Reminder: Data Protection Impact Assessments May Be Required Under New State Privacy Laws

As we settle into 2025, and five additional state privacy laws have gone or are about to go into effect, we wanted to put on your radar the obligation to conduct data protection impact assessments (DPIAs). In general, a DPIA should contain:

a systematic description of potential processing operations and the purpose of the processing, including where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
an assessment of the risks to the rights and freedoms of consumers; and
potential measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.

As a reminder, most of the new state privacy laws require businesses to complete DPIAs if they do any of the following:

Cookies and pixels (i.e., browser-based targeted advertising)
Custom and lookalike audience (i.e., CRM-based targeted advertising)
CAPI (i.e., server-based targeted advertising)
App advertising (i.e., SDK-based targeted advertising)
Find-a-store (i.e., precise geolocation collection)
Other sensitive information collection (e.g., race, ethnicity, health, etc.)
Selling of personal data
Adaptive pricing (i.e., profiling that may cause financial injury)
Collecting credit card numbers (New Jersey privacy statute only)

HHS Security Rule NPRM Proposes Makeover for Administrative Safeguard Compliance for Regulated Entities

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are exploring the proposed updates to the HIPAA Security Rule’s administrative safeguards requirement (45 C.F.R. § 164.308).
Background
Currently, HIPAA regulated entities must generally implement nine standards for administrative safeguards protecting electronic protected health information (ePHI):

Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts and Other Arrangements

Entities are already familiar with these requirements and their implementation specifications. The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities. As noted throughout this series, HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, providing for specific guidelines for implementation with limited exceptions for certain safeguards, as well as introducing new safeguards.
New Administrative Safeguard Requirements
The NPRM proposes updates to the following administrative safeguards: risk analyses, workforce security, and information access management. HHS also introduced a new administrative safeguard, technology inventory management and mapping. These updated or new administrative requirements are summarized here:

Asset Inventory Management – The HIPAA Security Rule does not explicitly mandate a formal asset inventory, but HHS informal guidance and audits suggest that inventorying assets that create, receive, maintain, or transmit ePHI is a critical step in evaluating security risks. The NPRM proposes a new administrative safeguard provision requiring regulated entities to conduct and maintain written inventories of any technological assets (e.g., hardware, software, electronic media, data, etc.) capable of creating, receiving, maintaining, or transmitting ePHI, and to illustrate a network map showing the movement of ePHI throughout the organization. HHS would require these inventories and maps to be periodically reviewed and updated at least once every 12 months and when certain events prompt changes in how regulated entities protect ePHI, such as new, or updates to, technological assets; new threats to ePHI; transactions that impact all or part of regulated entities; security incidents; or changes in laws.
Risk Analysis – While conducting a risk analysis has always been a required administrative safeguard, the NPRM proposes more-detailed content specifications around items that need to be addressed in the written risk assessment, including reviewing the technology asset inventory; identifying reasonably anticipated threats and vulnerabilities; documenting security measures, policies and procedures for documenting risks and vulnerabilities to ePHI systems; and making documented “reasonable determinations” of the likelihood and potential impact of each threat and vulnerability identified.
Workforce Security and Information Access Management – The NPRM proposes that, with respect to its ePHI or relevant electronic information systems, regulated entities would need to establish and implement written procedures that (1) determine whether access is appropriate based on a workforce member’s role; (2) authorize access consistent with the Minimum Necessary Rule; and (3) grant and revise access consistent with role-based access policies. Under the NPRM, these administrative safeguard specifications would no longer be “addressable,” as previously classified, meaning these policies and procedures would now be mandatory for regulated entities. In addition, the NPRM develops specific standards for the content and timing of training for workforce members on Security Rule compliance, beyond the previous general requirements.

Texas’ Power Transmission Infrastructure: Addressing Growing Demand from Data Centers and Crypto Mining

Texas is facing a rapidly evolving energy landscape, driven in part by the surging power demands of data centers and cryptocurrency mining operations. As the digital economy expands, the state’s existing power transmission infrastructure must adapt to ensure grid reliability, affordability and sustainability. However, the growing demand for electricity raises critical challenges, including the need for additional transmission capacity, grid resilience, and fair cost allocation for new infrastructure investments.
Rising Energy Demand from Data Centers and Crypto Mining
Texas has become a prime location for data centers and cryptocurrency mining operations due to its deregulated energy market, favorable business climate and relatively low electricity costs. Data centers, which support cloud computing, artificial intelligence (AI), and financial transactions, require vast amounts of power, often operating 24/7. Similarly, cryptocurrency mining facilities run continuously, consuming significant amounts of electricity to maintain blockchain networks.
The Electric Reliability Council of Texas (ERCOT) projects that power demand from these industries will grow substantially in the coming years. Consumption of electricity from large flexible loads such as data centers and crypto mining facilities is projected to account for 10% of ERCOT’s total forecasted electricity consumption in 2025. ERCOT currently expects power demand to nearly double by 2030. Without strategic infrastructure upgrades, this demand would likely strain the grid, increase congestion and lead to higher electricity prices for consumers.
Challenges with Existing Transmission Infrastructure
Texas operates its own independent power grid, which provides flexibility but also limits its ability to import electricity from neighboring states during periods of high demand. The state’s transmission infrastructure has already faced challenges in keeping up with rapid population growth and extreme weather events. In 2021, Winter Storm Uri exposed vulnerabilities in the grid, leading to widespread outages and highlighting the need for greater investment in both generation and transmission capacity.
One major challenge is that much of Texas’ renewable energy generation—especially wind and solar—is located in rural areas, far from major load centers like Dallas, Houston and Austin. Without sufficient transmission capacity, this clean energy cannot be efficiently delivered to where it is needed. The addition of high-energy-consuming industries like data centers and crypto mining exacerbates this challenge by increasing congestion on existing transmission lines.
The Need for Additional Transmission Infrastructure
To accommodate the growing energy needs, Texas must significantly expand its high-voltage transmission network. New transmission lines are necessary to:

