It’s a Wrap—The Latest from the Ninth Circuit on “Sign-In Wrap” Agreements
On February 27, 2025, in Chabolla v. ClassPass Inc., the U.S. Court of Appeals for the Ninth Circuit, in a split 2-1 decision, held that website users were not bound by the terms of a “sign-in wrap” agreement.
ClassPass sells subscription packages that grant subscribers access to an assortment of gyms, studios and fitness and wellness classes. The website requires visitors to navigate through several webpages to complete the purchase of a subscription. After the landing page, the first screen (“Screen 1”) states: “By clicking ‘Sign up with Facebook’ or ‘Continue,’ I agree to the Terms of Use and Privacy Policy.” The next screen (“Screen 2”) states: “By signing up you agree to our Terms of Use and Privacy Policy.” The final checkout page (“Screen 3”) states: “I agree to the Terms of Use and Privacy Policy.” On each screen, the words “Terms of Use” and “Privacy Policy” appeared as blue hyperlinks that took the user to those documents.
The court described four types of Internet contracts based on distinct “assent” mechanisms:
Browsewrap – users accept a website’s terms merely by browsing the site, although those terms are not always immediately apparent on the screen (courts consistently decline to enforce).
Clickwrap – the website presents its terms in a “pop-up screen” and users accept them by clicking or checking a box expressly affirming the same (courts routinely enforce).
Scrollwrap – users must scroll through the terms before the website allows them to click manifesting acceptance (courts usually enforce).
Sign-in wrap – the website provides a link to the terms and states that some action will bind users but does not require users to actually review those terms (courts often enforce depending on certain factors).
The court analyzed ClassPass’ consent mechanism as a sign-in wrap because its website provided a link to the company’s online terms but did not require users to read them before purchasing a subscription. Accordingly, the court held that user assent required a showing that: (1) the website provides reasonably conspicuous notice of the terms to which users will be bound; and (2) users take some action, such as clicking a button or checking a box, that unambiguously manifests their assent to those terms.
The majority found Screen 1 was not reasonably conspicuous because of the notice’s “distance from relevant action items” and its “placement outside of the user’s natural flow,” and because the font is “timid in both size and color,” “deemphasized by the overall design of the webpage,” and not “prominently displayed.”
The majority did not reach a firm conclusion on whether the notice on Screen 2 and Screen 3 is reasonably conspicuous. On one hand, Screen 2 and Screen 3 placed the notice more centrally, the notice interrupted the natural flow of the action items on Screen 2 (i.e., it was not buried on the bottom of the webpage or placed outside the action box but rather was located directly on top of or below each action button), and users had to move past the notice to continue on Screen 3. On the other hand, the notice appeared as the smallest and grayest text on the screens and the transition between screens was somewhat muddled by language regarding gift cards, which may not be relevant to a user’s transaction; thus, a reasonable user could assume the notice pertained to gift cards and hastily skim past it.
Even if the notice on Screen 2 and Screen 3 was reasonably conspicuous, the majority deemed the notice language on both screens ambiguous. Screen 2 explained that “[b]y signing up you agree to our Terms of Use and Privacy Policy,” but there was no “sign up” button—rather, the only button on Screen 2 read “Continue.” Screen 3 read, “I agree to the Terms of Use and Privacy Policy,” and the action button that follows is labeled “Redeem now”; it does not specify the user action that would constitute assent to the terms. In other words, the notice needs to clearly articulate an action by the user that will bind the user to the terms, and there should be no ambiguity that the user has taken such action. For example, clicking a “Place Order” button unambiguously manifests assent if the user is notified that “by making a purchase, you confirm that you agree to our Terms of Use.”
Accordingly, the court held that Screen 1 did not provide reasonably conspicuous notice and, even if Screen 2 and Screen 3 did, progress through those screens did not give rise to an unambiguous manifestation of assent.
The dissent noted that the majority opinion “sows great uncertainty” in the area of internet contracts because “minor differences between websites will yield opposite results.” Similarly, the dissent argued that the majority opinion will “destabilize law and business” because companies cannot predict how courts are going to react from one case to another. Likewise, the dissent expressed concern that the majority opinion will drive websites to the only safe harbors available to them—clickwrap or scrollwrap agreements.
While ClassPass involved user assent to an arbitration provision in the company’s online terms, the issue of user assent runs far deeper, extending to issues like consent to privacy and cookie policies—a formidable defense to claims involving alleged tracking technologies and wiretapping theories. Notwithstanding the majority’s opinion, many businesses’ sign-in wrap agreements will differ from the one at issue in the lawsuit and align more closely with the types of online agreements that courts have enforced. Nonetheless, as the dissent noted, use of a sign-in wrap agreement carries some degree of uncertainty. Scrollwrap and clickwrap agreements continue to afford businesses the most certainty.
Common Privacy Pitfalls in M&A Deals
Many expect that deal activity will increase in 2025. As we approach the end of the first quarter, it is helpful to keep in mind privacy and data security issues that can potentially derail a deal. We discussed this in a webinar last week, where we highlighted issues from the buyer’s perspective. We recap the highlights here:
Take a Smart Start Approach: Often when privacy “specialists” are brought into deals, it is without a clear understanding of the goal of the deal and post-acquisition plans. Keeping these in mind can be crucial to conducting appropriate and risk-based diligence. (Along with having a clear understanding of the structure of the deal.) Questions to ask include the extent to which the target will be integrated into the buyer. Or, whether privacy assets (mailing lists) are important to the deal.
Conducting Diligence: Diligence can happen on a piece-meal basis. There are facts about the target that can be discovered even before the data room opens. What information has it shared about operations and products on its website? Has there been significant press? Any publicly-announced data breaches? What about privacy or data security related litigation? When submitting diligence question lists, keep the scope of the deal in mind. What are priority items that can be gathered, and how can that be done without overwhelming the target?
Pre-Closing Considerations: There are some obvious things that will need to happen before closing, like reviewing and finalizing deal documents and schedules. There may also be privacy-specific issues, such as addressing potential impediments to personal information transfers.
Post-Closing Integration: In many deals, the privacy and cybersecurity team is not involved in the integration process. Or, a different team handles these steps. Issues that might arise- and can be anticipated during the deal process- include understanding the data and processes that will be needed post integration, and the personnel who can help (whether at the target or buyer).
Putting It Into Practice: Keeping track of the intent of the deal and the key risks can help the deal flow more smoothly. This checklist can help with your next transaction.
Enforcement Update: Regulatory Attention Focused on Deletion Requests
Data protection authorities worldwide are intensifying their focus on individuals’ rights to have their personal data deleted. This heightened regulatory attention underscores the importance of organizations implementing robust compliance mechanisms to handle deletion requests effectively. For example:
In October 2023, California enacted pioneering legislation to strengthen consumer data protection. The California Delete Act (Senate Bill 362), signed into law in October 2023, establishes a centralized mechanism for consumers to request the deletion of their personal information held by data brokers. Under this law, data brokers are mandated to register annually with the California Privacy Protection Agency (CPPA) starting January 2024 and to process deletion requests submitted through the centralized platform beginning August 2026. This legislation aims to simplify the process for consumers to manage their personal data and imposes stringent requirements on data brokers to ensure compliance. Since November 2024, the CPPA has fined seven data brokers for failing to register and to pay the annual fee required under the California Delete Act.
In March 2025, Oregon released an enforcement report highlighting that “the number one right consumers have requested and been denied, is the right to delete their data.”
In March 2025, the European Data Protection Board (EDPB) initiated its Coordinated Enforcement Framework (CEF) action, centering on the right to erasure, commonly known as the “right to be forgotten,” as stipulated in Article 17 of the General Data Protection Regulation (GDPR). This initiative involves 32 Data Protection Authorities (DPAs) across Europe collaborating to assess and enhance compliance with erasure requests. Participating DPAs will engage with various data controllers, either by launching formal investigations or conducting fact-finding exercises, to scrutinize how these entities manage and respond to erasure requests, including the application of relevant conditions and exceptions. The findings from these national actions will be collectively analyzed to facilitate targeted follow-ups at both the national and EU level.
These developments reflect a broader global trend toward empowering individuals with greater control over their personal data and ensuring that organizations uphold these rights. For businesses, this signifies a need to evaluate and, if necessary, enhance their data management practices to comply with evolving regulatory standards concerning data deletion requests.
