Mobile Workforce/Remote Worker Legislation Could Impact Your Business

Well-respected House Ways & Means-Education Committee Chair Danny Garrett (R-Trussville) has introduced HB 379, a bill designed to provide guidelines and a safe harbor for employers who have traveling employees or remote workers. The current version of the bill is based in part on the Council on State Taxation (COST)/AICPA model legislation (more on this below). COST is advocating passage of the uniform law across the country and six to seven states so far have enacted it in whole or in large part. Sen. John Thune (R-South Dakota) recently introduced federal legislation to the same end.
In short, if your traveling or remote employee is working in a state with this model act for less than 30 days in a calendar year, you (the employer) aren’t required to register with that state’s taxing authorities or withhold and remit that state’s income tax from the employee’s wages. However, if the employee works more than the safe harbor number of days, he or she is subject to income tax withholding in that state retroactively to the first day of his or her presence in that state.
Alabama is one of several states that assert tax jurisdiction over a nonresident employer and its employees if they work in this state more than one day in a year.
We understand that Rep. Garrett has agreed to amend his bill to more closely conform with the COST/AICPA model act – and to add an exemption for employers with employees who enter this or another state to conduct disaster relief efforts. Thankfully, the Alabama Department of Revenue is working with Chairman Garrett and, like the authors, is now reviewing a proposed amendment to that end. If your business has traveling or remote workers, this bill should be important to you. Organizations supporting the bill, as amended, include the Alabama Society of CPAs, Manufacture Alabama, COST, and the AICPA.
Chairman Garrett predicts that the bill will come up for a vote in his Committee this week.


SPECIFIC VS. GENERAL PERMISSION: Jibrael Hindi Defends His Onslaught of TCPA Class Actions Before the FCC and His Argument is Kind of Interesting

So REACH recently submitted a hard-hitting comment in support of an effort to shut down frivolous lawsuits arising from out-of-time-limitation SMS messages.
These messages generally arise when a consumer travels from one location to another and the caller is not aware of the changed location and sends messages based upon area codes that end up being inaccurate because, you know, people move around.
R.E.A.C.H.’s comment is laser focused on the language of the CFR that limits claims related to out-of-time messages to “solicitations” and the definition of “solicitations” looks only at messages sent without prior express invitation or permission. It follows that a message sent with invitation or permission may be sent outside of the TCPA’s timing limitations.
Simple.
But not so fast.
Hindi – the guy behind hundreds of recent TCPA class actions against small businesses and who also just bragged about buying a 15-seat private jet on social media – counters that the CFR is unclear whether the permission was to be general or specific in nature.
In his view of the world a consumer that gives permission to receive text messages from a business impliedly gives only limited consent; i.e. consent to receive texts WITHIN the timing limitations of the TCPA. While a consumer may ask for texts outside of the timing window such consent must be SPECIFIC as to the timing component.
Here is how he frames the issue:
The undersigned does recognize that text messages sent with “prior express invitation or permission” are not “telephone solicitations” under the TCPA and, thus, do not fall within the ambit of the Quiet Hours Provision. See 47 U.S.C. § 227(a)(4); see also 47 C.F.R. § 64.1200(c)(1). However, it bears repeating that the instant issue lies not in general invitation or permission, but rather the scope of such invitation or permission. Senders of text messages—who are in the best position to clarify the scope of invitation or permission—often leave the detail of message timing unaddressed and ambiguous by and through their own opt-in language. Indeed, in the undersigned’s experience, almost no sender of text message solicitations cares to obtain a consumer’s prior express invitation or permission to send texts “before 8 a.m. or after 9 p.m.” or at “any time.” This is a major issue for consumers, who reasonably believe they consent to messages at objectively normal hours but are instead bombarded with texts during objectively invasive hours.
Almost all consumers complain about quiet hours messages, even when they have given general express invitation or permission to receive texts. These consumers, including those without a legal background of any kind, often point out that they did not specifically consent to receiving messages “before 8 a.m. or after 9 p.m.” or “any time.” The average person is confused or, in some cases, outright enraged when they merely provide a company with their residential phone number and start receiving text messages in the middle of the night. Even Petitioners acknowledge this reality, noting that after-hours text messages can cause nuisance or annoyance for consumers.
Interesting, no?
Importantly general vs. specific consent may have BIG consequences in other TCPA arenas as well. For instance if the courts or “delete delete delete” proceedings dismantle express consent rules in the CFR we will be back to determining what “clearly and unmistakably stated” consent means for all purposes– and that might mean consumers must specifically request to hear from a caller “using an autodialer” or “using prerecorded calls” or “using AI.”
While that is not much of a shift from today’s practice for telemarketers it is a MASSIVE shift for informational calling where such specific consent is not required. So there may be bigger issues afoot here.
Regardless I thought the response here was interesting enough to merit a quick blog.
Full response here: Jibrael Hindi

DOJ Announces 90-Day Grace Period for Companies to Comply with New Data Security Rules on Foreign Adversary Access to U.S. Sensitive Data

The U.S. Department of Justice (DOJ)’s new data security rule went into effect April 8, 2025. The rule creates what are effectively export controls and requires companies to take measures to prevent U.S. sensitive personal and government-related data from falling into the hands of foreign adversaries. The rule targets transactions (including data brokerage, vendor agreements, employment agreements, and investment agreements) involving access to bulk sensitive personal data or government-related data when those transactions involve identified covered persons or countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela).
On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, a Frequently Asked Questions (FAQs) document, and its Implementation and Enforcement Policy, offering critical clarity on how it will assess compliance and approach enforcement of the rule. One of the most significant elements of the policy is the DOJ’s announcement of a 90-day grace period (between April 8, 2025 and July 8, 2025) for companies making good faith efforts to comply (willful violations may still be pursued). This grace period is intended to encourage early cooperation and foster a compliance-first mindset across industries.
Companies should take action now, if they have not done so already, to engage in compliance efforts (many of which are identified by DOJ as evidence of “good faith”) such as:

Assessing datasets and datatypes that might be covered by the rule
Reviewing data flows and data transactions, particularly those that might constitute data brokerage as defined in the rule
Analyzing vendor agreements to determine the need for new contractual terms; renegotiation of agreements; and potential transfer of products and services to new vendors
Instituting vendor due diligence practices aligned with the rule
Evaluating employee access and potentially modifying roles, responsibilities, or work locations
Assessing investments and investment agreements relating to countries of concern or covered persons
Revising or creating internal policies and procedures
Implementing security controls as set forth in the requirements established by the Cybersecurity and Infrastructure Security Agency (CISA)

The DOJ guidance confirms the effective dates in the rule and expectation for full compliance with initial requirements after the 90-day grace period. While the core rule took effect April 8, 2025, additional compliance obligations (e.g., audits, reporting, due diligence) must be in place by October 6, 2025.
Organizations that collect, store, or transmit sensitive personal data—especially with cross-border implications—should begin engaging in the activities listed above. The rule is effectively a form of national security data control and applies to a broad array of actors, from data brokers and cloud infrastructure providers to businesses with international partnerships or data transfers.

