Kein digitales Zugangsrecht – Gewerkschaft scheitert mit Klage gegen Adidas
Spätestens seit der Corona-Pandemie erfreut sich das Home-Office großer Beliebtheit: Rund ein Viertel aller Erwerbstätigen in Deutschland arbeitet zumindest teilweise aus dem Home-Office. Doch während das mobile Arbeiten sowohl für Arbeitnehmer als auch Arbeitgeber eine Reihe von Vorteilen mit sich bringt, stellt es die – ohnehin über Mitgliederschwund klagenden – Gewerkschaften vor zunehmende Herausforderungen: Potenzielle Gewerkschaftsmitglieder, die von zu Hause aus arbeiten und nicht physisch auf dem Betriebsgelände erscheinen, sind schlicht schwieriger zu erreichen als ihre Kollegen, die täglich zur Arbeitsstätte pendeln und von den Gewerkschaften auf dem Firmenparkplatz angeworben werden können.
Die Industriegewerkschaft Bergbau, Chemie, Energie (IG BCE) nahm genau diese Herausforderung nun zum Anlass, von Adidas die Herausgabe der dienstlichen E-Mail-Adressen seiner Mitarbeitenden, Zugang zum konzernweiten sozialen Netzwerk Viva Engage sowie die Verlinkung ihrer Homepage auf der Startseite des Intranets des Sportartikelherstellers zu verlangen. In einer in der vergangenen Woche ergangenen Entscheidung erteilte das Bundesarbeitsgericht den Gewerkschaftsforderungen und damit einem „digitalen Zugangsrecht“ jedoch eine Absage.
In seiner Entscheidung (BAG, Urt. v. 28.01.2025, Az. 1 AZR 33/24) stellte der erste Senat um die Präsidentin des Bundesarbeitsgerichts Inken Gallner klar, dass Arbeitgeber weder hinsichtlich bereits beschäftigter Arbeitnehmer noch hinsichtlich neu hinzukommender Arbeitnehmer dazu verpflichtet seien, dienstliche E-Mail-Adressen zum Zwecke der Mitgliederwerbung an die jeweils tarifzuständige Gewerkschaft herauszugeben. Zwar gewährleiste die in Art. 9 Abs. 3 GG normierte Koalitionsfreiheit die grundsätzliche Befugnis von Gewerkschaften, betriebliche E-Mail-Adressen der Arbeitnehmer zu Werbezwecken und für deren Information zu nutzen, allerdings resultiere daraus keine Verpflichtung von Arbeitgebern, die Mitgliederwerbung durch Übermittlung der E-Mail-Adressen selbst aktiv zu unterstützen. Neben den insofern betroffenen konkurrierenden Grundrechten des Arbeitgebers aus Art. 14 GG sowie Art. 12 Abs. 1 GG und der verfassungsrechtlich garantierten wirtschaftlichen Betätigungsfreiheit seien die ebenfalls berührten Grundrechte der betroffenen Arbeitnehmer aus Art. 2 Abs. 1 i.V.m. Art. 1 Abs. 1 GG bzw. Art. 8 der Charta der Grundrechte der Europäischen Union zu berücksichtigen und mit der Koalitionsfreiheit abzuwägen. Die von der Gewerkschaft erhobene Forderung bringe die betroffenen Rechte dabei nicht in einen angemessenen Ausgleich.
Auch mit ihren Anträgen auf Zugang zum konzerninternen sozialen Netzwerk und eine Verlinkung der Gewerkschafts-Homepage auf der Startseite des firmeneigenen Intranets scheiterte die Gewerkschaft. Die damit einhergehenden Beeinträchtigungen des Arbeitgebers übersteigen dem Bundesarbeitsgericht zufolge das durch Art. 9 Abs. 3 GG geschützte Interesse der Gewerkschaft an der Durchführung solcher Werbemaßnahmen. Insbesondere die Forderung nach Verlinkung im firmeneigenen Intranet finde aktuell keine Grundlage im Gesetz und könne mangels planwidriger Regelungslücke im Betriebsverfassungsgesetz auch nicht auf § 9 Abs. 3 S. 2 BPersVG gestützt werden.
Ob der Gesetzgeber vor dem Hintergrund dieser Entscheidung tätig wird und mit der ausdrücklichen Normierung eines elektronischen Zugangsrechts auf den Wandel der Arbeitswelt reagiert, bleibt abzuwarten. Bis dahin bleibt den Gewerkschaften lediglich, auf klassischem Wege um Nachwuchs zu werben oder – wie das Bundesarbeitsgericht betont – potenzielle Mitglieder vor Ort im Betrieb nach ihrer dienstlichen E-Mail-Adresse zu fragen. Betroffene Unternehmen können bei vergleichbaren Gewerkschaftsanfragen hingegen – jedenfalls vorerst – getrost auf die Rechtsprechung aus Erfurt verweisen.
SEC’s Crypto Journey Continues
In a wide-ranging public statement entitled “The Journey Begins,” SEC Commissioner Hester Peirce previewed next steps for the SEC’s Crypto Task Force. As chair of the Crypto Task Force, Commissioner Peirce’s statement lays out a broad agenda for the SEC’s approach to cryptocurrency over the next four years.
