Valenzuela v. The Kroger Co. Chatbot Wiretapping Case Dismissed; Implications and Takeaways for Businesses

A recent noteworthy decision from a federal court in California provides helpful guidance for companies deploying chatbots and other types of tracking technology on their websites, but at the same time highlights the nuances and high wire act of safely collecting consumer information versus stepping over the line.
In Valenzuela v. The Kroger Co., the U.S. District Court for the Central District of California dismissed a proposed class action filed against the grocery chain Kroger, finding that the plaintiff did not have a viable argument under the California Invasion of Privacy Act (CIPA). Because plaintiffs’ attorneys have recently been using CIPA to bring cases against a large number of companies, this decision is potentially an important one in privacy jurisprudence. However, the narrowness of the decision leaves open other paths for plaintiffs and demonstrates the need for companies to carefully and thoughtfully assess what online tracking they conduct in order to minimize their risk of class action litigation.
The plaintiff in the case alleged Kroger, through a third-party vendor called Emplifi, unlawfully intercepted and recorded chat-based conversations between customers and Kroger’s website (i.e., communications with a “chatbot” on the website). The central claim was that Kroger “aided and abetted” Emplifi’s allegedly wrongful conduct of allowing Meta Platforms Inc. to mine data collected through Emplifi’s chatbots (including the one deployed on Kroger’s website) to gather information about user interests and target ads to those users on Meta’s social media platforms like Facebook and Instagram.
More specifically, the case was brought under Section 631(a) of CIPA which prohibits, among other things, any person from:

Tapping or making unauthorized connections with a telegraph or telephone line;
Willfully and without consent reading the contents of communications in transit;
Using information obtained via such interception; or
“Aiding, agreeing with, employing or conspiring with” any person to commit these acts.[1]

After a lengthy procedural back-and-forth, the Court allowed the plaintiff to proceed only under the “aiding and abetting” theory (the fourth prong). In its ruling, the Court emphasized that to hold Kroger liable under the fourth prong, the plaintiff needed to demonstrate that Kroger knew—or plausibly should have known—of Emplifi’s alleged unlawful eavesdropping or otherwise acted with knowledge or intent to facilitate it. The plaintiff pointed to the vendor’s marketing materials and the cost and ease with which the chatbot was installed on the Kroger website, arguing that Kroger must have known Emplifi was intercepting conversations without customers’ consent. The Court rejected this argument, holding “[i]t is not a plausible inference that because Emplifi could ‘quickly and cheaply’ deploy the bot, Kroger should have known Emplifi harvested user data.”
The Court ruled that because there was not a plausible allegation that Kroger had actual or constructive knowledge of the alleged unlawful sharing of chatbot communications with social media companies, Kroger could not be held liable for “aiding and abetting” the third parties’ alleged violation of CIPA.
What the Kroger Ruling Means for Businesses
Although this decision was made at the district court level and does not have precedential effect, the Court’s reasoning provides a roadmap of what companies should be aware of when considering integrating chatbots or other large-language-model-enabled third-party technologies into their websites. Of note, this case focused on section 631(a) of CIPA only, and did not involve section 638.51(a), which prohibits the installation of “pen registers” or “trap and trace” devices without appropriate approvals and which plaintiffs are regularly claiming applies to website tracking software. As a result, even if the rationale from the Kroger decision is extended to other cases by other courts, companies will continue to face the risks associated with claims brought under section 638.51(a). Nonetheless, there are valuable lessons to be learned from the Kroger decision and other recent court decisions:

“Knowledge” of a third party’s actions is key to a company’s liability. This includes constructive knowledge that a company could gain from the third party’s documentation and marketing communications about the capabilities of its products.
Courts will require specific, fact-based allegations showing a company’s awareness and intent regarding any purported interception of communications.
Plaintiffs with more robust support for allegations of unauthorized data collection may have more success bringing similar claims.

Additionally, and as always, litigation defense is costly and even a successful defense can be a burden on a company. Even though Kroger won in this case, it took almost three years of litigation expenses to obtain that victory. Taking proactive steps to assess website tracking tool deployment can lower the risk of litigation in the first place and avoid these costs:

Businesses should ensure that proper notice is given to, and appropriate consent is obtained from, website visitors.
When onboarding third-party software providers, businesses should conduct thorough due diligence on data collection and sharing practices.
Contractual provisions should require that any data recording or sharing be done in compliance with all applicable laws, and that providers will indemnify the business if violations arise.

Footnotes
[1] The plaintiff in this matter also sought to bring a claim under §632.7 of CIPA (illegal interception of cellular communications for individuals who used the chatbot from their internet-enabled smartphones). That claim was dismissed with prejudice in March of 2024 with the Court finding that section of CIPA only applies to communications between two or more cellular phones and not between a cellular phone and a website.