TO ADVERTISE OR NOT TO ADVERTISE: Court Holds Fax to Pharmacy May Cross the Line

A new TCPA suit highlights the tension over what constitutes an “advertisement” under the statute. In Mills Cashaway Pharmacy, Inc. v. Change Healthcare Inc. (M.D. Tenn., Apr. 10, 2025) the plaintiff pharmacy alleged that it received an unsolicited fax from defendant Change Healthcare promoting the prescription drug Xarelto. Change Healthcare moved to dismiss, arguing the fax was purely informational. The court, however, found the complaint plausibly alleged that the fax constitutes an unsolicited advertisement under the TCPA, and allowed the case to proceed.
Mills Cashaway Pharmacy, Inc. (“Mills”), a pharmacy based in Parks, Louisiana, filed suit on August 9, 2024, asserting a single claim for violation of the TCPA. The complaint alleges that, in September 2020, Mills received an unsolicited fax on its dedicated fax line. The fax, purportedly sent by Change Healthcare, contained the name and prescription number of one of Mills’ patients and directed the reader to “visit Xarelto.com” for more information about the drug, including safety and side effect details.
Mills alleges that the fax was designed to promote a 90-day supply of Xarelto over a 30-day supply or a different drug altogether, encouraging recipients like the pharmacy to influence patient behavior and drive demand for the product. According to the complaint, the fax falsely stated that the patient’s insurance plan would cover the 90-day supply. Mills asserts there was no preexisting business relationship between the parties and notes that the fax lacked the statutorily required opt-out notice.
The TCPA prohibits sending a fax that is an “unsolicited advertisement” unless, among other requirements, the fax has a satisfactory opt-out notice. There is a private right of action for recipients of unsolicited advertisements with statutory damages of $500 per violation. Here, the parties did not dispute that the fax Change Healthcare sent to Mills was unsolicited and lacked an opt-out provision. The sole issue in dispute was whether the fax qualified as an advertisement within the meaning of the TCPA. Change Healthcare argued it did not, asserting that it merely provided information to a patient already prescribed Xarelto.
The Mills court observed that under the TCPA, an “unsolicited advertisement” is defined as any material that promotes the commercial availability or quality of goods or services, sent without the recipient’s prior consent. The Court discussed several cases interpreting the TCPA’s definition of “advertisement”:

S.A.S.B. Corp. v. Johnson & Johnson Health Care Sys. Inc. (D.N.J. 2024): The court ruled that a fax about Xarelto was not an ad, as it targeted patients already prescribed the drug and didn’t contain pricing or overt promotional content. The “overall thrust” of the message was deemed informational. 
Michigan Urgent Care & Primary Care Physicians, P.C. v. Medical Security Card Co. (E.D. Mich. 2020): In contrast, the court found a fax promoting a “free” prescription savings card to be an advertisement. Even though the program was free, the court determined that the fax supported the defendant’s business model, which depended on broad usage of the card, potentially impacting defendant’s profits.
Matthew N. Fulton, D.D.S., P.C. v. Enclarity, Inc. (6th Cir. 2020): A fax requesting updated contact information was ruled to be an advertisement because it was a pretext for future marketing efforts. The Sixth Circuit emphasized that courts must look beyond the face of the fax to its intent and commercial purpose.

In light of the above precedent, the Mills Court rejected Change Healthcare’s argument that the fax contained purely informational messaging. First, the Court noted that although the fax appeared to reference a specific patient, it was sent to the pharmacy—not the patient. Second, the message encouraged a switch to a 90-day supply, which the court found could reasonably be construed as promoting the commercial availability of Xarelto.
The court emphasized that determining whether a fax is an advertisement is not always obvious from its face. Citing Enclarity and Michigan Urgent Care, it reiterated that a defendant’s intent and the broader context may render an ostensibly informational fax commercial in nature. The complaint plausibly alleged that the fax was designed to increase sales of Xarelto by encouraging pharmacies to influence patient prescriptions—conduct that could be motivated by profits.
While Change Healthcare argued the purpose was merely to notify patients of coverage and convenience, the court found that the plaintiff’s allegations and the content of the fax were sufficient, at this stage, to proceed under the TCPA’s definition of an advertisement.
The court’s ruling underscores a key principle in TCPA litigation: the determination of whether a fax is an “advertisement” often hinges not only on explicit language but also on the context, purpose, and business model underlying the message. Even materials presented as purely informational can support a TCPA claim if they plausibly serve a commercial aim.

Digital Policy: Highlights of the German Coalition Agreement 2025

The newly published German Coalition Agreement 2025 (CA 2025), German language version available here, outlines a digital agenda of the new German government, aimed at strengthening Germany’s position as a leader in digital innovation, data protection, and technological sovereignty. This GT Alert provides an overview of key digital policy areas that the CA 2025 addresses, highlighting the new government’s priorities and potential implications for businesses operating in Germany.
1. Data Protection
The coalition emphasizes the importance of harmonizing and simplifying data protection standards while promoting innovation and economic growth. Key measures include:

Simplification for SMEs and Non-Commercial Activities: The new government plans to leverage the GDPR’s flexibility to simplify compliance for small and medium-sized enterprises (SMEs). On an EU level, the coalition wants to exclude SMEs, non-commercial organizations, and “low risk activities” from the GDPR’s scope (lines 2103 et seqq.). 
Centralized Oversight: The Federal Data Protection Commissioner would be empowered (and renamed) to oversee data protection, data usage, and information freedom, consolidating responsibilities for greater efficiency (lines 2248 et seqq.). 
Opt-out Instead of Consent: Burdensome consent requirements would be replaced by opt-out solutions “in accordance” with EU laws (lines 2096 et seqq.).

2. Data Sharing
The CA 2025 promotes a culture of data sharing to foster innovation while safeguarding individual rights. Highlights include:

Public Money, Public Data: Commitment to making data from publicly funded institutions openly accessible, with robust data trustee mechanisms to foster trust and quality (lines 2243 et seqq.). 
Comprehensive Data Framework: Aim to develop modern regulations on data access and data economy for promoting data ecosystems in a comprehensive framework (lines 2238 et seqq.).

3. Online Platforms and Social Networks
The coalition underscores the need for fair competition and user protection, particularly from disinformation, in the digital space.

Platform Regulation: General commitment to supporting the EU’s Digital Services Act and Digital Markets Act to ensure platforms address systemic risks like disinformation and remove illegal content (line 2285). 
Transparency and Accountability: Online platforms would be required to comply with existing obligations on transparency and content moderation. Even stricter liability for user content is being considered (lines 3926 et seqq.). 
Possible Bot Identification Measures: The introduction of mandatory bot identification provisions for digital players is “being considered” (lines 2290 et seqq.).

4. Digital Infrastructure
The coalition prioritizes expanding Germany’s digital infrastructure to support economic growth and digital transformation.

Data Center Hub: The coalition aims to make Germany Europe’s leading data center hub, with a focus on energy-efficient operations and integration into district heating systems (lines 2192 et seqq.). 
Nationwide Fiber Optic Rollout: The new government commits to accelerating the deployment of fiber-optic networks and ensuring high-speed internet access for all households (lines 2201 et seqq.). 
Mobile Coverage and Satellite Technology: Efforts would be made to enhance mobile network coverage and explore satellite technology for underserved areas (lines 2201 et seqq., 2279 et seqq.).

5. Public Sector Digitalization
The coalition envisions a user-centric, fully digital public administration.

Restructuring Government Bureaucracy: The new government promises to reduce administrative staff in general and, in particular, wants to reduce the total number of federal authorities (lines 1811 et seqq.). At the same time, a new federal ministry for digitization and state modernization would be created (line 4564), which underscores the coalition’s focus on digitization topics. 
Simplifying Administrative Processes: The new government intends to eliminate unnecessary formalities to simplify administrative processes for businesses (lines 339 et seqq., 1798 et seqq., 2171 et seqq.). Particularly, with the adoption of a new general clause, the written form requirement is to be abolished “wherever possible” (lines 2177 et seqq.). Administrative processes would be streamlined and automated, with a focus on eliminating the need for physical paperwork (lines 2155 et seqq.). 
“One Stop Shop” for Administrative Services: The coalition aims to enable straightforward digital administrative services via a central platform (one-stop shop). A centralized platform would enable German citizens to access government services digitally, with mandatory digital identities for all citizens (lines 1802 et seqq.). 
“Once Only” Approach for Citizens: Intergovernmental data sharing commitments would ensure that citizens have to provide their data only once to the government (lines 2080 et seqq.). 
Public Procurement: Consolidated procurement platforms would standardize public procurement (especially of IT services) and help reduce dependence on “monopolistic” suppliers (lines 2075 et seqq.).

