CPPA Enforces Delete Act Against Data Brokers
As part of the California Privacy Protection Agency’s (“CPPA”) investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry (the “Registry”), as required under the Delete Act.
On February 20, 2025, the CPPA announced that it brought an enforcement action against Jerico Pictures, Inc., a Florida-based data broker doing business under the name National Public Data. The CPPA is seeking a $46,000 fine against the company for its failure to timely register as a data broker on the Registry. The CPPA has alleged that National Public Data registered as a data broker on September 18, 2024, which is 230 days after the January 31, 2024 registration deadline for data brokers that operated in 2023. The CPPA also asserted that National Public Data only registered on the Registry after the CPPA’s Enforcement Division contacted the company during an investigation. National Public Data experienced a data breach in 2024 which resulted in the 2.9 billion records being exposed, including names and Social Security numbers.
On February 27, 2025, the CPPA reached a settlement with Background Alert, Inc. (“Background Alert”), a California-based data broker for its failure to timely register on the 2025 Registry. The CPPA alleged that Background Alert created and sold profiles about individuals through the website, backgroundalert.com. In particular, the CPPA alleged that Background Alert collected billions of public records, drew inferences from those records to identify individuals who may be associated with other individuals and identified patterns to create profiles about consumers. Per the settlement, Background Alert is required to shut down its operations through 2028 or face a $50,000 fine.
As we previously reported, the CPPA adopted new data broker regulations under the Delete Act in November 2024 that amended existing data broker regulations.
DOJ’S False Claims Act Based Civil Cyber-Fraud Initiative in 2024
The start of a new year presents an opportune time to reflect on the past. We have been tracking and reporting on the U.S. Department of Justice (“DOJ”)’s Civil Cyber-Fraud Initiative (“CCF Initiative”), which former U.S. Deputy Attorney General Lisa O. Monaco announced in October 2021. The CCF Initiative employs the powerful False Claims Act (“FCA”) in an effort to “hold accountable entities or individuals that put U.S. information or systems at risk by (1) knowingly providing deficient cybersecurity products or services, (2) knowingly misrepresenting their cybersecurity practices or protocols or (3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
We previously offered insight into the first two FCA enforcement actions brought under this initiative, then a third, and a fourth. 2024 brought even more.
Towards the end of 2024, on October 22, 2024, DOJ announced an FCA settlement with a major public university relating to its alleged failure to comply with cybersecurity requirements for more than a dozen Department of Defense (“DOD”) and National Aeronautics and Space Administration (“NASA”) contracts and subcontracts. The university agreed to pay $1.25M to resolve allegations that it violated the FCA by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the DOD or NASA. The settlement resolves allegations brought by a chief information officer for the university’s Applied Research Laboratory in October 2022 under the FCA’s qui tam provisions.
The covered conduct includes allegations that the university failed to implement certain cybersecurity controls that were contractually required, and did not adequately develop and implement plans of action to correct deficiencies it identified. Specifically, the allegation was that the university did not implement certain National Institute of Standards and Technology requirements. There were no allegations that a third party ever breached any secured data within the university’s custody; the university’s alleged noncompliance alone was sufficient to fall in DOJ’s crosshairs.
Just a week prior, on October 15, 2024, a government services contractor agreed to pay $306,722 and waive $877,578 in potentially reimbursable remediation costs to settle allegations that it failed to properly protect personally identifiable information and personal health information of Medicare beneficiaries, resulting in a data breach. Despite the contractor promptly notifying Centers for Medicare and Medicaid Services (“CMS”) and cooperating with DOJ investigation, DOJ still pursued a FCA violation. The allegations stemmed from a shift to the electronic handling of “certain Medicare Support services” during the COVID-19 pandemic that the contractor provided to CMS between March 2021 and October 2022. Under its agreement with the CMS, the contractor was required to adhere to the Department of Health and Human Services (“HHS”)’s cybersecurity requirements. However, a subcontractor, whose servers were used to carry out the electronic task, was allegedly not in compliance with HHS’ cybersecurity requirements. Specifically, the subcontractor allegedly took screenshots from CMS systems that contained personally identifiable information and stored the screenshots without encryption, violating HHS’ cybersecurity requirements. Notably, per DOJ, “[t]he subcontractor’s server was breached by a third party in October 2022 and the unencrypted screenshots were allegedly compromised during that breach.”
These two FCA settlements under the CCF Initiative are only the latest reverberations of DOJ’s increased scrutiny on cybersecurity compliance to combat emerging cyber threats. There were others in 2024, including these three that were highlighted in DOJ’s annual recap of its FCA enforcement endeavors:
May 1, 2024: a staffing company agreed to pay $2.7M to resolve allegations that it violated the FCA by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing.