Relieve Grid Congestion – increasing transmission capacity reduces bottlenecks that can drive up energy prices and cause reliability concerns.
Enhance Grid Resilience – strengthening transmission infrastructure can help prevent widespread outages during extreme weather events.
Support Renewable Integration – more transmission lines will allow Texas to take full advantage of its abundant wind and solar resources by connecting them to high-demand areas.
Ensure Reliability for Data Centers and Crypto Mining – dedicated infrastructure planning can ensure that new energy-intensive operations do not disrupt service for residential and commercial consumers.

The Costs of Transmission Expansion
One of the biggest questions surrounding transmission expansion is funding. Historically, Texas has used a mix of ratepayer contributions, state incentives, and private investments to build and maintain its power infrastructure. There are several potential funding mechanisms for new transmission lines:
Ratepayer Contributions – transmission costs are often passed on to consumers through electricity bills. However, increasing rates to fund expansion may face resistance, especially if residential and small-business customers bear a disproportionate burden of the cost.
ERCOT Transmission Cost Recovery – ERCOT has a cost allocation model that spreads transmission investments across various market participants. This approach ensures that those benefiting from the upgrades contribute to the costs.
Direct Charges on Large Energy Consumers – one potential policy solution is to require data centers and crypto mining companies to pay a larger share of transmission infrastructure costs. Special tariffs or direct infrastructure investment agreements could be established to ensure that these industries contribute fairly.
Public-Private Partnerships – collaboration between the state government, utilities, and private investors could help finance large-scale transmission projects. In some cases, tax incentives or low-interest financing options could encourage private sector investment in critical infrastructure.
Federal Funding and Grants – the federal government has recently made funding available for grid modernization projects through the Infrastructure Investment and Jobs Act. The new administration has called some of this into question. Texas could leverage these funds to supplement state and private investments.
Balancing Growth and Grid Reliability
Expanding transmission infrastructure is essential, but it must be done in a way that balances economic growth with grid reliability. Policymakers must ensure that the costs are distributed equitably and that the grid remains stable during periods of high demand. Additionally, investments in energy storage, smart grid technology, and demand response programs can complement transmission expansion by improving overall efficiency.
Texas has long been a leader in energy innovation, and addressing these transmission challenges will be critical to the state maintaining that position. By implementing forward-thinking policies and funding strategies, the state can support its growing digital economy while ensuring a reliable and affordable power supply for all consumers.

Employers Should Plan for the Impact of Evolving Social Policy on Their Workforce

Even before the 2024 presidential election and the recent wave of executive orders, employers were evaluating their positions on various social issues.
Whether taking a formal stand, abstaining from a position, or landing somewhere in between, employers often consider external stakeholders and the court of public opinion. But they frequently forget about a critical and impactful audience—their employees.
Below are a few key areas where evolving social policies intersect with employee considerations.

Environmental, Social, and Governance (ESG) Policies: Regulations around diversity, equity, and inclusion; sustainability; the environment; and financial investments can differ across federal, state, and local jurisdictions, and certain rules apply only to government contractors. Aside from legal concerns, employers may face public and private questions about their actions or policies from employees. As such, employers should make sure that their ESG policies are current, thoughtful, and well communicated, especially in light of changing public sentiment, regulations, and legislation.
Social Media and Freedom of Speech: Employer policies on social media, recording/filming in the workplace (and online), volunteerism, non-solicitation, and whistleblowing should be updated to ensure that they reflect the latest laws, regulations, and guidance by applicable agencies and regulatory bodies. Management should also be trained on these policies, including how to respond to situations when the company’s employees choose to speak out on issues.
Benefit Programs: Employees might question their employer’s benefit policies relating to health care coverage provisions, benefit subsidies, time off/leave and holidays, and even voluntary benefit choices. Do these programs appear to favor certain employees over others? Employers should regularly evaluate these programs not only for compliance but also through the lens of their employees’ needs and expectations, which may differ based on location.
Labor Negotiations: An employer’s social advocacy and related positions impact its employees and the labor unions that currently—or may in the future—represent them. Therefore, employers should make sure that they have a strategy that supports this relationship and is in compliance with applicable labor laws, as well as labor contracts that are in place.
Outsourced, Offshore/Nearshore Workforce: When a company’s contingent and contract labor works side by side with the company’s employees, it’s essential that policies and programs account for this important and sometimes significant part of the workforce. Vendor contracts and communication strategies should also be aligned with these efforts.
Immigration Policies: Most industries and their employees are affected by immigration policy. A legal immigrant workforce will likely be concerned about their own status and that of their families during this uncertain time. Employers must review their policies and programs for these valuable workers and consider what supports, policies, and communications they should provide.
Mandatory Training Programs: Employers should annually review mandatory training programs against changing regulations and expectations, as well as current strategies related to advocacy and ESG.

