’s electronic communications using a device. The one-party consent exemption provides that it is not unlawful for a person to intercept a wire, oral, or electronic communication when that person is a party to the communication or when a party to the communication has consented to interception, unless the interception is to commit a crime or a tort.
Defendant argued that the “one-party consent exemption” applies because Defendant was a party to the communications. However, because Plaintiffs alleged that Defendant intercepted the contents of the communications for an unauthorized purpose, which resulted in tortious acts, the Court held that the one-party exemption does not apply.
Another reason that the one-party exemption does not apply is because the issue of whether Plaintiffs consented to Defendant’s conduct is at the center of the dispute – and this is a factual determination. Accordingly, the Court denied Defendant’s motion to dismiss as to the ECPA.
Plaintiffs’ CIPA Claims
Plaintiffs allege that Defendant violated both §§ 631 and 632 of CIPA.
Plaintiffs’ § 631 claims.
§ 631(a)(2) applies to anyone who reads, attempts to read, or to learn the contents of a communication while it is in transit and without the consent of all parties to the communication. Defendant argues that Plaintiffs’ claims under § 631 fail because Plaintiffs consented to the data sharing practices in the Privacy Policy, do not allege that any third party read a communication “in transit,” and do not allege that Defendant disclosed “contents” of a communication.
As for the first issue, because this once again involves factual determination of consent, the Court held that Plaintiffs’ allegations were sufficient for the pleadings stage. The Court also held that Plaintiffs plausibly alleged that Defendant intercepted communications while they were in transit by describing how Defendant allegedly installed third-party trackers on its website. Finally, Plaintiffs stated that the communication included personal information, which is a “content” under CIPA. As a result, the Court found that Plaintiffs sufficiently stated a claim as to § 631.
Plaintiffs’ § 632 claims.
§ 632 prohibits intentionally and without consent using an “electronic amplifying or recording device” to eavesdrop upon or record confidential communication. Again, because this issue hinges on whether Plaintiffs consented to Defendant’s disclosure, the Court found that Plaintiffs allegations are sufficient for purposes of a motion to dismiss.
Accordingly, the Court denied Defendant’s motion to dismiss as to the CIPA.
Plaintiffs’ Stored Communications Act Claim.
The Stored Communications Act created a private right of action against anyone who intentionally and without authorization (or in excess of their authorization) accesses a facility through which an electronic communications service is provided. The Stored Communications Act, however, only provides liability for a provider that is a “remote computing services” or “electronic communication services.” Plaintiffs alleged in the complaint that Defendant is an electronic communication service because it “intentionally procures and embeds” Plaintiffs’ personal information through the tracking technology on Defendant’s website. However, the Court held that Defendant is not an electronic communication service because its website does not allow customers to send and receive messages to third parties. The Court compared the situation here to that in In re Betterhelp, Inc., No. 23-cv-01033-RS, 2024 WL 4504527, at *2 (N.D. Cal. Oct. 15, 2024), where the defendant was found to be an electronic communication service because defendant’s customers communicated with third parties through the “conduit” of defendant’s websites. Instead, Plaintiffs here themselves stated that they were unaware of the presence of the trackers, and did not allege that they communicated with the third parties. Therefore, because Defendant’s website does not allow customers to send and receive messages to third parties, the Court held Defendant is not an electronic communication service.
Accordingly, the Court granted Defendant’s motion to dismiss as to the Stored Communications Act with prejudice.
Plaintiffs’ Computer Fraud and Abuse Act (“CFAA”) Claim.
The CFAA makes intentionally accessing a computer without authorization a federal crime. It imposes a civil liability when someone “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” unless the “object of the fraud” is less than $5,000 in any 1-year period. Plaintiffs here did not state a claim as to CFAA because they did not allege with specificity a loss of $5,000. The complaint only states that “secret transmission” of Plaintiffs’ personal information caused them loss, but it does not go into further detail. The alleged loss is therefore speculative, and insufficient for purposes of the CFAA. Accordingly, the Court granted Defendant’s motion to dismiss as to the CFAA claim without prejudice.
Takeaways
My first takeaway – if you got through all that, congratulations on your attention span. Secondly, a recurring theme in the Court’s extensive analysis is its refusal to determine issues of consent at the pleadings stage. This is nothing new or groundbreaking, the issue of consent unquestionably requires a factual investigation and is rarely, if ever, conclusive as grounds for a motion to dismiss.
On the brighter side for Capital One, the Court did agree to dismiss three of the Plaintiffs’ claims with prejudice, meaning the Plaintiffs cannot amend these claims and bring them again. These were Plaintiffs’ claims under negligence per se, bailment, and the Stored Communications Act.
The Court also granted the motion to dismiss as to Plaintiffs’ claims for invasion of privacy under the California Constitution, CDAFA, UCL, breach of express contract, breach of implied contract, breach of confidence, and CFAA, albeit with leave to amend. The California Constitution and CDAFA claims are notable for the Courts findings that the alleged disclosures do not amount to an “egregious breach of social norms”, and that Plaintiffs’ personal information does not constitute property. This fits into a trend of Courts being somewhat hesitant to expand the scope of privacy standing where there is no “tangible” harm. Blake digs into this here: READ ALL ABOUT IT: Reuters Faces Privacy Lawsuit But The Court Finds No Story To Tell – CIPAWorld.
You can read the order here: Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025)
Forget It!: EDPB Announces Focus on Right to Erasure in 2025
Right of erasure (or “right to be forgotten”) has been selected by the European Data Protection Board as its priority enforcement topic for 2025. This work is being done under the “Coordinated Enforcement Framework” or “CEF.” The EDPB created the CEF in 2022 as a way to streamline and coordinate enforcement across EU data protection authorities. Past topics have included the right of access, and the role of data protection officers in organizations.
Data Protection Authorities in the various member states (and seven state-level authorities in Germany) this year will examine how companies are complying with GDPR obligations around erasure requests. The topic was selected, the EDPB indicated, because it is the most common right requested by individuals . . . and also the one about which DPAs often receive complaints.
As they did with the actions for right of access, DPAs will take steps ranging from fact finding to formal investigations. The DPAs will also work together to analyze the results of the initiative, and the EDPB will publish a report at the conclusion of the initiative. This will be similar to the report issued on the 2024 right of access actions (adopted this January).