June 17, 2024: two consulting companies agreed to pay a combined $11.3M to resolve allegations that they violated the FCA by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.
August 22, 2024: DOJ filed an Amended Complaint against another major public university, alleging that it failed to meet certain cybersecurity requirements in its performance of DOD contracts. The university has moved to dismiss, and the motion is pending. The university’s argument is that the pertinent contract was for fundamental research and therefore not subject to DOD cybersecurity rules. DOJ contested the notion in its opposition and, as to materiality, took the position that “common sense alone supports the materiality of the cybersecurity requirements Defendants allegedly breached.” The university’s reply primarily dealt with the materials the Court could consider to resolve the issue. The matter is pending.
The enforcement actions brought in 2024 show the breadth of the CCF Initiative. That enforcement actions have been brought even where no breach occurred broadens the scope even more. What 2025 will bring, particularly in light of the administration change (and certain percolating constitutional challenges to components of the FCA), remains to be seen.
Whether the CCF Initiative continues in current form, name, or fervor, it nonetheless underscores the importance for contractors, subcontractors, grantees, and other forms of funding that have agreements with the government to pay close attention to the cybersecurity requirements of such agreements. If have not done so already, companies should consider engaging with counsel in concert with knowledgeable information technology professional (either external or internal) to:
understand their cybersecurity obligations on existing and future U.S. government contracts, subcontracts, grants and other forms of funding,
train employees,
implement information security controls such as access and network restrictions,
invest in and ensure regular compliance with upgrades, patches, and maintenance,
devise incident response plans and ransom strategies, and
operationalize internal whistleblowing.
And should a cyber incident occur, entities need to consider any Federal Acquisition Regulation (“FAR”) and/or agency FAR supplemental clause disclosure requirements in addition to any other Federal and state cyber incident reporting requirements applicable to the incident, e.g., HIPAA.
Broadband Grants Are Still Taxable Income. Will the Broadband Grant Tax Treatment Act Finally Fix It?
In March 2022, we published a blog post explaining that broadband grants are apparently subject to federal income taxation. Three years later, and with $42.5 billion in BEAD grants on the verge of disbursement, nothing has changed.
As discussed in 2022, the taxability of broadband grants seems to be an unplanned quirk of the 2017 Tax Cuts and Jobs Act. Prior to that, broadband grants were generally exempt from taxation based on a favorable IRS interpretation of Section 118 of the tax code. But the Tax Cuts and Jobs Act amended Section 118 to the effect that “contributions to capital” (including grants) made from governmental or civic groups to a corporation are taxable as gross income.
Recent recipients of state and federal broadband grants are already struggling with this. Crucially, the tax bill applies to grants used to cover front-end costs relating to construction of a broadband network, with taxes likely due on the grant before revenues ramp up. If a company receives $50 million in grant funds in 2024 to construct a rural broadband network, the company would need to pay $10 million in taxes on the grant (give or take) in 2025. The very substantial tax bill would come due while the network developer is still building up operations, and may in fact threaten the operational feasibility of the entire project.
Bipartisan legislation has been repeatedly introduced over the past several years to address this issue, to no avail. But on February 24, a bipartisan group of Senators announced the re-introduction of the Broadband Grant Tax Treatment Act, with such varied supporters as Sen. Tim Kaine (D-VA) and Sen. Tommy Tuberville (R-AL). (Notably, the Act would apply to amounts received in taxable years ending after March 11, 2021.)
Broadband providers have reason to be optimistic that the Broadband Grant Tax Treatment Act will finally be enacted this session. But until that occurs, it would be prudent to set aside funds to cover the tax bill associated with broadband grants.
How the New US Antitrust Enforcement Priorities Are Shaping Up
We still have a limited sample—Andrew Ferguson has only been in the FTC Chair role a month, and Gail Slater, Trump’s nominee to head the DOJ Antitrust Division, is just nearing the end of her confirmation process. That said, each is starting to give indications about where enforcement policies and priorities may shift relative to the outgoing leadership at the antitrust agencies—a continued focus on “Big Tech” adding censorship as a competitive harm, more predictability to promote business certainty, and a case-by-case approach to labor market (e.g., non-compete) enforcement. Here’s what we know so far.
Andrew Ferguson – FTC Chair
Andrew Ferguson became FTC Chair immediately after inauguration on Jan. 20, 2025. He was able to assume the role without a confirmation because he was already a sitting Commissioner confirmed by Congress in the spring of 2024. Before joining the FTC, Ferguson served as a solicitor general of Virginia, chief counsel to Sen. Mitch McConnell, and Republican counsel for the Senate Judiciary Committee. He also worked in private practice after clerking for Judge Karen L. Henderson of the D.C. Circuit and U.S. Supreme Court Justice Clarence Thomas.