6. Digital Sovereignty
The coalition aims to reduce Germany’s dependencies on non-European technologies and to strengthen its digital autonomy.

Open Source and Open Standards: The new government aims to promote open-source solutions and define open interfaces to enhance interoperability and security, without providing many details (lines 2139 et seqq., 2172 et seqq.). 
Strategic Investments: Funding would be directed towards key technologies such as cloud computing, artificial intelligence (AI), and cybersecurity (lines 108 et seqq.).

7. Artificial Intelligence (AI)
AI is positioned as a cornerstone of Germany’s digital strategy.

Investments in AI and Cloud Technology: The coalition promised “massive” investments in AI and cloud technologies, without going into further detail (line 108). 
“AI Gigafactory” in Germany: The coalition aims to establish at least one European “AI gigafactory” in Germany (lines 2193 et seqq., 2509 et seqq.). 
Regulatory Framework: The new government wants the EU AI Act implemented in a way that fosters innovation while addressing ethical and safety concerns (lines 2256 et seqq.). Particularly, burdens on the economy resulting from the technical and legal specifications of the AI Act would be removed (lines 2268 et seqq.). 
Copyright Balance: The coalition plans to ensure fair remuneration for creators in generative AI development, mandate fair revenue sharing on streaming platforms, and enhance transparency in content usage (lines 2824 et seqq.).

Conclusion
The German CA 2025 sets a vision for digital transformation, emphasizing the streamlining of regulatory and administrative hurdles, infrastructure development, and technological sovereignty. While many details remain unclear, businesses should prepare for regulatory changes and explore opportunities arising from the new government’s focus on innovation and digitization. As these policies take shape, staying informed and proactive will be key to navigating the evolving digital landscape in Germany.

DOJ Sets New Focus and Priorities in Digital Assets Enforcement

On April 7, 2025, U.S. Deputy Attorney General Todd Blanche issued a memorandum titled “Ending Regulation by Prosecution” (the “Memorandum”), which set out clear and direct enforcement priorities for the U.S. Department of Justice (“DOJ”) relating to digital assets. The Memorandum clarifies that DOJ is not a digital assets regulator and that it will not continue with what it characterizes as the prior Administration’s “regulation by prosecution” strategy. Rather, DOJ will now prioritize enforcement actions that target individual bad actors that use digital assets to perpetrate scams or are engaged in other criminal activity involving digital assets such as organized crime, narcotics, and terrorism. Importantly, the Memorandum scales back the scenarios in which DOJ will pursue enforcement actions against digital asset exchanges or other platforms (e.g., mixers or tumblers) that bad actors may use to conduct illegal activity.
In setting out the DOJ’s new enforcement priorities, the Memorandum adheres to the principles contained in Executive Order 14178 (“Strengthening American Leadership in Digital Financial Technology,” January 23, 2025), which outlines the Trump Administration’s policy of promoting “responsible growth and use of digital assets.” The Memorandum also cites Executive Order 14157 (“Designating Cartels and Other Organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists,” January 20, 2025), which reflects the U.S. government’s decision to seek the “total elimination” of certain international cartels, criminal organizations, and terrorists.
The Memorandum directs prosecutors to refrain from charging regulatory violations involving digital assets, including unlicensed money transmission, registration requirement failures, and Bank Secrecy Act (“BSA”) violations, unless the defendant “willfully” did not comply with the licensing or registration requirement. Additionally, prosecutors are instructed not to pursue charges in situations where DOJ would be required to litigate whether a digital asset is a “security” or a “commodity,” as long as there is “an adequate alternative criminal charge available, such as mail or wire fraud.”
To carry out these new priorities, DOJ will shift its enforcement resources related to digital assets. Specifically, DOJ will disband the National Cryptocurrency Enforcement Team (“NCET”), which was established in February 2022 and has supported several recent high-profile digital assets investigations and prosecutions. Additionally, the DOJ’s Market Integrity and Major Frauds Unit will no longer enforce cryptocurrency actions and instead will focus on Trump Administration priorities such as immigration and procurement fraud. The DOJ’s Computer Crime and Intellectual Property Section will continue to liaise with the digital asset industry as needed.
Finally, the Memorandum addresses an issue relating to the way in which victims of digital asset fraud are compensated. Currently, regulations only allow victims to recover the value of their investment at the time of the fraud, rather than at the current fair market value. To rectify this issue, the Memorandum directs the Office of Legal Policy and the Office of Legislative Affairs to propose new legislation and regulations that would allow victims to recover a greater amount of their digital asset losses in situations involving fraud or theft.
Key Takeaways:

The Memorandum neither creates nor eliminates any current laws. Rather, it presents new enforcement and staffing priorities for DOJ, which are tied closely to recent Executive Orders and statements from the Trump Administration.
The DOJ is focused on prosecuting digital asset scams and the illicit, underground use of digital assets by terrorists, narcotics traffickers, and other organized crime elements. It will prioritize those cases by “seeking accountability from individuals” who perpetrate these crimes, as opposed to pursuing “regulatory violations” at digital asset companies.
Regulatory failures can still pose a legal risk for companies, however, particularly if the DOJ finds them to be “willful.” Additionally, it remains to be seen how U.S. states will react to the potential “enforcement vacuum” in the digital assets industry, and whether they will seek to fill the void with a more aggressive enforcement approach.

California AG Appeals Decision Blocking Enforcement of Age-Appropriate Design Code Act

On April 11, 2025, California Attorney General Rob Bonta appealed the U.S. District Court for the Northern District of California’s decision blocking enforcement of California’s Age-Appropriate Design Code Act (“AADC”). As we previously reported, on March 13, 2025, the Court granted a second motion for preliminary injunction in favor of the technology trade group NetChoice, enjoining the California AG from enforcing the AADC.
In announcing the appeal, AG Bonta said: “We are deeply concerned about further delay in implementing protections for children online. That is why, today, my office has appealed the Northern District of California’s decision blocking enforcement of the Age-Appropriate Design Code.”

Regulatory Update and Recent SEC Actions: April 2025

Recent SEC Administration Changes
Senate Confirms Paul Atkins as SEC Chairman
The Senate, on April 9, 2025, confirmed Paul Atkins as the Chairman of the Securities and Exchange Commission (“SEC”). Atkins takes over the Chairman role from the current Acting Chair, Mark T. Uyeda, who was appointed in January 2025 to serve in the interim until Atkins was confirmed. Atkins previously served as a Commissioner from 2002 to 2008, and most recently served as CEO and founder of risk-management firm Patomak Global Partners. He also served as co-chairman of the Digital Chamber’s Token Alliance, where he led industry efforts to develop best practices for digital asset issuances and trading platforms.
Recent SEC Staff Departures
In addition to the departures of SEC Chairman Gary Gensler and Commissioner Jaime Lizárraga on January 20 and January 17, respectively:

Paul Munter, Chief Accountant;
Jessica Wachter, Chief Economist and Director of the Division of Economic and Risk Analysis;
Sanjay Wadhwa, Acting Director of the Division of Enforcement;
Scott Schneider, Director of the Office of Public Affairs;
Amanda Fischer, Chief of Staff;
YJ Fischer, Director of the Office of International Affairs; and
Megan Barbero, General Counsel.

