Blockchain+ Bi-Weekly; Highlights of the Last Two Weeks in Web3 Law: March 27, 2025
The past two weeks brought some notable progress for the industry, though it still often feels like “regulation by lack of enforcement” rather than a truly proactive approach. The SEC clarified that most proof-of-work mining activities do not amount to securities transactions—a welcomed statement for miners but limited in scope. Meanwhile, Ripple announced a potential settlement that would end the SEC’s appeal, continuing a trend of non-fraud crypto cases winding down without generating long-term clarity. On Capitol Hill, the Senate’s markup of its own stablecoin act signals a significant step forward yet also highlights a lack of consensus necessary for any final bill. Finally, in a notable display of bipartisan alignment, both chambers of Congress overwhelmingly passed legislation overturning the IRS’s crypto broker reporting rules, demonstrating the possibility of constructive actions in areas where consensus can be reached.
These developments and a few other brief notes are discussed below.
SEC Clarifies That Most Proof-of-Work Mining Activities Are Not Securities Transactions: March 20, 2025
Background: The SEC’s Division of Corporation Finance released a statement clarifying its view that most proof-of-work (“PoW”) mining activities do not qualify as securities transactions under federal securities laws. The statement applies specifically to “Protocol Mining” activities involving “Covered Crypto Assets”, which are defined as crypto assets tied to the functioning of a public, permissionless PoW network. According to the release, whether through self-mining or pooled mining, miners perform the essential “work” themselves. Under the Howey test, one crucial element for a transaction to be deemed a security is that profits must flow primarily from the “managerial or entrepreneurial efforts of others.” Because PoW miners generate rewards by contributing their own computational power, the SEC concluded that these returns are not derived from someone else’s management. Thus, PoW mining generally fails this aspect of the Howey test, placing it outside the scope of federal securities laws.
Analysis: It’s important to note that releases like these do not create binding law and each set of facts can differ and may yield different legal results, which may make certain PoW mining fall outside of this safe-harbor-like guidance. Still, the statement signals that, under typical PoW mining arrangements, participants who merely contribute computational power to validate transactions and receive rewards likely do not cross into securities territory, including through pooling arrangements. This may allow more risk-averse entities to contribute compute to mining or provide services to mining pools, which only serves to strengthen network resilience and efficiency.
Ripple CEO Announces Pending Settlement With SEC: March 19, 2025
Background: Ripple has announced that the SEC will drop its appeal of the portion of the ruling against it in Ripple. This will bring an end to at least part of the case originally brought in 2020 during Jay Clayton’s term as Chairman of the SEC. This will still need to be approved at the next meeting of the commissioners, and it is unclear what this dismissal will entail. Representatives of Ripple have stated that they are evaluating what to do with their own cross-appeal relating to institutional investor sales. Still, there wouldn’t be an announcement like this if a deal was not in place, so now it is just a waiting game to see the details.
Analysis: Ripple was one of the few digital asset issuers from the ICO boom that had the resources to fully litigate against the SEC, and it has been doing so for half a decade. And litigate they did, with over 25 filings related to the “Hinman Speech” documents alone. Combined with the dismissal of the Coinbase matter and its pending appeal, there is still no binding precedent from higher courts on the applicability of the Howey test to digital assets.
Stablecoin Senate Markup Developments: March 13, 2025
Background: The Senate Banking Committee had a markup of the GENIUS Act, which is the Senate’s version of a stablecoin bill. Even before the markup and vote, there were some changes made due to bipartisan efforts to reach an agreement on how stablecoins should be registered and monitored in the U.S. The bill passed through committee on an 18-6 vote, with five Democrats (Warner-VA, Kim-NJ, Gallego-AZ, Rochester-DE and Alsobrooks-MD) voting in favor, meaning the 4 most junior Democrats on the committee (along with Warner) crossed party lines to vote in favor of the GENIUS Act.
Analysis: Senator Warren predictably tried to propose amendments that would have killed the viability of the bill (to the delight of traditional banks), but all those proposals failed. It can be expected there will be closed door work on the bill to address the concerns of Democrats who want some changes to the bill to help it receive as much bipartisan support as possible. The House is also working on its own bill, holding a hearing on stablecoins and CBDCs this week, and the Senate Banking Committee also passed a bill regarding debanking that went along party lines.
House Votes to Overturn IRS Crypto Broker Reporting Rules: March 11, 2025
Background: The House voted overwhelmingly in favor of repealing the IRS broker rule change, which was adopted in the final months of President Biden’s term, which would have made all self-custodial wallet providers, DeFi protocols and even arguably internet service providers themselves reporting entities for any digital asset transaction. The vote was 292-132 in the House and 70-28 in the Senate. It will go to the Senate again before being signed by President Trump, who has stated he intends to sign as soon as it hits his desk.
Analysis: The IRS broker rule, as finalized, was overly broad and aggressive, potentially capturing industry participants like self-hosted wallet providers, automated market makers, validators and possibly even ISPs. This might be a “played yourself” moment because some classes of entities in the digital asset space could logically be included as reporting entities under broker reporting rules. If the bill goes into law as expected, any such rule will need to come from Congress now.
Briefly Noted:
SEC Likely to Abandon Reg ATS Rule Changes for Crypto: Acting Sec Chair Mark Uyeda gave a speech saying he directed staff to kick the tires on (i.e., abandon) a proposed rule change that would expand the definition of an “exchange” in a way that might have looped in certain DeFi protocols and service providers.
Geofenced Airdrop Costs to Americans: Dragonfly released its State of Airdrops report for 2025, which shows that Americans missed out on as much as $2.6 billion in potential revenue (and the U.S. missed out on taxing that revenue) by policies that resulted in Americans being disqualified from those airdrops.
Leadership Changes at Crypto Policy Leaders: Amanda Tuminelli is taking over as CEO of industry advocacy group DeFi Education Fund. Meanwhile, Cody Carbone deserves congratulations on his recent promotion to CEO of the Digital Chamber. Those organizations are in great hands under their leadership.
