Telecom Alert: 6th Circuit Net Neutrality Decision; Updated Application Fees; January Open Meeting; Rip and Replace Funding; RMD Filing Requirements [Volume XXII, Issue 2]

6th Circuit Overturns Net Neutrality Order
The 6th Circuit issued an opinion on January 2nd rejecting FCC arguments to uphold its statutory authority to impose net-neutrality policies and declaring that commercial broadband providers are not “telecommunications services” subject to Title II regulations under the Communications Act. The Court, relying on “the traditional tools of statutory construction,” instead classified broadband providers as offering an “information service,” which escapes common-carrier regulation. The Court also rejected the once long-standing deference to the FCC’s technical and policy expertise under the Chevron doctrine, citing the recent Loper Bright decision, which permits courts to use their own judgment to interpret laws.
FCC Announces 2025 Application Fee Schedule
The FCC adopted rule changes to its Schedule of Application Fees at the end of the year to reflect Consumer Price Index (CPI) changes in even-numbered years. Commissioner Carr noted that the CPI increased by 17.41% since the last adjustment in 2022, which in part was related to rising inflation. While the rule changes do not implement proposed fee alterations in open rulemakings, the Order raised fees for Section 214 authorizations and cable landing licenses, wireless and experimental licensing, among other applications. 
FCC Announces January Open Meeting
FCC Chairwoman Rosenworcel announced the Commission will hold an Open Meeting on January 15, 2025. In contrast to past meetings, the upcoming Open Meeting will have four panels attended by different bureaus, each providing summaries on their accomplishments over the past administration, as well as goals for the future. Topics from the bureaus will include expanding connectivity and access, competition in the marketplace, national security and public safety initiatives, and the future of communications. 
FCC Proposes Auction Rules to Fund Rip and Replace Program
Following the passage of the National Defense Authorization Act, the FCC now has authority to fully fund its Rip and Replace Program, designed to reimburse companies for replacing equipment and services manufactured by entities deemed threats to national security. Within the NDAA, the Spectrum and Secure Technology and Innovation Act allows the FCC to borrow up to $3.08 billion to fund the program. To repay the borrowed funds, Chairwoman Rosenworcel hopes the Commission will expedite consideration of a Notice of Proposed Rulemaking updating the competitive bidding rules for the AWS-3 spectrum bands, whose proceeds will be directed to the Rip and Replace Program. 
FCC Adopts New Filing Requirements for Robocall Mitigation Database
In efforts to combat illegal robocalls on voice service provider networks, the FCC has adopted new filing requirements for providers on its Robocall Mitigation Database (RMD). The RMD is an extensive public database which tracks provider compliance with STIR/SHAKEN and robocall mitigation rules. The new rules now require providers to annually re-certify the accuracy of their mitigation plans and pay a $100 filing fee. Additionally, a new reporting mechanism for deficient filings as well as enhanced two-factor authentication will be implemented and managed by the Wireline Competition Bureau.
Casey Lide, Thomas B. Magee, Tracy P. Marshall, Sean A. Stokes, and Wesley K. Wright also contributed to this article.

WRONG PERSON: Arbitration Denied in TCPA Suit As Camping World Looks to Have Texted a Reassigned Number– But Why?

Another day, another difficult TCPA ruling involving an online webform submission.
This time arbitration was denied in a putative TCPA class action arising out of a webform submission on campingworld.com.
In Conrad v. Camping World Holdings, 2025 WL 66689 (N.D. Al. Jan. 9, 2025), the defendant moved to compel arbitration, contending Plaintiff had signed up for a recurring text program on its website, supplied his phone number, and agreed to arbitration in the process.
Just one little problem: the Plaintiff claims he did not even own the phone number at the time the form was submitted. So, in his view, it would be impossible for him to have filled out the form.
The Court agreed and determined that, given Camping World’s lack of evidence that Conrad himself filled out the form, arbitration must be denied. (This also means any consent disclosure on the website would not apply to Plaintiff!)
Conrad once again highlights the trouble with online web submissions: you never really know who is filling out the form. But the Camping World flow apparently did not collect the name of the submitting party, relying instead on a double opt-in to assure TCPA compliance. That is a somewhat risky maneuver.
The real risk, however, is in reassigned numbers. The number was subscribed to the text program in 2022, but plaintiff received the texts after he obtained the number in September 2023. This suggests to me the number changed hands and the texts went to the wrong number.
The simple way to avoid such issues is just to use the FCC’s reassigned numbers database!
If you are sending text messages on a recurring basis to numbers you obtained more than 90 days ago you simply must be using this database to avoid inevitable TCPA risk when numbers change hands.

SEC Priorities for 2025: What Investment Advisers Should Know

The US Securities and Exchange Commission (SEC) recently released its priorities for 2025. As in recent years, the SEC is focusing on fiduciary duties and the development of compliance programs as well as emerging risk areas such as cybersecurity and artificial intelligence (AI). This alert details the key areas of focus for investment advisers.

1. Fiduciary Duties Standards of Conduct
The Investment Advisers Act of 1940 (Advisers Act) established that all investment advisers owe their clients the duties of care and loyalty. In 2025, the SEC will focus on whether investment advice to clients satisfies an investment adviser’s fiduciary obligations, particularly in relation to (1) high-cost products, (2) unconventional investments, (3) illiquid assets, (4) assets that are difficult to value, (5) assets that are sensitive to heightened interest rates and market conditions, and (6) conflicts of interest.
For investment advisers who are dual registrants or affiliated with broker-dealers, the SEC will focus on reviewing (1) whether investment advice is suitable for a client’s advisory accounts, (2) disclosures regarding recommendations, (3) account selection practices, and (4) disclosures regarding conflicts of interest.
2. Effectiveness of Advisers’ Compliance Programs
The Compliance Rule, Rule 206(4)-7, under the Advisers Act requires investment advisers to (1) implement written policies reasonably designed to prevent violations of the Advisers Act, (2) designate a Chief Compliance Officer, and (3) annually review such policies for adequacy and effectiveness.
In 2025, the SEC will focus on a variety of topics related to the Compliance Rule, including marketing, valuation, trading, investment management, disclosure, filings, and custody, as well as the effectiveness of annual reviews.
Among its top priorities is evaluating whether compliance policies and procedures are reasonably designed to prevent conflicts of interest. Such examination may include a focus on (1) fiduciary obligations related to outsourcing investment selection and management, (2) alternative sources of revenue or benefits received by advisers, and (3) fee calculations and disclosure.
Review under the Compliance Rule is fact-specific, meaning it will vary depending on each adviser’s practices and products. For example, advisers who utilize AI for management, trading, marketing, and compliance will be evaluated to determine the effectiveness of compliance programs related to the use of AI. The SEC may also focus more on advisers with clients that invest in difficult-to-value assets.
3. Examinations of Private Fund Advisers
The SEC will continue to focus on advisers to private funds, which constitute a significant portion of SEC-registered advisers. Specifically, the SEC will prioritize reviewing:

Disclosures to determine whether they are consistent with actual practices.
Fiduciary duties during volatile markets.
Exposure to interest rate fluctuations.
Calculations and allocations of fees and expenses.
Disclosures related to conflicts of interest and investment risks.
Compliance with recently adopted or amended SEC rules, such as Form PF (previously discussed here).

4. Never Examined Advisers, Recently Registered Advisers, and Advisers Not Recently Examined
Finally, the SEC will continue to prioritize recently registered advisers, advisers not examined recently, and advisers who have never been examined.
Key Takeaways
Investment advisers can expect SEC examinations in 2025 to focus heavily on fiduciary duties, compliance programs, and conflicts of interest. As such, advisers should review their policies and procedures related to fiduciary duties and conflicts of interest and evaluate the effectiveness of their compliance programs.

Game On: How the CFPB’s EFTA and Regulation E Changes Could Shape Video Game and Online Marketplace Transactions

The Electronic Fund Transfer Act (EFTA) and Regulation E apply to an electronic fund transfer (EFT) that authorizes a “financial institution” to debit or credit a consumer’s account. While a “financial institution” traditionally refers to a bank, credit union, or savings association, it is well established that “financial institutions” can also include non-bank entities that directly or indirectly hold an account belonging to a consumer, or that issue an access device and agree with a consumer to provide EFT services. Prepaid accounts and “other consumer asset accounts” into which funds can be deposited by or on behalf of the consumer and which have features of deposit or savings accounts, also meet Regulation E’s definition of “account.” Some video game accounts used to purchase virtual items from multiple game developers or players may fall under the definition of “other consumer asset accounts.”
In April 2024, the Consumer Financial Protection Bureau (CFPB) issued a report on the banking and payment services becoming more prevalent in gaming and virtual worlds where consumers spend billions of dollars annually to purchase gaming assets—often by converting U.S. dollars to virtual currencies. The report raised concerns about consumer protections and the uncertain allocation of responsibility for errors or fraud when a customer’s digital currency or assets are lost through hacking, account theft, scams, or unauthorized transactions.
Recent Developments
Following that report, on January 10, 2025, the CFPB issued a proposed interpretive rule that aims to expand the scope of Regulation E’s coverage to video game platforms that hold consumers’ money for personal, family, or household use and treat those game platforms as if they are account holders just like a bank or credit union for Regulation E purposes.
The interpretive rule expands on what constitutes an EFT, particularly for new payment methods such as peer-to-peer payment platforms and digital wallets. This expansion includes transfers initiated through apps and payment systems tied to consumer accounts. The key is whether the funds act like or are used like money, such that they are accepted as a medium of exchange, a measure of value, or a means of payment.
The interpretive rule would also clarify that video game companies operating online marketplaces or otherwise facilitating EFTs would be subject to the consumer protection provisions under Regulation E, namely investigation and error resolution obligations. Additionally, the interpretive rule would require a video game company to disclose the terms and conditions of EFT services.
Next Steps
The CFPB is soliciting comments from the gaming community for this proposed interpretive rule, which must be sent via email to [email protected] on or before March 31, 2025.

7 Practical Tips for Preparing for the 2025 Annual Report and Proxy Season

As the 2025 proxy season approaches, public companies must gear up for an environment shaped by evolving regulations, investor expectations, and governance trends. To ensure your company is well-prepared, here are some practical tips to keep in mind:
1) Dust Off the Proxy Season Calendar and Confirm Filer Status
Start your preparations by revisiting your proxy season timeline. Ensure you know your key deadlines for Securities and Exchange Commission (SEC) filings, including the Form 10-K/20-F, proxy statement, and annual meeting. Check your filer status (e.g., large accelerated, accelerated, non-accelerated) to confirm applicable deadlines and determine whether any recent status changes affect your compliance requirements.
2) Be Aware of New SEC Disclosure Obligations
The SEC has introduced several new disclosure obligations for 2025. Among others, there are two key changes to note:

Insider Trading Policies and Procedures.

Narrative Disclosure – Item 408(b) of Regulation S-K requires a company to disclose whether it has adopted policies or procedures governing purchases, sales, or other dispositions of its securities by directors, officers, and employees or by the issuer itself and, if not, why it has not done so. 
Exhibit Filing – Any insider trading policy must be filed as Exhibit 19 to the 2024 Form 10-K. If the company’s code of ethics includes such a policy, a separate exhibit filing is not required. (A similar disclosure requirement applies under Item 16J of Form 20-F.)

Option Award Granting Policies and Procedures (Item 402(x) of Regulation S-K):

Narrative Disclosure – Under new Item 402(x), a company must provide narrative disclosure discussing its policies and practices regarding the timing of awards of stock options, stock appreciation rights (SARs) and similar option-like instruments in relation to the disclosure of material nonpublic information (MNPI), including how the board determines when to grant these awards. In addition, a company must disclose whether the board or compensation committee takes MNPI into account when determining the timing and terms of applicable awards, and, if so, how and whether the company has timed the disclosure of MNPI for the purpose of affecting the value of executive compensation.
Potential New Tabular Disclosure – New Item 402(x) also requires detailed tabular disclosure if, during the last completed fiscal year, stock options, SARs or similar option-like instruments were awarded to a named executive officer (NEO) within a period starting four business days before and ending one business day after the filing of a Form 10-K or 10-Q, or the filing or furnishing of a Current Report on Form 8-K that discloses MNPI (including earnings information).

3) Revisit Cybersecurity Disclosure in Light of SEC Comment Letters and Trends
On July 26, 2023, the SEC adopted final rules requiring (i) the disclosure of material cybersecurity incidents in Form 8-K, and (ii) new cybersecurity risk management, strategy, and governance disclosures in Form 10-K and 20-F. All public companies were required to comply with these disclosure requirements for the first time beginning with their annual reports on Form 10-K or 20-F for the fiscal year ending on or after Dec. 15, 2023. As a result, calendar fiscal year companies included these disclosures for the first time in their respective annual report filings last annual reporting cycle.
With the passage of time, we are beginning to see SEC comment letters issued on filings related to the new cybersecurity disclosure rules. We believe it is prudent to be familiar with these comment letter trends to assess whether any improvements might apply to a company’s first-year disclosures.
Here is an SEC comment exchange related to a company’s Item 1C cybersecurity disclosures (with the SEC comment in bold and the response following):
“We note your senior leadership team consisting of your CEO and his direct reports (SLT) is responsible for setting the tone for strategic growth, effective operations and risk mitigation at the management level, as well as, the overall managerial responsibility for confirming that the information security program functions in a manner that meets the needs of Equifax. We also note that you described the relevant expertise of your CISO but not of the other members of the SLT. Please revise future filings to discuss the relevant expertise of such members of senior management as required by Item 106(c)(2)(i) of Regulation S-K.
We respectfully acknowledge the Staff’s comment above. While our senior leadership team (“SLT”) has responsibility for risk management at the managerial level and overall managerial responsibility for the various programs of the Company, including information security, our Chief Information Security Officer (“CISO”) is the management position responsible for assessing and managing material risks from cybersecurity threats under Item 106(c)(2)(i) of Regulation S-K. In future filings, we will clarify that the CISO is the management position responsible for assessing and managing material risks from cybersecurity threats.”
It appears the SEC staff accepted the reporting person’s explanation in the above-referenced exchange, as there were no follow-up letters made public. A link to the actual letter is here.
4) Be Aware of Proxy Advisory and Institutional Shareholder Policy Updates
Both Glass Lewis and ISS have updated their guidelines for 2025, which take effect for meetings held after Jan. 1, 2025 for Glass Lewis and on or after Feb. 1, 2025 for ISS. Below are a few key takeaways from their updates:

Board Oversight of AI

Given the rise in the use of artificial intelligence (AI), Glass Lewis has noted the importance of boards’ awareness of and policies surrounding the use of such technologies and the potential associated risks. If the company has not suffered any material incidents related to its use or management of AI, Glass Lewis will generally not make voting recommendations on the basis of its oversight of AI-related issues, but if there has been a material incident, Glass Lewis will review the company’s AI-related policies to ensure sufficient oversight and adequate response to such incidents and may recommend against certain directors in light thereof.

Defensive Profile and Reincorporation.

Glass Lewis revised its stance on reincorporating the company in different states to clarify that it will take these on a case-by-case basis, depending on the shareholder rights, financial benefits, and other corporate governance provisions of the laws of the state or country of reincorporation.
ISS votes case by case when it comes to poison pills with a term of one year or less, but this year it added several factors to its list of items it takes into consideration, including the context in which the pill was adopted and the company’s overall track record regarding corporate governance. This allows for a more holistic approach in ISS’s evaluation.

Executive Compensation.

In the aftermath of the first full year of pay versus performance disclosures, Glass Lewis has clarified it will continue to evaluate executive compensation programs holistically and not in accordance with a predetermined scorecard. While there are some factors that may lead to a recommendation against or for a say-on-pay vote, Glass Lewis said it will evaluate each program in the context of its whole, rather than its parts.

Board Responsiveness to Shareholders.

Both advisors included discussion about the board’s willingness and ability to respond to shareholders in their updates for this year. Glass Lewis has added to its discussion on board responsiveness a recommendation that shareholder proposals that received significant support but did not pass (generally more than 30 percent but less than a majority) should elicit board engagement with shareholders to address the issue, followed by disclosure of those efforts. Additionally, in its evaluation of whether to recommend a vote for or against a short-term poison pill, ISS states it will include the board’s responsiveness to shareholders in its review of the company’s corporate governance practices.

Expansion of Environmental Focus.

ISS revised its guidance on what used to be its section on general environmental and community impact proposals to include all natural capital-related matters. This includes topics like biodiversity, deforestation and related ecosystem loss, and other areas grouped under the theme “natural capital.”

SPACs

ISS revised its stance on proposals for special purpose acquisition companies (SPAC) extensions from a case-by-case model with a variety of factors at play, including length of the request, prior requests for extension, and acquisition transactions pending in the pipeline, to a general support of extensions of up to one year from the original termination date.

In addition to ISS and Glass Lewis, in December 2024 BlackRock released its updated U.S. proxy voting guidelines for benchmark policies.
5) Consider Hypothetical Risk Factors
On Nov. 6, 2024, the U.S. Supreme Court heard oral arguments for Facebook, Inc. v. Amalgamated Bank, a securities law case involving the 2016 Facebook (now Meta)/Cambridge Analytica’s user data scandal. Facebook investors alleged that the company, among other things, had included in its risk factor disclosures references to risks of unauthorized user data disclosures, but such risks were presented as hypothetical when in fact they had already materialized. 
In its Oct. 18, 2023 opinion, the U.S. Court of Appeals for the Ninth Circuit ruled, “Because Facebook presented the prospect of a breach as purely hypothetical when it had already occurred, such a statement could be misleading even if the magnitude of the ensuing harm was still unknown.” Facebook subsequently filed a petition to the Supreme Court for a writ of certiorari. On Nov. 22, 2024, the Supreme Court dismissed the case on the grounds that the writ of certiorari was improvidently granted, affirming the Ninth Circuit’s ruling.
In light of this case and the continued hindsight focus on “hypothetical risk factors” by shareholder litigants, companies should consider reviewing their risk factors and assess whether any of them that may be deemed “hypothetical” have actually occurred, and therefore require further disclosures.
6) Familiarize Yourself With SEC Changes to EDGAR System
On Sept. 27, 2024, the SEC adopted a series of rule and form amendments concerning access to and management of accounts on its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). These amendments, designed to enhance the security of EDGAR, improve the ability of filers to manage their EDGAR accounts, and modernize connections to EDGAR, are collectively referred to as EDGAR Next.
At the heart of the amendments is a shift in how filers (and appropriately permissioned third parties) access EDGAR. Presently, the SEC assigns EDGAR filers access codes; any individual in possession of a filer’s access codes may access the filer’s account, view and make changes to the information maintained therein, and transmit submissions on the filer’s behalf. EDGAR Next will retire the majority of these codes and require that EDGAR filers authorize specific individuals to perform the above-mentioned functions. Each authorized individual will verify their identity using login.gov credentials. 
Enrollment in EDGAR Next opens on March 24, 2025, and all existing filers must enroll by Dec. 19, 2025.
To get a jump on preparing for enrollment, filers should take the earliest opportunity to (i) ensure that all of their existing EDGAR access codes are current and (ii) identify the individuals (e.g., employees, legal advisors, third-party filing agents) who will need access to their EDGAR accounts. Individuals who anticipate interfacing with the EDGAR Next system should obtain login.gov credentials.
7) Changes to Nasdaq Diversity Disclosure Requirement
In December 2024, the U.S. Court of Appeals for the Fifth Circuit vacated the SEC’s approval of Nasdaq’s board diversity rules. Nasdaq has stated that it will not appeal the decision. As a result, Nasdaq-listed companies will no longer need to include the previously required board diversity matrix in their proxy statement or on their website, or provide other narrative disclosure explaining why they did not have at least the minimum number of directors in specified diversity categories. There was no comparable disclosure requirement for New York Stock Exchange (NYSE) listed companies.
Notwithstanding this change, board diversity remains a continued focus for many public company boards and other considerations are still in place. For example, ISS, Glass Lewis and certain large institutional investors have their own diversity standards that may influence a company’s disclosure, and Item 407(c) of Regulation S-K may elicit diversity-related disclosures regarding a nominating committee’s consideration of director candidates. As a result, many companies are continuing to solicit such information in their directors and officers (D&O) questionnaires for the 2025 proxy season. Ultimately, each public company will need to consider relevant factors in determining whether, or to what extent, diversity factors into their SEC disclosures.

Trending in Telehealth: December 18, 2024 – January 6, 2025

Trending in Telehealth highlights state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists, and technology companies that deliver and facilitate the delivery of virtual care.
Trending in the past weeks:

Reimbursement parity
Provider telehealth education

A CLOSER LOOK
Proposed Legislation & Rulemaking:

In Ohio, Senate Bill 95 passed both the House and Senate chambers. This bill will allow for remote pharmacy dispensing, as current state law prohibits the dispensing of a dangerous drug by a pharmacist through telehealth or virtual means.
In Oregon, the Oregon Health Authority, Health Systems Division: Medical Assistance Programs proposed rule amendments to clarify the telehealth rule definitions, including adding cross-references to established definitions in OAR 410-120-0000.
In New York, the Department of Public Health (DPH) proposed two new amendments to the Medicaid State Plan for non-institutional services:

To comply with the 2024-2025 enacted budget, DPH proposed a clarification to the March 27, 2024, notice provision regarding provider rates for early intervention services. This clarification includes a decrease to provider rates for early intervention services delivered via telehealth, with rate decreases as high as 20% in some regions.
DPH also proposed to reimburse Federally Qualified Health Centers and Rural Health Clinics a separate payment in lieu of the prospective payment system rate for non-visit services, such as eConsults and remote patient monitoring.

Finalized Legislation & Rulemaking Activity:

In Illinois, an amendment to the Illinois Public Aid Code went into effect on January 1, 2025. Passed in June of 2024, Senate Bill 3268 provides that the Department of Human Services will pay negotiated, agreed-upon administrative fees associated with implementing telehealth services for persons with intellectual and developmental disabilities receiving Community Integrated Living Arrangement residential services.
Also in Illinois, an amendment to the Illinois Physical Therapy Act went into effect January 1, 2025. Passed in August of 2024, House Bill 5087 significantly limits the ability of physical therapists to provide telehealth services to patients in the state. For more information on the effects of this bill, please read our article discussing its implications.
In Kentucky, Senate Bill 111 went into effect January 1, 2025. This bill requires health benefit plans, limited health service benefit plans, Medicaid and state health plans to provide coverage for speech therapy provided via telehealth.
Missouri’s emergency rule amendments for virtual visit coverage under the Missouri Consolidated Health Care Plan took effect as of January 1, 2025. For more information on this bill, please see our related article from last month.
In New Jersey, Assembly Bill 3853 was signed into law by the governor. The legislation extends certain pay parity regarding telemedicine and telehealth until July 1, 2026, meaning that New Jersey health plans shall reimburse telehealth and telemedicine services at the same rate as in-person services.
In New York, Assembly Bill 6799, was signed into law by the governor. The legislation establishes a drug-induced movement disorder screening education program and specifically includes services provided via telehealth.
In Vermont, House Bill 861 went into effect January 1, 2025. This bill requires health insurers to reimburse telemedicine and audio-only telephone services the same as in-person visits. However, there is an exception for value-based contracts for services delivered by audio-only telephone.

Why it matters:

States are taking action to ensure reimbursement parity for telehealth services. While there is still debate surrounding reimbursement parity for telehealth services (i.e., mandating reimbursement at the same rate as equivalent in-person services), several states are making strides toward ensuring equal reimbursement rates for both in-person and telehealth services. Bills requiring reimbursement parity in Illinois, Kentucky, and Vermont have taken effect in 2025. Additionally, New Jersey’s decision to extend the reimbursement parity mandate for telemedicine and telehealth services until mid-2026 illustrates the push towards reimbursing healthcare services at the same rate, regardless of the delivery medium.
States are taking measures to not only recognize telehealth, but also to educate providers on telehealth as an effective care delivery method. New York’s decision to include healthcare provider educational materials for providing telehealth services for drug-induced movement disorders underscores the growing trend and importance of educating providers on the appropriate manner for providing such treatment services.

Data Privacy: Insights from the Recent FAQs on New Jersey Data Privacy Law

As organizations prepare for compliance with the New Jersey Data Privacy Law (NJDPL), set to take effect on January 15, 2025, the Division of Consumer Affairs (DCA) has released a set of 24 Frequently Asked Questions (FAQs) that provide important insights and guidance on complying with New Jersey’s robust regulatory framework. The FAQs are not binding and should not be considered a legal document or a complete explanation of the law. Rather, they are useful as a reference for persons within the entities covered by NJDPL that have a role in privacy compliance.
The FAQs specifically focus on sensitive data, children’s data, opt-out or revocation of consent from sale of personal data (including via universal opt-out signals), contracts with data processors, and data protection assessments, indicating the New Jersey DCA’s focus areas for the enforcement of the incoming law. This article explores the key takeaways from the FAQs, particularly concerning the treatment of sensitive data.
Understanding the New FAQs
The recent FAQs were published for the convenience of businesses (although the FAQs use the term “businesses,” NJDPL also applies to nonprofits). The FAQs distill and clarify several key definitions contained in the NJDPL, summarize consumer rights, define business obligations, and provide additional guidance regarding processing of sensitive data and data of minors.
Specifically, NJDPL governs the use of personal data, which the law defines as any information that is linked or reasonably linkable to an identified or identifiable person. The FAQs clarify this definition as “any information that is not publicly available and can be used to identify a specific individual.” The key difference between these definitions is the “reasonably linkable” criterion in the statute, whereas the FAQs seem to focus on specific identifiability. Practically speaking, there are categories of data that may be linkable to an individual through context (for example, email metadata, or de-identified data combined with external data that permits reidentification, such as a fitness tracker ID combined with gym membership data) that would be within NJDPL’s scope. Differences such as these highlight that covered entities must not rely solely on the FAQs’ definitions when building their NJDPL compliance program.
The FAQs also clarify the definitions of the key actors in the data privacy lifecycle under NJDPL:

Consumer: A New Jersey resident acting in a personal or household context
Controller: Any individual or entity that decides how and why consumers’ personal data is processed
Processor: An individual or entity that processes personal data on behalf of the controller. A processor is different than a controller because it does not have decision-making authority over personal data. A processor can only process personal data at the request and under the direction of a controller.

The FAQ clarifies that NJDPL applies to any controller that:
(1) Does business in New Jersey or produces products or services targeted to New Jersey residents; and
(2) During a calendar year either (a) controls or processes the personal data of at least 100,000 consumers or (b) controls or processes the personal data of at least 25,000 consumers and makes money from the sale of personal data.
The FAQs detail some of the obligations of the controllers, including to prepare a written privacy notice accurately disclosing data practices, to honor consumer rights, to enter into written contracts with vendors receiving personal data from controllers (vendors generally will be processors, see below), to conduct data protection assessments, and to process certain categories of data only with consumers’ express consent.
With respect to processors, the FAQs highlight that among other requirements, a processor must:

Follow the controller’s instructions
Help the controller meet its obligations under NJDPL
Keep personal data confidential
Enter into a contract with the controller that contains processing instructions; identifies the data that will be processed and for how long it will be processed; and requires the processor to return or delete the personal data once processing is complete.

For consumers, the FAQs summarize their rights as follows:

Confirm whether a controller processes the consumer’s data
Correct inaccuracies in the consumer’s personal data
Delete the consumer’s personal data
Say “no” (opt out) to a controller selling the consumer’s personal data or using the consumer’s personal data for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy). 

Controllers must provide clear and accessible mechanisms for consumers to exercise these rights. Additionally, by July 15, 2025, businesses must comply with universal opt-out signals, such as those from Global Privacy Control (users enable privacy preferences within their web browsers). A universal opt-out signal is a mechanism that allows individuals to communicate their preference to opt out of certain data processing activities, such as targeted advertising or sale of data, across multiple websites or platforms in a standardized way. It eliminates the need for consumers to manually opt out on each site individually.
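The universal opt-out signal described above is, on the wire, a single HTTP request header that a browser sends when the user has enabled Global Privacy Control: Sec-GPC: 1 (and, for scripts, navigator.globalPrivacyControl). The following is an added example of how a site could honor that header server-side; it is not code from the FAQs, the DCA, or the GPC project. The header name and value are those defined by the GPC specification; the request dictionaries, the ProcessingDecision structure and the decide_processing policy are constructed for illustration. The one caveat a practitioner should note is that the specification defines only the value “1”: any other value (including “0”) is not an opt-in and is treated here as no signal at all.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal server-side.

Added example, not part of the original article. Header name and value
follow the GPC specification; everything else is illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass

# Header defined by the GPC specification. Header names are case-insensitive.
GPC_HEADER = "sec-gpc"


@dataclass(frozen=True)
class ProcessingDecision:
    """Outcome for the two activities a universal opt-out signal covers."""
    sell_personal_data: bool
    targeted_advertising: bool
    reason: str


def gpc_opted_out(headers: dict[str, str]) -> bool:
    """Return True only when the request carries a valid GPC opt-out.

    Only the literal value "1" is a signal. The specification defines no
    opt-in value, so "0", empty or garbage values are treated as absent,
    never as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def decide_processing(headers: dict[str, str], stored_opt_out: bool) -> ProcessingDecision:
    """Combine the browser signal with any opt-out already recorded for the
    consumer through the site's own mechanism. Either source is sufficient to
    switch off sale of personal data and targeted advertising; an absent or
    malformed header never re-enables them (illustrative policy, assumed).
    """
    if stored_opt_out:
        return ProcessingDecision(False, False, "consumer opted out via site mechanism")
    if gpc_opted_out(headers):
        return ProcessingDecision(False, False, "Sec-GPC: 1 universal opt-out signal")
    return ProcessingDecision(True, True, "no opt-out signal present")


def gpc_support_document(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, the resource through which a site
    advertises that it honors the signal (field names per the GPC spec)."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Sec-GPC": "1", "User-Agent": "example"},
        {"SEC-GPC": "0"},
        {"User-Agent": "example"},
    ]
    for req in samples:
        print(req, "->", decide_processing(req, stored_opt_out=False))
```

The decision object is deliberately the only thing downstream code consults, so the ad-serving and data-sharing paths never re-parse the header themselves and cannot disagree about whether the consumer opted out.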
Again, the FAQs do not repeat NJDPL’s definitions, criteria, and recitations of rights word by word, but rather aim to give organizations a general sense of what these key concepts mean. While at first blush the distinctions between the FAQ and NJDPL definitions may not seem significant in practice, as the saying goes, the devil lurks in the details. Note, for example, that personal data processed solely for the purpose of completing a payment transaction is exempted from the 100,000 consumers’ data threshold, and that receiving a discount on a price of any goods or services counts toward the “making money from personal data” threshold. 
Update on Anticipated Regulations and Enforcement Deadlines
New Jersey is one of three states to date that provide rulemaking authority under their data privacy law to the state agency; here, the DCA. The FAQs are not such regulations, but they expressly state that the DCA will be issuing regulations under NJDPL in 2025. This is a new development, as NJDPL does not provide a deadline for promulgation of rules.
While the formal regulations under NJDPL are not yet available, the FAQs expressly state that the entities obligated under NJDPL are required to comply starting on January 15, 2025. A limited opportunity to cure violations may be available until July 1, 2026: If the DCA identifies a potential violation that the controller can remedy, the DCA will send a notice to the controller to give them the chance to fix the problem within 30 days of the notice. If the violation is not remedied, the DCA can proceed with an enforcement action. While this provision is certainly beneficial for covered entities, it should not be interpreted as a license to avoid carefully thinking through and implementing the entity’s compliance obligations before the January 15, 2025, deadline. At most, this grace period should be used to remedy inadvertent mistakes in compliance.
Treatment of Sensitive Data
The FAQs explain that sensitive data is a subset of personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health condition, financial information, sexual activity or sexual orientation, immigration or citizenship status, status as transgender or non-binary, genetic or biometric data, or precise geolocation data. It also includes personal data collected from a known child. This restatement loosely tracks NJDPL’s definition. Most of the data considered sensitive in New Jersey also is recognized as sensitive under most U.S. state privacy laws. However, New Jersey includes additional types of data as sensitive, including status as transgender or non-binary and financial information, which only a handful of other states recognize as sensitive.
The sensitive financial information in New Jersey includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” Thus, not every piece of financial data will be deemed sensitive; however, NJDPL’s definition is open-ended and types of financial data not presently listed in the statute may be included in the future. 
For entities operating in more than one state that are required to comply with several state data privacy laws, it is important to correctly classify data as sensitive or not sensitive to ensure compliance with each such applicable law. Each U.S. state privacy law recognizes sensitive information and imposes heightened compliance requirements for its processing. Some states require a valid consent to be obtained before collection and processing of personal data, as well as a data protection assessment. Others follow an opt-out model, giving consumers the right to limit the use of their sensitive data.
The FAQs highlight that New Jersey requires consent before sensitive data is processed and that a data protection impact assessment must be conducted. NJDPL specifies that a valid consent must be “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” Such consent may include a written statement, including by electronic means, or any other unambiguous affirmative action. Notably, acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information will not constitute a valid consent. As such, organizations should not rely on statements such as “if you visit our website, you consent to our privacy policy” as evidence of consent to processing of sensitive information. Furthermore, hovering over, muting, pausing, or closing a given piece of content will not be considered sufficient evidence of consent.
Treatment of Children’s Data
NJDPL requires businesses to obtain explicit consent for processing personal data of children under the age of 13, treating such data as sensitive. Consent also is required for processing of data of minors that are at least 13 and are younger than 17, if such processing is done for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effect on the consumer. With this latter provision, New Jersey’s law extends protections beyond federal standards under the Children’s Online Privacy Protection Act (COPPA), which only safeguards the data obtained online from children under 13.
The FAQs state that when a controller knows or should know that a consumer is between the ages of 13 and 16 (note, NJDPL uses the term “younger than 17” but the FAQ is using the 13–16 range), the controller must get the consumer’s consent before processing the consumer’s personal data. This is interesting as this statement is broader than NJDPL. First, the FAQs use the term “should know” whereas the statute requires actual knowledge or willful disregard. Second, the FAQs claim that consent is necessary for any processing of the data of minors ages 13–16, and not only when sale of data, targeted advertising, or profiling is occurring. 
Businesses processing children’s data should take note and consider building a more stringent compliance regime: even where FAQs are non-binding, this is an enforcement focus area for the New Jersey regulator (and for the regulators in other states and on the federal level).
Considerations for Compliance
With the enforcement deadline looming, organizations within the scope of NJDPL should consider the following workflow to align their compliance with the incoming law: 

Review/Update Privacy Policies: Update privacy notices to clearly outline data processing activities, purposes of processing, consumer rights, and opt-out procedures, among other mandatory disclosures, to track NJDPL’s requirements. 
Implement Consent Management Systems: Adopt technologies that facilitate obtaining, managing, and documenting consumer consent for sensitive data processing.  
Conduct Data Protection Assessments: Regularly evaluate data handling practices to identify the risks and benefits of any processing activity that presents a heightened risk of harm to consumers, and document the assessment so that it can be shown to align with New Jersey’s law. 
Enhance Training Programs: Educate employees with data privacy responsibility in different departments (including IT, Marketing, and Customer Service, not just Legal) about NJDPL’s provisions and the importance of safeguarding consumer data and respecting consumer choices regarding their data.  
Stay Informed of the Regulatory Changes: Be aware of evolving privacy regulations to anticipate and address new compliance obligations. Aside from New Jersey’s anticipated regulations, other states are poised to adopt new privacy laws or amend existing ones, promising that 2025 will be a busy year for data privacy. While the FAQs serve as an important resource for understanding the law’s practical application, highlighting the importance of explicit consent and enhanced protections for sensitive data, organizations should consider following the more precise requirements of NJDPL and the incoming regulations in aligning their practices with New Jersey’s requirements. As compliance with the NJDPL becomes mandatory, legal experts can provide tailored advice to navigate the intricacies of the law and ensure that data practices align with both state and federal regulations.

HHS Proposed Rule Would Increase Cybersecurity Requirements for Electronic Health Data

The U.S. Department of Health and Human Services (HHS) recently released a proposed rule to better protect electronic health data from cybersecurity threats. The proposed rule would apply to health plans, healthcare providers, healthcare clearinghouses, and their business associates, such as billing companies, third-party administrators, and pharmacy benefit managers.
Quick Hits

HHS has proposed a rule to shore up cybersecurity protections for electronic health records under the Health Insurance Portability and Accountability Act (HIPAA).
The new rules would apply to HIPAA-regulated entities, such as healthcare providers, hospitals, and others that handle electronic medical data.
The public can submit comments on the proposed rule until March 7, 2025.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has not undergone a major overhaul since 2013. However, in response to rising cybersecurity threats across the healthcare industry, on January 6, 2025, HHS published a proposed rule that would update and bolster cybersecurity protections for personal health information that’s collected by healthcare providers, hospitals, insurers, and other companies. The public has until March 7, 2025, to submit comments on the proposal.
If finalized, these changes would apply to all HIPAA-covered entities and their business associates, imposing stricter requirements around risk assessments, data encryption, multifactor authentication, and more. Importantly, the proposed rule would eliminate the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required. This shift would remove much of the discretion that HIPAA-regulated entities presently have in determining whether to implement “addressable” measures, instead introducing more granular, prescriptive requirements to ensure compliance with all security standards.
The proposed rule also would require:

written documentation of policies, procedures, plans, and analyses related to complying with the HIPAA Security Rule;
covered entities to develop and update a technology asset inventory and a network map that illustrates the movement of electronic health information throughout the electronic information system;
covered entities to conduct a more robust risk analysis than under the current rule, including incorporation of the entity’s technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic health information; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit vulnerabilities;
encryption of electronic health information at rest and in transit;
the use of multifactor authentication;
covered entities to use anti-malware protections and remove extraneous software from electronic information systems;
an audit at least once per year to confirm compliance with the HIPAA Security Rule;
covered entities at least once per year to obtain written certification from business associates that they have deployed the technical safeguards required by the HIPAA Security Rule;
covered entities to review and test the effectiveness of certain security measures at least once every twelve months;
vulnerability scanning at least every six months and penetration testing at least once every twelve months;
network segmentation and separate technical controls for backup and recovery of electronic health information and electronic information systems;
covered entities to establish written procedures to restore certain electronic information systems and data within seventy-two hours of their loss, and to document how employees should report security incidents and how the regulated entity will respond to them. Business associates would have to notify covered entities that they have activated their security contingency plans no later than twenty-four hours after activation;
covered entities to cut off a former employee’s access to personal health information no later than one hour after the employment has been terminated; and
group health plans to include in their plan documents requirements for their plan sponsors to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.

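Several items in the list above are measurable, and the one-hour access-termination requirement is the easiest to get wrong quietly, because the HR system and the identity provider rarely share a clock or a record. The following is an added example, not from HHS or the proposed rule, of a check that correlates a termination feed with identity-provider audit events, reports the deprovisioning lag per user, and flags two failure modes: an account disabled later than the limit, and an account that was never disabled (including one that kept logging in after the termination). The termination feed, the event format and all the timestamps are constructed sample data; the event action names are assumptions, not any particular vendor’s schema.

```python
"""Deprovisioning-lag check for terminated workforce members.

Added example, not part of the HHS proposal. Input formats and action names
are assumptions; all sample data is constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

ONE_HOUR = timedelta(hours=1)

# Constructed HR termination feed: (user, termination time, UTC, ISO 8601).
HR_TERMINATIONS = [
    ("jdoe", "2025-01-10T14:00:00Z"),
    ("asmith", "2025-01-10T15:30:00Z"),
    ("bwong", "2025-01-11T09:00:00Z"),
]

# Constructed identity-provider audit events: (timestamp, action, user).
# Action names are assumed for this example.
IDP_EVENTS = [
    ("2025-01-10T14:20:00Z", "account.disabled", "jdoe"),      # 20 minutes: within limit
    ("2025-01-10T17:05:00Z", "account.disabled", "asmith"),    # 95 minutes: too late
    ("2025-01-11T09:10:00Z", "session.login", "bwong"),        # never disabled, still active
]


def parse_ts(value: str) -> datetime:
    """Parse a UTC ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_disable_times(events) -> dict[str, datetime]:
    """Earliest 'account.disabled' event per user (a later re-disable does not help)."""
    disabled: dict[str, datetime] = {}
    for ts, action, user in events:
        if action == "account.disabled":
            t = parse_ts(ts)
            if user not in disabled or t < disabled[user]:
                disabled[user] = t
    return disabled


def activity_after(events, user: str, cutoff: datetime) -> bool:
    """True if the user produced any non-disable event after the cutoff."""
    return any(
        u == user and action != "account.disabled" and parse_ts(ts) > cutoff
        for ts, action, u in events
    )


def check_deprovisioning(terminations, events, limit: timedelta = ONE_HOUR) -> list[dict]:
    """One finding per terminated user: lag in minutes (None if never disabled),
    whether the limit was met, and whether the account stayed active."""
    disabled = first_disable_times(events)
    findings = []
    for user, term_ts in terminations:
        terminated_at = parse_ts(term_ts)
        disabled_at = disabled.get(user)
        lag = None if disabled_at is None else (disabled_at - terminated_at)
        findings.append({
            "user": user,
            "terminated_at": terminated_at,
            "disabled_at": disabled_at,
            "lag_minutes": None if lag is None else int(lag.total_seconds() // 60),
            "compliant": lag is not None and timedelta(0) <= lag <= limit,
            "activity_after_termination": activity_after(events, user, terminated_at),
        })
    return findings


if __name__ == "__main__":
    for f in check_deprovisioning(HR_TERMINATIONS, IDP_EVENTS):
        status = "OK " if f["compliant"] else "FAIL"
        print(f"{status} {f['user']:8} lag={f['lag_minutes']} "
              f"active_after_termination={f['activity_after_termination']}")
```

Run against real feeds, the same check doubles as evidence for the annual compliance audit the proposal also calls for: the findings list is the record that the control was tested, not just that a policy exists.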
Next Steps
Employers and the public have until March 7, 2025, to submit comments about the proposed rule. The final rule would take effect sixty days after being published in the Federal Register. The existing HIPAA Security Rule remains in effect while the rulemaking is underway.
HIPAA-covered entities (and employers that sponsor them) may wish to review their cybersecurity practices and policies as they relate to electronic health information and evaluate gaps between existing practices and documentation and the rules as proposed. While some of the proposed changes reflect common security measures already implemented by many HIPAA-covered entities, if the proposed rule takes effect, employers can expect to incur extra costs to align their practices with those outlined by the proposed rules. This is especially true for large employers that offer self-insured health plans to their workers, since employers are generally responsible for HIPAA compliance for the self-insured health plans they sponsor.

U.S. Cyber Trust Mark Program at Hand After White House Launch Announcement

The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will govern the procedures for obtaining and using the Mark’s distinctive shield logo.
What’s In Program Scope – Per the FCC, the program applies to consumer wireless Internet of Things (IoT) products – radio frequency devices clearly within its jurisdiction under Section 302 of the Communications Act. Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
What Is Not – On the other hand, the program does not include items outside the FCC’s regulatory jurisdiction, such as medical devices regulated by the Food and Drug Administration and motor vehicles and equipment regulated by the National Highway Traffic Safety Administration. Also excluded are wired devices; products primarily used for manufacturing, industrial control or enterprise applications; equipment on the FCC’s Covered List and equipment produced by an entity on the Covered List; IoT products from a company on other lists addressing national security; and IoT products produced by entities banned from Federal procurement.
Process And Standards – Products must be tested at an FCC-recognized accredited laboratory (CyberLAB) for evaluation against the program’s cybersecurity criteria. Those criteria are based on standards developed by the National Institute of Standards and Technology (NIST) and other expert guidance intended to ensure that certified devices have robust cybersecurity protections, including, for example, implementation of strong encryption protocols and requirements for user authentication before granting access to device settings or data.
Program Management and Compliance Enforcement – The FCC will manage the program but also rely on Cybersecurity Labeling Administrators (CLA), who will evaluate the post-testing applications for approval to use the Mark; the FCC has already approved a number of these CLAs.
Among other things, CLAs will be responsible for ensuring that users comply with applicable FCC rules. In adopting the regulatory framework for the program, the agency decided that it would “rely on a combination of administrative remedies and civil litigation to address non-compliance.” The FCC “direct[ed] the CLAs to conduct post-market surveillance…to ensure that the integrity of the Cyber Trust Mark is maintained.”
Further, “random audits” will be coupled with such surveillance. Identified products that fail to comply with applicable technical regulations for that product could be stripped of approval to display the Mark.
In the interest of the integrity of the Mark, the Commission also made clear that it will “pursue all available means to prosecute entities who improperly or fraudulently use the FCC IoT Label, which may include, but are not limited to, enforcement actions, legal claims of deceptive practices prosecuted through the FTC, and legal claims for trademark infringement or breach of contract.”
Further Notice of Proposed Rulemaking: National Security – In an ongoing effort to address potential hidden national security threats, the FCC’s Further Notice of Proposed Rulemaking focuses on such threats contained in consumer products bearing the IoT Label. To that end, the FCC seeks comments on “additional declarations intended to provide consumers with assurances that the products bearing the IoT Label do not contain hidden vulnerabilities from high risk countries [e.g., China], that data collected by the product does not sit within or transit high-risk countries and that products cannot be remotely controlled by servers located within high-risk countries.”
Incoming Chairman Carr, who has voiced a strong interest in addressing national security concerns, is sure to support these initiatives on an ongoing basis.

5 Trends to Watch: 2025 EU Data Privacy & Cybersecurity

Full Steam Ahead: The European Union’s (EU) Artificial Intelligence (AI) Act in Action — As the EU’s landmark AI Act officially takes effect, 2025 will be a year of implementation challenges and enforcement. Companies deploying AI across the EU will likely navigate strict rules on data usage, transparency, and risk management, especially for high-risk AI systems. Privacy regulators are expected to play a key role in monitoring how personal data is used in AI model training, with potential penalties for noncompliance. The interplay between the AI Act and the General Data Protection Regulation (GDPR) may add complexity, particularly for multinational organizations.
Network and Information Security Directive (NIS2) Matures: A New Era of Cybersecurity Regulation — The EU’s NIS2 Directive will enter its enforcement phase, expanding cybersecurity obligations for critical infrastructure and key sectors. Companies must adapt to stricter breach notification rules, risk management requirements, and supply-chain security mandates. Regulators are expected to focus on cross-border coordination in response to major incidents, with early cases likely setting important precedents. Organizations will likely face increasing scrutiny of their cybersecurity disclosures and incident response protocols.
The Evolution of Data Transfers: Toward a Unified Framework — After years of turbulence, 2025 may mark a turning point for transatlantic and global data flows. The EU-U.S. Data Privacy Framework will face ongoing reviews by the European Data Protection Board (EDPB) and potential legal challenges, but it offers a clearer path forward. Meanwhile, the EU may continue striking adequacy agreements with key trading partners, setting the stage for a harmonized approach to cross-border data transfers. Companies will need robust mechanisms, such as Standard Contractual Clauses and emerging Transfer Impact Assessments (TIAs), to maintain compliance.
Consumer Rights Expand Under the GDPR’s Influence — The GDPR continues to set the global benchmark for privacy laws, and 2025 will see the ripple effect of its influence as EU member states refine their own data protection frameworks. Enhanced consumer rights, such as the right to explanation in algorithmic decision-making and stricter opt-in requirements for data use, are anticipated. Regulators are also likely to target dark patterns and deceptive consent mechanisms, driving companies toward greater transparency in their user interfaces and data practices.
Digital Markets Act Meets GDPR: Privacy in the Platform Economy — The Digital Markets Act (DMA), fully enforceable in 2025, will bring sweeping changes to large online platforms, or “gatekeepers.” Interoperability mandates, restrictions on data combination across services, and limits on targeted advertising will intersect with GDPR compliance. The overlap between DMA and GDPR enforcement will challenge platforms to adapt their practices while balancing privacy obligations. This regulatory synergy may reshape data monetization strategies and set a precedent for digital market governance worldwide.

INCARCERATION STATION: Failing to Respond to TCPA Subpoenas Is Leading to Threats of Jail Time and It is a Little Scary

In Ford v. Glutality, 2025 WL 52850 (W.D. Mo. Jan. 8, 2025), a lead supplier was sent a subpoena seeking lead records and communications. The supplier apparently failed to adequately respond, and the plaintiff moved to compel production.
The Court ordered the production to take place and added a chilling one liner that should be a reminder to everyone of the stakes involved with civil subpoenas:
If Mr. Weiss fails to fully comply with the subpoena, the Court may hold Mr. Weiss in contempt of Court. A finding of contempt may include sanctions, including an award of attorneys’ fees and incarceration.
Incarceration. Eesh.
TCPA is as dangerous as can be folks–even if you are just responding to a subpoena. But jail time is just one risk when responding to a subpoena. Failing to assert proper objections might lead to a needless deposition or an extremely burdensome production that turns your company inside out!
If you receive a subpoena be sure to retain qualified counsel right away to help walk you through the response, assert proper objections and negotiate to prevent making a bigger (and more burdensome) production than necessary.

New Jersey Division of Consumer Affairs Publishes Privacy Law FAQs

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers (“FAQs”) on the New Jersey Data Privacy Law (“NJDPL”). The FAQs are intended for the convenience of businesses that may be subject to the law and cover topics such as “What is ‘personal data’?” and “What rights does the NJDPL protect?”. The FAQs reiterate that small businesses and non-profits are subject to the NJDPL if they meet the law’s applicability thresholds. The FAQs also state that the Division of Consumer Affairs will issue regulations in 2025. The NJDPL becomes effective January 15, 2025.