Ubisoft Defeats Privacy Lawsuit Over Meta Tracking Pixel: These Are the Key Compliance Takeaways You Need to Know
As privacy litigation over tracking pixels continues to surge, a recent decision out of California offers a clear win for companies that implement strong consent mechanisms.
In Lakes v. Ubisoft, Inc., 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025), Plaintiffs Trevor Lakes and Alex Rajjoub filed a class action against Defendant Ubisoft, Inc., a video game company, alleging violations of the Video Privacy Protection Act (VPPA), California’s Invasion of Privacy Act (CIPA), and the Electronic Communications Privacy Act (ECPA).
According to Plaintiffs, their claims arose when they visited Ubisoft’s website (the “Website”) to download games while logged into their respective Facebook accounts. Plaintiffs alleged that Ubisoft installed a Meta/Facebook tracking pixel on the Website, which disclosed their personally identifiable information to Meta. The allegedly disclosed information included the consumers’ unique and unencrypted Facebook ID, a cookie containing an encrypted Facebook ID, and their Video Request Data.
Plaintiffs sought to represent the following classes:
All PII Users on the Website that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “Class”).
All PII Users, who reside and used the Website in California, that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “California Subclass”).
Ubisoft filed a motion to dismiss and requested judicial notice of its Website and the policies publicly available on the Website, including its Privacy Policy, Cookies Settings, and Website Cookies Banner. Ubisoft contended that these were necessary for the Court to have a complete picture of a user’s journey, what the user consents to, and the policies they are provided and agree to. The request for judicial notice was granted for specific portions of the Ubisoft Website.
On the Website’s landing page, a first-time user is presented with a Cookie Banner notifying them that by clicking “OK” and “continuing to navigate on the site” they “accept the use of cookies by Ubisoft and its partners to offer advertising adapted to [their] interests.” If a user clicks on the “set your cookies” hyperlink in the banner, a pop-up appears with more detailed options to change cookie preferences.
To make any purchases on the Website, a user must first create a Ubisoft account and affirmatively accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy, which are all hyperlinked on the Website. Ubisoft’s Privacy Policy informs users that their information will be shared with third parties and outlines how users can withdraw their consent. After agreeing to the Privacy Policy and consenting to the sharing of data during account creation, a user is once again presented with the Privacy Policy every time they make a purchase on the Website.
In light of the above processes, Ubisoft argued that all of Plaintiffs’ claims fail because Plaintiffs were repeatedly informed of, and consented to, the use of cookies and pixels on the Website. The Court agreed, finding that Ubisoft’s disclosures clearly state that it allows partners to use cookies on the Website, that specific analytics and personalization cookies would be used, and that cookie identifiers and other similar data connected to the use of the site could be collected and shared.
In doing so, the Court rejected Plaintiffs’ assertion that a granular disclosure stating that Meta will collect Plaintiffs’ “video game titles combined with unique Facebook identifiers” was required to obtain actual consent. Here, the Privacy Policy explicitly disclosed that Ubisoft uses technologies such as cookies to collect game, login, and browsing data, and that Ubisoft allows its partners to set and access user cookies. This was found to be sufficient, because “a reasonable user would understand from the Privacy Policy that he or she is consenting to the use of cookies including by third parties.”
“[A] reasonable user would understand from the Privacy Policy that he or she is consenting to the use of cookies including by third parties.”
Therefore, the Court granted Ubisoft’s motion to dismiss the complaint in its entirety, with prejudice. The Court concluded that granting Plaintiffs leave to amend would be futile because they cannot overcome the issue of consent.
The most important takeaway here is the need for businesses to maintain proper consent and disclosure mechanisms – include a cookie disclosure on the website landing page, clearly inform users what data you collect and who you share it with, and allow users to customize non-essential cookies. Although, a Pennsylvania court held that a privacy policy contained in a browsewrap agreement gave users constructive notice of a website’s use of tracking software, affirmative consent obtained via a clickwrap agreement worked in Ubisoft’s favor here. Finally, make sure your privacy policy is accurate and up to date.
Ultimately, this ruling underscores how detailed, user-facing consent flows and transparent data-sharing policies remain critical defenses in privacy litigation.
Combatting Scams in Australia, Singapore, China and Hong Kong
Key Points:
Singapore’s Shared Responsibility Framework
Comparing scams regulation in Australia, Singapore and the UK
China’s Anti-Telecom and Online Fraud Law
Hong Kong’s Anti-Scam Consumer Protection Charter and Suspicious Account Alert Regime
The increased reliance on digital communication and online banking has created greater potential for digitally-enabled scams. If not appropriately addressed, scam losses may undermine confidence in digital systems, resulting in costs and inefficiencies across industries. In response to increasingly sophisticated scam activities, countries around the world have sought to develop and implement regulatory interventions to mitigate growing financial losses from digital fraud. So far in our scam series, we have explored the regulatory responses in Australia and the UK. In this publication, we take a look at the regulatory environments in Singapore, China and Hong Kong, and consider how they might inform Australia’s industry-specific codes.
SINGAPORE
Shared Responsibility Framework
In December 2024, Singapore’s Shared Responsibility Framework (SRF) came into force. The SRF, which is overseen by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA), seeks to preserve confidence in digital payments and banking systems by strengthening accountability of the banking and telecommunications sectors while emphasising individuals’ responsibility for vigilance against scams.
Types of Scams Covered
Unlike reforms in the UK and Australia, the SRF explicitly excludes scams involving authorised payments by the victim to the scammer. Rather, the SRF seeks to address phishing scams with a digital nexus. To fall within the scope of the SRF, the transaction must satisfy the following elements:
The scam must be perpetrated through the impersonation of a legitimate business or government entity;
The scammer (or impersonator) must use a digital messaging platform to obtain the account user’s credentials;
The account user must enter their credentials on a fabricated digital platform; and
The fraudulently obtained credentials must be used to perform transactions that the account user did not authorise.