Come in and Register: Now that crypto firms can actually have a dialog with the SEC without fear that opening the dialog will lead to investigations and hostile actions, a record number are filing for various approvals at the agency. Crazy how that works.
CFTC Withdraws Swap Exchange Letter: The CFTC withdrew its prior Staff Advisory Swap Execution Facility Registration Requirement which arguably required DeFi participants to register with the agency and which 3 DeFi platforms were charged with disobeying in 2023. This may signal an intent to ease the prosecution of decentralized platforms for failing to register as swap execution facilities.
OFAC Removes Tornado Cash Designations: In another huge industry development, OFAC has finally removed protocol addresses from its sanctions list, which is a huge win for software developers and privacy advocates everywhere.
SEC Hosts First Crypto Roundtable: The SEC’s first crypto roundtable is available to view. Not many major takeaways, but it’s good to see these conversations occurring in public forums. This is ahead of the expected SEC Chair Atkins’ hearing before the Senate.
Stablecoin Legislation Update: Ro Khanna (D-CA) said he believes stablecoin and market structure legislation gets done this year at the Digital Assets Summit on March 18, 2025, stating there are 70 to 80 Democrats in the House who view this as an important issue to maintain American dollar dominance and influence. Bo Hines also stated stablecoin legislation will get done in the next few months.
SEC Permits Some Rule 506(c) Self-Certification: Rule 506(c), which allows for sales of securities to accredited investors while using general advertising and solicitation, historically has required independent verification of accredited investor status, such as through getting broker letters or tax returns. In a new no-action letter, the SEC clarified that issuers can rely on self-certifications of accredited investor status as long as the minimum purchase price is high enough and certain other qualifications are met.
Conclusion:
Although not legally binding, the SEC’s acknowledgment that most proof-of-work mining activities are not securities transactions remains a welcomed development for the industry. Meanwhile, the potential conclusion of the SEC’s appeal against Ripple carries both positive and negative implications. On one hand, it suggests that the SEC may follow through on ending non-fraud crypto litigations; on the other, it underscores the ongoing uncertainty in crypto rulemaking absent further regulatory clarity. As the Senate and House each work through their own crypto bills and rules, legislative activity around digital assets is likely to remain robust in the near future.
China Releases New Rules Regarding the Use of Facial Recognition Technology
On March 21, 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly released the Security Management Measures for the Application of Facial Recognition Technology (the “Measures”), which will become effective on June 1, 2025. Below is a summary of the scope and certain of the key requirements of the Measures.
Scope of Application of the Measures
The Measures apply to activities using facial recognition technology to process facial information to identify an individual in China. However, the Measures do not apply to activities using facial recognition technology for research or algorithm training purposes in China.
Facial information refers to biometric information of facial features recorded electronically or by other means, relating to an identified or identifiable natural person, excluding information that has been anonymized.
Facial recognition technology refers to individual biometric recognition technology that uses facial information to identify an individual’s identity.
Specific Processing Requirements for Facial Recognition Technology
The Measures include specific processing requirements which must be complied with when activities are in scope of the Measures. These include:
Storage: The facial information should be stored in the facial recognition device and prohibited from external transmission through the Internet, unless the data handler obtains separate consent from the data subject or is otherwise permitted by applicable laws and regulations.
Privacy Impact Assessment (“PIA”): The data handler should conduct a PIA before processing the data.
Public Places: Facial recognition devices can be installed in public places, subject to the data handler establishing the necessity for maintenance of public security. The data handler shall reasonably determine the facial information collection area and display prominent warning signs.
Restriction: The data handler should not use facial recognition as the only verification method if there is any other technology that may accomplish the same purpose or meet the equivalent business requirements.
Filing Requirement: If the data handler processes facial information of more than 100,000 individuals through facial recognition technology, it should conduct a filing with the competent Cyberspace authority at the provincial level or higher within 30 business days upon reaching that threshold. The filing documents should include, amongst other things, basic information of the data handler, the purpose and method of processing facial information, the security protection measures taken, and a copy of the PIA. In cases of any substantial changes of the filed information, the filing shall be amended within 30 business days from the date of change. If the use of facial recognition technology is terminated, the data handler shall cancel the filing within 30 business days from the date of termination, and the facial information involved shall be processed in accordance with the law.
Mexico’s New Personal Data Protection Law: Considerations for Businesses
On March 20, 2025, Mexico’s new Federal Law on the Protection of Personal Data held by Private Parties (FLPPDPP) published in the Official Gazette of the Federation. Effective March 21, the new law replaces the FLPPDPP published in July 2010.
Among the key changes the decree and new FLPPDPP introduce is the dissolution of the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). Before the decree’s publication, INAI served as an autonomous regulatory and oversight authority for matters related to transparency, information access, and personal data protection. As of March 21, 2025, these responsibilities will be transferred to the Ministry of Anticorruption and Good Governance (Ministry), a governmental body reporting directly to the executive branch. The Ministry will now supervise, oversee, and regulate personal data protection matters.
Related to personal data protection, companies may wish to consider the following points when preparing to comply with the new FLPPDPP:
The definition of “personal data” is amended to remove the previous limitation to natural persons, expanding the scope to any identifiable individual—when their identity can be determined directly or indirectly through any information.
The law now requires that the data subject give consent “freely, specifically, and in an informed manner.”
Public access sources are now limited to those the law explicitly authorizes for consultation, provided no restrictions apply, and are only subject to the payment of the applicable consultation fee.
The scope of personal data processing expands to encompass “any operation or set of operations performed through manual or automated procedures applied to personal data, including collection, use, registration, organization, preservation, processing, communication, dissemination, storage, possession, access, handling, disclosure, transfer, or disposal of personal data.”