Given the intensified regulatory focus on data deletion rights, organizations worldwide should consider proactively assessing and strengthening their data protection practices. By implementing robust mechanisms to handle deletion requests effectively, businesses may not only ensure compliance with current regulations but also build trust with consumers who are increasingly concerned about their privacy rights.
KEEPING UP: Kardashian Brand Sued in TCPA Call Timing Class Action
When Kim Kardashian said, “Get up and work”, the TCPA plaintiff’s bar took that seriously. And another Kardashian sibling may be facing the consequences.
We at TCPAWorld were the first to report on the growing trend of lawsuits filed under the TCPA’s Call Timing provisions, which prohibit the initiation of telephone solicitations to residential telephone subscribers before 8 am and after 9 pm in the subscriber’s time zone. Call it a self-fulfilling prophecy or just intuition honed by decades of combined experience, but these lawsuits show no signs of slowing down.
In Melissa Gillum v. Good American, LLC. (Mar. 11, 2025, C.D. Ca), Plaintiff alleges that Khloe Kardashian’s clothing brand Good American sent the following text messages to her residential telephone number at 07:15 AM and 06:30 AM military time:
Of course, Plaintiff alleges she never authorized Good American to send her telephone solicitations before 8 am or after 9 pm.
Plaintiff also seeks to represent the following class:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
The consensus here on TCPAWorld is that calls or text messages made with prior express consent are not “telephone solicitations” and likely not subject to Call Time restrictions. We’ll have to see how these play out but stay tuned for the latest updates!
NO SMOKING UNTIL 8 AM: R.J. Reynolds Burned By TCPA Time-Of-Day Class Action Lawsuit
Hi TCPAWorld! R. J. Reynolds Tobacco Company—the powerhouse behind Camel, Newport, Doral, Eclipse, Kent, and Pall Mall—is back in court. This time, though, it isn’t about the usual allegations against Big Tobacco. Instead, the plaintiff accuses the company of violating the TCPA’s time-of-day restrictions and causing “intrusion into the peace and quiet in a realm that is private and personal to Plaintiff and the Class members.” Vallejo v. R. J. Reynolds Tobacco Company, 8:25CV00466: Vallejo v RJ Reynolds Tobacco Complaint Link
Under the TCPA, telemarketing calls or texts can’t be made before 8 a.m. or after 9 p.m. (local time for the recipient). We’ve been seeing a lot of these time-of-day cases pop up lately:
IN HOT WATER: Louisiana Crawfish Company Sued Over Early-Morning Text Messages – TCPAWorld
IT WAS A MATTER OF TIME: Another Company Allegedly Violated TCPA Time Restrictions. – TCPAWorld
TIME OUT!: NFL Team Tampa Bay Buccaneers Hit With Latest in A Series of Time Restriction TCPA Class Action – TCPAWorld
SOUR MORNING?: For Love and Lemons Faces TCPA Lawsuit Over Timing Violations – TCPAWorld
TOO LATE: 7-Eleven Sued in TCPA Class Action for Allegedly Failing to Comply With Call Time Limitations–And This Is Crazy If its True – TCPAWorld
Here, in Vallejo v. R. J. Reynolds Tobacco Company, however, the plaintiff claims he received early-morning marketing texts around 7:15 a.m. and 7:36 a.m., local time. The complaint further alleges that he “never signed any type of authorization permitting or allowing Defendant to send them telephone solicitations before 8 am or after 9 pm,” though it doesn’t actually say he withheld consent entirely for these messages.
The plaintiff seeks to represent the following class:
All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
As I’ve said before, from my reading of the TCPA, these time-of-day restrictions apply specifically to “telephone solicitations,” meaning calls or texts made with the recipient’s prior consent or within an existing business relationship might be exempt. Since the plaintiff doesn’t deny consenting to these texts in the first place, we’ll have to keep an eye on this lawsuit to see if the Central District of California agrees with that interpretation.
COMPLAINTS ABOUT COMPLAINTS: Defendant Granted Leniency from Burdensome Discovery Production
Discovery disputes are a big part of TCPA cases and, practically speaking, it can be exceptionally difficult for defendants to produce all documents requested by TCPA plaintiffs… for several reasons. Requests for production and interrogatories tend to be worded as broadly as possible (generally to seek class information). Then, even with discovery requests that are agreed upon by the parties, the practical difficulty of obtaining and producing the requested material can range from difficult to nearly impossible.
In Nock v. PalmCo Administration, LLC, No. 1:24-CV-00662-JMC, 2025 WL 750467 (D. Md. Mar. 10, 2025), the District Court of Maryland showed leniency to the defendant, although it still ordered the defendant to at least attempt to produce nearly every material that the plaintiff had requested.
For some context, the plaintiff alleged that the defendant had violated 47 U.S.C. § 227(c), the Do Not Call (“DNC”) provision of the TCPA, and Md. Com. Law § 14-320, Maryland’s analogous DNC law. Id at *1. An informal discovery dispute was brought before the court based on the defendant’s purportedly incomplete responses to the plaintiff’s discovery requests. Id.
Firstly, the court found that an interrogatory seeking “all complaints ‘regarding [the defendant’s] marketing practices’” unreasonably burdened the defendant—since complaints relating to all marketing practices would clearly turn up material unrelated to the case’s subject matter. Id. at *2. However, the court still ordered production of all complaints related to the case’s subject matter. Id. at *3.
Secondly, the plaintiff sought production of documents that had previously been ordered by the court. Id. However, one of the categories of documents was outside the defendant’s possession—data from one of its vendors. Id. As the defendant demonstrated “reasonable efforts to obtain the requested information,” the court allowed the defendant to send one more email request to furnish missing data from the third-party vendor to fulfill the defendant’s obligations under the previous court order. Id.
Although this specific request did not fall under retention requirements, it is worth a reminder that the statutory Telemarketing Sales Rule recently expanded in what records must be kept for all telemarketing calls.
Thirdly, the plaintiff sought records of all communications between the defendant and a third-party vendor. Id. Similarly, the court was lenient with the defendant, even though the defendant had already missed a court ordered production deadline on those communications. Id. The defendant was still ordered to produce the communications within thirty days, but the court was understanding of the practical difficulties in producing all said communications. Id. at *3-4.
That is all for this order. However, the TCPA keeps seeing new rules and requirements. Most urgently, we are now less than a month away from new revocation rules coming into effect. Be ready for those changes as they are set to be implemented on April 11, 2025!
Even With FCC 1:1 Gone, the CMS 1:1 Rule is Still Standing
Obviously, a lot going on in the lead gen space over the last six weeks. The biggest change of all is the FCC’s one-to-one rule being vacated. The pivot the industry had to make immediately after that ruling affected so many businesses.
But, one thing that did not change was CMS’s requirement for one-to-one consent to share personal beneficiary data between TPMOs. This is true even though CMS’s guidance throughout the summary of the rule was all based on the FCC’s one-to-one rule.
As a reminder:
CMS requires individualized consent: Beneficiary consent for data sharing must be obtained on a specific, one-to-one basis, with clear and easily understood disclosures.
The key to obtain consent is transparency CMS mandates that beneficiaries understand
Where their personal data is being shared.
The specific purpose of the contact they are consenting to, and
The identity of the entity that will be contacting them.
CMS Consent is Broader than the FCC’s proposed 1:1 consent: The CMS consent rule has a wider scope than the proposed 1:1 consent in the TCPA because it also applies to manual dialed calls.
Opt-In Consent is Mandatory: CMS requires an opt-in consent model, meaning the default should be that data is not shared, and the beneficiary must affirmatively choose to allow sharing.
Separate Legal Entities Require Explicit Consent: TPMOs cannot share beneficiary data with a TPMO that is a different legal entity without the beneficiary’s prior express written consent. This applies even to affiliated agents within the same marketing organization.
While the industry took a collective sigh of relief when the TCPA’s 1:1 rule was vacated, those TPMOs under CMS’s purview must remain diligent. And, new CMS rules should be announced within the next few weeks, so stay tuned.