As Commissioner, Ferguson authored several strong dissents, critical of what he perceived as overstep by the prior FTC majority. On Feb. 20, Chair Ferguson gave a window into his priorities during an interview with Fox Business. From that several themes emerged.
Focus on Big Tech, Consolidation, & Censorship. During his interview, Chair Ferguson was critical of companies with “economic power” that enabled abuses in “social and political ways, like with censorship.” He said he will look to prevent those conditions and confront abuses of such power in the future. Along these lines, Chair Ferguson expressed opinions that Section 230 of the Communications Decency Act, which provides certain immunity to online platforms for third-party content or its removal, was originally intended to promote nascent business but is now used by large platforms to “mistreat ordinary Americans,” and the courts or Congress should address that. When it came to “Big Tech” specifically, he commented that pending FTC cases will continue and “all of Big Tech is going to remain under the microscope” as the authorities hold “Big Tech’s feet to the fire.”
Emphasis on Business Certainty—Especially in Merger Reviews. Chair Ferguson made clear that promoting a “vibrant, innovative economy” is a priority and he sees his part in that as providing clarity and certainty to the business community. Consistent with this statement, Ferguson also issued a memo to FTC Staff on Feb. 18 affirming that the joint FTC and DOJ Merger Guidelines issued in 2023 will continue to guide agency merger analysis. During his interview he stated that the guidelines are “not perfect” and they “push the envelope a bit.” However, he wants to hold off on any changes and base them on future working experience because the Guidelines are generally “consistent with older guidelines” and “case law” in his view. If revisions to the Guidelines are needed, he said they will be done in an “iterative transparent revision process” but he would not “rescind them wholesale.”
Protecting Labor But Still Against the 2024 Non-Compete Ban. Chair Ferguson reiterated his criticism of the FTC’s rule broadly banning non-compete agreements, the validity of which remains the subject of litigation in Ryan LLC v. Federal Trade Commission, No. 24-10951 (5th Cir. Jan. 2, 2025) and Properties of the Villages, Inc. v. Federal Trade Commission, No. 24-13101 (11th Cir. June 21, 2024). (Many commentators have opined they expect the administration to drop its defense of the FTC ban. But even once a third Republican Commissioner is confirmed, defense of the rule in the courts may continue to preserve questions about the FTC’s rulemaking authority for the Supreme Court.) Despite his opposition to the non-compete rule, however, Ferguson said that the FTC’s job is, in part, to “protect workers” because the antitrust laws “protect labor markets.” Favoring case-by-case enforcement, Ferguson emphasized he will be “focusing very intently on attacking anticompetitive conduct that hurts America’s workers” and will look across industries for no poach, no hire, and non-compete agreements that are unlawful under the Sherman Act.
Gail Slater – Nominee to Lead DOJ Antitrust Division
Gail Slater is the President’s nominee for assistant attorney general of the DOJ Antitrust Division. She most recently served as then-Senator JD Vance’s economic policy adviser, and during the last Trump administration she was an advisor on technology issues for the National Economic Council. Slater worked at the FTC for a decade and also worked in-house, including for an internet trade association. On Feb. 12, 2025, the Senate Judiciary Committee held a hearing on Slater’s nomination, giving a first window into what her approach at DOJ might entail.
Tech Focus – Though Current Cases Could be Narrowed. As her background suggests, technology will remain a focus for Slater. She testified that she “will bring a deep understanding of technology markets to the Department as the common thread in my private sector work was technology.” She views antitrust law as playing a key role in fostering innovation and economic freedom. However, she emphasized that enforcement should be a “scalpel” and “requires evidence of anticompetitive conduct and harm to consumers.” Regarding pending DOJ cases against major tech firms, she committed to reviewing the files but noted that “resources are of course a very important consideration in antitrust litigation and taking cases further . . . . It’s very complex civil litigation . . . and costly.”
AI: Traditional Analysis of Component Concentration But Open to More Merger Remedies Generally. Slater seemed undecided about AI technology’s impact on competition, but she did commit to looking at “concentration in the AI technology stack.” During her testimony she also noted there is a “critical need to prevent the monopolization of digital markets,” though in another statement she signaled that under her leadership the Division may be more open to settlements in merger cases when “effective and robust structural remedies can be implemented without excessively burdening the Antitrust Division’s resources.”