Putting It Into Practice: The announcement about the right of erasure priority, as well as the release of the right of access report, can serve as a reminder for companies to revisit their process for responding to rights requests.
Listen to this article
Competition Currents | March 2025
United States
A. 1.FTC secures $5.68M HSR gun-jumping penalty from 2021 deal.On Jan. 7, 2025, the FTC, in conjunction with the Department of Justice (DOJ) Antitrust Division, settled allegations that sister companies Verdun Oil Company II LLC and XCL Resources Holdings, LLC exercised unlawful, premature control of EP Energy LLC while acquiring EP in 2021. This alleged “gun-jumping” violation involved Verdun and XCL exercising various consent rights under the merger agreement and coordinating sales and strategic planning with EP during the interim period before closing. In settling, the parties agreed to pay a total civil penalty of $5.68 million, appoint or retain an antitrust compliance officer, provide annual antitrust trainings, use a “clean team” agreement in future transactions involving a competing product, and be subject to compliance reporting for a decade.
Further information about this settlement and the factual background can be found in our January GT Alert. 2.2025 HSR thresholds took effect Feb. 21, 2025. On Jan. 10, 2025, the FTC approved updated jurisdictional thresholds and filing fees for the Hart-Scott-Rodino (HSR) Antitrust Improvements Act of 1976. These revisions are made annually, with the size-of-transaction threshold for reporting proposed mergers and acquisitions under the Clayton Act increasing from $119.5 million to $126.4 million for 2025. These changes took effect on Feb. 21, 2025. The adjustments are based on changes in the gross national product and consumer price index as mandated by the HSR Act and the 2023 Consolidated Appropriations Act. 3.FTC releases staff report on AI partnerships & investments. In January 2025, the FTC issued a report under former Commissioner Khan examining several partnerships among participants in the AI technology chain. Broadly, participants in the AI chain include (1) providers of specialized (and scarce) semiconductor chips used to provide the computational power to train and refine generative AI models, as well as generate the actual output (be it text, images, or data); (2) cloud service providers that enable access to computing infrastructure; (3) AI developers; and (4) AI application creators. The report highlights several areas of concern with respect to such partnerships, including traditional antitrust concerns around competitor access to important resources, increased switching costs for participants, and the exchange of sensitive technical and business information.
Current FTC Chairman Andrew Ferguson—then commissioner—issued a concurring and dissenting statement (joined by Commissioner Holyoak) shortly after the report’s release. While signaling areas of disagreement and discouraging the Commission from “running headlong to regulate AI,” the dissent does not appear to depart significantly from FTC views with respect to a focus on Big Tech when it comes to AI. According to Ferguson, “AI may [] be the most significant challenge to Big Tech firms’ dominance since they achieved that dominance.” He cautioned, however, that the Commission must strike a delicate balance, safeguarding against regulation that hinders U.S. AI technology development while ensuring that “Big Tech incumbents do not control AI innovators.” 4.FTC secures settlement with private equity firm in antitrust “roll-up” case. On Jan. 17, 2025, the FTC settled a second administrative case against private equity firm Welsh, Carson, Anderson, and Stowe and its affiliates for allegedly monopolizing certain local Texas anesthesiology markets through an anticompetitive “roll up” strategy. In May 2024, a federal judge dismissed Welsh Carson from a similar FTC action, but held that Welsh Carson’s conduct could be challenged in federal court in the future if the FTC can allege specific facts that it controls a company actively engaged in ongoing violations or is otherwise directly involved in another attempt to violate the law, “beyond mere speculation and conjecture,” and could still pursue an in-house administrative case against the private equity firm.
The FTC settled its in-house case, discussed in a May 2024 GT Alert, in a consent order designed to both limit Welsh Carson’s investment in this space and identify future investment strategies in this or an adjacent space, which in the view of the Commission would risk becoming another anticompetitive “roll up.” The order requires Welsh Carson to:
freeze its investment in USAP at current levels and reduce its board representation to a single, non-chair seat;
obtain prior approval for any future investments in anesthesia nationwide, as well as prior approval for certain acquisitions by any majority-owned Welsh Carson anesthesia group nationwide; and
provide 30-days advance notice for certain transactions involving other hospital-based physician practices nationwide.
The Commission voted 5-0 to accept the consent agreement for public comment. 5.Federal court denies Commission’s bid to block Tempur Sealy’s $4B Mattress Firm deal. On Jan. 31, a Texas federal court denied the FTC’s challenge to preliminarily enjoin Tempur Sealy International Inc.’s planned $4 billion purchase of Mattress Firm Group Inc. The parties thereafter closed the merger, and the FTC then withdrew the matter from in-house adjudication, effectively ending its challenge. The FTC challenged the deal in July 2024, asserting that the combination of the world’s largest mattress supplier, Tempur Sealy, with the largest retail mattress chain in the United States, Mattress Firm, would give the new firm the ability and incentive to suppress competition and raise prices for mattresses by blocking rival suppliers from selling in Mattress Firm stores.
In September, Tempur Sealy offered to sell 178 stores and seven distribution centers to Mattress Warehouse, in an effort to alleviate the FTC’s concerns. The companies offered to preserve 43% of premium “slots” in Mattress Firm stores for rival manufacturers, up from a previous offer of 28%. The FTC countered that the court should not give weight to this “unenforceable promise” that Tempur Sealy could break at any time. The judge did state that “the proposed acquisition won’t substantially harm competition … [b]ut even if assumed to the contrary, Defendants’ commitments to divest certain stores and to maintain going-forward slot allocations resolves any lingering concern.” 6.Daniel Guarnera named FTC Bureau of Competition director. On Feb. 10, Chairman Ferguson appointed Daniel Guarnera as director of the Bureau of Competition. Guarnera previously served as chief of the Civil Conduct Task Force at the DOJ Antitrust Division. During his tenure, the task force filed monopolization suits against certain Big Tech companies, as well as multiple cases involving agriculture and labor markets. Prior to that role, he was a trial attorney with the Antitrust Division during the first Trump administration. He also served as special counsel to U.S. Senate Judiciary Committee Chairman Charles Grassley during the confirmation of President Trump’s Supreme Court appointee, Justice Neil Gorsuch.