Duties of Financial Institutions
The SRF imposes a range of obligations on financial institutions (FIs) in order to minimise customers’ exposure to scam losses in the event their account information is compromised. These obligations are detailed in table 1 below.
Table 1
Obligation
Description
12-hour cooling off period
Where an activity is deemed “high-risk”, FIs must impose a 12-hour cooling off period upon activation of a digital security token. During this period, no high-risk activities can be performed.
An activity is deemed to be “high-risk” if it might enable a scammer to quickly transfer a large sum of money to a third party without triggering a customer alert. Examples include:
Addition of new payee to the customer’s account;
Increasing transaction limits;
Disabling transaction notification alerts; and
Changing contact information.
Notifications for activation of digital security tokens
FIs must provide real-time notifications when a digital security token is activated or a high-risk activity occurs. When paired with the cooling off period, this obligation increases the likelihood that unauthorised account access is brought to the attention of the customer before funds can be stolen.
Outgoing transaction alerts
FIs must provide real-time alerts when outgoing transactions are made.
24/7 reporting channels with self-service kill switch
FIs must have in place 24/7 reporting channels which allow for the prompt reporting of unauthorised account access or use. This capability must include a self-service kill-switch enabling customers to block further mobile or online access to their account, thereby preventing further unauthorised transactions.
Duties of Telecommunications Providers
In addition to the obligations imposed on FIs, the SRF creates three duties for telecommunications service providers (TSPs). These duties are set out in table 2 below.
Table 2
Obligation
Description
Connect only with authorised alphanumeric senders
In order to safeguard customers against scams, any organisation wishing to send short message service (SMS) messages using an alphanumeric sender ID (ASID) must be registered and licensed. TSPs must block the sending of SMS messages using ASIDs if the sending organisation is not appropriately registered and licensed.
Block any message sent using an unauthorised ASID
Where the ASID is not registered, the TSP must prevent the message from reaching the intended recipient by blocking the sender.
Implement anti-scam filters
TSPs must implement anti-scam filters which scan each SMS for malicious elements. Where a malicious link is detected, the system must block the SMS to prevent it from reaching the intended recipient.
Responsibility Waterfall
Similar to the UK’s Reimbursement Rules explored in our second article, the SRF provides for the sharing of liability for scam losses. However, unlike the UK model, the SRF will only require an entity to reimburse the victim where there has been a breach of the SRF. The following flowchart outlines how the victim’s loss will be assigned.
HOW DOES THE SRF COMPARE TO THE MODELS IN AUSTRALIA AND THE UK?
Scam Coverage
The type of scams covered by Singapore’s SRF differ significantly to those covered by the Australian and UK models. In Australia and the UK, scams regulation targets situations in which customers have been deceived into authorising the transfer of money out of their account. In contrast, Singapore’s SRF expressly excludes any scam involving the authorised transfer of money. The SRF instead targets phishing scams where the perpetrator obtains personal details in order to gain unauthorised access to the victim’s funds.
Entities Captured
Australia’s Scams Prevention Framework (SPF) covers the widest range of sectors, imposing obligations on entities operating within the banking and telecommunications sectors as well as any digital platform service providers which offer social media, paid search engine advertising or direct messaging services. The explanatory materials note an intention to extend the application of the SPF to new sectors as the scams environment continues to evolve.
In contrast, the UK’s Reimbursement Rules only apply to payment service providers using the faster payments system with the added requirement that the victim or perpetrator’s account be held in the UK. Any account provided by a credit union, municipal bank or national savings bank will be outside the scope of the Reimbursement Rules.
Falling in-between these two models is Singapore’s SRF which applies to FIs and TSPs.
Liability for Losses
Once again, the extent to which financial institutions are held liable for failing to protect customers against scam losses in Singapore lies somewhere between the Australian and UK approaches. Similar to Singapore’s responsibility waterfall, a financial institution in Australia will be held accountable only if the institution has breached its obligations under the SPF. However, unlike the requirement to reimburse victims for losses in Singapore, Australia’s financial institutions will be held accountable through the imposition of administrative penalties. In contrast, the UK’s Reimbursement Rules provide for automatic financial liability for 100% of the customer’s scam losses, up to the maximum reimbursable amount, to be divided equally where two financial institutions are involved.
CHINA
Anti-Telecom and Online Fraud Law of the People’s Republic of China
China’s law on countering Telecommunications Network Fraud (TNF) requires TSPs, Banking FIs and internet service providers (ISPs) to establish internal mechanisms to prevent and control fraud risks. Entities failing to comply with their legal obligations may be fined the equivalent of up to approximately AU$1.05 million. In serious cases, business licences or operational permits may be suspended until an entity can demonstrate it has taken corrective action to ensure future compliance.
Scope
China’s anti-scam regulation defines TNF as the use of telecommunication network technology to take public or private property by fraud through remote and contactless methods. Accordingly, it extends to instances in which funds are transferred without the owner’s authorisation. To fall within the scope of China’s law, the fraud must be carried out in mainland China or externally by a citizen of mainland China, or target individuals in mainland China.
Obligations of Banking FIs
Banking FIs are required to implement risk management measures to prevent accounts being used for TNF. Appropriate policies and procedures may include:
Conducting due diligence on all new clients;
Identifying all beneficial owners of funds:
Requiring frequent verification of identity for high-risk accounts:
Delaying payment clearance for abnormal or suspicious transactions: and
Limiting or suspending operation of flagged accounts.
The People’s Bank of China and the State Council body are responsible for the oversight and management of Banking FIs. The anti-scams law provides for the creation of inter-institutional mechanisms for the sharing of risk information. All Banking FIs are required to provide information on new account openings as well as any indicators of risk identified when conducting initial client due diligence.