Censorship as a Monopolization & Collusion Issue. Like Chair Ferguson, Slater also touched on potential enforcement around censorship. She expressed concern that in highly concentrated markets “anybody’s viewpoint can be quickly throttled or suppressed.” However, Slater also suggested that group boycotts may also be pursued; she noted a recent House Judiciary Committee report describing a trade association’s alleged facilitation of national brands (representing an estimated 90% of domestic ad expenditures) selectively withholding advertising dollars from certain companies.
Non-Competes as a Potential Abuse of Monopoly Power. Slater said she wanted to “depoliticize” the harms from non-compete agreements. She said “this is a growing concern in many parts of the country. It prevents workers from switching jobs easily, which is particularly problematic in highly concentrated markets.”
As the antitrust landscape in the U.S. evolves under new leadership, businesses across industries should stay alert to shifting enforcement priorities and their potential implications.
“The Court’s Work in This Case Should Be Over”: IMC Responds to NCLC’s Effort to Intervene and Revive One-to-One Rule
As TCPAWorld.com readers already know, the NCLC and others attempted to join in the Eleventh Circuit Court of Appeals case involving the FCC’s one-to-one rule.
The NCLC wants the Court to reconsider the ruling striking down one-to-one and get ALL of the judges together on the Eleventh Circuit to rule on the issue.
Well today IMC fired back with a very nice brief explaining why there’s zero chance that should happen.
I am pleased to say they hit all the right notes here.
In particular NCLC’s failure to comply with the Hobbs Act timeframe for intervention feels pretty dang dispositive to Troutman.
The brief also points out that NCLC has already filed briefs in the case–so it has already had its say–plus it shouldn’t be allowed to stand in the shoes of the government (that’s just weird.) And hey look, they can have their say with the Commission as part of remand proceedings anyway– so if they want something done from a policy perspective they can do it there.
Now the last point may ring a bit hollow–just being real– but the other points are well made and dead on. Hopefully the court shuts the door on this pretty frivolous intervention effort.
In fact, in light of this filing I think R.E.A.C.H. will likely NOT be seeking to intervene after all– but need to discuss with the board to make sure.
We’ll keep an eye on this.
Full brief here: Brief Opposing NCLC
America First Investment Policy: U.S. Foreign Investment Policy Evolves under Trump 2.0
Last week, the White House issued a National Security Presidential Memorandum (“NSPM”) intended to address current national security threats while preserving an open environment for international investment.
Key Takeaways: The NSPM outlines further restrictions on investment and M&A activity from foreign adversaries while proposing more favorable treatment for U.S. allies and those firms who distance themselves from these adversaries—in particular, the People’s Republic of China (“PRC”). Going forward, investors and other transaction parties should be aware of three key takeaways from the NSPM:
Further Restrictions on Chinese Investment in the U.S. The NSPM outlines further restrictions on investments (both inbound and outbound) from U.S. adversaries, continuing the policies of Trump 1.0 and the Biden Administration, with a few added wrinkles—namely, explicitly restricting Chinese investment in several key sectors and industries, including technology, critical infrastructure, and healthcare;
New “Fast Track” Process for U.S. Allies. Contemplating a “Fast Track” process for key U.S. allies and recognizing the increasing burdens posed on these allies by the mitigation agreement framework typically relied on by the Committee on Foreign Investment in the United States (“CFIUS”); and
No Greenfield Exception. The NSPM proposes eliminating the “greenfield” exception long relied on by startups and new ventures to bypass CFIUS review for investments in new businesses.
Critically, the NSPM itself does not adopt any regulations or propose a timeline for doing so; we expect CFIUS to potentially initiate a new rulemaking process to implement these objectives in the near term.
Specific Changes to Current CFIUS Framework: The NSPM articulates a multi-pronged approach to foster foreign investment in the United States:
Contours of the New “Fast Track” Process. The NSPM calls for an expedited “fast-track” process, using objective standards to facilitate more investment from allied countries and partner sources in U.S. businesses involved with advanced technology and other important sectors. Several key questions remain. For example, it is unclear how this “Fast Track” would align with the “Excepted Investor” framework for Five Eyes nations, which currently requires entities to satisfy an exhaustive list of criteria—unless CFIUS were to consider some kind of carve-out or preclearance process for these investments. Moreover, it’s possible CFIUS requires transaction parties seeking to utilize this Fast Track process to demonstrate no commercial relationships with U.S. adversaries—something that may be difficult for investment funds with global operations.
Mitigation Agreement Streamlining. The NSPM calls for simplified mitigation agreements that provide clear, actionable steps for compliance, reducing the bureaucratic burden on investors and transaction parties. Although investors from U.S. allies are often frustrated by the breadth and duration of current mitigation agreements, it is not clear if the implementation of the NSPM would provide concrete relief: it is possible a new approach could take the form of simply preventing investors from maintaining relationships with U.S. adversaries (as noted above) and/or outright prohibiting these investments.
