Looking Back at the False Claims Act in 2024 as the Government Keeps its Sights on Cybersecurity in 2025

In 2024, the government and whistleblowers were party to 558 settlements and judgments collecting over $2.9 billion. The government continued its effort to combat cybersecurity threats through its Civil Cyber-Fraud Initiative, which is dedicated to using the FCA to ensure that federal contractors and grantees are compliant with cybersecurity requirements. Settlements in 2024 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failing to properly maintain, patch, and update the software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2025 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement & Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our 13th annual review of significant FCA cases, developments, and trends.
VINTAGE: Court Throws Out TCPA Class Action Against Vintage Stock and This One Is Sure to Stand the Test of Time

Wow.
This one is a remarkable ruling folks.
Lady visits a retail store. She is asked for her phone number and told it is necessary for her to return goods. She tells the employee she does not want to receive any advertisements. But when she provides her number she is actually signing up for a recurring text program.
What result?
According to the court in Thompson v. Vintage Stock, 2025 WL 385681 (E.D. Mo. Feb. 3, 2025), the consent provided by the consumer trumps and the resulting messages are legal.
Let’s dive in.
Plaintiff’s phone number is on the DNC list. She visited a store called Vintage Stock and made a purchase.
The sales lady apparently told her that she needed to enter her number on the POS system because it would be needed in case Plaintiff wanted to return an item.
Plaintiff tells sales lady “I don’t want to receive any advertisements” but goes ahead and enters her number in the POS anyway.
On the POS is a display reading: “Enter your phone # to receive coupons and sales notices. Message and data rates may apply.”
As a result Plaintiff received at least four promotional text messages sent to her phone.
Plaintiff sued claiming Vintage Stock violated the DNC rules of the TCPA. Even though she entered her phone number, Plaintiff claims she did not provide her prior express invitation or permission because she told the sales lady she did not want advertising and because the POS language was too vague: for instance, it didn’t mention text messages and it didn’t specifically authorize Vintage Stock to send anything to her phone.
VS moved for summary judgment and the court sided with it.
In the Court’s view, Plaintiff’s submission of her number on the POS was sufficient to constitute “prior express invitation” to receive further messages, a lower standard than prior express written consent.
Here’s the analysis:
When visiting Vintage Stock’s store, Sheila entered her number into the VeriFone system. Doc. 72 at ¶ 9. That system clearly stated that one should enter her phone number to receive coupons and sales notices, and it warned that “[m]essage and data rates may apply.” Doc. 68-2 at 2. If one entered her phone number into this system, she would undoubtedly expect a few things. One, she would receive coupons and sales notices from Vintage Stock. Two, Vintage Stock would send those coupons and sales notices to the phone number she entered. Three, the coupons and sales would arrive in, at least, message format. (Because this case does not involve a phone call, the Court need not address whether one would expect to receive phone calls regarding coupons or sales notices.)
Hmmm. Maybe.
The disclosure did not actually tell the consumer she would receive anything on a phone number but I see where the Court is coming from here. Still this is the most relaxed application of prior express invitation we have seen yet.
On the failure to mention text messages piece the Court mysteriously determined it didn’t need to address that issue because it related to “permission” rather than “invitation” but it is not clear why that is.
Now the really fun issue– Plaintiff claiming she was tricked by a sales lady.
The Court was unmoved by this argument and determined, in essence, that whatever happened between Plaintiff and the sales girl was irrelevant to the issue of whether invitation was given to the text program. Here the Court took a very limited view of the language used: “expressing a lack of desire to receive advertisements does not counter expressly requesting coupons and sales notices to be sent to you.”
Hmmm.
At bottom the case was dismissed and Vintage Stock walked away clean.
Very, very interesting case here, and truthfully Vintage Stock could have lost this case easily. Indeed, 8 out of 10 times these folks lose this motion. There are a bunch of interesting issues here and it is, frankly, stunning to me that Vintage Stock is walking away unscathed. I suspect an appeal is likely here.
But notice this is the third POS text club case we have discussed in the last two weeks:

Circle K is stuck in a case because it included advertising in its opt-ins;
7-Eleven is sued because it sent text messages outside of call time hours; and now
Vintage Stock barely gets away with very thin language on a POS.

Again, if you are a retailer launching a consent/preference center or managing POS messaging GET ASSISTANCE FROM QUALIFIED COUNSEL. My goodness.
Some takeaways here:

This case applies the loosest application of “prior express invitation” we have seen yet. Remember this is the standard applicable to calls and texts to numbers on the DNC; it does NOT apply to calls made using regulated technology, which requires a HIGHER standard (Troutman 9);
Generally consent is only valid so long as the texter does not have reason to know it was limited. Here VS’ agent knew of an intent to limit consent. So this is a case it probably should have lost (on an individual basis; no way this is a class issue though);
POS disclosures should definitely mention the word “text” or “SMS” when enrolling consumers in a text club and should use language indicating permission is being given, like “authorize” or “permit.” Yes, I know VS got away with one here, but don’t let their mistake become your bad habit.
VS couldn’t leverage the 18 month EBR defense here because it continued texting long after the consumer stopped visiting VS. Retailers should consider stopping text programs 18 months after a consumer’s last visit. One, these folks may have changed phone numbers– very bad. Two, these folks seemingly aren’t interested and continued texting might draw a claim similar to the one VS faced. Just something to think about.

False Claims Act: 2024 Year in Review

In 2024, the government and whistleblowers were party to 558 False Claims Act (“FCA”) settlements and judgments, just slightly fewer cases than last year’s record. As a result, collections under the FCA exceeded $2.9 billion, confirming that the FCA remains one of the government’s most important tools to root out fraud, safeguard government programs, and ensure that public funds are used appropriately. As in recent years, the healthcare industry was the primary focus of FCA enforcement, with over $1.67 billion recovered from matters involving managed care providers, hospitals, pharmacies, physicians, laboratories, and long-term acute care facilities. Other areas of focus in 2024 were government procurement fraud, pandemic fraud, and enforcement through the government’s Cyber-Fraud Initiative.
To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our thirteenth annual review of significant FCA cases, developments, and trends.
Giovanni P. Giarratana, Gregory G. Marshall, Jack W. Selden, Erin K. Sullivan, Rico Falsone, Lyndsay E. Medlin, Tara S. Sarosiek, Anna M. Lashley, Ocasha O. Musah, Brianna Rhymes, and Virginia C. Wright contributed to this article.

New EPA Administrator, Same Freeze on EPA Activity

On January 29, 2025, Lee Zeldin was confirmed as the 17th Environmental Protection Agency (EPA) Administrator. After a week on the job, Zeldin continued to maintain several policies that had been put in place immediately after the Trump administration took office. Some of these policies are summarized below. While these actions are generally expected when a new administration begins, there is a sense that additional, significant changes are around the corner.
Freeze on External Actions
On January 24, 2025, the then-acting EPA Administrator ordered a temporary halt on all environmental lawsuits to review and possibly change the agency’s stance on these issues. The Department of Justice’s (DOJ) Environment and Natural Resources Division, which enforces environmental protection laws, has also been ordered to freeze all activities. This included stopping pending court filings and delaying new complaints, with pending Comprehensive Environmental Response, Compensation, and Liability Act negotiations also on hold for an undetermined time.
This was followed by an internal memorandum instructing EPA staff to halt external communications (e.g., press releases, blog updates, and social media posts), except for discussions with state and federal agencies not related to enforcement, necessary communications regarding imports, and as related to the carrying out of inspections.
The EPA also announced delays for several finalized environmental rules from the prior administration. This includes rules regarding air pollution and the regulation of trichloroethylene (TCE).
The duration of each of these “freezes” is not clear at this time, but it seems aimed at helping the new administration evaluate what can be changed and likely beginning that change.
Staffing
As federal agencies implement a presidential order to limit telework and remote work, EPA employees must return to the office full-time next month. The EPA stated that regular telework and remote work agreements will be canceled to follow the recent Executive Order on the subject. EPA staff are expected to be in the office daily by February 24, unless they have a disability, medical condition, or other significant reasons certified by their supervisor.
It was also recently reported that the EPA is expected to cut over 1,000 employees who joined the agency within the past year, with a focus on those working on climate change, air pollution, and environmental regulation programs. Additionally, several senior civil service managers in the DOJ’s Environment and Natural Resource Division have reportedly been reassigned to focus on immigration matters rather than environmental issues.

FTC Finalizes Orders Against Data Brokers Over Sensitive Location Data

On January 14, 2025, the Federal Trade Commission (“FTC”) announced that it had issued final orders against data brokers Gravy Analytics, Inc. (“Gravy Analytics”) and Mobilewalla, Inc. (“Mobilewalla”). The FTC’s announcement follows a series of recent FTC actions concerning data brokers’ collection and sale of consumer precise geolocation data.
Gravy Analytics
According to the FTC’s complaint, Gravy Analytics is a data broker that does not have a direct relationship with consumers. Instead, it purchases consumer data (including precise geolocation data) from its data suppliers and sells such consumer data to its customers, which include both commercial and government entities. The FTC alleged that Gravy Analytics and its subsidiary violated Section 5 of the FTC Act by (1) failing to verify that its data suppliers obtained consent from consumers to collect, use and share their precise geolocation data for the purposes used by Gravy Analytics; (2) selling consumers’ precise geolocation data that revealed consumers’ visits to sensitive locations; and (3) creating and selling inferences about consumers, derived from location data, based on sensitive characteristics such as medical conditions, political activities and religious beliefs. According to the complaint, the precise geolocation data obtained by Gravy Analytics, associated with other unique consumer identifiers licensed, used and sold by the data broker, could be used to track consumers to sensitive locations, including places of religious worship, domestic abuse shelters, homeless shelters, medical facilities, political rallies, and places that could be used to infer an LGBTQ+ status. Gravy Analytics used this data to create audience segments that categorized consumers into groups based on health or medical decisions made by consumers (e.g., “pharmacy visitor during COVID quarantine”), family status (e.g., “having children,” “getting married”), religion (e.g., based on a consumer’s visit to a particular church) and political activity (e.g., identifying a consumer as a member of a particular party based on attendance at political events).
Additionally, the complaint alleged that Gravy Analytics used geofencing to create a virtual geographic boundary to identify consumers who visited certain sensitive locations and subsequently categorized these consumers into audience segments based on inferred sensitive characteristics from their visits, such as medical conditions, sexual orientation, political activities and religious beliefs. Its customers could then use these segments to serve targeted ads to consumers in these groups.
The final order requires Gravy Analytics and its subsidiary to stop selling, disclosing or using sensitive location data within 90 days of the order’s effective date, unless the companies: (1) have a direct relationship with the consumer related to the sensitive location data; (2) have obtained affirmative opt-in consent from the consumer; and (3) are using sensitive location data solely to provide a service directly requested by the consumer.
Key provisions from the final order also include requirements to:

maintain a sensitive location data program to identify a list of sensitive locations, and prevent the disclosure of consumers’ visits to those locations;
establish and maintain policies and procedures to prevent the companies from (1) associating consumer precise geolocation data with locations predominantly providing services to LGBTQ+ individuals or locations of political or social demonstrations, marches, and protests and (2) using consumer precise geolocation data to determine the identity or location of an individual’s home;
submit a report to the FTC within 30 days of making a determination that a third party shared consumers’ precise geolocation data in violation of a contractual requirement, including a description of the incident and the number of consumers affected by the disclosure;
delete all historic precise geolocation data and any data products developed using this data;
maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of their precise geolocation data; and
not misrepresent the extent to which the companies (1) review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls; (2) collect, use, maintain, disclose, or delete any information covered by the final order; or (3) de-identify the data they collect, use, maintain, or disclose.

Relatedly, days before the FTC finalized its order against Gravy Analytics, the company was reported to have experienced a data breach. The company currently faces a proposed class action lawsuit in the US District Court for the District of New Jersey, alleging that it failed to adequately secure sensitive consumer location data.
Mobilewalla
In its complaint against Mobilewalla, the FTC alleged that the company collected consumer information, without consent, from real-time bidding exchanges (“RTB ad exchanges”), including consumers’ mobile advertising identifiers (“MAIDs”) and precise geolocation data. The FTC alleged that Mobilewalla then shared this information with third parties. This FTC action is the first to focus on the collection and use of consumer data through RTB ad exchanges.
In an RTB ad exchange, online publishers (i.e., websites and apps) auction off their empty ad space so that advertisers can submit bids for an ad placement. To conduct the exchange, an app or website uses a software development kit (SDK) or cookie to collect consumers’ personal information from their devices and passes it along to participating advertisers in a bid request, so that they can bid to place advertisements based on the consumer information the request contains. As a result, advertisers can obtain consumer information from the bid request process even if they do not win the bid for an ad placement. In its complaint, the FTC alleged that when Mobilewalla bid to place an advertisement through an RTB ad exchange, it collected and retained the consumer information contained in the bid request even when it did not have a winning bid. The FTC also alleged that Mobilewalla collected information from other data brokers without verifying whether consumers had consented to Mobilewalla’s collection and use of their information.
Key provisions in the FTC’s final order against Mobilewalla include requirements to:

stop collecting, purchasing or acquiring personal information covered by the order during online advertising auctions for any purpose other than participating in such auctions;
stop selling, sharing, or disclosing sensitive location data;
maintain a sensitive location data program to identify a list of sensitive locations and prevent the disclosure of sensitive location data; and
maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of location data.

Employer Guidance for Workplace Interactions with ICE

The new presidential administration’s efforts to prioritize immigration law enforcement have resulted in increased activity by U.S. Immigration and Customs Enforcement (ICE) and an uptick in questions from employers about how to handle ICE investigations. This Alert provides guidance to employers for potential interactions with or inspections by ICE at the workplace, including preliminary actions, suggested steps during an ICE visit (whether announced or unannounced), and follow-up recommendations.
There is a common misconception that only employers that specifically seek or intentionally hire unauthorized workers are at risk of a visit from ICE. However, there are multiple avenues by which a generally law-abiding employer may find itself unknowingly employing an unauthorized worker. For example, an individual may have presented the employer with fraudulent documentation for the Form I-9 employment eligibility verification, and the employer may not have realized the document was inauthentic. Or an employer may have lawfully hired a noncitizen with proper employment paperwork but later may forget to reverify the worker’s Form I-9; in this instance, the individual’s work authorization could lapse or expire without the employer noticing.
To the extent an employer’s office or work facility is private property, employers have certain legal rights when faced with an ICE arrival. Employers should become familiar with their rights and best practices in the event of an ICE visit to minimize the risk of inordinate disruption to the workforce or operations, or the unauthorized seizure of company property and information. Employers should seek to balance (1) lawful compliance and cooperation with (2) private property rights and a general duty of care for employees.
Babst Calland recognizes that the topics of immigration enforcement and undocumented persons have been politicized. We therefore offer this guidance objectively, without advocating for any particular position beyond what is legally required.
Recommended Precautionary Actions Before ICE Arrives

Designate Public and Private Spaces
ICE agents can only be present in areas open to the public (such as parking lots, reception areas, lobbies, etc.) without a judicial warrant or specific employer consent. Therefore, employers should clearly identify the boundaries of non-public areas with signs such as “Private” or “Non-Public Area” to avoid ambiguity. Once signs are posted, management should explain these “new” boundaries or designations to the workforce, with special emphasis on its explanation to security guards, receptionists, and other public-facing employees.

Understand the Types of Documents ICE Could Present
With a few exceptions, ICE generally cannot lawfully search persons or private spaces, or seize persons or private property, without certain documentation.[1] As explained below, employers should ensure that key personnel are trained to identify and/or differentiate these documents.
A judicial warrant provides the broadest search and/or seizure rights. A judicial warrant can be either a search warrant or an arrest warrant. A judicial warrant must be signed and dated by a judge or magistrate, and it must describe with particularity the place to be searched and/or the person or items to be seized. A judicial warrant will have the name of a court at the top of the document. Only a valid judicial warrant permits an ICE agent to enter private/non-public spaces at the workplace, and only a valid judicial warrant requires cooperation. Employers must strictly comply with judicial warrants, but they are not required to take any action to assist ICE beyond what is reasonably required by the judicial warrant. For example, an employer can be required to move an employee identified in the warrant into a contained area for questioning, but it cannot be required to sort employees into groups by citizenship status or nationality for an inspection by ICE.
An administrative warrant is much more limited than a judicial warrant. An administrative warrant is signed by an immigration officer, and it allows ICE to arrest noncitizens suspected of committing immigration violations. An administrative warrant is typically identified as a document issued by the “Department of Homeland Security” and is usually on a Form I-200 or I-205. Notably, an administrative warrant does not give an ICE agent the right to enter private/non-public spaces at the facility unless the employer consents.[2] Additionally, when faced with an administrative warrant, an employer is not required to tell ICE whether the employee named in the warrant is currently working or to bring the employee to the agent (or vice versa).
Alternatively, ICE could present an employer with a subpoena, a notice of inspection, or a notice to appear. A subpoena is a written request for information or documents that provides a certain time limit to respond and does not require immediate compliance. Like a subpoena, a notice of inspection is a document informing an employer that it must produce employees’ I-9 Forms for an audit[3] within 3 business days. A notice to appear is a document directed to an individual instructing them to appear before an immigration judge.

Assign an On-Site Response Coordinator
Employers should assign a particular managerial or supervisory employee at each facility to be the on-site response coordinator who can serve as a single point of contact with ICE in the event that ICE arrives, as well as a back-up coordinator if the designated worker is absent or unavailable. These personnel should be trained to differentiate between the above-described documents, and to understand and be aligned with the employer’s policy for lawful compliance with visits from ICE.
Review Applicable Collective Bargaining Agreements
For any locations that have a unionized workforce, employers should review the applicable collective bargaining agreements (CBAs) proactively to determine whether they require any additional conduct by the employer in the event of an ICE visit. For example, some CBAs might include provisions that give the union the right to be present during any ICE inspections or on-site employee interviews, or require that the employer notify all union employees when ICE agents arrive. Any additional CBA requirements should be implemented alongside the below recommended actions for facilities with unionized employees.

Recommended Actions If ICE Arrives
*All recommended actions below should be conducted in a calm, professional, and polite manner to prevent escalation of the interaction.*

Notify key personnel – The first steps are to immediately notify the facility supervisor, the on-site response coordinator(s), and legal counsel. Ask the agents to wait in a specific space or designated location until either a supervisor, on-site response coordinator, or legal counsel arrives to prevent disruption.
Verify agent identity – The response coordinator should clarify whether the agents are police officers or ICE agents and request their names and badge numbers.
Verify agent purpose – The response coordinator should ask the agents about the nature of their visit. Common purposes include:
Initiation of Form I-9 Audit – If ICE intends to audit a company’s Form I-9 compliance, ICE must first provide the employer with a Notice of Inspection. These notices give employers at least 3 business days to produce the requested I-9 Forms.[4] Additional productions and procedures will ensue if ICE determines that there are any Form I-9 errors, suspicious documents, or discrepancies, and employers should consult with an immigration attorney for further guidance if this occurs.
Facility Search or “Raid” – ICE can arrive without warning to investigate an employer.
Detention of specific person(s) – ICE can arrive without warning to detain specific person(s).
Fraud Detection and National Security (FDNS) visit – this is an unannounced visit related to an employer’s recent immigration petition(s) where ICE agents conduct compliance reviews to ensure the employer is complying with the terms and conditions of the petition(s). This guidance does not address such visits, as FDNS visits are only relevant for employers who have had an H-1B or L-1 intracompany transfer petition(s) adjudicated.

Verify documentation – The response coordinator should ask to see a warrant.
If a judicial warrant is provided, employers should analyze it to determine its scope and ask for a copy of it. Employers are not required to provide access to any area not specified in the warrant.

If a judicial warrant is not provided, the response coordinator can (but is not required to) state: “I’m sorry, but this is private property. It is company policy not to provide consent or permission to enter private or non-public areas of the facility or to access our information or records without a valid warrant signed by a judge.”
If there is an issue with the judicial warrant (e.g., it is not signed, not dated, is missing the correct workplace address, or does not sufficiently describe the premises to be searched or items to be searched for), an employer can accept the warrant but should note its objection so that counsel can challenge the search or seizure later if sufficient grounds exist. To be clear, in this instance, the search or seizure will still occur.
Ask to be provided with a list of any items seized during the search.

If an administrative warrant is provided, the response coordinator can (but is not required to) state: “I’m sorry, but this is private property. It is company policy not to provide consent or permission to enter private or non-public areas of the facility or to access our information or records without a valid warrant signed by a judge.”

Use independent judgment if considering voluntary consent.
Employers can decide to voluntarily consent to a search or seizure of employer property by ICE without a sufficient warrant. Moreover, ICE agents are permitted to make statements intended to encourage voluntary consent or to imply that giving consent is required even in circumstances where it is not (such as when the agents do not possess a judicial warrant).
If considering consenting to a search or seizure without a sufficient warrant, employers should use independent judgment to evaluate the totality of the circumstances in addition to any statements made by the agents.
Please note that non-management or non-supervisory employees do not have the authority to act on behalf of an employer to give such consent.

Be respectful, but clear, if exercising the company’s rights.
Never attempt to block an ICE agent’s movements. If an employer believes ICE is exceeding its authority, the response coordinator can voice the employer’s objection and state that the company does not consent, but they should not argue and never physically interfere with the agent’s actions.
If agents attempt to seize something that is critical to company operations (such as a computer, proprietary information, or an important file), explain why the item is critical to the company’s operations, request a more limited or targeted seizure, and/or ask to make a copy of the information before it is seized.
Employers can notify employees that they have the right to remain silent, but employers cannot instruct employees not to respond to questions. Company representatives should not be confrontational, obstructive, or evasive.
Employers and employees alike have the right to record an encounter with ICE. Consider recording interactions with ICE agents to clearly document statements and actions. Efforts to record an encounter should never interfere with the agents’ activities.

Recommended Actions After ICE Visit

Document as much as possible – The response coordinator should interview employees and make a record of the details of the event in an incident report. The report should include details such as the number of agents, a description of what they were wearing, whether the agents kept anyone from moving around the workplace freely, a detailed list of the locations of any search (including smaller spaces such as closed drawers), a detailed description of any property seized, a detailed list of statements made by the employer declining consent or asserting legal rights, and any statements made by the agents.
Follow-up notifications – employers should call legal counsel immediately to discuss next steps. If the workplace is unionized, employers should notify the union that ICE visited the workplace.
Engage and encourage open communication with and among the workforce – Employers should be open and honest with the workforce about what occurred. In addition to individual instances of absenteeism, fear of action by ICE may lead to employees discussing their concerns or voicing disagreement with the employer’s response (or potential response) to ICE. Employers must be aware that certain employee collective action (discussions, protests, other concerted activity, etc.) may be protected under the National Labor Relations Act if it relates to the terms and conditions of employment, even for non-union workers or those who may not be authorized to work in the U.S.
Provide reasonable leave – If ICE detains a worker, consider providing the worker with an unpaid leave of absence during and in the immediate aftermath of the detention. While not legally required, an employer could consider handling the matter in a manner similar to the leave that might be provided in the event of a sudden medical issue or other unexpected absence. Failure to provide such comparable leave could give rise to a claim for national origin discrimination. Employers are never, however, required to provide employees with indefinite leaves of absence.

[1] While police officers are allowed to search and arrest without a warrant in the event of different types of emergencies such as while in “hot pursuit” of a criminal suspect, ICE agents are not police officers (regardless of whether their uniforms say “Police”). ICE agents may not search and seize without a warrant if they are merely in “hot pursuit” of a suspected undocumented person. Under applicable law, this type of warrantless search or seizure is only permitted if the agent is in “hot pursuit” of an individual who “poses a public safety threat” or who the agent personally observed crossing the border.
[2] One key exception is the “in plain view” principle. With or without a warrant, ICE agents are always allowed to look at anything in “plain view,” including computer screens or papers sitting out on desks, or listen to audible conversations that can be overheard without a listening device. If what the agent sees or hears in “plain view” gives them probable cause that unlawful activity is, has, or will occur, they can search the relevant private area and seize relevant items without a warrant.
[3] The Form I-9 is a document used to verify the identity and employment eligibility of individuals within the United States. Federal law requires employers to create and maintain I-9 Forms and supporting documentation for all employees.
[4] Employers are cautioned against voluntarily consenting to a search or seizure of the Forms I-9 if ICE agents do not have a judicial warrant for this information or if the 3-day period after receiving a Notice of Inspection has not yet expired. The Form I-9 rules are nuanced and strict, and it is very common for employers to unknowingly violate a rule due to an unintended error on the forms or in record-keeping. Employers can be subject to monetary fines for substantive violations and any uncorrected technical violations regardless of whether the violation was intentional.

New York Attorney General Secures $450,000 Settlement Over eufy Home Security Camera Security Concerns

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products. The settlement follows findings that, in some cases, video streams from eufy cameras were transmitted without end-to-end encryption and active video feeds could be accessed without authentication by individuals with the corresponding URL.
The Office of the Attorney General (OAG) initiated the investigation after a November 2022 disclosure by a security researcher raised concerns about the accuracy of eufy’s marketing claims regarding its security and encryption measures. The researcher’s findings suggested that eufy’s Internet-connected security cameras, video doorbells and smart locks did not fully encrypt video data in transit, despite company assurances that consumer footage would remain private and secure.
The OAG’s investigation confirmed that, in certain circumstances:

video data was not protected by end-to-end encryption, leaving portions of the transmission unencrypted;
active video streams could be accessed without authentication if an individual had the correct URL;
some URLs could be determined without directly obtaining them from a user, increasing the risk of unauthorized access; and
the companies had not implemented sufficient security testing procedures, leading to undetected vulnerabilities.
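The second and third findings describe a familiar failure: the stream URL is the only credential, and its identifier can be guessed. The following is an added illustration (not eufy's code, and not taken from the OAG's findings) of that weak pattern next to a hardened one. The host name, path layout, parameter names and the viewer grant table are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Added illustration of the two access patterns described in the OAG findings.
# Host, paths, query parameter names and the grant table are hypothetical.
HOST = "https://stream.example.invalid"


def weak_stream_url(device_id: int) -> str:
    """Weak pattern: the URL is the only credential and embeds a small sequential id."""
    return f"{HOST}/live/{device_id}"


def weak_server_accepts(url: str) -> bool:
    """Weak server: any well-formed /live/<id> request is served, with no authentication."""
    path = urlsplit(url).path
    return path.startswith("/live/") and path[len("/live/"):].isdigit()


def enumerate_neighbours(known_url: str, count: int = 3) -> list:
    """Holding one URL, an attacker derives others simply by counting up the id."""
    device_id = int(urlsplit(known_url).path.rsplit("/", 1)[1])
    return [weak_stream_url(device_id + i) for i in range(1, count + 1)]


def issue_signed_url(device_id: int, viewer: str, key: bytes, now: int, ttl: int = 60) -> str:
    """Hardened pattern: short-lived, viewer-bound, single-use URL signed with a server key."""
    exp = now + ttl
    nonce = secrets.token_hex(8)
    msg = f"{device_id}|{viewer}|{exp}|{nonce}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{HOST}/live/{device_id}?viewer={viewer}&exp={exp}&nonce={nonce}&sig={sig}"


def authorize(url: str, key: bytes, now: int, grants: dict, seen_nonces: set) -> bool:
    """Server-side check: parse, expiry, viewer entitlement, signature, then replay."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        device_id = int(parts.path.rsplit("/", 1)[1])
        viewer = query["viewer"][0]
        exp = int(query["exp"][0])
        nonce = query["nonce"][0]
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now >= exp:
        return False
    if device_id not in grants.get(viewer, ()):
        return False  # this viewer was never granted this camera
    msg = f"{device_id}|{viewer}|{exp}|{nonce}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # tampered or forged
    if nonce in seen_nonces:
        return False  # replayed within the validity window
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    key, grants, seen = b"k" * 32, {"alice": {1042}}, set()
    leaked = weak_stream_url(1042)
    print("weak: neighbours served:", all(weak_server_accepts(u) for u in enumerate_neighbours(leaked)))
    good = issue_signed_url(1042, "alice", key, now=1000)
    print("signed: first use", authorize(good, key, 1030, grants, seen), "replay", authorize(good, key, 1031, grants, seen))
```

The hardened form addresses the two listed findings about URLs, not the first one about transport: a signed, expiring, viewer-bound URL still needs TLS (or the end-to-end encryption the marketing promised) underneath it, and the server must keep the signing key and the seen-nonce set out of reach of the client.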

Under the terms of the settlement, the companies must implement enhanced security measures including:

developing and maintaining a comprehensive information security program to protect consumer data;
implementing secure software development practices, including third-party security testing;
maintaining a vulnerability management program with regular penetration testing; and
enhancing encryption protocols for video storage and transmission.

This resolution highlights the importance of robust security measures for Internet-connected devices that store and transmit sensitive consumer data. Companies offering such products must ensure that their security practices align with industry standards and that their marketing claims accurately reflect their security capabilities.

I SPY!: Court Finds No Standing In Spy Pixels Case

Hi, CIPAWorld!
The District of Massachusetts just issued a huge win for the defendant in a spy pixels class action and dismissed the case altogether for lack of standing!
In Campos v. TJX Companies, Inc., No. 24-cv-11067, 2025 WL 360677 (D. Mass. Jan. 31, 2025), Plaintiff Campos filed a putative class action against Defendant TJX Companies (“TJX”), alleging that TJX embedded a “spy pixel” in its promotional emails which collected certain information about the email and its recipients, including the email address, the subject of the email, when it was opened and read, the recipient’s location, the length of time the recipient spent reading the email, whether it was forwarded or printed, the recipient’s email service, et cetera. Although Plaintiff conceded that she subscribed to TJX’s email list, she said that TJX nevertheless collected this information without her consent or the consent of other class members. Plaintiff claimed that this lack of consent formed the basis of TJX’s violation of the Arizona Telephone, Utility and Communication Service Records Act, which makes it a crime for a person to “[k]nowingly procure, … [a] communication service record of any resident of [Arizona] without the authorization of the customer to whom the record pertains or by fraudulent, deceptive or false means.” Id. at *1 (second and third alterations added).
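For readers who have not looked under the hood of a “spy pixel,” the following is an added example, not code from the Complaint or from TJX, of how the mechanism yields the items listed above. The sender embeds a 1x1 image whose URL carries a per-recipient token; every time a mail client renders the email it fetches the image, and the web server log of those fetches is the tracking record. Host, path, secret and all log lines below are constructed; the open-time, client and location fields come from the request, and the “forward” signal is only an inference from the same token being fetched from another network by another client.

```python
import hashlib
import re
from datetime import datetime

# Added illustration of how a tracking pixel reports opens, not code from the
# complaint or from TJX. Host, path, secret and all log lines are constructed.
PIXEL_SECRET = b"hypothetical-server-secret"
HOST = "https://promo.example.invalid"


def pixel_token(recipient: str, campaign: str) -> str:
    """Opaque per-recipient, per-campaign token carried in the image URL."""
    raw = PIXEL_SECRET + f"{recipient}|{campaign}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def pixel_tag(recipient: str, campaign: str) -> str:
    """The invisible 1x1 image placed in the HTML body of the promotional email."""
    return f'<img src="{HOST}/o.gif?t={pixel_token(recipient, campaign)}" width="1" height="1" alt="">'


# Combined log format; the pixel is fetched whenever a mail client renders the email.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /o\.gif\?t=(?P<tok>[0-9a-f]{16}) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
MAIL_CLIENTS = (("Outlook", "Outlook"), ("GoogleImageProxy", "Gmail"), ("iPhone", "Apple Mail"))


def classify_client(user_agent: str) -> str:
    """Mail service or client, read off the User-Agent of the image request."""
    for needle, label in MAIL_CLIENTS:
        if needle in user_agent:
            return label
    return "unknown"


def analyze_opens(log_lines, registry):
    """registry maps token -> (recipient, campaign); returns what the sender learns per recipient."""
    summary = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        who = registry.get(m.group("tok"))
        if who is None:
            continue  # unknown or guessed token: nothing to attribute
        recipient, campaign = who
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entry = summary.setdefault(recipient, {
            "campaign": campaign, "opens": 0, "first_open": ts, "last_open": ts,
            "ips": set(), "clients": set(),
        })
        entry["opens"] += 1
        entry["first_open"] = min(entry["first_open"], ts)
        entry["last_open"] = max(entry["last_open"], ts)
        entry["ips"].add(m.group("ip"))  # approximate location, unless a proxy fetched the image
        entry["clients"].add(classify_client(m.group("ua")))
    for entry in summary.values():
        # Same token fetched from another network by another client: the message was
        # probably forwarded. The pixel never sees the forwarded message's content.
        entry["possible_forward"] = len(entry["ips"]) > 1 and len(entry["clients"]) > 1
    return summary


# Constructed sample: two recipients of one campaign, three fetches for alice,
# one for bob through Gmail's image proxy, and one probe with a made-up token.
ALICE = pixel_token("alice@example.invalid", "spring-sale")
BOB = pixel_token("bob@example.invalid", "spring-sale")
REGISTRY = {
    ALICE: ("alice@example.invalid", "spring-sale"),
    BOB: ("bob@example.invalid", "spring-sale"),
}
SAMPLE_LOG = [
    f'203.0.113.10 - - [31/Jan/2025:09:12:05 +0000] "GET /o.gif?t={ALICE} HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0) Microsoft Outlook 16.0"',
    f'203.0.113.10 - - [31/Jan/2025:09:12:41 +0000] "GET /o.gif?t={ALICE} HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0) Microsoft Outlook 16.0"',
    f'198.51.100.7 - - [31/Jan/2025:18:03:17 +0000] "GET /o.gif?t={ALICE} HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)"',
    f'203.0.113.77 - - [31/Jan/2025:10:00:00 +0000] "GET /o.gif?t={BOB} HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) via ggpht.com GoogleImageProxy"',
    '192.0.2.9 - - [31/Jan/2025:10:00:01 +0000] "GET /o.gif?t=0000000000000000 HTTP/1.1" 404 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for recipient, info in analyze_opens(SAMPLE_LOG, REGISTRY).items():
        print(recipient, info["opens"], sorted(info["clients"]), info["possible_forward"])
```

Two caveats a practitioner would add: the email address and subject are not learned from the pixel at all (the sender already has them and simply keys the token to them, which is the court's point), and where a mail provider proxies images, as Gmail does, the logged IP is the proxy's and the location inference fails.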
In response, TJX filed, inter alia, a Rule 12(b)(1) motion to dismiss for lack of standing, arguing that the Plaintiff could not establish an injury-in-fact. To determine whether Plaintiff suffered an injury-in-fact based on a violation of privacy, as claimed here, the Court explained that there must be a “‘close relationship’ between, on one hand, Defendant’s alleged procurement of Plaintiff’s data relating to her opening of promotional emails and, on the other hand, a traditionally actionable harm under common law.” Id. at *3 (internal citation omitted).
The Plaintiff first likened her injuries to the tort of intrusion upon seclusion, which requires an intentional intrusion and one that “would be highly offensive to a reasonable person.” Id. The cause of action is aimed at protecting deeply personal, private, or confidential matters. The Court, however, wasn’t buying it:
Some of this information clearly does not implicate Plaintiff’s privacy or seclusion. For instance, Plaintiff’s email address was certainly not private, given that she provided it to Defendant when she consented to receive the promotional emails. Nor was there anything particularly private about the email’s subject or other content, as Defendant authored the email and therefore would have known the subject and content with or without the pixels and thus without any impact on any privacy interest asserted by Plaintiff.

Id. at *4 (emphasis added). While the Court found that the individualized data about whether, when, where, and for how long Plaintiff read TJX’s emails presented a closer question, the Court still found this distinguishable from the idea of covert surveillance. Specifically, it explained that “a glimpse into Plaintiff’s email inbox is a far cry from peeking into her upstairs window, particularly where she voluntarily subscribed to Defendant’s emails and where there is no allegation that the spy pixels intruded into any other private area of her email inbox or computer.” Id. (emphasis added).
In a footnote, the Court noted that “Plaintiff’s allegation that the spy pixel tracked whether the email was forwarded gives the Court some pause, as it comes the closest to tracking ‘unrelated personal messages.’” Id. at *6, n.3 (emphasis added). However, it dismissed this issue because Plaintiff did not allege that the pixels could track the recipient or the content of the forwarded message. Indeed, “the simple act of forwarding, without more, does not rise to the level of substantial intrusion into Plaintiff’s private affairs.” Id.
Plaintiff also attempted to liken her harm to other privacy statutes which give rise to standing, but to no avail. First, she analogized her harm to cases under the TCPA. The Court rejected this argument on the basis that plaintiffs in TCPA cases received unconsented-to and unsolicited communications, whereas Plaintiff subscribed to TJX’s messages and frequently opened them. Second, it found that Plaintiff’s reliance on the Video Privacy Protection Act, which prohibits disclosure of an individual’s rental and sale records, was misplaced because Plaintiff did not allege any such disclosure. And finally, it found the information protected by the Illinois Biometric Information Privacy Act—a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry—to be decidedly more personal than the information at issue in Plaintiff’s Complaint.
Accordingly, the Court dismissed Plaintiff’s complaint for lack of standing. Plaintiff’s allegations just didn’t cut it—without a concrete injury, there’s no standing, and without standing, there’s no case. This ruling reinforces that not every data collection claim fits within traditional privacy harms, especially when the user voluntarily engages with the service. It’s a significant win for defendants facing similar claims and one to keep an eye on moving forward.

BIG BROTHER OR BIG BUSINESS?: E! Entertainment’s Fashion Police Might Need Troutman Amin Instead

Greetings CIPAWorld! Twice in one day? You know it must be big. This case is an absolute must-read for data privacy professionals and law students looking to break into the field. If you’re studying privacy law or tech policy or just want to see how cutting-edge legal arguments are shaping the future of digital rights, this one’s for you. Brace yourselves because we are about to dive deep into this well-drafted Complaint recently filed. A California resident has filed a sweeping class action lawsuit against E! Entertainment Television, alleging the media company’s website secretly tracks and monetizes visitor data without consent—turning users into unwitting participants in a vast digital advertising machine. See Weiler v. E! Ent. Television, LLC, No. 25STCV02509 (Cal. Super. Ct. filed Jan. 29, 2025). The Complaint, filed in Los Angeles Superior Court by Plaintiff, provides an unprecedented look into the complex web of online tracking, data brokerage, and real-time ad auctions that powers many popular websites. Plaintiff, who has regularly visited the website from 2016 through October 2024, represents potentially thousands of California residents who have had their data collected without consent.
When visitors access eonline.com, the website allegedly automatically installs two powerful tracking systems on their browsers—the Bounce Exchange Tracker operated by data broker Wunderkind and the ADNXS Tracker run by Microsoft. These trackers immediately start collecting visitors’ IP addresses, which reveal their approximate physical location, along with detailed device information like browser type, operating system, and other identifying characteristics that create a unique digital fingerprint.
Let me simplify this. Think of it like a digital license plate—once a site tags you, your activity can be traced across the web, even if you think you’re browsing anonymously. Much like a telephone number guides a call to its destination, an IP address routes data packets between devices on the internet. The traditional IPv4 format offers approximately 4.3 billion unique addresses, while the newer IPv6 system provides vastly more combinations to accommodate the growing internet.
I know I’m geeking out with these technical sophistications here, but this is fascinating as technology advances! Public IP addresses assigned by Internet Service Providers are globally unique and can reveal a user’s approximate location, while private IP addresses are used only within local networks. This distinction is essential to address, no pun intended, because private IP addresses don’t reveal geolocation, while public ones do and are extensively used in advertising.
The trackers also collect what’s known as “Device Fingerprint Information,” which includes the user-agent string (detailing precise browser and system specifications), device capabilities, supported image formats, compression methods, and persistent identifiers like PUID, GUID, UID, and PSVID. If cookies are the old-school way of tracking you, device fingerprinting is the cutting-edge upgrade—harder to delete, more invasive, and nearly impossible to avoid. Under California’s Invasion of Privacy Act (“CIPA”) § 638.50(b), these trackers qualify as “pen registers” because they capture “routing, addressing, or signaling information” without obtaining required court approval. What’s more, the lawsuit argues that these trackers also function as “trap and trace devices” under CIPA because they don’t just track outbound signals—they monitor inbound data as well, identifying where users connect from, which could further bolster the claim that E! Entertainment is violating privacy laws by monitoring user activity without disclosure.
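To make the two identifiers concrete, here is an added example (not code from the Wunderkind or Microsoft trackers, and not drawn from the Complaint) showing why a public IP address is geolocatable while a private one is not, and why a header-derived fingerprint survives a cookie purge. The header set, the hashing scheme and the sample header values are constructed; real fingerprinting scripts add many more signals (canvas, fonts, screen geometry) on the client side, which this server-side version omits.

```python
import hashlib
import ipaddress
from typing import Optional

# Added illustration of the two identifiers the Complaint describes, a public IP
# address and a header-derived device fingerprint. Not code from the trackers
# named in the Complaint; header set, hashing and sample values are constructed.
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")


def is_public_ip(addr: str) -> bool:
    """Only a globally routable address maps to an approximate location; RFC 1918,
    loopback, link-local and similar ranges never leave the local network."""
    return ipaddress.ip_address(addr).is_global


def device_fingerprint(headers: dict) -> str:
    """Identifier derived from request headers alone: nothing is stored on the
    client, so clearing cookies does not change it."""
    canon = "\n".join(f"{h.lower()}:{headers.get(h, '').strip()}" for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(canon.encode()).hexdigest()[:20]


def visitor_record(client_ip: str, headers: dict, cookie_uid: Optional[str]) -> dict:
    """What a tracker can key a profile on for a single page load."""
    return {
        "fingerprint": device_fingerprint(headers),
        "geolocatable_ip": client_ip if is_public_ip(client_ip) else None,
        "cookie_uid": cookie_uid,
    }


def same_visitor(a: dict, b: dict) -> bool:
    """Link two page loads: by persistent cookie id when present, else by fingerprint."""
    if a["cookie_uid"] and a["cookie_uid"] == b["cookie_uid"]:
        return True
    return a["fingerprint"] == b["fingerprint"]


# Constructed sample: one browser visits twice, clearing cookies in between.
CHROME_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate, br",
}
FIREFOX_HEADERS = dict(CHROME_HEADERS, **{"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"})

if __name__ == "__main__":
    # 93.184.216.34 is a routable address used only as sample input here.
    first = visitor_record("93.184.216.34", CHROME_HEADERS, "PUID-1a2b3c")
    second = visitor_record("93.184.216.34", CHROME_HEADERS, None)  # cookies cleared
    print("linked after cookie clear:", same_visitor(first, second))
    print("geolocatable from office LAN:", visitor_record("10.0.0.5", CHROME_HEADERS, None)["geolocatable_ip"])
```

The design point is the one the Complaint makes: a cookie identifier such as a PUID can be deleted by the user, whereas the fingerprint is recomputed from what the browser sends on every request, so the only user-side defence is to make those headers less distinctive.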
Wunderkind’s technology goes far beyond simple data collection. According to the Complaint, it “analyze[s] everything about visitor behavior, from purchase history to traffic sources to engagement patterns to even the moment a visitor is abandoning a site using its patented exit-intent technology.” In other words, it’s not just watching—it’s waiting for the exact moment you hesitate before clicking away to push you toward engagement. Black Mirror episode, anyone? The company maintains what it calls “the largest first-party data set out of comparable solutions on the market,” using this vast collection of information to track users across multiple devices and platforms. This means that Wunderkind isn’t just tracking user behavior on E! Online—it’s enriching Microsoft’s bidstream data with additional details, allowing advertisers to bid on pre-profiled users rather than just generic ad impressions.
The lawsuit explains how this data collection feeds into a sophisticated advertising ecosystem called “real-time bidding” (“RTB”), where users’ personal data is turned into a commodity in a split-second auction. Imagine a stock market for human attention—except you don’t get a say in who’s buying or selling access to you. At the center of this system is Microsoft’s ADNXS Tracker, which functions as a “demand-side platform” (“DSP”). Its “impression bus” system processes ad requests, applies user data, and manages the entire bidding process. When someone visits E! Online, Microsoft’s ADNXS system doesn’t just load a webpage—it launches a high-speed digital auction. First, a “Supply Side Platform” sends user data to Microsoft’s Advertising Exchange, which includes device identifiers, IP address, zip/postal code, GPS location, browsing history, and other personal information, collectively known as “bidstream data.” Microsoft’s system then overlays segment data from its server-side cookie store, accumulating information through Microsoft Advertising segment pixels and client-uploaded data files.
The Advertising Exchange then broadcasts this data to multiple DSPs, who evaluate it to determine whether to bid for their advertising clients. At this point, your data isn’t just floating around in cyberspace—it’s being assessed, categorized, and priced in milliseconds. The Complaint alleges that Microsoft’s impression bus processes and facilitates RTB transactions but also plays a broader role in Microsoft’s ad-serving infrastructure, meaning data could be stored beyond just a single ad request. The lawsuit raises a major concern: even advertisers who lose the auction still receive and retain the visitor’s data. This means that a single visit to E! Online can result in personal data being shared with countless third parties—many of whom the visitor has never even heard of.
The Federal Trade Commission (“FTC”) has raised serious concerns about this real-time bidding process. The FTC warns that RTB incentivizes websites to share as much user data as possible to get higher ad valuations, particularly location data and browsing history. The process also enables sensitive data to be transmitted across geographic borders without restriction. The FTC has previously taken enforcement action against real-time bidding companies, such as Xandr (formerly owned by AT&T and later acquired by Microsoft), highlighting the potential legal exposure of E! Entertainment’s practices.
Wunderkind, meanwhile, allegedly uses the tracking data to build highly detailed consumer profiles that follow people long after they leave E! Online. As a registered data broker in California, Wunderkind maintains vast databases of consumer information that it sells to advertisers, brands, and even other data brokers. The complaint alleges that Wunderkind’s code on E! Online captured Weiler’s browser details and transmitted this information to its servers. The lawsuit argues that by allowing this data collection without obtaining explicit consent, E! Entertainment has essentially turned its audience into a product—monetizing their personal information while keeping them in the dark.
The Complaint argues these practices violate the CIPA, which prohibits certain tracking technologies without court approval. The Complaint explicitly cites recent court decisions from 2024, including Shah v. Fandom, Inc., No. 24-CV-01062-RFL, 2024 WL 4539577, at *6 (N.D. Cal. Oct. 21, 2024) and Mirmalek v. L.A. Times Commc’ns L.L.C., No. 24-cv-01797-CRB, 2024 WL 5102709, at *3-4 (N.D. Cal. Dec. 12, 2024), which found that similar trackers constituted “pen registers” due to CIPA’s “expansive language.” If the court agrees that Microsoft’s and Wunderkind’s trackers fall under this classification, E! Entertainment could face serious legal and financial consequences—including statutory damages of up to $5,000 per violation.
As digital privacy gains continued importance and online tracking faces scrutiny, this case may significantly impact how media and entertainment companies manage visitor data. While companies like E! Entertainment may argue that data-driven advertising is necessary in today’s economy, privacy advocates see lawsuits like this as long-overdue accountability for an industry that has long operated in the shadows. This case challenges E! Entertainment, and an entire industry focused on tracking, profiling, and monetizing consumers without their knowledge.
Remember, just because you can’t see tracking happening doesn’t mean it isn’t there.
As always,
Keep it legal, keep it smart, and stay ahead of the game.

TOO LATE: 7-Eleven Sued in TCPA Class Action for Allegedly Failing to Comply With Call Time Limitations–And This Is Crazy If its True

So the other day TCPAWorld.com reported on Circle K being caught in a massive TCPA class action due to marketing content in its opt in messages.
Eesh.
Well now competitor convenience store 7-Eleven is caught in a TCPA class action of its own and it also stems from low-hanging-fruit TCPA compliance issues that should never have happened (if it did.)
Background– the TCPA imposes call time limitations on messaging in some contexts. Messages cannot be sent before 8 am or after 9 pm. In some states–such as Florida–where this case is brought–the restrictions are even tighter.
Now interestingly, my read of the TCPA is that it only restricts telephone solicitations to call time hours, which means calls made with consent or an EBR are not subject to those restrictions. That is probably what 7-11 is thinking, but I am not sure. However, these exemptions do not seem to apply to state statutes. So, keep that in mind.
Regardless in the new case of Alexander Fernandez v. 7-Eleven, Plaintiff seemingly admits signing up to a 7-Eleven text club using a keyword (an always dangerous process, but that’s a topic for another day.)
While 7-Eleven does not appear to be using a double opt-in process (also odd) it does seem to be sending messages at off hours. Plaintiff provides screenshots demonstrating messages received at 9:40 and 9:41 pm.
The plaintiff seeks to represent a class of all individuals that received messages out of compliance with call time restrictions based on the called party’s time zone. Will be very interesting to see what data sets exist around such a class.
The plaintiff seemingly intentionally does not allege her phone number, so I am curious whether the area code matches Florida– where Plaintiff apparently lives. This might be a “panhandle special” where someone living in Florida’s central time zone is receiving messages intended for the eastern time zone– resulting in a message being sent at 8:41 being received at 9:41.
Then again, since Florida’s state restriction is 8 pm that wouldn’t seem to matter anyway.
Really interesting one. We will keep an eye on it.

New DHS Security Requirements Impact Compliance for Employers with Workers in Six “Countries of Concern”

The U.S. Department of Homeland Security (DHS) recently published new security requirements for certain restricted transactions covered by the U.S. Department of Justice’s (DOJ) sensitive data export rules. The security requirements could create compliance issues for employers with workers in certain countries that have been identified as posing national security concerns, a list that currently includes China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Quick Hits

The U.S. Department of Homeland Security published new security requirements for restricted transactions to prevent access to covered data and systems by countries of concern and certain persons affiliated with such countries.
The security requirements, which include stricter cybersecurity policies, multifactor authentication (MFA), incident response plans, and robust encryption to prevent unauthorized access to sensitive data, were published in conjunction with a Justice Department rule implementing a Biden administration-era executive order on cybersecurity.
Companies with employees in high-risk countries may face significant challenges in ensuring compliance with the new requirements, particularly regarding access to essential networks needed for business operations.

On January 3, 2025, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released finalized security requirements for restricted transactions pursuant to Executive Order (EO) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” issued in February 2024 by then-President Joe Biden. The requirements were developed in conjunction with a DOJ final rule, which was published in the Federal Register on January 8, 2025, implementing EO 14117.
The CISA security requirements apply to certain restricted transactions identified by the DOJ that involve “bulk sensitive personal data or United States Government-related data” as defined by the DOJ and EO 14117 or that are of a class of transaction determined by the DOJ to pose an unacceptable risk to national security because it may enable certain “countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data.”
The DOJ has identified six “countries of concern”: (1) China, including the special administrative regions of Hong Kong and Macau, (2) Cuba, (3) Iran, (4) North Korea, (5) Russia, and (6) Venezuela. A “covered person” is an individual or entity associated with a country of concern, and the term includes: (1) entities that are controlled or owned by one or more countries of concern, (2) entities that are controlled by “one or more persons” affiliated with a country of concern, (3) individuals who are “employee[s] or contractor[s] of a country of concern,” or (4) an entity controlled by a country of concern, and individuals the attorney general determines may be controlled by or act on behalf of a country of concern or other “covered person.”
Existing laws and regulations surrounding international data transfers, which are often transaction- or sector-specific, did not comprehensively address bulk data transfers to countries of concern. And, with respect to the personal data of U.S. citizens, certain common data processing principles are unequally applied given the existing patchwork of state and sectoral privacy laws. Accordingly, in an effort to fill the gap, the security requirements articulated by the DHS cover (1) organizational and system-level requirements for covered systems and (2) data-level requirements for data that is the subject of a restricted transaction.
Organizational- and System-Level Requirements
The security requirements state that entities must require that “basic organizational cybersecurity policies, practices, and requirements” are implemented with respect to any covered system (i.e., information systems used to interact with covered data in connection with restricted transactions). These steps include:

maintaining an inventory of covered system assets and ensuring the “inventory is updated on a recurring basis”;
designating an organizational level individual, such as a Chief Information Security Officer, who will be “responsible and accountable” for cybersecurity and governance, risk, and compliance (GRC) functions;
remediating any known exploited vulnerabilities (KEVs);
documenting vendor/supplier agreements for covered systems;
developing an “accurate network topology of the covered system”;
adopting policies that require approval of new hardware or software before it is deployed in a covered system; and
developing and maintaining incident response plans.

The requirements further call for entities to implement “logical and physical access controls” to protect access to data by covered persons or countries of concern, including the use of multifactor authentication (MFA) to prevent inappropriate access to data or, in the limited circumstances where MFA is not possible, stringent password requirements. Entities will want to pay close attention to their processes for evaluating the sufficiency of their security protocols on an ongoing basis, including through the issuance and management of identities and credentials associated with authorized users, services, and hardware, and the prompt revocation of credentials of individuals who leave or change roles.
The requirements likewise mandate the ongoing collection and storage of logs that relate to access to covered systems and the security of the same. Additional technical specifications include the default denial of connections. Finally, the requirements direct entities to conduct internal data risk assessments and evaluate, on an ongoing basis, whether an entity’s approach to security is sufficient to prevent access to covered data.
Data-Level Requirements
The CISA security requirements direct entities to implement data-level measures to “fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology” by the covered person, employee, or vendor, or the governments of countries of concern. The requirements call for:

applying data minimization and masking strategies, which must include the preparation of and adherence to written data retention and deletion policies, and processing restrictions geared toward transforming the data such that it is no longer considered to be covered data or such that it is unlikely to be linked to an American person;
utilizing compulsory encryption techniques to protect data;
applying “privacy enhancing technologies” or “differential privacy techniques” during the course of any processing activities associated with covered data; and
configuring identity and access management techniques to deny access to covered systems by covered persons or countries of concern.

Next Steps
The CISA security requirements may have major implications for global companies with employees in countries of concern, such as China, and are likely to raise concerns about whether such employees will be able to access networks and information that are critical for them to do their jobs.
However, employers with substantial operations in potentially impacted countries may want to take note that while the security requirements discussed above are being implemented pursuant to a Biden administration EO, it remains to be seen whether the Trump administration will roll back the security measures as part of the administration’s ongoing deregulation focus, particularly to the extent the requirements may have the practical impact of restricting work in China. Moreover, President Trump has issued a “Regulatory Freeze Pending Review,” which could delay the April 8, 2025, effective date of the DOJ’s final rule.
In the meantime, employers may want to take steps to prepare for the CISA security requirements and DOJ regulations regarding countries of concern and covered persons. To do so, companies may want to assess the extent to which they employ covered persons in countries of concern or have entered into contracts with vendors who rely upon personnel based in such countries. If they determine this to be the case, they may wish to assess whether they have necessary privacy and security safeguards, both technical and contractual, to prevent improper access to protected personal and U.S. government data.

EU Fines EU?!: Alleged Unlawful Data-Transfer Dust-Up

Following a German case brought against the EU Commission, the EU General Court found that the Commission had made an improper transfer of personal information to the US. The plaintiff, a German citizen, alleged (among other things) that his information was sent through the EU Commission’s website to the US through an automated social media login option when he registered for a Commission event. He further alleged that this violated the government-agency equivalent of GDPR (EUDPR), as it occurred during a period in time when the Privacy Shield had been found inadequate, and the replacement program was not yet in place.
The court noted that the Commission, in making the transfer, relied only on website terms for the US data recipient. It did not enter into a contract that included standard contractual clauses or otherwise have “appropriate safeguard[s].” The court ordered the Commission to pay the individual €400.
Putting It Into Practice: This case, brought against the EU entity that oversees GDPR compliance, is a reminder of EU concerns with data transfers to the US. As we await further developments with the Data Privacy Framework under the new administration, companies may want to re-examine the mechanisms (including standard contractual clauses plus additional safeguards) they rely on for EU-US data transfers.