Obligations of TSPs and ISPs
TSPs and ISPs are similarly required to implement internal policies and procedures for risk prevention and control in order to prevent TNF. This includes an obligation to implement a true identity registration system for all telephone/internet users. Where a subscriber identity module (SIM) card or internet protocol (IP) address has been linked to fraud, TSPs/ISPs must take action to verify the identity of the owner of the SIM/IP address.
HONG KONG
Hong Kong lacks legislation which specifically deals with scams. However, a range of non-legal strategies have been adopted by the Hong Kong Monetary Authority (HKMA) in order to address the increasing threat of digital fraud.
Anti-Scam Consumer Protection Charter
The Anti-Scam Consumer Protection Charter (Charter) was developed in collaboration with the Hong Kong Association of Banks. The Charter aims to guard customers against digital fraud such as credit card scams by committing to take protective actions. All 23 of Hong Kong’s card issuing banks are participating institutions.
Under the Charter, participating institutions agree to:
Refrain from sending electronic messages containing embedded hyperlinks. This allows customers to easily identify that any such message is a scam.
Raise public awareness of common digital fraud.
Provide customers with appropriate channels to allow them to make enquiries for the purpose of verifying the authenticity of communications and training frontline staff to provide such support.
More recently, the Anti-Scam Consumer Protection Charter 2.0 was created to extend the commitments to businesses operating in a wider range of industries including:
Retail banking;
Insurance (including insurance broking);
Trustees approved under the Mandatory Provident Fund Scheme; and
Corporations licensed under the Securities and Futures Ordinance.
Suspicious Account Alerts
In cooperation with Hong Kong’s Police Force and the Association of Banks, the HKMA rolled out suspicious account alerts. Under this mechanism, customers have access to Scameter which is a downloadable scam and pitfall search engine. After downloading the Scameter application to their device, customers will receive real-time alerts of the fraud risk of:
Bank accounts prior to making an electronic funds transfer;
Phone numbers based on incoming calls; and
Websites upon launch of the site by the customer.
In addition to receiving real-time alerts, users can also manually search accounts, numbers or websites in order to determine the associated fraud risk.
Scameter is similar to Australia’s Scamwatch, which provides educational resources to assist individuals in protecting themselves against scams. Users can access information about different types of scams and how to avoid falling victim to these. Scamwatch also issues alerts about known scams and provides a platform for users to report scams they have come across.
KEY TAKEAWAYS
Domestic responses to the threat of scams appear to differ significantly. Legal approaches explored so far in this series target financial and telecommunications sectors, seeking to influence entities in these industries to adopt proactive measures to prevent, detect and respond to scams. While the UK aims to achieve this by placing the financial burden of scam losses on banks, China and Australia adopt a different approach by imposing penalties on entities failing to comply with their legal obligations. Singapore has opted for a blended approach whereby entities which have failed to comply with the legal obligations under the SRF will be required to reimburse customers who have fallen victim to a scam. However, where the entities involved have met their legal duties, the customer will continue to bear the loss.
Look out for our next article in our scams series.
The authors would like to thank graduate Tamsyn Sharpe for her contribution to this legal insight.
CONSORTIUM OF PRIVACY REGULATORS: Eight States Announce Bipartisan Consumer Privacy Initiative
Eight state regulators have announced a bipartisan initiative to coordinate the implementation and enforcement of their privacy laws. The Consortium of Privacy Regulators includes the California Privacy Protection Agency (“CPPA”) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.
According to an announcement on the CPPA’s website, the Consortium’s goals include facilitating discussions on privacy law and protecting consumer privacy across jurisdictions. The CPPA notes that although each state has its own consumer privacy law, they share certain fundamental features such as rights to access, delete, and stop the sale of personal information, and similar obligations on businesses to protect consumer data.
“We’re proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms. The Consortium reflects this shared commitment—now and for the future.” – Michael Macko, CPPA’s head of enforcement
The CPPA has been one of the most active state agencies in the privacy arena. While this new initiative certainly signals more enforcement actions on the horizon, an inter-state coordinated effort may lead to some amount of uniformity and predictability amidst a patchwork regulatory framework.
You can read the CPPA’s announcement here: State Regulators Form Bipartisan Consortium to Collaborate on Privacy Issues
Powering Africa’s Digital Future: The Challenge of Energy for Data Center Development
As the global economy increasingly digitizes, the infrastructure supporting this shift must evolve accordingly. In Africa, where the demand for digital services is surging — fueled by mobile penetration, fintech innovation, and a young, connected population — the case for expanding data center capacity is clear. However, the continent’s potential is hindered by underdeveloped energy infrastructure, presenting a significant bottleneck.
Why Data Centers Matter
Data centers form the backbone of digital transformation, underpinning cloud storage, AI applications, e-commerce platforms, and digital government services. According to the International Energy Agency (IEA), global electricity consumption by data centers is projected to exceed 800 TWh by 2026, up from 460 TWh in 2022. A significant portion of this demand comes from generative AI and machine learning applications, which consume up to 10 times more energy than traditional searches.
Africa, despite being one of the fastest-growing regions for digital adoption, accounts for less than 1% of the world’s data center capacity. The Africa Data Centres Association estimates that the continent requires at least 1,000 MW of new capacity across 700 facilities to meet demand. Yet, meeting this need will depend not only on digital infrastructure investments but also on solving a persistent and costly energy challenge.
The Energy Challenge: Costs, Capacity, and Volatility
Data center development will play a pivotal role in ensuring digital sovereignty and fostering a resilient, domestically-driven digital economy in Africa.
Sub-Saharan Africa exemplifies both the promise and the challenges of this transformation. While demand for digital services is accelerating, access to reliable energy remains a major obstacle. Many countries across the region grapple with limited energy access, high electricity costs, and outdated infrastructure characterized by frequent outages and heavy reliance on imported fuel sources.