The statement begins by criticizing the SEC’s past approach to crypto, noting:
it took us a long time to get into this mess, and it is going to take us some time to get out of it. The Commission has engaged with the crypto industry in one form or another for more than a decade. The first bitcoin exchange-traded product application hit our doorstep in 2013, and the Commission brought a fraud case that had a tangential crypto element that same year. In 2017, we issued the DAO Section 21(a) report, which reflected the first application of the Howey test in this context. Since then, there have been many enforcement actions, a number of no-action letters, some exemptive relief, endless talk about crypto in speeches and statements, lots of meetings with crypto entrepreneurs, many inter-agency and international crypto working groups, discussion of certain aspects of crypto in rulemaking proposals, consideration of crypto-related issues in reviews of registration statements and other filings, and approval of numerous SRO proposed rule changes to list crypto exchange-traded products.
Commissioner Peirce also sought to manage expectations about the timing and complexity of future SEC action:
Throughout this time, the Commission’s handling of crypto has been marked by legal imprecision and commercial impracticality. Consequently, many cases remain in litigation, many rules remain in the proposal stage, and many market participants remain in limbo. Determining how best to disentangle all these strands, including ongoing litigation, will take time. It will involve work across the whole agency and cooperation with other regulators. Please be patient. The Task Force wants to get to a good place, but we need to do so in an orderly, practical, and legally defensible way.
The statement hits libertarian notes, proclaiming, “In this country, people generally have a right to make decisions for themselves, but the counterpart to that wonderful American liberty is the equally wonderful American expectation that people must decide for themselves, not look to Mama Government to tell them what to do or not to do, nor to bail them out when they do something that turns out badly.” But Commissioner Peirce also warned that “SEC rules will not let you do whatever you want, whenever you want, however you want,” and that the SEC will not “tolerate liars, cheaters, and scammers.”
The heart of the statement lays out a 10-point, nonexclusive agenda for the SEC Crypto Task Force:
providing greater specificity as to which crypto assets are securities;
identifying areas both within and outside the SEC’s jurisdiction;
considering temporary regulatory relief for prior coin or token offerings;
modifying future paths for registering securities token offerings;
updating policies for special purpose broker-dealers transacting in crypto;
improving crypto custody options for investment advisers;
providing clarity around crypto lending and staking programs;
revisiting SEC policies regarding crypto exchange-traded products;
engaging with clearing agencies and transfer agents transacting in crypto; and
considering a cross-border sandbox for limited experimentation.
Commissioner Peirce’s statement concludes with instructions on how to engage with the Crypto Task Force, both in writing and in person.
NAD Recommends Revolve Upgrade Disclosures When Gifting Items to Influencers
In a recent decision, the National Advertising Division (NAD) of BBB National Programs recommended that Revolve Group, Inc., a clothing company with an extensive influencer network, modify influencer posts to more clearly disclose the material connections between Revolve and influencers in its product gifting program.
Make It Crystal: Revolve’s Brand Ambassador Posts Not Clear Enough
Revolve had engaged the two influencers through a product-gifting relationship in which the company offered a clothing credit towards their merchandise in exchange for a certain number of social media posts about the Revolve brand. The posts in question, flagged by NAD’s routine monitoring program, directed viewers to Revolve’s social media account and featured a hashtag used typically by Revolve customers to identify Revolve clothing featured in social media posts. Despite the mention of Revolve in the posts, the NAD found that the tags — @Revolve and #revolveme — failed to disclose the nature of the connection between Revolve and the influencers.
Revolve’s Influencer Guidelines Missed the Mark on Ensuring Disclosure
During its inquiry, the NAD found that the guidelines Revolve provided to brand ambassadors were insufficient in instructing how to properly make material connections known to consumers or comply with the FTC’s Endorsement Guides. Although Revolve did inform its partners how to conspicuously disclose the gifted-clothing relationship with the company, the NAD found the instructions could be easily missed because they were listed at the bottom of a bulleted list.
In response, Revolve updated it guidelines to provide its influencers with examples of hashtags and language to make their material connections with Revolve explicit in the first line of any sponsored post. Moreover, Revolve revised its Checkout Terms for influencers to clarify disclosure requirements for any posts made under the agreement and provided visual examples of conforming material connection disclosures. Finally, Revolve pledged to more closely monitor advertising posts to ensure compliance.
Still Not Clear Enough: NAD Deems Ambiguities in Revised Posts Do Not Conform to the FTC Endorsement Guide
Even after certain posts were updated to include the more robust disclosures (e.g., #Sponsored and #giftedbyresolve), the NAD found aspects of those posts to continue to fall flat. First, hashtags used by influencers that run words together, such as #giftedbyrevolve, make it difficult for customers to understand that a brand is sponsoring the post. The FTC’s “What People Are Asking” makes clear that hashtags made of several words can be confusing to consumers, and assert that disclosures about a sponsorship relationship must be easily noticed and understood. Second, including the hashtag “#sponsored” may be inadequate when multiple brands are tagged in the post. In one instance, a post with the caption “Wearing @revolve @loversfriendsla #sponsored” did not make it clear to the consumer which entity was sponsoring the post.
The Bottom Line: Social Media Posts Must Make Material Connections Unambiguous and Obvious
It bears repeating (see here and here) that brands should carefully craft their influencer guidelines, making clear and prominent the full requirements NAD and the FTC would expect. Brands should also monitor influencer posts, even those that are part of gifting and ambassador programs.
California’s Kids’ Social Media Law Wrangling Continues, and Maryland Too!