The bottom line: An employer’s stand on social issues and related policies, investments, programs, and trainings affects its workforce. A company’s employees are its face to customers and the public, so employees’ engagement and alignment matters. Because laws and regulations affecting ESG are continually changing, employees will be more engaged and better ambassadors for their employer if it has a well-considered strategy and communication plan addressing these topics.
Michelle Wright also contributed to this post

SO IT GOES: Lead Buyer Out of ATDS Claim But Hooked on DNC and Texas Registration Claim in TCPA Class Action

Pretty common factual scenario.
Lead generator makes outbound calls and talks to consumer.
Consumer either pretends to be interested or actually is interested and then is transferred to a lead buyer who can actually provide the good or service the consumer wants.
But then consumer sues lead buyer for making the illegal call–even though the lead buyer did not make the call at all and likely had no idea the call was illegal.
It happens literally every day in TCPAWorld and it remains the biggest problem/risk with buying third-party leads.
Well, in Ortega v. Ditommaso, 2025 WL 440278 (W.D. Tx. Feb 6, 2025), a lead buyer walked away from a piece of a TCPA case–defeating the ATDS component.
In Ortega a call center run by Meridian Services, LLC allegedly contacted plaintiff to try to sell a business loan. Plaintiff stayed on the line and pretended to be interested to find out who was calling. As a result the call was transferred to Ditommaso, Inc., who tried to sell a loan.
Plaintiff sued Meridian and Ditommaso for the calls, alleging they were made using an ATDS and violated his DNC rights since they were made without consent.
Ditommaso moved to dismiss, and the court threw out part of the case.
As to the ATDS component, the court adopted the narrow ATDS definition accepted in the Second and Ninth Circuits and determined that, because there were no allegations establishing the calls were placed at random, an ATDS was not used. (Careful with this, folks, because some courts apply a different standard.) Regardless, nice win for the defense on this piece.
Next, Defendant asked the court to toss the case because only one call was placed to the Plaintiff and the follow-up texts were only sent because he stated he was interested in the product. But the evidence of the flow of calls and texts was not on the face of the complaint, so the court would not consider it and denied the motion on that basis.
The Court also found the vicarious liability allegations were sufficient because Meridian was alleged to be an agent of Ditommaso for purposes of making the calls.
The Court also determined Ditommaso could be vicariously liable for the Texas Business and Commerce Code § 302.101 violation–even though it was not itself required to register as a marketer in the state.
So, some good, some bad. But better than nothing.
Take aways here:

Buying third-party leads is dangerous;
Make sure you are working with only registered marketers in Texas;
Some courts will toss ATDS claims if calls are made from a list– but not all;
You cannot introduce evidence of consent at the pleadings stage (unless you are challenging standing, which Defendant did not do).

SEC Grants Further Relief From Including Personally Identifiable Information in CAT Reporting

On February 10, the Securities and Exchange Commission (SEC) granted relief exempting industry members from reporting a natural person’s name, address, and year of birth to the Consolidated Audit Trail (CAT). Industry members must still report transformed social security numbers (SSNs) or individual taxpayer identification numbers (ITINs) for natural persons and, to the extent applicable, Larger Trader IDs (LTIDs) and Legal Entity Identifiers (LEIs). This exemptive relief builds on the SEC’s 2020 relief that exempted industry members from reporting actual SSNs/ITINs and full birth dates to CAT (but then requiring year-of-birth reporting) and developed the system for transforming SSNs/ITINs, which are then used to generate CAT Customer-ID (CCIDs).
The SEC’s relief acknowledges the ongoing concerns of industry members and trade associations that the wholesale collection of customer information created cybersecurity risks, as such sensitive customer information was vulnerable to hacking by cybercriminals. Particularly when such customer information could be paired with the full inventory of historical securities transactions effected by that customer maintained in the CAT transaction database, cybercriminals could further use compromised information to impersonate customers or regulators, take over or otherwise compromise customer accounts, or otherwise engage in fraud or other bad acts affecting customers or the markets. The SEC’s action largely tracks a recommendation from FINRA President and CEO Robert Cook last month (https://www.finra.org/media-center/blog/cat-should-be-modified-to-cease-collecting-personal-information-on-retail-investors), perhaps anticipating inevitable CAT reform by a Republican-led Commission.
Regulators will still be able to obtain customer-specific information regarding individual transactions, but they will have to do so by requesting such information from broker-dealers through Bluesheet and other regulatory requests. Both the SEC’s exemptive order and FINRA’s proposal highlighted reverting to such a “request-response” system.
The SEC’s exemptive order is available at https://www.sec.gov/files/rules/sro/nms/2025/34-102386.pdf.