As a general rule, the data subject’s tacit consent is deemed sufficient for data processing, unless the law expressly requires obtaining prior explicit consent.
Regarding the privacy notice, the new FLPPDPP requires data controllers to specify the purposes of processing that require the data subject’s consent. Additionally, the express obligation to disclose data transfers the controller carries out is eliminated.
Resolutions the Ministry issues may be challenged through amparo proceedings before specialized judges and courts.
Takeaways
1.
Although this amendment does not introduce substantial changes with respect to the obligations of those responsible for processing personal data, companies should review their privacy notice and, if necessary, adjust it to the provisions of the FLPPDPP including, where appropriate, replacing references to the INAI.
2.
If any data protection proceedings were initiated before the INAI while the previous law was in effect, the provisions of the prior law will continue to govern such proceedings, with the exception that the Ministry will now handle them.
3.
The executive branch will have 90 days to issue the necessary amendments to the new FLPPDPP regulations. Companies should monitor for the amendments’ publication to identify changes that may impact their compliance obligations under the new law.
Read in Spanish/Leer en español.
SEC Staff Clarifies Stance on Crypto Mining
On March 20, 2025, the U.S. Securities and Exchange Commission took a step towards clarifying its position on crypto mining activities. In a recent statement, the SEC’s Division of Corporation Finance provided non-binding guidance on the application of federal securities laws to proof-of-work (PoW) mining activities, stating that such activities are beyond the SEC’s purview. This move aims to offer greater clarity to the market amidst ongoing regulatory uncertainties surrounding crypto assets.
The statement addresses crypto asset mining on public, permissionless networks using the PoW consensus mechanism. PoW mining involves using computational resources to validate transactions and add new blocks to a blockchain network. Miners are rewarded with newly minted crypto assets for their efforts.
The Division of Corporation Finance concluded that PoW mining activities do not involve the offer and sale of securities under the Securities Act or the Exchange Act, although it qualified its conclusion with footnoted statements indicating that any specific determination remains reliant on the facts and circumstances of a particular arrangement.
The statement applies the Howey test to determine whether general mining activities constitute investment contracts. The test evaluates whether there is an investment of money in an enterprise with a reasonable expectation of profits derived from others’ efforts. The SEC found that PoW mining does not meet these criteria, as miners rely on their own efforts to earn rewards. The statement further explained that combining computational resources in mining pools does not change the nature of the activity, as miners in pools still rely on their own efforts to earn rewards, not on others’ efforts. Therefore, participants in these activities do not need to register such transactions with the SEC under the Securities Act or fall within its exemptions.
Lone Democrat Commissioner Caroline Crenshaw expressed concerns about the statement, cautioning against interpreting it as a “wholesale exemption for mining.” She emphasized that the statement employs arguably circular reasoning, is non-binding, and that the SEC will continue to evaluate mining activities on a case-by-case basis. Crenshaw compared the mining statement to a previous statement on meme coins, which she believed was also misinterpreted as a broad exemption.
As the crypto industry continues to evolve, regulatory clarity remains crucial for fostering innovation while protecting investors. Crypto enthusiasts may believe the SEC’s latest statement is a step in the right direction, but market participants should remain vigilant and stay informed about ongoing regulatory developments.
Will Texas Become the First State to Enact a “Mini-CFIUS” Review Process?
On March 13, 2025, the Texas Legislature introduced HB 5007, which, if enacted, could establish the first US state regime tasked with screening foreign investments on national security grounds.[1]
To be sure, this is not the first attempt by Texas to regulate acquisitions by foreign buyers within the state. The Lone Star Infrastructure Protection Act[2] (LIPA), which took effect in June 2021, prohibits Texas businesses from contracting with entities owned or controlled by individuals from China, Russia, North Korea and Iran if the contracting relates to critical infrastructure.[3] In addition, many other states have passed legislation limiting certain foreign investments into agricultural land within their borders.[4] Others are debating similar legislation.
HB 5007 is wholly different. It calls for the formation of a Texas Committee on Foreign Investment (TCFI). Modeled on the federal government’s interagency Committee on Foreign Investment in the United States or CFIUS, TCFI would be comprised of representatives from various Texas state agencies and charged with overseeing the pre-closing review and regulation of foreign acquisitions effecting “critical infrastructure” in Texas, agricultural land in Texas, or the sensitive personal data of Texas residents.[5] Subject to a monetary threshold to be determined by the governor, such transactions would require notification to the Texas Attorney General at least 90 days before closing, with penalties for non-compliance of up to $50,000 per violation.
While there is still uncertainty on whether and when Texas may implement the TCFI, companies considering transactions not only in Texas, but in other states rapidly enacting similar laws, should make sure to perform the necessary due diligence to identify and comply with these regulations, and also build in adequate time for closing delays based on mandatory notification periods that may vary by state.
———————————————————
[1] TX HB5007, accessible at: https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB5007
[2] Lone Star Infrastructure Protection Act, 87th Leg., R.S., S.B. 2116 (codified as Tex. Bus. & Com. Code § 113.001, et seq.)
[3] LIPA defines critical infrastructure as: 1) communication infrastructure systems; 2) cybersecurity system; 3) electric grid; 4) hazardous waste treatment systems; and 5) water treatment facilities.
[4] https://nationalaglawcenter.org/state-compilations/aglandownership/
[5] “Critical infrastructure” is defined more broadly under HB 5007 than LIPA and includes, among other categories: critical manufacturing, dams, defense industrial bases, emergency services, communications facilities, energy, health care, food, financial services, information technology, transportation systems, nuclear materials, water systems, and government facilities.