The Ninth Circuit continued the pause on California’s SB 976 (Protecting Our Kids from Social Media Addiction Act) as of late January 2025. The law was signed by Governor Newsom in September 2024, and challenged by NetChoice shortly thereafter.
A federal judge first enjoined the law until February 1, 2025. The case continued in the courts, and most recently the Ninth Circuit blocked the law until April of 2025. At that time, it will examine substantively whether the law infringes free speech rights. This delay will impact the AG’s drafting of rules for the law.
This is not NetChoice’s first attempt to stop kid-focused social media laws. It took similar steps in Utah in 2024, and has challenged similar laws in Arkansas, Ohio, Mississippi, Texas, and most recently, as of Maryland’s similar Age Appropriate Design Code Act.
Putting it into Practice: These decisions are a reminder that the social media laws being passed at a state level are continuing to be challenged. We will be continuing to monitor them for further developments.
James O’Reilly also contributed to this article.
Listen to this post
Looking Back at the False Claims Act in 2024 as the Government Keeps its Sights on Cybersecurity in 2025
In 2024, the government and whistleblowers were party to 558 settlements and judgments collecting over $2.9 billion. The government continued its effort to combat cybersecurity threats through its Civil Cyber-Fraud Initiative, which is dedicated to using the FCA to ensure that federal contractors and grantees are compliant with cybersecurity requirements. Settlements in 2024 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failing to properly maintain, patch, and update the software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2025 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement & Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our 13th annual review of significant FCA cases, developments, and trends.
Listen to this post
VINTAGE: Court Throws Out TCPA Class Action Against Vintage Stock and This One Is Sure to Stand the Test of Time
Wow.
This one is a remarkable ruling folks.
Lady visits a retail store. She is asked for her phone number and told it is necessary for her to return goods. She tells the employee she does not want to receive any advertisements. But when she provides her number she is actually signing up for a recurring text program.
What result?
According to the court in Thompson v. Vintage Stock, 2025 WL 385681 (E.D. Mo Feb. 3, 2025) the consent provided by the consumer trumps and the resulting messages are legal.
Let’s dive in.
Plaintiff’s phone number is on the DNC list. She visited a store called Vintage Stock and made a purchase.
The sales lady apparently told her that she needed to enter her number on the POS system because it would be needed in case Plaintiff wanted to return an item.
Plaintiff tells sales lady “I don’t want to receive any advertisements” but goes ahead and enters her number in the POS anyway.
On the POS is a display reading: ““Enter your phone # to receive coupons and sales notices. Message and data rates may apply.”
As a result Plaintiff received at least four promotional text messages sent to her phone.
Plaintiff sued claiming Vintage Stock violated the DNC rules of the TCPA. Even though she entered her phone number Plaintiff claims she did not provide her prior express invitation of permission because she told the sales lady she did not want advertising and because the POS language was too vague– for instance it didn’t mention text messages and it didn’t specifically authorize Vintage Stock to send anything to her phone.
VS moved for summary judgment and the court sided with it.
In the Court’s view Plaintiff’s submission of her number on the POS was sufficient to constitute “prior express invitation” to receive further messages–a lower standard than prior express written consent.
Here’s the analysis:
When visiting Vintage Stock’s store, Sheila entered her number into the VeriFone system. Doc. 72 at ¶ 9. That system clearly stated that one should enter her phone number to receive coupons and sales notices, and it warned that “[m]essage and data rates may apply.” Doc. 68-2 at 2. If one entered her phone number into this system, she would undoubtedly expect a few things. One, she would receive coupons and sales notices from Vintage Stock. Two, Vintage Stock would send those coupons and sales notices to the phone number she entered. Three, the coupons and sales would arrive in, at least, message format. (Because this case does not involve a phone call, the Court need not address whether one would expect to receive phone calls regarding coupons or sales notices.)
Hmmm. Maybe.
The disclosure did not actually tell the consumer she would receive anything on a phone number but I see where the Court is coming from here. Still this is the most relaxed application of prior express invitation we have seen yet.
On the failure to mention text messages piece the Court mysteriously determined it didn’t need to address that issue because it related to “permission” rather than “invitation” but it is not clear why that is.
Now the really fun issue– Plaintiff claiming she was tricked by a sales lady.
The Court was unmoved by this argument and determined, in essence, that whatever happened between Plaintiff and the sales girl was irrelevant to the issue of whether invitation was given to the text program. Here the Court took a very limited view of the language used: “expressing a lack of desire to receive advertisements does not counter expressly requesting coupons and sales notices to be sent to you.”
Hmmm.
At bottom the case was dismissed and Vintage Stock walked away clean.
Very very interesting case here– and truthfully Vintage Stock could have lost this case easily. Indeed, 8 out of 10 times these folks lose this motion. There are a bunch of interesting issues here and it is, frankly, stunning to me that Vintage Stock is walking away unscathed. I suspect an appeal is likely here.
But notice this is the third POS text club case we have discussed in the last two weeks!:
Circle K is stuck in a case because it included advertising in its opt ins;
7-Eleven is sued because it sent text messages outside of call time hours; and now
Vintage Stock barely gets away with very thin language on a POS.
Again, if you are a retailer launching a consent/preference center or managing POS messaging GET ASSISTANCE FROM QUALIFIED COUNSEL. My goodness.