NYDFS Fines PayPal $2 Million for Cybersecurity Failures

On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information.
According to the consent order, in December 2022, a PayPal security analyst identified an online post describing a security gap that allowed unauthorized parties to access Forms 1099-K available on PayPal’s online platform. The forms contained PayPal customers’ unredacted personal information, including names, dates of birth and full Social Security numbers. One day after the analyst identified the issue, PayPal’s cybersecurity team noticed activity indicative of threat actors using credential stuffing to gain access to the personal information contained in the forms.
According to NYDFS, the data became exposed when PayPal changed its data flows to make the forms available to more customers. NYDFS alleged that PayPal failed to adequately train the engineering team implementing this change to implement the company’s policies and procedures designed to protect personal information with respect to the updated data flows. NYDFS also alleged that PayPal’s failure to mandate multi-factor authentication for customer accounts contributed to the unauthorized parties’ ability to access the forms.
NYDFS charged PayPal with violations of the NYDFS Cybersecurity Regulation, including the failure to provide sufficient cybersecurity training to personnel and to maintain adequate cybersecurity policies designed to protect nonpublic information, resulting in a $2 million fine against the company. The consent order notes that PayPal had cooperated with NYDFS’s investigation and implemented several corrective measures, including mandating multi-factor authentication and conducting enhanced training programs for its cybersecurity personnel and engineers.

The CJEU on the Future of (Data Protection) Works Agreements: What Changes?

The Court of Justice of the European Union (CJEU, German: EuGH) has held that collective agreements (such as works agreements) can serve as a legal basis for processing employee data only if they meet strict criteria. Below we set out the CJEU’s decision of 19 December 2024 (case number C-65/23) in more detail.
Why does this matter?
The judgment concerns one of the major questions in employee data protection in recent years: under Art. 88 GDPR, § 26(4), personal data of employees may also be processed on the basis of collective agreements (e.g. works agreements). Until now, however, it was unclear whether, and if so how much, latitude the parties to a works agreement have in shaping the agreement (and thus the processing of personal data). Can the specific circumstances of the company be addressed relatively freely, or is only a concretization of the GDPR provisions possible, so that the parties’ room for manoeuvre when drafting works agreements would be very limited?
What does the CJEU say?
Works agreements must not have the purpose or effect of circumventing the obligations of the controller or even of the processor. Otherwise the GDPR’s objective of ensuring a high level of protection for employees when their personal data are processed in the employment context would be undermined. From this the CJEU concludes:

Yes, works agreements and collective agreements can constitute a legal basis for the processing of personal data.
It is a “yes, but”: the latitude is very limited. According to the CJEU, works agreements too must meet the general requirements of Art. 5, Art. 6(1) and Art. 9(1) and (2) GDPR. Among other things, this means that a general legal basis under Art. 6(1) sentence 1 GDPR must always be present as well.
This applies in particular to compliance with the criterion of the necessity of the processing. The parties to a works agreement have a narrowly defined negotiating latitude. Works agreements must not lead to the necessity requirement being applied less strictly or being dispensed with altogether.
However: the parties to a works agreement know their business, the employees and their tasks, and the specific challenges facing the company. They therefore generally have good expertise for assessing whether the processing of employee data is “necessary” within the meaning of the GDPR in a specific occupational context. In that respect, however, there is also comprehensive judicial review to ensure compliance with all the conditions and limits of the GDPR.

What should you keep in mind now?
What is now clear: works agreements are not, in themselves, an independent legal basis. They can only ever govern the processing of employee data together with one of the legal bases in Art. 6(1) sentence 1 GDPR. Therefore, when renegotiating or revising (existing) works agreements, the GDPR legal basis that the parties consider applicable should always be expressly stated. In light of the CJEU’s judgment, the necessity of the processing of employee data must also be critically examined. The parties’ reasoning as to why they consider the processing necessary should likewise be recorded in the works agreement.
Finally, the “paperwork” surrounding the works agreement should not be forgotten. If, so far, (a) the data protection notices for employees and (b) the record of processing activities name only the works agreement as the legal basis, this must consistently be supplemented with the additional general GDPR legal basis (e.g. establishment, performance or termination of an employment contract, or the pursuit of legitimate interests).