For Whom the Bell Tolls? The Impact of Wisconsin Bell v. United States ex rel. Todd Heath and United States v. Regeneron Pharmaceuticals Inc. on False Claims Act Litigation
The Supreme Court’s decision in Wisconsin Bell v. United States ex rel. Todd Heath clarifies what constitutes a “claim” under the federal False Claims Act (FCA). At issue in Wisconsin Bell was whether reimbursement requests submitted to the FCC’s “E-Rate Program” are considered “claims” under the FCA. The U.S. Supreme Court agreed that they were, finding that the plaintiff’s liability theory could move forward.
While the issues presented in Wisconsin Bell occurred in the context of the FCC, the implications of the Court’s decision appear to extend far beyond—reaching industries frequently targeted for FCA enforcement, such as health care, aerospace, defense, energy and others involving government contracts (like cybersecurity). As in years past, SCOTUS’s docket and Wisconsin Bell reflects the continued significance of FCA litigation and its importance to the government’s recovery of funds. Therefore, all companies that receive federal funds, particularly in highly regulated industries such as health care, should be interested in understanding this ruling and its impact.
Wisconsin Bell had argued that it could not be exposed to FCA liability because the E-rate program, congressionally mandated to help certain schools and libraries afford internet and telecommunications, is administered by a private nonprofit organization and funded by government-mandated payments from private telecommunications carriers into the Universal Service Fund (USF). But the Court ruled narrowly that, because the U.S. Treasury itself had provided $100 million to the USF, through its collection of delinquent debts to the USF and related penalties and interest, as well as other settlements and criminal restitution payments, the federal government did “provide” a portion of the funds at issue, so the whistleblower’s allegations are thus covered under the FCA.
One thing of interest is seen in the concurrence from Justice Kavanaugh (with Thomas concurring) who renewed their questions about the constitutionality of the FCA’s qui tam provisions (and thereby invited future challenges), writing in Wisconsin Bell that “the [False Claims] Act’s qui tam provisions raise substantial constitutional questions under Article II. … [I]n an appropriate case, the Court should consider the competing arguments on the Article II issue.” Ultimately though, it was a unanimous decision, where the Supreme Court found that that E-Rate reimbursement requests were “claims” under the FCA.
Another interesting aspect is that the Court’s decision was notably narrow, relying on the U.S. Treasury’s supply of a $100 million ancillary sliver of overall USF funding, which totals nearly $10 billion annually. Justice Thomas’s concurrence (with Justice Kavanaugh concurring, and Justice Alito concurring in part) highlights the limits of this approach, observing that, “the Government paid scant attention to the fact that courts historically have not applied the FCA to cover fraud on nongovernment entities unless the Government itself will face a financial loss.” And, the Court’s opinion itself forewarns that issues of, “whether (and, if so, how) the amount of money the Government deposited should limit the damages Heath can recover” are likely to emerge if Heath ultimately prevails.
The narrow holding was necessary because, as the Court explained, larger questions as to the constitutionality of the USF under the nondelegation doctrine are looming in a separate case, Consumers’ Research v FCC, Docket Nos. 24-354, 24-422 (set for oral argument on March 26, 2025). Notably, Justice Thomas’s concurrence sends a warning shot for the Government in that case, questioning the implications of its other two arguments – either that the entire USF constitutes government funds, or that the private, non-profit USF administrator is an agent of the United States – for those constitutional questions, and for compliance with a separate statute, the Government Corporation Control Act. Those answers are likely to affect Heath’s potential for eventual recovery. (The fact that Justice Kavanaugh – seen as a potential swing vote in Consumers’ Research – joined this concurrence may also be an ominous portent for the future of the USF as currently constituted. See our recent Client Alert for more details about the issues presented in the Consumers’ Research case.)
In another recent and important FCA decision, United States v. Regeneron Pharmaceuticals Inc., the First Circuit joined some other courts of appeal in holding that the “but-for” causation standard applies when purported Anti-Kickback Statute (AKS) violations result in FCA violations. This is a commonly used theory because it allows plaintiffs to allege that when a relationship becomes tainted by kickbacks then all reimbursement claims to a federal payor that follow are tainted and fraudulent, triggering FCA liability.
In Regeneron Pharmaceuticals Inc., the First Circuit had to evaluate competing arguments from the government and defendant about whether the 2010 amendments to the AKS effectively changed the proof requirements under this theory. As the court explained,
Regeneron argued that, under the 2010 amendment, the government “b[ore] the burden of proving that an AKS violation … actually caused [a] physician to provide different medical treatment (and thus caused the false claims).” United States v. Regeneron Pharms., Inc., No. 20-11217, 2023 WL 6296393, at *10 (D. Mass. Sept. 27, 2023). In other words, Regeneron asserted that the phrase “resulting from” in the 2010 amendment imposed a “ ‘but-for’ causation standard.” Id. The government disagreed, and it urged the district court to adopt the Third Circuit’s view that “all that is required to prove a causal link [under the 2010 amendment] is that ‘a particular patient is exposed to an illegal recommendation or referral and a provider submits a claim for reimbursement pertaining to that patient.’ ” Id. (quoting United States ex rel. Greenfield v. Medco Health Sols., Inc.,880 F.3d 89, 100 (3d Cir. 2018)).
After evaluating various textual arguments asserted by the government, the First Circuit found that was no good reason “to deviate from the default presumption that the phrase ‘resulting from’ as used in the 2010 amendment imposes a but-for causation standard” and that “to demonstrate falsity under the 2010 amendment, the government must show that an illicit kickback was the but-for cause of a submitted claim.”
Since there is a clear circuit court split on this issue, it is ripe for certiorari by the Supreme Court.
Since False Claims Act plaintiffs are motivated by the potential of obtaining significant bounties by suing companies and individuals that do business with government agencies and affiliates, these and other recent decisions underscore the continued importance for companies that receive federal funds to have robust compliance plans and take appropriate steps to avoid becoming embroiled in these bet-the-company cases.
GRAB THE POPCORN: Regal’s Marketing Texts Just Premiered in a TCPA Blockbuster!
Grab your popcorn, here’s a quick case alert for you. Regal Cinemas just found itself in the middle of a legal thriller, and this one is playing out in the Central District of California instead of the big screen. See Hensley v. Regal Cinemas, Inc., No. 8:25-cv-00468 (C.D. Cal. Mar. 11, 2025). Here, we have a moviegoer suing the theater giant, claiming they were bombarded with promotional text messages before 8 a.m., breaking the rules set by the TCPA.
We are not just talking about a single rogue text. According to the Complaint, Regal allegedly sent off four early morning marketing messages, including two that landed at 7:21 and 7:22 in the morning. Instead of waking up to a quiet morning, Plaintiff was greeted with ads for free popcorn, extra Crown Club credits, and something called Funnel Fangs. Curious enough, I had to look into what these Funnel Fangs are and apparently they are funnel cake fries with red icing… which sound pretty good. Nothing like getting a promo for deep-fried snacks before you have even had your first sip of coffee.
But here is where things get sticky, like the bottom of a theater floor after a late-night screening. As we know, strict guidelines under the TCPA prohibit businesses from sending telemarketing messages before 8 a.m. or after 9 p.m. However, allegedly Regal rolled the credits on that rule and kept the marketing show going anyway.
This is no small popcorn flick. This is a class action lawsuit, meaning thousands could have been hit with these early morning texts. And the timing could not be worse, no pun intended. TCPA lawsuits are exploding faster than a bag of extra-butter popcorn in a hot microwave. More TCPA class actions were filed in the first ten days of March than in all of March last year!
Lawsuits over time-restricted messages keep rolling in, proving that plaintiffs’ lawyers are watching compliance missteps like hawks. Companies are learning the hard way that when they ignore TCPA rules, the lawsuits come in faster than a summer blockbuster lineup.
CAPITAL ONE SUED: Plaintiffs Allege 17 Separate Causes of Action in New Website Tracking Case
Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025) has raised some serious allegations against Capital One (“Defendant”), accusing the financial giant of secretly intercepting and sharing sensitive personal information through third-party tracking technologies on its website.
According to a group of plaintiffs, led by the somewhat seasoned Vishal Shah (see INVISIBLE DATA, REAL CONSEQUENCES: Navigating the IP Consent Dilemma – CIPAWorld), these trackers “instantaneously and surreptitiously” captured communications between users and the site, sending personal details to companies like Google, Microsoft, Adobe, Facebook, and others. The information allegedly shared included everything from employment and bank account details to credit card application status and browsing activities.