China Releases Draft Implementation Measures for the Protection of Drug Trial Data Including Data Exclusivity for Foreign-Originated Drugs
On March 19, 2025, China’s National Medical Products Administration (NMPA) released Implementation Measures for the Protection of Drug Trial Data (Trial, Draft for Comments) (药品试验数据保护实施办法(试行,征求意见稿))and Working Procedures for the Protection of Drug Trial Data (Draft for Comments) (药品试验数据保护工作程序(征求意见稿)) that provides up to 6 years of data exclusivity of clinical trial data required to be submitted to the NMPA to prove safety and efficacy of a new drug to prevent generic drug manufacturers from relying on this data in their own applications. In contrast, the US generally provides 5 years of exclusivity. However, for foreign-originated drugs, the Chinese data protection period will be 6 years minus the time difference between the date on which the drug’s marketing authorization application in China is accepted and the date on which the drug first obtains marketing authorization overseas. Comments are due before May 18, 2025. The original documents as well as spreadsheets to submit comments are available here (Chinese only).
A translation of the Implementation Measures follows.
Article 1 (Purpose and Basis) These Measures are formulated in accordance with the Drug Administration Law of the People’s Republic of China, the Regulations for the Implementation of the Drug Administration Law of the People’s Republic of China, the Drug Registration Management Measures and other relevant regulations in order to encourage drug innovation and meet the public’s demand for medicines.
Article 2 (Management Mechanism) The State Drug Administration (hereinafter referred to as the NMPA ) is responsible for the protection of drug trial data (hereinafter referred to as data protection) and is responsible for establishing a data protection system and implementing management work in accordance with the principles of fairness, openness and impartiality.
The Drug Technical Review Center of the National Drug Administration (hereinafter referred to as the Drug Review Center) is responsible for the specific implementation of data protection.
Article 3 (Definition of Concepts) Data protection means that when drugs containing new chemical ingredients and other qualified drugs (see the attached table for details) are approved for marketing, the National Medical Products Administration shall protect the test data and other data submitted by the applicant that are obtained independently and not disclosed, and grant a data protection period of no more than 6 years.
During the data protection period, if other applicants apply for drug marketing authorization or supplementary application relying on the data in the preceding paragraph without the consent of the drug marketing authorization holder (hereinafter referred to as the holder), the National Medical Products Administration will not grant permission; unless other applicants obtain the data on their own.
During the data protection period, if other applicants submit drug registration applications using data obtained by themselves, their applications shall be approved if they meet the requirements and no longer be granted the data protection period, but the data shall not be relied upon by other subsequent applicants .
Article 4 (Conditions of protected data) Undisclosed trial data and other data refer to trial data in the complete application materials that are not disclosed in the application for drug marketing authorization for the first time in the country.
After a drug is approved, test data obtained when subsequent research work is completed in accordance with the requirements of the drug regulatory authorities will no longer be given new data protection.
Article 5 (Data Protection Related to Innovative Drugs) A six-year data protection period is granted for innovative drugs from the date of their first domestic marketing authorization.
If an original research drug that has been marketed overseas but not in China applies for marketing in China, the data protection period is 6 years minus the time difference between the date on which the drug’s marketing authorization application in China is accepted and the date on which the drug first obtains marketing authorization overseas. The data protection period is calculated from the date on which the drug obtains marketing authorization in China.
The scope of drug data protection in this clause includes all test data used in the drug marketing authorization application materials to prove the safety, efficacy and quality controllability of the drug.
For innovative drugs that have been approved for multiple indications but have the same approval number, each indication will be given data protection according to the registration category, and the scope of data protection for newly added indications will be the clinical trial data that support its marketing.
During the data protection period, the National Medical Products Administration will not approve the marketing application or supplementary application for improved new drugs, chemical generic drugs and biosimilar drugs submitted by other applicants without the consent of the holder, relying on the protected data of the holder , unless other applicants submit data obtained by themselves.
Article 6 (Protection of data related to improved new drugs) A three-year data protection period will be granted from the date of the first domestic marketing authorization for the improved new drug.
If a modified drug that has been marketed overseas but not in China applies for marketing in China, the data protection period is 3 years minus the time difference between the date on which the drug’s application for marketing authorization in China is accepted and the date on which the drug first obtains marketing authorization overseas. The data protection period is calculated from the date on which the drug obtains marketing authorization in China.
The scope of drug data protection in this clause includes new clinical trial data that demonstrates that the drug has significant clinical advantages over drugs with known active ingredients (marketed biological products), but does not include bioavailability, bioequivalence and immunogenicity data of vaccines.
During the data protection period, the National Medical Products Administration will not approve the marketing application or supplementary application for chemical generic drugs and biosimilar drugs submitted by other applicants without the holder’s consent and relying on the protected data of the holder , unless other applicants submit data obtained by themselves.
Article 7 (Data Protection Related to Generic Drugs) A three-year data protection period is granted to the first approved generic drugs (including drugs produced overseas) and biological products of original research drugs that have been marketed overseas but not in China. The data protection period is calculated from the date on which the generic drug or biological product obtains marketing authorization.
The scope of data protection for drugs in this clause includes necessary clinical trial data to support approval, but does not include bioavailability, bioequivalence and immunogenicity data of vaccines.
During the data protection period, the National Medical Products Administration will not approve the marketing application or supplementary application for chemical generic drugs and biosimilar drugs submitted by other applicants without the holder’s consent and relying on the protected data of the holder , unless other applicants submit data obtained by themselves.
Article 8 (Application and supporting documents) If the applicant intends to apply for data protection, he/she shall submit an application for data protection at the same time as submitting the application for drug marketing authorization. If there are any questions about data protection-related issues, he/she may apply for communication.
Article 9 (Technical Review) When conducting technical review of drug registration applications, the Center for Drug Evaluation shall confirm the scope and duration of data protection in accordance with the provisions of these Measures.
Article 10 (Granting of Protection Period and Publicity) For drugs that meet the data protection conditions, the National Medical Products Administration will mark the drug’s data protection information in the drug approval certificate.
The Center for Drug Evaluation has established a data protection column on its website to publish relevant information on drug data protection.