New Direct Mail Laws: California, Here We Come

With all the preparation around 1:1 consent, a lot of marketers planned on moving away from telephone solicitations to direct mail, assuming it was a safer choice with fewer restrictions.
And, generally, it is.
Except in California.
Ah, California with your beaches and your perfect weather and your strong consumer protection laws. As of January 1, 2025, there is a new restriction on “solicitations” for “consumer financial product or service” made by physical mail in California.
Per the new rule, which stemmed from State Bill 1096, physical mail solicitations must include “in at least 16-point bold type on the front of an envelope” the following language:
“THIS IS AN ADVERTISEMENT. YOU ARE NOT REQUIRED TO MAKE ANY PAYMENT OR TAKE ANY OTHER ACTION IN RESPONSE TO THIS OFFER.”
OOF, Buzz.
What is a “consumer financial product or service”? What is a “solicitation”?
For “consumer financial product or service,” the rule uses the California Financial Code definition, which broadly defines it, in pertinent part, as: “A financial product or service that is delivered, offered, or provided for use by consumers primarily for personal, family, or household purposes.”
Therefore, this is a pretty expansive definition.
A solicitation is “any advertisement or marketing communication through writing or graphics that is directed to, or likely to give the impression of being directed to, an individually identified person, residence, or business location.”
But, it does not include mass advertisements such as catalogs, websites, or broadcast messages. It also does not include “communication via … mail … that was initiated by a consumer.” Nor does it include credit solicitations that fit the disclosure requirements under the Fair Credit Reporting Act for credit solicitations using a consumer’s credit file.
Those are pretty broad exceptions.
Essentially, completely unsolicited blind mailings are covered by this new rule if they are for a “consumer financial product or service”. For instance, if you wanted to send a mailing to everyone in a certain zip code about mortgages, then that would likely be covered.
While direct mail can be “easier” to comply with for consumer outreach, there are pitfalls. Companies that are new to direct mail should not ignore the compliance responsibilities around direct mail.

CFPB Shaken Up While Courts Address Consumer Fraud Obligations Under EFTA and Convenience Fees

The new administration continues to shake up the financial services regulatory environment. The CFPB’s new acting director indicated over the weekend that the agency will not take its next draw of funding from the Federal Reserve, noting the CFPB’s current balance as being more than sufficient. Its acting director has separately told staff to “stand down” from doing work, which has prompted lawsuits by staff. In the short term, the CFPB has already moved to stay multiple pending actions that were filed under the prior administration. Whether the CFPB will resume pursuit of the Rohit Chopra agenda remains to be seen. Notably, in the final two weeks under Chopra’s lead, the CFPB, perhaps seeing the writing on the wall in terms of the Bureau’s funding and direction or even its existence, issued a report calling for the states to pursue initiatives of the agency. See Strengthening State-Level Consumer Protections, CFPB (Jan. 14, 2025).
Some state attorneys general have not needed CFPB prompting. Attorney General Letitia James, the AG in New York, is currently pursuing an enforcement action seeking to apply the Electronic Fund Transfer Act (EFTA) to consumer wire transfers. It has generally been accepted that wire transfers are governed by Article 4 of the UCC and are exempt from the EFTA. In its suit, the New York AG nonetheless alleges that consumer wire transfers, which are becoming more prevalent, are subject to the EFTA and therefore banks and credit unions should be liable for fraudulent wire transfers. The defendant in that case filed a motion to dismiss, but the US District Court for the Southern District of New York denied it. In a 62-page order, the Court concluded it would be incompatible with the text and history of the EFTA to find that it did not apply to consumer-initiated wire transfers.
In another recent case, Booze v. Ocwen, the 11th Circuit held that it is a violation of the Fair Debt Collection Practices Act (FDCPA) to collect fees for loan payments (so-called “convenience fees”) unless they are expressly provided for in the loan documents. The defendant in that case had contracted with a third party to process payments by phone or online and was charging customers for the privilege of making payments via the intermediary. The Booze decision follows an earlier decision out of the Fourth Circuit, Alexander v. Carrington Mortgage, and a CFPB advisory opinion issued in 2022. Even if the CFPB is not around to enforce its advisory opinion, banks and credit unions that charge convenience fees should be wary of doing so because there are now two federal circuit courts of appeal that have found they violate the FDCPA.

Top Tips for Companies to Prepare for an Immigration Visit

Here are our top tips to assist companies and institutions in preparing for visits by immigration officials. The second Trump administration has set robust enforcement of the immigration laws as a top-level priority. On January 20, 2025, President Trump issued an executive order that directed all executive branch departments and agencies to “employ all lawful means” to ensure “total and efficient” enforcement of federal immigration laws. As an initial step, the Department of Homeland Security (DHS) terminated its prior “sensitive location” policy that prevented immigration enforcement activities in or near areas such as schools, medical facilities, places of worship, social service centers, daycare centers, or shelters without agency headquarters approval or exigent circumstances. In commenting on the new policy, the DHS spokesperson stated, “Criminals will no longer be able to hide in America’s schools and churches to avoid arrest. The Trump Administration will not tie the hands of our brave law enforcement, and instead trusts them to use common sense.” While we have not heard any confirmed reports of enforcement in these spaces since the rescinding of the Biden-era guidance, it would be prudent for businesses to be prepared and have a lawful response plan for visits from immigration authorities, including local police authorities, U.S. Immigration and Customs Enforcement (ICE), U.S. Customs and Border Protection (CBP), and other agencies empowered to enforce the immigration laws.