The Plaintiffs claim they never authorized sharing of their personal and financial data with these third or fourth parties for marketing and sales purposes. In the complaint, the Plaintiffs highlight specific privacy concerns, particularly with the targeted advertising section of Capital One’s Privacy Policy. The Policy states:
“We and our third-party providers may collect information about your activities on our Online Services and across different websites, mobile apps, and devices over time for targeted advertising purposes. These providers may then show you ads, including across the internet and mobile apps, and other devices, based in part on the information they have collected or that we have shared with them.”
The Plaintiffs argue that Capital One’s practices go well beyond what they ever agreed to in the company’s Privacy Policy. While the Privacy Policy does include an option to opt out of targeted advertising, this opt-out only applies to the “specific browser or device” used, meaning users may allegedly still be tracked across other platforms.
In total, the Complaint outlines a staggering 17 different causes of action, ranging from constitutional privacy violations to property claims. In response to these allegations, Capital One has filed a motion to dismiss the complaint in its entirety, along with all 17 claims brought forth by the Plaintiffs.
So, buckle in, and let’s go through them.
Threshold Issues
Defendant sought to dismiss the entire Complaint for two overarching reasons: (1) the Complaint’s exhibits conflict with Plaintiffs’ key allegations and (2) Plaintiffs fail to allege that Defendant disclosed Plaintiffs’ personal information and financial information.
Conflict between allegations of unauthorized disclosure and Privacy Policy attached to the Complaint.
Defendant contended that Plaintiffs’ allegations directly conflict with Defendant’s Privacy Policy because Defendant discloses that it releases customer information for third party marketing. However, the Court noted that while the Privacy Policy states that it collects information about a customer’s internet activities, it does not state that it releases that customer’s personal information such as employment information and credit card preapproval or approval status, which Plaintiffs allege is collected and shared. Therefore, the Court found that the Privacy Policy did not directly conflict with Plaintiffs’ allegations.
Defendant also argued that Plaintiffs consented to the disclosure of their personal information, that Defendant provided sufficient opt out instruction, and that the disclosures did not involve fourth parties. The Court found that the issue of consent was a factual question and declined to decide it at the pleadings stage.
Sufficiency of allegations as to disclosure of personal and financial information.
For the second threshold issue, Defendant argued that Plaintiffs failed to allege specific disclosures of their personal and financial information. The Court found that they did. For instance, Plaintiffs alleged that they interacted with Defendant’s website, which they alleged contained third party trackers. They alleged that they put their personal and financial information, including employment information, bank account information, citizenship status, and credit card preapproval or eligibility, into Defendant’s website and then received targeted third- and fourth-party marketing ads. They also alleged that, as a result of using Defendant’s website, their information was transmitted to third party trackers such as Google, Microsoft, and Meta, without their consent. The Court found these factual allegations sufficient to allege the disclosure of Plaintiff’s personal information and denied Defendant’s motion to dismiss as to the second threshold issue.
Plaintiffs’ Negligence Claims.
Defendant first argued that Plaintiffs have not identified a duty owed by Defendant arising under the Gramm-Leach-Bliley Act (“GLBA”) or the Federal Trade Commission (“FTC”) Act, because neither statute provides a private right of action. The Court dismissed this argument as the Defendant conflated negligence and negligence per se, with only the latter being concerned with a statutorily identified duty.
Further, the Court evaluated the California factors for determining whether a valid duty of care exists and found that Plaintiffs did allege such a duty by alleging that they placed trust in Defendant to protect their personal information, which Defendant then disclosed.
Next, the Court turned to the economic loss doctrine, which prohibits recovery of purely pecuniary or commercial losses in tort actions. While Defendant argued that the economic loss rule bars Plaintiffs’ negligence claims, the Court found that Plaintiffs also plead non-economic harms such as lost time and money incurred to mitigate the effect of the use of their information. Accordingly, the Court denied Defendant’s motion to dismiss as to negligence.
Plaintiffs’ Negligence Per Se Claims.
The doctrine of negligence per se creates an evidentiary presumption that affects the standard of care in a cause of action for negligence. Defendant next argued that negligence per se is not a standalone cause of action. The Court agreed and held that because Plaintiffs brought a negligence per se cause of action in addition to a negligence claim, the negligence per se claim was not proper. Accordingly, the Court granted Defendant’s motion to dismiss the negligence per se claim without leave to amend.
Plaintiffs’ Invasion of Privacy Claim under the California Constitution.
To state a claim for invasion of privacy under the California Constitution, plaintiffs must show that they possess a legally protected privacy interest, they maintain a reasonable expectation of privacy, and the intrusion is so serious as to contribute an egregious breach of social norms.
The Court determined that regardless of whether Plaintiffs possessed a legally protected privacy interest or maintained a reasonable expectation of privacy in this case, the alleged disclosure of employment information, bank account information, and preapproval or approval for a credit card does not rise to the level of an “egregious breach of social norms.” The Court granted Defendant’s motion to dismiss as the California constitutional privacy claim without prejudice.
Plaintiffs’ Comprehensive Computer Data Access and Fraud Act (“CDAFA”) and the Unfair Competition Law (“UCL”) Claim.
The CDAFA prohibits certain computer-based conduct such as knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network. The CDAFA provides that only an individual who has suffered damage or loss due to a violation of the statute may bring a civil action. Similarly, the UCL prohibits “unlawful, unfair or fraudulent business act or practice.” To have standing under the UCL, a plaintiff must establish that they suffered an injury in fact and lost money or property as a result of the wrongful conduct.
Here, Plaintiffs stated that they had a property interest in their personal information and that they lost money and property when Defendant disclosed their personal information to third parties. However, the Court determined that Plaintiffs’ personal information does not constitute property. Additionally, Plaintiffs did not plead that they “ever attempted or intended to participate in the market for the information” Defendant allegedly disclosed, or that they derived economic value from that information. Further, the Court held that even an argument that Plaintiffs experienced a diminution of the value of their private and personal information would not confer standing. Accordingly, the Court granted Defendant’s motion to dismiss for lack of standing as to the CDAFA and the UCL without prejudice.
Plaintiffs’ California Consumer Privacy Act (“CCPA”) Claims.
The CCPA imposes a duty on businesses to implement and maintain reasonable security practices to protect consumers’ personal information. While it is generally enforced by the California Attorney General, it also provides a limited private cause of action for any consumer whose personal information is subject to unauthorized access or disclosure as a result of a security breach. Courts, however, have also permitted CCPA claims to survive a motion to dismiss in cases where the plaintiff does not allege a data breach, but instead alleges that the defendants disclosed plaintiff’s personal information without consent by failing to maintain reasonable security practices.
In this case, because Plaintiffs allege that Defendant allowed third parties such as Google and Microsoft to embed trackers on its website and that these trackers transmitted Plaintiffs’ personal information, the Court held that Plaintiffs need not allege a data breach. Accordingly, the Court denied Defendant’s motion to dismiss as to the CCPA claim.
Plaintiffs’ California Customer Records Act (“CRA”) Claims under §§ 1789.81.5 and 1798.82 of the California Civil Code.
The CRA regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information. It requires businesses to “maintain reasonable security procedures and practices appropriate to the nature of the information” and to protect “personal information from unauthorized access, destruction, use, modification, or disclosure.”
The Court first addressed Plaintiffs’ CRA claim under § 1789.81.5. Defendant argued that because it is a financial institution, it is exempt from liability for any violations under this provision. See Cal. Civ. Code § 1798.81(e)(2) (exempting financial institutions from liability under section 1798.81.5). Plaintiffs, however, alleged that Defendant is a business within the meaning of § 1798.81.5(b). The Court sided with Defendant and granted its motion to dismiss without leave to amend as to Plaintiffs’ § 1789.81.5 claims.
The Court next addressed Plaintiffs’ CRA claim under Section 1798.82, which requires a business to disclose a breach of security systems to customers. Plaintiffs allege that the CRA applies because Defendant knew that Plaintiffs’ information was acquired by unauthorized persons and failed to disclose it to Plaintiffs. However, there must be a breach of security to show a CRA claim. See Cal. Civ. Code § 1798.82(a) (stating that a person or business shall “disclose a breach of security of the system following discovery or notification of the breach”). Further, a claim under section 1798.82 is not actionable for the breach itself but instead for the “unreasonably delayed notification,” so Plaintiffs must allege when the breach occurred. Here, the Court held that Plaintiffs not to only failed to allege that there was a breach of security but also failed to allege when Defendant became aware of the alleged breach.
