Congress Revisits Stablecoins
After unsuccessful past efforts to enact federal legislation regulating stablecoins, Congress has again turned to stablecoins. While it is always difficult to predict whether any bill will pass, there seems to be growing support in the current Congress, with the Senate Banking Committee and House Financial Services committee working closely together to adopt legislation.
In the Senate, a bipartisan bill entitled the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act is sponsored by Senators Bill Hagerty (R-TN), Tim Scott (R-SC), Cynthia Lummis (R-WY) and Kirsten Gillibrand (D-NY). The bill defines a payment stablecoin as a digital asset used for payment or settlement that is pegged to a fixed monetary value. It would permit both bank and certain nonbank entities to issue payment stablecoins, and provides for either federal or optional state regulation, depending on the total amount of stablecoins issued. The bill makes clear that payment stablecoins are not securities subject to SEC regulation, and instead provides for banking-like examination, supervision and enforcement.
In the House, House Financial Services Committee Chair French Hill (R-AR) and Digital Assets, Financial Technology, and Artificial Intelligence Subcommittee Chairman Bryan Steil (R-WI) announced a discussion draft of a bill entitled the Stablecoin Transparency and Accountability for a Better Ledger Economy (STABLE) Act. The bill is similar in many respects to the GENIUS Act in that it seeks to provide a path for the permitted issuance of payment stablecoins with regulation at either the federal or state level. A key difference between the GENIUS Act and STABLE Act is that while the GENIUS Act requires the Treasury Department to prepare a written study on “endogenously collateralized stablecoins,” also known as algorithmic stablecoins, the STABLE Act imposes a two-year moratorium on their issuance.
CISA and FDA Sound Alarm on Backdoor Cybersecurity Threat with Patient Monitoring Devices
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the U.S. Food and Drug Administration (“FDA”) released warnings about an embedded function they found in the firmware of the Contec CMS8000, a patient monitoring device used to provide continuous monitoring of a patient’s vital signs, including electrocardiogram, heart rate, temperature, blood oxygen and blood pressure.[1] Healthcare organizations utilizing this device should take immediate action to mitigate the risk of unauthorized access to patient data, to determine whether or not such unauthorized access has already occurred, and to prevent future unauthorized access.
Contec Medical Systems (“Contec”), a global medical device and healthcare solutions company headquartered in China, sells medical equipment used in hospitals and clinics in the United States. The Contec CMS8000 has also been re-labeled and sold by resellers, such as the Epsimed MN-120.
The three cybersecurity vulnerabilities identified by CISA and FDA include:
An unauthorized user may remotely control or modify the Contec CMS8000, and it may not work as intended.
The software on the Contec CMS8000 includes a “backdoor,” which allows the device or network to which the device has been connected to be compromised.
The Contec CMS8000, once connected to the internet, will transmit the patient data it collects, including personally identifiable information (“PII”) and protected health information (“PHI”), to China.
Mitigation Strategies
Healthcare organizations should take an immediate inventory of their patient monitoring systems and determine whether their enterprise uses any of the impacted devices. Because there is no patch currently available, FDA recommends disabling all remote monitoring functions by unplugging the ethernet cable and disabling Wi-Fi or cellular connections if used. FDA further recommends that the devices in question be used only for local in-person monitoring. Per the FDA, if a healthcare provider needs remote monitoring, a different patient monitoring device from a different manufacturer should be used.
Healthcare providers that are not using impacted devices should still take the time to conduct an audit of their patient monitoring and other internet-connected devices to determine the risk of potential security breaches. Organizations should use this opportunity to evaluate, once again, their incident response plans, continue to conduct periodic risk assessments of their technologies, and evaluate whether their organization’s policies, procedures, and plans enable them to fulfill cybersecurity requirements.[2]
[1] See CISA, Contec CMS8000 Contains a Backdoor (January 30, 2025); FDA, Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication (January 30, 2025).
[2] See, e.g., Polsinelli’s discussion of cybersecurity compliance in 2025.
FINRA Facts and Trends: February 2025
Welcome to the latest issue of Bracewell’s FINRA Facts and Trends, a monthly newsletter devoted to condensing and digesting recent FINRA developments in the areas of enforcement, regulation and dispute resolution. We dedicate this month’s issue to FINRA’s 2025 Annual Regulatory Oversight Report. Read about the Report’s findings and observations, below.
FINRA Issues 2025 Regulatory Oversight Report
On January 28, 2025, FINRA published its 80-page 2025 Regulatory Oversight Report (the Report), offering insights and observations on key regulatory topics and emerging risks that firms should consider when evaluating their compliance programs and procedures. Broadly speaking, the Report identifies relevant rules, summarizes noteworthy findings, highlights key considerations for member firms’ compliance programs, and provides helpful and practical considerations as member firms analyze their existing procedures and controls.
The 2025 Report discusses 24 topics relevant to the securities industry. While many of these are perennially important topics, the Report also includes two new sections: third-party risk landscape and extended hours trading. Below, we provide an overview of the Report’s new priorities, together with certain continuing priorities highlighted in the Report.
A FINRA Unscripted podcast episode about the report — featuring Executive Vice President and Head of Member Supervision, Greg Ruppert, Executive Vice President and Head of Market Regulation and Transparency Services, Stephanie Dumont, and Executive Vice President and Head of Enforcement, Bill St. Louis — is available on FINRA’s website.
Newly Identified Priorities
Third-Party Risk Landscape: The most significant addition to the Report is a new top-level section on Third-Party Risk Landscape. Firms’ reliance on third parties for many of their day-to-day functions creates risks, and, as the Report indicates, this new section was prompted by “an increase in cyberattacks and outages at third-party vendors” firms use.
As the broad heading indicates, the newly added material outlines effective practices and general steps to be taken by firms, including:
maintaining a list of all third-party vendor-provided services, systems and software components that the firm can leverage to assess the impact on the firm in the event of a cybersecurity incident or technology outage at a third-party vendor;
adopting supervisory controls and establishing contingency plans in the event of a third-party vendor failure;
affirmatively inquiring whether potential third-party vendors incorporate generative AI into their products or services, and evaluating and reviewing contracts with these third parties to ensure they comply with the firm’s regulatory obligations, e.g., adding contractual language that prohibits firm or customer information from being ingested into the vendor’s open-source generative AI tool;
assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data;
ensuring that a vendor’s access to a firm’s systems and data is revoked when the relationship ends; and
periodically reviewing the default features and settings of third-party vendor tools.
Extended Hours Trading: In recent years, trading in National Market System stocks and other securities has extended beyond regular trading hours. In its other new section, FINRA reminds firms that offer extended hours trading that they must comply with FINRA Rule 2265, which requires that these firms provide their customers with a risk disclosure statement. Importantly, if a firm allows its customers to participate in extended hours trading online, the firm must be sure to post a risk disclosure statement on the firm’s website “in a clear and conspicuous manner.” In addition to Rule 2265, firms participating in extended hours trading must also comply with FINRA Rule 5310 (Best Execution and Interpositioning) and Rule 3110 (Supervision).
The Report recommends the following best practices to address any perceived risks associated with extended hours trading:
conducting best execution reviews geared toward evaluating how extended hours orders are handled, routed and executed;
reviewing customer disclosures to ensure they address the risks associated with extended hours trading;
establishing and maintaining supervisory processes designed to address the “unique characteristics or risks” of extended hours trading; and
evaluating the operational readiness and customer support needs during extended hours trading.
Continuing Priorities
In addition to the Report’s new topics, each of the Report’s sections — Financial Crimes Prevention, Firm Operations, Member Firms’ Nexus to Crypto, Communications and Sales, Market Integrity, and Financial Management — places special emphasis on certain continuing priorities that will remain key focus areas for FINRA in 2025:
Reg BI and Form CRS: Reg BI and Form CRS have been perennial areas of focus for FINRA since they first became effective in 2020. The 2025 Report details a number of new findings and observations for each of the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure, and Compliance).
With respect to the Care Obligation, many of FINRA’s latest findings and observations center around firms’ obligations with respect to recommendations of complex or risky products. FINRA reminds firms making such recommendations to consider whether the investments align with the customer’s overall investment profile, and whether the investment would result in concentrations that exceed the firm’s policies or the customer’s risk tolerance, or that represent an inappropriate portion of a retail customer’s liquid net worth.
The primary addition to the Report concerning firms’ Conflict of Interest Obligation is a finding that firms may violate Reg BI by failing to identify all material conflicts of interest that may incentivize an associated person to make a particular recommendation, such as a financial incentive to recommend the opening of an account with the firm’s affiliate, or to invest in securities tied to a company in which the associated person has a personal ownership stake.
The Report also contains a new finding related to the Compliance Obligation, noting that firms must have written policies and procedures that address account recommendations (as distinct from investment recommendations), including transfers of products between brokerage and advisory accounts, rollover recommendations, and potentially fraudulent patterns of account switches by the same associated person.
While the Report contains no new findings or observations related to the Disclosure Obligation, FINRA continues to remind firms of their obligation to provide customers “full and fair” disclosures of all material facts related to the scope of their relationship and any conflicts of interest.
As it relates to Form CRS, the Report’s findings included failures to properly deliver Form CRS and to properly post Form CRS — including posting Form CRS on any websites maintained by financial professionals who offer the firm’s services through a separate “doing business as” website.
Cybersecurity and Cyber-Enabled Fraud: The Report’s section on Cybersecurity and Cyber-Enabled Fraud — titled Cybersecurity and Technology Management in previous years’ reports — includes several important additions in 2025.
Most prominently, the Report highlights the emerging risks associated with quantum computing, a new technology that relies on quantum mechanics to perform functions not possible for more traditional forms of technology. Noting that many financial institutions have recently begun exploring use of quantum computing in their business operations, the Report warns that these technologies could be exploited by threat actors. Among other things, quantum computing has the potential to quickly break current encryption methods utilized by firms in the financial services industry. FINRA recommends that firms considering the use of quantum computers place a particular emphasis on ensuring cybersecurity, third-party vendor management, data governance and supervision.
The Report also discusses a variety of cybersecurity threats and attacks that financial institutions must be prepared to counter. First, the Report observes an increase in the variety, frequency and sophistication of many common threats, including new account fraud, account takeovers, data breaches, imposter sites, and “quishing” (an attack that uses QR codes to redirect victims to phishing URLs). In addition to these more conventional threats, the Report also describes several emerging threats, including: Quasi-Advanced Persistent Threats (Quasi-APTs) (sophisticated cyberattacks intended to gain prolonged network or system access); Generative AI-Enabled Fraud (attacks that make use of emerging generative AI technology to enhance cyber-related crimes); and Cybercrime-as-a-Service (attacks perpetrated by criminals with technical expertise on a for-hire basis, or by selling cyber-attack tools to third parties).
Among the effective practices recommended by FINRA to combat these threats, the Report highlights two new practices: tabletop exercises, in which firms bring internal and external stakeholders together to ensure cyber threats are appropriately identified, mitigated and managed; and limiting lateral movement by subdividing a firm’s networks into various sections (network segmentation), which makes it more difficult for threat actors who gain a foothold in one section to reach the network in its entirety.
Senior Investors and Trusted Contact Persons: FINRA remains keenly focused on preventing the financial exploitation of senior investors. The Report reminds members of their regulatory obligations under FINRA Rule 4512 with respect to “Trusted Contact Persons” (TCPs) and FINRA Rule 2165 (Financial Exploitation of Specified Adults).
FINRA Rule 4512(a)(1)(F) requires FINRA members to make reasonable efforts to obtain the name of and contact information for a TCP for non-institutional customer accounts, so that the firm can address possible financial exploitation; confirm the specifics of the customer’s current contact information, health status, or the identity of any legal guardian, executor, trustee, or holder of a power of attorney; or take other steps permitted by Rule 2165. In particular, Rule 2165 permits firms to place temporary holds on securities transactions and account disbursements if the member reasonably believes that financial exploitation of a Specified Adult has occurred, is occurring, has been attempted, or will be attempted. “Specified Adult” means (A) a natural person age 65 and older; or (B) a natural person age 18 and older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests.
In the “Findings and Effective Practices” section of the Report, FINRA notes that recent examinations and investigations have focused on firms not making reasonable attempts to obtain the name and contact information of a TCP; not providing written disclosures explaining when a firm may contact a TCP; not developing training policies reasonably designed to ensure compliance with the requirements of Rule 2165; and not retaining records that document the firm’s internal review underlying any decision to place a temporary hold on a transaction.
As for suggested effective practices, the Report recommends, among other things: implementing a process to track whether customer accounts have designated TCPs, establishing specialized groups to handle situations involving elder abuse or diminished capacity, and hosting conferences or participating in industry groups focused on the protection of senior customers.
Anti-Money Laundering (AML) and Fraud: FINRA Rule 3310 requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act and its implementing regulations.
As for recommended effective practices, the Report recommends:
conducting thorough inquiries when customers — particularly the elderly — request an unusually significant amount of funds to be disbursed to a personal bank account;
conducting formal, written AML risk assessments;
incorporating additional methods for verifying customer identities when establishing online accounts;
delegating AML duties to specific business units that are best positioned to monitor and identify suspicious activity; and
establishing an AML training program for personnel that is tailored to the individuals’ roles and responsibilities.
The Report highlights one emerging risk: FINRA has observed an increase in investment fraud committed by those who engage directly with investors. This can include persuading victims to withdraw funds from their accounts as part of a fraudulent scheme. The FBI’s Internet Crime Report notes that “investment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center.” To help mitigate this threat, FINRA recommends: monitoring for sudden changes in a customer’s behavior, including withdrawal requests that are out of character for the customer; educating firm personnel who are in contact with customers on how to recognize red flags; and developing clear response plans for when the firm identifies a customer who has been victimized.
Private Placements: The Report’s section on private placements does not stray far from previous years’ reports, and primarily re-emphasizes a key area of focus for FINRA’s Enforcement division over the past two years, first highlighted in Regulatory Notice 23-08. As we reported at the time, Regulatory Notice 23-08 reminded member firms of their obligation to conduct a reasonable investigation of private placement investments prior to making any recommendation — including, most particularly, conducting an investigation of the issuer, its management and its business prospects, the assets held or to be acquired by the issuer, and the issuer’s intended use of proceeds from the offering. In its discussion of findings from targeted exams, FINRA further notes that firms fail to satisfy this obligation when, among other things, they do not conduct adequate research into issuers that have a lack of operating history, or where they rely solely on the firm’s past experience with an issuer based on previous offerings. FINRA’s findings offer a reminder to firms to apply scrutiny to all offerings, whether or not the issuer is a known quantity — and to be especially vigilant when an issuer is new to the space.
The Report’s findings also provide another cautionary tale: FINRA warns that firms fail to comply with Reg BI’s care obligation when they take the position that the firm is not making recommendations, even though the firms’ representatives have made communications to customers that include a “call to action” and are individually tailored to the customer. Firms should remain aware that these types of communications are likely to be viewed as investment recommendations, and ensure that they conduct reasonable diligence before making any such communication to a customer.
The Report also discusses an emerging trend concerning firms that have made material misrepresentations and omissions related to recommendations of private placement offerings of pre-IPO securities. As examples, FINRA cites firms that have failed to disclose potential selling compensation, and that have failed to conduct reasonable due diligence to confirm that the issuer actually held or had access to the shares it purported to sell.
Manipulative Trading: Member firms are prohibited, pursuant to a series of FINRA Rules, from engaging in impermissible trading practices. The relevant rules include FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade); FINRA Rule 5230 (Payments Involving Publications that Influence the Market Price of a Security); and FINRA Rule 5210 (Publication of Transactions and Quotations), which FINRA has relied on in pursuing enforcement actions accusing member firms of publicizing or circulating inflated trading activity.
The Report highlights certain recent findings, including firms having inadequate written supervisory procedures (WSPs), not establishing surveillance controls designed to capture manipulative trading, and not establishing and maintaining a surveillance system reasonably designed to monitor for potentially manipulative trading.
Communications With the Public: As in previous years, the Report details the content standards prescribed for three categories of firm written communications: correspondence, retail communications and institutional communications.
The Report also presents findings on an emerging trend: retail communications focused on registered index-linked annuities (RILAs). FINRA’s findings concerning firms’ communications related to RILAs mirror many of the common findings in connection with other types of investments. For example, FINRA has found that firms have failed to adequately explain how RILAs function and the meaning of specialized terms that are specific to RILAs, as well as finding that firms have made inadequate disclosures of the risks, fees and charges associated with RILAs.
The Report also contains a new focus on firms’ communications made through social media and generative AI. In particular, it recommends that firms ensure that communications made with the assistance of generative AI (including chatbot communications used with investors) are appropriately supervised and retained. Similarly, the Report cautions that firms must maintain systems, including WSPs, reasonably designed to supervise communications disseminated on the firm’s behalf by influencers on social media.
The Report’s findings and observations are intended to serve as a guide for member firms to assess their current compliance, supervisory, and risk management programs and note any perceived deficiencies that could result in scrutiny by FINRA. Member firms are encouraged to focus on the findings, observations and effective practices relevant to their respective business models.
Australia’s Proposed Scams Prevention Framework
In response to growing concerns regarding the financial and emotional burden of scams on the community, the Australian government has developed the Scams Prevention Framework Bill 2024 (the Bill). Initially, the Scams Prevention Framework (SPF) will apply to banks, telecommunications providers, and digital platform service providers offering social media, paid search engine advertising or direct messaging services (Regulated Entities). Regulated Entities will be required to comply with obligations set out in the overarching principles (SPF Principles) and sector-specific codes (SPF Codes). Those failing to comply with their obligations under the SPF will be subject to harsh penalties under the new regime.
Why Does Australia Need a SPF?
Australian customers lost AU$2.7 billion in 2023 from scams. Whilst the monetary loss from scams is significant, scams also have nonfinancial impacts on their victims. Scams affect the mental and emotional wellbeing of victims—victims may suffer trauma, anxiety, shame and helplessness. Scams also undermine the trust customers may have in utilising digital services.
Currently, scam protections are piecemeal, inconsistent or non-existent across the Australian economy. The SPF is an economy-wide initiative which aims to:
Halt the growth in scams;
Safeguard the digital economy;
Provide consistent customer protections for customers engaging with Regulated Entities; and
Be responsive and adaptable to the scams environment.
What is a Scam?
A scam is an attempt to cause loss or harm to an individual or entity through the use of deception. For example, a perpetrator may cause a target to transfer funds into a specified bank account by providing the target with what appears to be a parking fine. However, financial loss caused by illegal cyber activity such as hacking would not be a scam as it does not involve the essential element of deception.
SPF Principles
The Bill sets out six SPF Principles which Regulated Entities must comply with. The SPF Principles will be enforced by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator.
The SPF Principles are outlined in Table 1 below.
Table 1: SPF Principles and their descriptions
1. Governance
Regulated Entities are required to ‘develop and implement governance policies, procedures, metrics and targets to combat scams’. In discharging their obligations under this principle, entities must develop and implement a range of policies and procedures which set out the steps taken to comply with the SPF Principles and SPF Codes. The ACCC is expected to provide guidance on how an entity can ensure compliance with their governance obligations under the SPF.
2. Prevent
Regulated Entities must take reasonable steps to prevent scams on or relating to the service they provide. Such steps should aim to prevent people from using the Regulated Entity’s service to commit a scam, as well as prevent customers from falling victim to a scam. This includes publishing accessible resources which provide customers with information on how to identify scams and minimise their risk of harm.
3. Detect
Regulated Entities must take reasonable steps to detect scams by ‘identifying SPF customers that are, or could be, impacted by a scam in a timely way’.
4. Report
Where a Regulated Entity has reasonable grounds to suspect that a ‘communication, transaction or other activity on, or relating to their regulated service, is a scam’, it must provide the ACCC with a report of any information relevant to disrupting the scam activity. Such information is referred to as ‘actionable scam intelligence’ in the SPF.
Additionally, if requested by an SPF regulator, an entity will be required to provide a scam report. The appropriate form and content of the report is intended to be detailed in each SPF Code.
5. Disrupt
A Regulated Entity is required to take ‘reasonable steps to disrupt scam activity on or related to its service’. Any such steps must be proportionate to the actionable scam intelligence held by the entity. As an example, for banks, appropriate disruptive activities may include:
Contacting customers to warn them of popular scams;
Introducing confirmation of payee features on electronic banking services; and
Placing a hold on payments directed to an account associated with scam activity to allow the bank time to contact the customer and provide them with information about the suspected scam.
6. Respond
Regulated Entities are required to implement accessible mechanisms which allow customers to report scams and establish accessible and transparent internal dispute resolution processes to deal with any complaints. Additionally, Regulated Entities must be a member of an external dispute resolution scheme authorised by a Treasury Minister for their sector. The purpose of such an obligation is to provide an independent dispute resolution mechanism for customers whose complaints have not been resolved through initial internal dispute resolution processes, or where the internal dispute resolution outcome is unsatisfactory.
What are ‘Reasonable Steps’?
We expect that SPF Codes will provide further clarification regarding what will be considered ‘reasonable steps’ for the purposes of discharging an obligation under the SPF Principles. From the explanatory materials, it is evident that whether reasonable steps have been taken will depend on a range of entity-specific factors including, but not limited to:
The size of the Regulated Entity;
The services of the Regulated Entity;
The Regulated Entity’s customer base; and
The specific types of scam risk faced by the Regulated Entity and their customers.
Disclosure of Information Under the Reporting Principle
As indicated in Table 1 above, the SPF reporting principle requires disclosure of information to the SPF regulator. It is clear from the explanatory materials that, to the extent this reporting obligation is inconsistent with a legal duty of confidence owed under any ‘agreement or arrangement’ entered into by the Regulated Entity, the SPF obligation will prevail. However, it is not expressly stated how this obligation will interact with statutory protections of personal information.
The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations regarding the collection, use and disclosure of personal information. Paragraph 6.2(b) of Schedule 1 to the Privacy Act allows an entity to use or disclose information for a purpose other than which it was collected where the use or disclosure is required by an Australian law. Arguably, once the SPF is enacted, disclosure of personal information in accordance with the obligations under the reporting principle will be ‘required by an Australian law’ and therefore not in breach of the Privacy Act.
Safe Harbour Protection for Disruptive Actions
As noted in Table 1, SPF Principle 5 requires entities to take disruptive actions in response to actionable scam intelligence. This may leave Regulated Entities exposed to actions for breach of contractual obligations. For example, where a bank places a temporary hold on a transaction, the customer might lodge a complaint for failure to follow payment instructions. To prevent the risk of such liability from deterring entities from taking disruptive actions, the SPF provides a safe harbour protection whereby a Regulated Entity will not be liable in a civil action or proceeding where it has taken action to disrupt scams (including suspected scams) while investigating actionable scam intelligence.
In order for the safe harbour protection to apply, the following requirements must be met:
The Regulated Entity acted in good faith and in compliance with the SPF;
The disruptive action was reasonable and proportionate to the suspected scam;
The action was taken during the period starting on the day that the information became actionable scam intelligence, and ending when the Regulated Entity identified whether or not the activity was a scam, or after 28 days, whichever was earlier; and
The action was promptly reversed if the Regulated Entity identified the activity was not a scam and it was reasonably practicable to reverse the action.
The assessment of whether disruptive actions were proportionate will be determined on a case-by-case basis. However, relevant factors may include:
The volume of information received or available;
The source of that information; and
The apparent likelihood that the activity is associated with a scam.
SPF Codes
As a ‘one-size-fits-all’ approach across the entire scams ecosystem is not appropriate, the SPF provides for the creation of sector-specific codes. These SPF Codes will set out ‘detailed obligations’ and ‘consistent minimum standards’ to address scam activity within each regulated sector. The SPF Codes are yet to be released.
It is not clear whether the SPF Codes will interact with other industry codes and, if so, how and which codes will prevail.
It appears from the explanatory materials that the SPF Codes are intended to impose consistent standards across the regulated sectors. It is unclear whether this will be achieved in practice or whether there will be a disproportionate compliance burden placed on one regulated sector in comparison to other regulated sectors. For example, because banks are often the ultimate sender/receiver of funds, will they face the most significant compliance burden?
SPF Regulators
The SPF is to be administered and enforced through a multi-regulator framework. The ACCC, as the General Regulator, will be responsible for overseeing the SPF provisions across all regulated sectors. In addition, there will be sector-specific regulators responsible for the administration and enforcement of SPF Codes.
Enforcement
The proposed Bill sets out the maximum penalties for contraventions of the civil penalty provisions of the SPF.
There are two tiers of contraventions, with a tier 1 contravention attracting a higher maximum penalty in order to reflect that some breaches would ‘be the most egregious and have the most significant impact on customers’. A breach will be categorised based on the SPF Principle contravened as indicated in table 2 below.
Tier 1 Contravention: SPF principle 2 (prevent); SPF principle 4 (detect); SPF principle 5 (disrupt); SPF principle 6 (respond); an SPF Code.
Tier 2 Contravention: SPF principle 1 (governance); SPF principle 3 (report).
Table 2
In addition to the civil penalty regime, other administrative enforcement tools will be available including:
Infringement notices;
Enforceable undertakings;
Injunctions;
Actions for damages;
Public warning notices;
Remedial directions;
Adverse publicity orders; and
Other punitive and nonpunitive orders.
BOOM: R.E.A.C.H. Adds Two Critical Board Members to Help Guide Organization Through Rapid Growth
So R.E.A.C.H. is really on fire following its efforts in support of industry’s position on the FCC’s one-to-one consent rules.
With one-to-one seemingly out the window–or is it?–the R.E.A.C.H. standards remain the only comprehensive set of lead gen standards and everyone is taking notice.
Biggest uptick in membership yet this month and tons of activity and energy.
But the biggest news from Friday’s board meeting was the admission of two new and CRUCIAL members: Joey Liner and Michael Ferree.
If you have spent any time in the business you know these two.
Joey spent quite a bit of time with a major lead aggregator– I dare not speak its name–before setting up shop with Liner Connections as the go-to consulting firm in the lead generation space. He has also been instrumental in helping to bridge the gaps between R.E.A.C.H. and other organizations in the lead gen space– I am always very welcoming but others are not so much–and he is truly an advocate for standards the industry can live with. Love that.
Mike runs one of the best conferences in the Lead Generation World called… Lead Generation World. He also throws the FANTASTIC contact.io event each year and has tremendous reach in the space. He also caught on to the risk posed by the FCC’s early one-to-one efforts and provided a platform for education that nobody else did. He has shown tremendous LEADERSHIP in the industry and has advocated for good actors– while pushing back against bad eggs– from the beginning.
Really proud to have these two on the board. They bring INCREDIBLE experience and CREDIBILITY to the organization and their addition really signals R.E.A.C.H. has come of age and taken a position of leadership through the lead generation, direct-to-consumer, and digital advertising communities.
Please join me in welcoming these two to the board of R.E.A.C.H.!
Trending in Telehealth: January 6 – 27, 2025
Trending in Telehealth highlights state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists, and technology companies that deliver and facilitate the delivery of virtual care.
Trending in the past weeks:
Provider training
Telepharmacy
Licensure exceptions
A CLOSER LOOK
Proposed Legislation & Rulemaking:
In Ohio, the Department of Mental Health and Addiction Services proposed amendments to the mobile response and stabilization services (MRSS) rule. The changes would clarify when telehealth is a “clinically appropriate” modality for delivering MRSS, such as when a clinician requests a mobile response and that clinician is not available to respond in person as part of the MRSS team.
New York’s FY 2026 budget includes legislation to join the Nurse Licensure Compact (NLC). Joining the NLC would make it easier for certain categories of nurses licensed in other states to practice in New York either physically or through telemedicine, and for New York providers to offer virtual care to their patients who travel to other states.
Also in New York, Senate Bill 1430 passed the Senate and was referred to the Assembly. The proposed legislation would establish the New York state abortion clinical training program within the Department of Health. The curriculum would include training on the delivery of abortion and other reproductive healthcare services through telehealth.
Vermont’s Office of Professional Regulation proposed amendments to the Administrative Rules of the Board of Pharmacy that further elaborate on the state’s telepharmacy practicing and licensure requirements. Under the proposed rules, telepharmacists would be subject to the same rules and standards applicable to all modalities of pharmacy practice. The proposed rule also provides that pharmacists licensed in other jurisdictions who wish to provide only telepharmacy services from outside of Vermont to individuals located in Vermont may apply for an out-of-state telepharmacist license.
Finalized Legislation & Rulemaking Activity:
North Dakota adopted rule amendments that provide exceptions to physician licensure for telehealth providers licensed in another state, including for continuation of care for an established patient, care while the patient is located within the state temporarily, preparation for a scheduled in-person visit, practitioner-to-practitioner consultations, and emergency circumstances.
The Ohio governor signed Senate Bill 95 into law. The legislation provides an exception to current state law that prohibits pharmacists from dispensing dangerous drugs through telehealth or virtual means.
The Texas Medical Board repealed 22 Tex. Admin. Code § 170, which included regulations concerning the electronic prescribing of controlled substances. The board also repealed 22 Tex. Admin. Code § 174, concerning telemedicine generally, and replaced it with the new 22 Tex. Admin. Code § 175. These regulations state that a physician may not provide telemedicine medical services to patients in Texas unless the physician holds a full Texas medical license or an out-of-state telemedicine license as of September 1, 2022. The regulations also set parameters for the provision of telemedicine services and requirements for prescribing via telemedicine. Notably, 22 Tex. Admin. Code § 175.3 specifies requirements for prescribing for chronic pain via telemedicine, and states that a physician must use audio and video two-way communication for prescribing for chronic pain unless certain criteria are met.
Why it matters:
States continue to recognize the importance of training providers on the delivery of services via telehealth. New York’s inclusion of telehealth in its proposed provider training programs not only affirms telehealth as an effective care delivery method, but also illustrates an understanding of the modern trend of healthcare delivery through alternate means. Ohio’s proposed rule amendments designating telehealth as a “clinically appropriate” care delivery modality for MRSS further underscore these principles.
Increased demand for telepharmacy services has prompted states to reevaluate their laws and regulations. The legislation in Ohio and regulatory amendments and proposals in Texas and Vermont illustrate states’ necessary responses to the increased demand for telepharmacy services.
States continue to enact legislation reflecting the importance of the ability to provide telehealth services across state lines. While telemedicine is often viewed as an option for care delivery, it is important for states to recognize that in some instances, telemedicine is the optimal or exclusive modality available. North Dakota’s adopted rule amendments and New York’s proposal to join the NLC are prime examples of states recognizing the utility and periodic necessity of virtual care delivery.
Telehealth is an important development in care delivery, but the regulatory patchwork is complicated.
$10.00 CAR INSURANCE?: Quote Wizard Draws Complaint Over Advertisement that Does Not Comport With “Basic Common Sense”
Is this real?
So Lending Tree hasn’t apologized yet.
But I am over it.
Unrelated, picked up this odd complaint in Michigan that I thought was interesting.
Apparently Quote Wizard was running ads suggesting they could provide full auto insurance coverage for $10.00.
At least that’s the gist of the complaint I was provided.
The consumer says:
QuoteWizard.com, LLC is running at least 29 illegal advertisements to solicit insurance in the State of Michigan in violation of Michigan Compiled Law (MCL) 500.2003, 500.2005, 500.2005a, 500.2007. The Michigan Insurance Code states that unfair methods of competition and unfair and deceptive acts include the making, publishing, disseminating, circulating, etc. of any assertion with respect to the business of insurance or with respect to any person in the conduct of his insurance business, which is untrue, deceptive or misleading. MCL § 500.2007. The Michigan Insurance Code further prohibits the use of marketing that fails to disclose in a conspicuous manner that its purpose is solicitation of insurance and that contact will be made by an insurance agent or insurance company. MCL § 500.2005a. Quotewizard.com, LLC runs a variety of advertisements on Meta’s Facebook platform. These ads, which I have copied links to view in Meta’s Ad Library, are untrue, deceptive, and misleading. Quotewizard.com, LLC advertises a new insurance rate as ” New Rate $10 Full Coverage”. As a licensed insurance agency in the State of Michigan Quotewizard.com, LLC must follow the law. Based on information, belief, and the application of basic common sense, Quotewizard.com, LLC cannot offer an automobile insurance policy with “full coverage (which in common parlance generally means to include both collision and comprehensive coverage) for $10. If Quotewizard.com, LLC is in fact selling $10 auto insurance policies we have an even bigger problem because based on a search of DIFS website QuoteWizard.com, LLC is not appointed by a single insurance carrier to transact business in the state. Quotewizard.com, LLC appears to be preying on Michigan’s financially venerable [editor’s note: probably means vulnerable] population that can barely afford their car insurance and is trying to entice them to click their advertisement in hopes of financial relief. 
Instead clicking the advertisement will simply forward you information to dozens of insurance agents that will call you over and over trying to sell you insurance at rates that we would customarily expect to receive not $10.
Just because a consumer says this is true doesn’t make it true. But the ads library looks pretty legit. So maybe Quote Wizard was knowingly or unknowingly tricking people into visiting its website. Or maybe somebody is submitting false stuff to a Michigan regulator. *Shrug.*
Regardless, I am sharing this because it does raise a pretty important issue for folks buying leads– you need to understand your entire funnel.
If you are accepting clicks–or even inbound calls–from social media ads that contain false content you may end up being pursued by a state agency. (That hasn’t happened here, BTW, just a complaint– but one everyone can learn from.)
And I know Musk may have just killed the CFPB and the feds look unlikely to regulate anyone or anything–at least for a while– but the states can be plenty aggressive. So watch out!
Massachusetts AG Unveils Internal TikTok Documents in Lawsuit Alleging Child Addiction Strategies
On February 3, 2025, the Massachusetts Attorney General revealed information about internal TikTok documents as part of the AG’s lawsuit in Massachusetts state court alleging that TikTok designed its platform to maximize children’s engagement while downplaying associated risks through unfair and deceptive practices prohibited under Massachusetts law. The information, revealed in a less-redacted complaint, highlights internal discussions and strategic choices made by TikTok to increase the time young users spend on the app.
The complaint alleges that TikTok’s internal metrics prioritize children’s engagement, with teenagers offering the highest “Life Time Value” to the company. According to the complaint, internal data showed that in 2020, TikTok had achieved 95% market penetration among U.S. teens aged 13 to 17. A 2019 presentation allegedly stated that the platform’s “ideal user composition” would be for 82% of its users to be under the age of 18.
TikTok executives allegedly were aware of the potential negative effects of its algorithm on children, including sleep disruption and compulsive use. Internal communications cited in the lawsuit include a statement from TikTok’s Head of Child Safety Policy acknowledging that the app’s algorithm keeps children engaged at the expense of other essential activities.
TikTok’s leadership also allegedly blocked proposed changes aimed at reducing compulsive use among minors due to concerns about negative business impacts. One example cited in the complaint involves a proposed “non-personalized feed” that could have mitigated compulsive behaviors but was ultimately rejected.
The complaint also alleges that TikTok misrepresented the effectiveness of its content moderation policies. While the company has publicly claimed high proactive removal rates for harmful content, internal data allegedly shows significant leakage of inappropriate material, including content related to child safety violations.
The Massachusetts case is one of the first to publicly disclose internal TikTok documents related to its user engagement strategies. Its outcome could impact how social media companies design their platforms and address concerns regarding child safety.
Insurtech in 2025: Opportunity and Risk
The explosion in artificial intelligence (AI) capability and applications has increased the potential for industry disruptions. One industry experiencing recent material disruption is about as traditional as it gets: insurance. While some level of disruption in the insurance industry is nothing new, AI has been accelerating more significant changes to industry fundamentals. This is the first advisory in a series exploring the legal risks and strategies surrounding disruptive insurance technologies, particularly those leveraging AI, known as Insurtech.
What is Insurtech?
Insurtech is a broad term that encompasses every stage of the insurance lifecycle. Cutting-edge technology can be instrumental in advertising, lead generation, sales, underwriting, claims processing and fraud detection, among others. Generative AI can assist in client management and retention. Insurtech can augment traditional forms of insurance such as car and health insurance, and facilitate less traditional forms of insurance, such as parametric insurance or microinsurance at scale.
Legal and Regulatory Risks of Insurtech
As Insurtech continues to evolve, designers, providers and deployers must be aware of the legal and regulatory risks inherent in the use of Insurtech at all stages. These risks are particularly heightened in the insurance world, where vendors and carriers process an enormous amount of personal information in the course of decision-making that impacts individuals’ rights, from advertising to product pricing to coverage decisions.
The heavily regulated nature of the traditional industry is also enhanced in the Insurtech context, given overlapping regulatory interests in regulating new technology applications. These additional layers of oversight – which in traditional applications may not be as much of a primary concern – include the Federal Trade Commission, state Attorneys General and, in some jurisdictions, state-level privacy regulators.
Building Compliance for Insurtech Solutions
Designing, providing and deploying Insurtech solutions requires a multifaceted, customized approach to position agents, vendors, carriers and indeed any entity in the insurance stack for compliance. Taking early action to build appropriate governance for your Insurtech product or application is critical to building a defensive regulatory position. For entities that have an eye on raising capital, engaging in mergers or acquisitions, or other collaborative marketplace activity, such governance will minimize friction that can impede success.
Additionally, consumers are increasingly attentive to data privacy and AI governance standards. Incorporating proper data privacy and AI governance regimes from day one is not only a forward-thinking business decision to mitigate risk and facilitate success; it is also a market imperative.
Looking Ahead: Risks and Opportunities in 2025
Over the next few months, we will take a closer look into more discrete risks and opportunities that Insurtech providers and deployers need to keep in mind throughout 2025. Follow along as we explore this exciting area that in recent years has demonstrated enormous potential for continued growth.
The New Legal Synergy: Collaborative Intelligence with Lawyers and Agentic AI
It’s easy to dismiss new technology as impractical for an industry as established as law. But we’re well past the speculation phase. AI isn’t a theoretical disruptor — it’s already here, reshaping legal work in real-time.
The legal industry has witnessed a staggering increase in AI adoption, from a mere 19% in 2023 to an impressive 79% in 2024. In the UK alone, 41% of legal professionals now use AI for work, up from just 11% in July 2023. The dramatic surge in AI adoption is not just the latest “hype cycle”, it marks the beginning of a fundamental shift in how legal work is done.
The traditional image of a lawyer poring over dusty tomes and case files is fading. AI-powered tools are becoming integral to legal practice. But what we’ve seen so far with generative AI is just the beginning. The fundamental transformation will come with agentic AI.
Agentic and reasoning: the next frontier of AI
Agentic AI, the next frontier beyond generative AI, is poised to revolutionize legal work. Unlike its predecessor, agentic AI uses advanced AI systems capable of independently performing complex research or document drafting tasks. These AI systems can accomplish tasks with minimal human oversight and even check their own work before human review.
Large law firms are already experimenting with agentic AI, with experts predicting that AI systems could soon be members of legal teams. This gradual integration is expected to continue, emphasizing training and preparation.
Advanced legal reasoning, powered by AI
One of the most promising applications of agentic AI in the legal field is advanced legal reasoning (ALR), which goes beyond simple document analysis or basic research tasks.
ALR allows lawyers to upload tens of thousands of documents and conduct deep analyses to uncover insights into the strengths, weaknesses, and potential strategies buried in the complexities of the facts and issues — all within minutes. Leveraging the most advanced AI systems, ALR streamlines complex workflows, enabling lawyers to make informed decisions faster than ever.
It can interpret complex legal scenarios, apply relevant case law and statutes, and even suggest strategic approaches to legal problems. Lawyers can ask ALR systems questions like, “What is the weakest part of our claim concerning liability?” By analyzing key documents and referencing leading legal authorities, the ALR platform would provide a detailed, actionable response.
For example, when asked about a spouse’s income for child support calculations, ALR first employs an agent to search for the legal standard, then uses another agent to apply that understanding to case documents and extract the necessary information.
The impact of advanced legal reasoning tools is already evident. A staggering 71% of lawyers cite faster delivery as a key benefit of AI, while 54% report improved client service. Unsurprisingly, 78% of large law firms and 74% of corporate in-house teams have implemented AI changes.
Considerations for law firms adopting agentic AI
As agentic AI becomes more integrated into legal practice, firms must navigate ethical considerations and data privacy concerns. About two-thirds (70%) of firms prioritize data privacy policies when vetting technology vendors and litigation support providers. This focus on data protection is crucial, as 76% of legal professionals express concern about inaccurate or fabricated information from public AI platforms. To address these privacy and security concerns, a growing pool of legaltech companies is helping law firms adopt self-hosted AI solutions built to run within a firm’s private cloud ecosystem.
The future of agentic AI in law
Looking ahead, the future of law is undeniably intertwined with AI – from established firms to schools teaching the next generation of lawyers.
Two-thirds (75%) of organization leaders expect to change talent strategies within two years due to AI advancement. Law schools are already integrating generative AI training for new junior lawyers, preparing the next generation for an AI-powered workforce.
But let’s be clear: AI is not here to replace lawyers. It’s here to make them better. Those who embrace it — who approach it with curiosity and a willingness to adapt — will gain the most. The legal industry isn’t losing its expertise. It’s gaining new tools to apply that expertise more effectively.
If you take this shift seriously, AI won’t just change how you practice law — it will give you an edge.
Geolocation Takes the Day at Churchill Downs
Like the thoroughbred Rich Strike at the 2022 Kentucky Derby, one category of personal data recently broke from the rear and galloped its way to the forefront of awareness, astonishing the grandstands. You may hold its source in the palm of your hand. It is precise geolocation data[1], collected from mobile devices.
The analogy presumes that the grandstands are packed with privacy nerds. For the rest of you, here’s a quick setup: Modern privacy laws[2] define personal information very broadly[3]. Examples are given, including the physical location of an identifiable human being[4] (“location” or “geolocation” data). Certain categories of personal info are deemed to be riskier to handle than others[5]. An increase in the level of risk attributed to precise geolocation data is the topic of this article.
Also presumed is a memory of Rich Strike’s epic victory. Picture a horse making moves like a running back, cutting a path through the field like he’s the only steed with a sense of urgency. Then he’s over the line and like: Whoa, what just happened?
But we’re getting ahead of ourselves.
Upon entering the gates at post time, geolocation data seemed to carry the same long odds as Rich Strike (80:1) of doing what it was about to do. After all, GDPR[6] itself (the OG of privacy laws) deemed it to be nothing special.[7]
Let’s trace its path as it makes its astonishing run. Then we’ll circle back to GDPR and answer the obvious question: did it really (as it appears) fail to back the right horse? (Spoiler alert: the answer is no.) Finally, we’ll explore whether a silver bullet might exist to address the core concern underlying the discussion. (Spoiler alert: the answer is yes.)
A Word About Geolocation Data
Normally, geolocation data collected from cell phones is used to serve targeted ads to consumers who have consented to the process. The ideal recipient delights in getting a coupon for the precise cup of joe (for example) that happens to be his favorite, just as he happens to pass a store that happens to offer it.[8] Yay to that.
But unfortunately, a sketchier use came to light at about the same time that GDPR was published (2016). It seemed like a niche concern at the time, more of a culture-war skirmish than anything broader. The story appeared in the Rewire News Group, a special interest publication with a narrowly focused readership[9]:
Anti-Choice Groups Use Smartphone Surveillance to Target ‘Abortion-Minded Women’ During Clinic Visits.[10]
It garnered little attention.[11] Following in GDPR’s footsteps, the 1.0 version of CCPA[12] (2018) mentions “geolocation data” as one example of personal information, but declines to single it out as anything special.
That changed in 2020 when CCPA 2.0 was adopted.[13] Among the amendments, a newly created category of “sensitive personal data” debuted, including a “consumer’s precise geolocation.” However, the added protections afforded were limited.[14]
The Sprint to Prominence
The day that corresponds (in our analogy) to the sixth furlong at Churchill Downs, and the start of the homestretch, is May 2, 2022.
That’s when the SCOTUS decision in Dobbs v. Jackson[15] was leaked to the press. The very next day, Vice Media published a story entitled Data Broker Is Selling Location Data of People Who Visit Abortion Clinics.[16] The article warned of “an increase in vigilante activity or forms of surveillance and harassment against those seeking or providing abortions.”[17] A cascade of similar reporting ensued.[18]
Following the lead of the fourth estate, the other three soon got involved.[19] A handful of pro-choice states quickly passed laws restricting the use of geolocation data associated with family planning centers.[20]
Meanwhile, the Federal Trade Commission entered the fray, deeming certain uses of geolocation data to be unfair.[21] In 2022, it floated a novel position: that using precise geolocation data associated with sensitive locations is an invasion of privacy[22] prohibited by law.[23] By 2024, it had firmed up a list of locations it deemed in the scope of the prohibition, including medical facilities, religious organizations, ethnic/religious group social services, etc. (The full list appears in the table below.)
Effectively, the FTC consigned “Sensitive Location Data” to the highest rank of sensitivity: personal data so sensitive that even informed consent can’t sanction its processing. Other rule-makers would go even further, proposing to ban the sale of precise geolocation altogether (sensitive or not)[24], which brings us to the present day – and to a present-day head-scratcher:
Are the risks so dire that our hypothetical coffee consumer must be denied the targeted coupon that so delights him?
Circling back to GDPR provides a helpful perspective.
Did GDPR Really Back the Wrong Horse?
GDPR deems certain types of personal data to be sensitive[25], including data concerning a person’s health, religion, political affiliation, etc. (The full list appears in the table below.) Location data isn’t included.
Nevertheless, if and when location data reveals or concerns sensitive data, it transforms into sensitive data ipso facto.
For example, data that locates a patient within a hospital is sensitive data, because it concerns their health. But data that locates an attending physician within the same hospital is not sensitive data, because it doesn’t.
That’s one difference between GDPR and the FTC rule: the latter deems all location data associated with a Sensitive Location to be sensitive, whereas GDPR deems location data sensitive only if it actually reveals the sensitive data of a consumer.
Here’s another difference:
Even when GDPR deems personal data to be sensitive, it doesn’t prohibit its use altogether. Rather, sensitive data may be used in accordance with a consumer’s explicit consent.
If that just caused you to raise an eyebrow, you’re probably not alone. GDPR isn’t known for permissive standards. And indeed, there’s a catch. The permissiveness comes at a cost in the form of rigorous duties imposed on businesses wishing to use sensitive data.
A threshold duty is to check local laws. GDPR hedges on its permissiveness by granting member-state lawmakers the right to raise the bar; to outlaw particular uses of sensitive data altogether (like the FTC did with Sensitive Location Data).[26]
Furthermore, it falls to the business to adjudge whether the risks of using the sensitive data outweigh the benefits.[27] A formal Data Protection Impact Assessment is required, which is no small feat. Any green light to the use of sensitive data is likely to be closely scrutinized, should it catch the attention of a Supervisory Authority. Businesses must avoid using the rope provided by GDPR to hang themselves with – that’s the takeaway.
Finally, a heightened standard is likely to govern the validity of any consents purported to authorize the use of sensitive data,[28] which brings us to the crux of the matter:
A Crisis of Confidence in Consents
Modern privacy laws set a high bar for what constitutes valid consent. In a nutshell, the person providing it must understand – really and truly – what they’re saying “yes” to.[29]
If the high bar is met, targeted ads may properly be served to consenting consumers, assuming any applicable red lines regarding sensitive data are respected.[30] No current privacy framework[31] rejects this principle. Rather, what’s been called into question, in particular cases, is the proviso – i.e., whether purported consents are valid in the first place.[32]
Some rule makers are skeptical to the extreme. They would dispense with consent as a legal basis for using location data in targeted advertising altogether. So flawed is the system, in their view, that consumers – for their own protection – must be denied the agency to proffer consent. Sorry coffee lover, no just-in-time coupon for you!
There are reasons to think that position would go too far.
Why Consent Matters in Principle
Here’s a reality check: the right to privacy is not absolute. Even under GDPR, it must be balanced against other fundamental rights, including the freedom to conduct a business.[33] This may be why GDPR stops short of an outright ban on the use of sensitive data, consent notwithstanding. Taken too far, such a ban might infringe on the rights of individuals to determine how their personal data (which they own) may be used, and the rights of businesses to use personal data in accordance with the wishes of consenting adults.
Big Improvements in Managing Consents
A protocol is currently being rolled out by a nonprofit consortium of digital advertising businesses, the IAB Tech Lab.[34] Known as the Global Privacy Platform (GPP), it establishes a method for digitally recording a consumer’s consent to the use of their data. The resulting “consent string” attaches to the personal data, accompanying it on its journey through the auction houses of cyberspace. Businesses that receive the data also receive the consent string, so there’s little excuse for exceeding consumer permissions.
Universal adoption of the GPP would establish the state-of-the-art in consent management for digital advertising businesses. It would be a significant milestone.
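To make the consent string concrete, here is an added example (not code from the original article, and not IAB Tech Lab’s own library): a small Python decoder for the GPP header, the part of the string that tells a recipient which consent sections travel with the data. It assumes the header layout described in the public GPP specification (a “~”-delimited string whose first section is the header, base64url without padding, a 6-bit type of 3, a 6-bit version, then a Fibonacci-range-encoded list of section IDs). The SECTION_NAMES table, the function names and the SAMPLE_GPP string are my own; the sample’s payload sections are constructed placeholders and are not decoded.

```python
"""Decode the header of an IAB Tech Lab Global Privacy Platform (GPP) string.

Added example, not code from the original article or from IAB Tech Lab. It
follows the GPP header layout from the public specification as understood
here: '~'-delimited string, first section is the header (section ID 3), each
section base64url without padding, header = 6-bit type (3) + 6-bit version +
Fibonacci-range-encoded list of the section IDs that follow. SECTION_NAMES is
a convenience table (assumption: IDs as published at the time of writing).
"""

B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

SECTION_NAMES = {
    2: "TCF EU v2",
    5: "TCF Canada",
    6: "US Privacy (USP v1)",
    7: "US National",
    8: "US California",
    9: "US Virginia",
    10: "US Colorado",
    11: "US Utah",
    12: "US Connecticut",
}

# Constructed sample: a header declaring sections 2 and 6, followed by two
# payload sections. The payload bytes are placeholders and are not decoded.
SAMPLE_GPP = "DBACNYA~CPXxRfAPXxRfAAfKABENB-CgAAAAAAAAAAYgAAAAAAAA~1YNN"


class _BitReader:
    """Sequential reader over the bit string of one base64url segment."""

    def __init__(self, segment: str):
        bits = []
        for ch in segment:
            idx = B64URL.find(ch)
            if idx < 0:
                raise ValueError(f"invalid base64url character {ch!r} in GPP header")
            bits.append(format(idx, "06b"))
        self.bits = "".join(bits)
        self.pos = 0

    def read_int(self, n: int) -> int:
        if self.pos + n > len(self.bits):
            raise ValueError("GPP header truncated")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value

    def read_fibonacci(self) -> int:
        """Fibonacci code: bit i (1-based) adds F(i), with F(1)=1, F(2)=2, ...;
        the code ends at the first pair of consecutive 1 bits."""
        total, weight, next_weight, last_bit = 0, 1, 2, 0
        while True:
            bit = self.read_int(1)
            if bit == 1 and last_bit == 1:
                return total  # second '1' of the '11' terminator
            if bit == 1:
                total += weight
            last_bit = bit
            weight, next_weight = next_weight, weight + next_weight


def _read_fibonacci_range(reader: _BitReader) -> list[int]:
    """12-bit item count, then per item: one flag bit (0 = single value,
    1 = range) and Fibonacci-coded offsets from the previous value."""
    count = reader.read_int(12)
    values, last = [], 0
    for _ in range(count):
        is_range = reader.read_int(1)
        start = last + reader.read_fibonacci()
        if is_range:
            end = start + reader.read_fibonacci()
            values.extend(range(start, end + 1))
            last = end
        else:
            values.append(start)
            last = start
    return values


def decode_gpp_header(gpp_string: str) -> dict:
    """Return version, declared section IDs and their names for a GPP string."""
    header = gpp_string.split("~", 1)[0]
    reader = _BitReader(header)
    section_type = reader.read_int(6)
    if section_type != 3:
        raise ValueError(f"not a GPP header: type {section_type}, expected 3")
    version = reader.read_int(6)
    section_ids = _read_fibonacci_range(reader)
    return {
        "version": version,
        "section_ids": section_ids,
        "sections": [SECTION_NAMES.get(i, f"unknown section {i}") for i in section_ids],
    }


def header_matches_payload(gpp_string: str) -> bool:
    """Check a recipient should run before trusting the string: the header
    must parse and must declare exactly as many sections as actually follow."""
    try:
        declared = decode_gpp_header(gpp_string)["section_ids"]
    except ValueError:
        return False
    payload_sections = gpp_string.split("~")[1:]
    return len(payload_sections) == len(declared) > 0


if __name__ == "__main__":
    print(decode_gpp_header(SAMPLE_GPP))
    print(header_matches_payload(SAMPLE_GPP))
```

The header alone is enough to answer the first question a downstream buyer must ask: which consent regimes does this string claim to carry? A string whose header fails to parse, or whose declared sections do not match the payload that follows, should be treated as “no consent” rather than silently accepted, since a truncated or tampered string is exactly the case in which a business would otherwise exceed the permissions the consumer gave.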
Give Consent a Chance
Thereafter, improvements in the granularity of consent, and the effectiveness of consent management processes, might soon blow our minds. Or so we are led to expect, at this point in history, the dawn of the AI era. Consent-management “copilot” bots nestled in our pockets like Tinkerbell – only a Luddite would doubt it. Or so it seems.
This is the promised silver bullet: consents so robust and manageable that even the most privacy-conscious consumer might have the confidence to grant them – present company included.
* * * *
When is Location Data Deemed Sensitive?
FTC | GDPR
“Sensitive Location Data” is precise geolocation data associated with35: | “Location Data” becomes Sensitive Data when it reveals or concerns an individual’s:
Medical facilities | Health
Religious organizations | Religious or philosophical beliefs
Correctional facilities | Data relating to criminality is not Special Category data under Art. 9, but might be effectively bucketed into this column. See Art. 10.
Labor union offices | Trade union membership
Locations held out to the public as predominantly providing education or childcare services to minors | The personal data of children is not Special Category data under Art. 9, but might be effectively bucketed into this column. See Art. 8 and Recital 75.
Locations held out to the public as predominantly providing services to LGBTQ+ individuals, such as service organizations, bars and nightlife | Sex life or sexual orientation
Locations held out to the public as predominantly providing services based on racial or ethnic origin | Racial or ethnic origin
Locations held out to the public as predominantly providing temporary shelter or social services to homeless people, survivors of domestic violence, refugees, or immigrants | No direct counterpart. But the ordinary risk assessment required for non-sensitive data may result in adding data about homelessness, etc. to this column. See also the previous row, which may apply to data of refugees and immigrants.
Locations of public gatherings of individuals during political or social demonstrations, marches, and protests | Political opinions
Military installations, offices, or buildings | No direct counterpart. But the ordinary risk assessment required for non-sensitive data may result in adding data about military installations, etc. to this column.
Similar protections are accorded to the location of an individual’s private residence | No direct counterpart, though the ordinary risk assessment required for non-sensitive data may result in adding domicile data to this column.
1 Typically defined as latitude & longitude coordinates derived from a device such as a cellphone, which place the device at a physical location with an accuracy of
European Commission Rejects Draft DORA RTS on Sub-contracting
The European Commission (Commission) recently published a letter (Letter) that it sent to the European Supervisory Authorities (ESAs) rejecting certain draft regulatory technical standards (RTS) under the EU Digital Operational Resilience Act (DORA). The draft RTS specified the conditions and criteria to be considered by financial entities when sub-contracting information and communication technology (ICT) services supporting critical or important functions. The Letter, dated 21 January 2025, follows the ESAs’ submission of their final report on the draft RTS in July 2024.
In the Letter, the Commission explained its rejection on the basis that the requirements introduced by Article 5 of the draft RTS on the “Conditions for sub-contracting relating to the chain of ICT sub-contractors providing a service supporting a critical or important function by the financial entity” go beyond the mandate provided to the ESAs under Article 30(5) of DORA. This is because they introduce requirements not specifically linked to the conditions for sub-contracting.
In light of this, the Commission considered that Article 5 of the draft RTS and the related Recital 5 should be removed to ensure that the ESAs stay within their mandate as set out in DORA.
The Commission intends to adopt the RTS once its concerns are addressed and the necessary modifications are made by the ESAs.