Passive Investments. The NSPM continues to encourage truly passive foreign investments (e.g., those investments that do not include certain governance or key information rights), although these investments could attract scrutiny if from foreign adversaries.
Restrictions on Adversarial Investments: The NSPM also outlines several measures to safeguard U.S. national security from investments from key U.S. adversaries:
Restrictions Governing U.S. Companies and Investors. The Secretary of the Treasury, in consultation with the heads of other executive departments as deemed necessary, is directed to establish new rules to prevent U.S. companies and investors from investing in industries that advance the PRC’s national Military-Civil Fusion strategy and prevent PRC-affiliated persons from buying up critical American businesses and assets. As part of the broader review, the Trump Administration (“Administration”) will consider applying restrictions on certain outbound investment types—including private equity, venture capital, greenfield investments, corporate expansions, and investments in publicly traded securities—in the PRC, especially in high technology sectors such as semiconductors, artificial intelligence, and biotechnology.
Further Review of Real Estate Transactions. The Administration plans to further utilize CFIUS to safeguard specific critical American assets, including strategic technology and infrastructure, as well as farmland and real estate near sensitive government facilities, from investment by foreign adversaries.
No Greenfield Exception. The Administration is also committed to strengthening CFIUS authority over “greenfield” investments to restrict foreign adversary access to domestic sensitive technologies, including artificial intelligence. Transaction parties should be aware that eliminating this exception would significantly expand CFIUS’ jurisdiction and expose many more transactions to CFIUS review—including angel and early-stage startup investments.
Privacy Tip #433 – Privacy and Security Personnel Throughout Federal Government Fired
The Trump administration has systematically fired federal privacy- and security-focused employees since taking office.
Three members of the bipartisan, independent agency, the Privacy and Civil Liberties Oversight Board (which was established by Congress in 2004 “to ensure that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties”) were fired on January 27, 2025.
The administration has also fired multiple members of the privacy team and employees who oversee Freedom of Information Act (FOIA) requests from the Office of Personnel Management (OPM), which is the equivalent of the federal government’s human resources department. The firings were discovered when CNN filed a FOIA request with OPM seeking information about the security clearances of Elon Musk and “anyone from the Department of Government Efficiency (DOGE) who has been granted access to sensitive or classified government networks.”
OPM’s response to CNN’s FOIA request, as reported by CNN, was, “Good luck with that they just got rid of the entire privacy team.” In addition to the privacy team and the FOIA response team, the administration fired other members of OPM’s communications staff. Although an OPM official told CNN that the agency did not lay off the entire privacy team, and some of the firings are not effective until April 15, these actions call into question whether OPM can still “ensur[e] the agency’s data privacy practices meet legal requirements and protect the trust of the public” with the sensitive data housed within OPM.
Jonathan Kamens, Information Security Lead at the Department of Veterans Affairs, was also fired. The Associated Press reports that, according to Kamens, sensitive health data of millions of veterans stored on a benefits website is at risk of compromise. Kamens oversaw security for the VA.gov website and was responsible for “securing private health and financial information including bank account numbers and credit card numbers.” According to Kamens, millions use the VA.gov website monthly: “VA.gov has access to a huge number of databases within VA in order to provide all of those benefits and services to veterans, so if that information can’t be kept secure, then all of that information is at risk and could be compromised by a bad actor.” Kamens questioned whether DOGE workers were background-checked to access the data, alleging that “[t]hey’re not confirmed to be trustworthy.”
More recently, 21 DOGE staffers resigned on February 25, 2025, stating that they would not use their “skills as technologists to compromise core government systems, jeopardize Americans’ sensitive data, or dismantle critical public services…We will not lend our expertise to carry out or legitimize DOGE’s actions.” According to the joint resignation letter, the staffers (who had previously been part of the U.S. Digital Service, which was assimilated into DOGE after the inauguration) wrote, “We swore to serve the American people and uphold our oath to the Constitution across presidential administrations. However, it has become clear that we can no longer honor those commitments.”
Earlier in February, about 40 staffers from the Digital Service had been laid off. The resignation letter claimed that “[t]hese highly skilled civil servants were working to modernize Social Security, veterans’ services, tax filing, health care, disaster relief, student aid, and other critical services. Their removal endangers millions of Americans who rely on these services every day. The sudden loss of their technology expertise makes critical systems and American’s data less safe.”