Article 11 (Acceptance, Review and Approval) After a drug obtains data protection, other applicants can submit drug marketing applications and supplementary applications that rely on the protected data within one year before the expiration of the data protection period . The Drug Evaluation Center will suspend the review time after completing the technical review, and the relevant drugs will be approved for marketing after the data protection period expires.
an applicant claims that the data was obtained independently when submitting a drug marketing application and a supplementary application , but it is discovered during the technical review process that the application relies on protected data of other applicants, the application will not be approved.
Article 12 (Termination of Data Protection) Data protection shall terminate if the drug approval document is revoked, suspended, or cancelled, if the holder voluntarily waives data protection, or in other circumstances prescribed by laws and regulations.
If data protection is terminated, the National Medical Products Administration will issue a notice on the termination of data protection, and the Drug Evaluation Center will update the relevant information in the data protection column based on the notice. From the date on which the National Medical Products Administration issues the notice on the termination of data protection, it can accept or approve drug registration applications submitted by other applicants that rely on the protected data.
Article 13 ( Incompliance with data protection information ) If, during the review process, it is found that the documents proving the first overseas marketing authorization for drugs submitted by the applicant in accordance with Articles 5 and 6 of these Measures do not match the actual situation , data protection will not be granted; if data protection has already been granted, the data protection will be cancelled.
Article 14 (Data Protection Procedure) The specific working procedures for data protection will be separately formulated by the Drug Evaluation Center.
Article 15 (Effective Date) This regulation shall come into force from now on.
Schedule 1
Chemical Drug Registration Classification and Data Protection Period
Classification
content
Data protection period
Category 1
Innovative drugs that have not been launched in the domestic or overseas markets.
6 years
Category 2
Improved new drugs that have not been marketed domestically or abroad.
3 years
Category 3
Domestic applicants copy original drugs that are marketed overseas but not in China.
3 years
Category 4
Domestic applicants copy original drugs that have been marketed domestically.
none
Category 5
Drugs that have been marketed overseas can apply for domestic marketing approval.
5.1
Original research drugs that have been marketed overseas apply for domestic marketing.
6 years – (domestic acceptance time – overseas listing time)
Improved drugs that have been marketed overseas may apply for domestic marketing approval.
3 years – (domestic acceptance time – overseas listing time)
5.2
Generic drugs that have been marketed overseas apply for domestic marketing.
3 years
Schedule 2
Registration classification and data protection period for preventive biological products
Classification
content
Data protection period
Category 1
Innovative vaccines
6 years
Category 2
Improved vaccines
3 years
Category 3
3.1 Application for listing of vaccines produced overseas and marketed overseas but not marketed domestically
6 years – (domestic acceptance time – overseas listing time)
3.2 Vaccines that have been marketed overseas but not in China can be produced and marketed in China
3 years
3.3 Vaccines already on the market in China
none
Massachusetts Court Denies Certification of Privacy Class Action for Failure to Meet Ascertainability Requirement
On February 14, 2025, in Therrien v. Hearst Television, Inc., the District of Massachusetts denied a motion for class certification due to the plaintiff’s failure to meet the implied ascertainability requirement of Rule 23. The court concluded that the named plaintiff’s claims for unlawful disclosure of personally identifiable information could not be maintained on a class-wide basis because the proposed method for identifying proposed class members was “administratively infeasible” and raised due process concerns.
Therrien’s Video Privacy Protection Act Claim Based on Geolocation Data
Charles Therrien brought this case on his own behalf and other similarly situated individuals against Hearst Television, Inc. (“HTV”) for allegedly unlawfully disclosing his personally identifiable information to third parties in violation of the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. The VPPA prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any of its consumers.
HTV is a news and weather broadcaster that offers mobile phone apps on which users can read articles and watch associated videos. The apps collect users’ geolocation data. To send push and email updates, HTV utilizes Braze, a third-party software-as-a-service-provider. Although users have the option to enable or disable sharing geolocation data, when it is enabled, users’ geolocation data is shared with Braze.
In addition, HTV also uses Google Ad Manager to send targeted advertisements to its apps’ users. Like Braze, if a user has enabled geolocation services, the geolocation data is shared with Google.
Thus, Therrien claimed that, because his geolocation data was shared with third parties, HTV violated the VPPA.
Therrien’s Proposed Class Definition of Mobile App Users
Therrien sought certification for this class action claim, for which he was required to establish the four threshold requirements of Rule 23(a) — numerosity, commonality, typicality, and adequacy — as well as the two additional prerequisites of Rule 23(b)(3) – predominance and superiority.
Although not one of the four threshold requirements of Rule 23(a), ascertainability is an implicit requirement that a plaintiff also must meet for class certification. Ascertainability requires that the class is “currently and readily identifiable based on objective criteria.” Additionally, the plaintiff’s proposed mechanism for determining class members must be both administratively feasible and protective of the defendant’s Seventh Amendment and due process rights.
To assess whether Therrien met the Rule 23 requirements, the court scrutinized the proposed class definition. In the present case, Therrien’s proposed class was defined as, “All persons in the United States that (i) downloaded one of the Class Apps onto their mobile phone, (ii) enabled location permissions for the Class App for at least 250 sessions over a period of at least one month, and (iii) watched at least ten (10) videos between May 5, 2021, and April 16, 2024 (the “Class Period”).”
Courts considering class definitions will often assess the way the definition has been drafted, but in this case, the court’s analysis did not turn on the drafting of the definition but on the validity of Therrien’s proposed mechanism for identifying class members.
Court’s Critique of Therrien’s Proposed Methodology and Denial of Certification
For purposes of identifying class members, Therrien aimed to rely on an expert witness’s methodology using geolocation data. This method would involve analyzing geolocation data points to generate names of mobile app users, followed by testimony from each user confirming that the information obtained belongs to them and is accurate.