This interplay of costs and reliability poses significant challenges for energy-intensive data centers. According to recent industry analysis, energy supply has emerged as the single most critical issue facing digital infrastructure investors. As demand for electricity rises—driven by AI, cloud computing, and the digitization of public services—grid expansion is struggling to keep pace. As a result, securing reliable, affordable power is now a top strategic priority for data center developers and investors alike.
Despite these challenges, several sub-Saharan countries—including Côte d’Ivoire, Gabon, and Senegal—are making significant progress. While legacy grid issues persist, these countries are actively investing in renewable energy projects that could create the enabling environment needed for sustainable data center growth.
Côte d’Ivoire: In June 2023, the country launched its largest solar power plant in Boundiali, delivering 37.5 MWp of capacity with an expansion target of 83 MWp by 2025. This project aligns with Côte d’Ivoire’s national goal to source 45% of its electricity from renewable energy by 2030.
Senegal: The Taiba N’Diaye Wind Farm, commissioned in 2021, is West Africa’s largest wind energy project, with a total capacity of 158 MW. It plays a central role in Senegal’s broader strategy to diversify its energy mix and reduce dependence on imported fossil fuels.
Gabon: Though less frequently spotlighted, Gabon is actively positioning itself as a renewable energy leader in Central Africa. In 2021, the government launched a hydropower development strategy to boost clean energy capacity. Notably, the Kinguélé Aval Hydroelectric Project, co-financed by the African Development Bank and IFC, will add 35 MW of capacity upon completion and help stabilize electricity supply in the Estuaire province, home to Libreville—the capital and potential hub for digital infrastructure. Gabon has also attracted investment in solar hybrid systems for rural electrification, aiming to reduce diesel reliance and support the decentralization of energy access. These initiatives create a more stable power framework suitable for future data center deployment.
Lessons from Leading Data Center Markets
Morocco is emerging as a pivotal player in North Africa’s data center market, driven by international energy investments and its strategic position connecting Europe, Africa, and the Middle East. Major global tech companies, including Oracle, Microsoft, Google, and Amazon Web Services (AWS), are drawn to Morocco’s rapidly expanding digital economy and its modern infrastructure. The country is fostering a favorable environment for data center growth through government-backed initiatives that enhance ICT infrastructure, making Morocco an attractive destination for both local and international data center operators.
The country’s stability and investments in renewable energy further position it as a sustainable choice for data center operations. With projects like those from Africa Data Centres, Gulf Data Hub, and N-ONE Datacenters, Morocco’s growing data center ecosystem is poised to meet the increasing demand for cloud computing and data storage across North Africa and beyond. By 2028, Morocco is expected to be a key hub for digital services, offering world-class data center facilities.
Looking to other pioneers in the continent, countries like Kenya and South Africa offer valuable lessons. Kenya, rich in geothermal resources, has attracted significant investments such as a $1 billion geothermal-powered data center from Microsoft and G42. This clean, non-intermittent energy solution provides a reliable power source for data centers. Similarly, South Africa is leading solar integration, with projects like the 12 MW solar farm being developed by Africa Data Centres and Distributed Power Africa, designed to power critical centers like Johannesburg and Cape Town. Such initiatives showcase the potential for public-private partnerships to address challenges of grid unreliability and position Africa as a growing leader in sustainable data center infrastructure.
These examples underscore the importance of strategic planning, infrastructure investment, and the integration of renewable energy sources in building resilient, sustainable data centers.
Policy and Legal Implications
From a legal perspective, developing a data center project requires meticulous contractual structuring. Long-term Power Purchase Agreements (PPAs) and Behind-the-Meter (BtM) agreements introduce project-specific risks — notably, the risk that delays in one part of the project (either the power plant or the data center) could lead to disruptions. Legal advisors must anticipate and address potential regulatory challenges, grid permitting complexities, and the need for future-proofing clauses to safeguard the project’s viability.
A comprehensive review of existing legislation, identification of key obstacles, and potential time-consuming issues (such as securing land) are crucial steps in ensuring the project’s success. Moreover, structuring energy supply projects to support data center operations is fundamental for ensuring the project’s bankability.
Conclusion: A Call to Action
Africa stands at a crossroads: with the right investments in both digital and energy infrastructure, the continent could leapfrog into a new era of economic autonomy and technological resilience. However, if energy bottlenecks are not addressed head-on, Africa risks falling behind just as the world accelerates into a data-driven future.
The roadmap is clear: invest in renewables, embrace innovative models like BtM PPAs, partner across sectors, and establish clear regulatory frameworks. Energy is no longer a background concern for digital infrastructure investors — it is the cornerstone. Data center growth and power sector development must now proceed hand-in-hand.
For Africa, this is not just a technical challenge — it is a strategic imperative.
Cross-Border Catch-Up: The Growing Global Trend of the Right to Disconnect [Podcast]
In this episode of our Cross-Border Catch-Up podcast series, Lina Fernandez (Boston) and Kate Thompson (New York/Boston) discuss the growing trend of “right to disconnect” laws that permit employees to disengage from work-related communications and activities during non-working hours. Kate and Lina explore how right-to-disconnect legislation is being implemented in various countries, including Spain, Peru, Colombia, Thailand, and Canada. Lina and Kate also highlight the importance for global employers to stay informed and compliant with these evolving regulations.
TRAPPED: Appellate Court Holds Realtor.Com Cannot Compel Arbitration in TCPA Class Action On Lead Gen Form Sold to Subsidiary
Really important case for everyone in leadgen to pay attention to.
The lead generation industry continues to create TCPA risk for lead buyers– and even seemingly valid leads can cause a bunch of trouble if lead buyers don’t handle data correctly.