Accordingly, the Court granted Defendant’s motion to dismiss as to the CRA section 1798.82 claim without prejudice.
Plaintiffs’ Breach of Express Contract Claim.
The Court found that Plaintiffs did not state a claim as to the breach of express contract because, while they alleged that they entered a contract with Defendant, they failed to cite to any specific section of the contract that Defendant allegedly violated. Instead, Plaintiffs stated generally that Defendant breached its express contract with Plaintiffs “to protect their nonpublic personal information.” Questioning where in the contract Defendant agreed to protect their nonpublic personal information or when Defendant explicitly promised not to disclose their data, the Court granted Defendant’s Motion to Dismiss as to the breach of express contract without prejudice.
Plaintiffs’ Breach of Implied Contract Claim.
Plaintiffs alleged that they had an implied contract with Defendant that it would keep their personal information confidential. However, once again, Plaintiffs did not state a claim because they failed to expand on the nature of the implied contract. Plaintiffs also fail to differentiate the express contract claim from the implied contract claim – the Court noted that Plaintiffs must elaborate on whether the implied contract involves separate promises from the express contract because Plaintiffs cannot allege both an express contract and an implied contract on the same matter. Accordingly, the Court granted Defendant’s motion to dismiss as to breach of implied contract without prejudice.
Plaintiffs’ Breach of Confidence Claim.
For the same reason as above, the Court held that Plaintiffs do not state a claim as to breach of confidence because they allege the existence of both an express and implied contracts, and the express contract precludes the breach of confidence claim. The Court dismissed the Plaintiffs’ claim without prejudice.
Plaintiffs’ Unjust Enrichment Claim.
The Court acknowledged the “somewhat unclear” nature of unjust enrichment claims in California, but, noting that both the Ninth Circuit and the California Supreme Court have allowed independent claims for unjust enrichment to proceed, allowed Plaintiffs claim to proceed basis the allegations that Defendant benefited from using Plaintiffs’ information and that Plaintiffs’ remedies at law are inadequate.
Plaintiffs’ Bailment Claim.
Bailment is generally defined as the deposit of personal property with another, usually for a particular purpose. The Court held that Plaintiffs have not alleged a deposit of personal property that falls within the scope of bailment because they only allege that they deposited their personal information. The Court cited Worldwide Media, Inc. v. Twitter, Inc., 17-cv-07335-VKD, 2018 WL 5304852 (N.D. Cal. Oct. 24, 2018) and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012), both finding that personal information is not something that can be delivered or taken custody of and later returned. Accordingly, the Court granted Defendant’s motion to dismiss as to bailment with prejudice.
Plaintiffs’ Claim for Declaratory Judgment.
The Court acknowledged Defendant’s contention that the declaratory judgment claim is duplicative of other claims but held that Plaintiffs may still bring it as it is predicated on their negligence claim. Therefore, the Court denied Defendant’s motion to dismiss as to declaratory judgment.
Plaintiffs’ Electronic Communications Privacy Act (“ECPA”) Claim.
The ECPA prohibits unauthorized interception of an electronic communication. To state a claim, a plaintiff must allege that the defendant intentionally intercepted the contents of plaintiff’s electronic communications using a device. The one-party consent exemption provides that it is not unlawful for a person to intercept a wire, oral, or electronic communication when that person is a party to the communication or when a party to the communication has consented to interception, unless the interception is to commit a crime or a tort.
Defendant argued that the “one-party consent exemption” applies because Defendant was a party to the communications. However, because Plaintiffs alleged that Defendant intercepted the contents of the communications for an unauthorized purpose, which resulted in tortious acts, the Court held that the one-party exemption does not apply.
Another reason that the one-party exemption does not apply is because the issue of whether Plaintiffs consented to Defendant’s conduct is at the center of the dispute – and this is a factual determination. Accordingly, the Court denied Defendant’s motion to dismiss as to the ECPA.
Plaintiffs’ CIPA Claims
Plaintiffs allege that Defendant violated both §§ 631 and 632 of CIPA.
Plaintiffs’ § 631 claims.
§ 631(a)(2) applies to anyone who reads, attempts to read, or to learn the contents of a communication while it is in transit and without the consent of all parties to the communication. Defendant argues that Plaintiffs’ claims under § 631 fail because Plaintiffs consented to the data sharing practices in the Privacy Policy, do not allege that any third party read a communication “in transit,” and do not allege that Defendant disclosed “contents” of a communication.
As for the first issue, because this once again involves factual determination of consent, the Court held that Plaintiffs’ allegations were sufficient for the pleadings stage. The Court also held that Plaintiffs plausibly alleged that Defendant intercepted communications while they were in transit by describing how Defendant allegedly installed third-party trackers on its website. Finally, Plaintiffs stated that the communication included personal information, which is a “content” under CIPA. As a result, the Court found that Plaintiffs sufficiently stated a claim as to § 631.
Plaintiffs’ § 632 claims.
§ 632 prohibits intentionally and without consent using an “electronic amplifying or recording device” to eavesdrop upon or record confidential communication. Again, because this issue hinges on whether Plaintiffs consented to Defendant’s disclosure, the Court found that Plaintiffs allegations are sufficient for purposes of a motion to dismiss.
Accordingly, the Court denied Defendant’s motion to dismiss as to the CIPA.
Plaintiffs’ Stored Communications Act Claim.
The Stored Communications Act created a private right of action against anyone who intentionally and without authorization (or in excess of their authorization) accesses a facility through which an electronic communications service is provided. The Stored Communications Act, however, only provides liability for a provider that is a “remote computing services” or “electronic communication services.” Plaintiffs alleged in the complaint that Defendant is an electronic communication service because it “intentionally procures and embeds” Plaintiffs’ personal information through the tracking technology on Defendant’s website. However, the Court held that Defendant is not an electronic communication service because its website does not allow customers to send and receive messages to third parties. The Court compared the situation here to that in In re Betterhelp, Inc., No. 23-cv-01033-RS, 2024 WL 4504527, at *2 (N.D. Cal. Oct. 15, 2024), where the defendant was found to be an electronic communication service because defendant’s customers communicated with third parties through the “conduit” of defendant’s websites. Instead, Plaintiffs here themselves stated that they were unaware of the presence of the trackers, and did not allege that they communicated with the third parties. Therefore, because Defendant’s website does not allow customers to send and receive messages to third parties, the Court held Defendant is not an electronic communication service.
Accordingly, the Court granted Defendant’s motion to dismiss as to the Stored Communications Act with prejudice.
Plaintiffs’ Computer Fraud and Abuse Act (“CFAA”) Claim.
The CFAA makes intentionally accessing a computer without authorization a federal crime. It imposes a civil liability when someone “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” unless the “object of the fraud” is less than $5,000 in any 1-year period. Plaintiffs here did not state a claim as to CFAA because they did not allege with specificity a loss of $5,000. The complaint only states that “secret transmission” of Plaintiffs’ personal information caused them loss, but it does not go into further detail. The alleged loss is therefore speculative, and insufficient for purposes of the CFAA. Accordingly, the Court granted Defendant’s motion to dismiss as to the CFAA claim without prejudice.
Takeaways
My first takeaway – if you got through all that, congratulations on your attention span. Secondly, a recurring theme in the Court’s extensive analysis is its refusal to determine issues of consent at the pleadings stage. This is nothing new or groundbreaking, the issue of consent unquestionably requires a factual investigation and is rarely, if ever, conclusive as grounds for a motion to dismiss.
On the brighter side for Capital One, the Court did agree to dismiss three of the Plaintiffs’ claims with prejudice, meaning the Plaintiffs cannot amend these claims and bring them again. These were Plaintiffs’ claims under negligence per se, bailment, and the Stored Communications Act.
The Court also granted the motion to dismiss as to Plaintiffs’ claims for invasion of privacy under the California Constitution, CDAFA, UCL, breach of express contract, breach of implied contract, breach of confidence, and CFAA, albeit with leave to amend. The California Constitution and CDAFA claims are notable for the Courts findings that the alleged disclosures do not amount to an “egregious breach of social norms”, and that Plaintiffs’ personal information does not constitute property. This fits into a trend of Courts being somewhat hesitant to expand the scope of privacy standing where there is no “tangible” harm. Blake digs into this here: READ ALL ABOUT IT: Reuters Faces Privacy Lawsuit But The Court Finds No Story To Tell – CIPAWorld.