The Commission voted 4-0 to approve Guarnera’s appointment as director of the Bureau of Competition, with Chairman Ferguson stating “[h]e has tremendous experience litigating antitrust cases in critical markets, including agriculture and Big Tech” and “using the antitrust laws to promote competition in labor and healthcare markets—two of my top priorities.” 7.FTC chair clarifies 2023 merger review guidelines remain in effect. On Feb. 18, 2025, FTC Chairman Ferguson issued a public statement to FTC staff stating if “there is any ambiguity, let me be clear: the FTC’s and DOJ’s joint 2023 Merger Guidelines are in effect and are the framework for this agency’s merger-review analysis.” Ferguson explained that FTC should “prize stability and disfavor wholesale recission,” to provide predictability for businesses, enforcement agencies, and the courts. In Ferguson’s view, the guidelines reiterate prior policy statements, guidelines, and decisional case law. 8.FTC launches inquiry on tech censorship. On Feb. 20, 2025, the FTC launched a public inquiry into how technology platforms deny or degrade users’ access to services based on the content of their speech or affiliations. The Commission’s press release said, in announcing the inquiry, “Censorship by technology platforms is not just un-American, it is potentially illegal. Tech firms can employ confusing or unpredictable internal procedures that cut users off, sometimes with no ability to appeal the decision. Such actions taken by tech platforms may harm consumers, affect competition, may have resulted from a lack of competition, or may have been the product of anti-competitive conduct.” The FTC is requesting public comment on how consumers may have been harmed by technology platforms that “limited their ability to share ideas or affiliations freely and openly.” Comments are open until May 21, 2025. B. Department of Justice (DOJ) Civil Antitrust DivisionDOJ sues to block Hewlett Packard Enterprise’s proposed $14 billion acquisition of rival Juniper Networks.
On Jan. 30, 2025, the DOJ Antitrust Division sued to block Hewlett Packard Enterprise Co.’s proposed $14 billion acquisition of wireless local area network (WLAN) technology provider Juniper Networks Inc. The Division alleges that HPE and Juniper are the second- and third- largest providers, respectively, of enterprise-grade WLAN solutions in the United States and that the deal would “eliminate fierce head-to-head competition between the companies, raise prices, reduce innovation, and diminish choice.” The Division says that the proposed transaction between HPE and Juniper would further consolidate an already highly concentrated market.
“HPE and Juniper are successful companies. But rather than continue to compete as rivals in the WLAN marketplace, they seek to consolidate — increasing concentration in an already concentrated market. The threat this merger poses is not theoretical. Vital industries in our country — including American hospitals and small businesses — rely on wireless networks to complete their missions. This proposed merger would significantly reduce competition and weaken innovation, resulting in large segments of the American economy paying more for less from wireless technology providers,” Acting Assistant Attorney General Omeed A. Assefi said. The Division asserted that Juniper has been a “disruptive force that has grown rapidly from a minor player to among the three largest enterprise-grade WLAN suppliers in the U.S.,” and that its innovation has decreased costs and put competitive pressure on HPE that HPE seeks to alleviate by acquiring Juniper. C. U.S. Litigation
1.Goldstein v. National Collegiate Athletic Association, Case No. 3:25-00027 (M.D. Ga. Feb. 20, 2025). On Feb. 20, 2025, the Honorable Judge Tilman E. Self III denied a college baseball player’s request for a temporary restraining order that would have prevented the National Collegiate Athletic Association (NCAA) from barring the student from the 2025 baseball season. The plaintiff filed a suit earlier this month that joins other similar suits seeking to invalidate the NCAA’s eligibility rule which gives college athletes no more than five years to play four seasons of college sports. In denying the temporary restraining order, Judge Tilman scheduled a follow-up hearing to allow for a more fulsome evidentiary hearing on a longer injunction. 2.State of Arkansas v. Syngenta Crop Protection AG, Case No. 4:22-cv-01287 (E.D. Ark. Feb. 18, 2025). Federal Judge Brian S. Miller denied two large pesticide manufacturers’ motion to dismiss the State of Arkansas’ lawsuit alleging that the manufacturers conspired to prevent generic pesticides from gaining market entry. In the lawsuit, Arkansas alleges that these manufactures entered into “loyalty programs,” which pay distributers and retailers incentives if they limit or refuse to sell generic crop-protection products whose patents have expired. In allowing the lawsuit to proceed, Judge Miller noted that the State has sufficiently alleged that these loyalty programs foreclose generic competitors from entering the market successfully. 3.Earth’s Healing Inc. v. Shenzhen Smoore Technology Co., Case No. 3:25-cv-01428 (N.D. Cal. Feb. 11, 2025). A Chinese-based vape manufacturing company and its U.S.-based distributors were sued in a putative class action, alleging that the defendants conspired to keep the price of marijuana vaping pens and cartridges high by limiting competition among distributors. The complaint alleges that Shenzhen Smoore Technology forced its distributors to enter into a horizontal conspiracy not to solicit each other’s retail customers and report any distributor who violated this non-solicitation policy. The proposed class includes any licensed cannabis business in the 24 states that have legalized marijuana for recreational use that have sold Shenzhen’s products since November 2016. 4.Alliance of Automotive Innovation v. Campbell, Case No. 1:20-CV-12090 (D. Mass. Feb. 11, 2025). On Feb. 11, 2025, the Honorable Judge Denise L. Casper dismissed a lawsuit an automakers’ advocacy group brought that sought to block the State of Massachusetts’s “right-to-repair,” which allows customers and mechanics open access to vehicles’ “telematics” systems. These systems are used to electronically track a vehicle’s location, speed, fuel efficiency, and other metrics. The automakers claimed that applying this state law to automobiles violates the National Traffic and Motor Vehicle Safety Act and the Clean Air Act and raises the risk of impairing the cybersecurity protections installed in these systems. Judge Casper’s order dismissing the case was filed under seal, and the has automakers have already indicated an intent to appeal the decision to the U.S. Court of Appeals for the First Circuit.
The Netherlands
A. Dutch Competition Authority (ACM) Dutch commitments decision spotlights ACM’s enforcement policy.
The Authority for Consumers and Markets (ACM) recently closed a cartel investigation into three chiropractic trade associations without imposing sanctions. The investigation concluded after the associations promised not to prohibit their members from offering discounts and free examinations. This decision was intended to promote competition, but critics raised concerns about transparency and the fair treatment of other companies that may have received harsher penalties for similar violations. Critics also pointed out that the ACM appears more reluctant to penalize the healthcare sector, leading to additional questions about its policy’s fairness and consistency. B. Dutch Court Decision Rotterdam District Court confirms egg purchasing cartel violation.
