Tokenization of Real-World Assets: Opportunities, Challenges and the Path Ahead
Digital assets are no longer just the playground of fintech startups. Mainstream financial institutions now offer token-friendly custody and settlement, global exchanges are piloting digital-asset divisions, and traditional asset managers are dipping their toes into tokenized share classes. For established players, the appeal is clear: smoother operations, faster settlements and a bigger pool of potential investors.
Tokenization of real-world assets (RWA) is the process of representing rights in an asset through a cryptographically secured digital token recorded on a distributed ledger. In plain English: RWA tokenization uses blockchain technology (like a spreadsheet in the cloud that no one can secretly edit) to buy, sell, track and hold digital versions of RWA – from real estate and works of art to financial instruments, including investment fund interests.
The RWA tokenization market reached $24 billion in size this year, growing 308 percent in three years, and could reach up to $30 trillion by 2034.1 This growth appears primed to accelerate as mainstream financial institutions increasingly adopt the technology and identify genuine efficiencies in blockchain infrastructure. RWA tokenization looks set to modernize the process of funding, trading and managing assets in the digital economy. Therefore, it is important for financial service providers and their advisors to understand the risks and opportunities presented by RWA tokens, as well as legal and regulatory considerations.
Tokenization in a Nutshell
In the physical world, a casino chip might represent the right to exchange it for money, or a concert ticket might represent the right to attend a specific concert. Similarly, in the digital world, tokens are digital assets that represent ownership, rights or value, existing on a blockchain or other distributed ledger technology (DLT).
DLT enables digital tokenization without the need for ledgers or databases controlled by a central entity. A digital token can be “native” – created solely for use on the blockchain, with no real-world twin (e.g., a cryptocurrency like Ether) – or “linked”, where the token is a digital counterpart to something tangible or intangible in the real world. Either way, the DLT records every transfer, and smart contracts can be used to automatically execute the rules attached to the token (such as issuance and redemption protocols, distribution of dividends, interest or other income, or implementation of governance proposals once voting thresholds are satisfied) and even conditions to a transfer (such as permissions, compliance checks and corporate actions). Tokenization has enabled RWA to be divided, traded and managed in ways not previously possible, all while leaving an audit trail where every transaction is transparent and verifiable.
RWA Tokenization
Tokenization can be applied to any object of recognized value, including real estate, precious metals, fine art, intellectual property royalties and financial instruments. Tokenization allows these RWAs to be divided into multiple fractional interests, enabling ordinary investors to own a portion of a high-value asset they would otherwise be unable to purchase outright.
RWA tokenization refers to the process of representing legal or beneficial ownership rights of RWA as “on-chain”, “off-chain” or hybrid tokens. “On-chain” means tokens that can be managed entirely on a DLT, where all key legal information about the asset is embedded in the token and recorded directly on the blockchain – facilitating a transparent, verifiable and immutable record of ownership. Conversely, an “off-chain” structure is where the token serves as a digital representation or reference instrument while the underlying rights and records remain with a third party outside the blockchain using traditional legal and custody frameworks (e.g., platinum bars in a vault or the UK’s Land Registry). Hybrid approaches are also possible, where some legal data is stored on the DLT and other information remains “off-chain”. For example, ownership records or transaction histories might be recorded “on-chain” for transparency and automation, while sensitive documents are kept with traditional legal registries. Hybrid tokens might enable parties to benefit from the efficiency and transparency of DLT, such as automated settlement or real-time ownership tracking, while still relying on established legal processes for aspects like dispute resolution, privacy or compliance.
Legally, it is important to note that ownership of an “off-chain” or hybrid RWA token doesn’t always mean you own the associated RWA outright. It might just be an electronic record of your interest, while the real asset sits safely off-chain in a vault, a bank or in a lawyer’s filing cabinet (share certificates, title deeds, etc.). Understanding whether a token is informational, certificatory or dispositive is crucial for enforceability and investor protection.
Key benefits and advantages of RWA tokenization include:
Enhanced liquidity. Assets that were once hard to trade or only available to deep-pocketed investors can now be sliced into smaller pieces and traded 24/7 globally. Fractional ownership lowers barriers to investment, allowing retail investors to own a portion of a high-value asset.
Enhanced efficiency. DLT is decentralized, enabling the use of smart contracts that automatically execute upon the satisfaction of pre-determined conditions. Trading and settlement automation is instantaneous and simplified, allowing interests to be traded more freely and reducing the need for intermediaries. Even where “off-chain” or hybrid tokens are used, the DLT functions as a ledger of reference that may facilitate more efficient notice, settlement and reconciliation (without replacing existing legal processes).
Transparency. Distributed ledgers are verifiable by anyone with access to the ledger, which mitigates fraud and can enhance effective regulatory compliance. Again, smart contracts can be utilized to enforce relevant governance protocols, laws and regulations automatically. This has the potential to massively simplify current record-keeping with enhanced data disclosure.
Cost savings. Operational cost savings may result from the automation process and the reduced need for intermediaries.
Fund Tokenization
The perceived advantages highlighted above have spurred innovative players in the investment funds market to create tokenized fund products. The issuance of fund tokens, where the token represents a share or unit of ownership in a limited partnership (or other traditional investment fund vehicle), is accelerating across the asset management industry.
In the UK, the Investment Association’s Technology Working Group has worked with HM Treasury and the Financial Conduct Authority (FCA) to develop a blueprint for implementing the tokenization of UK investment funds.2 The FCA has recently shown support for the Monetary Authority of Singapore’s Project Guardian, which is also related to the tokenization of assets and investment funds.3 In 2023, HM Treasury announced plans for the Digital Securities Sandbox, where firms can set up and operate financial market infrastructure using digital asset technology.4 The implicit acceptance by the government and regulating bodies that digital assets are here to stay has helped pave the way for the wave of innovation we see today, with the tokenization of UK-authorized funds being brought within the confines of an acknowledged regulatory framework.
Fund tokenization is also being utilized in Europe, with various models emerging in France, Germany and Luxembourg (to name a few). The EU DLT Pilot Regime, set out in Regulation (EU) 2022/858, seeks to achieve some homogeneity across the European jurisdictions by introducing a single regulatory “sandbox” for DLT multilateral trading facilities, settlement systems, and combined trading-and-settlement systems. Such a regime allows authorized operators to admit and record tokenized shares, bonds and fund units below defined value thresholds, while benefiting from targeted exemptions from other EU regulatory requirements.5 This harmonized framework is intended to stimulate cross-border liquidity, underpin investor protection and facilitate supervisory convergence.6
US funds are even using public blockchains, representing the trust that some players now have in the technology. For example, Hamilton Lane has a number of tokenized funds available, including a tokenized feeder for the off-chain Private Infrastructure Fund. This feeder has reduced the typical minimum investment amounts for investors from an average of $5 million (for the direct fund) to $500.7
Key Debates and Considerations about Tokenization
While momentum behind fund tokenization continues to build, certain legal and regulatory challenges must be considered before managers, custodians and distributors can effectively scale this technology:
Regulatory perimeter. In the UK, the FCA’s technology-neutral approach means tokenized fund units that mirror conventional shares/units are already treated as “security tokens” (i.e., specified investments under the UK’s financial markets regulation), so the regulatory regimes and anti-money laundering laws that govern traditional securities offerings still apply. The position is similar across all jurisdictions.
Ownership and title transfer. While the Property (Digital Assets, etc.) Bill8, which formalizes the recognition of digital assets as property under English law, is expected to be passed soon, uncertainty remains as to how certain tokenized units can be legally transferred. If the distributed ledger is only evidential and the legal title stays off-chain, a traditional instrument of transfer is still required. Conversely, if the ledger is the register of legal title, managers must ensure they can still execute mandatory redemptions or freeze units (e.g., in case of anti-money laundering (AML) or sanctions events) consistent with unilateral, court-recognized transactions. Documenting that override power in the fund documentation and coding it into the smart contract is essential.
Smart contracts. As discussed, many tokenized fund models automate issue, redemption and distributions via smart contracts. Smart contracts are, at heart, code that acts like a contract. Following the Law Commission’s 2021 advice, English courts are open to enforcing them if the usual ingredients – offer, acceptance, consideration and intention – are present.
Cross-border distribution and recognition. Regulatory sandboxes (like the FCA’s Digital Securities Sandbox, the EU DLT Pilot, Singapore’s Project Guardian, and Abu Dhabi Global Market’s DLT regime) offer safe spaces for players to experiment with digital asset initiatives and innovations, but cross-border recognition is still in its infancy. For example, a UK-domiciled tokenized fund that wishes to promote in the EU or the US must still comply with the full suite of local offering, registration and disclosure requirements applicable to those jurisdictions. Within the EU, this involves navigating both the pan-European Markets in Crypto-assets Regulation (MiCA Regime) and the various domestic sandbox frameworks under the EU DLT Pilot Regime. In the US, the Securities and Exchange Commission (SEC) is scrutinizing tokenized money market funds, feeder funds and similar structures on a case-by-case basis and granting relief, if at all, through bespoke exemptive orders or no-action letters.
Security risks. Private-key theft, protocol bugs, cybercrime and data privacy laws are all risks associated with DLT. Unlike centralized registrars, blockchains are unforgiving – a mistaken or fraudulent transfer may be irreversible. Moreover, the permanent recording of an individual’s wallet address could conflict with laws on controlling and processing personal data.
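The transfer conditions described under “Tokenization in a Nutshell” (permissions and compliance checks attached to a token) and the override powers discussed under “Ownership and title transfer” (freezing units and executing mandatory redemptions in an AML or sanctions event) can be modelled in a few dozen lines. The following is an added example and not code from the advisory or from any fund or platform mentioned in it; it simulates, in plain Python rather than on-chain contract code, the register logic a fund’s smart contract would enforce. The class name, the “controller” role, the sample investors and the event names are all assumptions made for this illustration.

```python
"""Model of a permissioned fund-unit register with coded override powers.

Added example, not code from the advisory or any named project. It simulates,
in plain Python, the transfer conditions a tokenized fund's smart contract
would enforce: only KYC-cleared holders, no transfers from or to frozen
accounts, and a controller-only power to freeze and forcibly redeem units.
All names (FundUnitRegister, 'controller', the sample investors) are
assumptions made for this illustration.
"""
from dataclasses import dataclass, field


class ComplianceError(Exception):
    """Raised when a transfer would violate a coded transfer condition."""


@dataclass
class FundUnitRegister:
    controller: str                               # role holding the documented override power
    balances: dict = field(default_factory=dict)
    allowlist: set = field(default_factory=set)   # KYC/AML-cleared holders
    frozen: set = field(default_factory=set)      # holders under an AML/sanctions hold
    events: list = field(default_factory=list)    # append-only audit trail

    def _log(self, kind, **data):
        self.events.append({"event": kind, **data})

    def _require_controller(self, caller):
        if caller != self.controller:
            raise PermissionError("only the controller may perform this action")

    # ---- onboarding / issuance ------------------------------------------
    def clear_investor(self, caller, holder):
        self._require_controller(caller)
        self.allowlist.add(holder)
        self._log("investor_cleared", holder=holder)

    def issue(self, caller, holder, units):
        self._require_controller(caller)
        if holder not in self.allowlist:
            raise ComplianceError(f"{holder} is not KYC-cleared")
        self.balances[holder] = self.balances.get(holder, 0) + units
        self._log("issue", holder=holder, units=units)

    # ---- transfer conditions ---------------------------------------------
    def transfer(self, sender, recipient, units):
        # Both parties must be cleared and neither may be under a hold.
        for party in (sender, recipient):
            if party not in self.allowlist:
                raise ComplianceError(f"{party} is not KYC-cleared")
            if party in self.frozen:
                raise ComplianceError(f"{party} is frozen")
        if self.balances.get(sender, 0) < units:
            raise ComplianceError("insufficient units")
        self.balances[sender] -= units
        self.balances[recipient] = self.balances.get(recipient, 0) + units
        self._log("transfer", sender=sender, recipient=recipient, units=units)

    # ---- override powers (must also be documented in the fund terms) ------
    def freeze(self, caller, holder, reason):
        self._require_controller(caller)
        self.frozen.add(holder)
        self._log("freeze", holder=holder, reason=reason)

    def mandatory_redemption(self, caller, holder, reason):
        """Cancel all of a holder's units without the holder's signature."""
        self._require_controller(caller)
        units = self.balances.pop(holder, 0)
        self._log("mandatory_redemption", holder=holder, units=units, reason=reason)
        return units

    def balance_of(self, holder):
        return self.balances.get(holder, 0)


def demo():
    """Walk through issuance, a blocked transfer and a forced redemption."""
    reg = FundUnitRegister(controller="fund_manager")
    reg.clear_investor("fund_manager", "alice")
    reg.clear_investor("fund_manager", "bob")
    reg.issue("fund_manager", "alice", 1000)
    reg.transfer("alice", "bob", 400)

    # A transfer to an investor who never passed KYC is refused by the code itself.
    try:
        reg.transfer("alice", "mallory", 100)
    except ComplianceError:
        pass

    # Sanctions event: the controller freezes bob, then forcibly redeems his units.
    reg.freeze("fund_manager", "bob", reason="sanctions screening hit")
    try:
        reg.transfer("bob", "alice", 100)   # a frozen holder cannot move units
    except ComplianceError:
        pass
    redeemed = reg.mandatory_redemption("fund_manager", "bob", reason="sanctions screening hit")
    return reg, redeemed


if __name__ == "__main__":
    register, redeemed_units = demo()
    for e in register.events:
        print(e)
```

The point of the model is that the refusal of a non-cleared transfer and the controller’s freeze and redemption powers are enforced by the register code, not by a later manual correction, and every action lands in the append-only event list that stands in for the ledger’s audit trail. On a real chain the controller role would be a multi-signature or governance key, and the reason codes would reference the fund documentation that grants the override.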
Conclusions
RWA tokenization is no longer a speculative thought experiment; it is steadily re-engineering the plumbing of global capital markets, offering the promise of deeper liquidity, operational efficiency and increased transparency. Yet the pace of innovation has outstripped the harmonization of the legal and regulatory frameworks that must ultimately safeguard investors, issuers and intermediaries. As we have explored, questions of title, enforceability of smart contracts and cross-border recognition remain unresolved, even as supervisors from the FCA to the European Securities and Markets Authority (ESMA) and the SEC signal a willingness to experiment through sandboxes and pilot regimes. It is, therefore, essential to navigate the legal considerations involved in order to ensure legally sound and compliant tokenization projects. For issuers, this means proactively engaging with evolving regulations to structure trustworthy and attractive offerings. Intermediaries must adapt their processes to ensure robust compliance and risk management in a continuously changing environment. Investors, meanwhile, should seek clarity on rights, protections and recourse mechanisms before participating in tokenized funds, or other RWA tokenization projects.
*Leander Rodricks, a trainee in the Financial Markets and Funds practice, and former Katten Associate Alex Taylor contributed to this advisory.
1 “Real World Asset Tokenisation Market has Grown Almost Fivefold in 3 Years,” CoinDesk, June 26, 2025
2 The Investment Association, UK Fund Tokenisation: A Blueprint for Implementation, November 2023.
3 FCA, FCA welcomes Project Guardian’s first industry report on tokenisation, November 4, 2024.
4 HM Treasury, Consultation on the First Financial Market Infrastructure Sandbox, Digital Securities Sandbox, July 2023.
5 Including the recast Markets in Financial Instruments Directive and the Central Securities Depositories Regulation.
6 ESMA, DLT Pilot Regime – Regulation (EU) 2022/858.
7 Hamilton Lane Private Infrastructure Fund.
8 UK Parliament, Property (Digital Assets etc) Bill, July 17, 2025.
Hitting the Snooze Button: CFTC Staff Issues Relief Intended to Reduce Burdens of Swap Data Notification Requirements
Staff from the Commodity Futures Trading Commission’s (CFTC) Division of Market Oversight issued No-Action Relief Letter 25-25 on July 31, 2025 to help ease compliance burdens placed on reporting counterparties in meeting the agency’s current swap data error reporting requirements. In the letter, CFTC staff cited the fact that numerous swap data error notifications filed with the agency have “not been utilized as originally intended” following the CFTC’s adoption of 2020 amendments to its swap data reporting rules.
Generally, under Part 43 and Part 45 of the CFTC’s regulations, swap execution facilities (SEFs), designated contract markets (DCMs) and reporting counterparties must notify CFTC staff if they will not timely correct a swap data error or errors. In particular, CFTC Regulations 43.3(e)(1)(ii) and 45.14(a)(1)(ii) require SEFs, DCMs and reporting counterparties to submit relevant swap reporting error notifications for all errors that cannot be timely corrected, whether or not such errors are material.
The International Swaps and Derivatives Association (ISDA) and the Securities Industry and Financial Markets Association (SIFMA) requested relief from these requirements on behalf of their memberships for swap data errors that do not exceed a certain threshold. In granting the industry trade associations’ request, CFTC staff found persuasive both the arguments made in the ISDA and SIFMA letter, as well as representations made by various reporting counterparties who have met with staff during the past two and a half years following the implementation of the error notification requirements.
No-Action Letter 25-25 expressly provides that the CFTC will not take an enforcement action against a reporting counterparty that does not file an error notification when it initially discovers a swap reporting error if such reporting counterparty reasonably determines that “the number of reportable trades affected by the error does not exceed five percent of the reporting counterparty’s open swaps for the relevant asset class in swaps for which it was the reporting counterparty.” The CFTC noted that the five percent threshold shall be calculated in accordance with CFTC Regulation 45.14 and added that reporting counterparties may still notify CFTC staff for errors below the five percent threshold if the reporting counterparty believes data quality for the CFTC or users of publicly disseminated swap data would be adversely affected by the error.
CCPA Compliance Alert: $1.55M Healthline Settlement
On July 1, 2025, California Attorney General Rob Bonta announced the largest CCPA settlement to date, which included a $1.55 million penalty against Healthline Media LLC. This settlement sends a clear message to businesses that California Consumer Privacy Act (CCPA) enforcement is ramping up, and health-related data is in scope.
According to the complaint filed against Healthline, a popular health information website, the state alleged Healthline:
Shared sensitive health-related data with third parties without adequate user consent.
Failed to provide a clear opt-out mechanism for targeted advertising.
Lacked CCPA-compliant contracts with third parties, and assumed, but did not verify, that the third parties had agreed to abide by an industry contractual framework.
Transmitted article titles (e.g., “You’ve Been Newly Diagnosed with MS”) that could reveal a user’s medical condition, effectively disclosing personal health information.
This case marks the first time the California Department of Justice has enforced the CCPA’s protections around sensitive personal information.
Operating one of the top 40 most visited websites in the world, Healthline is a media company that uses online tracking technology on its website. The online trackers used on Healthline’s website, like cookies and pixels, communicate data about readers to advertisers and other third parties in order to maximize ad revenue. That data uniquely identified consumers along with, for example, titles of articles they were reading. Some titles indicated that the reader may have already been diagnosed with a serious illness, such as “You’ve Been Newly Diagnosed with MS. What’s Next?” According to the complaint, consumers often had no idea how many online trackers might be running.
The settlement includes strict injunctive terms, such as:
A ban on sharing article titles that could imply a diagnosis.
Enhanced user opt-out mechanisms for data sharing.
Stronger contractual safeguards with service providers and third-party advertisers.
Key Takeaways for Business
For businesses that collect or share consumer data, especially when using online tracking technologies that share sensitive categories like health information, this case is just another reminder about the potential compliance and litigation risks. Here are some best practices for businesses subject to the CCPA.
Audit data practices, including identifying what personal information, as well as sensitive personal information, the business is collecting and how it is being used and shared.
Be familiar with what tracking technologies are being used on your websites, including what information they collect and share.
Strengthen opt-out mechanisms, including ensuring that the “Do Not Sell or Share My Personal Information” link is prominent and functional.
Review third-party contracts with advertisers and analytics providers, including CCPA-compliant data use restrictions.
Avoid inadvertent disclosure by being cautious about URLs, article titles, or metadata that could reveal personal information.
Conducting an annual review of CCPA compliance, as required under the CCPA, is an obvious step to help ensure ongoing compliance.
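The Healthline complaint turns on a concrete mechanism: a tracking pixel’s request carries the page title or page URL alongside a persistent identifier, so an article title that names a condition becomes a disclosure to the third party. The script below is an added example, not code from the advisory or from Healthline, showing how a business could audit its own outgoing tracker requests for exactly that pattern (the best-practice items on tracking technologies and on URLs, titles and metadata above). It works over a constructed sample of pixel URLs; the parameter names it inspects (`dt`, `title`, `dl`, `ref`) and the list of condition terms are assumptions for the illustration, and the redaction routine shows the corresponding fix, which replaces the revealing fields while leaving the rest of the request intact.

```python
"""Detecting article-title leakage in outgoing tracker requests.

Added example, not code from the advisory or from Healthline. It parses a
handful of constructed tracker request URLs, pulls out the query parameters
that commonly carry a page's title or URL (the parameter names dt, title,
dl and ref are assumptions for this illustration), and flags any whose
value could reveal a medical condition. redact_request shows the defensive
counterpart: the same request with the revealing fields replaced.
"""
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Query parameters that, in this example, carry the page title or page URL.
TITLE_PARAMS = {"dt", "title"}
URL_PARAMS = {"dl", "ref"}

# Constructed list of condition terms; a real list would be curated with
# privacy counsel and maintained outside the code.
SENSITIVE_TERMS = [r"\bdiagnos\w*", r"\bMS\b", r"\bHIV\b", r"\bdepression\b", r"\bcancer\b"]
SENSITIVE_RE = re.compile("|".join(SENSITIVE_TERMS), re.IGNORECASE)


def _path_as_words(url_value):
    """Turn a URL's path (e.g. /newly-diagnosed-ms) into words for matching."""
    return unquote(urlsplit(url_value).path).replace("-", " ")


def revealing_fields(request_url):
    """Return {param: value} for fields whose value could reveal a condition."""
    parts = urlsplit(request_url)
    found = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in TITLE_PARAMS:
            candidate = value
        elif key in URL_PARAMS:
            candidate = _path_as_words(value)
        else:
            continue
        if SENSITIVE_RE.search(candidate):
            found[key] = value
    return found


def redact_request(request_url):
    """Replace revealing title/URL fields with a neutral placeholder."""
    parts = urlsplit(request_url)
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in TITLE_PARAMS and SENSITIVE_RE.search(value):
            value = "[redacted]"
        elif key in URL_PARAMS and SENSITIVE_RE.search(_path_as_words(value)):
            # Keep the origin (so page views still count) but drop the revealing path.
            value = urlunsplit(urlsplit(value)._replace(path="/[redacted]", query="", fragment=""))
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# Constructed sample of requests a browser might emit to tracking pixels.
SAMPLE_REQUESTS = [
    "https://pixel.example/collect?cid=abc123"
    "&dt=You%27ve+Been+Newly+Diagnosed+with+MS.+What%27s+Next%3F"
    "&dl=https%3A%2F%2Fhealth.example%2Fnewly-diagnosed-ms",
    "https://pixel.example/collect?cid=abc123&dt=10+Healthy+Breakfast+Ideas"
    "&dl=https%3A%2F%2Fhealth.example%2Fbreakfast",
    "https://ads.example/p?uid=xyz&ref=https%3A%2F%2Fhealth.example%2Fliving-with-hiv%2Fdiet",
]


def audit(requests=SAMPLE_REQUESTS):
    """Return the requests that leak a condition, mapped to the fields involved."""
    leaks = {}
    for url in requests:
        fields = revealing_fields(url)
        if fields:
            leaks[url] = fields
    return leaks


if __name__ == "__main__":
    for url, fields in audit().items():
        print("LEAK:", fields)
        print("  ->", redact_request(url))
```

In practice the input would be the request log captured from a browser session or a tag-management export rather than a hard-coded list, and the check would run before a new tracker or article template goes live, which is the moment at which the “ban on sharing article titles that could imply a diagnosis” in the settlement has to be enforced.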
New Updates to CCPA Regulations: California’s Focus on ADMT, Cybersecurity Audits, Risk Assessments, and More
On July 24, 2025, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the California Consumer Privacy Act (CCPA). These substantial changes include new compliance obligations for businesses subject to the CCPA. Significantly, the updates emphasize the CPPA’s new regulatory focus on artificial intelligence (AI) decisionmaking and cybersecurity in addition to privacy. The CPPA opted to open the Delete Request and Opt-Out Platform (DROP) regulations for further public comment on its proposed changes. A breakdown of the key updates and what they mean for regulatory compliance is below.
Automated Decisionmaking Technology
Definitions
This final version of the CCPA text does not include AI as a defined term. Instead, the new regulations introduce a new term, “automated decisionmaking technology” (ADMT), which means “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.”
The text further defines “substantially replace human decisionmaking” to mean that “a business uses the technology’s output to make a decision without human involvement.” In November 2024, when the CPPA initially proposed these amendments, the language read “substantially facilitate human decisionmaking.” The shift to the term “replace” in the final text indicates that the CPPA is more concerned with businesses using ADMT instead of human decisionmaking. That is, the new regulations aim to target use cases of ADMT that lack human involvement. The new text further clarifies that human involvement would require the human reviewer to:
Know how to interpret and use the technology’s output to make the decision;
Review and analyze the output of the technology and any other information relevant to make or change the decision; and
Have the authority to make or change the decision based on their analysis above.
The text clarifies that ADMT includes profiling, but does not include web hosting, domain registration, antivirus, spellchecking, and databases and spreadsheets, provided that they do not replace human decisionmaking—this clarifier is crucial. A marketing team might use Visual Basic for Applications (VBA) macros in a spreadsheet to analyze customer data such as purchase frequency and total spent. The macro uses the data to automatically classify customers into tiers and to generate a targeted email list for each tier. Without human involvement (as defined by the new text), this decisionmaking might be considered ADMT.
Consumer Rights Related to ADMT
The updated CCPA regulations provide consumers with rights related to ADMT and impose obligations on businesses to inform consumers of these rights. These “new” rights build on rights that consumers already had under the CCPA with respect to the processing of their personal information, such as the right to opt out and the right to access. In essence, a business’s use of ADMT adds a new category of information for which the consumer already possesses CCPA rights, but requires the business to be transparent with the consumer about the use of ADMT and provide mechanisms for consumers to exercise their CCPA privacy rights.
In this context, businesses must enable consumers to opt out of the use of ADMT to make significant decisions about them. Significant decisions are decisions that result in the provision or denial of financial or lending services, housing, education enrollment/opportunities, employment opportunities, or healthcare services. Businesses must provide consumers with two or more methods of submitting requests to opt out of ADMT. Businesses that interact with consumers online must, at a minimum, allow consumers to submit requests through an online interactive form.
In addition, businesses must provide consumers with access to information about the business’s use of ADMT to make a significant decision about the consumer. In responding to a consumer’s request to access ADMT, a business must explain the specific purpose for which it uses ADMT, the logic of the ADMT, and the outcome of the decisionmaking process for the consumer. Businesses have 45 days to respond to a request to access or appeal ADMT.
Pre-use notice
The new regulations require a business that uses ADMT to provide consumers with a pre-use notice that informs consumers about the business’s use of ADMT and consumers’ rights related to ADMT. A pre-use notice may be provided in a business’s Notice at Collection. The pre-use notice must explain, in plain language, what the business plans to use ADMT for and a description of the consumer’s right to opt out of ADMT. The notice must also include how the ADMT works to make a significant decision about consumers and how the decision would be made if the consumer opts out of ADMT, unless the business provides the consumer with a method to appeal the decision that involves human review with human authority to overturn the ADMT decision.
Timeline for Compliance
Businesses that use ADMT prior to January 1, 2027, must comply with the ADMT requirements no later than that date.
Cybersecurity Audit
In many ways, the new regulations show that the regulatory line between enforcing privacy and cybersecurity is becoming increasingly blurred. The CCPA final text manifests the CPPA’s intent to regulate businesses’ privacy and cybersecurity programs. Significantly, the regulations introduce an annual cybersecurity audit requirement for businesses that meet a certain threshold. This audit must assess how the business’s cybersecurity program protects consumer personal information from unauthorized access and disclosure. Components of a cybersecurity program that fall into the audit’s scope include the business’s cybersecurity measures, such as authentication, access controls, inventory management, secure hardware and software configurations, network monitoring, and cybersecurity education.
The audit must be conducted by a “qualified, objective, [and] independent” professional who has knowledge of cybersecurity and how to audit an organization’s cybersecurity program. An internal auditor can be used, but to maintain their independence, an internal auditor must report directly to a member of the organization’s business executive team who does not have direct responsibility for the organization’s cybersecurity program. Regardless of whether the auditor is internal or external to the business, the business must make all relevant information and facts available to the auditor. The final audit report must be signed by the highest-ranking auditor with a certification statement affirming that their review was independent, objective, and impartial.
The audit report must identify the organization’s relevant policies, procedures, and practices, as well as the criteria used by the auditor. The report must also identify the specific evidence used to make the decisions and explain why the evidence justifies the auditor’s findings. The report must outline, in detail, gaps or weaknesses in the organization’s policies or cybersecurity program components that the auditor believes will increase the risk of unauthorized access or activity.
A cybersecurity audit used for another purpose, such as an audit that uses the NIST Cybersecurity Framework 2.0, may be used for this audit purpose, provided that it meets all the requirements outlined in the CCPA.
The timeline for completion of the initial cybersecurity audit depends on the business’s revenue for the previous years. All businesses must complete this audit by April 1, 2030, but some will be required to do so by April 1, 2028, depending on income. Businesses are required to submit a certificate of completion to the CPPA annually.
Pre-Processing Risk Assessment
Under the new regulations, any business that poses a significant risk to consumers’ privacy in processing personal information must conduct a risk assessment before initiating that processing. The goal of a risk assessment is to restrict or prohibit the processing of personal information if the resulting privacy risks to the consumer outweigh the benefits to the business and other stakeholders. Businesses must conduct and document a risk assessment before initiating any processing activity and must update a risk assessment whenever there is any material change to a processing activity.
The CCPA outlines several activities that are deemed to present significant risk, including selling or sharing personal information and processing sensitive personal information. This is an expansive definition, because most businesses, in some way, share personal information with third parties. The CCPA also sets forth certain scenarios where using automated processing to extrapolate a consumer’s intelligence presents significant risk. Using ADMT for significant decisions concerning a consumer or using consumer personal information to train an ADMT is also considered to present a significant risk.
Risk assessments must document a business’s purpose for processing consumer personal information and the benefits to the organization of that processing. The CCPA requires these descriptions to be made in specific terms. The CCPA does not consider vague descriptions such as “to improve services” or “for security purposes” to be specific, and businesses must identify the precise improvements or security reasons for which the information is being processed.
Risk assessments must also document the categories of information to be processed, including any categories of sensitive personal information. They must also include operational elements of processing, such as expected retention of information, what disclosures the business plans to make to the consumer, and the logic and output of any ADMT, if used. In addition, the risk assessment must also consider the negative impacts of processing on consumers’ privacy, including unauthorized access to their information, discrimination, or impairing consumers’ control over their information. The business must further identify safeguards it plans to implement for the processing, such as encryption and privacy-enhancing technologies.
Risk assessments must be reviewed and updated once every three years. If there is a material change in processing activity, a risk assessment should be updated as soon as possible, but no later than 45 calendar days from the change. For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028. The individual submitting the risk assessment attestation must be a member of the business’s executive management team who is directly responsible for, and has sufficient knowledge of, the business’s risk assessment compliance. Risk assessments must be maintained for as long as the processing continues or for five years after completion, whichever is later, and available for inspection by the CPPA or the Attorney General.
Insurance
The final CCPA changes also include clarification of the law’s application to insurance companies. Insurers are required to comply with the CCPA for personal information collected outside of an insurance transaction. The final text provides an example whereby if an insurance company collects personal information of website visitors who have not applied for any insurance product or service to tailor personalized advertisements to those users, the insurer must comply with the CCPA with respect to that information. Insurers must also comply with the CCPA with respect to processing employees’ personal information. Since most websites use some form of tracking technologies, and since all employers collect their employees’ personal information, insurance companies should assess their compliance with the CCPA promptly.
Other Notable Changes
Neural data – The CCPA’s definition of sensitive personal information now includes a consumer’s neural data. As health technology devices and applications become more advanced, this addition reflects the CPPA’s contemplation of novel risks associated with data derived from consumers’ nervous systems.
Conspicuous links on websites – The new text clarifies that any conspicuous link required under the CCPA should be present on any internet page where personal information is collected. For mobile apps, the conspicuous link must also be accessible within the application, such as through the application’s settings menu. For businesses only displaying such links on their homepages, this clarification imposes an additional compliance obligation.
Choice architecture – The CCPA includes a provision against choice architecture that impairs or interferes with a customer’s ability to make a choice. The new text adds a clarifying example that acceptance of the general terms of use that contain descriptions of personal information processing, along with other unrelated information, is a type of choice architecture because it prevents a user from freely giving specific and informed consent.
Clarification to right to limit – The new text explains that a business’s notice of the Right to Limit must be provided in the same manner in which the business collects the sensitive personal information. For example, if the business collects information at its brick-and-mortar store, the notice should be provided via an offline method. If a business uses sensitive personal information through a connected device, it should provide notice so that the consumer encounters the notice before or at the time the device begins collecting the sensitive personal information.
Service providers and the right to know – Businesses already had to identify the categories of personal information and categories of third parties to whom a business sold or disclosed personal information. The new text also requires businesses to identify categories of service providers or contractors to whom the business disclosed personal information.
Opt-out confirmation – Businesses must provide a means by which a consumer can confirm that their request to opt out has been processed by the business, such as displaying an “Opt-out request honored” message. Businesses should work with their consent management platforms to enable such a feature if not already enabled.
Service providers – The CCPA already provided that service providers and contractors may not use personal information except for specific reasons, such as the specific business purpose outlined in the contract between the provider/contractor and the business, and for subcontracting. The new text specifies that any such use or disclosure must be reasonably necessary and proportionate for those purposes. For example, if a subcontractor only needs a certain subset of information, providing them access to an entire dataset may not be reasonably necessary and could violate this provision.
Next Steps
The California Office of Administrative Law (OAL) still needs to review and approve these amendments. The OAL has 30 business days after receiving the final text from the CPPA to do so. However, many industry experts expect that the OAL will only make minor, if any, changes. The regulations take effect in 2027, so preparation for these new compliance obligations should be a top priority. CPPA’s next meeting is September 26, 2025, where it is expected to present its annual enforcement report and priorities.
CLASS DECERTIFIED: Company That Was Too Small to Pay Class Judgment Exits Certified TCPA Case for Individual Settlement– And It’s a Useful Reminder
Every once in a while a plaintiff’s attorney will do the unthinkable.
They will win certification in a TCPA class action and then walk it back– agreeing to accept an individual resolution instead of a classwide deal.
The reasons for this vary– usually it is an ability to pay issue– but the procedure for decertifying a class is always fraught with peril.
This is true because the Court has to approve a decertification and, in doing so, may question the motives and rationale of the plaintiff’s lawyers in requesting that relief.
In Aley v. Lightfire Partners, 2025 WL 2210145 (N.D.N.Y. Aug. 4, 2025) the parties reached an individual resolution of a TCPA case after certification. But the settlement was conditioned on the court’s agreement to set aside the certification order.
In analyzing the issue the court first determined class members would not be harmed by the decertification because class notice had not yet been sent out– important point. As a result the claims of class members were tolled during the proceeding– meaning the statute of limitations on their claims was paused so they would not be injured by the dismissal.
More importantly, the court credited the plaintiff’s statements that Defendant would not be able to pay a classwide settlement:
The parties have agreed, on the record, that Defendant’s demonstrated financial status presents an obstacle to the efficient and just resolution of this dispute on behalf of the class. Indeed, the “prospect of a bankrupt judgment debtor down at the end of the road does not satisfy anyone involved in the use of class action procedures…” Because “it is unlikely that the Defendants could satisfy a sizeable judgment on behalf of a class …. a class action is no longer the ‘superior … method for fairly and efficiently adjudicating the controversy.’ ”
So it looks like the plaintiff’s move here was one designed to get something out of the case recognizing the defendant was too small to satisfy a classwide resolution.
Notice that this result happened far too late in the case though. Nobody wins here. The Plaintiff’s lawyers will end up getting a smallish sum after working all the way through certification. The class gets nothing. The plaintiff presumably gets some small sum. And, of course, the defendant had to pay fees for years just to wind up paying an individual settlement in the end that results in very little protection from future suits.
Then again, the class was decertified and that is a nice win for the defendant in and of itself.
But the lesson here is clear– if the company is too small to pay for a classwide resolution it makes no sense for a plaintiff’s attorney to chase it in a class action. The sooner those cases are resolved–or better yet, never filed– the better.
CCPA Enforcement Action Highlights CPPA Focus on Opt-Out Rights, Website Functionality, and Reliance on Service Providers
On May 1, 2025, the California Privacy Protection Agency (CPPA) issued a Final Order in one of its first public enforcement actions under the California Consumer Privacy Act (CCPA), imposing a fine of nearly $350,000 on the business.
An important take away from the Final Order: simply posting a privacy policy is not enough. Businesses must actively monitor, test, and verify that the tools supporting consumer rights are working — even when those tools are managed by third parties.
What Went Wrong?
The CPPA found multiple violations of the CCPA and its implementing regulations. Here are the most notable failures:
1. Non-Functioning “Cookie Preferences Center” Link
Like many retailers, the business used third party tracking software on its website, such as cookies and pixels, to share data about consumers’ online behavior (a category of personal information) with third parties. The business shared this data for purposes such as analytics and cross-context behavioral advertising. While the business told consumers they could opt out of the sharing of their personal information, the technical infrastructure of its website did not support consumers’ elections to do so. In short, opt-out elections simply were not processed correctly for a period of 40 days.
According to the CPPA, the business
“would have known that Consumers could not exercise their CCPA right if the company had been monitoring its Website, but [the company] instead deferred to third-party privacy management tools without knowing their limitations or validating their operation.”
2. Failure to Properly Identify Verifiable Requests and Overcollection of Verification Information
The business offered a webform to enable consumers to exercise several of their CCPA rights, including the right to opt-out of the selling or sharing of personal information. However, using the webform to exercise any of those rights required consumers to provide certain personal information, including a picture of the consumer holding an “identity document.” This approach created two problems: (i) it resulted in the collection of sensitive personal information (e.g., a driver’s license) to make the request, and (ii) it failed to distinguish requests to opt-out of the sale or sharing of personal information, which are not verifiable consumer requests. In short, according to the CPPA, the webform collected more personal information than necessary for verifiable consumer requests and failed to authenticate consumers in a compliant manner, ultimately leading to complaints from consumers.
Practical Takeaways
This case illustrates the kind of avoidable but costly missteps that any business could make. Conducting an annual review of CCPA compliance, as required under the law, is an obvious step to help ensure ongoing compliance. But here are some more specific items to consider as well:
Test your links and forms regularly across devices and browsers. Don’t assume that what’s written in your privacy policy functions properly.
Review webforms and verification procedures to ensure they correctly identify, route, and respond to verifiable consumer requests without collecting unnecessary personal data. Also, assess whether backend processes and training support procedures outlined in online privacy policies.
Vet and monitor third-party vendors responsible for CCPA compliance tools. Require written assurances of compliance and retain the right to audit their systems and processes, while also checking to ensure the services provided are compliant.
Document your due diligence and monitoring to illustrate a focus on compliance. Mistakes happen, but the business can mount a stronger defense to allegations of non-compliance when it can show an ongoing effort to achieve compliance.
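The two failures above (opt-out elections silently not processed, and a form that demands identity documents for non-verifiable opt-out requests) are both things a business can test for itself rather than take on trust from a vendor. The following is an added illustration of such a check; it is not code from the enforcement order or from the business concerned. It assumes a monitoring job records, for each synthetic test visit, the consent state the site claims it stored, the network requests the page made after the opt-out click, and whether a confirmation message was shown; the domains, URLs and visits are constructed sample data.

```python
"""Offline check that an opt-out actually suppresses third-party tracking requests and
that the request-intake form does not demand identity documents for opt-out requests.

Added illustration, not the enforcement order's or the business's own tooling.
Assumes a monitoring job captured, per synthetic test visit: the consent state the site
reports, the requests fired after the opt-out click, and whether a confirmation appeared.
All hosts, URLs and visits below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed inventory of third-party hosts whose requests constitute "sharing" for
# analytics or cross-context behavioral advertising on this hypothetical site.
TRACKING_HOSTS = {"pixel.example-ads.net", "collect.example-analytics.com"}
FIRST_PARTY = "shop.example"   # hypothetical first-party domain


@dataclass
class Visit:
    label: str
    opted_out: bool           # consent state the site reports after the click
    requests: list            # URLs fetched after the opt-out click
    confirmation_shown: bool  # e.g. an "Opt-out request honored" message appeared


def _host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def tracking_requests(urls, first_party=FIRST_PARTY):
    """Return the subset of URLs that went to a known tracking host (subdomains included)."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if _host_matches(host, first_party):
            continue
        if any(_host_matches(host, t) for t in TRACKING_HOSTS):
            hits.append(url)
    return hits


def audit_visit(visit):
    """Return a list of findings; an empty list means the opt-out behaved as documented."""
    findings = []
    if not visit.opted_out:
        return findings          # nothing to verify: this visitor did not opt out
    leaked = tracking_requests(visit.requests)
    if leaked:
        findings.append(f"{visit.label}: opt-out recorded but {len(leaked)} tracking request(s) still fired")
    if not visit.confirmation_shown:
        findings.append(f"{visit.label}: no confirmation that the opt-out was processed")
    return findings


# Which intake-form request types may be verified before being honored. Requests to
# opt out of sale or sharing are not verifiable consumer requests, so the form must
# route them without asking for identity documents. Other entries are assumed rights
# the hypothetical form handles.
VERIFIABLE_REQUEST_TYPES = {"know": True, "delete": True, "correct": True,
                            "opt_out_sale_sharing": False}


def requires_identity_proof(request_type):
    """True only for request types the form may verify; raises on unknown types."""
    try:
        return VERIFIABLE_REQUEST_TYPES[request_type]
    except KeyError:
        raise ValueError(f"unknown request type: {request_type}")


# Constructed test visits: what a nightly monitoring run across browsers might capture.
SAMPLE_VISITS = [
    Visit("chrome-desktop", True,
          ["https://shop.example/cart", "https://pixel.example-ads.net/p?id=123"], True),
    Visit("safari-mobile", True, ["https://shop.example/cart"], False),
    Visit("firefox-desktop-no-optout", False,
          ["https://collect.example-analytics.com/c"], False),
    Visit("edge-desktop", True,
          ["https://shop.example/cart", "https://cdn.shop.example/a.js"], True),
]


def run_audit(visits=SAMPLE_VISITS):
    """Map each visit label to its findings."""
    return {v.label: audit_visit(v) for v in visits}


if __name__ == "__main__":
    for label, findings in run_audit().items():
        print(label, "OK" if not findings else findings)
```

Run on a schedule from several browsers and devices, a non-empty findings list is the signal that the opt-out or the confirmation message has regressed; the 40-day gap in the order above is exactly the window such a job is meant to close.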
Rhode Island Takes Steps to Safeguard Judicial Officer Security
Rhode Island’s Governor recently signed the Rhode Island Judicial Security Act (H5892), which aims to bolster the privacy and security of current and former judicial officers and their families by introducing several measures to safeguard their personal information.
Definition of Protected Individuals
The Act defines “protected individuals” as current, retired, or recalled justices, judges, and magistrates of the Rhode Island unified judicial system, as well as federal judicial officers residing in Rhode Island.
Definition of Personal Information
Personal information is defined to mean the Social Security number, residence address, home phone number, mobile phone number, or personal email address of, and identifiable to, the protected individual or their immediate family member.
Restrictions on Public Posting
Protected individuals may file a written notice of their status as a protected individual, for themselves and immediate family, with any state, county, and municipal agencies, as well as with any person, data broker, business, or association.
Following receipt of this notice, these entities shall:
mark as confidential the protected individual’s or immediate family member’s personal information,
remove within 72 hours any publicly available personal information of the protected individual or immediate family member, and
obtain written permission from the protected individual prior to publicly posting or displaying the personal information of the protected individual or immediate family members.
After receiving a protected individual’s written request, a person, data broker, business, or association shall also:
ensure that the protected individual’s or the immediate family member’s personal information is not made available on any website or subsidiary website under their control, and
not transfer this information to any other person, business, or association through any medium.
The Act further prohibits data brokers from selling, licensing, trading, or otherwise making available for consideration the personal information of a protected individual or immediate family member.
Enforcement and Legal Recourse:
Protected individuals or their immediate family members can seek injunctive or declaratory relief in court if their personal information is disclosed in violation of the act. Violators may be required to pay the individual’s costs and reasonable attorneys’ fees.
The law will take effect January 1, 2026.
Rhode Island’s Judicial Security Act bears a striking resemblance to New Jersey’s Daniel’s Law. Daniel’s Law prohibits the disclosure of the residential addresses and unpublished phone numbers of judicial officers, prosecutors, and law enforcement officers on websites controlled by New Jersey state, county, and local government agencies.
Entities subject to the Act should promptly review and, where necessary, revise their data handling practices to ensure compliance with the Act’s restrictions on disclosing protected judicial information.
CALIFORNIA PRIVACY PROTECTION AGENCY BARES ITS TEETH: Files First Judicial Action to Enforce Investigative Subpoena Against Tractor Supply Company
In a watershed moment for privacy enforcement in California, the California Privacy Protection Agency (CPPA) has turned to courts to enforce a regulatory investigation. On August 6, 2025, the CPPA filed a first of its kind judicial action seeking to compel Fortune 500 company Tractor Supply Co. to comply with an investigative subpoena.
While Tractor Supply is not the first company to come under fire recently, the CPPA has, until now, conducted its enforcement work entirely behind closed doors. This filing also marks the Agency’s first public disclosure of an ongoing investigation into a company.
According to the petition filed in the Sacramento Superior Court, the investigation stems from a complaint submitted by a California resident in early 2024 regarding Tractor Supply’s privacy practices. The Agency alleges that the company may have failed to meet several key obligations under the California Consumer Privacy Act (CCPA), including updating its privacy policy, providing required consumer notices, and honoring consumer rights.
In January 2025, the Agency’s Enforcement Division served a subpoena on Tractor Supply seeking information about its privacy practices, including processing of consumer requests under the CCPA, its use of tracking technologies on its website, and its relationship with third parties who receive consumers’ personal information. The subpoena sought this information during the period between January 1, 2020, the date when the CCPA became operative, and the present.
In its response to the subpoena, Tractor Supply declined to produce any documents or information predating January 1, 2023. The company argued that because the CPPA’s enforcement authority began in July 2023, it cannot compel the production of materials from before that time.
The CPPA disagrees. In its court filing, the Agency contends that the CCPA has been in effect since January 2020, and that businesses have been subject to its requirements since then. The change in enforcement authority from the California Attorney General to the CPPA, the Agency argues, does not limit its ability to investigate earlier conduct. The CPPA also emphasized that Tractor Supply had been granted several extensions but had still failed to comply, leaving the Agency no choice but to pursue judicial enforcement.
Tractor Supply, a national retailer with more than 90 stores in California and over $14 billion in annual revenue, is not a newcomer to compliance obligations. Yet its decision to challenge the CPPA’s request may reflect broader industry uncertainty about the scope of the Agency’s powers, particularly with respect to historical data. A positive outcome for the CPPA could lead to more aggressive investigatory tactics and increased demands on businesses to maintain and produce historical records.
The CPPA has made clear that this judicial action is not a finding of wrongdoing. Rather, it is a procedural step to enforce the Agency’s ability to conduct a full investigation. Nevertheless, the filing underscores the Agency’s willingness to escalate matters when businesses do not cooperate with its investigations.
DOJ Settles Cybersecurity FCA Claims With PE Firm and Government Contractors
On July 31, 2025, the Fraud Section of the U.S. Department of Justice’s Commercial Litigation Branch (Fraud Section) announced new settlement agreements with government contractors to resolve their respective False Claim Act (FCA) liabilities arising out of cyber fraud allegations. These settlements mark the Fraud Section’s fifth and sixth cyber fraud settlements of 2025, indicating a continued focus on leveraging the FCA’s civil tools to ensure government contractors comply with cybersecurity controls.
Recent DOJ False Claims Act Settlements for Cybersecurity Violations
Aero Turbine and Gallant Capital Partners – In coordination with the U.S. Attorney’s Office for the Eastern District of California, DOJ announced a settlement with defense contractor Aero Turbine Inc. (ATI) and private equity firm Gallant Capital Partners LLC to resolve FCA liability for alleged cybersecurity violations. Gallant owned a controlling stake in ATI during the alleged violations period. There has been no determination of liability under the settlement.
– The allegations: Between January 2018 and February 2020, ATI allegedly failed to implement certain NIST SP 800-171 controls during its performance of a contract with the U.S. Air Force. By way of background, defense contractors must safeguard controlled unclassified information (CUI) according to the cybersecurity standards set forth in DFARS 252.204-7012, including NIST SP 800-171. Instead, ATI had allegedly assumed that its compliance efforts with export controls were sufficient to meet its cybersecurity obligations under NIST SP 800-171, but there was no proper verification. Additionally, during a two-month period in 2019, ATI and Gallant allegedly failed to safeguard sensitive defense information when they provided files containing protected information to an external software company based in Egypt. The software company and its non-U.S. personnel were not authorized to receive such information under the Air Force contract, but ATI and Gallant allegedly failed to control the flow of CUI and limit access to the controlled information systems to authorized users.
– The settlement: ATI and Gallant voluntarily disclosed the alleged violations to the government, cooperated with the subsequent investigation, and took prompt remedial actions. DOJ credited ATI and Gallant for the self-disclosures pursuant to the Justice Manual guidelines, and the parties ultimately agreed to resolve ATI’s and Gallant’s FCA liability for $1.75 million.
Illumina Inc. – DOJ announced a multi-million-dollar settlement agreement in coordination with the United States Attorney’s Office for the District of Rhode Island to resolve FCA claims arising from a whistleblower complaint regarding cybersecurity violations. This settlement alleged false claims by biotechnology company Illumina Inc. in connection with the sale of genomic sequencing systems to various defense and civilian agencies. There has been no determination of liability under the settlement.
– The allegations: From February 2016 to September 2023, Illumina allegedly sold genomic sequencing systems with software that contained cybersecurity vulnerabilities and did not have adequate safeguards in place to address those vulnerabilities. DOJ contended that Illumina failed to properly support its personnel and systems that were responsible for product security, failed to correct known vulnerabilities, and falsely represented to government agencies that its software adhered to required cybersecurity standards. The underlying qui tam complaint (captioned United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.)) further alleged that Illumina falsely certified its products that had known cybersecurity vulnerabilities. For example, Illumina’s products were scored as critically severe on the Common Vulnerability Scoring System – ranging from 7.4 to 10 – but Illumina allegedly continued to market and sell its products with elevated-privilege and exposed-credential problems. Illumina also allegedly failed to comply with known cybersecurity standards, such as the FDA’s Quality System Regulation controls or the NIST Framework for Improving Critical Infrastructure Cybersecurity. DOJ further contended that Illumina resisted internal efforts to mitigate or remedy known defects, failed to minimize discovered insider threats that date back to 2020, and failed to meaningfully respond to its own vulnerability reports.
– The settlement: DOJ investigated the allegations against Illumina in response to a whistleblower complaint submitted by a former employee who had tried to escalate and address the company’s cybersecurity vulnerabilities and was eventually terminated. Nearly two years after the qui tam complaint was filed, Illumina and DOJ agreed to resolve the FCA allegations for $9.8 million (plus interest), of which $1.9 million will be shared with the whistleblower.
Compliance Considerations from DOJ’s Cyber-Fraud Initiative Enforcement Actions
These settlement agreements reflect continued activity by DOJ’s Civil Cyber-Fraud Initiative, which launched in 2021. The initiative is focused on using enforcement mechanisms to build the cybersecurity of the federal government and its contractor industrial base. While the two matters arose from different allegations and factual postures, there are several lessons and trends that may be observed.
1. Companies may benefit from voluntary disclosures and cooperation with the government. Companies should ensure their ethics hotlines and government contracts compliance programs enable them to identify concerns, initiate investigations, and timely report any noncompliance.
2. The Aero Turbine and Gallant settlement confirms that liability for inadequate cybersecurity controls may extend beyond the government contractor that has privity of contract with the government. Subcontractors and affiliates must also be aware of their responsibilities to protect controlled information.
3. These settlements suggest that DOJ is examining cybersecurity obligations that extend beyond the requirements that the Department of Defense’s acquisition regulations impose. Contractors should review all information security and cyber requirements in their government contracts, and ensure they understand the government’s expectations surrounding what information must be protected and to what level.
4. Companies must properly identify controlled information, comply with restrictions on distribution, and flow down security controls, including when sharing that information with affiliates and their supply chains.
5. Companies must also have sufficient controls and procedures in place to confirm the accuracy of any representations made to the government.
Key Takeaways from OFSI’s Latest Crypto-Asset Threat Assessment (July 2025)
On 21 July 2025, the UK Office for Financial Sanctions Implementation (OFSI) released a detailed threat assessment focused on the crypto-asset sector’s vulnerability to sanctions breaches (the Assessment). This Assessment sends a clear warning to UK crypto firms: sanctions compliance is not optional, and enforcement is tightening.
The following is a summary of the Assessment, which is discussed in greater detail in our client alert found here.
Why Focus on Crypto?
OFSI’s attention to the crypto space reflects growing concern about how digital assets are being used to evade sanctions and facilitate financial crimes. Crypto firms registered with the Financial Conduct Authority (FCA) – including exchanges, ATM operators and wallet providers – are now seen as high-risk entities, especially given the borderless and rapid nature of crypto transactions.
Key Takeaways:
The report underscores several areas where crypto firms fall short:
Incomplete self-disclosure: Many UK firms fail to report suspected sanctions breaches – either due to lack of detection, misunderstanding of obligations, or reluctance to self-report.
Inadvertent non-compliance: Much of the non-compliance appears unintentional and stems from direct or indirect exposure to Designated Persons (DPs) listed on the OFSI Consolidated List (see here), or retrospective discovery of suspected breaches.
Delayed breach discovery: Firms often identify exposure to sanctioned entities only after implementing blockchain analytics tools – by which time the damage is done.
Challenges in freezing assets: Unlike banks, crypto firms cannot reject incoming transactions, making them particularly vulnerable to receiving funds from designated persons (DPs) or sanctioned jurisdictions.
Notable Threat Actors
OFSI highlighted three specific threats:
Russia: UK firms were found to have transacted with the Russian exchange Garantex, despite its 2023 designation. Its successor, Grinex, and links to ransomware operations and darknet markets like Hydra further heighten the threat.
Iran: OFSI suspects that UK firms may have facilitated transactions with Nobitex, an Iranian exchange tied to the Islamic Revolutionary Guard Corps.
North Korea: UK crypto firms are at high risk of being targeted by DPRK-linked hackers. The February 2025 Bybit hack, which resulted in a $1.5 billion loss, underscores the scale of the threat.
Red Flags to Watch Out For
OFSI outlines several red flags crypto firms must monitor, including:
Dealings with DPs or their proxies;
Abrupt or unusual activity from previous dormant wallets; and
High-volume microtransactions.
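Each of the three red flags above can be expressed as a screening rule over a firm's own transaction log, which is what the blockchain analytics tools OFSI refers to do at scale. The block below is an added example written for this summary, not OFSI's tooling or any vendor's product: it screens constructed transfer records against a constructed designated-address set, a constructed proxy mapping, and assumed dormancy and microtransaction thresholds. In practice the screening set would be derived from the OFSI Consolidated List and the thresholds tuned to the firm's own baseline.

```python
"""Rule-based screening of crypto-asset transfers for the red flags OFSI lists:
dealings with designated persons (DPs) or their proxies, abrupt activity from a
previously dormant wallet, and high-volume microtransactions.

Added example; not OFSI's or any vendor's code. Addresses, thresholds and the sample
ledger are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed screening sets (stand-ins for addresses attributed to listed DPs).
DESIGNATED_ADDRESSES = {"0xDP01"}
PROXY_ADDRESSES = {"0xPROXY7": "0xDP01"}   # pass-through address -> DP it is attributed to

# Assumed thresholds; tune to the firm's own transaction profile.
DORMANCY = timedelta(days=180)        # gap after which a wallet counts as dormant
MICRO_VALUE = 50.0                    # transfers below this (reference currency) are "micro"
MICRO_COUNT = 20                      # this many micro transfers from one wallet ...
MICRO_WINDOW = timedelta(hours=1)     # ... inside this window raises the flag


def screen_transactions(txs):
    """txs: iterable of (timestamp, sender, receiver, value). Returns a list of flag dicts."""
    flags = []
    last_seen = {}                     # wallet -> timestamp of its most recent activity
    micro_times = defaultdict(list)    # sender -> timestamps of recent micro transfers
    micro_flagged = set()              # senders already reported, to avoid repeat flags

    for ts, src, dst, value in sorted(txs, key=lambda t: t[0]):
        # Red flag 1: a counterparty is a DP or a known proxy for one.
        for addr in (src, dst):
            if addr in DESIGNATED_ADDRESSES:
                flags.append({"rule": "designated_person", "wallet": addr, "at": ts})
            elif addr in PROXY_ADDRESSES:
                flags.append({"rule": "dp_proxy", "wallet": addr,
                              "designated": PROXY_ADDRESSES[addr], "at": ts})

        # Red flag 2: the sender wakes up after a long silence.
        if src in last_seen and ts - last_seen[src] > DORMANCY:
            flags.append({"rule": "dormant_reactivated", "wallet": src,
                          "idle_days": (ts - last_seen[src]).days, "at": ts})
        last_seen[src] = ts
        last_seen[dst] = ts

        # Red flag 3: many small transfers from one wallet in a short window.
        if value < MICRO_VALUE and src not in micro_flagged:
            window = micro_times[src]
            window.append(ts)
            while ts - window[0] > MICRO_WINDOW:     # drop timestamps outside the window
                window.pop(0)
            if len(window) >= MICRO_COUNT:
                flags.append({"rule": "high_volume_micro", "wallet": src,
                              "count": len(window), "at": ts})
                micro_flagged.add(src)
    return flags


# Constructed sample ledger.
_BASE = datetime(2025, 8, 1, 9, 0)
SAMPLE_TXS = [
    (datetime(2025, 1, 1, 12, 0), "0xUSER2", "0xMERCHANT", 120.0),  # USER2 last active in January
    (_BASE, "0xUSER1", "0xPROXY7", 900.0),                          # payment into a DP proxy
    (_BASE + timedelta(minutes=5), "0xUSER2", "0xMERCHANT", 75.0),  # USER2 reappears ~7 months later
    (_BASE + timedelta(minutes=10), "0xUSER4", "0xDP01", 40.0),     # direct transfer to a DP
] + [(_BASE + timedelta(minutes=i), "0xUSER3", "0xSINK", 5.0) for i in range(25)]  # micro burst


if __name__ == "__main__":
    for flag in screen_transactions(SAMPLE_TXS):
        print(flag)
```

Because the first rule only matches addresses already in the screening set, a firm that loads that set late will, as the Assessment notes, discover historic exposure only retrospectively; re-running the screen over the full ledger whenever the list changes is what turns that delayed discovery into a reportable finding.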
Recommendations
To stay compliant, OFSI recommends that crypto-asset firms adopt robust compliance measures including:
Providing staff training on sanctions risks and red flags;
Deploying blockchain analytics tools for tracing and screening;
Reviewing internal processes for managing frozen crypto-assets;
Enhancing due diligence on counterparties and transaction structures;
Regularly updating compliance frameworks as regulations evolve; and
Reporting to OFSI as well as filing Suspicious Activity Reports with the National Crime Agency (NCA) (guidance on reporting to the NCA and OFSI can be found here and here).
Conclusion
The key message from OFSI is unmistakable: passive compliance is no longer enough. As such, UK crypto-asset firms must proactively upgrade their systems to detect, prevent and report sanctions breaches.
Connecticut Amends the Connecticut Data Privacy Act
On June 24, 2025, Connecticut enacted SB 1295, which adds another round of amendments to the Connecticut Data Privacy Act (“CTDPA”). While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026. The following is a summary of key amendments to the law.
Expanded Applicability
The CTDPA now applies to entities that meet any of the following thresholds:
control or process the personal data of at least 35,000 consumers;
control or process consumers’ sensitive data, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or
offer consumers’ personal data for sale.
This significantly broadens the applicability of the CTDPA, as the CTDPA previously only applied to entities that controlled or processed the personal data of at least 100,000 consumers or controlled or processed the personal data of at least 25,000 consumers and derived 25% or more of their gross revenue from the sale of personal data.
Notably, the amended CTDPA removes the entity-level Gramm-Leach-Bliley Act exemption but includes a data-level exemption.
Additionally, the definition of sensitive data has been expanded and now includes categories such as disability or treatment, status as nonbinary or transgender, genetic or biometric data or information derived therefrom (i.e., with the words “for the purpose of uniquely identifying an individual” removed), neural data, and certain financial and government ID information.
Revisions to Access Right
The CTDPA’s consumer rights framework has also been revised. Notably, the right to access now explicitly includes the right to know the inferences, and has been updated with respect to profiling (see below). Additionally, the law now prohibits controllers from disclosing certain higher-risk identifiers (e.g., Social Security numbers and biometric data) in response to access requests. Instead, consumers must be notified that this data is held, without revealing the data itself.
Strengthened Profiling Provisions
Previously, consumers could opt out of profiling only for solely automated decisions. The amendments remove “solely”, expanding this right to cover profiling in furtherance of any automated decision that produces any legal or similarly significant effect concerning the consumer.
In another key revision, the law now explicitly includes within the meaning of “decision that produces any legal or similarly significant effect” a decision made “on behalf of” a controller, which may include decisions made by third parties or service providers.
The access right is also updated to reflect the expanded reach of profiling. Consumers can now request confirmation as to whether a controller or processor is processing a consumer’s personal data for the purposes of covered profiling.
The amendments also provide that, with respect to covered profiling, where feasible, consumers will be able to:
question the outcome of the decision;
receive an explanation of how the result was reached;
review the personal data that was used in the profiling; and
in housing-related contexts, correct inaccurate data and request a re-evaluation.
Importantly, controllers engaging in covered profiling must now conduct impact assessments. Under the new requirements, companies must conduct an impact assessment for profiling activities that includes:
a clear explanation of why the profiling is being done, its intended use, and the benefits it offers;
an evaluation of any known or foreseeable heightened risks of harm to consumers, and the steps taken to mitigate those risks;
a description of the types of personal data used and the outputs generated by the profiling;
an overview of the data categories used to tailor the profiling, if applicable;
any metrics used to assess how well the profiling works and its known limitations;
actions taken to inform consumers about the profiling while it is occurring; and
post-deployment oversight processes, user protections, and mechanisms to address issues that arise from the profiling.
Adjustments to Data Minimization
SB 1295 makes several updates to the CTDPA’s data minimization and purpose limitation requirements. Controllers must now ensure that collection is not only “reasonably necessary” but also “proportionate” to the disclosed purposes. The law also clarifies when secondary uses of personal data (termed “material new purposes”) require new consent.
Controllers processing sensitive data must still obtain consent, but the processing must be reasonably necessary in relation to the disclosed purposes. In addition, separate consent is now required for the sale of sensitive data.
Enhanced Protections for Minors
Controllers are now categorically prohibited from processing minors’ personal data for targeted advertising or sale, regardless of whether consent is obtained. The amendments prohibit the use of any system design feature to significantly increase, sustain or extend any minor’s use of such online service, product or feature. The law also imposes stricter requirements for profiling of minors and calls for impact assessments in addition to data protection assessments.
Updates to Privacy Notices and Transparency
The amendments also include several updates to privacy notice requirements, including:
Profiling and large language models (“LLM”) disclosures: Privacy notices must state whether the controller engages in profiling and whether personal data is used to train LLMs.
Targeted advertising disclosures: Privacy notices must state whether the controller processes personal data for targeted advertising, or sells personal data to a third party for the purposes of targeted advertising.
Placement and accessibility: Notices must be available through a conspicuous hyperlink that includes the word “privacy” on the controller’s homepage. Notices must also be provided in each language the controller uses in its business and be accessible to individuals with disabilities.
Notice of retroactive changes: If a controller makes material retroactive changes to its data practices, it must notify consumers and give them an opportunity to withdraw consent for any further collection, use, or sharing of previously collected data.
Next Steps
With these changes, organizations subject to the law should begin reviewing their data governance practices now, particularly around profiling, sensitive data and consumer rights workflows.
MIXED MESSAGES: Defendants Discover Informational Texts May Qualify As Solicitations.
Hey TCPAWorld!
Informational texts may qualify as solicitations—the two are not mutually exclusive.
In Germain v. Mario’s Air Conditioning & Heating, Inc., No. 8:23-cv-671-TPB-CPT, 2025 WL 2229885 (M.D. Fla. Aug. 5, 2025), Plaintiff Helena Germain (“Plaintiff”) sued Defendant Mario’s Air Conditioning & Heating, Inc. (“Defendant”) under 47 U.S.C. § 227(c) for allegedly sending her two unsolicited text messages while she was listed on the DNC list. The matter was before the Court on cross-motions for summary judgment.
On March 29, 2024, Plaintiff filed an amended complaint naming Mario’s, SEHS Hvac Mario’s LLC (“SEHS”), and Whitwild Management, LLC (“WWM”) as defendants, and dismissed her claims against Mario’s Air Conditioning & Heating, Inc.
Id. at 2. The parties dispute whether the first text message sent constitutes a telephone solicitation that would establish a TCPA violation.
The first text message sent on September 28, 2022, reads:
Mario’s AC is reminding you to consider flipping off the breaker to your AC unit during a hurricane. We are here for you. 727-306-0182 STOP to end.
Id. at 2. The Court found this text message to be a solicitation, reasoning that messages may serve more than one purpose. “[E]ven if a message is informational, it may also constitute telemarketing[.]” Id. at 3. Here, it was the “We are here for you” language, accompanied by a telephone number, that led the Court to find this to be a solicitation. The combination of these two elements “serves as a pretext to commercial activity and encourages the ultimate purchase or sale of services.” Id. at 3. In the Court’s view, the text did not just include information; it was information with a commercial nexus to the sender’s business.
Plaintiff’s motion for summary judgment was granted.
Messages that appear purely informational can be legally considered telemarketing solicitations if they include elements that encourage commercial activity. Always review your texts for commercial intent, even when the tone is informational.
See you on the next one—TCPAWorld!