You can read the order here: Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025)
Forget It!: EDPB Announces Focus on Right to Erasure in 2025
Right of erasure (or “right to be forgotten”) has been selected by the European Data Protection Board as its priority enforcement topic for 2025. This work is being done under the “Coordinated Enforcement Framework” or “CEF.” The EDPB created the CEF in 2022 as a way to streamline and coordinate enforcement across EU data protection authorities. Past topics have included the right of access, and the role of data protection officers in organizations.
Data Protection Authorities in the various member states (and seven state-level authorities in Germany) this year will examine how companies are complying with GDPR obligations around erasure requests. The topic was selected, the EDPB indicated, because it is the most common right requested by individuals . . . and also the one about which DPAs often receive complaints.
As they did with the actions for right of access, DPAs will take steps ranging from fact finding to formal investigations. The DPAs will also work together to analyze the results of the initiative, and the EDPB will publish a report at the conclusion of the initiative. This will be similar to the report issued on the 2024 right of access actions (adopted this January).
Putting It Into Practice: The announcement about the right of erasure priority, as well as the release of the right of access report, can serve as a reminder for companies to revisit their process for responding to rights requests.
Listen to this article
Competition Currents | March 2025
United States
A. 1.FTC secures $5.68M HSR gun-jumping penalty from 2021 deal.On Jan. 7, 2025, the FTC, in conjunction with the Department of Justice (DOJ) Antitrust Division, settled allegations that sister companies Verdun Oil Company II LLC and XCL Resources Holdings, LLC exercised unlawful, premature control of EP Energy LLC while acquiring EP in 2021. This alleged “gun-jumping” violation involved Verdun and XCL exercising various consent rights under the merger agreement and coordinating sales and strategic planning with EP during the interim period before closing. In settling, the parties agreed to pay a total civil penalty of $5.68 million, appoint or retain an antitrust compliance officer, provide annual antitrust trainings, use a “clean team” agreement in future transactions involving a competing product, and be subject to compliance reporting for a decade.
Further information about this settlement and the factual background can be found in our January GT Alert. 2.2025 HSR thresholds took effect Feb. 21, 2025. On Jan. 10, 2025, the FTC approved updated jurisdictional thresholds and filing fees for the Hart-Scott-Rodino (HSR) Antitrust Improvements Act of 1976. These revisions are made annually, with the size-of-transaction threshold for reporting proposed mergers and acquisitions under the Clayton Act increasing from $119.5 million to $126.4 million for 2025. These changes took effect on Feb. 21, 2025. The adjustments are based on changes in the gross national product and consumer price index as mandated by the HSR Act and the 2023 Consolidated Appropriations Act. 3.FTC releases staff report on AI partnerships & investments. In January 2025, the FTC issued a report under former Commissioner Khan examining several partnerships among participants in the AI technology chain. Broadly, participants in the AI chain include (1) providers of specialized (and scarce) semiconductor chips used to provide the computational power to train and refine generative AI models, as well as generate the actual output (be it text, images, or data); (2) cloud service providers that enable access to computing infrastructure; (3) AI developers; and (4) AI application creators. The report highlights several areas of concern with respect to such partnerships, including traditional antitrust concerns around competitor access to important resources, increased switching costs for participants, and the exchange of sensitive technical and business information.
Current FTC Chairman Andrew Ferguson—then commissioner—issued a concurring and dissenting statement (joined by Commissioner Holyoak) shortly after the report’s release. While signaling areas of disagreement and discouraging the Commission from “running headlong to regulate AI,” the dissent does not appear to depart significantly from FTC views with respect to a focus on Big Tech when it comes to AI. According to Ferguson, “AI may [] be the most significant challenge to Big Tech firms’ dominance since they achieved that dominance.” He cautioned, however, that the Commission must strike a delicate balance, safeguarding against regulation that hinders U.S. AI technology development while ensuring that “Big Tech incumbents do not control AI innovators.” 4.FTC secures settlement with private equity firm in antitrust “roll-up” case. On Jan. 17, 2025, the FTC settled a second administrative case against private equity firm Welsh, Carson, Anderson, and Stowe and its affiliates for allegedly monopolizing certain local Texas anesthesiology markets through an anticompetitive “roll up” strategy. In May 2024, a federal judge dismissed Welsh Carson from a similar FTC action, but held that Welsh Carson’s conduct could be challenged in federal court in the future if the FTC can allege specific facts that it controls a company actively engaged in ongoing violations or is otherwise directly involved in another attempt to violate the law, “beyond mere speculation and conjecture,” and could still pursue an in-house administrative case against the private equity firm.
The FTC settled its in-house case, discussed in a May 2024 GT Alert, in a consent order designed to both limit Welsh Carson’s investment in this space and identify future investment strategies in this or an adjacent space, which in the view of the Commission would risk becoming another anticompetitive “roll up.” The order requires Welsh Carson to:
freeze its investment in USAP at current levels and reduce its board representation to a single, non-chair seat;
obtain prior approval for any future investments in anesthesia nationwide, as well as prior approval for certain acquisitions by any majority-owned Welsh Carson anesthesia group nationwide; and
provide 30-days advance notice for certain transactions involving other hospital-based physician practices nationwide.
The Commission voted 5-0 to accept the consent agreement for public comment. 5.Federal court denies Commission’s bid to block Tempur Sealy’s $4B Mattress Firm deal. On Jan. 31, a Texas federal court denied the FTC’s challenge to preliminarily enjoin Tempur Sealy International Inc.’s planned $4 billion purchase of Mattress Firm Group Inc. The parties thereafter closed the merger, and the FTC then withdrew the matter from in-house adjudication, effectively ending its challenge. The FTC challenged the deal in July 2024, asserting that the combination of the world’s largest mattress supplier, Tempur Sealy, with the largest retail mattress chain in the United States, Mattress Firm, would give the new firm the ability and incentive to suppress competition and raise prices for mattresses by blocking rival suppliers from selling in Mattress Firm stores.
In September, Tempur Sealy offered to sell 178 stores and seven distribution centers to Mattress Warehouse, in an effort to alleviate the FTC’s concerns. The companies offered to preserve 43% of premium “slots” in Mattress Firm stores for rival manufacturers, up from a previous offer of 28%. The FTC countered that the court should not give weight to this “unenforceable promise” that Tempur Sealy could break at any time. The judge did state that “the proposed acquisition won’t substantially harm competition … [b]ut even if assumed to the contrary, Defendants’ commitments to divest certain stores and to maintain going-forward slot allocations resolves any lingering concern.” 6.Daniel Guarnera named FTC Bureau of Competition director. On Feb. 10, Chairman Ferguson appointed Daniel Guarnera as director of the Bureau of Competition. Guarnera previously served as chief of the Civil Conduct Task Force at the DOJ Antitrust Division. During his tenure, the task force filed monopolization suits against certain Big Tech companies, as well as multiple cases involving agriculture and labor markets. Prior to that role, he was a trial attorney with the Antitrust Division during the first Trump administration. He also served as special counsel to U.S. Senate Judiciary Committee Chairman Charles Grassley during the confirmation of President Trump’s Supreme Court appointee, Justice Neil Gorsuch.
The Commission voted 4-0 to approve Guarnera’s appointment as director of the Bureau of Competition, with Chairman Ferguson stating “[h]e has tremendous experience litigating antitrust cases in critical markets, including agriculture and Big Tech” and “using the antitrust laws to promote competition in labor and healthcare markets—two of my top priorities.” 7.FTC chair clarifies 2023 merger review guidelines remain in effect. On Feb. 18, 2025, FTC Chairman Ferguson issued a public statement to FTC staff stating if “there is any ambiguity, let me be clear: the FTC’s and DOJ’s joint 2023 Merger Guidelines are in effect and are the framework for this agency’s merger-review analysis.” Ferguson explained that FTC should “prize stability and disfavor wholesale recission,” to provide predictability for businesses, enforcement agencies, and the courts. In Ferguson’s view, the guidelines reiterate prior policy statements, guidelines, and decisional case law. 8.FTC launches inquiry on tech censorship. On Feb. 20, 2025, the FTC launched a public inquiry into how technology platforms deny or degrade users’ access to services based on the content of their speech or affiliations. The Commission’s press release said, in announcing the inquiry, “Censorship by technology platforms is not just un-American, it is potentially illegal. Tech firms can employ confusing or unpredictable internal procedures that cut users off, sometimes with no ability to appeal the decision. Such actions taken by tech platforms may harm consumers, affect competition, may have resulted from a lack of competition, or may have been the product of anti-competitive conduct.” The FTC is requesting public comment on how consumers may have been harmed by technology platforms that “limited their ability to share ideas or affiliations freely and openly.” Comments are open until May 21, 2025. B. Department of Justice (DOJ) Civil Antitrust DivisionDOJ sues to block Hewlett Packard Enterprise’s proposed $14 billion acquisition of rival Juniper Networks.