AI Governance: The Problem of Shadow AI

If you hang out with CISOs like I do, you know that shadow IT has always been a difficult problem. Shadow IT refers to “information technology (IT) systems deployed by departments other than the central IT department, to bypass limitations and restrictions that have been imposed by central information systems. While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.”
Shadow IT has been a longstanding problem because IT professionals cannot implement security measures and guidelines for systems they are unaware of.
Now that artificial intelligence (AI) is widely used for purposes including work, it is imperative that organizations address its governance, as they previously addressed employees’ use of IT assets. Otherwise, employees will use AI tools without the organization’s knowledge and outside of its acceptable use policies, exacerbating the problem of shadow AI in the organization.
A recent TechRadar article concluded that “you almost certainly have a shadow AI problem.” The risks of having shadow AI in the organization include: “the leakage of sensitive or proprietary data, which is a common issue when employees upload documents to an AI service such as ChatGPT, for example, and its contents become available to users outside of the company. But it could also lead to serious data quality problems where incorrect information is retrieved from an unapproved AI source which may then lead to bad business decisions.” And don’t forget about the problem of hallucinations.
Implementing an AI Governance Program is one way to address the shadow AI problem. AI Governance programs differ depending on business needs, but all of them address who owns the program, which AI tools are sanctioned, how AI tools can be used, guardrails around the risks of data loss, data integrity and accuracy, and user training and education. Governing the use of AI tools in an organization is similar to governing the use of IT assets. The most important thing is to get started before shadow AI gets out of hand.

Privacy Tip #436 – Microsoft Warns of Crypto Wallet Scanning Malware StilachiRAT

A Microsoft blog post reported that incident response researchers uncovered a remote access trojan in November 2024 (dubbed StilachiRAT) that “demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.”
According to Microsoft, the StilachiRAT threat actors use several methods to steal information from the victim, including harvesting credentials stored in the browser, scanning for digital wallet information, collecting system information, and capturing data stored on the clipboard.
Once inside the victim’s system, StilachiRAT scans the configuration data of 20 cryptocurrency wallet extensions for the Google Chrome browser, extracting and decrypting saved credentials from Google Chrome. The 20 cryptocurrency wallet extensions targeted are listed in the blog article. The article also lists recommended mitigations.
One takeaway from the article is to not store critical credentials in Chrome, a common and simple security measure. If a threat actor gains access to these credentials, multiple applications could be at risk. You may wish to consider which passwords you are saving in Chrome and refrain from saving the credentials for any banking or cryptocurrency platforms, as well as for access to your employer’s system. These are credentials worth memorizing.

Reminder: New York Cybersecurity Reporting Deadline April 15, 2025; New Regulations Effective May 1, 2025

Covered entities regulated by the New York State Department of Financial Services (NYDFS) must submit cybersecurity compliance forms by April 15, 2025. New sets of requirements for system monitoring and access privileges, enacted as part of 2023 amendments to the NYDFS cybersecurity regulations, will take effect on May 1 and November 1, 2025.

Quick Hits

Covered entities in New York must submit their annual cybersecurity compliance forms to the NYDFS by April 15, 2025, either certifying material compliance or acknowledging material noncompliance.
Starting May 1, 2025, new requirements will be implemented, including enhanced access management protocols, vulnerability management through automated scans, and improved monitoring measures to protect against cybersecurity threats.

In November 2023, NYDFS amended its comprehensive cybersecurity regulations with the changes set to take effect on a rolling basis over the following two years. Several amendments went into effect on November 1, 2024, and several more are set to take effect on May 1 and November 1, 2025.
The regulations apply to NYDFS-regulated entities, which include financial institutions, insurance companies, insurance agents and brokers, banks, trusts, mortgage banks, mortgage brokers and lenders, money transmitters, and check cashers. Certain large companies regulated by NYDFS (Class A companies) have additional requirements, while certain small businesses are exempt from specific regulations.
April 15 Annual Compliance Reporting Deadline
The NYDFS cybersecurity regulations require financial services companies and other covered entities to file annual notices of compliance to the superintendent of NYDFS by April 15, 2025, covering the prior calendar year. Under the amended regulations, covered entities must submit either a certification of material compliance with the cybersecurity requirements or an acknowledgment of noncompliance. In the acknowledgment of noncompliance, covered entities must (1) acknowledge the entity did not materially comply, (2) identify all sections of the regulations with which the entity has not complied, and (3) provide a “remediation timeline or confirmation that remediation has been completed.”
Covered entities must submit the certification or acknowledgment electronically using the NYDFS portal and the form on the NYDFS website.
New Requirements Effective May 1, 2025
Several requirements of the amended NYDFS cybersecurity regulations take effect on May 1, 2025, for nonexempt covered entities. Class A companies are subject to additional requirements that are not addressed below.