The resigning staffers also alleged that they were interviewed by individuals wearing White House visitors’ badges (some of whom would not identify themselves) about their politics after the inauguration. According to the staffers, these individuals appeared to have “limited technical ability,” and the process “created significant security risks.”
Federal employees focused on privacy and security are tasked with ensuring that all of our data is accessed, used, and disclosed lawfully and that our data is protected and secured using established protocols. It is very uncertain at this time whether these laws and protocols are being followed when so many of these employees have been fired. It is crucial to stay abreast of the impacts these firings will have on the protection of our data and to be able to obtain assurances that proper measures are being taken by DOGE employees who have access to the data.
Lawyers Sanctioned for Citing AI Generated Fake Cases
In another “hard lesson learned” case, on Monday, February 24, 2025, a federal district court sanctioned three lawyers from the national law firm Morgan & Morgan for citing artificial intelligence (AI)-generated fake cases in motions in limine. Of the nine cases cited in the motions, eight were non-existent.
Although two of the lawyers were not involved in drafting the motions, all three e-signed the motions before they were filed. The lawyer who drafted the motions admitted, after the defense counsel raised issues to the court concerning the cited cases, that they used MX2.law to add case law to the motions. MX2.law is “an in-house database launched by” Morgan & Morgan. The lawyer admitted to the court that it was their first time using AI in this way. Unfortunately, they failed to verify the accuracy of the AI platform’s output before filing the motions.
To Morgan & Morgan’s credit, they withdrew the motions, were forthcoming to the court, reimbursed the defendant for attorney’s fees, and implemented “policies, safeguards, and training to prevent another [such]occurrence in the future.”
The court sanctioned all three lawyers. The attorney who drafted the motions and failed to verify the output was sanctioned $3,000 and the other two who e-filed the motions were sanctioned $1,000 each. A hard lesson learned, although by now all attorneys should be aware of the risks of using generative AI tools for assistance with writing pleadings. This is not the first hard lesson learned by an attorney who cited fake cases in a court filing. Check the output of any AI-generated material, whether it is in a court filing or not. In the words of the sanctioning court: “As attorneys transition to the world of AI, the duty to check their sources and make a reasonable inquiry into existing law remains unchanged.”
Trap and Trace Litigation: Why is this a Trend for Plaintiffs’ Attorneys?
Beware of demand letters from plaintiffs’ attorneys for allegations of illegal use of pen registers, trap and trace pixels, and search bar pixels—why? This “trap and trace” litigation is a growing trend for plaintiffs’ attorneys because they can leverage existing wiretap laws (particularly in California under the California Invasion of Privacy Act (CIPA)) to argue that common online tracking technologies like cookies, pixels, and website analytics tools essentially function as trap and trace devices, allowing them to file complaints against companies for collecting user data without proper consent, even though these technologies were originally designed for traditional phone lines, not the internet, opening up a large pool of potential plaintiffs and potentially significant damages.
Section 638.51 of CIPA is the crux of these trap and trace claims. This provision addresses the unauthorized interception of electronic communications and prohibits the installation or use of a pen register or a trap and trace device without first obtaining a court order. Section 638.50(b) defines a pen register as a device or process that records or decodes “dialing, routing, addressing, or signaling information” (DRAS) transmitted by an instrument or facility from which a wire or electronic communication is sent, but does not include the contents of the communication itself. Section 638.50(c) defines a trap and trace device as a device or process that captures incoming electronic impulses to identify the originating number or other dialing information, essentially revealing the source of a wire or electronic communication but not the communication’s content.
Recent decisions in the United States District Courts for the Southern, Central, and Northern Districts of California have encouraged many of these claims (or at least, have sparked a surge in pre-litigation settlement demands from plaintiffs’ attorneys for alleged CIPA violations related to a business’ use of common website technologies).
A violation of the CIPA wiretapping provision (section 631(a)) requires the plaintiff to show a real-time interception of a “communication,” which is often difficult for a plaintiff to prove. However, pen registers and trap and trace devices do NOT require real-time interception but are limited to the collection of DRAS.
When you think of pen registers and trap and trace devices, you probably think of devices law enforcement uses to record all outgoing and incoming telephone numbers from specific telephone numbers. However, the court’s ruling in Greenley v. Kochava, 684 F. Supp. 3d 1024 (S.D. Cal. 2023) gave rise to a different type of trap and trace claim related to website tracking technology.
In Greenley, the plaintiff claimed that Kochava (a company that offers real-time data solutions specializing in omnichannel measurement and attribution for marketers) installed an illegal pen register; of course, Kochava insisted that its software did not constitute a pen register. The court in the Southern District of California held that a software development kit used to collect user data from mobile apps could be considered a pen register under the Communications Act, meaning that the company collecting the data could be liable for violating privacy laws by collecting this information without proper consent, as the court interpreted the definition of pen register to include software processes that identify and track users through data collection and correlation, not just physical devices.