The case against Realtor.com involving leads sold by a website operator to Opcity, Inc.–a subsidiary of Move.com who operates as Realtor–is a great example.
In Faucett v. Move,Inc. 2025 WL 1112935 (9th Cir. 2025) the Court of Appeals upheld a district court’s ruling refusing to enforce an arbitration provision in favor of Move.com.
The underlying facts are pretty straightforward.
Guy allegedly visited HudHomesUSA.org and filled out a consent form and accepted an arbitration agreement.
The consent form included Opcity and the website operator sold the lead to Opcity (not clear if it was sold directly or through aggregators.) However the arbitration agreement operated only in favor of the website operator and its “affiliates.”
Opcity somehow allegedly transferred the lead to Move.com who allegedly made outbound calls to Plaintiff in reliance on the lead.
Plaintiff sued Move.com who tried to enforce the arbitration agreement arguing it was an “affiliate” of the website operator. The lower court and appellate courts both disagreed.
The courts determined Opcity was likely not an affiliate of the website operator because the terms implied a corporate relationship in this context and none existed. But even if one did exist via contract between Opcity and the website operator, Move.com had no such relationship and it was a separate entity from Opcity.
Further although Opcity was on the lead form that was not sufficient to expand the reach of the arbitration agreement to it, and even if OpCity could be viewed as a third-party beneficiary of the consent form–unclear–Move.com certainly could not be because it was not on the consent form.
So the take away here is that arbitration clauses in leadgen forms likely DO NOT extend to all marketing partners on a hyperlink and DEFINITELY DO NOT extend to entities related to those marketing partners.
To avoid results like these lead buyers should REQUIRE lead sellers to NAME THEM not just on marketing partners pages but also on arbitration provisions. Stated alternatively, the arbitration and consent provisions on lead generation websites should be co-extensive. So the parties bound by arbitration provisions on lead generation websites should include all marketing partners on the list!
TCPA REVOCATION LESSON: Cenlar’s $714,000.00 TCPA Revocation Settlement Arrives Just In Time to Crystalize Risk
So last Friday the FCC’s new TCPA revocation order went into effect.
While the nastiest parts of the ruling were stayed for one year thanks in large part to the major banks–thanks ABA/MBA and the rest of you!–a good portion of the rule did go into effect.
For those who are not on their revocation game and properly tracking requests the final approval order in a new TCPA class settlement arrives just in time to help you change your ways!
In Kamrava v. Cenlar 2025 WL 1116851 (C.D. Cal April 14, 2025) the court granted final approval to Cenlar’s settlement of a TCPA class involving servicing calls made after revocation of consent.
In many ways this was a throw back case as revocation classes have fallen by the wayside in recent years– leading to less focus on getting it right in some circles. Indeed, the case was filed way back in 2020 and is something of an oddity in today’s TCPAWorld landscape. However, the FCC’s new ruling supercharges risk here, which is why the settlement is so important.
The classes in Kamrava are as follows:
All persons within the United States who received an automated call to their cellular telephone, after revocation of consent, within the TCPA Class Period from defendant or a loan servicer on whose behalf Defendant was sub-servicing, its employees or its agents (the “TCPA Settlement Class”).and
All persons with addresses within the State of California who requested in writing that Defendant or the loan servicer on whose behalf Defendant was sub-servicing to stop contacting them and thereafter (i) received a letter asking them to sign and return a form confirming their cease-and-desist request or (ii) received at least one subsequent telephone call within the RFDCPA Sub-Class Period (the “RFDCPA Settlement Sub-Class”).
I was not involved in the case but I would guess what happened here is Cenlar was only temporarily stopping calls in response to an oral revocation request and then sending out a written letter which, if not returned within a certain timeframe, would result in calls beginning anew.
Thee claims arise between tension between TCPA and FDCPA/RFDCPA revocation rules. Under the debt collection statutes only written requests to stop calls must be honored. But under the TCPA any reasonable means of conveying a revocation is effective– so calls using regulated technology must stop immediately, even if manually launched calls may continue.
Its all part of a thicket of arcane TCPA requirements that can twist an ankle or skin a knee. And in this case Cenlar got snagged for nearly three quarters of a million dollars.
Whistleblower Alleges Disturbing Data Breach Risks at the NLRB Involving Musk-Linked “DOGE” Team
A recent report from National Public Radio (NPR) has detailed alarming allegations of data mishandling and security breaches at the National Labor Relations Board (NLRB). The whistleblower, Daniel Berulis, an information technology (IT) employee with the NLRB, alleges a series of alarming actions taken by Elon Musk’s “Department of Government Efficiency” (DOGE) team. Mr. Berulis’s complaint describes multiple instances of unauthorized system access, suspicious data exportation, and attempts to conceal DOGE’s activities within the NLRB systems. The allegations raise serious concerns about the security of sensitive labor data and the potential for conflicts of interest involving Mr. Musk.
Details of the Whistleblower Allegations
According to the whistleblower, the DOGE team arrived at the agency in March 2025 demanding and receiving “tenant owner level” access to the NLRB’s internal computer systems, granting them virtually unrestricted permission to view, copy, and alter data.
Mr. Berulis reports that this data includes “information about ongoing contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly.”
Because DOGE received this high-level access without the common security constraints that monitor network activity, Mr. Berulis had limited ability to track any potential breaches in real time. However, Mr. Berulis was later able to put together “puzzle pieces” to track a significant increase of data leaving the NLRB’s network, potentially including sensitive information about union organizing efforts, ongoing legal cases, and confidential corporate secrets. Even when external parties are granted access to such data, it almost never leaves the NLRB system. Additionally, the IT team detected suspicious login attempts from a Russian IP address using one of the newly created DOGE accounts “within minutes” of DOGE accessing the NLRB’s systems, raising further concerns about a potential breach.