SEC Restructuring and Hiring Freeze
The Trump administration, on January 20, 2025, issued a memorandum that implemented a federal hiring freeze across the executive branch, including the SEC. Further, the SEC plans to restructure the Enforcement and Exams divisions by removing the top leaders at its 10 regional offices across the country and replacing them with deputy directors, Katherine Zoladz, Nekia Jones, and Antonia Apps, who will each oversee one of three regions – West, Southeast, and Northeast. There will also be a deputy director for specialized units. Additionally, the SEC announced the closures of the Los Angeles and Philadelphia offices and a review of the lease for the SEC’s Chicago Regional Office.
SEC Rulemaking
SEC Issues Temporary Exemption from Exchange Act Rule 13f-2 and Related Form SHO
The SEC announced on February 7, 2025, it was providing a temporary exemption from compliance with Rule 13f-2 under the Securities Exchange Act of 1934, as amended (the “Exchange Act”) and from reporting on Form SHO, which generally requires certain institutional investment managers to report short positions and daily trading activity for equity securities exceeding certain thresholds. The effective date for Rule 13f-2 and Form SHO was January 2, 2024, and the compliance date for such rule and form was January 2, 2025, with initial Form SHO filings originally due by February 14, 2025. The exemption, for certain institutional investment managers that meet or exceed certain specified thresholds, pushes the due date for the initial Form SHO reports to February 17, 2026. 
SEC Announces Exemption from Reporting of Certain Personally Identifiable Information to Consolidated Audit Trail
The SEC, on February 10, 2025, announced it was providing an exemption from the requirement to report certain personally identifiable information (“PII”) – names, addresses, and years of birth – to the Consolidated Audit Trail (“CAT”) for natural persons. CAT was established by the SEC to track trading activity for National Market System securities including stocks and options, allowing regulators to monitor trading activity. The SEC has justified the exemption because the inclusion of this information may allow bad actors to impersonate a customer or broker-dealer and gain access to a customer’s account. 
SEC Extends Compliance Dates for Funds Name Rule Amendment and Updates FAQ
The SEC announced, on March 14, 2025, a six-month extension of the compliance dates for amendments adopted in September 2023 to the “Names Rule” (Rule 35d-1) under the Investment Company Act of 1940, as amended (the “Investment Company Act”). The compliance date for larger fund groups is extended from December 11, 2025 to June 11, 2026, and the compliance date for smaller fund groups is extended from June 11, 2026 to December 11, 2026. The SEC indicated that the extension is designed to balance the investor benefit of the amended Names Rule framework with funds’ needs for additional time to implement the amendments properly, develop and finalize their compliance systems, and test their compliance plans. The Commission further indicated that the compliance dates have been aligned with the timing of certain annual disclosure and reporting obligations that are tied to the end of a fund’s fiscal year in order to help funds avoid additional costs when coming into operational compliance with the Names Rule amendments.
Additionally, the SEC has updated the Names Rule FAQ, releasing a new 2025 Names Rule FAQ on January 8, 2025. Key clarifications include: 

Shareholder approval is not required for a fund to add or revise a fundamental 80 percent investment policy unless the change would permit a “deviation from the existing policy or some other existing fundamental policy;”
The 2025 FAQ expanded the SEC staff’s note that the term “tax-sensitivity” indicates a fund’s strategy instead of a focus on particular types of investments to terms “similar” to tax-sensitive (such as “tax-advantaged” or “tax-efficient”); and
The use of the term “income” in a fund’s name does not refer to “fixed-income” securities, and instead is used to emphasize an investment goal of generating current income. As such, the use of the term “income” in a fund’s name would not alone require the adoption of an 80 percent investment policy. 

SEC Votes to End Defense of Climate Disclosure Rules
The SEC, on March 27, 2025, voted to end its defense of the rules requiring disclosure of climate-related risks and greenhouse gas emissions. The rules, adopted by the SEC on March 6, 2024, required registrants to provide certain climate-related information in their registration statements and annual reports. Following the SEC’s vote, the SEC staff sent a letter to the Eighth Circuit (which was hearing Iowa v. SEC, No. 24-1522 (8th Cir.), evaluating the legality of the rules) stating that the SEC withdraws its defense of the rules and that the SEC counsel are no longer authorized to advance the arguments in the brief filed on behalf of the SEC. SEC Acting Chairman Mark T. Uyeda stated that “[t]he goal of today’s Commission action and notification to the court is to cease the Commission’s involvement in the defense of the costly and unnecessarily intrusive climate change disclosure rules.”
The SEC did not, however, withdraw the actual climate disclosure rules. Commissioner Caroline Crenshaw issued a statement challenging the decision, arguing that if the SEC chose not to defend the rules, then it should ask the court to stay the litigation while the agency comes up with a rule that it is prepared to defend and that, if not, the court should hire counsel to defend the rules. Although the SEC is no longer defending the rules, 20 Democratic attorneys general (the “AGs”) have intervened in the lawsuit to defend them. In April 2025, the court ruled that the AGs, led by those from Massachusetts and the District of Columbia, can themselves defend the rules.
SEC Enforcement Actions and Other Cases
Airline Faulted for ESG Focus in 401(k) Plan
A Texas judge issued a 70-page finding of fact and conclusion of law that an international airline company (the “Defendant”) violated federal benefits law by emphasizing environmental, social, and governance factors (“ESG”) in its 401(k) plan decisions. The judge found that the Defendant’s corporate commitment to ESG, the influence of and conflicts of interest with the investment manager, and the lack of separation between the corporate and fiduciary roles all contributed to the fiduciary lapse. Despite finding the Defendant breached the Employee Retirement Income Security Act’s (“ERISA”) duty of loyalty, the judge determined the Defendant had not breached ERISA’s fiduciary duty of prudence because the practices fell within the prevailing industry standards.
12 Firms to Pay More Than $63 Million Combined to Settle SEC’s Charges in Connection with Off-Channel Communications
In its continued focus on off-channel communications, the SEC announced charges against nine investment advisers and three broker-dealers (each a “Firm” and collectively, the “Firms”) on January 13, 2025. The charges are for failures by the Firms and their personnel to maintain and preserve electronic communications, in violation of recordkeeping provisions of the federal securities laws. The Firms admitted to the facts set out in their respective SEC orders and have begun implementing improvements to their compliance policies and procedures to address these violations. One Firm self-reported and, as a result, paid significantly lower civil penalties. 

“In order to effectively carry out their oversight responsibilities, the Commission’s Examinations and Enforcement Divisions must, and indeed do, rely heavily on registrants complying with the books and records requirements of the federal securities laws. When firms fall short of those obligations, the consequences go far beyond deficient document productions; such failures implicate the transparency and the integrity of the markets and their participants, like the firms at issue here,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “In today’s actions, while holding firms responsible for their recordkeeping failures, the Commission once more recognized and credited a registrant’s self-report, demonstrating yet again that there are tangible benefits to be gained from proactive cooperation.”

SEC Charges Advisory Firm with Misrepresenting its Anti-Money Laundering Procedures to Investors
The SEC charged a Connecticut-based investment adviser (the “Adviser”) with making misrepresentations about its anti-money laundering (“AML”) procedures and related compliance failures. The SEC’s order finds that the Adviser’s offering documents stated that the Adviser was voluntarily complying with AML due diligence laws despite those laws not applying to investment advisers. However, according to the order, the Adviser did not always conduct due diligence with respect to an entity owned by an individual who was publicly reported to have suspected connections to money laundering activities. The order further found that the Adviser failed to adopt and implement written policies and procedures reasonably designed to ensure the accuracy of offering and other documents provided to prospective and existing investors. 