Review Your Policies. Keep in mind that immigration authorities are specialized law enforcement. Many companies already will have policies in place that instruct employees how to respond generally to inquiries by law enforcement. Therefore, companies should ensure employees are properly trained on company policies concerning how to interact with ICE or other immigration enforcement agents. If your company does not have such a policy and is in a category of spaces no longer protected as “sensitive locations,” now may be the time to study and potentially adopt appropriate policies. Companies should consider appointing “liaisons,” or other point persons at each company location, who are specially trained and authorized to interact with law enforcement. This will ensure consistency of process and help relieve stress of others who may be directly impacted by these immigration encounters.
Identify Public versus Private Areas. Companies should decide whether they want to have policies or procedures indicating a clear delineation between their public and private spaces. Immigration agents generally do not need permission to enter public areas of a business. Public spaces are general areas that are accessible not only to clients, staff, patients, or students but are accessible and available to the general public. These can include parking lots, waiting areas, hallways, lobbies, or entrances. Areas that are not open and accessible to the public are generally considered private areas, where law enforcement is accordingly not permitted without legal authority. To go beyond these public spaces into private areas, enforcement agents may need to show a warrant (more on this below), not only to apprehend a person but also to enter and search any non-public spaces of a business absent permission from the business. Given that the previous guidance prevented enforcement near protected areas without agency headquarters approval or exigent circumstances, enforcement agents likely will take advantage of accessing public spaces before seeking access to private spaces. Businesses should consider whether they wish to specifically designate public and private areas to help manage engagement with law enforcement.
Review the Warrant. If the enforcement agent is seeking access to a private space and the company decides not to consent voluntarily to such access, then an employee will need to ask to see the warrant; if the agent presents a warrant, the best place to start is to read the scope and wording of the warrant. There are several different types of warrants that can be used in immigration enforcement situations, so a lawyer or trained layperson may need to review the warrant to know what type of warrant the enforcement officer is presenting to gain access. (Samples are included at the end of this piece.)

Judicial Warrant: This is a formal written order, issued by a judicial officer, that authorizes law enforcement to make an arrest or conduct a search. This is issued by a court — typically a federal court — so you will see something like “U.S. District Court” at the top of the warrant and a signature from a judge or magistrate judge at the bottom. Pay close attention to whether the warrant allows for (1) just an arrest of a person named in the warrant, (2) a search for items on the identified person’s body, or (3) a search of a location for listed items or persons. An arrest warrant does not give law enforcement permission to enter a particular private space but does permit the agent to arrest someone listed in the warrant. A search warrant, by contrast, permits the specified enforcement agency to search a specified area (including public and private spaces) for papers, data, property, or persons and seize such listed items or identified persons. Companies should be observant during law enforcement activities on their premises, and carefully and thoroughly document law enforcement actions at all times while they are on company premises.
Administrative Warrant: An administrative warrant authorizes a law enforcement officer from a federal agency, such as ICE or CBP, to make an arrest or remove/deport someone from the country, depending on the type of administrative warrant utilized. This type of warrant is issued by a federal agency, such as ICE, not a court, and can therefore be signed by an “immigration judge” or “immigration official.” Importantly, this warrant does not authorize a search of a private area. Practically speaking, an administrative warrant does not allow agents to enter a private area to apprehend a person named in the warrant or to search an area or seize private property or information, even if the agents reasonably believe the person to be located in that area. Absent changes to the law, administrative warrants cannot be used to search premises.
“Blackie’s” Warrant: This judicial warrant, named after the case Blackie’s House of Beef v. Castillo, is a specific type of judicial warrant that does not always name or even describe the person or people sought. A Blackie’s warrant is a civil search warrant issued by a magistrate judge, which authorizes immigration agents to enter private premises for the purpose of enforcing the civil/administration provisions of law relating to exclusion and deportation. While this warrant has fallen out of favor in many jurisdictions, we may begin to see more of its use going forward. Again, this warrant may provide legal authority for enforcement agents to search a private space, without the owner’s consent, for persons unlawfully in the United States.