The Rotterdam District Court confirmed the findings of the ACM against three egg-product manufacturers who were fined for price-fixing, supplier allocation, and sharing competitively sensitive information in the egg-purchasing market. In 2021, the ACM sent a statement of objections, concluding that the three companies had violated the cartel prohibition provisions of Article 101(1) of the Treaty on the Functioning of the European Union (TFEU) and Article 6(1) of the Dutch Competition Act. Coordinating purchasing prices leads to such a significant restriction of competition (“by object” violation) that the ACM was not required to analyze the effects of the practice. The court acknowledged the companies’ objections to the amount of the fines and, since the proceedings exceeded the reasonable timeframe by a few weeks, all fines were reduced by EUR 5,000. The court set the fines at EUR 995,000, EUR 7,655,000, and EUR 15,736,500.
Poland
A. UOKiK president tightens the noose on price fixing agreements.
The president of the Office of Competition and Consumer Protection continues to focus on alleged price-fixing agreements, in particular those maintaining minimum prices (so-called RPMs) in online sales. Recent proceedings indicate an increased level of scrutiny on pricing practices, particularly around online distribution. 1.Fines imposed on pet-food distributor, Empire Brands. The UOKiK president has imposed a fine on Empire Brands, a pet food distributor, for engaging in resale price maintenance practices in online sales channels (online stores and digital marketplaces). Resellers were required to set prices that were at least equal to those Empire Brands offered in its own online store. According to the UOKIK president, the company penalized resellers by sending warnings, altering payment terms, restricting access to promotions, and terminating business relationships. Following the investigation, the UOKiK president imposed a fine of approximately PLN 353,000 (approximately EUR 84,000/USD 87,000) on Empire Brands. In addition, the UOKIK president also penalized the company’s managers, who received individual fines of PLN 82,000 (approximately EUR 20,000/USD 20,000) and PLN 39,000 (approximately EUR 9,000/USD 10,000), respectively. 2.Charges brought against sanitary equipment distributor, Oltens. UOKiK president also announced charges against Oltens, a distributor of sanitary equipment, for allegedly fixing online resale prices. The UOKiK president suspects that Oltens has entered into a price-fixing agreement with independent resellers of its products. The company allegedly imposed minimum resale prices for online sales, preventing retailers from offering lower prices (including within promotional campaigns). According to the UOKIK president, Oltens may have ensured compliance by actively monitoring resellers and intervening against those who deviated from set prices, including by refusing to supply or terminating cooperation agreements. The proceedings are pending. 3.Trend of enforcement. The Oltens and Empire Brands cases add to a growing list of resale price maintenance investigations the UOKiK president has conducted. In recent years, the competition authority has taken similar actions against multiple companies. For example, in 2024, Dahua Technology was fined PLN 3.7 million (approximately EUR 900,000/USD 900,000) for restricting the pricing policies of its distributors, and Kia Polska was fined PLN 3.5 million (approximately EUR 800,000/USD 900,000) for imposing minimum resale prices on its dealers. The UOKiK president considers RPMs to be particularly harmful to competition, given their capacity to restrict freedom of establishing prices, therefore negatively affecting market competitiveness and consumer interests. Infringing companies may be subject to significant financial penalties, which can be up to 10% of their annual turnover. The UOKiK president may also impose individual fines on managers of up to PLN 2 million. Moreover, anticompetitive contractual provisions would be void, and affected entities can seek damages in civil courts.
Italy
A. Italian Competition Authority (ICA) 1.Mulpor and IBCM fined for repeatedly failing to comply with ICA ruling. In January 2025, ICA fined Mulpor Company S.r.l. and International Business Convention Management Ltd. (IBCM) EUR 3.5 million for repeated non-compliance with a 2019 prohibition decision on unfair trading. In ICA’s view, the two companies sent allegedly deceptive communications to businesses and micro-companies, under the pretext of requesting business data verification, while in fact leading recipients to enter into multi-year contracts for advertising services. ICA considered these communications, resembling those that led to earlier fines in 2019 and 2021, to be disguised as updates to a database called the “International Fairs Directory.” But by signing the forms, business and micro-companies committed to a three-year advertising contract.
ICA concluded that these communications were deceptive, causing recipients to unknowingly subscribe to unwanted services. IBCM also allegedly used undue pressure by threatening legal actions to collect payments for the unsolicited services. 2.Radiotaxi 3570 fined for repeatedly failing to comply with ICA ruling. ICA imposed an approximately EUR 140,000 fine on Radiotaxi 3570 for repeated non-compliance with a June 2018 ruling, which found certain agreements in Rome’s taxi service market to be anticompetitive. According to ICA, the company failed to eliminate allegedly restrictive non-compete clauses in its statutes and regulations that ICA believed hindered competition. Radiotaxi 3570 did not comply with the measures ICA required, including submitting a written report outlining corrective actions, nor did it pay the imposed fines. ICA is considering imposing further penalties, including daily fines, and may consider suspending the company’s operations for up to 30 days in the event of persistent non-compliance. 3.Redetermination of Imballaggi Piemontesi S.r.l.’s cartel penalty. In 2019, Imballaggi Piemontesi S.r.l. was fined more than EUR 6 million for its participation in an anti-competitive cartel in the industry that produces and markets corrugated cardboard sheets. In 2023, after a Council of State ICA judgment– which involved a EU Court of Justice referral for a preliminary ruling on that matter (C-588/24) – ICA had to reassess the fine imposed on Imballaggi Piemontesi S.r.l. on the basis, inter alia, of the effective involvement in the cartel.
The company argued for a reduced penalty, but ICA determined that its participation was to be considered “full” in any case. As a result, ICA maintained the fine at EUR 6 million, which was equal to 10% of the company’s total turnover, within the legal limit.
European Union
A. European Commission Commission sends Lufthansa supplementary statement of objections.
The European Commission has issued a supplementary statement of objections to Lufthansa, ordering the airline to restore Condor’s access to Lufthansa’s feed traffic to and from Frankfurt Airport as agreed in June 2024. This step follows an investigation into potential competition restrictions by Lufthansa’s transatlantic joint venture with other airlines. The European Commission has preliminarily assessed that this joint venture restricts competition on the Frankfurt-New York route and that interim measures are needed to prevent harm to competition on this market.