The court highlighted that this method would be administratively infeasible and could potentially violate HTV’s due process rights, running afoul of In re Nexium Antitrust Litig. Expanding upon the infeasibility of this method, the court noted that, for addresses where there are multiunit apartment buildings with hundreds of occupants, geolocation points could not be used to identify specific unit numbers, and therefore specific users, of the HTV apps.
Thus, the generated user data could not be used to differentiate putative class members from other users, making it nearly impossible to provide notice of a pending class action. Applying the reasoning from In re Asacol Anitrust Litig., the court noted that the proposed process would likely result in thousands of class members waiting to provide testimony on individual issues, which would predominate over common ones.
Moreover, the court explained that, although affidavits may be sufficient for differentiating between individuals who were injured and who were not injured, testimony used as part of a party’s affirmative case cannot be used to certify a class, “without providing the defendant an opportunity to litigate its defenses.” Because the determination of whether HTV shared personally identifiable information with Braze and Google is an essential element of the VPPA claim, this information could not be used for the purpose of fulfilling the ascertainability requirement.
Based on the foregoing administrative hurdles and due process considerations, the court denied the motion for class certification.
The court’s analysis highlights the importance of a sound mechanism for identifying class members and the potency of an ascertainability challenge if defense counsel can effectively illustrate practical challenges for the court.
More than anything, this case makes clear that it would be imprudent for litigants to treat ascertainability as an afterthought in their Rule 23(a) analysis because, as the holding of this court illustrates, failing to meet ascertainability is fatal for class certification within the First Circuit.
Finally, the decision in Hearst Television highlights that venue can be outcome determinative in class action litigation, where there is a persistent circuit court split on whether a class representative must prove an administratively feasible method of identifying absent class members as a precondition for class certification under Rule 23, with the First Circuit aligned with the Third and Fourth Circuits and the Second, Sixth, Seventh, Eighth, Ninth, and Eleventh Circuits following a more permissive standard.
Until the Supreme Court speaks on this division that is ripe for review, litigants should continue to address ascertainability as a critical issue at the certification stage.
IMC ORDERED TO REPLY TO NATIONAL CONSUMER’S LEAGUE: Eleventh Circuit Appears to Be Proceeding with Caution in Challenge to FCC One-to-One Ruling
Day by day it seems the odds of the one-to-one rule being brought back from the dead steadily increase– even if the ruling is still VERY much dead for the time being.
With the additional scrutiny afforded by 28 AGs suddenly joining with the NCLC to “close the lead generation loophole” the pressure on the court is ramping up.
In the latest development, just minutes ago the court directed IMC to respond to an effort by several additional parties– including the NCL–to join the case.
IMC already responded to an effort by NCLC–that extra C matters!–but now they have to respond regarding the new parties as well.
The order reads:
Respondents are hereby DIRECTED to respond to the motion to intervene filed by the National Consumers League, Mark Schwanbeck, Micah Mobley, Christopher K. McNally, and Chuck Osborne. The response is due on Friday, April 4, 2025.
The order was entered by the clerk of the court “by direction”–meaning the judges wanted to hear more.
Very interesting.
We’ll keep an eye on it.
HOTLY LITIGATED: Pennsylvania Court Finds Plaintiff Implicitly Consented to Third-Party Tracking Software
A recent ruling in Popa v. Harriet Carter Gifts, Inc. (W.D. Pa. March 24, 2025) has reaffirmed the role of privacy policies in establishing user consent for online tracking. After being remanded by the Third Circuit, the Pennsylvania District Court considered a motion for summary judgement focused solely on the issue of whether the plaintiff consented to alleged interception of her data under Pennsylvania’s Wiretap Act. Applying the reasonable person standard, the Court ruled that Popa had constructive notice of the website’s privacy policy – contained in a browsewrap agreement – and therefore consented to the use of tracking software.
The Allegations
Plaintiff Ashley Popa brought a class action against Harriet Carter Gifts, Inc. and NaviStone, Inc. alleging that they violated the Pennsylvania Wiretapping and Electronic Surveillance Control Act of 1978 (“WESCA”) by unlawfully intercepting her data while she shopped on Harriet Carter’s website (the “Website”).
WESCA prohibits the interception of electronic communications without the prior consent of all parties to the communication.
The Privacy Policy
The Website had a privacy policy hyperlinked in its footer, which both parties and their experts agreed was a common practice for commercial websites. Interestingly, the parties also agreed that in 2018, it would have been a “reasonable conclusion” for a company to believe that it ought to present the privacy policy in this manner. The hyperlink was labelled “Privacy Statement” and was in white font against a blue background.
Harriet Carter’s privacy policy broadly addressed its data collection and use practices: it stated that Harriet Carter collected customer information (without addressing what information) and explained that cookies were used to keep track of shopping carts and deliver targeted content.
In a separate section titled “Who Else Has Access to the Information I provide to Harriet Carter.com?” the policy also addressed third party access to customer information through use of a cookie or pixel tag – which Harriet Carter deemed “industry standard technology”. The policy noted that no personally identifiable information would be collected through this process, but third parties may pool the information from Harriet Carter’s website with other sources of information that could include the customer’s name and mailing address.
Popa testified that she had never reviewed Harriet Carter’s privacy policy.
The Motions
In 2020, the Defendants filed a motion for summary judgement which was granted by the District Court. The Court held that there was no interception under WESCA because NaviStone, which operated the program that caused the alleged interception, was a direct party to the communications and because the alleged interception occurred outside Pennsylvania and was therefore outside the scope of WESCA. Following an appeal by Popa, the Third Circuit Court of Appeals reversed, holding that there is no sweeping direct-party exception under WESCA and that there was a genuine issue of material fact as to where the interception occurred.
The Third Circuit also noted that the issue of whether Harriet Carter posted a privacy policy and the sufficiency of the privacy policy was not addressed by the District Court and remanded this issue to the Court.