Consider Privacy Laws. To the extent the company is a covered entity or business associate subject to the Health Insurance Portability and Accountability Act (HIPAA), or a similar entity subject to state laws, the company will need to review a law enforcement request to ensure compliance with applicable privacy laws. Protected health information can be disclosed under HIPAA and state law in limited circumstances. HIPAA permits (but does not require) disclosing protected health information in compliance with, and as limited by the relevant requirements of, a court order or court-ordered warrant, a subpoena, or a summons. HIPAA also permits disclosure pursuant to administrative requests for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law provided all of the following are true: (1) the information sought is relevant and material to the law enforcement agency, (2) requested information is specific and limited in scope as reasonably practicable, and (3) de-identified information could not be reasonably used. There also are federal and state privacy protections in place for certain sensitive types of health information. State law can be more restrictive, so make sure your policies on responding to law enforcement take into account any relevant state law(s). The company’s existing policies and procedures should address the production of this type of information in response to law enforcement requests.
Triage. The company should request from law enforcement a reasonable amount of time to review and perform an initial assessment of the warrant, to appropriately escalate to legal counsel or a point person as needed. If it is something new or unfamiliar, seek advice from legal counsel, who should carefully review the warrant to determine the company’s obligations in interacting with law enforcement. Provide training to staff and leadership to ensure they read any paperwork provided and triage the situation. Again, appointing “liaisons” at each worksite who are specially trained and designated with authority to interact with enforcement agencies may be advisable.
Avoid Obstructing Law Enforcement. Importantly, employees should avoid obstructing law enforcement’s activities. Even if such activities appear to go beyond the scope of the warrant, interfering is not helpful and can risk criminal charges. Legal remedies for law enforcement overstepping, including unlawful searches and seizures, can be addressed later in the process. Interfering with law enforcement while they are onsite often will serve only to escalate the situation.

The immigration landscape is quickly changing under the Trump administration, but preparing for potential enforcement in advance and training employees on these issues can help your company know how best to respond to unfamiliar situations. Constitutional law provides companies with important protections from unreasonable searches and seizures by law enforcement, so consultation with legal counsel to understand those rights and obligations is critical to ensuring compliance with the law.
Please contact a member of Foley’s Immigration, Government Enforcement or Labor & Employment teams with questions, for help preparing for immigration enforcement action on site, or for further information about the federal government’s new immigration-related policies.
Samples of Warrants
Judicial Warrant for a search:

Judicial Warrant for an arrest only:

Administrative Warrant (Warrant of Removal/Deportation)

Administrative Warrant (Warrant for Arrest)

Final Rule Implementing ICTS Supply Chain Executive Order 13873 In Effect

On May 15, 2019, President Trump issued Executive Order 13873 – Securing the Information and Communications Technology and Services Supply Chain (“EO” or “EO 13873”). After taking comments on a proposed implementing rule, the Department of Commerce (“DOC” or “Secretary”), on the very eve of the Biden Administration taking office, issued an Interim Final Rule implementing the EO and establishing procedures for its review of transactions involving information and communications technology and services (ICTS) designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a “foreign adversary” that may pose undue or unacceptable risk to the US or US persons. The DOC also sought further comments on the Interim Final Rule.
Since then, the DOC announced that it had initiated certain investigations under the EO and the Interim Final Rule, and there were press reports of other investigations. Despite numerous investigations, however, the DOC has issued only one Final Determination pursuant to EO 13873 since adoption of the Interim Final Rule.
On December 6, 2024, nearly three years later, the DOC published its “Final Rule” guiding review of ICTS Transactions, amending and, in some cases, removing terms or concepts which experience has shown to be unnecessary, inefficient or ineffective. The Final Rule was effective February 4, 2025.
The DOC committed to continue to review its procedures and possibly consider future rulemakings to further clarify aspects of the regulations. The new Trump Administration may also bring further adjustments. To date, the new Trump Administration has not indicated that it has “paused” enforcement under the Final Rule, as it has to other areas of regulatory enforcement. (And of course, the EO on which the Final Rule is based was issued by President Trump in his first term.)
Highlights of key adjustments reflected in the Final Rule include the following:
Scope of covered ICTS transactions – First, the DOC noted that its reviews and investigations of “ICTS Transactions” have thus far involved the review of all ICTS Transactions involving the subject entity of the review, rather than individual transactions between the entity and other parties, because the provision of any ICTS by that entity was the basis of the undue or unacceptable risks. Second, the Final Rule further refines the ICTS Transactions subject to further review by listing broad technology categories to indicate that the DOC is concerned about ICTS Transactions involving:

Information and communications hardware and software
ICTS integral to data hosting, computing or storage that uses, processes or retains sensitive personal data; connected software applications
ICTS integral to critical infrastructure
ICTS integral to critical and emerging technologies

Definitional changes – In response to certain comments, the Final Rule added or clarified certain definitions. Examples:

New definition of “Dealing In” as used in the definition of “ICTS Transaction” – “The activity of buying, selling, reselling, receiving, licensing or acquiring ICTS, or otherwise doing or engaging in business involving the conveyance of ICTS.”
New definition of “Importation” as used in the definition of “ICTS Transaction” – “The process or activity of bringing foreign ICTS to or into the US, regardless of the means of conveyance, including via electronic transmission.”
Revised definition of “Party or Parties to a Transaction” – “A person or persons engaged in an ICTS Transaction or class of ICTS Transactions, including but not limited to the following: designer, developer, provider, buyer, purchaser, seller, transferor, licensor, broker, acquiror, intermediary (including consignee), and end user.”
Revised definition of “Person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” to exclude US citizens and permanent residents – A US citizen or permanent resident would not be considered a “person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” merely due to dual citizenship, or residency in a country controlled by a foreign adversary.
Revised definition of “Person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” – “An entity may be subject to the jurisdiction of a foreign adversary if it has a principal place of business in, is headquartered in, is incorporated in or is otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary.”