Previously, Lufthansa and Condor had special prorate agreements (SPAs) allowing Condor to access Lufthansa’s short-haul network to feed its long-haul flights. In 2020, Lufthansa notified Condor of the termination of their SPAs. The European Commission expressed preliminary concerns that without these agreements, Condor could struggle to operate sustainably on the Frankfurt-New York route, further undermining the competitive market structure. To ensure the effectiveness of any future decision, Lufthansa must reinstate the previous agreements. This case falls under Articles 101 of the TFEU and 53 of the EEA Agreement, which prohibit agreements that restrict competition. B. ECJ Decisions
1.CJEU addresses preliminary questions on the restrictive nature of technical specifications. The Court of Justice of the European Union (CJEU) ruled on the interpretation of Article 42 of the EU’s Public Procurement Directive (Directive 2014/24/EU) regarding technical specifications for public procurement. The case involves a dispute between DYKA Plastics, which produces plastic drainage pipes, and Fluvius, the Belgian grid operator for electricity and natural gas in all municipalities in Flanders. Fluvius required that only drainage pipes made of stoneware and concrete can be used. DYKA argued that this requirement violates the principles of procurement, leading to four preliminary questions addressed to the CJEU.
The CJEU ruled that technical specifications must describe the characteristics of the works, supplies, or services, and that contracting authorities may not make specific mentions of materials—like references to stoneware or concrete—that favor or eliminate certain companies. The CJEU also explained that unless the use of a specific material is unavoidable, references to that material must be accompanied by the words “or equivalent.” In conclusion, the CJEU stated that eliminating companies or products through incompatible technical specifications necessarily conflicts with the obligation to provide equal access to procurement procedures and not to restrict competition per Article 42 of Directive 2014/24. 2.Beevers Kaas BV v. Albert Heijn België NV raises preliminary questions about parallel obligation. The case involves a dispute between Beevers Kaas, the exclusive distributor of branded dairy products in Belgium and Luxembourg, and Albert Heijn, a distributor in other markets. Beevers Kaas alleges that Albert Heijn violated exclusivity arrangements by selling in Belgium, while Albert Heijn argues that it cannot be prohibited from actively selling and that the exclusivity agreement offers insufficient protection. The case was referred to the CJEU to address the application of Article 4(b)(i) of the former EU Vertical Block Exemption Regulation (Regulation (EU) 330/2010 – old VBER), which has since been replaced.
First, the CJEU asked whether the “parallel obligation” requirement (where a supplier granting exclusivity to one buyer in a territory must also restrict other buyers from actively selling in that territory) may be fulfilled merely by observing that other buyers are not actively selling in the exclusive territory. Advocate General Medina’s January 2025 opinion states that the mere observation that other purchasers are not actively selling in the area is insufficient.
Second, the CJEU was asked to clarify whether proof of compliance with the “parallel obligation” must be maintained throughout the entire applicable period, or only when other purchasers show their intent to sell actively. According to Advocate General Medina, the supplier must generally demonstrate that the parallel obligation is fulfilled for all its other buyers within the EEA during the entire period for which it claims the benefit of the block exemption.
Japan
A. JFTC orders mechanical parking garage manufacturers to pay a surcharge of approximately JPY 520 million for bid-rigging allegations. In December 2024, the Japan Fair Trade Commission (JFTC) issued cease-and-desist orders to five manufacturers of mechanical parking garages and other facilities for bid-rigging allegations. The JFTC also ordered four manufacturers to pay a surcharge of approximately JPY 520 million in total.
According to the JFTC, the manufacturers repeatedly engaged in bid-rigging to determine which companies would receive orders from major general contractors, and at what price. The manufacturers are suspected to have engaged in bid-rigging, but one of them is also suspected of avoiding JFTC orders under the leniency program. The JFTC sent the proposed disciplinary measures to the manufacturers and will issue an order after receiving feedback from each. B .JFTC issues cease-and-desist orders to a cloud services company for the first time. In December 2024, the JFTC issued a cease-and-desist order to MC Data Plus, Inc., a company providing cloud services regarding labor management, for unfair trade practices that allegedly prevented customers from switching to other companies’ services. The order comes after the JFTC conducted an on-site inspection of MC Data Plus in October 2023.
According to the JFTC, starting in 2020, MC Data Plus refused to provide its clients with information on their employees, which the client registers on the cloud, in a form compatible with other labor safety services, due to the protection of personal information. The JFTC determined that such an act falls under the category of “interference with transactions (unjustly interfering with a transaction between its competitor),” which Japanese antimonopoly law prohibits.
This is the first time that a cease-and-desist order has been issued in connection with transactions regarding cloud services. MC Data Plus has filed a lawsuit to have the order revoked and has also filed a petition to suspend the order’s execution.
1 Due to the terms of GT’s retention by certain of its clients, these summaries may not include developments relating to matters involving those clients.
BOLD: Before Even Being Allowed in the Case NCLC Submits An Aggressive Challenge to Eleventh Circuit IMC Ruling
The FCC’s TCPA one-to-one consent rule still has the faintest of pulses as the NCLC continues to struggle to bring it back to life.
In a new filing yesterday the National Consumer Law Center has submitted a proposed petition seeking a full en banc re-hearing and characterizing the Eleventh Circuit panel’s ruling in IMC v. FCC as a departure from established judicial review norms and contrary to supreme court precedent.
As the Czar previously explained the IMC ruling is, indeed, a breathtaking departure from the rules courts would ordinarily apply to such appeals. However, this change appears to have been enabled by the recent destruction of Chevron deference and concomitant strengthening of judicial review.
The issue really boils down to this:
In the old days (last year) a court had to defer to an agency’s interpretation of vague phrases in a statute. That is no longer the case.
The IMC could held, however, that an agency had to defer to a court’s interpretation of vague phrases statute. This had never happened before.
While IMC’s approach seems permissible following the death of Chevron it by no means follows that they adopted the correct framework. Under a doctrine called Skidmore deference courts and agencies are essentially equally powerful– and if Skidmore deference were applied IMC probably would have come out differently.
NCLC’s petition argues the Eleventh Circuit Court of Appeals–all of it–should get together and decide whether Skidmore applies here or whether IMC sets a vast new paradigm for judicial review of agency action.