On Jan. 30, 2025, the DOJ Antitrust Division sued to block Hewlett Packard Enterprise Co.’s proposed $14 billion acquisition of wireless local area network (WLAN) technology provider Juniper Networks Inc. The Division alleges that HPE and Juniper are the second- and third- largest providers, respectively, of enterprise-grade WLAN solutions in the United States and that the deal would “eliminate fierce head-to-head competition between the companies, raise prices, reduce innovation, and diminish choice.” The Division says that the proposed transaction between HPE and Juniper would further consolidate an already highly concentrated market.
“HPE and Juniper are successful companies. But rather than continue to compete as rivals in the WLAN marketplace, they seek to consolidate — increasing concentration in an already concentrated market. The threat this merger poses is not theoretical. Vital industries in our country — including American hospitals and small businesses — rely on wireless networks to complete their missions. This proposed merger would significantly reduce competition and weaken innovation, resulting in large segments of the American economy paying more for less from wireless technology providers,” Acting Assistant Attorney General Omeed A. Assefi said. The Division asserted that Juniper has been a “disruptive force that has grown rapidly from a minor player to among the three largest enterprise-grade WLAN suppliers in the U.S.,” and that its innovation has decreased costs and put competitive pressure on HPE that HPE seeks to alleviate by acquiring Juniper. C. U.S. Litigation
1.Goldstein v. National Collegiate Athletic Association, Case No. 3:25-00027 (M.D. Ga. Feb. 20, 2025). On Feb. 20, 2025, the Honorable Judge Tilman E. Self III denied a college baseball player’s request for a temporary restraining order that would have prevented the National Collegiate Athletic Association (NCAA) from barring the student from the 2025 baseball season. The plaintiff filed a suit earlier this month that joins other similar suits seeking to invalidate the NCAA’s eligibility rule which gives college athletes no more than five years to play four seasons of college sports. In denying the temporary restraining order, Judge Tilman scheduled a follow-up hearing to allow for a more fulsome evidentiary hearing on a longer injunction. 2.State of Arkansas v. Syngenta Crop Protection AG, Case No. 4:22-cv-01287 (E.D. Ark. Feb. 18, 2025). Federal Judge Brian S. Miller denied two large pesticide manufacturers’ motion to dismiss the State of Arkansas’ lawsuit alleging that the manufacturers conspired to prevent generic pesticides from gaining market entry. In the lawsuit, Arkansas alleges that these manufactures entered into “loyalty programs,” which pay distributers and retailers incentives if they limit or refuse to sell generic crop-protection products whose patents have expired. In allowing the lawsuit to proceed, Judge Miller noted that the State has sufficiently alleged that these loyalty programs foreclose generic competitors from entering the market successfully. 3.Earth’s Healing Inc. v. Shenzhen Smoore Technology Co., Case No. 3:25-cv-01428 (N.D. Cal. Feb. 11, 2025). A Chinese-based vape manufacturing company and its U.S.-based distributors were sued in a putative class action, alleging that the defendants conspired to keep the price of marijuana vaping pens and cartridges high by limiting competition among distributors. The complaint alleges that Shenzhen Smoore Technology forced its distributors to enter into a horizontal conspiracy not to solicit each other’s retail customers and report any distributor who violated this non-solicitation policy. The proposed class includes any licensed cannabis business in the 24 states that have legalized marijuana for recreational use that have sold Shenzhen’s products since November 2016. 4.Alliance of Automotive Innovation v. Campbell, Case No. 1:20-CV-12090 (D. Mass. Feb. 11, 2025). On Feb. 11, 2025, the Honorable Judge Denise L. Casper dismissed a lawsuit an automakers’ advocacy group brought that sought to block the State of Massachusetts’s “right-to-repair,” which allows customers and mechanics open access to vehicles’ “telematics” systems. These systems are used to electronically track a vehicle’s location, speed, fuel efficiency, and other metrics. The automakers claimed that applying this state law to automobiles violates the National Traffic and Motor Vehicle Safety Act and the Clean Air Act and raises the risk of impairing the cybersecurity protections installed in these systems. Judge Casper’s order dismissing the case was filed under seal, and the has automakers have already indicated an intent to appeal the decision to the U.S. Court of Appeals for the First Circuit.
The Netherlands
A. Dutch Competition Authority (ACM) Dutch commitments decision spotlights ACM’s enforcement policy.
The Authority for Consumers and Markets (ACM) recently closed a cartel investigation into three chiropractic trade associations without imposing sanctions. The investigation concluded after the associations promised not to prohibit their members from offering discounts and free examinations. This decision was intended to promote competition, but critics raised concerns about transparency and the fair treatment of other companies that may have received harsher penalties for similar violations. Critics also pointed out that the ACM appears more reluctant to penalize the healthcare sector, leading to additional questions about its policy’s fairness and consistency. B. Dutch Court Decision Rotterdam District Court confirms egg purchasing cartel violation.
The Rotterdam District Court confirmed the findings of the ACM against three egg-product manufacturers who were fined for price-fixing, supplier allocation, and sharing competitively sensitive information in the egg-purchasing market. In 2021, the ACM sent a statement of objections, concluding that the three companies had violated the cartel prohibition provisions of Article 101(1) of the Treaty on the Functioning of the European Union (TFEU) and Article 6(1) of the Dutch Competition Act. Coordinating purchasing prices leads to such a significant restriction of competition (“by object” violation) that the ACM was not required to analyze the effects of the practice. The court acknowledged the companies’ objections to the amount of the fines and, since the proceedings exceeded the reasonable timeframe by a few weeks, all fines were reduced by EUR 5,000. The court set the fines at EUR 995,000, EUR 7,655,000, and EUR 15,736,500.
Poland
A. UOKiK president tightens the noose on price fixing agreements.
The president of the Office of Competition and Consumer Protection continues to focus on alleged price-fixing agreements, in particular those maintaining minimum prices (so-called RPMs) in online sales. Recent proceedings indicate an increased level of scrutiny on pricing practices, particularly around online distribution. 1.Fines imposed on pet-food distributor, Empire Brands. The UOKiK president has imposed a fine on Empire Brands, a pet food distributor, for engaging in resale price maintenance practices in online sales channels (online stores and digital marketplaces). Resellers were required to set prices that were at least equal to those Empire Brands offered in its own online store. According to the UOKIK president, the company penalized resellers by sending warnings, altering payment terms, restricting access to promotions, and terminating business relationships. Following the investigation, the UOKiK president imposed a fine of approximately PLN 353,000 (approximately EUR 84,000/USD 87,000) on Empire Brands. In addition, the UOKIK president also penalized the company’s managers, who received individual fines of PLN 82,000 (approximately EUR 20,000/USD 20,000) and PLN 39,000 (approximately EUR 9,000/USD 10,000), respectively. 2.Charges brought against sanitary equipment distributor, Oltens. UOKiK president also announced charges against Oltens, a distributor of sanitary equipment, for allegedly fixing online resale prices. The UOKiK president suspects that Oltens has entered into a price-fixing agreement with independent resellers of its products. The company allegedly imposed minimum resale prices for online sales, preventing retailers from offering lower prices (including within promotional campaigns). According to the UOKIK president, Oltens may have ensured compliance by actively monitoring resellers and intervening against those who deviated from set prices, including by refusing to supply or terminating cooperation agreements. The proceedings are pending. 3.Trend of enforcement. The Oltens and Empire Brands cases add to a growing list of resale price maintenance investigations the UOKiK president has conducted. In recent years, the competition authority has taken similar actions against multiple companies. For example, in 2024, Dahua Technology was fined PLN 3.7 million (approximately EUR 900,000/USD 900,000) for restricting the pricing policies of its distributors, and Kia Polska was fined PLN 3.5 million (approximately EUR 800,000/USD 900,000) for imposing minimum resale prices on its dealers. The UOKiK president considers RPMs to be particularly harmful to competition, given their capacity to restrict freedom of establishing prices, therefore negatively affecting market competitiveness and consumer interests. Infringing companies may be subject to significant financial penalties, which can be up to 10% of their annual turnover. The UOKiK president may also impose individual fines on managers of up to PLN 2 million. Moreover, anticompetitive contractual provisions would be void, and affected entities can seek damages in civil courts.