Removal of one million unit or person threshold – The Final Rule removes the previous qualification that certain ICTS Transactions that involve the use, processing or retention of sensitive personal data must include the data of more than one million US persons to be subject to review. Additionally, it removes the one-million-unit sales minimum for internet-enabled sensors, webcams or other end-point surveillance or monitoring devices; routers, modems or any other home networking device; or drones or other unmanned aerial systems. Finally, the Final Rule also removes the qualification that software designed primarily for connecting with, and communicating via, the internet be in use by over one million people to be considered ICTS for the purposes of the Rule.
Committee on Foreign Investment in the United States (CFIUS) exemption – The Final Rule clarifies that the DOC will not review an ICTS Transaction that is also a covered transaction or covered real estate transaction, provided that it is either under review, investigation or assessment by CFIUS or CFIUS has concluded all action under section 721 of the Defense Production Act of 1950, as amended.
10-year record keeping requirement – The Final Rule also clarifies that any records that a notified person must retain in connection with an ICTS Transaction must be retained for 10 years following issuance of a Final Determination, unless the Final Determination specifies otherwise. Previously there was no limit on the retention period.
Details on information provided in an Initial Determination – The Final Rule provides that the Initial Determination will provide parties with information regarding the factual basis supporting the DOC’s decision to either prohibit an ICTS Transaction or permit the ICTS Transaction with mitigation measures. As to publication of an Initial Determination, in consideration of the comments about publication of Initial Determinations, under the Final Rule the DOC retains discretion to publish a notice of an Initial Determination, rather than the full text of an Initial Determination, in the Federal Register.
Response and mitigation timing – The Final Rule does not establish a maximum timespan for imposed mitigations because the DOC continues to believe that such an across-the-board maximum would hinder the department in fully evaluating any implemented mitigations, resulting in national security vulnerabilities. The Final Rule allows an initial 30 days to respond to an Initial Determination and allows parties to seek, and the Secretary to allow for good cause shown, an extension of another 30 days. In total, parties may receive up to 60 days to respond to an Initial Determination (30 days initially with a potential 30-day extension).
Timing imposed on interagency consultation for Final Determinations – With respect to the requirement that the Secretary seek concurrence of all appropriate agency heads before issuing a Final Determination, the Secretary may presume concurrence if no response is received within 14 days from one of the appropriate agency heads or the designee of appropriate agency heads. The Final Rule also clarifies that if an agency objects to the Final Determination, the objection must be received by the Secretary within the 14 days and the objection must come from the agency’s Deputy Secretary or equivalent level.
Final Determination timeline – The Final Rule changes certain timing associated with the Final Determination process but continues to rely on the 180-day time limit despite calls to shorten the review period. To improve clarity, it revises the 180-day time limit so that it begins when a party or parties to a transaction are served a copy of an Initial Determination and grants the Secretary sole discretion to extend this timeline. The DOC declined to establish an appeals process, but reconsideration may be warranted in some cases. The Secretary is not obliged to adopt the least restrictive means to address a determined “unacceptable risk.” The Secretary is now obligated to issue a Final Determination in every case in which the Secretary has previously issued an Initial Determination. Under the Interim Final Rule, a Final Determination was only required if the Initial Determination proposed to prohibit an ICTS Transaction. Finally, publication in the Federal Register is now mandatory in any case where there is a Final Determination, not just where the Final Determination prohibits a transaction.
Penalties – The Final Rule now provides a list of activities that may lead to civil or criminal penalties. Persons can be held responsible for assisting in the violation of a Final Determination to mitigate an ICTS Transaction, through a mitigation agreement between the US Government and identified parties to an ICTS Transaction, if they have knowledge that such a mitigation agreement exists. Activities that are prohibited for those with knowledge of the existence of a mitigation agreement include aiding and abetting violations, commanding a violation, procuring a product that is prohibited, and other prohibited activities. Finally, providing false information to the DOC in connection with an ICTS Transaction under review is also prohibited.
Still no licensing regime – The DOC did not establish a licensing regime for transactions (e.g., a type of pre-clearance option contemplated by the initial rule), but it is still considering the concepts related to providing licenses.
Still no blanket exempt categories – The Final Rule applies to types of ICTS transactions most affecting US national security and does not exempt categories of industries, sectors or entities.
What is next? – The new Secretary of Commerce has yet to take his position. Nothing that he said in his nomination hearing before the Senate Commerce Committee indicated that the changes in the Final Rule would be reconsidered or rescinded, or that existing investigations would be terminated. The Secretary’s further employment of the authority embodied in the Final Rule remains to be seen, as his agenda and that of the Bureau of Industry and Security unfold. However, it seems unlikely that this tool for securing the ICTS supply chain will be abandoned. As such, more enforcement in this area is expected.