Some take away here:
This case applies to loosest application of “prior express invitation” we have seen yet. Remember this is the standard applicable to calls and texts to numbers on the DNC– it does NOT apply to calls made using regulated technology, that requires a HIGHER standard (Troutman 9);
Generally consent is only valid so long as the texter does not have reason to know it was limited. Here VS’ agent knew of an intent to limit consent. So this is a case it probably should have lost (on an individual basis– now way this is a class issue tho)
POS disclosures should definitely mention the word “text” or “SMS” when enrolling in a text club and should use language indicating permission is being given like “authorize” or “permit.” Yes, I know VS got away with one here but don’t let their mistake become your bad habit.
VS couldn’t leverage the 18 month EBR defense here because it continued texting long after the consumer stopped visiting VS. Retailers should consider stopping text programs 18 months after a consumer’s last visit. One, these folks may have changed phone numbers– very bad. Two, these folks seemingly aren’t interested and continued texting might draw a claim similar to the one VS faced. Just something to think about.
False Claims Act: 2024 Year in Review
In 2024, the government and whistleblowers were party to 558 False Claims Act (“FCA”) settlements and judgments, just slightly fewer cases than last year’s record. As a result, collections under the FCA exceeded $2.9 billion, confirming that the FCA remains one of the government’s most important tools to root out fraud, safeguard government programs, and ensure that public funds are used appropriately. As in recent years, the healthcare industry was the primary focus of FCA enforcement, with over $1.67 billion recovered from matters involving managed care providers, hospitals, pharmacies, physicians, laboratories, and long-term acute care facilities. Other areas of focus in 2024 were government procurement fraud, pandemic fraud, and enforcement through the government’s Cyber-Fraud Initiative.
To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our thirteenth annual review of significant FCA cases, developments, and trends.
Giovanni P. Giarratana, Gregory G. Marshall, Jack W. Selden, Erin K. Sullivan, Rico Falsone, Lyndsay E. Medlin, Tara S. Sarosiek, Anna M. Lashley, Ocasha O. Musah, Brianna Rhymes, and Virginia C. Wright contributed to this article.
New EPA Administrator, Same Freeze on EPA Activity
On January 29, 2025, Lee Zeldin was confirmed as the 17th Environmental Protection Agency (EPA) Administrator. After a week on the job, Zeldin continued to maintain several policies that had been put in place immediately after the Trump administration took office. Some of these policies are summarized below. While these actions are generally expected when a new administration begins, there is a sense that additional, significant changes are around the corner.
Freeze on External Actions
On January 24, 2025, the then acting EPA Administrator ordered a temporary halt on all environmental lawsuits to review and possibly change the agency’s stance on these issues. The Department of Justice’s (DOJ) Environment and Natural Resources Division, which enforces environmental protection laws, has also been ordered to freeze all activities. This included stopping pending court filings and delaying new complaints, with pending Comprehensive Environmental Response, Compensation, and Liability Act negotiations also on hold for an undetermined time.
This was followed by an internal memorandum instructing EPA staff to halt external communications (e.g., press releases, blog updates, and social media posts), except for discussions with state and federal agencies not related to enforcement, necessary communications regarding imports, and as related to the carrying out of inspections.
The EPA also announced delays for several finalized environmental rules from the prior administration. This includes rules regarding air pollution and the regulation of trichloroethylene (TCE).
The duration of each of these “freezes” is not clear at this time, but it seems aimed at helping the new administration evaluate what can be changed and likely beginning that change.
Staffing
As federal agencies implement a presidential order to limit telework and remote work, EPA employees must return to the office full-time next month. The EPA stated that regular telework and remote work agreements will be canceled to follow the recent Executive Order on the subject. EPA staff are expected to be in the office daily by February 24, unless they have a disability, medical condition, or other significant reasons certified by their supervisor.
It was also recently reported that the EPA is expected to cut over 1,000 employees who joined the agency within the past year, with a focus on those working on climate change, air pollution, and environmental regulation programs. Additionally, several senior civil service managers in the DOJ’s Environment and Natural Resource Division have reportedly been reassigned to focus on immigration matters rather than environmental issues.
FTC Finalizes Orders Against Data Brokers Over Sensitive Location Data
On January 14, 2025, the Federal Trade Commission (“FTC”) announced that it had issued final orders against data brokers Gravy Analytics, Inc. (“Gravy Analytics”) and Mobilewalla, Inc. (“Mobilewalla”). The FTC’s announcement follows a series of recent FTC actions concerning data brokers’ collection and sale of consumer precise geolocation data. Our blog posts covering these prior actions can be viewed here and here.
Gravy Analytics
According to the FTC’s complaint, Gravy Analytics is a data broker that does not have a direct relationship with consumers. Instead, it purchases consumer data (including precise geolocation data) from its data suppliers and sells such consumer data to its customers, which include both commercial and government entities. The FTC alleged that Gravy Analytics and its subsidiary violated Section 5 of the FTC Act by (1) failing to verify that its data suppliers obtained consent from consumers to collect, use and share their precise geolocation data for the purposes used by Gravy Analytics; (2) selling consumers’ precise geolocation data that revealed consumers’ visits to sensitive locations; and (3) creating and selling inferences derived from location data drawn about consumers based on sensitive characteristics, such as medical conditions, political activities and religious beliefs According to the complaint, the precise geolocation data obtained by Gravy Analytics, associated with other unique consumer identifiers licensed, used and sold by the data broker, could be used to track consumers to sensitive locations, including places of religious worship, domestic abuse shelters, homeless shelters, medical facilities, political rallies, and places that could be used to infer an LGBTQ+ status. Gravy Analytics used this data to create audience segments that categorized consumers into groups based on health or medical decisions made by consumers (e.g., “pharmacy visitor during COVID quarantine”), family status (e.g., “having children,” “getting married”), religion (e.g., based on a consumer’s visit to a particular church) and political activity (e.g., identifying a consumer as a member of a particular party based on attendance at political events). Additionally, the complaint alleged that Gravy Analytics used geofencing to create a virtual geographic boundary to identify consumers who visited certain sensitive locations and subsequently categorized these consumers into audience segments based on inferred sensitive characteristics from their visits, such as medical conditions, sexual orientation, political activities and religious beliefs. Its customers could then use these segments to serve targeted ads to consumers in these groups.