“This case reinforces the fundamental duty of investment advisers to say what they do and do what they say,” said Tejal D. Shah, Associate Regional Director of the SEC’s New York Regional Office. “Here, [the Adviser] failed to follow the AML due diligence procedures that it said it would, thus misleading investors about the level of risk they were undertaking.”

SEC Charges Two Affiliated Investment Advisers for Failing to Address Known Vulnerabilities in its Investment Models
The SEC announced, on January 16, 2025, that it had settled charges against two affiliated New York-based investment advisers (the “Advisers”) for breaching their fiduciary duties by failing to reasonably address known vulnerabilities in their investment models and for related compliance and supervisory failures, as well as violating the SEC’s whistleblower protection rule. According to the SEC’s order, around March 2019, the Advisers’ employees identified and recognized vulnerabilities in certain investment models that could negatively impact clients’ investment returns, but did not take any action to remedy the situation until August 2023. The Advisers failed to adopt and implement written policies and procedures to address these vulnerabilities and failed to supervise an employee who made unauthorized changes to more than a dozen models. Further, the Advisers required departing individuals to state as a fact—in separate written agreements—that they had not filed a complaint with any governmental agency. The SEC’s order finds that the Advisers willfully violated the antifraud provisions of the Investment Advisers Act of 1940, as amended (the “Advisers Act”), the Advisers Act’s compliance rule, as well as Rule 21F-17(a) under the Exchange Act. 
SEC Charges Advisory Firms with Compliance Failures Relating to Cash Sweep Programs
The SEC, on January 17, 2025, settled charges against two affiliated registered investment advisers and a third unaffiliated investment adviser (collectively, the “Advisers”) for failing to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder relating to the Advisers’ cash sweep programs. According to the SEC’s order, the Advisers offered their own bank deposit sweep programs as the only cash sweep options for most advisory clients and received a significant financial benefit from advisory client cash in the bank deposit program. The order finds that the Advisers failed to adopt and implement reasonably designed policies and procedures (1) to consider the best interest of clients when evaluating and selecting which cash sweep program options to make available to clients and (2) concerning the duties of financial advisors in managing client cash in advisory accounts. 
SEC Charges Dually Registered Broker-Dealer/Investment Adviser with Anti-Money Laundering Violations
The SEC announced charges against a firm that is registered as both a broker-dealer and investment adviser (the “Firm”) with multiple failures related to its AML program. According to the SEC’s order, from at least May 2019 through December 2023, the Firm experienced longstanding failures in its customer identification program, including a failure to timely close accounts for which it had not properly verified the customer’s identity. Furthermore, the Firm failed to close or restrict thousands of high-risk accounts that were prohibited under the Firm’s AML policies. 
Financial Institution to Pay More than $100 Million to Resolve Violations Related to Target Date Funds
The SEC announced on January 17, 2025, that an institutional investment management company (the “Company”) has agreed to settle charges for misleading statements related to capital gains distributions and tax consequences for retail investors who held the Company’s Investor Target Retirement Funds (“Investor TRFs”) in taxable accounts. The SEC’s order finds that in December 2020, the Company announced that the minimum initial investment amount of the Company’s Institutional Target Retirement Funds (“Institutional TRFs”) would be lowered from $100 million to $5 million. A substantial number of plan investors redeemed their Investor TRFs and switched to Institutional TRFs due to the latter having lower expenses. The retail investors of the Investor TRFs who did not switch and continued to hold their fund shares in taxable accounts faced historically large capital gains distributions and tax liabilities due to the large number of redemptions. The order also finds that the Investor TRFs’ prospectuses, effective and distributed in 2020 and 2021, were materially misleading because they failed to disclose the potential for increased capital gains distributions resulting from redemptions of fund shares by newly eligible investors switching from the Investor TRFs to the Institutional TRFs.

“Materially accurate information about capital gains and tax implications is critical to investors saving for their retirements,” said Corey Schuster, Chief of the Division of Enforcement’s Asset Management Unit. “Firms must ensure that they are accurately describing to investors the potential risks and consequences associated with their investments.” 

SEC Charges Investment Adviser and Two Officers for Misuse of Fund and Portfolio Company Assets
The SEC filed settled charges on March 7, 2025, against a registered investment adviser (the “Adviser”), its former managing partner (the “Managing Partner”) and its former chief operating officer and partner (the “COO”) for breaches of their fiduciary duties for their misuse of fund and portfolio company assets. According to the SEC’s orders, from at least August 2021 through February 2024, the COO misappropriated approximately $223,000 from portfolio companies of a private fund managed by the Adviser. This included transactions for vacations, personal expenses, and the payment of compensation in excess of the COO’s salary. The SEC order states that the Managing Partner failed to reasonably supervise the COO despite red flags of misappropriation and that they caused the fund to pay a business debt that should have been paid by an entity the Managing Partner and COO controlled, resulting in an unearned benefit to the entity of nearly $350,000. Additionally, the order finds the Adviser failed to adopt and implement adequate policies and procedures and to have the fund audited as required.
SEC Charges New Jersey Investment Adviser and His Firm with Fraud and Other Violations
The SEC, on March 17, 2025, announced it filed charges against an individual investment adviser and his advisory firm (collectively, the “Adviser”) for misconduct and for investing more than 25 percent of a mutual fund’s assets in a single company over multiple years, causing losses of $1.6 million. In November 2021, the Adviser settled charges that the Adviser violated its policy by investing more than 25 percent of a fund’s assets in one industry between July 2017 and June 2020, committing fraud and breaching its fiduciary duties. Despite being ordered to stop the conduct, the Adviser continued violating its 25 percent industry concentration limit and making associated misrepresentations about it between November 2021 and June 2024. The SEC’s complaint alleges the defendant Adviser engaged in further misconduct during this same period by operating the fund’s board without the required number of independent trustees and misrepresenting the independence of one board member in filings. The complaint also alleges that the Adviser failed to provide or withheld key information from the board and hired an accountant for the fund without the required vote by the board. 

“As alleged, the defendants not only ran the fund contrary to its fundamental investment policies, but they actively misled investors and the fund’s board about their conduct,” said Corey Schuster, Chief of the Division of Enforcement’s Asset Management Unit. “Undeterred by their prior SEC settlement involving these very same issues, we allege that the defendants repeatedly violated fundamental rules designed to protect investors in mutual funds.”