Part of me kind of wants to know the answer because I’m a nerd.
But on the other hand, I don’t think lead gen is capable of handling another pendulum swing on one-to-one so let’s hope this whole thing stays dead.
Anyway you can read the whole petition here: NCLC En Banc
New York Health Data Requirements Potentially Ahead: Understanding the Newly Passed Health Information Privacy Act
New York lawmakers recently passed a wide-ranging health information privacy bill that would require entities to obtain consent to collect, use, or sell an individual’s health information except for designated purposes. Notably, the bill broadly defines both regulated entities and regulated health information, and it would potentially impact companies nationwide that may not otherwise consider themselves to be collecting individuals’ private health information.
Quick Hits
New York lawmakers passed a health information privacy bill that, among other obligations, would require entities to obtain authorization to collect, use, or sell an individual’s health information unless it is “strictly necessary” for certain purposes.
The bill broadly defines regulated health information to include data that goes beyond traditional protected health information (PHI) and broadly defines regulated entities to include New York entities and certain non-New York entities.
While there is no private right of action, the bill would empower the state attorney general to seek significant penalties for violations.
The governor must still sign the bill and it would take effect one year after becoming law.
On January 22, 2025, the New York State Legislature passed Senate Bill (S) 929, known as the New York Health Information Privacy Act (New York HIPA). The bill has not yet been sent to Governor Kathy Hochul’s desk for signature. If signed, New York HIPA would take effect one year after becoming law.
In general, New York HIPA would place strict requirements on the collection or “processing” of individual health information or “any information that is reasonably linkable” to an individual’s mental or physical health. It would require authorization to process regulated health information unless it is “strictly necessary” for a specific designated purpose. The bill would further give individuals a right to access and request deletion of their health information and require regulated entities to develop and maintain safeguards to protect health data.
New York HIPA is the latest of a series of state privacy laws being considered and passed in recent years, such as Washington State’s recently enacted My Health My Data Act (MHMDA), which imposes a host of requirements for businesses in Washington concerning the collection of “consumer health data.” That law is at the center of a recently filed and potentially precedent-setting class action alleging that advertising software attached to third-party mobile phone apps unlawfully harvested PHI in the form of location data from millions of users. Unlike Washington’s MHMDA, New York HIPA would not provide a private right of action for individuals to file suit, but New York HIPA would empower the attorney general to enforce the law and allow for the imposition of stiff monetary penalties for violations.
Here is a breakdown of some key New York HIPA bill provisions.
Processing Regulated Health Information
New York HIPA, if enacted, would make it generally unlawful for a regulated entity to sell an individual’s regulated health information to a third party or process such information without a valid authorization unless it is “strictly necessary” for specific purposes. The bill details the requirements for obtaining valid authorization and the permissible purposes for processing without authorization. New York HIPA broadly defines “processing” to include the collection, use, access, sharing, sale, monetization, analysis, and retention, among other actions, of an individual’s regulated health information.
Notably, New York HIPA defines “regulated health information” broadly as “any information reasonably linkable” to an individual or device that “is collected or processed in connection with an individual’s physical or mental health,” including “location or payment information that relates to an individual’s physical or mental health” or “any inference drawn or derived about an individual’s physical or mental health.” This expansive definition could include a wide range of data points or information about individuals that might not typically be considered PHI, such as location data and payment information related to trips to the doctor or the gym.
New York HIPA also includes a broad definition of regulated entities. A “regulated entity” would include both entities located in New York that control the processing of regulated health information, and non-New York entities that control the processing of regulated health information of New York residents or individuals who are “physically present in New York.”
Designated Purposes
New York HIPA also sets forth the designated purposes for collecting or processing an individual’s health information without specific authorization. The collection or processing would need to be “strictly necessary” for:
providing a product or service that the individual has requested;
conducting internal business operations, excluding marketing, advertising, research and development, or providing products or services to third parties;
protecting against fraud or illegal activity;
detecting and responding to security threats;
protecting the individual’s “vital interests”; or
investigating or defending a legal claim.
Requests for Authorization
Under the bill, an authorization request must be separate from any other transaction, and individuals must be allowed to withhold authorization separately for each kind of processing. A “valid authorization” must also include several specific disclosures, including “the nature of the processing activity” and “the specific purposes for such processing.”
Individual Rights
New York HIPA would further require regulated entities to provide an “easy-to-use mechanism” for individuals to request access to and delete their regulated health information. Regulated entities would be required to provide access to or delete health data within thirty days of a request. If using a service provider, regulated entities would be required to communicate the request to a service provider within thirty days “[u]nless it proves impossible or involves disproportionate effort.”
Exemptions
The bill exempts certain information from its provisions, including:
“information processed by local, state, and federal governments, and municipal corporations”;
PHI governed by federal regulations under the Health Insurance Portability and Accountability Act (HIPAA);
covered entities governed by HIPAA; and
certain information collected as part of clinical trials.
Notably, the bill does not exempt entities subject to the Gramm-Leach-Bliley Act. Further, the bill does not exempt “business associates” under HIPAA with respect to “regulated health information” that goes beyond traditional PHI.
Security Safeguards
Under New York HIPA, regulated entities would be required to develop and maintain reasonable safeguards to protect the security, confidentiality, and integrity of regulated health information. They would also be required to securely dispose of such information according to a publicly available retention schedule.
The bill does not address the obligations of a regulated entity in the event of a data breach. New York’s data breach notification law (General Business Law § 899-aa), however, was recently amended to expand the definition of “private information” to include medical information and health insurance information, and to impose a thirty-day deadline for businesses to notify New York residents impacted by a data breach.
Service Providers
The bill would require any processing of health information by service providers on behalf of regulated entities to be governed by a written agreement. That agreement would need to include specific obligations for the service provider, such as ensuring confidentiality, protecting the data, and complying with individual rights requests.
Contracts and Waivers
Any contractual provision or waiver inconsistent with New York HIPA would be declared void and unenforceable, meaning individuals would not be able to waive their rights under the law.
Enforcement
New York HIPA would empower the state attorney general to investigate alleged breaches of the privacy requirements and bring enforcement actions. Such actions could result in civil penalties of up to $15,000 per violation or up to 20 percent of the revenue obtained from New York consumers within the past fiscal year, whichever is greater. The bill would also give the attorney general the ability to enjoin violations, seek restitution, and obtain the disgorgement of profits “obtained directly or indirectly” by any violations. Unlike Washington State’s MHMDA, the bill does not include a private right of action for individuals to sue for violations.