The final order requires Gravy Analytics and its subsidiary to stop selling, disclosing or using sensitive location data within 90 days of the order’s effective date, unless the companies: (1) have a direct relationship with the consumer related to the sensitive location data; (2) have obtained affirmative opt-in consent from the consumer and (3) are using sensitive location data solely to provide a service directly requested by the consumer.
Key provisions from the final order also include requirements to:
maintain a sensitive location data program to identify a list of sensitive locations, and prevent the disclosure of consumers’ visits to those locations;
establish and maintain policies and procedures to prevent the companies from (1) associating consumer precise geolocation data with locations predominantly providing services to LGBTQ+ individuals or locations of political or social demonstrations, marches, and protests and (2)using consumer precise geolocation data to determine the identity or location of an individual’s home;
submit a report to the FTC within 30 days of making a determination that a third party shared consumers’ precise geolocation data in violation of a contractual requirement, including a description of the incident and the number of consumers affected by the disclosure;
delete all historic precise geolocation data and any data products developed using this data;
maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of their precise geolocation data; and
not misrepresent the extent to which the companies (1) review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls; (2) collect, use, maintain, disclose, or delete any information by the final order; or (3) de-identify the data they collect, use, maintain, or disclose.
Relatedly, days before the FTC finalized its order against Gravy Analytics, the company was reported to have experienced a data breach. The company currently faces a proposed class action lawsuit in the US District Court for the District of New Jersey, alleging that it failed to adequately secure sensitive consumer location data.
Mobilewalla
In its complaint against Mobilewalla, the FTC alleged that the company collected consumer information, without consent, from real-time bidding exchanges (“RTB ad exchanges”), which data included consumers’ mobile advertising identifiers (“MAID”) and precise geolocation data. The FTC alleged that Mobilewalla then shared this information with third parties. This FTC action is the first to focus on the collection and use of consumer data through RTB ad exchanges.
During RTB ad exchanges, online publishers (i.e., websites and apps) auction off their empty ad space so that advertisers can submit bids for an ad placement. To conduct the exchange, an app or website uses a software development kit (SDK) or cookie to collect consumers’ personal information from their devices and passes it along to participating advertisers, so that they can bid to place advertisements based on the consumer information contained in the bid request. As a result, advertisers can obtain consumer information from the bid request process, even if they do not win the bid for an ad placement. In its complaint, the FTC alleged that when Mobilewalla bid to place an advertisement through an RTB ad exchange, it collected and retained the consumer information contained in the bid request, even when it did not have a winning bid. The FTC also alleged that Mobilewalla collected information from other data brokers without verifying whether consumers consented to Mobilewalla’s collection and use of their information.
Key provisions in the FTC’s final order against Mobilewalla include requirements to:
stop collecting, purchasing or acquiring personal information covered in the order during online advertising auctions for any other purpose other than participating in such auctions;
stop selling, sharing, or disclosing sensitive location data;
maintain a sensitive location data program to identify a list of sensitive locations and prevent the disclosure of sensitive location data; and
maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of location data.
Employer Guidance for Workplace Interactions with ICE
The new presidential administration’s efforts to prioritize immigration law enforcement has resulted in increased activity by U.S. Immigration and Customs Enforcement (ICE) and an uptick of questions from employers about how to handle ICE investigations. This Alert provides guidance to employers for potential interactions with or inspections by ICE at the workplace, including preliminary actions, suggested steps during an ICE visit (whether announced or unannounced), and follow-up recommendations.
There is a common misconception that only employers that specifically seek or intentionally hire unauthorized workers are at risk of a visit from ICE. However, there are multiple avenues by which a generally law-abiding employer may find itself unknowingly employing an unauthorized worker. For example, an individual may have presented the employer with fraudulent documentation for the Form I-9 employment eligibility verification, and the employer may not have realized the document was inauthentic. Or an employer may have lawfully hired a noncitizen with proper employment paperwork but later may forget to reverify the worker’s Form I-9; in this instance, the individual’s work authorization could lapse or expire without the employer noticing.
To the extent an employer’s office or work facility is private property, employers have certain legal rights when faced with an ICE arrival. Employers should become familiar with their rights and best practices in the event of an ICE visit to minimize the risk of inordinate disruption to the workforce or operations, or the unauthorized seizure of company property and information. Employers should seek to balance (1) lawful compliance and cooperation with (2) private property rights and a general duty of care for employees.
Babst Calland recognizes that the topics of immigration enforcement and undocumented persons have been politicized. We therefore offer this guidance objectively, without advocating for any particular position beyond what is legally required.