Access Privileges and Management

The amended regulations will require covered entities to limit user access privileges based on job function, limit the number and use of privileged accounts, periodically (but at least annually) review user access privileges, disable or securely configure protocols that permit remote control of devices, and “promptly” terminate accounts after a user’s departure. The regulations further require covered entities to implement a written password policy that meets industry standards.

Vulnerability Management

In addition to penetration testing, the amended regulations will require covered entities to perform “automated scans of information systems” and manual review of systems not covered by such scans to determine potential vulnerabilities.

System Monitoring

The amended regulations will require covered entities to implement “risk-based controls designed to protect against malicious code.” This includes monitoring and filtering web traffic and email to block malicious code.
New Requirements Effective November 1, 2025
The final batch of requirements under the amended cybersecurity regulations takes effect on November 1, 2025. Covered entities will be required to implement multifactor authentication for all individuals accessing the entity’s information systems. If the entity has a chief information security officer (CISO), the CISO “may approve in writing the use of reasonably equivalent or more secure compensating controls,” which must be reviewed at least annually.
Additionally, covered entities will be required to “implement written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems.” The policies will be required to include methods to track information for each asset and “the frequency required to update and validate” the entity’s asset inventory.
Next Steps
Covered entities may want to take steps to comply with the April 15 compliance reporting deadline and the next round of cybersecurity requirements, which will take effect on May 1, 2025. Additional requirements for certain written policies and procedures and the implementation of multifactor authentication are set to take effect on November 1, 2025.

FBI Warns of Hidden Threats in Remote Hiring: Are North Korean Hackers Your Newest Employees?

The Federal Bureau of Investigation (FBI) recently warned employers of increasing security risks from North Korean workers infiltrating U.S. companies by obtaining remote jobs to steal proprietary information and extort money to fund activities of the North Korean government. Companies that rely on remote hires face a tricky balancing act between rigorous job applicant vetting procedures and ensuring that new processes are compliant with state and federal laws governing automated decisionmaking and background checks or consumer reports.
Quick Hits

The FBI issued guidance regarding the growing threat from North Korean IT workers infiltrating U.S. companies to steal sensitive data and extort money, urging employers to enhance their cybersecurity measures and monitoring practices.
The FBI advised U.S. companies to improve their remote hiring procedures by implementing stringent identity verification techniques and educating HR staff on the risks posed by potential malicious actors, including the use of AI to disguise identities.

Imagine discovering your company’s proprietary data posted publicly online, leaked not through a sophisticated hack but through a seemingly legitimate remote employee hired through routine practices. This scenario reflects real threats highlighted in a series of recent FBI alerts: North Korean operatives posing as remote employees at U.S. companies to steal confidential data and disrupt business operations.
On January 23, 2025, the FBI issued another alert updating previous guidance to warn employers of “increasingly malicious activity” from the Democratic People’s Republic of Korea, or North Korea, including “data extortion.” The FBI said North Korean information technology (IT) workers have been “leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”
Specifically, the FBI warned that “[a]fter being discovered on company networks, North Korean IT workers” have extorted companies, holding their stolen proprietary data and code for ransom and have, in some cases, released such information publicly. Some workers have opened user accounts on code repositories, representing what the FBI described as “a large-scale risk of theft of company code.” Additionally, the FBI warned such workers “could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.”
The alert came the same day the U.S. Department of Justice (DOJ) announced indictments against two North Korean nationals and two U.S. nationals alleging they engaged in a “fraudulent scheme” to obtain remote work and generate revenue for the North Korean government, including to fund its weapons programs.
“FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “The indictments … should highlight to all American companies the risk posed by the North Korean government.”
Data Monitoring
The FBI recommended that companies take steps to improve their data monitoring, including:

“Practice the Principle of Least Privilege” on company networks.
“Monitor and investigate unusual network traffic,” including remote connections and remote desktops.
“Monitor network logs and browser session activity to identify data exfiltration.”
“Monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.”

Remote Hiring Processes
The FBI further recommended that employers strengthen their remote hiring processes to identify and screen potential bad actors. The recommendations come amid reports that North Korean IT workers have used strategies to defraud companies in hiring, including stealing the identities of U.S. individuals, hiring U.S. individuals to stand in for the North Korean IT workers, or using artificial intelligence (AI) or other technologies to disguise their identities. These techniques include “using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.”
The FBI recommended employers:

implement processes to verify identities during interviews, onboarding, and subsequent employment of remote workers;
educate human resources (HR) staff and other hiring managers on the threats of North Korean IT workers;
review job applicants’ email accounts and phone numbers for duplicate contact information among different applicants;
verify third-party staffing firms and those firms’ hiring practices;
ask “soft” interview questions about specific details of applicants’ locations and backgrounds;
watch for typos and unusual nomenclature in resumes; and
complete the hiring and onboarding process in person as much as possible.

