NYDFS Fines PayPal $2 Million for Cybersecurity Failures
On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information.
According to the consent order, in December 2022, a PayPal security analyst identified an online post describing a security gap that allowed unauthorized parties to access Forms 1099-K available on PayPal’s online platform. The forms contained PayPal customers’ unredacted personal information, including names, dates of birth and full Social Security numbers. One day after the analyst identified the issue, PayPal’s cybersecurity team noticed activity indicative of threat actors using credential stuffing (replaying username and password pairs leaked from other breaches) to log in to customer accounts and retrieve the personal information contained in the forms.
According to NYDFS, the data became exposed when PayPal changed its data flows to make the forms available to more customers. NYDFS alleged that PayPal failed to adequately train the engineering team implementing this change on the company’s policies and procedures for protecting personal information in the updated data flows. NYDFS also alleged that PayPal’s failure to mandate multi-factor authentication for customer accounts contributed to the unauthorized parties’ ability to access the forms: a stuffed credential pair is only useful if the password alone is sufficient to log in.
NYDFS charged PayPal with violations of the NYDFS Cybersecurity Regulation, including the failure to provide sufficient cybersecurity training to personnel and to maintain adequate cybersecurity policies designed to protect nonpublic information, resulting in a $2 million fine against the company. The consent order notes that PayPal had cooperated with NYDFS’s investigation and implemented several corrective measures, including mandating multi-factor authentication and conducting enhanced training programs for its cybersecurity personnel and engineers.
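The two controls at issue above, spotting a credential-stuffing run in authentication logs and forcing a second factor before sensitive documents are served, can be illustrated with a small detector. The following is an added example written for this digest; it is not PayPal’s or NYDFS’s code, and the log line format (timestamp, source IP, username, outcome), the sample lines and the thresholds are all assumptions constructed for the illustration.

```python
"""Credential-stuffing detection and MFA step-up over constructed auth logs.

Added example; not PayPal's or NYDFS's code. The log format
(timestamp, source IP, username, outcome) and the thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log lines for the example (not real PayPal data).
# 203.0.113.7 walks a breached username:password list: many distinct
# accounts, mostly failures, with two hits. 198.51.100.9 is one user
# retrying their own password. 192.0.2.33 is a routine login.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave SUCCESS
2022-12-06T10:00:04Z 203.0.113.7 erin FAIL
2022-12-06T10:00:05Z 203.0.113.7 frank FAIL
2022-12-06T10:00:06Z 203.0.113.7 grace SUCCESS
2022-12-06T10:00:07Z 203.0.113.7 heidi FAIL
2022-12-06T10:01:00Z 198.51.100.9 alice FAIL
2022-12-06T10:01:20Z 198.51.100.9 alice FAIL
2022-12-06T10:01:45Z 198.51.100.9 alice SUCCESS
2022-12-06T10:02:00Z 192.0.2.33 ivan SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters for one bounded slice of the auth log."""
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Accounts that logged in successfully from this source. If the source
    # is flagged, these are the accounts to treat as compromised.
    hits: set = field(default_factory=set)


def parse_line(line):
    """Parse one 'ts ip user outcome' line (format assumed for the example)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def summarise(lines):
    """Aggregate a bounded slice of auth log lines by source IP."""
    per_ip = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, ip, user, outcome = parse_line(raw)
        st = per_ip.get(ip)
        if st is None:
            st = per_ip[ip] = SourceStats(first_seen=ts, last_seen=ts)
        st.last_seen = max(st.last_seen, ts)
        st.attempts += 1
        st.users.add(user)
        if outcome == "SUCCESS":
            st.hits.add(user)
        else:
            st.failures += 1
    return per_ip


def detect_credential_stuffing(lines, min_users=5, min_fail_ratio=0.5):
    """Return {ip: SourceStats} for sources whose pattern looks like
    credential stuffing: many distinct usernames from one IP with a high
    failure rate. A legitimate user retyping a password hits one username;
    a stuffing run replays a breached list across many accounts, and the
    occasional SUCCESS is the signal that matters, not the failures.
    Thresholds are assumptions; tune them to the service's baseline.
    """
    flagged = {}
    for ip, st in summarise(lines).items():
        if len(st.users) >= min_users and st.failures / st.attempts >= min_fail_ratio:
            flagged[ip] = st
    return flagged


def requires_step_up(ip, user, flagged):
    """Decide whether a password-correct login must still pass a second
    factor before sensitive documents (e.g. tax forms) are served: True when
    the source is flagged or the account had a hit from any flagged source.
    Mandatory MFA for all accounts removes the need for this heuristic; it
    is the compensating control while MFA is not yet enforced.
    """
    if ip in flagged:
        return True
    return any(user in st.hits for st in flagged.values())


if __name__ == "__main__":
    flagged = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, st in flagged.items():
        print(f"{ip}: {st.attempts} attempts, {st.failures} failures, "
              f"{len(st.users)} accounts, hits={sorted(st.hits)}")
    print("step-up for dave from 192.0.2.33:",
          requires_step_up("192.0.2.33", "dave", flagged))
```

On the constructed sample, only 203.0.113.7 is flagged; the two accounts that succeeded from it (dave and grace) are the ones whose forms would have been exposed, and a later password-correct login by either of them from a clean address still triggers the second factor. The single-account retry from 198.51.100.9 is not flagged; that is a brute-force or forgotten-password pattern and deserves a separate rule, not this one.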
CJEU on the Future of (Data-Protection) Works Agreements: What Changes?
The Court of Justice of the European Union (CJEU) has held that collective agreements (such as works agreements) can serve as a legal basis for the processing of employee data only if they meet strict criteria. Below we set out the CJEU decision of 19 December 2024 (case C-65/23) in more detail.
Why does this matter?
The judgment concerns one of the big questions in employee data protection of recent years: under Art. 88 GDPR and § 26(4) BDSG, employees’ personal data may also be processed on the basis of collective agreements (e.g. works agreements). What was unclear until now was whether, and if so how much, latitude the parties to a works agreement have in shaping it (and thus the processing of personal data). Can they respond relatively freely to the specific circumstances of the company, or is only a concretisation of the GDPR rules possible, so that the parties’ room for manoeuvre when drafting works agreements would be very limited?
What does the CJEU say?
Works agreements must not have the object or effect of circumventing the obligations of the controller or even of the processor. Otherwise the GDPR’s objective of ensuring a high level of protection for employees when their personal data are processed in the employment context would be undermined. From this the CJEU concludes:
Yes, works agreements and collective agreements can constitute a legal basis for the processing of personal data.
But it is a “yes, but”: the latitude is very limited. According to the CJEU, works agreements too must satisfy the general requirements of Art. 5, Art. 6(1) and Art. 9(1) and (2) GDPR. Among other things, this means that a general legal basis under Art. 6(1) sentence 1 GDPR must always be present as well.
This applies in particular to the requirement that the processing be necessary. The parties to a works agreement have a narrowly bounded negotiating margin. Works agreements must not result in the necessity requirement being applied less strictly or dispensed with altogether.
However: the parties to a works agreement know their establishment, their employees and their tasks, and the specific challenges the company faces. They therefore generally have good expertise for assessing whether a processing of employee data is “necessary” within the meaning of the GDPR in a specific professional context. At the same time, comprehensive judicial review exists to ensure that all requirements and limits of the GDPR are observed.
What should you do now?
One thing is now clear: works agreements are not a self-standing legal basis on their own. They can regulate the processing of employee data only in conjunction with one of the legal bases in Art. 6(1) sentence 1 GDPR. When renegotiating or revising (existing) works agreements, the parties should therefore always state expressly which GDPR legal basis they consider applicable. In light of the CJEU judgment, the necessity of the processing of employee data must also be critically scrutinised. The parties’ reasons for considering the processing necessary should likewise be recorded in the works agreement.
Finally, the “paperwork” around the works agreement should not be forgotten. If (a) the privacy notice for employees and (b) the record of processing activities have so far cited only the works agreement as the legal basis, they must consistently be supplemented with the additional general GDPR legal basis (e.g. entering into, performing or terminating an employment contract, or the pursuit of legitimate interests).
New Direct Mail Laws: California, Here We Come
With all the preparation around 1:1 consent, a lot of marketers planned on moving away from telephone solicitations to direct mail, assuming it was a safer choice with fewer restrictions.
And, generally, it is.
Except in California.
Ah, California with your beaches and your perfect weather and your strong consumer protection laws. As of January 1, 2025, there is a new restriction on “solicitations” for “consumer financial product or service” made by physical mail in California.
Per the new rule, which stemmed from Senate Bill 1096, physical mail solicitations must include, “in at least 16-point bold type on the front of an envelope,” the following language:
“THIS IS AN ADVERTISEMENT. YOU ARE NOT REQUIRED TO MAKE ANY PAYMENT OR TAKE ANY OTHER ACTION IN RESPONSE TO THIS OFFER.”
OOF, Buzz.
What is a “consumer financial product or service”? What is a “solicitation”?
A consumer financial product or service uses the California Financial Code definition of “consumer financial product or services” which broadly defines it, in pertinent part, as: “A financial product or service that is delivered, offered, or provided for use by consumers primarily for personal, family, or household purposes.”
Therefore, this is a pretty expansive definition.
A solicitation is “any advertisement or marketing communication through writing or graphics that is directed to, or likely to give the impression of being directed to, an individually identified person, residence, or business location.”
But it does not include mass advertisements such as catalogs, websites, or broadcast messages. It also does not include “communication via … mail … that was initiated by a consumer,” or credit solicitations that satisfy the disclosure requirements under the Fair Credit Reporting Act for credit solicitations using a consumer’s credit file.
Those are pretty broad exceptions.
Essentially, completely unsolicited blind mailings are covered by this new rule if they are for a “consumer financial product or service”. For instance, if you wanted to send a mailing to everyone in a certain zip code about mortgages, then that would likely be covered.
While direct mail can be “easier” to comply with for consumer outreach, there are pitfalls. Companies that are new to direct mail should not ignore the compliance responsibilities around direct mail.
CFPB Shaken Up While Courts Address Consumer Fraud Obligations Under EFTA and Convenience Fees
The new administration continues to shake up the financial services regulatory environment. The CFPB’s new acting director indicated over the weekend that the agency will not take its next draw of funding from the Federal Reserve, noting the CFPB’s current balance as being more than sufficient. Its acting director has separately told staff to “stand down” from doing work, which has prompted lawsuits by staff. In the short term, the CFPB has already moved to stay multiple pending actions that were filed under the prior administration. Whether the CFPB will resume pursuit of the Rohit Chopra agenda remains to be seen. Notably, in the final two weeks under Chopra’s lead, the CFPB, perhaps seeing the writing on the wall in terms of the Bureau’s funding and direction or even its existence, issued a report calling for the states to pursue initiatives of the agency. See Strengthening State-Level Consumer Protections, CFPB (Jan. 14, 2025).
Some state attorneys general have not needed CFPB prompting. Attorney General Letitia James, the AG in New York, is currently pursuing an enforcement action seeking to apply the Electronic Fund Transfer Act (EFTA) to consumer wire transfers. It has generally been accepted that wire transfers are governed by Article 4A of the UCC and are exempt from the EFTA. In its suit, the New York AG nonetheless alleges that consumer wire transfers, which are becoming more prevalent, are subject to the EFTA and therefore banks and credit unions should be liable for fraudulent wire transfers. The defendant in that case filed a motion to dismiss, but the US District Court for the Southern District of New York denied it. In a 62-page order, the Court concluded it would be incompatible with the text and history of the EFTA to find that it did not apply to consumer-initiated wire transfers.
In another recent case, Booze v. Ocwen, the 11th Circuit held that it is a violation of the Fair Debt Collection Practices Act (FDCPA) to collect fees for loan payments (so called “convenience fees”) unless they are expressly provided for in the loan documents. The defendant in that case had contracted with a third party to process payments by phone or online and was charging customers for the privilege of making payments via the intermediary. The Booze decision follows an earlier decision out of the Fourth Circuit, Alexander v. Carrington Mortgage, and a CFPB advisory opinion issued in 2022. Even if the CFPB is not around to enforce its advisory opinion, banks and credit unions that charge convenience fees should be wary of doing so because there are now two federal circuit courts of appeal that have found they violate the FDCPA.
Top Tips for Companies to Prepare for an Immigration Visit

Here are our top tips to assist companies and institutions in preparing for visits by immigration officials. The second Trump administration has set robust enforcement of the immigration laws as a top-level priority. On January 20, 2025, President Trump issued an executive order that directed all executive branch departments and agencies to “employ all lawful means” to ensure “total and efficient” enforcement of federal immigration laws. As an initial step, the Department of Homeland Security (DHS) terminated its prior “sensitive location” policy that prevented immigration enforcement activities in or near areas such as schools, medical facilities, places of worship, social service centers, daycare centers, or shelters without agency headquarters approval or exigent circumstances. In commenting on the new policy, the DHS spokesperson stated, “Criminals will no longer be able to hide in America’s schools and churches to avoid arrest. The Trump Administration will not tie the hands of our brave law enforcement, and instead trusts them to use common sense.” While we have not heard any confirmed reports of enforcement in these spaces since the rescinding of the Biden-era guidance, it would be prudent for businesses to be prepared and have a lawful response plan for visits from immigration authorities, including local police authorities, U.S. Immigration and Customs Enforcement (ICE), U.S. Customs and Border Protection (CBP), and other agencies empowered to enforce the immigration laws.
Review Your Policies. Keep in mind that immigration authorities are specialized law enforcement. Many companies already will have policies in place that instruct employees how to respond generally to inquiries by law enforcement. Therefore, companies should ensure employees are properly trained on company policies concerning how to interact with ICE or other immigration enforcement agents. If your company does not have such a policy and is in a category of spaces no longer protected as “sensitive locations,” now may be the time to study and potentially adopt appropriate policies. Companies should consider appointing “liaisons,” or other point persons at each company location, who are specially trained and authorized to interact with law enforcement. This will ensure consistency of process and help relieve stress of others who may be directly impacted by these immigration encounters.
Identify Public versus Private Areas. Companies should decide whether they want to have policies or procedures indicating a clear delineation between their public and private spaces. Immigration agents generally do not need permission to enter public areas of a business. Public spaces are general areas that are accessible not only to clients, staff, patients, or students but are accessible and available to the general public. These can include parking lots, waiting areas, hallways, lobbies, or entrances. Areas that are not open and accessible to the public are generally considered private areas, where law enforcement is accordingly not permitted without legal authority. To go beyond these public spaces into private areas, enforcement agents may need to show a warrant (more on this below), not only to apprehend a person but also to enter and search any non-public spaces of a business absent permission from the business. Given that the previous guidance prevented enforcement near protected areas without agency headquarters approval or exigent circumstances, enforcement agents likely will take advantage of accessing public spaces before seeking access to private spaces. Businesses should consider whether they wish to specifically designate public and private areas to help manage engagement with law enforcement.
Review the Warrant. If the enforcement agent is seeking access to a private space and the company decides not to consent voluntarily to such access, then an employee will need to ask to see the warrant; if the agent presents a warrant, the best place to start is to read the scope and wording of the warrant. There are several different types of warrants that can be used in immigration enforcement situations, so a lawyer or trained layperson may need to review the warrant to know what type of warrant the enforcement officer is presenting to gain access. (Samples are included at the end of this piece.)
Judicial Warrant: This is a formal written order, issued by a judicial officer, that authorizes law enforcement to make an arrest or conduct a search. This is issued by a court — typically a federal court — so you will see something like “U.S. District Court” at the top of the warrant and a signature from a judge or magistrate judge at the bottom. Pay close attention to whether the warrant allows for (1) just an arrest of a person named in the warrant, (2) a search for items on the identified person’s body, or (3) a search of a location for listed items or persons. An arrest warrant does not give law enforcement permission to enter a particular private space but does permit the agent to arrest someone listed in the warrant. A search warrant, by contrast, permits the specified enforcement agency to search a specified area (including public and private spaces) for papers, data, property, or persons and seize such listed items or identified persons. Companies should be observant during law enforcement activities on their premises, and carefully and thoroughly document law enforcement actions at all times while they are on company premises.
Administrative Warrant: An administrative warrant authorizes a law enforcement officer from a federal agency, such as ICE or CBP, to make an arrest or remove/deport someone from the country, depending on the type of administrative warrant utilized. This type of warrant is issued by a federal agency, such as ICE, not a court, and can therefore be signed by an “immigration judge” or “immigration official.” Importantly, this warrant does not authorize a search of a private area. Practically speaking, an administrative warrant does not allow agents to enter a private area to apprehend a person named in the warrant or to search an area or seize private property or information, even if the agents reasonably believe the person to be located in that area. Absent changes to the law, administrative warrants cannot be used to search premises.
“Blackie’s” Warrant: This judicial warrant, named after the case Blackie’s House of Beef v. Castillo, is a specific type of judicial warrant that does not always name or even describe the person or people sought. A Blackie’s warrant is a civil search warrant issued by a magistrate judge, which authorizes immigration agents to enter private premises for the purpose of enforcing the civil/administrative provisions of law relating to exclusion and deportation. While this warrant has fallen out of favor in many jurisdictions, we may begin to see more of its use going forward. Again, this warrant may provide legal authority for enforcement agents to search a private space, without the owner’s consent, for persons unlawfully in the United States.
Consider Privacy Laws. To the extent the company is a covered entity or business associate subject to the Health Insurance Portability and Accountability Act (HIPAA), or a similar entity subject to state laws, the company will need to review a law enforcement request to ensure compliance with applicable privacy laws. Protected health information can be disclosed under HIPAA and state law in limited circumstances. HIPAA permits (but does not require) disclosing protected health information in compliance with, and as limited by the relevant requirements of, a court order or court-ordered warrant, a subpoena, or a summons. HIPAA also permits disclosure pursuant to administrative requests for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law provided all of the following are true: (1) the information sought is relevant and material to the law enforcement agency, (2) requested information is specific and limited in scope as reasonably practicable, and (3) de-identified information could not be reasonably used. There also are federal and state privacy protections in place for certain sensitive types of health information. State law can be more restrictive, so make sure your policies on responding to law enforcement take into account any relevant state law(s). The company’s existing policies and procedures should address the production of this type of information in response to law enforcement requests.
Triage. The company should request from law enforcement a reasonable amount of time to review and perform an initial assessment of the warrant, to appropriately escalate to legal counsel or a point person as needed. If it is something new or unfamiliar, seek advice from legal counsel, who should carefully review the warrant to determine the company’s obligations in interacting with law enforcement. Provide training to staff and leadership to ensure they read any paperwork provided and triage the situation. Again, appointing “liaisons” at each worksite who are specially trained and designated with authority to interact with enforcement agencies may be advisable.
Avoid Obstructing Law Enforcement. Importantly, employees should avoid obstructing law enforcement’s activities. Even if such activities appear to go beyond the scope of the warrant, interfering is not helpful and can risk criminal charges. Legal remedies for law enforcement overstepping, including unlawful searches and seizures, can be addressed later in the process. Interfering with law enforcement while they are onsite often will serve only to escalate the situation.
The immigration landscape is quickly changing under the Trump administration, but preparing for potential enforcement in advance and training employees on these issues can help your company know how best to respond to unfamiliar situations. Constitutional law provides companies with important protections from unreasonable searches and seizures by law enforcement, so consultation with legal counsel to understand those rights and obligations is critical to ensuring compliance with the law.
Please contact a member of Foley’s Immigration, Government Enforcement or Labor & Employment teams with questions for help preparing for immigration enforcement action on site or for further information about the federal government’s new immigration-related policies.
Samples of Warrants
Judicial Warrant for a search:
Judicial Warrant for an arrest only:
Administrative Warrant (Warrant of Removal/Deportation)
Administrative Warrant (Warrant for Arrest)
Final Rule Implementing ICTS Supply Chain Executive Order 13873 In Effect
On May 15, 2019, President Trump issued Executive Order 13873 – Securing the Information and Communications Technology and Services Supply Chain (“EO” or “EO 13873”). After taking comments on a proposed implementing rule, the Department of Commerce (“DOC” or “Secretary”), on the very eve of the Biden Administration taking office, issued an Interim Final Rule implementing the EO and establishing procedures for its review of transactions involving information and communications technology and services (ICTS) designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a “foreign adversary” that may pose undue or unacceptable risk to the US or US persons. The DOC also sought further comments on the Interim Final Rule.
Since then the DOC announced that it had initiated certain investigations under the EO and the Interim Final Rule, and there were press reports of other investigations. Despite numerous investigations however, the DOC has only issued one Final Determination pursuant to EO 13873 since adoption of the Interim Final Rule.
On December 6, 2024, nearly four years later, the DOC published its “Final Rule” guiding review of ICTS Transactions, amending and, in some cases, removing terms or concepts which experience has shown to be unnecessary, inefficient or ineffective. The Final Rule was effective February 4, 2025.
The DOC committed to continue to review its procedures and possibly consider future rulemakings to further clarify aspects of the regulations. The new Trump Administration may also bring further adjustments. To date, the new Trump Administration has not indicated that it has “paused” enforcement under the Final Rule, as it has to other areas of regulatory enforcement. (And of course, the EO on which the Final Rule is based was issued by President Trump in his first term.)
Highlights of key adjustments reflected in the Final Rule include the following:
Scope of covered ICTS transactions – First, the DOC noted that its reviews and investigations of “ICTS Transactions” have thus far involved the review of all ICTS Transactions involving the subject entity of the review, rather than individual transactions between the entity and other parties, because the provision of any ICTS by that entity was the basis of the undue or unacceptable risks. Second, the Final Rule further refines the ICTS Transactions subject to further review by listing broad technology categories to indicate that the DOC is concerned about ICTS Transactions involving:
Information and communications hardware and software
ICTS integral to data hosting, computing or storage that uses, processes or retains sensitive personal data; connected software applications
ICTS integral to critical infrastructure
ICTS integral to critical and emerging technologies
Definitional changes –In response to certain comments, the Final Rule added or clarified certain definitions. Examples:
New definition of “Dealing In” as used in the definition of “ICTS Transaction” – “The activity of buying, selling, reselling, receiving, licensing or acquiring ICTS, or otherwise doing or engaging in business involving the conveyance of ICTS.’’
New Definition of “Importation” as used in the definition of “ICTS Transaction” – ‘‘The process or activity of bringing foreign ICTS to or into the US, regardless of the means of conveyance, including via electronic transmission.’’
Revised definition of “Party or Parties to a Transaction” – ‘‘A person or persons engaged in an ICTS Transaction or class of ICTS Transactions, including but not limited to the following: designer, developer, provider, buyer, purchaser, seller, transferor, licensor, broker, acquiror, intermediary (including consignee), and end user.”
Revised definition of “Person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” to exclude US citizens and permanent residents – A US citizen or permanent resident would not be considered a “person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” merely due to dual citizenship, or residency in a country controlled by a foreign adversary.
Revised definition of “Person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” – “An entity may be subject to the jurisdiction of a foreign adversary if it has a principal place of business in, is headquartered in, is incorporated in or is otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary.”
Removal of one million unit or person threshold – The Final Rule removes the previous qualification that certain ICTS Transactions that involve the use, processing or retention of sensitive personal data must include the data of more than one million US persons to be subject to review. Additionally, it removes the one-million-unit sales minimum for internet-enabled sensors, webcams or other end-point surveillance or monitoring devices; routers, modems or any other home networking device; or drones or other unmanned aerial systems. Finally, the Final Rule also removes the qualification that software designed primarily for connecting with, and communicating via, the internet be in use by over one million people to be considered ICTS for the purposes of the Rule.
Committee on Foreign Investment in the United States (CFIUS) exemption – The Final Rule clarifies that the DOC will not review an ICTS Transaction that is also a covered transaction or covered real estate transaction, provided that it is either under review, investigation or assessment by CFIUS or CFIUS has concluded all action under section 721 of the Defense Production Act of 1950, as amended.
10-year record keeping requirement – The Final Rule also clarifies that any records that a notified person must retain in connection with an ICTS Transaction must be retained for 10 years following issuance of a Final Determination, unless the Final Determination specifies otherwise. Previously there was no limit on the retention period.
Details on information provided in an Initial Determination – The Final Rule provides that the Initial Determination will provide parties with information regarding the factual basis supporting the DOC’s decision to either prohibit an ICTS Transaction or permit the ICTS Transaction with mitigation measures. As to publication of an Initial Determination, in consideration of the comments about publication of Initial Determinations, under the Final Rule the DOC retains discretion to publish a notice of an Initial Determination, rather than the full text of an Initial Determination, in the Federal Register.
Response and mitigation timing – The Final Rule does not establish a maximum timespan for imposed mitigations because the DOC continues to believe that such an across-the-board maximum would hinder the department in fully evaluating any implemented mitigations, resulting in national security vulnerabilities. The Final Rule allows an initial 30 days to respond to an Initial Determination and allows parties to seek, and the Secretary to allow for good cause shown, an extension of another 30 days. In total, parties may receive up to 60 days to respond to an Initial Determination (30 days initially with a potential 30-day extension).
Timing imposed on interagency consultation for Final Determinations – With respect to the requirement that the Secretary seek concurrence of all appropriate agency heads before issuing a Final Determination, the Secretary may presume concurrence if no response is received within 14 days from one of the appropriate agency heads or the designee of appropriate agency heads. The Final Rule also clarifies that if an agency objects to the Final Determination, the objection must be received by the Secretary within the 14 days and the objection must come from the agency’s Deputy Secretary or equivalent level.
Final Determination timeline – The Final Rule changes certain timing associated with the Final Determination process but continues to rely on the 180-day time limit despite calls to shorten the review period. To improve clarity, it revises the 180-day time limit so that it begins when a party or parties to a transaction are served a copy of an Initial Determination and grants the Secretary sole discretion to extend this timeline. The DOC refused to establish an appeals process, but reconsideration may be warranted in some cases. The Secretary is not obliged to adopt the least restrictive means to address a determined “unacceptable risk.” The Secretary is now obligated to issue a Final Determination in every case in which the Secretary has previously issued an Initial Determination. Under the Interim Final Rule, a Final Determination was only required if the Initial Determination proposed to prohibit an ICTS Transaction. Finally, publication in the Federal Register is now mandatory in any case where there is a Final Determination, not just where it is a Final Determination prohibiting a transaction.
Penalties – The Final Rule now provides a list of activities that may lead to civil or criminal penalties. Persons can be held responsible for assisting in the violation of a Final Determination to mitigate an ICTS Transaction, through a mitigation agreement between the US Government and identified parties to an ICTS Transaction, if they have knowledge that such a mitigation agreement exists. Activities that are prohibited for those with knowledge of the existence of a mitigation agreement include aiding and abetting violations, commanding a violation, procuring a product that is prohibited and other prohibited activities. Finally, providing false information to the DOC in connection with an ICTS Transaction under review is also prohibited.
Still no licensing regime – The DOC did not establish a licensing regime for transactions (e.g., a type of pre-clearance option contemplated by the initial rule), but it is still considering the concepts related to providing licenses.
Still no blanket exempt categories – The Final Rule applies to types of ICTS transactions most affecting US national security and does not exempt categories of industries, sectors or entities.
What is next? – The new Secretary of Commerce has yet to take his position. Nothing that he said in his nomination hearing before the Senate Commerce Committee indicated that the changes in the Final Rule would be reconsidered or rescinded, or that existing investigations would be terminated. The Secretary’s further use of the authority embodied in the Final Rule remains to be seen, as his agenda and that of the Bureau of Industry and Security unfold. However, it seems unlikely that this tool for securing the ICTS supply chain will be abandoned. As such, more enforcement in this area is expected.
CHASING THE AMBULANCE CHASER?: TCPA Suit Against Accident Law Firm Shows Sharks Can Eat Each Other After All
This one will be fun for folks.
A personal injury law firm in Florida is being sued in a TCPA class action based on calls apparently made by a lead generator hoping to drum up work for the law firm.
The complaint alleges FRIEDLAND & ASSOCIATES, P.A. d/b/a Accident Claims called Plaintiff more than 130 times despite his number being on the DNC list and despite his requests to stop calling.
Friedland moved to dismiss the suit, but in Helmuth v. Friedland, 2025 WL 442477 (S.D. Fla. Feb. 10, 2025), the Court denied the motion, finding the complaint was properly pleaded.
Diving in a bit, the court found that allegations Defendant “encouraged Plaintiff to engage the legal services” of Friedland and “provided Plaintiff’s number to Defendant Friedland, which proceeded to call Plaintiff offering its legal services” were enough to show the calls were made at the law firm’s direction and subject to its control.
Next, Friedland argued the complaint should be dismissed because it does not identify the phone numbers the calls came from and does not state when the opt-out occurred in relation to the 130 alleged calls. The Court determined, however, that neither allegation was required given the large number of calls at issue – the court essentially inferred that the calls continued after a reasonable time had elapsed.
The Court also refused to dismiss the willful damage request determining a jury might decide Friedland’s conduct was knowing or willful.
Indeed, the Court refused even to throw out the injunctive relief claim, determining that, given over 100 calls were made to the guy, there was a likelihood of future injury.
My goodness.
A complete loss for a law firm in a TCPA suit.
Can’t say I like to see it. But I don’t hate it either.
April 11, 2025 Is Coming!: Reminder On New FCC Revocation Rules [Video]
But at a high level, come April 11, 2025, you will need to break up all messaging and voice calling across your enterprise into three tiers: i) marketing; ii) informational; iii) exempted.
Come April 11, 2025, a stop response will require ALL communications requiring the same or greater level of consent to cease, based on these tiers.
So a “stop” to a marketing message will require all calls and texts requiring PEWC or PIEP to cease;
A “stop” to an informational/transaction call will require all calls and texts requiring any level of express consent to cease;
A “stop” to an exempt message—such as a fraud alert—will require all messages of any kind using regulated technology to cease.
This is a very large change from the current rules.
There is a small opportunity to “clarify” with the consumer what they intended with their opt out request, but it cannot be used as a rebuttal and if the consumer does not respond you have to apply the rubric above.
Not good.
Also, unlike the FCC’s one-to-one rule, THERE IS NO LEGAL CHALLENGE to this rule, and there has been no effort by anybody to stay it (although R.E.A.C.H. is considering such an effort).
Biggest change in telecom this year folks. Hope you’re all ready.
“THE ULTIMATE CONSEQUENCE”: Small Businesses Fold as FCC Moves to Require Notification of Carrier Call Blocking – But Takes No Action on Real Problems
So the FCC plans to vote next month on a rule requiring carriers to advise callers when their calls have been blocked based on “reasonable analytics.”
On the one hand that’s fine, I guess. But the carriers should NEVER have been allowed to block calls without notification to begin with. That’s just insane.
And the fact that we will all need to wait another year before SIP code 603+ is in use is cold comfort.
But, slightly better than nothing I suppose.
What we really need is IMMEDIATE action on the R.E.A.C.H. petition to STOP illegal call/SMS blocking and mislabeling – and to dismantle TCR. This is URGENT.
Every day I am hearing from another small business telling me that call and text blocking – particularly text blocking – is threatening to put them (or is – wait for it – already putting them) out of business. TCR is most of the problem, but the aggregators and carriers blocking on the basis of content – including the phantom voicemails the carriers are apparently using to “block” calls while still charging for the traffic – is a massive problem.
So let’s back up and remind everyone of what’s at stake.
There are actually two separate issues, but they fall into the same basic concept of carriers blocking communications.
First is carrier VOICE call blocking based on “reasonable analytics.” This was first authorized back in 2018, and there have now been a ton of revisions to a safe harbor created to allow carriers to violate section 201 of the Communications Act – which basically requires carriers to act as “common carriers” and connect all phone traffic.
As already noted, carriers have been allowed to block calls for years now based on an unspecific black box of requirements that, as far as I can tell, have resulted in BILLIONS of LEGAL AND CONSTITUTIONAL phone calls being blocked essentially at the FCC’s invitation with ZERO recourse.
I talked to a client YESTERDAY who was having so much trouble getting calls to go through that he bought his own carrier operator. Plus he has to cycle through thousands of DIDs a day to avoid his numbers being labeled. As he tells me: “If you call more than 20 times a day from a DID they label you as spam. More than 40 they label you as scam.”
The carriers figure if you are calling at volume then your phone number must be important to your business. As soon as they know that, they figure you will pay them to white label your number, and they will block and label you until you pay up.
DISGUSTING.
Requiring the carriers to advise you (finally) when they block is step one – this should have been done years ago, of course – but so what if there’s no required redress?
And there isn’t.
Because the FCC has never said what can and cannot be blocked to begin with. That’s part of what the R.E.A.C.H. petition is trying to fix.
But that’s just the first problem and probably the smaller of the two.
The second problem is SMS blocking, and this is even more painful, and the FCC has intentionally made it harder for businesses to address. And you REALLY need to understand this part – because it is nuts.
Also, back in 2018, the FCC clarified that SMS isn’t a telecommunications service; it is an “information service.” Because, you see, SMS isn’t a communication function, it’s a storage function. You’re not talking to someone else when you send a message; you’re just transferring a data set.
Crazy, absurd, tortured logic – and one of the worst rulings to come out of the FCC at that time.
The classification of SMS as a Title III information service was done specifically to allow carriers to block SMS. It was believed at the time that the carriers had successfully deployed SMS blocking already, and the FCC didn’t want to upset the apple cart by stripping text blocking authority away from the carriers.
But they did.
By removing the requirement that the carriers faithfully transmit all SMS messages, the FCC allowed the carriers to dictate their own terms of use to content providers (people sending text messages), including declaring that certain content just wouldn’t be allowed on their networks.
Total violation of the First Amendment. A licensing scheme of the highest order.
It gets worse.
The carriers have conspired (anti-trust?) to only accept traffic registered through a company called The Campaign Registry. TCR is foreign owned and has both tremendous power and visibility in the telecom ecosystem right now.
TCR literally has the ability to prevent any business or political campaign from sending high volume text messages. And it is using that power to silence people based on CONTENT. And the aggregators are afraid of TCR rejections, so they are not even submitting campaigns to TCR to begin with (just like they are blocking SMS and calls that they think the carriers won’t like).
Just yesterday I was told of a campaign that an aggregator would not even submit to TCR for approval because the political message was “polarizing and considered offensive [to some].”
Prior restraints on free political speech are literally actively ongoing. It is a massive problem.
How big of a problem?
How about a small business that just shut down because it could not get 10DLC access. In the words of the owner:
To give you some background, we ran our business for five successful years using P2P texting – a model that allowed us to deliver highly responsive and personalized service. Our customer service was second to none, and we consistently met the high expectations of our clients. However, the introduction of 10DLC upended everything.
Here’s what happened…
Regulatory Impact: The 10DLC regulations brought with them a burdensome, protracted registration process. We were initially advised by our provider that unregistered traffic would soon be phased out (multiple times over the course of 2 years), prompting us to urge our clients to register promptly. Unfortunately, this promise was repeatedly reversed. Each time we were told to push for registration with an imminent cutoff, the timeline shifted unexpectedly. These delays were not trivial – they were lengthy enough to derail critical campaigns, especially for political clients with tight election deadlines.
Client Impact: The prolonged and unpredictable registration procedures forced our clients into a corner. Many of our smaller clients, who relied on our nimble P2P texting to engage with voters, found themselves unable to complete registration in time, rendering them unable to run their campaigns effectively. Worse yet, several larger clients, seeking more stable and predictable service, migrated to vendors who seemed to have insider information or more streamlined processes in place. The impact on our reputation was severe, despite our best efforts to support our clients every step of the way.
The Ultimate Consequence: After years of success, these cumulative issues made it impossible for us to maintain our business model. We prided ourselves on agility and excellent customer service, but the excruciating delays and inconsistent guidance around 10DLC left us with no viable path forward. This week, we made the difficult decision to close our doors.
Done.
Small business vaporized.
By a process that was never legal to begin with.
It’s nuts.
And here’s the worst part – it doesn’t work. In fact, SMS spam has gotten WORSE since TCR took over its little role as censorship king of America.
Now how is that possible?
Before, there was very little SMS spam. The FCC takes the reins off the carriers, they put a foreign-owned company in charge of network access, and now there is a ton of SMS spam.
Hmmmmm.
I wonder why that is?
Dear FCC:
I know you have A TON going on – and thank you very much for your efforts staying one-to-one – but we need a public comment period on the R.E.A.C.H. petition to stop all of this right away.
Thank you.
Navigating Text Messages in Discovery
In We The Protesters, Inc., et al. v. Sinyangwe et al., the Southern District of New York was recently called upon to resolve a discovery dispute that, according to the Magistrate Judge, “underscore[d] the importance of counsel fashioning clear and comprehensive agreements when navigating the perils and pitfalls of electronic discovery.” More specifically, the court was determining whether, without an express agreement between the parties’ counsel in place, plaintiffs could properly redact text messages based on responsiveness.
We The Protesters, Inc. Background
The litigation arose from a business divorce between the founders of the nonprofit Campaign Zero. Plaintiffs’ complaint asserted 17 causes of action for, inter alia, trademark infringement, unfair competition, misappropriation, and conversion. Defendants counterclaimed, accusing plaintiffs of copyright infringement, trademark infringement, cyberpiracy, and unfair competition.
In March 2024, the Hon. John P. Cronan granted in part and denied in part plaintiffs’ motion to dismiss three of defendants’ counterclaims. Discovery proceeded and the current dispute came to light after the parties exchanged productions of text messages and direct messages from a social media platform.
In drafting the operative discovery protocol, the parties agreed to collect and review all text messages in the same chain on the same day whenever a text within the chain hit on an agreed-upon search term. (Dkt. No. 64 at 1 & Ex. A). Plaintiffs understood this to mean they needed to produce only the portions of the messages from the same-day text chain that were responsive or provided context for a responsive text message.
Defendants had a different understanding, claiming the entire same-day text chain must be produced in unredacted form. Upon reviewing plaintiffs’ production, defendants objected and claimed plaintiffs’ unilateral redaction of these text messages was improper. Following an unsuccessful meet and confer, defendants filed a letter-motion seeking to compel production of unredacted copies of all text messages in the same chain that were sent or received within the same day. Plaintiffs responded, contending their redactions were proper and, in the alternative, seeking a protective order.
Discussion
Text Messages in Discovery
The court’s decision began with the observation that text messages are an increasingly common source of relevant and often critical evidence in 21st century litigation.[1] According to the court, text messages do not fit neatly into the paradigms for document discovery embodied by Rule 34 of the Federal Rules. Although amended in 2006 to acknowledge the existence of electronically stored information (ESI), i.e., email, the rules were crafted with different modes of communication in mind. Unlike emails, with text messages each text or chain cannot necessarily be viewed as a single, identifiable “document.”
And so the issue is whether, for discovery purposes, each text message should be viewed as its own stand-alone “document,” or whether the relevant “document” is the entire chain of text messages between the custodian and the other individual(s) on the chain, which could comprise hundreds or thousands of messages spanning innumerable topics.[2]
As the opinion notes, federal courts have adopted different approaches with respect to text messages. Some courts, including the Southern District of New York, suggest that a party must produce the entirety of a text message conversation that contains at least some responsive messages.[3] By contrast, other jurisdictions, like the Northern District of Ohio, hold “the producing party can unilaterally withhold portions of a text message chain that are not relevant to the case.”[4] “Still other courts have taken a middle ground.”[5]
Against this backdrop, the court noted that litigants are free to—and are well-advised to—mitigate the risk of this uncertain legal regime by agreeing on how to address text messages in discovery. Rule 29(b) specifically affords parties the flexibility to design their own, mutually agreed upon protocols for handling discovery, and “encourage[s]” counsel “to agree on less expensive and time-consuming methods to obtain information.”[6] Such “‘private ordering of civil discovery’” is “‘critical to maintaining an orderly federal system’” and “‘it is no exaggeration to say that the federal trial courts otherwise would be hopelessly awash.’”[7]
The court noted a party may think twice about insisting on the most burdensome and costly method of reviewing and producing text messages for its adversary if it knows it will be subject to the same burden and cost. In general, the parties are better positioned than the court to customize a discovery protocol that suits the needs of the case given their greater familiarity with the facts, the likely significance of text message evidence, and the anticipated volume and costs of the discovery.[8]
Resolution Where Agreement is Incomplete
Here, the court noted the parties negotiated an agreement regarding the treatment of text messages. However, the agreement was incomplete. According to the court, emails exchanged between the parties, along with the parties’ summary of the verbal discussions that took place, showed agreement that (1) discovery would include text messages; (2) specific search terms would be used to identify potentially responsive text messages; and (3) when a search term hit on a text message, counsel would review all messages in the same chain sent or received the same day, regardless of whether the text message that hit on the search term was responsive. The parties both produced responsive text messages in the form of same-day text chains, manifesting mutual assent that a same-day chain represented the appropriate unit of production. However, the parties’ agreement did not explicitly address whether, in producing those same-day text chains, texts deemed irrelevant and non-responsive would be redacted or, instead, the chains needed to be produced in their entirety. It was that failure that caused the instant dispute.
In resolving the dispute, the court viewed the issue through the prism of the parties’ prior agreement, discussions, and lack of discussions. The court indicated its task was not to determine the “right answer” to the redaction question in the abstract, but rather how to proceed with an agreement that was unknowingly incomplete. The court identified its task as akin to filling a gap in the parties’ incomplete agreement.[9]
In completing its task, the court noted the familiar principle of contract law that “contracting parties operate against the backdrop” of applicable law which, in this context, was supplied by Al Thani — the leading case in the Southern District on the issue of redactions from text messages and one authored by the presiding district judge in this litigation. Al Thani holds squarely that “parties may not unilaterally redact otherwise discoverable” information from text messages for reasons other than privilege.[10] Yet that is precisely what plaintiffs did.
The court further relied upon Judge Aaron’s decision in In re Actos Antitrust Litigation as instructive. In Actos, the issue involved “email threading,” i.e., the production of a final email chain in lieu of producing each separate constituent email. Specifically, a discovery dispute arose because defendants made productions “using email threading even though the Discovery Protocol, by its terms, did not permit such approach.”[11] Judge Aaron rejected defendants’ unilateral decision to use threading, explaining “if the issue had been raised when the parties were negotiating the Discovery Protocol, Plaintiffs may have been able to [avoid the issue], however, Plaintiffs were not provided the opportunity to negotiate how email threading might be accomplished in an acceptable manner.”[12] The court declined to impose threading on plaintiffs.
Here, the court found the Actos reasoning persuasive. If plaintiffs wanted to redact their text messages, it was incumbent upon them to negotiate an agreement to that effect or, in the absence of agreement, resolve the issue with the court before defendants made their production. Accordingly, as in Actos, the court construed the absence of a provision in the parties’ agreement allowing redaction of text messages to preclude plaintiffs from unilaterally redacting.
Considerations for Text Message Discovery
We The Protesters, Inc., is an important reminder of a few things. First, text messages and other forms of mobile instant messages are a critical form of evidence in today’s litigation. Any discovery protocol should address preservation, production, and potential redactions to that ESI. Additionally, given the cost and burden attendant to ESI, parties should leverage Rule 29(b) and fashion their own, mutually agreeable protocols for handling discovery, with an eye toward proportionality and efficiency. Finally, cooperation and communication are key in litigation. When in doubt, consider picking up the phone to opposing counsel. Here, had plaintiffs confirmed their intention to redact content prior to production, much effort and cost may have been avoided.
[1] Mobile phone users in the United States sent an estimated 2 trillion SMS and MMS messages in 2021, or roughly 5.5 billion messages per day, a 25-fold increase from 2005. SMS and MMS messages represent only a subset of the universe of mobile instant messaging, or MIM, which also includes other means of messaging via mobile phones. MIM, in turn, does not account for the vast volume of instant messages, or IM, sent on computer-mediated communication platforms. The use of IM and MIM “has become an integral part of work since COVID-19.” Katrina Paerata, The Use of Workplace Instant Messaging Since COVID-19, Telematics and Informatics Reports (May 2023).
[2] After all, an email chain is typically confined to a single subject, whereas a single text chain can read more like a stream of consciousness covering countless topics.
[3] Lubrizol Corp. v. IBM Corp. (citing cases); see also Al Thani v. Hanke (noting the general rule that parties may not unilaterally redact otherwise discoverable documents for reasons other than privilege), id. at *2; see also Vinci Brands LLC v. Coach Servs., Inc. (following Al Thani).
[4] Lubrizol at *4 (citing cases from various jurisdictions that follow this approach).
[5] Id. (citing cases from such jurisdictions).
[6] Id., 1993 Adv. Comm. Note.
[7] Brown v. Hearst Corp. (quoting 6 Moore’s Federal Practice § 26.101(1)(a)).
[8] See generally Jessica Erickson, Bespoke Discovery, 71 Vand. L. Rev. 1873, 1906 (2018) (“Parties should have more information than judges about the specific nature of their disputes and thus should be in a better position to predict the types of restrictions that will be appropriate.”).
[9] See In re World Trade Center Disaster Site Litig. (“In limited circumstances, a court may supply a missing term in a contract.”); Adler v. Payward, Inc. (“[C]ourts should supply reasonable terms to fill gaps in incomplete contracts.”) (citation omitted).
[10] Al Thani at *2.
[11] Id. at 551.
[12] Id.
A New Era: Trump 2.0 Highlights for Privacy and AI
Since the Trump 2.0 administration commenced, the U.S. federal government has experienced some major policy shifts. Several Biden-Harris administration era regulations are now eliminated or on a 60-day hold while under review. States and other organizations have filed lawsuits to stay implementation of certain Trump 2.0 initiatives (e.g., the funding freezes, deferred resignation offer, and birthright citizenship, among others).
Below is a summary of some of the federal ‘de-regulation’ related to privacy and AI that we are following:
The January Freeze: COPPA Rule Amendments
Issued on inauguration day, January 20, 2025, the Executive Order titled “Regulatory Freeze Pending Review” (Regulatory Freeze EO) directed federal agencies to not propose or issue any new rule and to withdraw any rule sent to the Office of the Federal Register but not published as final in the Federal Register.
The Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Rule (COPPA Rule Amendments) on January 16, 2025. The COPPA Rule Amendments were submitted to but not published in the Federal Register prior to January 20, 2025. Accordingly, while approved as final from the FTC’s perspective, the COPPA Rule Amendments remain a proposed rule with no effective date or compliance date. The Regulatory Freeze EO directs the FTC to “withdraw” the COPPA Rule Amendments until “a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.”
Also on January 20th, President Trump appointed FTC Commissioner Andrew Ferguson as FTC Chairman. While still in his role as a Commissioner, Chairman Ferguson voted in favor of the COPPA Rule Amendments but also cited “three major problems” in his concurring statement, which are:
Requiring operators to disclose and receive parental consent about the specific third parties to which the operators will disclose children’s personal information. Then-Commissioner Ferguson noted that not all additions or changes to the identities of third parties should require new parental consent. He suggested that the FTC “could have mitigated this issue” by clarifying that a “change is material for purposes of requiring new consent only when facts unique to the new third party, or the quantity of the new third parties, would make a reasonable parent believe that the privacy and security of their child’s data is being placed at materially greater risk.”
Prohibiting indefinite retention of children’s personal information. The COPPA Rule allows for retention of children’s personal information “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” (§ 312.10). Then-Commissioner Ferguson criticized the addition of the prohibition on indefinite retention because it “is likely to generate outcomes hostile to users,” providing the example that “adults might be surprised to find their digital diary entries, photographs, and emails from their childhood erased from existence.” He wrote that, because the term indefinite is not defined, operators “can comply with the Final Rule by declaring that they will retain data for no longer than two hundred years […] And if ‘indefinite’ is not meant to be taken literally, then it is unclear how the requirement is any different than the existing requirement to keep the information no longer than necessary to fulfill the purpose for which it was collected.”
“Missed opportunity” to clarify that the Amended COPPA Rule is “not an obstacle to the use of children’s personal information solely for the purpose of age verification.” Commissioner Ferguson noted that the COPPA Rule Amendments “should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”
Other notable changes in the COPPA Rule Amendments that were not part of the concurring statement include:
An official definition for “mixed audience”. While the concept of a mixed audience online service is covered in the COPPA Rule (see the FTC’s COPPA FAQs, Section D, Question 4), the COPPA Rule Amendments add a defined term for “mixed audience website or online service”. It means an online service that is directed to children within the meaning of COPPA but “that does not target children as its primary audience, and does not collect personal information from any visitor, other than for the limited purposes set forth in § 312.5(c), prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.”
Expanded Data Security Requirements. The COPPA Rule requires “reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” (§ 312.8) The COPPA Rule Amendments provide minimum requirements for this reasonableness standard, including a written information security program that contains many of the same safeguards required under state cybersecurity laws, i.e., an accountable person, risk assessments, testing and monitoring and vendor due diligence.
Not-So-Final: Sensitive Personal Data Transfers and Negative Options
On December 30, 2024, the U.S. Department of Justice released a Final Rule titled “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (DOJ Rules). President Biden’s Executive Order 14117 (EO 14117, dated February 28, 2024) directed the DOJ to issue the DOJ Rules. The DOJ Rules were published in the Federal Register on January 8, 2025.
In brief, the DOJ Rules apply to “U.S. persons,” which means U.S. citizens, nationals or lawful permanent residents, qualified refugees, entities organized under U.S. law, or persons “in the U.S.” (§ 202.256). Subject to certain exemptions (§ 202.501 to § 202.511), U.S. persons are prohibited or restricted from knowingly engaging in a “covered data transaction,” which means a sale or licensing of “bulk sensitive personal data” or “United States Government-related data,” a vendor agreement, employment agreement, or investment agreement (§ 202.210), that involves access by a “country of concern” (§ 202.209) or “covered person” (§ 202.211). (Countries of concern are China, Cuba, Iran, North Korea, Russia and Venezuela (§ 202.209).)
The DOJ Rules are effective on April 8, 2025. But, as a final rule published in the Federal Register prior to January 20th, the Regulatory Freeze EO requests that federal agencies “consider” postponing the effective date and opening a comment period for interested parties.
Even before the Regulatory Freeze EO was released, the DOJ had announced its intention to “continue to robustly engage with stakeholders to determine whether additional time for implementation is necessary and appropriate” during the 90 days between the DOJ Rules’ publication in the Federal Register and the effective date. Unlike many other Biden-era Executive Orders, EO 14117 was not rescinded on Inauguration Day. Whether the exclusion of EO 14117 means that the DOJ Rules will survive the regulatory freeze is unclear.
Another final rule subject to the regulatory freeze: FTC’s “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (Final Negative Option Rule), which was published in the Federal Register as final on November 15, 2024.
Parts of the Final Negative Option Rule were effective January 14, 2025, but businesses have until May 14, 2025, to comply with certain sections of the Final Negative Option Rule, i.e., § 425.4 (disclosures’ form, content and placement), § 425.5 (consent) and § 425.6 (simple cancellation mechanism).
Commissioner Holyoak wrote a dissent (89 FR 90540) to the Final Negative Option Rule, citing procedural issues and the failure to “define with specificity” the acts or practices that are unfair or deceptive and whether these practices are “prevalent.” FTC Chair Ferguson joined, which may indicate the parts of the Final Negative Option Rule that the FTC will revisit or replace. (More about the Final Negative Option Rule is available here.)
A third rule – the Personal Financial Data Rights Rule (PFDR Rule) – was published as final on November 8, 2024, and effective January 17, 2025 – three days before the Regulatory Freeze EO was issued. On February 3, 2025, the federal agency that issued the PFDR Rule – the Consumer Financial Protection Bureau (CFPB) – announced that Treasury Secretary Scott Bessent had taken over as acting head and ordered the CFPB to halt all activities. Subsequently, Democrats in Congress expressed concern in a February 7th letter to Acting Director Bessent. That same day, Russell Vought, the newly sworn-in Director of the Office of Management and Budget (OMB) and an architect of The Heritage Foundation’s Project 2025, reportedly replaced Secretary Bessent as acting head of the CFPB and echoed Secretary Bessent’s orders to the CFPB staff. In a social media post, Director Vought announced that the CFPB “will not be taking its next draw of unappropriated funding because it is not ‘reasonably necessary’ to carry out its duties. The Bureau’s current balance of $711.6 million is in fact excessive in the current fiscal environment.”
The CFPB website at https://www.consumerfinance.gov/ currently displays a “404: Page Not Found Error” and the CFPB offices were closed to CFPB staff and taken over by the Department of Government Efficiency (headed by Elon Musk) as of February 9, 2025.
The Congressional Review Act (CRA) (codified at 5 U.S.C. §§ 801-808) is also a consideration for these final rules. If a final rule is deemed a “major rule” (5 U.S.C. § 804) by the OMB, the CRA provides a special congressional procedure to overturn the rule during a so-called look-back period. The OMB deemed each of the Final Negative Option Rule, the DOJ Rules and the PFDR Rule a major rule.
The Senate Parliamentarian has determined that the CRA’s look-back period began on August 16, 2024, for rules submitted in the second session of the 118th Congress, which ended on January 3, 2025. Republican lawmakers have already indicated that they intend to use the CRA procedure to target as many of the Biden-Harris administration’s rules as possible.
The Big Shift in Artificial Intelligence Policy
President Biden’s Executive Order 14110 of October 30, 2023, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”, focused on “governing the development and use of AI safely and responsibly,” was rescinded by Trump’s Executive Order 14148 (“Initial Rescissions of Harmful Executive Orders and Actions”) and replaced by Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”) (Trump AI Executive Order) on January 23, 2025.
The Biden administration focused broadly on eight overarching principles for AI development: safety and security; privacy; managing AI bias and civil rights; consumer, patient and student protection; worker support; innovation and competition; international AI leadership; and federal use of AI. (Read more here.) By contrast, the Trump AI Executive Order is centered on deregulation and the promotion of AI innovation as a means of maintaining U.S. global dominance. (Read more here.)
The January Shakeup: The Data Privacy Framework
Alongside the CFPB and other U.S. federal government staffing changes, as well as the controversial Deferred Resignation Program, President Trump fired three of the four sitting members of the Privacy and Civil Liberties Oversight Board (PCLOB): Chair Sharon Bradford Franklin, who was three years into her six-year term; Professor Edward Felten; and Travis LeBlanc, who served in the Obama administration.
By statute, the PCLOB can have up to five members appointed by the President and confirmed by the Senate. Three members constitute a quorum, and no more than three members of the PCLOB can belong to the same political party. As of January 31, 2025, only one PCLOB member – Beth Williams, who served in the first Trump administration – remains at the PCLOB.
The PCLOB appointee removals are symbolically and practically significant to the future of the EU-U.S. Data Privacy Framework (DPF). The agreement between the European Commission and the U.S. that created the DPF (DPF Agreement) relies on a multi-layer mechanism for non-U.S. individuals to obtain review and redress of their allegations that their personal data collected through U.S. signals intelligence was unlawfully handled by the United States. As part of the negotiations for the DPF Agreement, President Biden issued the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086), directing federal agencies to address concerns – including redress mechanisms – relating to bulk digital surveillance by U.S. law enforcement and intelligence agencies. These concerns underpinned objections from EU regulators to the DPF’s predecessors. (Learn more about the DPF generally here.)
The PCLOB, which was created in 2004 to advise the federal government on civil liberties matters in connection with U.S. anti-terrorism laws, advised on the creation of the DPF’s redress mechanism. Even though the DPF Agreement was not voted into law by Congress and EO 14086 could be overturned by another President, the redress mechanism in the DPF Agreement was pivotal in demonstrating to the European Commission that EU citizens could receive protection for their personal data that is essentially equivalent to EU data protection law.
While the U.S. federal government is amid structural changes initiated by Trump 2.0, businesses looking to prepare for and advance compliance efforts face a difficult decision: whether to continue compliance efforts under the final rules described above or to stand down until the dust settles in Washington. For example, should a DPF-certified business revisit other cross-border transfer mechanisms now, in case the DPF does not survive legal challenges? Meanwhile, state legislatures continue to fill the void. So far this year, many states have already teed up new or amended privacy laws and new AI laws. Since neither a new federal AI law nor a new federal consumer privacy law seems to be top of mind for the Administration, businesses can for now continue with state law and federal sectoral law compliance efforts.
Krista Setera and Mary Aldrich contributed to this article.
In a Crisis, It Is Not Always Smart to Run for Shelter
Andre Haddad, CEO of the online car-sharing platform Turo, could have headed for shelter when the media storm hit. Instead, he appeared to embrace the adage, “Never let a good crisis go to waste.”
On New Year’s Day, not one but two vehicles rented through the Turo app were involved in horrific and high-profile tragedies, each generating worldwide coverage.
At 3:15 a.m. in New Orleans’s French Quarter, U.S. Army veteran Shamsud-Din Jabbar drove his rented Ford F-150 into a crowd of revelers, killing 14 people and injuring dozens more before police shot and killed him. Several hours later, Matthew Alan Livelsberger, an active-duty U.S. Army Green Beret, allegedly detonated his rented Tesla Cybertruck outside the main entrance of the Trump International Hotel Las Vegas before killing himself.
The media quickly zeroed in on Turo, a privately held company that has been described as an Airbnb for autos. A customer finds a privately owned vehicle they want to rent on the site, then books it from the “host” – an individual who can make money renting out their car to total strangers.
The Wall Street Journal on Jan. 2 questioned Turo’s safety record; Fox Business followed suit a day later. Both outlets noted that cars rented from Turo and other online sites are sometimes damaged, stolen, and abandoned, and some cars reportedly have been used for human smuggling.
While Turo initially addressed reporters’ questions with a statement, Haddad agreed to go live on CNBC on Jan. 3.
It was a smart move by the company. Haddad was humble, disarming, and appeared forthright. Even when addressing the toughest questions, he was not defensive but calm and earnest, and he used facts to tell his story.
CNBC news anchor Sara Eisen kicked off the interview by asking Haddad where the investigation stood.
“We’ve been working around the clock to investigate and partner with law enforcement,” Haddad said. “My first thoughts are for the families and victims. We are really heartbroken for them. This feels so unfair.”
Eisen then asked Haddad how Turo could rent vehicles to individuals who caused such destruction and death.
While the company uses a proprietary, data-based algorithm to screen each potential renter, Haddad stressed that these two individuals had no criminal record or any other disqualifying factors.
“They had valid U.S. driver’s licenses, in fact, they were decorated servicemen,” Haddad said. “They … could have boarded any flight. They could have rented any other car in any traditional car rental chain. They could have checked into any hotel, and there were no red flags, no one would have flagged them as a security risk. So, it’s a very challenging situation to deal with.”
Eisen pressed Haddad on safety concerns.
“You know there have been articles, including on NBC, that Turo is no stranger to safety concerns, and for years, these peer-to-peer platforms have been faced with criticism about stolen cars used for nefarious purposes,” she said. “What is it about the business?”
Haddad acknowledged that there have been many “terrorist attacks” using rented vehicles “over the last 20 years in the U.S. and abroad,” but said that Turo felt “very good” about its own trust and safety track record. He supported his position with a series of facts:
“We’ve been around for 13 years, so we’re not new. We’ve facilitated over 90 million book days, 27 million trips to date, and the rate of serious incidents on our platform over that whole period, across all of these trips, is less than 0.1%. So, our safety track record is very strong,” he said.
He added, “I believe that … Turo happened to be chosen this time instead of others because we have become a really large player in this market.”
Many companies would have refused to put their leader in front of the media. Too many risks, they would conclude. What if the CEO says something that digs the company into a deeper hole or opens it up to a lawsuit? It is easy to say, “Let’s just give them a statement and be done with it.”
But Haddad’s appearance gave the company an opportunity to demonstrate a measure of humanity by acknowledging the victims and their families. Haddad also used the platform to underscore Turo’s work with legal authorities, to stress the company’s successful track record, to highlight its state-of-the-art technology for screening out bad actors, and to reiterate Turo’s support for hosts whose vehicles have been damaged.
Haddad and his team smartly recognized that they had a compelling story to tell, and he was brave enough to tell it. Granted, there are times when it is best to say nothing, but the Turo case provides a roadmap for all CEOs and communications pros on how to handle a crisis.
Sometimes, the best strategy is putting the CEO out front and letting them deliver the message.