Recommended Precautionary Actions Before ICE Arrives
Designate Public and Private SpacesICE agents can only be present in areas open to the public (such as parking lots, reception areas, lobbies, etc.) without a judicial warrant or specific employer consent. Therefore, employers should clearly identify the boundaries of non-public areas with signs such as “Private” or “Non-Public Area” to avoid ambiguity. Once signs are posted, management should explain these “new” boundaries or designations to the workforce, with special emphasis on its explanation to security guards, receptionists, and other public-facing employees.
Understand the Types of Documents ICE Could PresentWith a few exceptions, ICE generally cannot lawfully search persons or private spaces, or seize persons or private property, without certain documentation.[1] As explained below, employers should ensure that key personnel are trained to identify and/or differentiate these documents.
A judicial warrant provides the broadest search and/or seizure rights. A judicial warrant can be either a search warrant or an arrest warrant. A judicial warrant must be signed and dated by a judge or magistrate and it must describe with particularity the place to be searched, and/or the person or items to be seized. A judicial warrant will have the name of a court at the top of the document. Only a valid judicial warrant permits an ICE agent to enter private/non-public spaces at the workplace, and only a valid judicial warrant requires cooperation. Employers must strictly comply with judicial warrants, but it is not required to take any action to assist ICE beyond what is reasonably required by the judicial warrant. For example, an employer can be required to move an employee identified in the warrant into a contained area for questioning, but it cannot be required to sort employees into groups by citizenship status or nationality for an inspection by ICE.
An administrative warrant is much more limited than a judicial warrant. An administrative warrant is signed by an immigration officer, and it allows ICE to arrest noncitizens suspected of committing immigration violations. An administrative warrant is typically identified as a document issued by the “Department of Homeland Security” and is usually on a Form I-200 or I-205. Notably, an administrative warrant does not give an ICE agent the right to enter private/non-public spaces at the facility unless the employer consents.[2] Additionally, when faced with an administrative warrant, an employer is not required to tell ICE whether the employee named in the warrant is currently working or to bring the employee to the agent (or vice versa).
Alternatively, ICE could present an employer with a subpoena, a notice of inspection, or a notice to appear. A subpoena is a written request for information or documents that provides a certain time limit to respond and does not require immediate compliance. Like a subpoena, a notice of inspection is a document informing an employer that it must produce employees’ I-9 Forms for an audit[3] within 3 business days. A notice to appear is a document directed to an individual instructing them to appear before an immigration judge.
Assign an On-Site Response CoordinatorEmployers should assign a particular managerial or supervisory employee at each facility to be the on-site response coordinator who can serve as a single point of contact with ICE in the event that ICE arrives, as well as a back-up coordinator if the designated worker is absent or unavailable. These personnel should be trained to differentiate between the above-described documents, and to understand and be aligned with the employer’s policy for lawful compliance with visits from ICE.
Review Applicable Collective Bargaining AgreementsFor any locations that have a unionized workforce, employers should review the applicable collective bargaining agreements (CBAs) proactively to determine whether they require any additional conduct by the employer in the event of an ICE visit. For example, some CBAs might include provisions that give the union the right to be present during any ICE inspections or on-site employee interviews, or require that the employer notify all union employees when ICE agents arrive. Any additional CBA requirements should be implemented with the below recommended actions for facilities with unionized employees.
Recommended Actions If ICE Arrives
*All recommended actions below should be conducted in a calm, professional, and polite manner to prevent escalation of the interaction.*
Notify key personnel – The first steps are to immediately notify the facility supervisor, the on-site response coordinator(s), and legal counsel. Ask the agents to wait in a specific space or designated location until either a supervisor, on-site response coordinator, or legal counsel arrives to prevent disruption.
Verify agent identify – The response coordinator should clarify whether the agents are police officers or ICE agents and request their names and badge numbers.
Verify agent purpose – The response coordinator should ask the agents about the nature of their visit. Common purposes include:
Initiation of Form I-9 Audit – If ICE intends to audit a company’s Form I-9 compliance, ICE must first provide the employer with a Notice of Inspection. These notices give employers at least 3 business days to produce the requested I-9 Forms.[4] Additional productions and procedures will ensue if ICE determines that there are any Form I-9 errors, suspicious documents, or discrepancies, and employers should consult with an immigration attorney for further guidance if this occurs.
Facility Search or “Raid” – ICE can arrive without warning to investigate an employer.
Detention of specific person(s) – ICE can arrive without warning to detain specific person(s).
Fraud Detection and National Security (FDNS) visit – this is an unannounced visit related to an employer’s recent immigration petition(s) where ICE agents conduct compliance reviews to ensure the employer is complying with the terms and conditions of the petition(s). This guidance does not address such visits, as FDNS visits are only relevant for employers who have had an H-1B or L-1 intracompany transfer petition(s) adjudicated.
Verify documentation – The response coordinator should ask to see a warrant.
If a judicial warrant is provided, employers should analyze it to determine its scope and ask for a copy of it. Employers are not required to provide access to any area not specified in the warrant.
If a judicial warrant is not provided, the response coordinator can (but is not required to) state: “I’m sorry, but this is private property. It is company policy not to provide consent or permission to enter private or non-public areas of the facility or to access our information or records without a valid warrant signed by a judge.”