On remand, Defendants filed a second motion for summary judgement, focusing solely on the issue of consent and contending that Popa was on constructive notice of Harriet Carter’s privacy policy and therefore consented to the communications being recorded as described therein.
The Court’s Analysis
In its analysis, the Court noted the objective standard to interpret the consent provisions of WESCA – whether a reasonably prudent person can be deemed to have consented under the circumstances. The Court looked to the decision in Commonwealth v. Byrd, where the Pennsylvania Supreme Court held that actual knowledge that communications may be recorded is not required to satisfy the consent requirement under WESCA.
Notably, the Court took into consideration the ubiquitous use of tracking technologies on the internet and stated that, “when determining whether a reasonable person can be deemed to consent to an interception under WESCA, it must be mindful of the reality of internet communication.” Therefore, it held that while the nature of the internet does not confer blanket implied consent to interception under WESCA, “a reasonably prudent person has a lower expectation of privacy on the internet” than on other technologies (like telephones) which do not use cookies, algorithms, and trackers.
“[A] reasonably prudent person has a lower expectation of privacy on the internet“
Next, the Court considered the scope of Harriet Carter’s privacy policy, looking specifically at whether a reasonable person could have been alerted that third parties, like NaviStone, may access information about consumers’ activities on the Website. The Court answered affirmatively – the privacy policy made clear that the Website used tracking cookies, and that Harriet Carter may share information about users’ activities with third parties. The Court also rejected Popa’s argument that privacy policy was insufficient because it did not contain details about the identity of the third parties or the specific type of cookies used, holding that such “granular details” were immaterial because WESCA focuses on the event of interception rather than the specific means of thereof.
Lastly, the Court considered whether Popa consented to NaviStone’s tracking on the Website. The central question here was not whether Popa had actual knowledge of the alleged interceptions (the record established that Popa never reviewed the privacy policy), but rather, whether a reasonable person in her position could have known of the disclosures in the privacy policy. The Court acknowledged that privacy policy on the Website was in the form of a “browsewrap agreement”, which does not require a user to click or take any affirmative action to consent to its terms. While such agreements are routinely enforced when a user has actual notice, in the absence of actual knowledge the court must look to the visibility and accessibility of the browsewrap agreement to determine whether it placed a user on inquiry notice of its terms.
The Court held that the privacy policy on Harriet Carter’s website was reasonably conspicuous based on the appearance and layout of the Website: it was labelled “Privacy Statement”, located at the center and bottom of each page, the hyperlink was in white font contrasting against a blue background, and a link to the policy could also be found in a drop-down menu on the left side of the website. These factors led the Court to find that a reasonable person in Popa’s position had constructive notice of the terms in the privacy policy, and that Popa constructively consented to the interception described in the policy. Therefore, there was no violation of WESCA.
Popa’ s contention that the presence of NaviStone’s program meant that merely visiting Harriet Carter’s website would give rise to an interception before a reasonable user had a chance to view the privacy policy was rejected. The Court analogized to someone hanging up a phone call after hearing a disclosure that the call was being recorded – there would be no interception under WESCA because WESCA only applies to “contents” of communications. Similarly, to the extent that Popa was concerned about privacy, she could have immediately reviewed the privacy policy and, if concerned, left the page, and this would not lead to the interception of “content” under WESCA.
Takeaways
Though based on a state statute, this ruling signifies a shift in the hotly litigated arena of website tracking software.
For businesses, Popa may offer some respite – while explicit clickwrap agreements remain the gold standard, this case suggests that browsewrap agreements may still hold up in court if they are reasonably conspicuous and sufficiently disclose the use of third party tracking software. As digital privacy law continues to evolve, courts are likely to place greater emphasis on reasonable user expectations, meaning online users may need to be more proactive in understanding how their data is being collected.
Perhaps most interestingly, the Pennsylvania District Court’s willingness to acknowledge the widespread (maybe even indispensable) use of cookies and trackers demonstrates a growing understanding of the “reality of internet communication”. It will be interesting to see whether a similar approach is adopted by courts states such as California, with its particularly stringent privacy laws.
HUMANA IN TROUBLE?: Company Seems to be On The Ropes in TCPA Class Action After Court Refuses to Strike Plaintiff’s Expert
So Anya Verkhovskaya is a nice enough lady.
I deposed her not long ago in connection with a case in which we just defeated certification literally yesterday.
But Humana is seemingly not going to be so lucky–although it is too early to tell.
In Elliot v. Humana, 2025 WL 897543 (W.D. Ky March 24, 2025) Humana moved to disqualify Anya arguing her methodology for identifying class members was not sound.
Her methodology boiled down to the following per the court’s ruling:
(1) Taking a list of phone numbers—identified by Humana’s own records—that received prerecorded calls from Humana but had told Humana that it had the wrong number;
(2) Confirming whether each number is assigned to a cellular telephone using third-party data processors to identify the names of all users associated with those phone numbers;
(3) Employing a historical reverse lookup process to retrieve related data associated with those users/phone numbers;
(4) Obtaining telephone carrier data to filter subscriber information (such as names, addresses, email addresses, subscription dates, and other plan-related information);
(5) Cross-referencing reverse lookup data against bulk telephone carrier data, obtained by carrier subpoena, to identify discrepancies; and
(6) Implementing a notice campaign using mail and email address information.
Ok.
Pretty low impact stuff. I probably would have recommended a rebuttal report (probably)– but I certainly would not wasted time with a Daubert motion here. (If you’re hoping to defeat certification by challenging the notice plan I’ve got news for you– you’re in trouble.)
So it looks like Humana may be in trouble.
The Court looked at Anya’s methodology and found no fault, which is sort of unsurprising because its kind of a straightforward process.
Now court’s have (rightly) rejected Anya’s reports in other cases where she makes a bunch of typos and offers opinions like “I just relied on somebody else to perform a scrub and assume their records were accurate and they did it right.”
Yeah, that’s not going to hold up.