Upon reporting his concerns to Congress, the U.S. Office of Special Counsel, which investigates complaints by federal government whistleblowers, and internally to the NLRB, Mr. Berulis experienced suspected acts of retaliation, including someone “physically taping a threatening note” to his door that included sensitive personal information and a photo of him walking his dog.
A Chilling Effect for Workers… and Employers
The possibility that NLRB records may have been copied and exported from the agency may create a severe chilling effect for employees everywhere who turn to the agency for protection.
One expert commented to NPR that these breaches were so severe that if this were “a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn’t exercise the more prudent standard practice of copying the data to encrypted and local media for escort.”
The NPR report notes that in addition to creating risks for individuals trying to organize, leaked data may also reveal internal business planning for companies who are facing unfair labor practice complaints, or even trade secrets.
Potential Conflicts of Interest
The report raised that concerns of potential conflicts of interest between Musk and the NLRB, including an ongoing lawsuit between Musk’s company, SpaceX, and the agency in which SpaceX challenges the constitutionality of the NLRB’s structure.
Several lawsuits have been filed DOGE’s activities at other agencies related to its management of Americans’ data, including Social Security information, IRS records, and other agency records.
Help is available for whistleblowers
The Whistleblower Protection Act (WPA) protects federal government employees from certain adverse employment actions that occur because they disclosed information relating to unlawful activities or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.”
China Publishes Q&A on Administrative Policies for the Security of Cross-border Transfers
On April 9, 2025, the Cyberspace Administration of China (“CAC”) published a Q&A related to administrative policies on the security of cross-border transfers. Below is a list of certain of the questions published by the CAC each with a summary of the response from the CAC.
How can consistency of the criteria for the negative lists in different Pilot Free Trade Zones (“Pilot FTZs”) be ensured?
Pursuant to the Provisions on Facilitating and Regulating Cross-border Data Flow (the “Provisions”), the Pilot FTZs may each formulate their own negative list under the framework of the data classification and categorization protection. If a Pilot FTZ has issued a negative list, other Pilot FTZs in the same industry can adopt the issued negative list to avoid duplication. Currently, the negative list has covered 17 industries including automobile, drug, retail, civil aviation, re-insurance, deep sea field and seed industry
How should the necessity of cross-border transfers be understood and determined?
Pursuant to Articles 6 and 19 of the Personal Information Protection Law, the considerations for determining “necessity” include whether the processing of personal information:
is directly related to the purpose of the processing;
has minimal impact on individuals rights;
is limited to the minimum scope necessary to achieve the purpose; and
the retention period is limited to the shortest time necessary to achieve the purpose.
Therefore, an assessment on the necessity of a cross-border transfer must focus on the necessity of the cross-border transfer itself, the number of individuals impacted, and the necessity of the scope of data elements of the transfer. The CAC and the relevant competent industrial authorities intend to jointly refine and clarify the business scenarios of cross-border transfers in specific industries and provide more detailed guidelines in the future.
Can important data be transferred outside of China?
Yes, important data can be transferred outside of China if a security assessment determines that the transfer will not harm national security or public interest. As of March 2025, the CAC had completed 298 applications for security assessment on cross-border transfers, of which 44 applications involved important data and seven applications failed, which means the failure rate is only 15.9%. In these 44 applications, there are total 509 important data elements, among which 325 elements were approved for transfer and the pass rate is 64.9%.
Are there any more convenient channels for cross-border transfers between group companies?
If the scenarios for the cross-border transfers for multiple Chinese subsidiaries belonging to one group company are similar, it is permitted for the group company, as the applicant, to submit one consolidated application for security assessment or one consolidated filing of the standard contract (“SC”) for cross-border transfers.
Alternatively, if either of the Chinese affiliate and the oversea recipient obtains the certification for cross-border transfer, the relevant entities can carry out the data transfer activities within the certified scope. If a group company obtains such certification, it is permitted to transfer data within the group without concluding separate SCs with the affiliates in each country/region.
Is there a specific process for extending the validity period of cross-border data transfer related security assessment results?
The Provisions extend the validity period of the assessment results from two years to three years. Upon expiration of the validity period, if the data handler continues to carry out cross-border activities without any circumstances requiring re-application for a security assessment, it may apply to the local cyberspace administration authority for an extension 60 business days before the expiration of the validity period. The validity period of the security assessment results can then be extended for another three years. The CAC intends to revise and issue relevant policies related to the extension procedure to make conditions for cross-border transfers more convenient.
The More You Know Can Hurt You: Court Rules Financial Institutions Need ‘Actual Knowledge’ of Mismatches for ACH Scam Liability
On March 26, the US Court of Appeals for the Fourth Circuit issued a decision that has important ramifications for banks and credit unions that process millions of Automated Clearing House (ACH) and Electronic Funds Transfer (EFT) transactions daily, some of which are fraudulent or “phishing scams.” In Studco Buildings Systems US, LLC v. 1st Advantage Federal Credit Union, No. 23-1148, 2025 WL 907858 (4th Cir. amended Apr. 2, 2025), the Fourth Circuit held that financial institutions typically have no duty to investigate name and account number mismatches — commonly referred to as “misdescription of beneficiary.” Instead, they can rely strictly on the account number identified before disbursing the funds received. The financial institution will only face potential liability for the fraudulent transfer if it has “actual knowledge” that the name and the account number do not match the account into which funds are to be deposited.
A Phishing Scam Results in Misdirected Electronic Transfers
A metal fabricator (Studco) was the victim of a phishing scam in which hackers penetrated its email systems. Once inside, the scammers impersonated Studco’s metal supplier (Olympic Steel, Inc.) and sent an email with new ACH/EFT payment instructions purporting to be those of Olympic Steel. The instructions designated Olympic’s “new account” at 1st Advantage Credit Union for all future invoice payments. The new account number, however, had no association with Olympic and was controlled by scammers in Africa.