The court specifically stated that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.”
Under this interpretation, almost any device that communicates using the Internet Protocol, like cell phones and websites, could potentially be considered a pen register, significantly expanding the scope of surveillance technology.
In Moody v. C2 Education Systems Inc., No. 2:24-CV-04249-RGK-SK, 2024 WL 356167 (C.D. Cal. July 25, 2024), the plaintiff alleged that C2 Education Systems (an online tutoring program) violated CIPA by installing the TikTok marketing pixel and collecting the plaintiff’s information without prior consent. C2 disagreed and argued it was the website’s user and that C2 gave TikTok consent to install pixel technology on the website. CIPA has an exception for using pen registers and trap and trace devices “if the consent of the user of that service has been obtained.” While the court did find C2’s position persuasive, it did not “foreclose the possibility that Plaintiff is the relevant user under California law.” The court held that the plaintiff’s allegations about the pixel’s data collection capabilities were plausible enough to proceed with the case.
Additionally, in Shah v. Fandom, Inc., No. 24-CV-01062-RFL, 2024 WL 4539577 (N.D. Cal. Oct. 21, 2024), the court held that the definition of pen register specifies the type of data a pen register collects as “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” However, the court also determined that CIPA is ambiguous about the collection tool, which is only described as “a device or process.” The court held that the plaintiffs sufficiently alleged that the website tracking technology could “at least” be a “process” because the software identifies the consumer, gathers data, and correlates that data. This broadened the definition of pen register beyond law enforcement’s common use of such devices.
While these cases are unsettled, their advancement past the pleading stage will likely lead to increased filings and demands related to website tracking technologies such as pen registers. Now is the time to assess your business’ website and address these emerging and increasing risks to deflect trap and trace litigation.
DOGE Blocked from Access to Department of Treasury Payment Systems
On February 21, 2025, a federal district court judge from the Southern District of New York issued a preliminary injunction against the Department of Government Efficiency’s (DOGE), access to Treasury Department payment systems, stating access was provided in a “chaotic and haphazard manner.” The order resulted from a suit filed by 19 state Attorneys General against DOGE for unauthorized access to Americans’ data. It prevents anyone affiliated with DOGE from accessing federal payment systems until further order.
According to the 64-page opinion, the judge was critical of the “‘rushed’ process by DOGE to access Bureau of Fiscal Service’s payment systems, which stores the names, Social Security numbers, birth dates, birth places, home addresses and telephone numbers, email addresses, and bank account information of Americans who have transacted with the federal government.”
The District Court also noted that “[t]he record is silent as to what vetting or security clearance process they went through prior to their appointment” and reported being “troubled by the fact that Elez [a DOGE associate] was apparently granted full access to [Bureau of Fiscal Service] systems rather than read-only access, writing that that process was ‘rushed and undertaken under political pressure.’” We have made a similar observation.
The Court requested that the Treasury Department provide a report by March 24, 2025: (1) certifying that the DOGE associates have been vetted, have obtained proper security clearances, and have been properly trained; and (2) setting forth the mitigation measures which have been taken to minimize threats associated with the access, including the reporting chains for DOGE within the Treasury Department.
The ruling stated that “[t]he process by which the Treasury DOGE Team was appointed, brought on board, and provided with access to [Bureau of the Fiscal Service] payment systems could have been implemented in a measured, reasonable, and thoughtful way. To date, based on the record currently before the Court, it does not appear that this has been the case.”
WAS THE FCC HACKED?: Tenlyx Respnse to FCC $4.5M NAL Over Scam Robocalls Hits Home
So Telnyx filed its response to the FCC’s $4.5MM NAL today and it is an incredibly interesting saga.
For those of you just catching up, Telnyx is a carrier that apparently allowed an outfit known as “MarioCop” onto its network.
MarioCop was able to target major players at the FCC–we’ll get just how major in a second–with a robocall scheme pretending to be an FCC fraud detection service. Ultimately the scammers were apparently trying to convince FCC staffers to fall for a gift card scam.
WHAT EVEN IS KYC?: Telnyx LLC CEO is Fighting Back Against Proposed $4.5MM FCC Penalty–and He Kind of Has A Point
If that sounds like a longshot, it is.
And Telnyx CEO David Casem has suggested his company was intentionally “swatted” by MarioCop who brought the FCC heat down on it.
But in this company’s NAL response–out today– Telnyx raises another issue that is jut fascinating– how did MarioCop have the personal cell phone numbers of so many FCC staffers to begin with?
