Changes to EEO-1 Report Approved
As an update to our previous post, the EEOC’s request for a non-substantive change to remove the option for employers to voluntarily report non-binary data on the EEO-1 data collection has been approved without change.
We are now waiting to see when EEOC will open the 2024 EEO data collection portal. In the proposed instructions filed with the requested change, EEOC indicated May 20, 2025 as the anticipated opening.
We are continuing to monitor the situation and will report back with any updates.
California Privacy Protection Agency Fines National Clothing Retailer More Than US$345,000 for Alleged CCPA Privacy Rights Violations
The California Privacy Protection Agency (CPPA) has made clear that failing to ensure compliance with consumer privacy requests can be costly. Last week was no different when the CPPA took decisive enforcement action against national clothing retailer Todd Snyder, Inc., signaling that companies’ execution of consumer rights requests under the California Consumer Privacy Act of 2018, as amended (the CCPA), is at the center of the California privacy regulator’s priorities. This article explores the basis for the CPPA’s latest enforcement action and summarizes key takeaways to help minimize regulatory scrutiny.
Key Findings
On May 6, 2025, the CPPA announced that it had issued an order requiring the clothing retail company to change its business practices and pay a US$345,178 fine to resolve alleged violations of the CCPA with respect to the retailer’s procedures in responding to consumer privacy requests. This is the CPPA’s second major enforcement announcement based on similar privacy violations in recent months.
Specifically, the CPPA alleged that the clothing retailer had violated the CCPA in the following ways:
Failure to Process Consumer Opt-Out Requests: For a period of 40 days, the company’s privacy portal was not properly configured. As a result, requests from consumers to opt-out of the sale or sharing of their personal information were not processed.
Excessive Information Collection: When consumers submitted privacy-related requests, the company required them to provide more personal information than was necessary to process these requests. This ran counter to the CCPA’s data minimization requirement.
Unnecessary Identity Verification: Consumers were also required to verify their identity (even to opt-out of personal information sales or sharing — a step that is generally not required under CCPA unless sensitive information is being accessed or deleted).
The CPPA’s latest enforcement action highlights critical compliance features related to consumer opt-out rights and the handling of personal information, with particular emphasis on the company’s reliance on third-party privacy management tools and its imposition of excessive verification requirements.
Lessons Learned
Below are some key takeaways that can help CCPA-regulated businesses stay out of the CPPA’s crosshairs when it comes to complying with consumer rights requests:
1. Do not simply rely on third-party privacy management tools without ongoing oversight, but instead regularly monitor, test, and validate the effectiveness of these tools to ensure that consumer privacy rights are respected, and that opt-out mechanisms are functioning as required by law. This requires an ongoing interface between both the technical and legal teams to ensure both know what technologies are being implemented as well as the appropriate (and compliant) actions taken with respect to those technologies. According to the CPPA, “[u]sing a consent management platform doesn’t get you off the hook for compliance.”
Illustrative Example
The CPPA found that Snyder installed third-party tracking technologies (such as cookies and pixels) on its website, which collected and shared consumer personal information for analytics and cross-context behavioral advertising. Although the company expressly represented to consumers that they could opt out of the sale or sharing of their personal information via a Cookie Preferences Center, a technical misconfiguration rendered the opt-out mechanism inoperable for 40 days in late 2023.
2. Ensure that consumers can successfully exercise their opt-out rights easily, as well as identify and remediate any website design flaws that prevent consumers from exercising their requests via your website or other online interface.
Illustrative Example
In this latest enforcement action, the CPPA alleged that the clothing retailer had not properly configured its website’s opt-out mechanism (e.g., opt-out preference signals, such as the Global Privacy Control, were not processed during the 40-day period noted above), and that its consent banner kept disappearing before consumers could submit their requests to opt out of the sale and sharing of personal information, making it impossible for consumers to submit opt-out requests.
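The two lessons above come down to one engineering requirement: an opt-out signal must actually change what the site loads, and someone has to check that it does. The following is an added example, not code from the post or from the retailer, showing server-side handling of the Global Privacy Control signal (the `Sec-GPC: 1` request header defined by the GPC specification) together with a self-audit that flags opted-out requests for which a sale/share tag was nevertheless loaded. The request shape, the cookie name `optout_sale_share`, the tag names and the sample traffic are all constructed for the example; the header keys are assumed to be lowercased, as Node’s HTTP parser does.

```javascript
// Added example (not from the post or from Todd Snyder): honoring the Global
// Privacy Control (GPC) opt-out signal server-side, plus an audit that checks
// whether sale/share tags were actually suppressed when an opt-out applied.
//
// Assumptions (constructed for this example): a request is a plain object with
// lowercased `headers` and a `cookies` map; the cookie name `optout_sale_share`
// and the tag names below are made up; `loadedTags` records which third-party
// tags the site actually emitted for that response.

// Tags that sell or share personal information (constructed list).
const SALE_SHARE_TAGS = new Set(["ad-pixel", "retargeting-sdk", "cross-site-analytics"]);

// True when the request carries an opt-out that must be honored.
// The GPC spec sends exactly `Sec-GPC: 1`; any other value is not a signal.
// A previously saved opt-out preference cookie also counts.
function isOptedOut(request) {
  const gpc = (request.headers["sec-gpc"] || "").trim();
  if (gpc === "1") return true;
  return request.cookies["optout_sale_share"] === "1";
}

// Filter the tags a page wants to load down to those permitted for this request.
function allowedTags(request, requestedTags) {
  if (!isOptedOut(request)) return [...requestedTags];
  return requestedTags.filter((tag) => !SALE_SHARE_TAGS.has(tag));
}

// Audit sampled traffic: return every opted-out request that still loaded a
// sale/share tag. Running this on a schedule is the "monitor, test, validate"
// step the post recommends; an empty result is the expected outcome.
function auditOptOutHandling(samples) {
  const violations = [];
  for (const sample of samples) {
    if (!isOptedOut(sample.request)) continue;
    const leaked = sample.loadedTags.filter((tag) => SALE_SHARE_TAGS.has(tag));
    if (leaked.length > 0) violations.push({ id: sample.id, leaked });
  }
  return violations;
}

// Constructed sample traffic: two honored requests, two violations.
const SAMPLES = [
  { id: "r1", request: { headers: { "sec-gpc": "1" }, cookies: {} },
    loadedTags: ["first-party-analytics"] },                    // honored
  { id: "r2", request: { headers: { "sec-gpc": "1" }, cookies: {} },
    loadedTags: ["first-party-analytics", "ad-pixel"] },        // violation
  { id: "r3", request: { headers: {}, cookies: { optout_sale_share: "1" } },
    loadedTags: ["retargeting-sdk"] },                          // violation
  { id: "r4", request: { headers: { "sec-gpc": "0" }, cookies: {} },
    loadedTags: ["ad-pixel"] },                                 // no opt-out signaled
];

console.log(JSON.stringify(auditOptOutHandling(SAMPLES)));
```

The audit compares what the request asked for with what the site actually did, which is the gap a consent-management platform misconfiguration opens: the banner and the stored preference can look correct while the tags still fire. Feeding it a regular sample of real responses (with the tag list taken from the rendered page rather than from the platform’s own dashboard) is what turns the legal obligation into a verifiable control.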
3. When responding to a consumer’s CCPA rights request, (i) seek to rely, as much as possible, on data the business already has in its possession to verify the identity of the consumer making the request, and (ii) do not ask consumers for information that is not needed to process the request.
Illustrative Example
Todd Snyder required consumers to upload pictures of their driver’s licenses (which are considered sensitive personal information) to verify their identity for any CCPA request submitted. This requirement was imposed regardless of the type of CCPA request, including opt-out requests, which under the CCPA do not require verification. By requiring government identification for all requests, Snyder unlawfully imposed an undue burden on consumers and discouraged them from exercising their privacy rights. In addition, according to the CPPA, even for verifiable consumer requests (where verification is appropriate), the CCPA requires businesses to avoid collecting more information than necessary and to use information already maintained by the business whenever feasible. Accordingly, Snyder’s blanket requirement for government identification exceeded what was necessary and violated these provisions.
4. Do not engage in verification when it is not necessary to do so, and make sure that your policies and procedures are clear as to when a consumer’s request needs verification and when it does not.
Illustrative Example
As discussed above, Todd Snyder required consumers to provide certain information to verify their identity in connection with opt-out requests they submitted, even though the CCPA prohibits businesses from requiring consumers to verify their identity for opt-out requests. Thus, if you are subject to the CCPA and receive an opt-out request, you should not proceed to verifying the identity of the consumer making that request.
Conclusion
By understanding the alleged CCPA violations brought against Todd Snyder in this latest enforcement action, CCPA-regulated businesses can help to ensure that their processes and mechanisms for managing consumer privacy requests align with the CCPA’s requirements and reduce the likelihood that their practices for handling consumer requests under this state law are subject to regulatory scrutiny.
Oregon Suit Muddies Crypto Regulatory Landscape
On April 18, 2025, the State of Oregon brought a civil enforcement action against Coinbase Global, Inc. (“Coinbase”) for the alleged sale of unregistered securities. In a press release, Oregon Attorney General Dan Rayfield openly acknowledged the action was in response to the United States Securities and Exchange Commission (“SEC”) dropping its own case against Coinbase, noting his belief that “states must fill the enforcement vacuum being left by federal regulators who are giving up under the new administration.” This begs the question: is the federal government’s resetting of its approach to crypto regulation an “enforcement vacuum” or a return to order?
Oregon’s complaint asserts that certain digital assets on Coinbase’s platform are investment contracts and, thus, securities under Oregon law. In order to be offered for sale in Oregon, a security must be registered or fall under an exemption (e.g., “Federal covered securities may be offered and sold in [Oregon] without registration,” subject to administrative conditions). ORS 59.049, 59.055, 59.115. Oregon statutorily defines a security to include “investment contracts” (see ORS 59.015), and its courts use a modified version of a test established by the United States Supreme Court in SEC v. W.J. Howey, 328 U.S. 293 (1946), to determine if a particular investment is a security. Oregon claims that Coinbase solicited and participated, or materially aided, in the sale of unregistered crypto securities, resulting in violations of Oregon’s blue sky laws.
The suit is aggressive in that it bumps up against the SEC’s historically exclusive mandate to regulate national exchanges, and for that reason, is vulnerable to legal challenge. In addition, consistent with the state’s press release, it was apparently brought in direct response to the SEC’s dismissal of its Coinbase enforcement action. However, the dismissal of this case and those against other crypto firms are hardly the only things the SEC has done in the crypto space of late. Since President Trump reentered the White House, the SEC has undertaken numerous steps to bring some order to crypto regulation. In recent remarks, newly-minted SEC Chair Paul Atkins stated that the SEC is committed to establishing a “rational, fit-for-purpose framework for crypto assets,” enabling innovation that has been “stifled for the last several years due to market and regulatory uncertainty that unfortunately the SEC has fostered.”
Consistent with this objective, the SEC has established a Crypto Task Force whose purpose is to “help the Commission draw clear regulatory lines, provide realistic paths to registration, craft sensible disclosure frameworks, and deploy enforcement resources judiciously.” The Task Force has hosted industry roundtables addressing key subjects relevant to crypto regulation. At the inaugural roundtable, then-Acting Chair Mark Uyeda remarked that the “approach of using notice-and-comment rulemaking or explaining the Commission’s thought process through releases—rather than through enforcement actions—should have been considered for classifying crypto assets under the federal securities laws.” Topics addressed by roundtables thus far include defining the security status of digital assets, tailoring regulation for crypto trading, know-your-customer considerations for crypto custody, and tokenization. A fifth roundtable is scheduled for June 9 on the subject of “DeFi and the American Spirit.” The roundtables are broadcast live to the public and archived for later viewing through links posted on the SEC’s website.
Moreover, at a conference in March 2025, Uyeda remarked that the SEC would conduct economic analyses that would help the agency “distinguish between approaches that are effective and efficient, versus those that are effective but costly.” He added that the SEC is “required by statute to consider efficiency, competition, and capital formation in its rulemaking. Our Division of Economic and Risk Analysis has developed robust procedures that build on this statutory mandate, recognizing that high-quality economic analysis is an essential part of our rulemaking.” Industry participants might fairly claim that these efforts are far from the SEC “giving up” and leaving an “enforcement vacuum” that states must rush to fill.
Taking the opposite tack of Oregon, several states have yielded in their pursuit of Coinbase. The Coinbase suit that the SEC dismissed was originally brought in June 2023, alongside ten states that initiated actions claiming the company’s administration of its crypto staking program resulted in unregistered securities offerings. According to the SEC’s press release accompanying its complaint, these ten states were part of a task force that coordinated their efforts with the SEC. After the SEC dismissed its case against Coinbase with prejudice in February 2025, five of those ten states—Vermont, Alabama, Illinois, Kentucky and South Carolina—followed suit. Some of those state regulators that withdrew their Coinbase actions have highlighted the SEC’s ongoing rulemaking efforts in their rescission papers. For instance, the Alabama Securities Commission’s Consent Order rescinding its June 6, 2023 Show Cause Order without prejudice cited the new SEC Crypto Task Force’s work and stated that “it would be apt to allow policy makers time to consider regulatory constructs.” The other five states that participated in the task force—California, New Jersey, Maryland, Washington and Wisconsin—have left their enforcement actions against Coinbase in place, at least for the time being.
While states may go their own way when they sense a regulatory gap, restraint may be the better course where active efforts are underway at the federal level to fill that gap with a legal framework informed by stakeholder input. Emergent state actions like Oregon’s present novel complications in the search for regulatory clarity. Given this state of play, both crypto industry participants and investors stand to benefit from governmental patience and coordination as the SEC’s Crypto Task Force performs its work.
UK Data (Use and Access) Bill Status Update
As the draft UK Data (Use and Access) Bill (the “DUA Bill”) reaches its final stages, the House of Commons and the House of Lords are still debating several key issues. On May 14, 2025, the House of Commons received a program motion, urging it to deliberate on the amendments proposed by the House of Lords on May 12, 2025. The latest amendments introduced by the House of Lords include:
Scientific Data: Limiting the scope of the ‘scientific data’ provision by setting a higher standard for the reasonableness test such that “scientific research must be conducted according to appropriate ethical, legal and professional frameworks, obligations and standards.” This amendment is contrary to the position taken by the House of Commons, which proposed expanding the scope of the ‘scientific data’ provision by removing the requirement for the processing of ‘scientific data’ to be conducted in the ‘public interest.’
AI Models: Introducing transparency requirements for business data used in relation to AI models. The amendment would require developers of AI models to publish all information used in the pre-training, training, fine-tuning and retrieval-augmented generation of the AI model, and to provide a mechanism for copyright owners to identify any individual works they own that may have been used during such processes. The amendment also introduces transparency obligations in respect of “bots,” including the requirement to disclose information on the (1) name of the bot, (2) legal entity responsible for the bot, and (3) specific purpose for which each bot is used.
Sex Data: Introducing requirements for ‘sex data’ to be collected in the context of digital verification services.
The House of Commons will now consider such amendments. With the DUA Bill’s progress accelerating, it is anticipated that the DUA Bill will soon be finalized.
Read the latest amendments proposed by the House of Lords.
For more information on the DUA Bill, read our previous update on the DUA Bill.
The TCPA Landscape in 2025: Key Developments and Compliance Priorities
The Telephone Consumer Protection Act (TCPA) continues to be a major source of litigation risk for businesses engaged in outbound marketing. In the first quarter of 2025, litigation under the TCPA surged dramatically, with 507 class action lawsuits filed — more than double the volume compared to the same period in 2024. This steep rise reflects shifting enforcement patterns and a growing emphasis on consumer communications practices. Companies should be aware of several emerging trends and evolving interpretations that are shaping the compliance environment.
TCPA Class Action Trends
In the first quarter of 2025, 507 TCPA class actions were filed, representing a 112% increase compared to the same period in 2024. April filings also reflected continued growth, indicating a sustained trend.
Key statistics:
Approximately 80% of current TCPA lawsuits are class actions.
By contrast, only 2%-5% of lawsuits under other consumer protection statutes, such as the Fair Debt Collection Practices Act (FDCPA) or the Fair Credit Reporting Act (FCRA), are filed as class actions.
This trend highlights the unique procedural and financial exposure associated with TCPA compliance.
Time-of-Day Allegations on the Rise
There has been an uptick in lawsuits alleging that companies are contacting consumers outside of the TCPA’s permitted calling hours — before 8 a.m. or after 9 p.m. local time. In March 2025 alone, a South Florida firm filed over 100 lawsuits alleging violations of these timing restrictions, many of which involved text messages.
Under the TCPA, telephone solicitations are not permitted during restricted hours, unless:
The consumer has given prior express permission;
There is an established business relationship; or
The call is made by or on behalf of a tax-exempt nonprofit organization.
It is currently unclear whether these exemptions definitively apply to time-of-day violations. A petition filed with the FCC in March 2025 seeks clarification on whether prior express consent precludes liability for messages sent during restricted hours. The FCC accepted the petition and opened a public comment period that closed in April.
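Most of the time-of-day suits described above turn on a mechanical point: the window is measured in the consumer’s local time, so the same scheduled send can be lawful for one recipient and not for another, and daylight-saving transitions shift the boundary by an hour. The block below is an added example, not code from the post, of a send-time gate that evaluates the 8 a.m. to 9 p.m. window in the recipient’s IANA time zone, defers out-of-window messages to the next permitted minute, and keeps the three exemptions listed above behind an explicit switch, since the post notes that whether they cover time-of-day violations is an open question before the FCC. The contact record fields, the option names and the sample instants are constructed for the example.

```javascript
// Added example (not from the post): a send-time gate for outbound calls or
// texts enforcing the TCPA quiet hours described above (no solicitation before
// 8 a.m. or after 9 p.m. in the consumer's local time).
//
// Assumptions (constructed for this example): the consumer's IANA zone has
// been derived from their address and stored as `contact.timeZone`; the
// permission and established-business-relationship exemptions are booleans on
// the contact; the nonprofit exemption is a property of the sender. Whether any
// exemption excuses a quiet-hours send is unsettled (see the FCC petition), so
// the gate only relies on them when `relyOnExemptions` is set explicitly.

const FIRST_PERMITTED_HOUR = 8;  // 08:00 local is the first permitted minute
const QUIET_START_HOUR = 21;     // 21:00 local and later is off limits

// Local hour and minute of `when` in `timeZone`, via Intl so the platform's
// zone database handles daylight-saving transitions.
function localHourMinute(when, timeZone) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone, hourCycle: "h23", hour: "numeric", minute: "numeric",
  }).formatToParts(when);
  const part = (type) => Number(parts.find((p) => p.type === type).value);
  return { hour: part("hour"), minute: part("minute") };
}

// True when `when` falls in [08:00, 21:00) local time.
function withinPermittedHours(when, timeZone) {
  const { hour } = localHourMinute(when, timeZone);
  return hour >= FIRST_PERMITTED_HOUR && hour < QUIET_START_HOUR;
}

// Earliest instant at or after `when` that is inside the window. Stepping a
// minute at a time and re-evaluating local time avoids computing zone offsets
// by hand around DST changes; at most 24 hours of steps are ever needed.
function nextPermittedSend(when, timeZone) {
  let t = new Date(when.getTime());
  for (let i = 0; i < 24 * 60 && !withinPermittedHours(t, timeZone); i++) {
    t = new Date(t.getTime() + 60 * 1000);
  }
  return t;
}

// Gate decision for one message. Returns { allow, reason, sendAt }.
function sendDecision(contact, when, options = {}) {
  if (withinPermittedHours(when, contact.timeZone)) {
    return { allow: true, reason: "within 8am-9pm local", sendAt: when };
  }
  const exempt =
    contact.priorExpressPermission === true ||
    contact.establishedBusinessRelationship === true ||
    options.senderIsTaxExemptNonprofit === true;
  if (options.relyOnExemptions === true && exempt) {
    return { allow: true, reason: "outside hours; exemption relied upon", sendAt: when };
  }
  return {
    allow: false,
    reason: "outside 8am-9pm local; deferred",
    sendAt: nextPermittedSend(when, contact.timeZone),
  };
}

// Constructed sample: one instant, two recipients in different zones.
const SAMPLE_INSTANT = new Date("2025-01-10T12:30:00Z"); // 07:30 EST / 04:30 PST
const SAMPLE_CONTACTS = [
  { id: "c1", timeZone: "America/New_York", priorExpressPermission: true },
  { id: "c2", timeZone: "America/Los_Angeles" },
];
for (const c of SAMPLE_CONTACTS) {
  const d = sendDecision(c, SAMPLE_INSTANT);
  console.log(c.id, d.allow, d.reason, d.sendAt.toISOString());
}
```

The decision function returns a deferral time rather than just refusing, so a queue can reschedule instead of dropping the message, and every decision records which rule produced it; keeping that record alongside the consent evidence is what lets a business answer a time-of-day allegation with data rather than argument.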
Drivers of Increased Litigation
Several factors appear to be contributing to the rise in TCPA filings:
An increase in plaintiff firm activity and case volume;
Ongoing confusion regarding the interpretation of revocation rules; and
Continued complaints regarding telemarketing practices, including unwanted robocalls and text messages.
These dynamics reflect a broader trend of regulatory and private enforcement in the consumer protection space.
Compliance Considerations
Businesses should take steps to ensure their outbound communication practices are aligned with current TCPA requirements. This includes:
Documenting consumer consent clearly at the point of lead capture;
Ensuring systems adhere to permissible calling and texting times;
Reviewing policies and procedures for revocation of consent; and
Seeking guidance from counsel with experience in consumer protection laws.
Conclusion
The volume and nature of TCPA litigation in 2025 underscore the need for proactive compliance. Companies should treat consumer communication compliance as a core operational issue. Regular policy reviews, up-to-date systems, and informed legal support are essential to mitigating risk in this evolving area of law.
Pennsylvania PUC Reviews Data Center Impacts Amid New Energy Plan
Key Takeaways:
During a recent Pennsylvania Utility Commission (PUC) hearing to evaluate how the rise in data centers is impacting energy demand, grid reliability and utility regulation, stakeholders emphasized fair cost allocation for infrastructure, opposing special treatment for data centers and favoring standard tariff processes.
Primary concerns include infrastructure investment and cost allocation, generation and reliability issues, and tariff design.
Six proposed bills in connection with Governor Shapiro’s “Lightning Plan” were unveiled on the same day of the PUC hearing, aimed at modernizing Pennsylvania’s energy landscape through a carbon cap-and-invest program, expanded clean energy targets, streamlined project approvals, infrastructure tax incentives, support for rural and low-income communities, and enhanced energy efficiency rebates.
As data centers surge across Pennsylvania, the PUC is taking a closer look at their impact on energy systems and regulatory oversight. At the same time, Governor Shapiro’s Lightning Plan proposes sweeping changes to modernize the Commonwealth’s energy systems, setting the stage for potential shifts in utility law and oversight. This update explores the legal context, policy drivers and impacts that may emerge from the intersection of infrastructure growth and state energy policy.
On April 24, 2025, the PUC convened an en banc hearing to address the growing impact of data centers and other large electricity consumers on the state’s power grid. In the Motion calling for the hearing, the Chair recognized what has been a running theme across the nation for large load consumers and developers looking to attract data centers — uncertainty regarding both the interconnection timeline and the costs these users will face to procure power in the Commonwealth.
The hearing brought together stakeholders from tech, public utility and consumer advocacy groups to discuss the opportunities presented by the rapid expansion of energy-intensive facilities and the challenges posed by the new demand on the grid. The testimony bore out three primary themes: (1) generation and reliability concerns, (2) infrastructure investment and cost allocation and (3) tariff design.
Infrastructure and Cost Allocation
Fair cost allocation was articulated as a priority by utility and data center panelists alike. The utilities explained in detail how their large load interconnection process works, including how infrastructure investment costs specific to large load customers are allocated. Panelists encouraged the PUC to avoid the creation of a data center customer class and instead rely on cost-of-service studies and rate case proceedings to ensure transparency and the proper allocation of costs to data center customers. This would mean that data centers would be customers under tariffs and not under special contracts, which are often filed for commission approval on a confidential basis.
Tariff Design
The panelists expressed differing views around a model tariff versus a policy statement. Some panelists advocated for a policy statement citing concerns around changes in the market and the potential of a model tariff that is too restrictive or cannot adapt to a changing environment. Others, particularly the statutory advocates, believe a model tariff will level the playing field for utilities serving data centers and not force the utilities to compete against each other in attracting them.
Commissioner Zerfuss noted at the end of the utility panel that she saw no difference between a model tariff and a policy statement, as both would be considered recommendations and not mandates.
Generation and Reliability
With the anticipated surge in electricity demand, the PUC acknowledged the strain on the existing grid infrastructure. The PUC emphasized that simply building more generation or transmission facilities may not suffice, advocating for a diversified approach that includes load management and demand response strategies. Panelists discussed the concept of a “bring your own generation” (BYOG) model, where data centers would provide their own power generation infrastructure, such as solar panels or wind turbines, to support their primary generation needs.
From a regulatory compliance perspective, BYOG could convert a data center to a utility, thus obligating compliance with a host of utility regulations. While some data centers are already navigating complex FERC guidelines resulting from recent FERC orders allowing them to monetize their on-site generation, a BYOG data center could also be subject to grid interconnection laws, energy trading restrictions and local zoning laws around where on-site generation can be located. It remains unclear whether BYOG would slow the development of data centers in the Commonwealth given the potential regulatory and legal obstacles that the data centers may face. There is a possibility, however, that the legal framework may change because of Governor Shapiro’s “Lightning Plan.”
The Lightning Plan
On the day of the PUC hearing, Governor Josh Shapiro’s Lightning Plan was introduced into the General Assembly through six pieces of legislation.
The Pennsylvania Climate Emissions Reduction Act (PACER) (HB 503) introduces a cap and invest program requiring power plants to pay for their carbon emissions with 70 percent of the revenues funneled back to consumers through utility bill rebates and the rest funding low-income assistance and clean energy initiatives.
The Pennsylvania Reliable Energy Sustainability Standard (PRESS) (HB 501) aims to increase the Commonwealth’s clean energy requirement from eight to 35 percent by 2035.
The Pennsylvania Reliable Energy Siting and Electric Transition (RESET) Board (HB 502) would expedite energy project approvals by streamlining the siting and permitting process in the Commonwealth, which is one of only 12 states without a state siting and permitting entity for such projects.
Improvements to the EDGE Tax Credit (HB 500) would add tax incentive credits for investment in energy infrastructure, including up to $100 million annually for new power plants over three years.
The community energy bill (HB 504) would support rural communities, farmers and low-income residents by promoting shared energy resources — such as methane digesters on farms — to reduce energy costs.
Modernizing energy efficiency in the Commonwealth (HB 505) through an amendment to Act 129 would provide more money to consumers in the form of rebates and incentives for buying energy efficient appliances.
Data Transactions: DOJ’s Final Rule’s Implications for Academic Medical Centers with Clinical Research Programs
The Department of Justice (DOJ) published its Final Rule to implement Executive Order 14117 on January 8, 2025, with a correcting amendment issued April 18, 2025. Executive Order 14117, issued on February 28, 2024, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” instructed the Attorney General to create regulations that ban or limit U.S. persons from participating in transactions involving property in which a foreign country or its nationals have an interest. Transactions are banned or limited if they involve U.S. government-related data or bulk sensitive personal data (as defined by the final implementing rules), fall into categories deemed by the Attorney General to pose a national security risk (with such security risk arising from potential access to data by identified countries of concern or related individuals), and meet additional criteria outlined in the Executive Order.
The Final Rule outlines categories of transactions that are either banned or limited; designates specific countries and types of individuals or entities with whom transactions involving government-related or bulk U.S. sensitive personal data are restricted; creates a system for granting, modifying, or revoking licenses for otherwise restricted activities and for issuing advisory opinions; and sets requirements for transaction recordkeeping and reporting requirements to support the DOJ’s investigations, enforcement, and regulatory actions in relation to the Executive Order.
Academic Medical Centers (AMCs) and similar entities engaged in clinical research and international collaborations need to be aware of and determine the applicability of the regulatory requirements imposed by the Final Rule. Research partnerships involving biometric identifiers, personal health information, or genomic data may be deemed restricted or prohibited transactions if the partnerships include entities from designated countries of concern.
Summary
The Final Rule is aimed at preventing certain U.S. foreign adversaries — including China, Russia, Iran, North Korea, Cuba, and Venezuela — from accessing sensitive U.S. personal data and government-related information.
Key Definitions. The Final Rule authorizes the DOJ to regulate and enforce restrictions on data transactions with designated “Countries of Concern” and “Covered Persons.”
“Country of Concern” is defined to mean:
any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce, (1) has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons, and (2) poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.
“Covered Person” is defined to include: (1) foreign entities that (a) are fifty percent or more owned, directly or indirectly, by Countries of Concern or other Covered Persons; or (b) are organized under the law of, or have their principal place of business in, a Country of Concern; (2) foreign entities that are fifty percent or more owned, directly or indirectly, by Covered Persons, either individuals or entities; (3) foreign individuals who are non-U.S. residents working as employees or contractors of a Country of Concern; (4) foreign individuals primarily residing in Countries of Concern; and (5) other entities or individuals as reasonably determined by the Attorney General based on certain criteria.
Categories of Covered Data. The Final Rule targets eight categories of “Covered Data,” including biometric identifiers, genomic data, health and financial data, precise geolocation information, and personal identifiers that can be linked to other sensitive data. It also includes certain government-related information, such as data tied to U.S. government personnel or the geolocation of sensitive facilities. Notably, the regulations apply regardless of data processing volume when government-related information is involved.
Primary Types of Restricted Transactions. The DOJ identifies three primary types of restricted transactions: employment, investment, and vendor agreements. U.S. businesses must ensure foreign employees, investors, and service providers — especially those linked to Countries of Concern — do not gain access to Covered Data unless strict security protocols are met. This affects a wide range of commercial activities, from hiring and corporate deals to cloud services and software subscriptions, and likely impacts AMCs engaging in clinical research when data is shared with certain employees, research sponsors, investors and service providers. Prohibitions and restrictions of the Final Rule, however, only apply to Covered Data Transactions with a Country of Concern or Covered Person that involve access by a Country of Concern or Covered Person to government-related data or bulk U.S. sensitive personal data. The Final Rule does not regulate transactions that do not implicate access to government-related data or bulk U.S. sensitive personal data by a Country of Concern or a Covered Person.
Prohibited Transactions. Notably, under the Final Rule certain transactions are absolutely prohibited, such as those involving the sale or licensing of Covered Data to foreign entities in data brokerage arrangements, or those involving biometric data or biospecimens.
Penalties for Non-Compliance. Violations of the Final Rule carry significant fines and penalties. Civil fines can reach the greater of US$368,136 or twice the transaction amount. Willful violations may result in criminal penalties of up to US$1 million and up to 20 years in prison.
The Bottom Line for Clinical Research. To comply with the Final Rule, AMCs must engage in rigorous and thorough diligence on proposed and existing research activities, collaborations and operations, including on their partners, clients, employees/contractors, and data recipients, to determine if a proposed or existing transaction falls within the ambit of the Final Rule. The scope and penalties for violations of and non-compliance with the Final Rule are a clear indicator that a process to determine and ensure compliance with the Final Rule will be critical for AMCs, and businesses across industries, that engage in activities and transactions involving personal or government-related data.
Implications for Academic Medical Centers with Clinical Research Programs
The Final Rule adds a new layer of regulatory compliance complexity for AMCs and similar entities engaged in clinical research and international collaborations.
Research studies and activities, including research collaborations and partnerships involving biometric identifiers, personal health information or genomic data, may be deemed restricted or prohibited transactions if the partnerships include entities from designated Countries of Concern and/or Covered Persons.
Existing and proposed multi-national studies and data-sharing initiatives must be reviewed to determine if the Final Rule is applicable to the study or activity, and if so, to ensure compliance.
Additionally, AMCs must ensure that vendors, including cloud and AI service providers, are not affiliated with Countries of Concern and that all data processing activities meet stringent new security and compliance standards. As noted above, ensuring compliance with the Final Rule will necessitate a thorough review of the AMC’s vendor contracts.
Further, the Final Rule necessitates a reassessment by AMCs of their data-sharing policies and multi-site protocols, and will likely require the incorporation of national security-focused compliance clauses in certain data sharing agreements (such as data use agreements) and the enhancement of institutional data governance frameworks. Those frameworks should be designed to avoid and mitigate any legal and regulatory exposure, and to ensure that the institution is able to maintain eligibility for receipt of federal funding.
Next Steps
This Final Rule prescribes significant categorical rules that prevent U.S. persons from providing government-related data or U.S. citizens’ bulk, sensitive personal data, including through commercial data-brokerage transactions, to Countries of Concern or Covered Persons. Compliance with the Final Rule specifically necessitates that AMCs and institutions implement security measures when engaging in investment transactions, employment agreements, and vendor contracts that involve either government-related data or large-scale collections of sensitive personal data — such as health records, biometric identifiers, or financial information.
The requirements of the Final Rule are intended to prevent foreign adversaries from indirectly accessing this data through commercial relationships. By identifying these specific transaction types, the Final Rule seeks to address perceived national security gaps and provides clear, enforceable standards that define when and how data-related dealings with foreign actors are restricted.
Failure to comply with these new requirements could result in fines and penalties, regulatory scrutiny, loss of federal funding, and enforcement actions, making compliance with the Final Rule, when and as applicable to a transaction and activity, a critical compliance priority for AMCs and institutions handling large volumes of sensitive personal data.
Belgium’s Private Investigations Act: Is Your Internal Investigations Service in Focus?
In December 2024, the new Private Investigations Act came into force. The Act replaced the Private Detectives Act of 1991 and was long overdue, considering how much has changed in the world of private investigations. The 1991 law focused on detectives as sole practitioners, think Columbo or Magnum P.I., a world of uncertain ethics, periodic violence and grubby raincoats, most of which no longer exists outside the small screen. The new Act aims to modernise the applicable legal framework in light of new investigation methods and bring it into line with the General Data Protection Regulation (GDPR), though sadly not to address the traditional private detective issues of implausible dialogue and unhappy dress choices.
The Act imposes a number of obligations on employers instructing investigations on their employees, and we will discuss these changes at length in future blogs, but there is a more pressing issue we need to deal with first, and that regards your internal investigations service. The Act extends its scope from solo private detectives to all types of investigations companies but more importantly, also to internal investigations services. An internal investigations service is defined by the Act as ‘any service organised by a natural or legal person for its own purposes for the systematic performance of private investigation activities’. This definition is very wide and has prompted the legislator to exclude a number of roles and functions, such as lawyers, bailiffs and auditors.
The legislator has taken into account that in practice, internal services are often organised at group level and has therefore provided that investigation activities still qualify as internal when they are performed for the benefit of companies in the same group structure. What the legislator has seemingly not considered, however, is that international groups will often have an investigations team in one location, which is not necessarily Belgium, that will conduct all investigations for the group, including those concerning employees located in Belgium. This means that the Belgian legislator has probably also not fully realised that the registration obligation imposed by the Act may thus also extend to these internal investigations services located outside of Belgium, if their remit extends to this country.
The Act provides an exception for members of the HR team “who carry out private investigation activities on behalf of their own employer within the framework of incident investigations [not defined] involving employees of that employer”. The HR team will not be considered to perform the activities of an internal investigations service, so the registration obligation will not apply to them. The criterion of distinction would be the focus of the team: is it day-to-day HR activities, with an exceptional side activity of investigative work, or is investigation work the main focus for the team?
So what does this registration obligation entail? Internal investigations services must obtain a prior authorisation or licence from the Ministry of Interior to lawfully conduct private investigations in Belgium. The licence is granted for a renewable period of five years. It will only be awarded if the members of the team have a clean criminal record (minus some minor offences), have undergone specific training and are Belgian nationals or have their main residence in the EEA or Switzerland. This would seem to suggest the end of investigations being carried out more or less remotely by the US parents of local subsidiaries, though it is unclear at this stage just how much (substantial) advisory input into the investigation process and/or decisions there can still be from abroad so long as the team is fronted by someone satisfying the above conditions. The members of the team should also have a certain “desired profile”, meaning that they will honour individuals’ fundamental rights, be loyal and discreet, and not entertain suspicious relations with criminal organisations, etc.
The licence is awarded by the Ministry of Interior, which may, and in some cases must, seek the prior advice of the public prosecutor.
If an internal investigations service was already validly performing private investigation activities on the date of entry into force of the Act, 16 December 2024, it may continue to perform such services, but it will need to make a request to obtain a licence by 16 June 2025. The members of these teams will have 18 months after their company obtained a licence to undergo the required training and obtain a licence card. The specific training requirements are in fact still to be defined by Royal Decree.
TALK IS CHEAP: Summary Judgment Isn’t Interested in Rumors
Greetings TCPAWorld!
I’m back with the latest. Let’s talk about a name-dropper’s worst nightmare. The Southern District of Ohio has ruled a significant win for TCPA defendants in a recent decision emphasizing the importance of admissible evidence in telemarketing litigation. In Schwartz v. Bamz Enters., L.L.C., Case No. 1:23-cv-608, 2025 U.S. Dist. LEXIS 89794 (S.D. Ohio May 12, 2025), Magistrate Judge Stephanie K. Bowman recommended granting summary judgment to the defendant in a matter where callers falsely claimed to represent a legitimate business. Just saying you’re someone doesn’t make it so. This wasn’t just a procedural ruling…but a resounding endorsement of evidentiary standards that protect legitimate businesses from being dragged into litigation based solely on hearsay.
At TCPAWorld, we don’t just track trends, but we spotlight the rulings that matter. This is a significant case to add to the growing body of case law protecting companies from liability when scammers or unauthorized third parties appropriate their business names during telemarketing calls—and it’s precisely the kind of misdirected claim Troutman Amin is built to defeat!
So what’s the scoop? Plaintiff received six telemarketing calls between January and March 2023 from individuals claiming to represent “Living Well Screening.” The calls pitched various medical testing services, including cancer genetic testing and free COVID test kits through Medicare. Plaintiff, who had registered his number on the DNC list in May 2021, recorded these calls and filed suit against Bamz Enterprises, LLC (“Bamz”), which legitimately does business under the trade name “Living Well Screening.” At first glance, this appeared to be a straightforward TCPA violation. However, as the Court’s analysis reveals, appearances can be deceiving regarding caller identity. For instance, it’s like blaming the bank for a phishing scam just because the scammer said, ‘This is Wells Fargo.’ Caller ID might tell one story, but admissible evidence reveals the truth.
Judge Bowman zeroed in on the most critical element of any TCPA claim: proving who made the calls at issue. Here, the only evidence connecting Bamz to the calls was the callers’ own statements that they represented “Living Well Screening.” The Court’s analysis was unequivocal: “Those recorded statements are clearly hearsay, insofar as they are out-of-court statements offered for the truth of the matter asserted. Pursuant to Rule 56(c)(1)(B), a party is entitled to summary judgment if it can show that an adverse party cannot produce admissible evidence to support the fact.” Id. at *6.
Let’s think about this for a moment. This reasoning aligns perfectly with Fed. R. Civ. P. 56, which requires admissible evidence to survive summary judgment. Hearsay statements from unidentified callers don’t meet this threshold. While the Plaintiff’s theory may appear convincing at first glance, it is crucial to recognize that courts must rely on credible evidence rather than anonymous assertions.
In contrast to Plaintiff’s inadmissible evidence, Bamz presented substantial sworn testimony that none of the six calls originated from Bamz facilities, Bamz has never owned or used an automatic telephone dialing system (“ATDS”), none of the named callers (Ron Williams, Marsha, David, Ann, and Maria) were ever employed by or affiliated with Bamz, and Bamz never authorized any third party to make telemarketing calls on its behalf. As such, Bamz clearly demonstrated that its business model focused solely on providing customer service for at-home medical testing kits—referred to as “kit chasing”—rather than selling these products through telemarketing.
In turn, Plaintiff attempted to salvage his case by pointing to Bamz’s marketing materials describing itself as a “call center” and referencing “sales” activities. See Schwartz, 2025 U.S. Dist. LEXIS 89794, at *11. However, the Court dismantled this argument by asserting: “Plaintiff’s evidence is even more tangential and speculative.” Id. Bamz’s unrebutted sworn testimony clarified that while it briefly considered expanding its call center operations into sales, that effort never materialized. See Schwartz, 2025 U.S. Dist. LEXIS 89794, at *12-13. The mere capability or aspiration to conduct telemarketing is not evidence that a company engaged in such activities.
Judge Bowman’s recommendation aligns with a growing trend across federal courts. In Lindenbaum v. Realgy, L.L.C., 606 F. Supp. 3d 732 (N.D. Ohio 2022), the Court granted summary judgment because the plaintiff could only offer hearsay statements from callers claiming to represent the defendant. Moreover, the Court in Worsham v. TSS Consulting Grp., L.L.C., Case No. 6:18-cv-1692-LHP, 2023 WL 5016558, at *2 (M.D. Fla. Aug. 7, 2023), was equally direct, holding that a plaintiff’s hearsay statement that callers claimed to work for the defendant was “simply insufficient” to overcome summary judgment.
Does this case ring any alarm bells? We see companies whose names have been misappropriated by unauthorized callers all the time. A successful defense strategy includes presenting sworn testimony from company officers denying authorization of the calls, providing comprehensive employee records showing none of the identified callers work for your company, documenting your business model and demonstrating how it differs from the activities described in the calls, and challenging the admissibility of the plaintiff’s evidence under the hearsay rule. As Judge Bowman notes, in today’s telemarketing environment, “unscrupulous telemarketers or scammers employ a variety of deceptive practices – including misrepresenting that they are affiliated with a government agency or a legitimate company or charity – in order to manipulate the person that they are calling.” Schwartz, 2025 U.S. Dist. LEXIS 89794, at *6.
The decision recognizes that the technological landscape has changed dramatically since the law’s enactment in 1991. Today, spoofing technology and international call centers make it easier than ever for unscrupulous operators to impersonate legitimate businesses. The Court acknowledged this evolving landscape, noting that legitimate telemarketers abide by TCPA rules. But illegitimate ones…do not. Id. at *5.
Perhaps most compelling was Plaintiff’s admission during deposition that he had no admissible evidence to refute “[Bamz’s] claim that someone is using Living Well Screening without their permission, and that [Bamz] is not responsible for the six calls.” See Schwartz, 2025 U.S. Dist. LEXIS 89794, at *7-8. This acknowledgment underscores the fundamental weakness in many similar TCPA claims in which the only evidence connecting a defendant to allegedly illegal calls is the caller’s unverified statement.
Here we have a significant victory for TCPA defense litigation. It recognizes that company names can be easily misappropriated by bad actors, and it places the evidentiary burden squarely on plaintiffs to prove caller identity through admissible evidence. Judge Bowman aptly concluded: “To deny summary judgment on the record presented would be to ignore the shifting burdens built into Rule 56 and allow a plaintiff to proceed to trial who lacks admissible evidence on the most critical element of his claim – here, the caller’s identity.” Id. at *9.
So here’s a critical takeaway for TCPAWorld: as litigation around spoofing and impersonation continues to rise, courts are signaling that if your only link is a voice on the line, it better come with more than a name drop. Courts are willing to protect legitimate businesses from liability for the unauthorized actions of third parties who appropriate their names or brand identities. In an era of spoofing and shadow dialing, proof beats presumption.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
SEC Chairman Lays Out Crypto Agenda
In prepared remarks at the SEC’s roundtable on tokenization held May 12, 2025, SEC Chairman Paul Atkins provided a roadmap for the SEC’s future efforts involving crypto and digital assets. A “key priority,” Atkins declared, “will be to develop a rational regulatory framework for crypto asset markets that establishes clear rules of the road . . . while continuing to discourage bad actors from violating the law.”
Chairman Atkins cited President Trump’s desire for the US to be the “crypto capital of the planet,” and promised to coordinate with the Administration and Congress. Atkins announced that SEC policy “will no longer result from ad hoc enforcement,” but instead the SEC will use “rulemaking, interpretive and exemptive authorities to set fit-for-purpose standards for market participants.”
Atkins then turned to three areas of focus for crypto assets: issuance, custody and trading. As to issuance, Atkins intends for the SEC to establish clear guidelines for distributions of crypto assets that are securities or subject to an investment contract. He referenced recent SEC staff statements on digital assets and alluded to several accommodations the SEC could make to its rules and procedures to advance this goal. Atkins also asked the SEC staff to consider whether additional guidance, registration exemptions or safe harbors are necessary.
On custody, Atkins announced his support for providing greater optionality. He hopes to provide clarity on the status of “qualified custodians” under the Investment Advisers Act and the Investment Company Act, as well as to consider whether it is necessary to repeal and replace the “special purpose broker-dealer” framework, which is utilized by only two entities.
Finally, on trading, Atkins is in favor of providing a broader variety of financial products on trading platforms, including permitting trading of both securities and non-securities in a single venue. In an effort to prevent registrants from going offshore to innovate with blockchain technology, Atkins would also like to explore whether conditional SEC exemptions would be appropriate to level the playing field between offshore and US regulation.
SEC Regulation in a Non-Regulatory Environment
With Paul Atkins as the new SEC Chair, the agency’s priorities have shifted away from many of the aggressive policies of former Chair Gensler. The first four months of the Republican-controlled SEC saw a dramatic shift in the approach to crypto with the dismissal or pause of major litigation, the termination of several longstanding investigations, the rescission of accounting guidance regarding the safeguarding of crypto assets and the establishment of a new task force to help formulate the regulatory approach to crypto going forward. With the enforcement program under a new SEC undergoing significant changes, there will likely be a return to more traditional enforcement cases with greater emphasis on egregious conduct involving pecuniary gain or investor harm, moving away from “pushing the envelope” cases. Enforcement sweeps involving off-channel communications, late filings and other “broken windows” initiatives are expected to fall by the wayside. Regulation by enforcement could be replaced by increased interaction with the Staff, formal or informal guidance or lighter-touch rulemaking.
New Chair Atkins has advocated for greater transparency and efficiency in rulemaking and enforcement. Under his leadership, onerous new rulemaking should decrease dramatically, helpful guidance on existing rules should emerge and new ideas could be solicited through industry roundtables. Amendments to existing rules may even open new possibilities for fund managers and other investment advisers (including, per recent announcements, facilitating capital formation). On the enforcement front, investigations may proceed more efficiently, resolve faster, and focus more on substantive violations. Settlements may also align more closely with the SEC’s penalty guidelines, calibrated to elements of the penalty statute.
A new direction in rulemaking and enforcement, however, does not necessarily mean that the Staff will no longer focus on the concerns underlying the more controversial issues under former Chair Gensler. The current Republican Commissioners may have previously spoken critically of certain rule proposals, but they have also recognized a need to prevent fraudulent or other harmful activities by investment advisers and other regulated market actors. Thus, while the SEC may not bring waves of high penalty, off-channel communications cases against registered entities, the Staff will expect those records to be retained as required under existing rules and may more regularly request their production in exams and investigations. Other issues that may have been referred to Enforcement in the past may remain as exam deficiencies, or the investigative Staff could look harder to find a substantive violation over mere compliance policy or internal control violations.
Having developed specialized expertise over private fund managers since the adoption of Dodd-Frank, the Examinations Division (both at the Regional Office level and at the Division’s Private Funds Unit), as well as the Enforcement Division’s Asset Management Unit, will continue to look for emerging, impactful issues and cases. Indeed, given the expected return to more “bread-and-butter” issues and enforcement cases, the following traditional issues involving private fund managers should still be in play:
Fiduciary Obligations – situations involving allegations of potential fraud, breach of fiduciary duty, or conflicts of interest; expect greater scrutiny where the alleged conduct involves pecuniary gain to the manager or investor losses or other harm. Issues relating to fees and expenses, allocations, valuations, cross-fund transactions and related matters should remain a focus in exams and enforcement, as they were under the previous Republican administration.
Retail Investors – matters that can be framed as protection of individual investors (i.e., registered funds or 3(c)(1) funds, which do not limit their investors to “qualified purchasers”); the market’s push towards retailization of alternatives may heighten the Staff’s interest in this area.
Trading/MNPI – insider trading investigations, which have been supported across the political divide; the Staff’s focus on credit instruments and other markets that traditionally have not been a focus has been demonstrated by recent enforcement actions alleging an adviser’s failure to maintain and enforce written MNPI policies involving trading in distressed debt and collateralized loan obligations.
While enforcement actions based solely on violations of the Compliance Rule (Rule 206(4)-7 under the Investment Advisers Act) seem less likely, these investigations typically begin by focusing on potential substantive violations. Enforcement Staff rarely set out to pursue compliance policy cases. Under the new SEC, investigations that fail to reveal substantive violations are more likely to be terminated without an enforcement recommendation, rather than resolved with compliance violations. However, investigations and exams will still focus on a firm’s culture of compliance. The perception of weak internal controls or inadequate policies is often viewed as a “red flag,” prompting the Staff to dig deeper and look for other potential issues – some of which may lead to related (or even unrelated) substantive findings the longer the Staff’s review drags on.
The SEC’s shift in rulemaking and enforcement priorities is certainly welcomed by many investment advisers. It should not, however, be seen as a move to complete deregulation, and investment advisers should remain focused on compliance and their fiduciary obligations.
Additional Authors: Seetha Ramachandran, Nathan Schuur, Robert Sutton, Jonathan M. Weiss, William D. Dalsen, Adam L. Deming, Adam Farbiarz and Hena M. Vora
Colorado Legislature Passes Amendments to Colorado Privacy Act
On May 7, 2025, the Colorado legislature passed a bill to protect the civil rights of persons in Colorado based on immigration status, (S.B. 276), which, if signed into law, would amend the Colorado Privacy Act (“CPA”). The bill awaits signature by Colorado Governor Jared Polis.
The bill would amend the CPA’s definition of “sensitive data” to include precise geolocation data, and would amend the definition of “precise geolocation data” from information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of [1,750] feet to global positioning system (GPS) coordinates within a radius of [1,850] feet; or any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of [1,850] feet.
The definition of “precise geolocation data” would exclude the content of communications or “any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.”
The bill also would amend the CPA to prohibit controllers from “selling” consumers’ sensitive data without first obtaining consumers’ prior affirmative consent. Note that the current version of the CPA already prohibits the “processing” of consumers’ sensitive data without consent, which term is defined to include the “sale” of personal data, but this amendment would make this requirement more explicit.