If there is an issue with the judicial warrant (i.e. it is not signed, not dated, is missing the correct workplace address, or does not sufficiently describe the premises to be searched or items to be searched for), an employer can accept the warrant but should note its objection so that counsel can challenge the search or seizure later if sufficient grounds exist. To be clear, in this instance, the search or seizure will still occur.
Ask to be provided with a list of any items seized during the search.
If an administrative warrant is provided, the response coordinator can (but is not required to) state: “I’m sorry, but this is private property. It is company policy not to provide consent or permission to enter private or non-public areas of the facility or to access our information or records without a valid warrant signed by a judge.”
Use independent judgment if considering voluntary consent.
Employers can decide to voluntarily consent to a search or seizure of employer property by ICE without a sufficient warrant. Moreover, ICE agents are permitted to make statements intended to encourage voluntary consent or to imply that giving consent is required even in circumstances where it is not (such as when the agents do not possess a judicial warrant).
If considering consenting to a search or seizure without a sufficient warrant, employers should use independent judgment to evaluate the totality of the circumstances in addition to any statements made by the agents.
Please note that non-management or non-supervisory employees do not have the authority to act on behalf of an employer to give such consent.
Be respectful, but clear, if exercising the company’s rights.
Never attempt to block an ICE agent’s movements. If an employer believes ICE is exceeding its authority, the response coordinator can voice the employer’s objection and state that the company does not consent, but they should not argue and never physically interfere with the agent’s actions.
If agents attempt to seize something that is critical to company operations (such as a computer, proprietary information, or an important file), explain why the item is critical to the company’s operations, request a more limited or targeted seizure, and/or ask to make a copy of the information before it is seized.
Employers can notify employees that they have the right to remain silent, but employers cannot instruct employees not to respond to questions. Company representatives should not be confrontational, obstructive, or evasive.
Employers and employees alike have the right to record an encounter with ICE. Consider recording interactions with ICE agents to clearly document statements and actions. Efforts to record an encounter should never interfere with the agents’ activities.
Recommended Actions After ICE Visit
Document as much as possible – The response coordinator should interview employees and make a record of the details of the event in an incident report. The report should include details such as the number of agents, a description of what they were wearing, whether the agents kept anyone from moving around the workplace freely, a detailed list of the locations of any search (including smaller spaces such as closed drawers), a detailed description of any property seized, a detailed list of statements made by the employer declining consent or asserting legal rights, and any statements made by the agents.
Follow-up notifications – employers should call legal counsel immediately to discuss next steps. If the workplace is unionized, employers should notify the union that ICE visited the workplace.
Engage and encourage open communication with and among the workforce – Employers should be open and honest with the workforce about what occurred. In addition to individual instances of absenteeism, fear of action by ICE may lead to employees discussing their concerns or voicing disagreement with the employer’s response (or potential response) to ICE. Employers must be aware that certain employee collective action (discussions, protests, other concerted activity, etc.) may be protected under the National Labor Relations Act if it relates to the terms and conditions of employment, even for non-union workers or those who may not be authorized to work in the U.S.
Provide reasonable leave – If ICE detains a worker, consider providing the worker with an unpaid leave of absence during and in the immediate aftermath of the detention. While not legally required, an employer could consider handling the matter in a manner similar to the leave that might be provided in the event of a sudden medical issue or other unexpected absence. Failure to provide such comparable leave could give rise to a claim for national origin discrimination. Employers are never, however, required to provide employees with indefinite leaves of absence.
[1] While police officers are allowed to search and arrest without a warrant in the event of different types of emergencies such as while in “hot pursuit” of a criminal suspect, ICE agents are not police officers (regardless of whether their uniforms say “Police”). ICE agents may not search and seize without a warrant if they are merely in “hot pursuit” of a suspected undocumented person. Under applicable law, this type of warrantless search or seizure is only permitted if the agent is in “hot pursuit” of an individual who “poses a public safety threat” or who the agent personally observed crossing the border.
[2] One key exception is the “in plain view” principle. With or without a warrant, ICE agents are always allowed to look at anything in “plain view,” including computer screens or papers sitting out on desks, or listen to audible conversations that can be overheard without a listening device. If what the agent sees or hears in “plain view” gives them probable cause that unlawful activity is, has, or will occur, they can search the relevant private area and seize relevant items without a warrant.
[3] The Form I-9 is a document used to verify the identity and employment eligibility of individuals within the United States. Federal law requires employers to create and maintain I-9 Forms and supporting documentation for all employees.
[4] Employers are cautioned against voluntarily consenting to a search or seizure of the Forms I-9 if ICE agents do not have a judicial warrant for this information or if the 3-day period after receiving a Notice of Inspection has not yet expired. The Form I-9 rules are nuanced and strict, and it is very common for employers to unknowingly violate a rule due to an unintended error on the forms or in record-keeping. Employers can be subject to monetary fines for substantive violations and any uncorrected technical violations regardless of whether the violation was intentional
New York Attorney General Secures $450,000 Settlement Over eufy Home Security Camera Security Concerns
New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products. The settlement follows findings that, in some cases, video streams from eufy cameras were transmitted without end-to-end encryption and active video feeds could be accessed without authentication by individuals with the corresponding URL.
The Office of the Attorney General (OAG) initiated the investigation after a November 2022 disclosure by a security researcher raised concerns about the accuracy of eufy’s marketing claims regarding its security and encryption measures. The researcher’s findings suggested that eufy’s Internet-connected security cameras, video doorbells and smart locks did not fully encrypt video data in transit, despite company assurances that consumer footage would remain private and secure.