As the NAL response says:
Commission employees (current and past) and their families were the primary and intentional targets of the calls placed by MarioCop. The persons reached include the current Chairman of the Commission, the Chairman of the Commission during President Trump’s first term, one current commissioner, numerous chiefs of staff, legal and policy advisors in the offices of all of the current commissioners and the last two Commission chairs, members of the front offices of the Enforcement Bureau, the Office of General Counsel, the Wireline Competition Bureau, the Office of the Managing Director, and staff attorneys of such bureaus and divisions, family members of Commission personnel, and other government officials and industry participants in the telecom policy ecosystem.
Wow.
As the response points out, “personal cell phone numbers of Commission personnel are not made publicly available by the agency, and the identities and personal cell phone numbers of their family members are not, either.”
So how in the world did MarioCop get all those phone numbers?
Hmmmm.
The answer to that question is just one of many lurking behind the FCC’s actions against Telnyx. And while it is tempting to say Telnyx must have done something wrong because ipso facto when the FCC gets targeted with a robocall scam the carrier is to blame, thee is more here than meets the eye.
Full response here: Telnyx Response
Press release here: Telnyx Press Release
SEC Withdraws from Prominent Crypto Enforcement Amid Regulatory Shift
Just over one month into the second Trump Administration, the crypto industry appears poised to notch yet another victory in its longstanding tug-of-war with regulators — perhaps its most significant to date. On February 21, Coinbase Chief Legal Officer Paul Grewal announced via blog post that the U.S. Securities and Exchange Commission (“SEC”) is set to drop its enforcement action against the company. The lawsuit, which claimed that the company had failed to fulfill registration requirements, has been one of the SEC’s highest-profile crypto cases.
The post stated that the SEC had “agreed in principle” to dismiss the case. The action must still be approved by the three sitting SEC commissioners, including Commissioner Hester Peirce and Acting Chair Mark Uyeda, both of whom have previously expressed crypto-friendly views.
This development comes on the heels of announcements from other crypto companies revealing that the SEC has voluntarily closed investigations into their activities. On February 21, OpenSea, the largest NFT marketplace, announced via a post on X that the SEC had closed an investigation into its operations. On February 24, the crypto arm of trading platform Robinhood announced that the SEC had closed its investigation into the company.
Background of the Case
The SEC filed its enforcement action against Coinbase in June 2023 under former-Chair Gary Gensler, alleging that the crypto platform violated securities laws by failing to register itself as a broker, exchange and clearing agency, as well as certain purported offers and sales of securities through its Staking Program. The case centered on the longstanding debate over whether and when digital assets should be classified as securities. Although the company was in the process of pursuing interlocutory review of this question in the U.S. Court of Appeals for the Second Circuit, the SEC’s apparent decision to drop the case would preclude an appellate showdown.
A Shift in Regulatory Approach
Acting Chair Mark Uyeda has stated his goal of developing a “sensible regulatory path” for digital assets, moving away from the aggressive enforcement tactics seen under former-Chair Gensler. Uyeda’s reforms include:
Establishing a “Crypto Task Force” led by Commissioner Peirce to address digital asset policies and pursue greater regulatory clarity. For more details on the Crypto Task Force’s initiatives, see our previous discussion here.
Replacing the SEC’s Crypto Assets and Cyber Unit with the Cyber and Emerging Technologies Unit, a smaller team targeting cyber-related misconduct. Commissioner Peirce indicated in a recent statement that while the SEC aims to provide greater legal clarity, it will not be giving crypto projects a free pass. She expressed that the agency’s aim is to “travel to a destination where people have great freedom to experiment and build interesting things” with no tolerance for “liars, cheaters, and scammers.”
Pausing or reviewing several ongoing crypto cases, indicating that the agency is open to halting certain active enforcement matters or pursuing constructive resolutions.
Looking Ahead
The SEC’s willingness to step away from ongoing enforcement investigations and actions underscores the changing regulatory landscape for crypto under the current administration. Rather than “slamming on the enforcement brakes,” as Commissioner Peirce put it, the agency now appears committed to working with stakeholders to develop forward-looking legislation and a clearer regulatory framework for the burgeoning industry.
For crypto companies navigating uncertain regulatory waters, this development may signal the beginning of a more collaborative era – but not one without scrutiny. Commissioner Peirce has cautioned that “SEC rules will not let you do whatever you want, whenever you want, however you want. Some of these rules will impose costs and other compliance burdens . . . and the Commission will use its enforcement tools when necessary to pursue noncompliance.” As the Crypto Task Force advances its work, further developments in crypto regulation and enforcement are expected in the months ahead.