Next Steps
New York HIPA underscores the state’s focus, and a broader focus of states across the country, on protecting the privacy of health information. Like Washington’s MHMDA, New York HIPA would broadly define regulated health information as any information reasonably tied to an individual or device and related to an individual’s physical or mental health, including location and payment information. The bill therefore seeks to protect a broader scope of health data than what has been historically viewed as PHI under HIPAA.
New York HIPA has potential far-reaching implications for businesses nationwide that collect or process data of New York residents or individuals located in New York. If the bill is signed into law, such businesses may wish to review and consider changes to their data processing practices, data handling policies, employee training programs, contractual agreements with service providers, and customer agreements. Additionally, they may want to review their websites with respect to collecting user information and providing consumers with opt-outs.
Notably, however, New York HIPA must still be delivered to and signed by Governor Hochul, who may seek to negotiate changes to the bill before signature or effectuate changes later through chapter amendments. The governor has shown a propensity to use such chapter amendments, which refer to changes by the governor that are approved by the legislature through subsequent legislation after the law has been signed. In addition, if enacted, the bill provides that the attorney general can promulgate rules and regulations to enforce the law.
TCPA Filings Are Out of Control RIght Now
Its the 10th day of March, 2025.
And there have already been more TCPA class actions filed this March (85) than all of March, 2024 (84).
And there are still three weeks to go this month.
As I already reported TCPA filings were up 260% in January. February was another triple digit increase.
And March looks like it is going to absolutely go insane.
And remember, in 2024 TCPA filings were up 67% from the year before– and 2024 saw the highest number of class action filings in TCPA history.
But it looks like 2025 is going to smoke those numbers.
Good time to be the best “TCPA defense law firm” in the nation tho…
And probably a good time to switch to superior counsel before you get eaten alive!
Chat soon.
FTC Requests Input from Tech Platform Users About Speech
The Federal Trade Commission recently requested public comment from users of tech platforms. In particular, the impact the platforms may have on user speech. Input is sought -by May 21- on the extent to which tech firms are engaging in potentially suppressing free speech.
Using terms like “censorship,” “demonization,” and “shadow banning,” this request for public comment signals a new direction of the agency under Andrew Ferguson. The direction being taken reflects the concern expressed before the new administration: that tech platforms were using their roles to censor speech (see Murthy v. Biden).
The request is unlike those we had seen in the past from the FTC, insofar as it requests comment about the tech platforms not from the platforms themselves, but instead directly from users. As of this writing, the agency had received over 1,000 comments. Among other things, the agency has asked people to provide input on:
Impact: Whether tech platforms banned users from the platform because of the content of their speech, or took other adverse actions and the extent to which those actions adversely impacted them. Relatedly, the request asks if people were given a “meaningful” way to challenge adverse decisions.
Moderation: Whether there were moderation policies in place, and if the platform told people (even implicitly) that they could appeal the platforms’ decisions. Also asked was whether the platforms used “opaque” or “unpredictable” processes to restrict access.
Pressure: Interestingly, the request asks potential commenters to speculate on “factors [that] motivated platforms’ decisions.” Included in these might be measures that resulted in them getting banned from the platform. This includes suggestions like pressure from advertisers, state or local governments, or foreign governmental action.
Competition: If the tech platforms were coordinating directly or through trade associations about policy and adverse actions.
Putting it into Practice: Private platforms’ moderation policies date to the early days of the Internet, and the Digital Millennium Copyright Act and the Communications Decency Act. These policies typically indicate that content that violates the policy will be removed (the alternative -modifying content- would run the risk of the platform participating in the creation of the content, losing the shield of the DMCA or CDA). We anticipate comments from industry groups, in addition to the many already received from users themselves. The comment period closes May 21.
James O’Reilly also contributed to this article.
Listen to this post
BIGGER THAN YOU THINK?: Why New TCPA Revocation Rule May Wreak Havoc on Lead Generators And Buyers After All
As we creep closer at our petty pace, day to day, toward April 11, 2025 lead generators need to be paying close attention to one of the major potential impacts of the new FCC TCPA revocation order.
While enterprise is much more concerned with the “scope” provisions of the new rule crushing their ability to make informational outreach to their customers, lead generators need to be considering these provisions through the lens of ceasing continued marketing after a brand has received a revocation request.
This is a particularly big issue when a brand is buying both data and transfers.
Example.
Major insurance company buys both data leads and transfers from large lead generator.
When a consumer texts “stop” in response to an outreach by the insurance company the company is unlikely to notify the generator of the stop. Yet when the lead generator continues to send messages carrying offers for that insurance company those messages may be viewed as having been made “on behalf” of the insurance company– hence the stop should have been heeded and continued outreach by the lead generator would be illegal.
While a feedback loop between the insurance company and the lead generator in this scenario could avoid this problem–i.e. the insurance company is notifying the lead supplier of the revocations in real time– it is unclear whether that is legal since the CFR bans the sharing of revocation information with third-parties (which is why the R.E.A.C.H. standards have always included a notification that “stop” requests will be shared between buyers of the lead.) So this is a real sticky wicket.
And the problem is even bigger in the context of a lead buyer who is buying data from one source and buying transfers from other sources.
There when a lead buyer receives a “stop” notification it will need to notify not just the lead source–indeed, if the source is not making outbound calls for transfer purposes the data lead supplier need not to be informed at all– but other lead suppliers who may be calling that same consumer on the same or different data.
Suddenly the wisdom of the R.E.A.C.H. model of a hub and spoke approach to lead gen revocation looks very compelling indeed.
Regardless, one thing is crystal clear– brands buying leads and companies generating those leads need to come up with a game plan for April 11, 2025.
IT WAS A MATTER OF TIME: Another Company Allegedly Violated TCPA Time Restrictions.
Businesses must avoid sending solicitations before 8 a.m. or after 9 p.m. (local time at the called party’s location), especially if they have not obtained prior express written consent. The number of allegations for violations of 47 U.S.C. § 227(c)(5) and 47 C.F.R. § 64.1200(c)(1) continue to pile on.