Business Development Company and Directors Sued for Causing Fund’s Value to Decline
Directors of a business development company (the “BDC”) have been sued for allegedly approving fraudulent valuations, and the BDC’s investment adviser (the “Adviser”) is accused of extracting millions of dollars in fees from the BDC while its assets dipped. According to the complaint, the Adviser caused the BDC’s $200 million portfolio to decline while extracting nearly $30 million in fees and concealed the decline from shareholders through fraudulent, inflated asset valuations that the directors repeatedly approved before the fund went into liquidation in 2023. When shareholders proposed ways for the shareholders to realize value (such as a tender offer or merger), the complaint alleges that the Directors amended the BDC’s bylaws to illegally restrict shareholder voting powers. The lawsuit seeks a trial and alleges violations of Section 10(b) and Section 20 of the Exchange Act, breach of fiduciary duty by the directors, aiding and abetting a breach of fiduciary duty, and breach of contract. 
Revenue Sharing Ruling Struck Down by First Circuit Court of Appeals
In 2019, the SEC initiated an enforcement action against a dually registered broker-dealer and investment adviser (the “Adviser”). The SEC alleged that, from July 2014 through December 2018, the Adviser failed to adequately disclose that its revenue sharing agreement with a national brokerage and custody service provider (the “Provider”) created a conflict of interest by incentivizing the Adviser to direct its clients’ investments (through client representatives) to mutual fund share classes that produced revenue-sharing income for the Adviser. At the close of evidence, the district court granted partial summary judgment for the SEC which included an order for the firm to pay $93.3 million (including disgorgement of nearly $65.6 million in revenue-sharing related profits), which the Adviser appealed. On April 1, 2025, the United States Court of Appeals for the First Circuit, finding that there was a material issue of fact to be decided by a jury, reversed the order and remanded it back to district court to be heard by a jury. Applying the “total mix” test from Basic Inc. v. Levinson, the Court of Appeals concluded that a “reasonable jury could find” that the additional disclosure about the Adviser’s conflict of interest would not have “so significantly altered the ‘total mix’ of information made available, that summary judgment was appropriate.” Importantly, the Court of Appeals noted that the district court relied on cases predating the U.S. Supreme Court’s decision in SEC v. Jarkesy, which held that the Seventh Amendment right to a jury trial applies to SEC enforcement actions of its administrative orders. Additionally, the Court of Appeals found that the SEC failed to adequately show a reasonable approximation or causal connection sufficient to support the district court’s disgorgement award.
Other Industry Highlights
SEC Announces Record Enforcement Actions Brought in First Quarter of Fiscal Year 2025
The SEC announced on January 17, 2025, that, based on preliminary results, it filed 200 total enforcement actions in the first quarter of fiscal year 2025, which ran from October through December 2024, including 118 standalone enforcement actions. This is the most actions filed in the respective period since at least 2000. The SEC filed more than 40 enforcement actions from January 1, 2025, through January 17, 2025, indicating that the Division’s high level of enforcement activity continues into the second quarter of fiscal year 2025.
DRAO Issues Observations Relating to Website Posting Requirements
The Division of Investment Management’s Disclosure Review and Accounting Office (“DRAO”) is responsible for reviewing fund disclosures. As part of this effort, the staff recently observed several issues relating to the website posting requirements under various Commission rules and certain exemptive orders, including those related to the use of summary prospectuses, exchange-traded funds (“ETFs”), and money market funds (“MMFs”). Some of the DRAO’s observations include: 
Summary Prospectuses

Some summary prospectuses did not include a website address that investors could use to obtain the required online documents, while other addresses were generic links to the registrant’s homepage.
A number of registrants did not include any links from the summary prospectus to the statutory prospectus and the Statement of Additional Information, or only partially satisfied the linking requirement.

ETFs

Some ETFs failed to include their daily holdings information, expressed their premiums and discounts as a dollar figure rather than as a percentage, or used alternative terminology when referring to premiums and discounts that have potential to confuse investors.
Some ETFs did not disclose timely historic premium and discount information on their websites, or the information was not easily accessible on the website.
Some ETFs used alternative terminology when referring to the 30-day median bid-ask spread, by omitting the term “30-day,” such that the nature of the figure presented may be unclear to investors. 

MMFs

Several MMFs did not post on their websites the required link to the Commission’s website where a user may obtain the most recent 12 months of publicly available information filed by the MMF on Form N-MFP. 

Acting Chairman Uyeda Announces Formation of New Crypto Task Force
SEC Acting Chairman Mark Uyeda, on January 21, 2025, launched a crypto task force dedicated to developing a comprehensive and clear regulatory framework for crypto assets. The SEC announced that Commissioner Hester Peirce will lead the task force with a focus on drawing clear regulatory lines, providing realistic paths to registration, crafting disclosure frameworks, and deploying enforcement resources. With the disbandment of the Crypto Asset and Cyber Unit, the task force will be the Commissioners’ primary adviser on matters related to crypto. On March 3, 2025, Commissioner Peirce announced the members of the Crypto Task Force staff.
Executive Order Halts All Pending Regulations
The Trump administration issued an executive order on January 20, 2025, freezing all pending regulations. The order also suggests that agencies should postpone the effective date for any regulations that have been published in the Federal Register for 60 days. Additionally, the order states that federal agencies should withdraw any regulations that have been sent to the Office of the Federal Register but have not yet been published. Finally, the order recommends that agencies should consider reopening comment periods for pending regulations and should not propose or issue any new regulations until a department or agency head appointed by President Trump has reviewed and approved such regulations.
New Executive Order Imposes Increased Presidential Oversight and Control of Independent Regulatory Agencies
The Trump administration, on February 18, 2025, issued a new Executive Order, “Ensuring Accountability for All Agencies,” (the “Executive Order”) that seeks to increase presidential oversight of independent regulatory agencies. The Executive Order imposes new constraints on independent regulatory agencies, like the SEC, including:

The independent regulatory agencies must submit “significant regulatory actions” to the White House’s Office of Information and Regulatory Affairs before publication in the Federal Register;
The Director of the White House’s Office of Management and Budget (“OMB”) will establish performance standards and management objectives for independent agency heads, like the Commissioners of the SEC, and OMB will report to the President on the agencies’ performance and efficiency;
The Director of OMB will review the agencies’ obligations for “consistency with the President’s policies and priorities” and will change an agency’s activity or objective, as necessary, to advance the “President’s policies and priorities;”
Chairs of independent regulatory agencies must now meet with and coordinate policies and priorities with the White House, including establishing a position of White House Liaison and submitting strategic plans to OMB for clearance; and
Members of independent regulatory agencies cannot “advance an interpretation of the law” that varies from the President’s and the Attorney General’s authoritative interpretation of the law including, but not limited to, interpretations of regulations, guidance, and positions advanced in litigation (which may include enforcement actions).

SEC Announces Cyber and Emerging Technologies Unit 
The SEC announced, on February 20, 2025, the creation of the Cyber and Emerging Technologies Unit (“CETU”) to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space. Specifically, the CETU will focus on the following priority areas:

Fraud committed using emerging technologies, such as artificial intelligence and machine learning;
Use of social media, the dark web, or false websites to perpetrate fraud;
Hacking to obtain material nonpublic information;
Takeovers of retail brokerage accounts;
Fraud involving blockchain technology and crypto assets;
Regulated entities’ compliance with cybersecurity rules and regulations; and
Public issuer fraudulent disclosure relating to cybersecurity.

CETU replaces the SEC Enforcement Division’s Crypto Asset and Cyber Unit, which brought more than 100 enforcement actions. CETU’s establishment is a part of a series of initiatives highlighting the SEC’s new, more positive, approach to crypto products. See Acting Chairman Uyeda Announces Formation of New Crypto Task Force above.
ICI Issues Recommendations for Reform and Modernization of the 1940 Act
The Investment Company Institute (“ICI”), on March 17, 2025, issued key recommendations for the reform and modernization of the 1940 Act, titled Reimagining the 1940 Act: Key Recommendations for Innovation and Investor Protection. The ICI worked closely with its members and Independent Directors Council members over three years to develop their “blueprint” to reform the 1940 Act. The 19 recommendations focus on fostering ETF innovation, expanding retail investors’ access to private markets, eliminating unnecessary regulatory costs and burdens, and leveraging the expertise and independence of Fund directors. The ICI has called for the SEC to address these recommendations, including to:

Enable a new or existing fund to offer both mutual fund and ETF share classes;
Allow closed-end funds to more flexibly invest in private funds;
Create more flexibility for closed-end funds to provide repurchase opportunities to their investors;
Adopt electronic delivery of information as the default delivery option;
Update requirements for in-person voting by directors;
Permit streamlined board approval of new sub-advisory contracts and annual renewals;
Revise the “interested person” standard;
Permit fund boards to appoint a greater number of new independent directors; and
Update fund board responsibility with respect to auditor approval. 

