U.S. Senate Advances KOSMA Bill Targeting Social Media Use by Minors
Varnum Viewpoints:
KOSMA Restrictions: The Kids Off Social Media Act (KOSMA) aims to ban social media for kids under 13 and limit targeted ads for users under 17.
Bipartisan Support & Opposition: While KOSMA has bipartisan backing, critics argue it could infringe on privacy and First Amendment rights.
Business Impact: KOSMA could affect companies targeting minors, requiring compliance with new privacy regulations alongside existing laws like COPPA.
While COPPA 2.0 and KOSA are discussed more frequently when it comes to protecting the privacy of minors online, the U.S. Senate is advancing new legislation aimed at regulating social media use by those 17 and under. In early February, the Senate Committee on Commerce, Science and Transportation voted to advance the Kids Off Social Media Act (KOSMA), bringing it closer to a full Senate vote.
KOSMA Restrictions
KOSMA would prohibit children under 13 from accessing social media. Additionally, social media companies would be prohibited from leveraging algorithms to promote targeted advertising or personalized content to users under 17. Further, schools receiving federal funding would be required to limit the use of social media on their networks. The bill would also grant enforcement authority to the Federal Trade Commission and state attorneys general.
Bipartisan Support & Opposition
KOSMA has received bipartisan support, with advocates such as Senator Brian Schatz (D-HI), who introduced the bill in January, citing the growing mental health crisis amongst minors due to social media use. Supporters argue that while existing laws like COPPA protect children’s data, they do not adequately address the considerations of social media since they predate the platforms. However, much like similar state laws that have come before it, KOSMA is rife with opposition as well. Opponents argue that this type of regulation could erode privacy and impose unconstitutional restrictions on young people’s ability to engage online. Instituting a ban as opposed to mandating appropriate safeguards, opponents argue, infringes on First Amendment rights.
Business Impact
Although KOSMA only applies to “social media platforms,” the definition of this term could be interpreted broadly and potentially include many companies that publish user-generated content within the scope of KOSMA’s restrictions. KOSMA identifies specific types of companies that would be exempt from the definition of social media platforms, such as teleconferencing platforms or news outlets. If KOSMA were to go into effect, companies across the country that are knowingly collecting data from minors or targeting them with personalized content or advertising would have an additional layer of regulatory consideration when assessing their privacy practices pertaining to the processing of data related to minors—on top of existing federal and state laws.
Congress Extends Certain Telehealth Flexibilities Through March 31, 2025
Overview
KEY UPDATE
At the close of 2024, US Congress passed a short-term extension of Medicare telehealth flexibilities as part of the American Relief Act, 2025 (ARA). The Medicare telehealth waivers, originally enacted as part of the COVID-19 public health emergency (PHE) and subsequently extended through legislation, were set to end on December 31, 2024. These flexibilities, along with the Acute Hospital Care at Home waiver program, are now set to expire March 31, 2025. The ARA failed to extend other waivers, such as the temporary safe harbor for high-deductible health plans (HDHPs) to provide first-dollar coverage of telehealth without interfering with health savings account (HSA) eligibility. While the short-term extension provides continued access to telehealth for Medicare patients, stakeholders should continue to engage with Congress for a more permanent solution.
WHY IT MATTERS
The ARA extension is limited to certain Medicare policies and is only effective through March 31, 2025. Some bipartisan policies, such as the extension of the telehealth HDHP safe harbor, were not included in the ARA. Additionally, the flexibilities related to coverage of cardiac and pulmonary rehabilitation services provided via telehealth were not extended.
The extension indicates bipartisan support for continuing coverage for telehealth services, but the short timeline warrants continued stakeholder engagement for the extension and eventual permanence of the Medicare telehealth flexibilities and reinstatement of the HDHP safe harbor. As the new administration takes office, it is unclear where telehealth will fall on the list of priorities.
In Depth
Historically, Medicare has provided coverage for telehealth services in instances where patients would otherwise be geographically distant from approved providers (e.g., physicians, nurse practitioners, and clinical psychologists). Section 1834(m) of the Social Security Act provides that telehealth services are covered if the beneficiary is seen:
At an approved “originating site” (e.g., physician office, hospital, or skilled nursing facility) that is located within a rural health professional shortage area that is either outside of a metropolitan statistical area (MSA), in a rural census tract, or in a county outside of an MSA
By an approved provider
For a defined set of services
Using certain telecommunications technologies.
Many of these Medicare restrictions regarding coverage and payment for telehealth services were waived via authority delegated in the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Congress subsequently extended the waivers in other pieces of legislation, including the Consolidated Appropriations Act (CAA) 2022 and CAA 2023, with the flexibilities most recently set to expire on December 31, 2024.
The ARA extended the following Medicare flexibilities through March 31, 2025:
Geographic restrictions and originating sites. Patients’ homes will continue to serve as eligible originating sites for all telehealth services (ARA § 3207(a)(2)). Geographic restrictions also remain waived (ARA § 3207(a)(1)).
Eligible practitioners. The expanded definition of the term “practitioner” will continue to apply. The expanded definition includes qualified occupational therapists, physical therapists, speech-language pathologists, and audiologists (ARA § 3207(b)).
Audio-only. Audio-only telehealth services remain eligible for reimbursement (ARA § 3207(e)).
Extending telehealth services for federally qualified health centers (FQHCs) and rural health clinics (RHCs). The US Department of Health and Human Services will cover telehealth services furnished via FQHCs and RHCs to eligible individuals (ARA § 3207(c)).
In-person requirements for mental health. The in-person requirement for mental health care to be reimbursed under Medicare has been delayed until April 1, 2025 (ARA § 3207(d)(1)).
Telehealth for hospice. Telehealth can continue to be used for the required face-to-face encounter prior to the recertification of a patient’s eligibility for hospice care (ARA § 3207(f)).
The ARA also extended the Acute Hospital Care at Home waiver program through March 31, 2025. In the midst of the PHE, the Centers for Medicare & Medicaid Services (CMS) used its PHE flexibilities to issue waivers to certain Medicare hospital conditions of participation (CoPs). These waivers, along with the PHE-related telehealth flexibilities, allowed Medicare-certified hospitals to furnish inpatient-level care in patients’ homes. Addressing hospital bed capacity during the pandemic was a high priority for CMS. These waivers and flexibilities, collectively referred to as the AHCAH Initiative, included:
Waiver of the CoP requiring nursing services to be provided on-premises 24 hours a day, seven days a week.
Waiver of the CoP requiring immediate on-premises availability of a registered nurse for care of any patient.
Waiver of CoPs that define structural and physical environment criteria specific to the hospital setting.
Telehealth flexibility allowing the home or temporary residence of an individual to serve as an originating telehealth site.
Telehealth flexibility allowing a hospital to use remote clinician services in combination with in-home nursing services to provide inpatient-level care in the patient’s home.
As with the Medicare telehealth flexibilities, these had been previously extended through December 31, 2024.
Notable flexibilities that expired or were absent from the ARA include the following:
The telehealth safe harbor for HDHPs. The CARES Act created a temporary safe harbor that permitted HDHPs to cover telehealth and remote care services on a first-dollar basis without jeopardizing eligibility for HSA contributions. By permitting health plans to provide HDHP participants coverage for telehealth services without requiring them to first meet the minimum required deductible, the safe harbor increased access to telehealth services. Additionally, covered individuals who received these services were still able to make or receive contributions to their HSAs because telehealth services were temporarily disregarded in determining eligibility for HSA contributions. Previously, the telehealth HDHP safe harbor ceased for three months from January 1, 2022, to March 31, 2022, before the CAA 2022 renewed it. Most recently extended by the CAA 2023, the telehealth safe harbor for HDHPs expired on December 31, 2024. Starting on January 1, 2025, health plans, insurers, and health plan vendors that previously relied on the telehealth HDHP safe harbor may need to update telehealth coverage for HDHP participants, such as updating plan design and/or cost sharing, to prevent disqualifying HDHP participants from making or receiving HSA contributions.
The SPEAK Act, which would establish a task force to improve access to health IT for non-English speakers.
The PREVENT DIABETES Act, which would broaden access to diabetes prevention services through the Medicare Diabetes Prevention Program.
The Sustainable Cardiopulmonary Rehabilitation Services in the Home Act, which would permanently codify cardiopulmonary rehabilitation Medicare telehealth flexibilities.
With the March 31, 2025, deadline in the not-too-distant future, stakeholders should continue to engage with Congress regarding an extension and permanent solution for the telehealth flexibilities, reinstatement of flexibilities that expired, and inclusion of the other bipartisan telehealth policies that were not included in the final ARA.
Lisa Mazur, Sarah G. Raaii, and Dale C. Van Demark contributed to this article.
Indiana Department of Revenue Determines that Video Game Enhancement Offerings are Not Subject to Sales Tax
The Indiana Department of Revenue (“Department”) determined last month that a video game publishing company’s sales from optional video game enhancement features were not subject to sales tax in Indiana. Ind. Rev. Rul. No. 2024-04-RST (Jan. 7, 2025).
The Facts: A non-Indiana video game publisher (the “Company”) sells optional video game features that enhance gameplay experience. The Company does not sell video games itself; rather, video game sales are made by a related entity of the Company. After a video game is purchased, the Company offers three optional features to the video game purchaser: (1) a monthly online subscription that allows the purchaser to play the video game online and in a multi-player setting; (2) in-game items, such as character costumes and weapons; and (3) virtual currency that the purchaser can use to pay for a monthly subscription or in-game items.
The Company requested that the Department issue a revenue ruling regarding the applicability of Indiana’s sales tax on its offerings. The Department did and determined that the Company’s offerings are not subject to the State’s sales tax.
The Law: Indiana imposes a sales tax on retail transactions made in the State and on certain specified services delivered in the State. Indiana tax law generally defines a retail transaction as a transfer of tangible personal property in the ordinary course of business and also sets forth specific examples of “retail transactions.”
Relevant here, transfers of prewritten computer software, whether delivered electronically or in a tangible medium, are retail transactions subject to sales tax. Sales tax is not imposed, however, on transactions that merely provide a right to remotely access prewritten computer software over the Internet or on sales of software as a service. Thus, if the transaction does not result in the purchaser having a possessory or ownership interest in the software, then sales tax does not apply.
In addition to transfers of prewritten computer software, electronic transfers—which grant a right of permanent use to an end user—of digital audio works, digital audiovisual works, and digital books are subject to sales tax. “Digital audio works” include works such as songs and ringtones, “digital audiovisual works” include works such as movies, and “digital books” include works that are generally recognized in the ordinary and usual sense as books. These are the only digital products on which Indiana imposes sales tax.
The Ruling: In determining whether the Company’s sales were subject to sales tax, the Department analyzed the Company’s offerings under the above provisions. Ultimately, the Department ruled that the Company’s sales of monthly subscriptions, in-game items, and virtual currency are not subject to sales tax because the sale of such items does not fit into Indiana’s definition of a “retail transaction,” and the items do not fall within the enumerated services on which Indiana imposes sales tax. The Department reasoned that the Company’s offerings are neither tangible personal property nor do they fall within the definitions of digital audio works, digital audiovisual works, or digital books.
The Takeaway: This revenue ruling is helpful for taxpayers to better understand how the Department interprets Indiana’s sales tax law to apply to these digital transactions. While the revenue ruling applies only to the Company’s facts and circumstances as described, the ruling expressly states that other taxpayers with substantially identical factual situations may rely on the ruling in preparing returns and making tax decisions. Furthermore, taxpayers can and should use revenue rulings to try to persuade taxing authorities that their position is the correct one.
READ ALL ABOUT IT: Reuters Faces Privacy Lawsuit But The Court Finds No Story To Tell
Greetings CIPAWorld!
Buckle up because this one’s a big deal. If you’ve been keeping an eye on data privacy litigation, you know courts have been drawing a hard line when it comes to proving harm. The Southern District of New York just handed Reuters a win in Zhizhi Xu v. Reuters News & Media Inc., No. 24 Civ. 2466 (PAE), 2025 U.S. Dist. LEXIS 26013 (S.D.N.Y. Feb. 13, 2025), dismissing a lawsuit accusing the media giant of unlawfully collecting users’ IP addresses through web trackers. The case centered on alleged violations of the California Invasion of Privacy Act (“CIPA”), which ultimately fell apart due to a lack of standing. The Court ruled that Plaintiff failed to show any concrete harm—essential for a lawsuit to survive in federal court. If there’s one thing federal courts don’t have time for, it’s speculative injury.
So, what’s the news flash? Plaintiff, a California resident, filed a putative class action against Reuters, alleging that the company embedded web trackers—Sharethrough, Oinnitag, and TripleLift—on its news website. According to Plaintiff, these trackers automatically install on users’ browsers, collect their IP addresses, and transmit that information to third parties for advertising and analytics purposes. Think of it like an invisible footprint—Plaintiff asserted that Reuters tracked him without his consent, leaving behind digital breadcrumbs that were quietly collected and shared. Plaintiff claimed this amounted to a violation of CIPA Section 638.51(a), which prohibits the installation of a “pen register or trap and trace device” without a court order. In response, Reuters quickly moved to dismiss the case, arguing that Plaintiff lacked standing because he had not suffered any tangible injury. The company maintained that collecting an IP address alone—without any evidence of targeted ads or misuse—did not meet the threshold for a privacy violation. In other words, if a tree falls in the digital forest and no one hears it, does it really make a sound? Well, it depends. Like any good law school exam answer, context is everything. Are we talking about mere data collection, or has someone actually suffered harm? Courts don’t deal in hypotheticals—they want to see real, measurable impact. Without proof that Reuters’ data collection led to some kind of concrete harm, the Court wasn’t willing to entertain a privacy violation claim based on mere technicalities.
As such, Judge Paul A. Engelmayer sided with Reuters and dismissed the lawsuit under Rule 12(b)(1) for lack of Article III standing. The ruling echoes a growing trend in data privacy cases: collecting an IP address without more doesn’t trigger a legally recognizable harm. In TransUnion L.L.C. v. Ramirez, 594 U.S. 413, 424 (2021), the Court reaffirmed that a plaintiff must demonstrate a concrete injury to establish standing in federal court. The Court emphasized that IP addresses are not inherently sensitive or private information; an IP address functions primarily as routing data rather than revealing the contents of a user’s communication. The Court relied on Heeger v. Facebook, Inc., 509 F. Supp. 3d 1182, 1188 (N.D. Cal. 2020), which held that collecting IP addresses alone does not constitute a privacy invasion. Plaintiff did not allege that he received targeted ads, suffered financial harm, or had his identity compromised due to Reuters’ data collection.
Conversely, the Court noted cases like McClung v. AddShopper, Inc., No. 23-cv-01996-VC, 2024 WL 189006, at *1 (N.D. Cal. Jan. 17, 2024), where the defendant’s data collection led to unwanted marketing. That’s the key difference—Plaintiff’s data was allegedly collected, but nothing really happened as a result. Compare that to cases where companies have blasted users with personalized ads based on the data they grabbed. The Court found no historical or legal precedent equating collecting an IP address to a recognized harm like defamation, intrusion upon seclusion, or public disclosure of private facts, noting Liau v. Weed Inc., No. 23 Civ. 1177 (S.D.N.Y. Feb. 22, 2024), which found that an IP address does not constitute “personal information” for privacy claims.
This ruling isn’t just a one-off—it’s part of a larger judicial pattern I’m seeing increasingly. The courts send a message: statutory violations alone won’t cut it in federal court. This aligns with decisions like Lightoller v. JetBlue Airways Corp., No.: 23-cv-00361-H-KSC, 2023 WL 3963823, at *3 (S.D. Cal. June 12, 2023), where the Court held that a mere statutory violation under CIPA does not establish standing without an actual, concrete harm. Plaintiff’s attempt to claim a privacy right over his IP address fell flat, as the Court reiterated that voluntarily conveyed addressing information does not trigger constitutional standing concerns. If plaintiffs want to bring CIPA or similar claims in federal court, they must show tangible harm—like unwanted targeted ads, identity theft, or direct financial consequences.
Law school lecture 101: Federal standing isn’t just some procedural hurdle—it’s the gatekeeper to the courtroom, and judges are making it clear that not all claims get past the front door. Just because a statute grants a right doesn’t mean plaintiffs automatically have standing in federal court. That’s the real kicker here. Courts are increasingly skeptical of claims that hinge on technical violations without real-world consequences. If the only harm is theoretical, don’t expect a federal judge to bite. This ruling doubles down on that message: if you want your case to survive, show the court some real, measurable damage. Otherwise, your complaint might as well be a hypothetical from law school.
What is more, this case aligns with other recent dismissals of privacy lawsuits that fail to show real harm. There’s a growing judicial skepticism of privacy claims that rest on bare statutory violations. Courts are signaling that mere technical violations of privacy statutes won’t cut it—plaintiffs must demonstrate how they were harmed. And this makes sense. Privacy is a big deal, but without actual damage, courts don’t want to police every instance of data collection. It’s the legal equivalent of “no harm, no foul.”
So, where do we go from here? The battle over what qualifies as ‘concrete injury’ in data privacy cases isn’t going away anytime soon. Expect more lawsuits, more motions to dismiss, and more courts refining the boundaries of what actually constitutes harm in data privacy.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
NewsBank Hit with Class Action over Employee Data Breach
Last week, a class action was filed against NewsBank, Inc., a Florida-based news database company, related to a 2024 breach of employee personal information.
NewsBank provides a database of archived news publications utilized by libraries, higher education institutions, and other organizations. NewsBank suffered a security incident affecting its employees’ personal information between June and July 2024.
The lead plaintiff claims that, as an employee of NewsBank from January 2023 to November 2024, they were required to provide their personal information (i.e., name, date of birth, Social Security number, and financial account information) as part of their employment.
The lead plaintiff alleges they now face a heightened risk of identity theft due to the breach. The complaint states, “Plaintiff and class members must now and for years into the future closely monitor their medical and financial accounts to guard against identity theft. The risk of identity theft is not speculative or hypothetical but is impending and has materialized as there is evidence that the plaintiff’s and class members’ private information was targeted, accessed, has been misused, and disseminated on the dark web.” The lawsuit alleges claims of negligence, breach of implied contract, and breach of fiduciary duty.
Additionally, the lawsuit alleges that NewsBank failed to follow its policies, including those outlined in its website Privacy Policy, stating that NewsBank had implemented security procedures to protect personal information from unauthorized access, use, and disclosure.
The class seeks over $5 million in damages and injunctive relief, requiring NewsBank to implement enhanced security measures and provide affected individuals with lifetime identity theft protection services. The complaint alleges that “[o]nce private information is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or contained against future misuse [. . . ] For this reason, plaintiff and class members will need to maintain these heightened measures for years, and possibly their entire lives, as a result of defendant’s conduct.”
Privacy Tip #432 – DOGE Sued for Unauthorized Access to Our Personal Information
The Department of Government Efficiency’s (DOGE) staggering unfettered access to all Americans’ personal information is highly concerning. DOGE employees’ access includes databases at the Office of Personnel Management, the Department of Education, the Department of Health and Human Services, and the U.S. Treasury.
If you want more information about the DOGE employees who have access to this highly sensitive data, Wired and KrebsOnSecurity have provided fascinating but disturbing accounts.
Meanwhile, New York and other states have filed suit against DOGE, alleging that the unfettered access to the federal databases is a privacy violation. On February 14, 2025, a New York federal judge found “good cause to extend a temporary restraining order” stopping DOGE employees from accessing U.S. Treasury Department databases. However, the next day, another federal judge in Washington, D.C., denied a request to stop DOGE from accessing the databases of the Department of Labor, the Department of Health and Human Services, and the Consumer Financial Protection Bureau. That means that DOGE employees now have access to the sensitive health and claims information of Medicare recipients, as well as the identities of individuals who have made workplace health and safety complaints. NBC News has reported that “the Labor Department authorized DOGE employees to use software to remotely transfer large data sets.”
Currently, 11 lawsuits have been filed against DOGE over access to sensitive information in federal databases, alleging that the access violates privacy laws. The databases include student loan applications at the Department of Education, taxpayer information at the Department of the Treasury, and the personnel records of all federal employees contained in the database of the Office of Personnel Management, the Department of Labor, the Social Security Administration, FEMA, and USAID.
According to a plaintiff, the potential to misuse Americans’ personally identifiable information “is serious and irrevocable….The risks are staggering: identity theft, fraud, and political targeting. Once your data is exposed, it’s virtually impossible to undo the damage.” We will be closely watching the progress of these suits and their impact on the protection of our personal information.
Texas AG Investigates DeepSeek + List of Banned Countries Expands
Texas Attorney General Ken Paxton announced on February 14, 2024, that his office has opened an investigation into DeepSeek’s privacy practices. DeepSeek, an artificial intelligence company with ties to the People’s Republic of China, has been banned on state-owned devices in Texas, New York, and Virginia. The Pentagon, NASA, and the U.S. Navy have also prohibited employees from using DeepSeek.
According to Paxton’s press release, he has notified DeepSeek “that its platform violates the Texas Data Privacy and Security Act.” He sent civil investigative demands to tech companies to obtain information about their analysis of the application and any documentation DeepSeek forwarded to the tech companies before they were offered to consumers.
DeepSeek has been banned in Italy, South Korea, Australia, Taiwan, and India.
Joint Cybersecurity Advisory Released on Ghost (Cring) Ransomware
The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.
According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
The advisory urges organizations to:
Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.
Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.
Is Your Business Trapped? The Rise of “Trap and Trace” Litigation
Almost every business has a website; every website should have a privacy policy, terms of use, and, in some cases, a consumer privacy rights notice—if certain state consumer privacy rights laws apply to your business, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively CCPA). What about a cookie policy? Or a cookie consent banner? Or a cookie preferences pop-up? If you haven’t looked at what types of ad tech your website uses—i.e., cookies, pixel tags, device IDs, and browser fingerprinting technologies that collect data about user behavior across multiple devices and platforms, which are essential for targeted advertising online—now is the time.
“Trap and trace” litigation and private demands for damages related to online tracking have risen significantly. “Trap and trace” litigation is related to the ad tech used on websites involving online trackers that plaintiffs’ attorneys liken to “pen registers” under state wiretap laws. These technologies allegedly collect website users’ device information and activities without their consent, which plaintiffs’ attorneys argue constitutes unauthorized interception of electronic communications under various wiretap laws. Here are some key considerations to assess your company’s website and ad tech:
Unauthorized Interception: the use of third-party trackers in ad tech is being construed as an intentional interception of electronic communications, similar to how pen registers and trap and trace devices operate by capturing dialing, routing, addressing, or signaling information.
Legal Risks: the use of such technologies without clear consent or transparency can lead to legal and reputational risks for your business, not to mention demands from plaintiffs’ attorneys seeking quick settlement in this unsettled area of the law, as well as class actions seeking millions of dollars in damages.
State Wiretap Laws: state wiretap laws, such as California’s Invasion of Privacy Act and Massachusetts’s Wiretap Act, have been adapted to address online tracking methods. These laws prohibit unauthorized interception of electronic communications, and plaintiffs’ attorneys are alleging that using online trackers could potentially violate these laws.
Privacy Rights: the use of certain ad tech may also constitute a privacy rights violation under state consumer privacy rights laws, like the CCPA.
Impossibility of Obtaining Prior Consent: the way most ad tech is set up to function means that website users’ data and activity are tracked instantaneously upon visiting the website, which prevents the business from obtaining prior consent (i.e., acceptance of website cookies) before the tracking begins. Knowing how to program your website’s ad tech properly is vital in steering clear of these claims and lawsuits.
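One way to hold third-party trackers back until the visitor has actually opted in, as an added example that is not part of the original post (the tracker names, categories and script URLs are placeholder assumptions, not real vendors):

```javascript
// Added example (not from the original post): a minimal consent gate so that
// no third-party tracker script is injected before the visitor opts in.
// Tracker ids, categories and URLs are placeholders, not real vendors.
const TRACKERS = [
  { id: "analytics-pixel", category: "analytics", src: "https://tracker.example/analytics.js" },
  { id: "ad-pixel", category: "advertising", src: "https://tracker.example/ads.js" },
];

// `inject` performs the actual script insertion; it is swapped for a recorder
// outside a browser so the gate logic can be exercised without a DOM.
function createConsentGate(trackers, inject) {
  const consent = { analytics: false, advertising: false };
  const loaded = new Set();

  function applyConsent() {
    for (const t of trackers) {
      // Only categories the visitor explicitly granted are loaded, and each
      // script is injected at most once even if consent is granted repeatedly.
      if (consent[t.category] === true && !loaded.has(t.id)) {
        inject(t);
        loaded.add(t.id);
      }
    }
  }

  return {
    // Record an opt-in for the given categories, then load what is now allowed.
    grant(categories) {
      for (const c of categories) {
        if (Object.prototype.hasOwnProperty.call(consent, c)) consent[c] = true;
      }
      applyConsent();
      return Array.from(loaded);
    },
    loadedIds() { return Array.from(loaded); },
    // Trackers still held back pending consent.
    pendingIds() { return trackers.filter((t) => !loaded.has(t.id)).map((t) => t.id); },
  };
}

// Browser injector: appends the vendor script only when called by the gate.
function domInjector(t) {
  const s = document.createElement("script");
  s.src = t.src;
  s.async = true;
  document.head.appendChild(s);
}

// In a page: const gate = createConsentGate(TRACKERS, domInjector);
// then wire the banner's "Accept" button to gate.grant(["analytics", "advertising"]).
```

The point is that the vendor `<script>` tags are never present in the page's initial HTML; they are created only by `grant`, so nothing fires on first load.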
Overall, the intersection of ad tech and “trap and trace” demands and litigation highlights the importance of understanding and complying with privacy laws and obtaining explicit consent from website users when collecting and using their data. Now is the time to evaluate your website, privacy policy, terms of use, and consumer privacy rights notices to confirm compliance with the ever-changing landscape of state and federal laws, while also finding balance between meeting your marketing team’s needs and your website users’ experience. Take action to avoid this trap.
SOUR MORNING?: For Love and Lemons Faces TCPA Lawsuit Over Timing Violations
Hi TCPAWorld! The Baroness here. And we’ve got a new filing. This time, we’re taking a look at a case involving a popular clothing brand: For Love and Lemons.
Let’s start with the allegations.
The plaintiff Michelle Huang alleges that on November 28 and 29, 2024, she received two text messages from For Love and Lemons.
However, this case isn’t about the typical Do Not Call (DNC) Registry violation you might expect.
This case is actually brought under the time restrictions provisions of the TCPA.
Here’s where it gets interesting: Huang asserts that she received the messages at 7:14 a.m. and 7:45 a.m. — times she says are outside the window in which businesses are allowed to send marketing messages. Specifically, she contends she never authorized For Love and Lemons to send texts before 8 a.m. or after 9 p.m. local time.
This is significant because under 64.1200(c)(1), “[n]o person or entity shall initiate any telephone solicitation” to “[a]ny residential telephone subscriber before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).” 47 C.F.R. § 64.1200(c)(1).
Based on this alleged violation, Plaintiff sued For Love and Lemons for violations of Section 227(c) of the TCPA and 64.1200(c)(1).
In addition, she seeks to represent a class of individuals who received similar marketing texts outside the permissible hours:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
It is not often that we see cases being filed pursuant to 64.1200(c)(1). But this is a reminder that this provision exists!
Since this case was just filed, there is not much to report. But we will of course keep you folks updated as the case progresses.
Huang v. Love And Lemons LLC, Case No.: 2:25-CV-01391 (C.D. Cal).
Online Advertisements Found to Monetize Piracy and Child Pornography
“Online Advertising Hits Rock Bottom” screams one recent headline, as reports from ad fraud researchers purportedly have found evidence that online ads for mainstream brands have appeared on websites dedicated to the display and sharing of child pornography. Some others have appeared on sites that facilitate sharing of video content. There is little doubt that the who’s who of major brands whose ads may have appeared on such sites were unaware of this and, had they known, would have objected. I have written about this before, and this keeps happening – despite the proliferation of ad tech vendors promising to prevent it.
Moreover, this is not a victimless crime. Placing ads on a website dedicated to sharing child pornography monetizes this horrific activity. Far from merely benefitting the proverbial “two guys in a Romanian basement,” monies generated from misspent digital advertising can be used to fund terrorism, human trafficking and all manner of abhorrent, criminal activity. This should be of keen interest to all advertisers, particularly public companies.
One estimate says that advertisers lost up to $1 billion to ad fraud in 2024 alone. The nature of online advertising, which has surpassed “traditional media,” lends itself to opacity. Simply put, the Internet is infinitely scalable. Billions of “impressions” are generated daily, and more are always available to the unscrupulous. Advertisers often lack the data needed to determine where every advertisement winds up, and even if they had such data, they lack the wherewithal to determine whether an appropriate price was paid, whether they received value, and whether they received rebates to which they were entitled. Indeed, recent news reports suggest that large-scale bribery has infected ad spending in some international markets.
So, one would think that advertisers would dedicate more resources to root out this fraud. To be sure, associational efforts have been undertaken and claim to have shown progress. However, the problem persists and is still quite substantial. What other industry would tolerate fraud on the order of magnitude of 10-40% of spend? Yet, it continues year after year.
What should a responsible advertiser do now?
Review relevant contracts to determine what audit rights exist;
Revise weak contracts;
Exercise relevant audit rights;
Deal with negligent or reckless vendors; and
Pursue recovery of lost funds.
The last item is sometimes tricky to accomplish and depends on the strength of rights embodied in the relevant contracts. However, the proper contracts can give advertisers the power to pursue a refund of misspent or overspent funds, provided that the audits are strong and demonstrate compensable issues exist. This need not always involve filing a lawsuit.
Pursuing recovery can take courage and surely can create tension in some ongoing relationships. However, can your company continue business as usual with the stakes as high as they are?