In a complaint filed against Grenades, LLC, a seller of “explosively, strong” gum, the plaintiff raises these same allegations. Specifically, in Toscano v. Grenades, LLC, No. 2:25-CV-02049 (C.D. Cal. Mar. 7, 2025), Toscano (“Plaintiff”) alleges that Grenades, LLC, (“Defendant”) violated 47 C.F.R. § 64.1200(c)(1) by initiating three telephone solicitations to Plaintiff’s phone before 8 a.m. or after 9 p.m. (local time at the called party’s location). The first message Plaintiff claimed to have received at 7:02 a.m. reads as follows:
Grenades Gum: The 4-PACK is Back, just $9.99! That’s a savings of 37%!
https://kvo2.ioEMKJbW
Id. at ¶ 14. On a separate Sunday, Plaintiff claims to have received another 7:02 a.m. message, stating:
Grenades Gum: SINGLES ARE BACK AGAIN! 12% OFF individually wrapped singles, Assorted Variety Pack FIVE flavors! https://kvo2.io/UAYRbn
Plaintiff seeks to represent the following class:
Proposed Class. All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
Id. at ¶ 23.
Don’t forget to stay compliant with both federal and state regulations, as many states have layered their own restricted timeframes on top of the TCPA.
BREAKING: Rocket to Acquire Redfin for $1.75 Billion!
In very big news today, the Rocket Companies announce plans to acquire real estate brokerage giant Redfin for $1.75 billion of equity value.
While this is obviously huge news in the mortgage/real estate space, how does this affect the lead gen market as a whole?
One, it gives Rocket a better and potentially easier entrance to the purchase mortgage market which the company has historically struggled with. Rocket is a master at refinance lead gen and they drive huge numbers both organically and through third party lead providers. However, their share of the purchase market has not kept up with their share of refinance. There is a lot of reasons for this, but this acquisition should help bolster growth there.
Two, it will be interesting to see how this affects lead generators, such as LendingTree, Zillow and other platforms. Does Rocket and their loan officers pull off of any advertising they are doing on these platforms to focus on Redfin? Can Redfin take advantage of the Rocket marketing machine to grow their own marketshare and therefore, use the newfound leads to supply Rocket with the leads they need to continue at their current or prospective level?
Three, it’s a clear sign that Rocket is not content to rest on its laurels. The company has had six consecutive quarters of YOY growth. This is a growth play and with an estimated $200 million in runrate synergies, it could be huge.
Very interesting to watch how this ripples out into the ecosystem.
And, oh yeah, Rocket is still appealing the LMB TCPA class action with briefs filed last week. So, those “synergies” could be very helpful in the future.
FDIC Withdraws Proposed Rule on Brokered Deposits
On March 3, the FDIC announced the withdrawal of its proposed rule on brokered deposits, citing concerns regarding potential disruptions to the financial sector. This move follows significant pushback from industry stakeholders who argued that the proposed changes could have unintended consequences for liquidity management and market stability.
The proposed rule sought to alter the classification and regulatory treatment of brokered deposits by broadening the definition and imposing stricter reporting and supervisory requirements. It aimed to clarify which deposit arrangements qualified as brokered deposits and thus could have resulted in more deposits being subject to restrictions under the FDIC’s capital and liquidity rules. Industry participants also raised concerns that the changes could disrupt long-standing banking relationships, reduce funding access, and create additional disruptive compliance burdens.
The FDIC argued that brokered deposits pose risks to financial stability, particularly during times of market stress, contending that the proposed changes would help to mitigate potential overreliance on such funding sources. In its statement, the FDIC indicated that for any future regulatory action it takes related to brokered deposits, it will pursue such initiatives through new proposals or issuances that comply with the Administrative Procedure Act.
Putting It Into Practice: The withdrawal of the brokered deposits rule aligns with Acting Chairman Travis Hill’s stated commitment to streamlining the FDIC’s supervisory approach (previously discussed here). Given Hill’s focus on reducing regulatory burdens, financial institutions should expect further shifts in the FDIC’s approach to oversight.
Listen to this post
CFPB Continues Lawsuit Over Alleged Military Lending Act Violations
On March 1, and despite recent policy shifts under the new administration, the CFPB sent a letter to the judge overseeing its lawsuit against a fintech lender in the United States District Court for the Southern District of New York, stating that it would proceed with its filed action. The lawsuit, originally filed in September 2022, alleges violations of the Military Lending Act’s (MLA) restrictions on extensions of credit to covered servicemembers. The complaint further alleges violations of the Consumer Financial Protection Act’s (CFPA) prohibitions on unfair, deceptive, or abusive acts or practices (UDAAPs).
The CFPB’s letter follows the court’s denial of the lender’s request to stay the case. In its letter, the lender argued that the new administration needed time to reassess whether the enforcement action aligned with its regulatory priorities. Citing the CFPB’s broader enforcement pause under new leadership (previously discussed here), the lender contended that the lawsuit should be temporarily halted. However, the court rejected this argument and required the CFPB to clarify its position.
Specifically, the complaint alleges that the lender:
Exceeded the MLA’s 36% Rate Cap. The lender allegedly required military borrowers to pay membership fees as a condition of receiving credit, which resulted in an effective loan cost that exceeded the 36% cap imposed by the MLA.
Required Covered Borrowers to Submit to Arbitration. The lender allegedly included mandatory arbitration clauses in its loan agreements, in violation of the MLA’s prohibition of such clauses.
Failed to Make Mandatory Loan Disclosures. The lender allegedly did not provide covered borrowers with disclosures required under the MLA, including the Military Annual Percentage Rate (MAPR) and other key terms of the credit.
Restricted Consumers’ Ability to Cancel Memberships. The complaint alleges the lender violated the CFPA’s prohibition on deceptive acts or practices by making representations that consumers could cancel their memberships at any time while restricting cancellations for users with unpaid balances, effectively forcing them to continue accruing membership fees. In other cases, the lender refused to allow cancellation for users with unpaid membership fees, even after users had fully repaid their loans.
Putting It Into Practice: The CFPB’s decision to continue litigating this case signals that, despite leadership changes and the withdrawal of multiple lawsuits initiated by the previous administration (previously discussed here), certain Bureau enforcement priorities persist. Lenders should continue to monitor how the CFPB’s enforcement posture evolves under the new administration and adjust compliance strategies accordingly.
Listen to this Article