Navigating the New DOJ Data Security Program Compliance

On January 8, 2025, the U.S. Department of Justice (“DOJ”) issued its final rule to implement Executive Order 14117 aimed at preventing access to Americans’ bulk sensitive personal data and government-related data by countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela (the “Data Security Program” or “DSP”). The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The regulations took effect on April 8, 2025, with additional compliance requirements for U.S. persons taking effect by October 6, 2025.
On April 11, 2025, the DOJ issued a compliance guide, along with a list of Frequently Asked Questions (FAQs) to assist entities with understanding and implementing the DSP. The DOJ also announced a 90-day limited enforcement period from April 8 to July 8, 2025, focusing on facilitating compliance rather than enforcement, provided that entities are making good faith efforts as outlined in the 90-day policy.
By July 8, 2025, entities must be fully compliant with the DSP, as the DOJ will begin enforcing the provisions more rigorously. By October 6, 2025, compliance with all aspects of the DSP, including due diligence, audit requirements, and specific reporting obligations, will be mandatory.
SCOPE OF THE DSP
The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons.
Countries of Concern: The DSP has initially listed China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as countries of concern. The Attorney General, along with the Secretary of State and the Secretary of Commerce, may amend such countries based on guidelines in the DSP.
Covered Persons: The DSP defines Covered Persons as entities or individuals associated with a Country of Concern, including those who are substantially owned, organized, or primarily operating within these countries, as follows: 

An entity that is 50% or more owned by a Country of Concern
An entity that is organized or chartered under the laws of a Country of Concern
An entity that has its primary place of business in a Country of Concern
An entity that is 50% or more owned by a Covered Person
A foreign person, as an individual, who is an employee or contractor of a Country of Concern 
A foreign person, as an individual, who is primarily a resident in the territorial jurisdiction of a country of concern
Any entity or individual that the Attorney General designates as a Covered Person subject to broad discretion set forth in the DSP

Covered Data: The DSP regulates transactions involving two primary categories of data: U.S. sensitive personal data and U.S. government-related data.
U.S. Sensitive Personal Data – applies to data that meets the “bulk” thresholds, including: 

Human ‘omic Data: This includes human genomic, epigenomic, proteomic, and transcriptomic data. 
Biometric Identifiers: These are measurable physical characteristics or behaviors used to recognize or verify an individual’s identity, such as facial images, voice prints, retina scans, and fingerprints. 
Precise Geolocation Data: This identifies the physical location of an individual or device to within 1,000 meters. 
Personal Health Data: This includes data that indicates, reveals, or describes an individual’s physical or mental health condition, healthcare provision, or payment for healthcare. 
Personal Financial Data: This includes data about an individual’s financial accounts, transactions, and credit history. 
Covered Personal Identifiers: These are combinations of listed identifiers, such as government ID numbers, financial account numbers, device identifiers, demographic or contact data, advertising identifiers, account authentication data, network-based identifiers, and call-detail data.

Bulk Thresholds – The “bulk” threshold is calculated from a collection or set of U.S. Sensitive Personal Data, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, over a 12-month period, whether it is one data transfer or over multiple transfers. 

100+ U.S. persons: Human genomic data
1,000+ U.S. persons: Biometric identifiers; Human ‘omic data (other than human genomic data); Precise geolocation data (1,000 U.S. devices)
10,000+ U.S. persons: Personal health data; Personal financial data
100,000+ U.S. persons: Covered personal identifiers

U.S. Government-Related Data – The DSP applies to the following categories of government related data:

Precise Geolocation Data: For locations designated by the Attorney General as posing a heightened risk of exploitation by a country of concern.
Sensitive Personal Data Linked to Government Employees: Data marketed as linked or linkable to current or former U.S. government employees or officials, including military and intelligence personnel.

COVERED TRANSACTIONS
Transactions are categorized as Prohibited, Restricted, or Exempt and receive varying degrees of restrictions.
Prohibited Transactions: Fully banned transactions include:

Data Brokerage: The sale, licensing, or similar commercial transactions involving the transfer of data from a provider to a recipient who did not collect or process the data directly is prohibited. 
Human ‘Omic Data: Transactions involving access to bulk human ‘omic data (genomic, epigenomic, proteomic, and transcriptomic data) or human biospecimens from which such data could be derived are prohibited.

Restricted Transactions: Subject to the exemptions below, these transactions are types of agreements, which are allowed under the DSP subject to stringent security and compliance requirements:

Vendor Agreements: Agreements where a person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration. These transactions must comply with security requirements to prevent unauthorized access to covered data.
Employment Agreements: Agreements where an individual performs work directly for a person in exchange for payment or other consideration. This includes board service and executive-level arrangements.
Investment Agreements: Agreements where a person gains direct or indirect ownership of a U.S. legal entity or real estate. Passive investments, such as publicly traded securities, are excluded. These transactions must adhere to security measures and due diligence requirements.

Exempt Transactions: Categories exempt from regulation under the DSP include:

Personal communications
Information or informational materials
Travel
Official business of the U.S. Government
Financial services
Corporate group transactions
Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law
Investment agreements subject to CFIUS action
Telecommunications services
Drug, biological product and medical authorizations
Other clinical investigations and post-marketing surveillance data

90-DAY LIMITED ENFORCEMENT PERIOD AND “GOOD FAITH EFFORTS” TO COMPLY
During the DOJ’s 90-day limited enforcement period from April 8 to July 8, 2025, the DOJ will focus on facilitating compliance rather than prioritizing enforcement actions, provided entities are making good faith efforts to comply. Good faith efforts include compliance activities described in this first 90-day policy, including:

Conducting internal reviews of sensitive data access.
Reviewing datasets for DSP applicability.
Renegotiating vendor agreements.
Transferring products to new vendors.
Conducting due diligence on new vendors.
Negotiating transfer provisions with foreign counterparts.
Adjusting employee roles or locations.
Evaluating investments from countries of concern.
Renegotiating investment agreements.
Implementing CISA Security Requirements.

LIABILITY
Violations of the DSP can lead to significant civil and/or criminal penalties, including fines up to $377,700 (adjusted for inflation) or twice the transaction’s value. Intentional or willful violations can result in fines up to $1,000,000, imprisonment for up to 20 years, or both.

COMPLIANCE TIMELINE

April 8, 2025: DSP regulations take effect.
July 8, 2025: Full compliance with DSP required.
October 6, 2025: Compliance with all DSP aspects, including audits and reporting, as may be required.

ACTIONABLE ITEMS
Companies should complete the following: 

Assess Data Holdings: Conduct thorough audits to identify sensitive personal data and government-related data and determine if it meets the DSP’s bulk thresholds (this includes information collected and transferred via online tracking technologies).
Review and Update Contracts: Amend contracts to cease prohibited transactions and ensure compliance with restricted transaction terms. This includes adding provisions prohibiting unauthorized data brokerage.
Develop Compliance Programs for Restricted Transactions: Establish a comprehensive data compliance program by October 6, 2025.
Implement Security Measures: Apply organizational, system, and data-level security measures, using technologies like data minimization, encryption, masking, and privacy-enhancing technologies.
Conduct Annual Audits: Perform annual audits to assess DSP compliance, in line with the DSP requirements, and retain them for at least 10 years.
Prepare for Annual Reporting: Ensure records are being generated in anticipation of the timely submission of annual reports for entities engaged in restricted transactions involving cloud-computing services in which 25% or more of their equity is owned, directly or indirectly, by a country of concern or a covered person.
Monitor Transactions: Regularly monitor data transactions and report any violations to the DOJ within 14 days.
Train Employees: Implement training programs to ensure understanding and compliance with DSP regulations.