The OAG’s investigation confirmed that, in certain circumstances:
video data was not protected by end-to-end encryption, leaving portions of the transmission unencrypted;
active video streams could be accessed without authentication if an individual had the correct URL;
some URLs could be determined without directly obtaining them from a user, increasing the risk of unauthorized access; and
the companies had not implemented sufficient security testing procedures, leading to undetected vulnerabilities.
Under the terms of the settlement, the companies must implement enhanced security measures including:
developing and maintaining a comprehensive information security program to protect consumer data;
implementing secure software development practices, including third-party security testing;
maintaining a vulnerability management program with regular penetration testing; and
enhancing encryption protocols for video storage and transmission.
This resolution highlights the importance of robust security measures for Internet-connected devices that store and transmit sensitive consumer data. Companies offering such products must ensure that their security practices align with industry standards and that their marketing claims accurately reflect their security capabilities.
I SPY!: Court Finds No Standing In Spy Pixels Case
Hi, CIPAWorld!
The District of Massachusetts just issued a huge win for the defendant in a spy pixels class action and dismissed the case altogether for lack of standing!
In Campos v. TJX Companies, Inc., No. 24-cv-11067, 2025 WL 360677 (D. Mass. Jan. 31, 2025), Plaintiff Campos filed a putative class action against Defendant TJX Companies (“TJX”), alleging that Plaintiff TJX embedded a “spy pixel” in its promotional emails which collected certain information about the email and its recipients, including the email address, the subject of the email, when it was opened and read, the recipient’s location, the length of time the recipient spent reading the email, whether it was forwarded or printed, the recipient’s email service, et cetera. Although Plaintiff conceded that she subscribed to TJX’s email list, she said that TJX nevertheless collected this information without her consent or the consent of other class members. Plaintiff claimed that this lack of consent formed the basis of TJX’s violation of the Arizona Telephone, Utility and Communication Service Records Act, which makes it a crime for a person to “[k]nowingly procure, … [a] communication service record of any resident of [Arizona] without the authorization of the customer to whom the record pertains or by fraudulent, deceptive or false means.” Id. at *1 (second and third alterations added).
In response, TJX filed, inter alia, a Rule 12(b)(1) motion to dismiss for lack of standing, arguing that the Plaintiff could not establish an injury-in-fact. To determine whether Plaintiff suffered an injury-in-fact based on a violation of privacy, as claimed here, the Court explained that there must be a “‘close relationship’ between, on one hand, Defendant’s alleged procurement of Plaintiff’s data relating to her opening of promotional emails and, on the other hand, a traditionally actionable harm under common law.” Id. at *3 (internal citation omitted).
The Plaintiff first likened her injuries to the tort of intrusion upon seclusion, which requires an intentional intrusion and one that “would be highly offensive to a reasonable person.” Id. The cause of action is aimed at protecting deeply personal, private, or confidential matters. The Court, however, wasn’t buying it:
Some of this information clearly does not implicate Plaintiff’s privacy or seclusion. For instance, Plaintiff’s email address was certainly not private, given that she provided it to Defendant when she consented to receive the promotional emails. Nor was there anything particularly privacy about the email’s subject or other content, as Defendant authored the email and therefore would have known the subject and content with or without the pixels and thus without any impact on any privacy interest asserted by Plaintiff.
Id. at *4 (emphasis added). While the Court found that the individualized data about whether, when, where, and for how long Plaintiff read TJX’s emails presented a closer question, the Court still found this distinguishable from the idea of covert surveillance. Specifically, it explained that “a glimpse into Plaintiff’s email inbox is a far cry from peeking into her upstairs window, particularly where she voluntarily subscribed to Defendant’s emails and where there is no allegation that the spy pixels intruded into any other private area of her email inbox or computer.” Id. (emphasis added).
In a footnote, the Court noted that “Plaintiff’s allegation that the spy pixel tracked whether the email was forwarded gives the Court some pause, as it comes the closes to tracking ‘unrelated personal messages.’” Id. at *6, n.3 (emphasis added). However, it dismissed this issue because Plaintiff did not allege that the pixels could track the recipient or the content of the forwarded message. Indeed, “the simple act of forwarding, without more, does not rise to the level of substantial intrusion into Plaintiff’s private affairs.” Id.
Plaintiff also attempted to liken her harm to other privacy statutes which give rise to standing, but to no avail. First, she analogized her harm to cases under the TCPA. The Court rejected this argument on the basis that plaintiffs in TCPA cases received unconsented to and unsolicited communication, whereas Plaintiff subscribed to TJX’s messages and frequently opened them. Second, it found that Plaintiff’s reliance on the Video Privacy Protection Act, which prohibits disclosure of an individual’s rental and sale records, was misplaced because Plaintiff did not allege any such disclosure. And finally, it found that the information protected by the Illinois Biometric Information Privacy Act—a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry—to be decidedly more personal than the information at issue in Plaintiff’s Complaint.
Accordingly, the Court dismissed Plaintiff’s complaint for lack of standing. Plaintiff’s allegations just didn’t cut it—without a concrete injury, there’s no standing, and without standing, there’s no case. This ruling reinforces that not every data collection claim fits within traditional privacy harms, especially when the user voluntarily engages with the service. It’s a significant win for defendants facing similar claims and one to keep an eye on moving forward.