Italy
A. Italian Competition Authority (ICA) 1.Mulpor and IBCM fined for repeatedly failing to comply with ICA ruling. In January 2025, ICA fined Mulpor Company S.r.l. and International Business Convention Management Ltd. (IBCM) EUR 3.5 million for repeated non-compliance with a 2019 prohibition decision on unfair trading. In ICA’s view, the two companies sent allegedly deceptive communications to businesses and micro-companies, under the pretext of requesting business data verification, while in fact leading recipients to enter into multi-year contracts for advertising services. ICA considered these communications, resembling those that led to earlier fines in 2019 and 2021, to be disguised as updates to a database called the “International Fairs Directory.” But by signing the forms, business and micro-companies committed to a three-year advertising contract.
ICA concluded that these communications were deceptive, causing recipients to unknowingly subscribe to unwanted services. IBCM also allegedly used undue pressure by threatening legal actions to collect payments for the unsolicited services. 2.Radiotaxi 3570 fined for repeatedly failing to comply with ICA ruling. ICA imposed an approximately EUR 140,000 fine on Radiotaxi 3570 for repeated non-compliance with a June 2018 ruling, which found certain agreements in Rome’s taxi service market to be anticompetitive. According to ICA, the company failed to eliminate allegedly restrictive non-compete clauses in its statutes and regulations that ICA believed hindered competition. Radiotaxi 3570 did not comply with the measures ICA required, including submitting a written report outlining corrective actions, nor did it pay the imposed fines. ICA is considering imposing further penalties, including daily fines, and may consider suspending the company’s operations for up to 30 days in the event of persistent non-compliance. 3.Redetermination of Imballaggi Piemontesi S.r.l.’s cartel penalty. In 2019, Imballaggi Piemontesi S.r.l. was fined more than EUR 6 million for its participation in an anti-competitive cartel in the industry that produces and markets corrugated cardboard sheets. In 2023, after a Council of State ICA judgment– which involved a EU Court of Justice referral for a preliminary ruling on that matter (C-588/24) – ICA had to reassess the fine imposed on Imballaggi Piemontesi S.r.l. on the basis, inter alia, of the effective involvement in the cartel.
The company argued for a reduced penalty, but ICA determined that its participation was to be considered “full” in any case. As a result, ICA maintained the fine at EUR 6 million, which was equal to 10% of the company’s total turnover, within the legal limit.
European Union
A. European Commission Commission sends Lufthansa supplementary statement of objections.
The European Commission has issued a supplementary statement of objections to Lufthansa, ordering the airline to restore Condor’s access to Lufthansa’s feed traffic to and from Frankfurt Airport as agreed in June 2024. This step follows an investigation into potential competition restrictions by Lufthansa’s transatlantic joint venture with other airlines. The European Commission has preliminarily assessed that this joint venture restricts competition on the Frankfurt-New York route and that interim measures are needed to prevent harm to competition on this market.
Previously, Lufthansa and Condor had special prorate agreements (SPAs) allowing Condor to access Lufthansa’s short-haul network to feed its long-haul flights. In 2020, Lufthansa notified Condor of the termination of their SPAs. The European Commission expressed preliminary concerns that without these agreements, Condor could struggle to operate sustainably on the Frankfurt-New York route, further undermining the competitive market structure. To ensure the effectiveness of any future decision, Lufthansa must reinstate the previous agreements. This case falls under Articles 101 of the TFEU and 53 of the EEA Agreement, which prohibit agreements that restrict competition. B. ECJ Decisions
1.CJEU addresses preliminary questions on the restrictive nature of technical specifications. The Court of Justice of the European Union (CJEU) ruled on the interpretation of Article 42 of the EU’s Public Procurement Directive (Directive 2014/24/EU) regarding technical specifications for public procurement. The case involves a dispute between DYKA Plastics, which produces plastic drainage pipes, and Fluvius, the Belgian grid operator for electricity and natural gas in all municipalities in Flanders. Fluvius required that only drainage pipes made of stoneware and concrete can be used. DYKA argued that this requirement violates the principles of procurement, leading to four preliminary questions addressed to the CJEU.
The CJEU ruled that technical specifications must describe the characteristics of the works, supplies, or services, and that contracting authorities may not make specific mentions of materials—like references to stoneware or concrete—that favor or eliminate certain companies. The CJEU also explained that unless the use of a specific material is unavoidable, references to that material must be accompanied by the words “or equivalent.” In conclusion, the CJEU stated that eliminating companies or products through incompatible technical specifications necessarily conflicts with the obligation to provide equal access to procurement procedures and not to restrict competition per Article 42 of Directive 2014/24. 2.Beevers Kaas BV v. Albert Heijn België NV raises preliminary questions about parallel obligation. The case involves a dispute between Beevers Kaas, the exclusive distributor of branded dairy products in Belgium and Luxembourg, and Albert Heijn, a distributor in other markets. Beevers Kaas alleges that Albert Heijn violated exclusivity arrangements by selling in Belgium, while Albert Heijn argues that it cannot be prohibited from actively selling and that the exclusivity agreement offers insufficient protection. The case was referred to the CJEU to address the application of Article 4(b)(i) of the former EU Vertical Block Exemption Regulation (Regulation (EU) 330/2010 – old VBER), which has since been replaced.
First, the CJEU asked whether the “parallel obligation” requirement (where a supplier granting exclusivity to one buyer in a territory must also restrict other buyers from actively selling in that territory) may be fulfilled merely by observing that other buyers are not actively selling in the exclusive territory. Advocate General Medina’s January 2025 opinion states that the mere observation that other purchasers are not actively selling in the area is insufficient.
Second, the CJEU was asked to clarify whether proof of compliance with the “parallel obligation” must be maintained throughout the entire applicable period, or only when other purchasers show their intent to sell actively. According to Advocate General Medina, the supplier must generally demonstrate that the parallel obligation is fulfilled for all its other buyers within the EEA during the entire period for which it claims the benefit of the block exemption.
Japan
A. JFTC orders mechanical parking garage manufacturers to pay a surcharge of approximately JPY 520 million for bid-rigging allegations. In December 2024, the Japan Fair Trade Commission (JFTC) issued cease-and-desist orders to five manufacturers of mechanical parking garages and other facilities for bid-rigging allegations. The JFTC also ordered four manufacturers to pay a surcharge of approximately JPY 520 million in total.
According to the JFTC, the manufacturers repeatedly engaged in bid-rigging to determine which companies would receive orders from major general contractors, and at what price. The manufacturers are suspected to have engaged in bid-rigging, but one of them is also suspected of avoiding JFTC orders under the leniency program. The JFTC sent the proposed disciplinary measures to the manufacturers and will issue an order after receiving feedback from each. B .JFTC issues cease-and-desist orders to a cloud services company for the first time. In December 2024, the JFTC issued a cease-and-desist order to MC Data Plus, Inc., a company providing cloud services regarding labor management, for unfair trade practices that allegedly prevented customers from switching to other companies’ services. The order comes after the JFTC conducted an on-site inspection of MC Data Plus in October 2023.
According to the JFTC, starting in 2020, MC Data Plus refused to provide its clients with information on their employees, which the client registers on the cloud, in a form compatible with other labor safety services, due to the protection of personal information. The JFTC determined that such an act falls under the category of “interference with transactions (unjustly interfering with a transaction between its competitor),” which Japanese antimonopoly law prohibits.
This is the first time that a cease-and-desist order has been issued in connection with transactions regarding cloud services. MC Data Plus has filed a lawsuit to have the order revoked and has also filed a petition to suspend the order’s execution.
1 Due to the terms of GT’s retention by certain of its clients, these summaries may not include developments relating to matters involving those clients.