But a process for identifying class members that is essentially just “find cell phone numbers in a file, send subpoenas, wait for results, send emails” is… well, child’s play.
Again, however, that SHOULDN’T be the focus of Humana’s efforts here. But… we’ll just have to wait and see how the bigger battle over certification turns out.
2024 Trends in First Circuit Class Actions
We are pleased to present our final 2024 update to the New England and First Circuit Class Action Tracker, which focuses on class action filings in state and federal courts within the boundaries of the First Circuit in New England.
In 2024, there were 444 total state and federal filings, representing a sustained trend of increased class action filings, and exceeding pre-pandemic levels for the first time. If this trend continues into 2025, historical high points for class action filings in New England may soon become the norm.
Cybersecurity and Data Privacy Litigation Continues to Grow
Federal class action cases in New England reflect a continued onslaught of cybersecurity and data privacy litigation arising from data breaches and the alleged unauthorized disclosure and/or use of consumer information, including TCPA claims.
The most asserted theories underlying data security and privacy class action claims were the exposure of personally identifiable information in a data breach and the receipt of unsolicited telephone calls and text messages.
The vast majority of these cases filed in federal courts have targeted professional services, health care, and retail/manufacturing industries, but there were also a significant number of filings targeting defendants in the technology and biotech/pharma services industries.
These record levels of federal cybersecurity and privacy litigation filings in New England are remarkable, because our totals do not include cases that were transferred and consolidated into the lead case In re: MOVEit Customer Data Security Breach Litigation (1:23-md-03083) pursuant to the transfer order from the Judicial Panel on Multidistrict Litigation dated October 4, 2023 transferring all listed actions to the District of Massachusetts and assigning them to Judge Allison D. Burroughs for consolidated pretrial proceedings.
In 2024 alone, 93 new cases were filed in connection with that multidistrict litigation and are not counted among the 213 federal district court filings in the District of Massachusetts in 2024.
Also notable, but not captured in our 2024 filing totals, is the removal of many previously filed wiretap class actions from Massachusetts state superior court to the District of Massachusetts in late 2024, following the Massachusetts Supreme Judicial Court’s ruling in Vita v. New England Baptist Hospital et al, SJC-13542.
If state court removals and multidistrict litigation filings had been included in our tabulation of cybersecurity and data privacy class actions in 2024, already notable high filing levels would have skyrocketed even more dramatically.
Most Federal Cases Filed in Massachusetts District Courts
The overwhelming majority of federal class action cases in New England filed in 2024—nearly 80%—were filed in the District of Massachusetts, followed by the District of Rhode Island, the District of Maine, and the lowest levels of filings in the District of New Hampshire. This trend is consistent with prior years.
Securities and Antitrust Filings Up Year Over Year
Securities class action filings have increased by 50%, and antitrust class action complaints have nearly doubled over prior years, marking two very active areas of litigation. Securities filings increased most prominently in the District of Massachusetts, while antitrust class action cases rose primarily in the District of Rhode Island.
Industries Targeted are Consistent with Prior Years
As in prior years, the financial/professional services, manufacturing/retail, health care, technology, and pharmaceutical/biotechnology industries continued to be the most frequent targets of class action complaints in the First Circuit throughout 2024.
2025 Likely to Continue as Record Year for Class Action Filings
With 2024 filings at their highest level in years, we expect the class action boom in the First Circuit to continue, along with the trend of class actions against health care and technology industry defendants. As these trends continue, we see the evolution to include the addition of financial, legal, and educational institution defendants. We will continue to monitor these developments as 2025 progresses.
Oregon’s Privacy Law: Six Month Update, With Six Months to End of Cure Period
Oregon’s Attorney General released a new report this month, summarizing the outcomes since Oregon’s “comprehensive” privacy law took effect six months ago. A six-month report isn’t new: Connecticut released a six month report in February of last year to assess how consumers and businesses were responding to its privacy law.
The report summarizes business obligations under the law, and highlights differences between the Oregon law and other, similar state laws. It also summarizes the education and outreach efforts conducted by the state’s Department of Justice. This includes a “living document” set of FAQs answering questions about the law. The report also summarizes the 110 consumer complaints received to-date, and enforcement the Privacy Unit has taken since the law went into effect. On the enforcement side, Oregon reports that it has initiated and closed 21 privacy enforcement matters, with companies taking prompt steps to cure the issues raised.
As a reminder, these actions are being brought during the law’s “cure” period, which gives companies a 30-day period to fix violations after receiving the Privacy Unit’s notice. The Oregon cure provision sunsets on January 1, 2026. Other states with a cure period are Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Tennessee, Texas, Utah, Virginia. (Of these, Minnesota, New Hampshire, New Jersey, Oregon, Delaware, Maryland, and Montana will expire, with varying expiration dates between December 31, 2025 (Delaware) and April 1, 2027 (Maryland). Those without or where the cure period has expired are California, Colorado, Connecticut, and Rhode Island. For an overview of US state “comprehensive” privacy laws, visit our tracker.
Common business deficiencies identified by Oregon in the enforcement notices included:
Disclosure issues: This included not giving consumers a notice of their rights under the law.Also, of concern, has been insufficiently informing Oregon consumers about their rights under the law, specifically the list of third parties to whom their data has been sold.
Confusing privacy notices: By way of example, Oregon pointed to -as confusing- notices that name some states in the “your state rights” section of the privacy policy, but not specifically name Oregon. This, the report posits, gives consumers the impression that privacy rights are only available to people who live in those named states.
Lacking or burdensome rights mechanisms: In other words, not including a clear and conspicuous link to a webpage enabling consumers to opt out, request their privacy rights, or inappropriately difficult authentication requirements.
Putting it into Practice: This report is a reminder to companies to look at their disclosures around consumer rights. It also sets out the state’s expectations around drafting notices that are “clear” and “accessible” to the “average consumer.” Companies have six months before the cure period in Oregon sunsets.