Studco failed to recognize certain red flags in the payment instructions and sent four payments totaling over $550,000. Studco sued 1st Advantage for reimbursement, alleging the credit union negligently “fail[ed] to discover that the scammers had misdescribed the account into which the ACH funds were to be deposited.” Studco claimed that 1st Advantage was liable under Virginia’s version of UCC § 4A-207 because it completed the transfer of funds to “an account for which the name did not match the account number.” Following a bench trial, the district court entered judgment in Studco’s favor for $558,868.71, plus attorneys’ fees and costs. It found that 1st Advantage “failed to act ‘in a commercially reasonable manner or exercise ordinary care'” in posting the transfers to the account in question.
UCC § 4A-207 and Financial Institution Duties and Liability
1st Advantage appealed, and the Fourth Circuit reversed. The Court began by noting that Studco itself failed to spot warning signs in the imposter’s emails: the domain did not match Olympic’s email domain; the new account was at a credit union in Virginia, not Ohio (where Olympic was based); and there were multiple grammatical and “non-sensical” errors contained in the imposter’s instructions.
The Court then turned to 1st Advantage and whether it had a duty to act on any mismatch between the name on the payment instructions (Olympic) and the account number (a credit union customer with no obvious association to Olympic). It first noted the absence of actual knowledge by the credit union. 1st Advantage used a system known as DataSafe that monitored ACH transfers. The Court observed that the “DataSafe system generated hundreds to thousands of warnings related to mismatched names on a daily basis, but the system did not notify anyone when a warning was generated, nor did 1st Advantage review the reports as a matter of course.” The Court further noted that the DataSafe system generated a “warning of the mismatch: ‘Tape name does not contain file last name TAYLOR'” which was the name of the credit union’s account holder, not Olympic.
The Court then assessed Virginia’s version of § 4A-207(b)(1), Va. Code Ann. § 8.4A-207(b)(1), which says in relevant part: “‘If a payment order received by the beneficiary’s bank identifies the beneficiary both by name and by an identifying or bank account number and the name and number identify different persons’ and if ‘the beneficiary’s bank does not know that the name and number refer to different persons,’ the beneficiary’s bank ‘may rely on the number as the proper identification of the beneficiary of the order.'” The Court further noted that the provision states that “[t]he beneficiary’s bank need not determine whether the name and number refer to the same person.” Based upon this, the Court concluded that it “protects the beneficiary’s bank from any liability when it deposits funds into the account for which a number was provided in the payment order, even if the name does not match, so long as it “does not know that the name and number refer to different persons.” [Emphasis added.] Studco argued that constructive knowledge was sufficient or could be imputed to 1st Advantage. The Court disagreed, concluding that “knowledge means actual knowledge, not imputed knowledge or constructive knowledge” and that a “beneficiary’s bank has ‘no duty to determine whether there is a conflict’ between the account number and the name of the beneficiary, and the bank ‘may rely on the number as the proper identification of the beneficiary.'”
In the concurring opinion, however, one judge disagreed that there was no evidence of actual knowledge because 1st Advantage may have received actual knowledge of the misdescription when an investigation of a Federal Office of Foreign Asset Control (OFAC) alert led to a review of the transfers at issue. Because the first two (of four) overseas transfers from the infiltrated 1st Advantage account triggered an OFAC alert, 1st Advantage opened an ongoing investigation into the wires, including a review of the member’s account history. Thus, the concurrence noted that a “factfinder could infer that [the officer’s] investigation led to a [credit union] employee obtaining actual knowledge of a misdescription between account name and number prior to Studco’s two November deposits.”
Lessons Learned Post-Studco
In the age of ubiquitous cyber and other sophisticated scams running throughout the US financial system, the financial services industry surely welcomes this Fourth Circuit decision. The trial court in Studco ruled that 1st Advantage was liable for scam-related ACH transfers in excess of a half-million dollars because 1st Advantage’s core system had triggered a warning regarding the name and account discrepancy, which 1st Advantage did not review or investigate. The fact that 1st Advantage did not undertake to review warnings from its core system appears to have saved 1st Advantage as the Court concluded that “actual knowledge” of the discrepancy was a prerequisite to liability. There was no proof of actual knowledge in this case.
On April 9, 2025, Studco petitioned the Fourth Circuit for rehearing, and alternatively, rehearing en banc with the full court. Studco argues that the panel erred in holding that there was no actual knowledge, pointing out that “1st Advantage opened the scammer’s account and reviewed the account at least 33 times over an approximate 40-day period – each time related to the scammers conducting a suspicious transaction.” Studco argues that a full en banc hearing should be permitted because the application of “UCC Article 4A-207 presents a question of exceptional importance.”
In the end, Studco stands as a warning to banks and credit unions alike that the more they know about the name mismatch issue for any particular transaction, the more liability they may take on. Banks and credit unions should consult their bank counsel to discuss their ACH and EFT review processes and ensure that their processes do not tip into “actual knowledge” and potential liability for transfers rooted in fraud.
CMS Releases FY 2026 Hospital Inpatient Prospective Payment System (IPPS) Proposed Rule
On April 11, 2025, the Centers for Medicare & Medicaid Services (CMS) issued the fiscal year (FY) 2026 Medicare Hospital Inpatient Prospective Payment System (IPPS) and Long-Term Care Hospital (LTCH) Prospective Payment System proposed rule. The proposed rule would update Medicare fee-for-service payment rates and policies for inpatient hospitals and LTCHs for FY 2026. Comments on the proposed rule are due on June 10, 2025. A fact sheet is available here. The proposed rule notably does not include anticipated provisions on hospital conditions of participation related to gender-affirming care.