CONCLUSION
The DSP represents a significant effort to protect U.S. sensitive personal and government-related data from foreign threats. Compliance is a legal necessity and a strategic measure to safeguard business operations and reputation. By understanding the DSP’s scope and implementing the steps outlined in this alert, businesses can ensure they are well-prepared to meet compliance requirements.

Best Foot Forward? Rack Room’s Privacy Policy Not Clear Enough For Dismissal

It’s becoming clear that companies that don’t treat their privacy policies as a living document are taking huge risks.
Rack Room Shoes had to learn this the hard way in a recent case out of the Northern District of California. In Smith v. Rack Room Shoes, Inc. (2025 WL 1085169, April 4, 2025), Rack Room lost a motion to dismiss regarding whether or not the Plaintiff gave consent to “the disclosures of their data by continuing to use Rack Room’s website after being notified of Rack Room’s privacy policy…The privacy policies at issue, however, contain ambiguities that prevent a finding of consent as a matter of law.”
Essentially, Rack Room had embedded code of third-party companies onto their website, including both the Meta Pixel and the Attentive Tag. The Meta Pixel would, among other things, record the user’s search queries, items viewed and placed in cart, and hashed values containing the personal information of the user. The Attentive Tag would “send messages that can contain the full URL string visited, the product purchased, and the unencrypted phone number and email that the visitor entered when making a purchase.”
These are normal use cases for these sorts of cookies and generally not a problem. However, Rack Room’s privacy policy explicitly stated that while they use cookies and beacons on their site “none of the information collected through cookies or beacons is personally identifiable.”
Oops.
Additionally, Rack Room argued that their privacy policy allows them to collect voluntarily provided personally identifiable information and share that PII with marketing partners. But the plaintiffs argued that the PII was not disclosed in isolation; combined with the browsing and purchase information, the disclosure violated the privacy policy. The Court agreed: “Plaintiffs plausibly allege…that a reasonable user would not understand Rack Room’s privacy policy to authorize such a disclosure.” Therefore, the Court denied the motion to dismiss all claims based on consent.
The Plaintiffs also made CIPA claims, which Rack Room moved to dismiss, but the Court denied those motions as well. Rack Room tried to argue that Meta and Attentive were acting as extensions, but the Court relied on Ambriz v. Google (discussed earlier on CIPAWorld). Because Rack Room knew that the Meta Pixel and the Attentive Tag intercept personal information, the Court denied the motion to dismiss.
Just multiple misses on the part of Rack Room in this case, but the main takeaway is that companies can get consent to share personal information. But the consent must accurately reflect the practices of the company. General, sweeping privacy policy language is no longer effective.
And I get it, people change pixels and tags on their site often. But that is not going to be an excuse. When companies change pixels and other tracking, there needs to be a process in place to ensure either that those pixels/cookies match the privacy policy or that the privacy policy is updated.

“I AM GOING TO ASK YOU NOT TO CALL MY HOUSE AGAIN”: Documents in TCPA Class Action Against Molina Healthcare Sealed – But It Doesn’t Seem Like that Will Help

So Molina Healthcare is facing a pretty serious TCPA class action up in Washington state.
At issue are claims a lady was tricked or duped or confused into switching to Molina from Aetna and then Molina kept calling her even after she said “I am going to ask you not to call my house again”–which is pretty clear in my view.
Plus Molina was using prerecorded calls which are automatically actionable when sent for marketing purposes without consent to either a cell phone or landline–not good for Molina.
Perhaps even worse news for Molina, they have #biglaw defending them against Avi Kaufman–one of the best class action attorneys in the nation. So I have a feeling I know where this is headed. 
I mean, you can’t say BIG LOSS without big law…
But who knows, maybe they’ll pull off a big win. We’ll see.
The Plaintiff’s class certification effort is now fully briefed and the Court just issued an order sealing some of the material designated confidential by the parties. This means nosy operators of TCPA blogs can’t comb through all the records.
Too bad.
Sealing order is Ramey v. Molina, 2025 WL 1100632 (W.D. Wash. March 20, 2025).
But what we do know is Molina (or someone acting on its behalf) allegedly called the Plaintiff and duped her into switching healthcare plans away from Aetna. When Plaintiff figured that out she switched back to Aetna but Molina kept calling. No way to know for sure if those facts are true.
Then again, according to Plaintiff’s expert Molina made hundreds of prerecorded calls to numbers within a sample set that were on the company’s internal DNC list. Plaintiff extrapolates there will be over 22,000 individuals in the full set who received approximately 200,000 prerecorded calls AFTER being asked to stop calling. Eesh.
No idea if any of this is true, of course, and a lot of the record is sealed but it seems Molina could be facing $1BB or so in exposure here. Eesh.
We’ll see what happens next.
But it’s just another example of how dangerous TCPAWorld can be, folks. If you are using prerecorded calls to contact consumers you need to make absolutely sure your internal DNC practices are in great condition and be sure to retain TOP NOTCH TCPA counsel to defend any resulting class litigation.

Sixth Circuit Creates Circuit Split on Who is a “Consumer” Under Video Privacy Protection Act

The Video Privacy Protection Act (VPPA) is a federal law aimed at prohibiting the unauthorized disclosure of a person’s video viewing history. While the VPPA was originally enacted in 1988 to prevent disclosure of information regarding an individual’s video rental history from businesses like Blockbuster, the explosion of the internet in the decades since has greatly expanded its potential reach, giving rise to countless lawsuits targeting businesses’ websites. One such case, involving the alleged disclosure of the plaintiff’s video viewing history through use of Meta’s data-tracking Pixel, was recently decided by the United States Court of Appeals for the Sixth Circuit, in a decision that serves to narrow the reach of the VPPA.
In a published opinion, the Sixth Circuit addressed the issue of who can be considered a “consumer” – and thus able to bring a claim – under the VPPA. The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Citing longstanding canons of statutory construction, the Sixth Circuit reasoned that, when read in the context of its surrounding text, the phrase “goods or services” is limited to audiovisual goods and services. The plaintiff, a subscriber to 247Sports.com’s newsletter, which contained links to videos that were accessible to anyone on the website, failed to allege that the newsletter itself was audiovisual material, and thus was not protected under the VPPA.
Notably, the Sixth Circuit’s decision was contrary to the conclusions previously reached by other Federal Courts of Appeals, specifically the Second and Seventh Circuits. Those courts had endorsed a broader interpretation of the term, considering a subscriber of any of the provider’s goods or services to be a “consumer” under the VPPA, regardless of whether the subscription was specifically for audiovisual materials. By defying this trend, the Sixth Circuit creates a circuit split that may be resolved by the Supreme Court of the United States. The defendant in the Second Circuit case on this issue has petitioned the Supreme Court to review the decision. Now, with a circuit split apparent, the Supreme Court may be more likely to intervene.
Against this uncertain backdrop, and with the wave of Meta Pixel and similar lawsuits continuing, businesses will need to carefully evaluate the operation of their websites and whether they may be subjected to a VPPA claim. The review should also include an analysis of the effectiveness of any consent provisions that the business may be relying on to avoid liability. Businesses should be aware of the risks presented by the entities they acquire or merge with whose data sharing practices may implicate the VPPA. To mitigate the risk of liability, due diligence in any such transaction should include a thorough review of the target company’s data practices, compliance with privacy regulations, and any ongoing or potential lawsuits tied to the use of tracking technology.