KEY TAKEAWAYS FROM THE FY 2026 IPPS PROPOSED RULE
Standardized Amount: CMS proposes a 2.4% increase in operating payment rates for general acute care hospitals paid under the IPPS that successfully participate in the Hospital Inpatient Quality Reporting Program and are meaningful electronic health record users. This reflects a projected FY 2026 hospital market basket increase of 3.2%, less a 0.8 percentage point productivity adjustment.
Medicare Severity Diagnosis-Related Group (MS-DRG) Updates: CMS proposes creating new MS-DRG 209 for complex aortic arch procedures, MS-DRG 213 for endovascular abdominal aorta and iliac branch procedures, MS-DRGs 359 and 360 for percutaneous coronary atherectomy with intraluminal device, MS-DRG 318 for percutaneous coronary atherectomy without intraluminal device, and MS-DRGs 403 and 404 for hip or knee procedures with principal diagnosis of periprosthetic joint infection. CMS proposes to delete hypertensive encephalopathy MS-DRGs 077, 078, and 079.
Transforming Episode Accountability Model (TEAM): CMS proposes several updates to TEAM, including a limited deferment for certain hospitals, neutral scoring on quality for hospitals with insufficient quality data, changes to the payment methodology and risk adjustment, and expansion of the skilled nursing facility three-day rule waiver. The basic tenets of the model remain the same: it is a five-year mandatory model that will begin on January 1, 2026.
Special Rural Designations: While Congress typically extends the Medicare-dependent hospital (MDH) program and low-volume hospital payment adjustment, both are set to expire on September 30, 2025, and Congress has not yet acted to extend them further. Because CMS could not assume the continuation of these programs for purposes of the FY 2026 proposed rule, CMS states that as of October 1, 2025, hospitals that previously qualified for MDH status will be paid based on the federal rate. On the same date, both the qualifying criteria and the payment adjustment methodology for the low-volume adjustment will revert to the statutory requirements that were in effect prior to FY 2011.
New Technology Add-On Payments: For FY 2027 and beyond, CMS proposes one minor policy change and proposes to broaden the application details publicly posted online.
Quality Reporting Programs: The rule signals future quality measures supporting the Make America Healthy Again priorities of well-being and nutrition, and proposes to remove quality measures on health equity and social determinants of health.
Wage Index: CMS proposes to discontinue the low wage index policy and to use a different transition policy to phase out the policy for affected hospitals.
Disproportionate Share Hospital Payments and Uncompensated Care Payments: The total proposed uncompensated care payment to eligible disproportionate share hospitals for FY 2026 is $7.29 billion, an increase from the $5.78 billion finalized in FY 2025.
Graduate Medical Education: CMS proposes technical changes to the calculation of full-time equivalent resident counts, caps, and three-year rolling averages for direct graduate medical education. CMS also proposes technical changes to the calculation of net nursing and allied health education costs.
Requests for Information (RFIs): CMS solicits comments on the use of the Health Level 7® Fast Healthcare Interoperability Resources® in electronic clinical quality measure reporting in various quality reporting programs. CMS also seeks public input on ways to streamline regulations, reduce administrative burdens, and identify duplicative requirements across the Medicare program. Responses to this RFI are to be submitted through a web-based form, separate from other comments on the rule.
Additional Authors: Maddie News, Simeon Niles, Kristen O’Brien, Parashar Patel, Erica Stocker, Devin Stone, and Eric Zimmerman
Video Privacy Protection Act: What’s Next After Sixth Circuit Creates Split
The Video Privacy Protection Act (VPPA) is a federal law aimed at prohibiting the unauthorized disclosure of a person’s video viewing history. While the VPPA was originally enacted to prevent disclosure of information regarding an individual’s video rental history from businesses like Blockbuster in 1988, the explosion of the internet in the decades since has greatly expanded its potential reach, giving rise to countless lawsuits targeting businesses’ websites. One such case, involving the alleged disclosure of the plaintiff’s video viewing history through use of Meta’s data-tracking Pixel, was recently decided by the United States Court of Appeals for the Sixth Circuit, in a decision that serves to narrow the reach of the VPPA.
In a published opinion, the Sixth Circuit addressed the issue of who can be considered a “consumer” – and thus able to bring a claim – under the VPPA. The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Citing longstanding canons of statutory construction, the Sixth Circuit reasoned that, when read in context of its surrounding text, the phrase “goods and services” is limited to audiovisual goods and services. The plaintiff, a subscriber to 247Sports.com’s newsletter which contained links to videos that were accessible to anyone on the website, failed to allege that the newsletter itself was audiovisual material, and thus was not protected under the VPPA.
Notably, the Sixth Circuit’s decision was contrary to the conclusions previously reached by other Federal Courts of Appeals, specifically the Second and Seventh Circuits. Those courts had endorsed a broader interpretation of the term, considering a subscriber of any of the provider’s goods or services to be a “consumer” under the VPPA, regardless of whether the subscription was specifically for audiovisual materials. By defying this trend, the Sixth Circuit creates a circuit split that may be resolved by the Supreme Court of the United States. The defendant in the Second Circuit case on this issue has petitioned the Supreme Court to review the decision. Now, with a circuit split apparent, the Supreme Court may be more likely to intervene.
Against this uncertain backdrop, and with the wave of Meta Pixel and similar lawsuits continuing, businesses will need to carefully evaluate the operation of their websites and whether they may be subjected to a VPPA claim. The review should also include an analysis of the effectiveness of any consent provisions that the business may be relying on to avoid liability. Businesses should be aware of the risks presented by the entities they acquire or merge with whose data sharing practices may implicate the VPPA. To mitigate the risk of liability, due diligence in any such transaction should include a thorough review of the target company’s data practices, compliance with privacy regulations, and any ongoing or potential lawsuits tied to the use of tracking technology.