Legal Considerations
New vendors have entered the marketplace offering tools purportedly seeking to solve such remote hiring problems; however, companies may want to consider the legal pitfalls—and associated liability—that these processes may entail. These considerations include, but are not limited to:

Fair Credit Reporting Act (FCRA) Implications: If a third-party vendor evaluates candidates based on personal data (e.g., scraping public records or credit history), the resulting evaluation may be considered a “consumer report.” The Consumer Financial Protection Bureau (CFPB) issued guidance in September 2024 taking that position as well, and to date, that guidance does not appear to have been rolled back.
Antidiscrimination Laws: These processes, especially as they might pertain to increased scrutiny or outright exclusion of specific demographics or countries, could disproportionately screen out protected groups in violation of Title VII of the Civil Rights Act of 1964 (e.g., causing disparate impact based on race, sex, etc.), even if unintentional. This risk exists regardless of whether the processes involve automated or manual decisionmaking; employers may be held liable for biased outcomes from AI just as if human decisions caused them—using a third-party vendor’s tool is not a defense.
Privacy Laws: Depending on the jurisdiction, companies’ vetting processes may implicate transparency requirements under data privacy laws, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Economic Area (EEA), when using third-party sources for candidate screening. Both laws require clear disclosure to applicants about the types of personal information collected, including information obtained from external background check providers, and how this information will be used and shared.
Automated Decisionmaking Laws: In the absence of overarching U.S. federal legislation, states are increasingly filling in the gap with laws regarding automated decisionmaking tools, covering everything from bias audits to notice, opt-out rights, and appeal rights. If a candidate is located in a foreign jurisdiction, such as in the EEA, the use of automated decisionmaking tools could trigger requirements under both the GDPR and the recently enacted EU Artificial Intelligence Act.

It is becoming increasingly clear that multinational employers cannot adopt a one-size-fits-all vetting algorithm. Instead, companies may need to calibrate their hiring tools to comply with the strictest applicable laws or implement region-specific processes. For instance, if a candidate is in the EEA, GDPR and EU AI Act requirements (among others) apply to the candidate’s data even if the company is U.S.-based, which may necessitate, at a minimum, turning off purely automated rejection features for EU applicants and maintaining separate workflows and/or consent forms depending on the candidate’s jurisdiction.
Next Steps
The FBI’s warning about North Korean IT workers infiltrating U.S. companies is the latest involving security risks from foreign governments and foreign actors to companies’ confidential data and proprietary information. Earlier this year, the U.S. Department of Homeland Security published new security requirements restricting access to certain transactions by individuals or entities operating in six “countries of concern,” including North Korea.
Employers, particularly those hiring remote IT workers, may want to review their hiring practices, identity-verification processes, and data monitoring, considering the FBI’s warnings and recommendations. Understanding and addressing these risks is increasingly vital, especially as remote hiring continues to expand across industries.

California AG Announces New CCPA Enforcement Sweep Targeting Location Data Industry

California Attorney General Rob Bonta recently announced a new enforcement sweep targeting the location data industry’s compliance with the CCPA. Specifically, the California AG sent letters to (1) mobile app providers that collect precise geolocation data about California consumers and (2) data brokers and advertising networks with whom such data is shared. The focus of the sweep is to investigate how businesses comply with the CCPA’s requirements to offer consumers the right to opt out of the sale and sharing of their personal information and to limit the use of their sensitive personal information, including geolocation data. The announcement also provides guidance to consumers on how to limit mobile device tracking features for Apple and Android users.

SEC Marketing Rule FAQs Yield New Guidance

On 19 March 2025, the Securities and Exchange Commission staff issued updated frequently asked questions (FAQs) relating to Rule 206(4)-1 under the Investment Advisers Act of 1940 (the Marketing Rule). Broadly, the updated FAQs permit the use of extracted performance (including for individual positions) and certain performance-related characteristics on a gross basis in advertisements without also showing corresponding net-of-fee information, subject to certain conditions.
This guidance comes as a welcome relief to investment advisers who have been struggling with how to present this type of information on a net-of-fee basis.
Background
The Marketing Rule, adopted in 2021, included new standardized performance presentation requirements, including that gross “performance” must always be presented with equal prominence to net-of-fees performance for the same time period. Because “performance” is not defined in the Marketing Rule, this requirement created uncertainty for investment advisers about the presentation of information related to or derived from performance information (e.g., yield, coupon rate, contribution to return, volatility, sector or geographic returns, attribution analyses, and other similar metrics) (Performance-Related Characteristics). Specifically, investment advisers were often unsure whether a given Performance-Related Characteristic was “performance” for the purposes of the Marketing Rule, and, in many circumstances, there was no clear appropriate methodology to calculate net-of-fees performance for many Performance-Related Characteristics.
In addition, under the prior version of the FAQs from 11 January 2023, the staff had taken the view that the performance of any subset of a portfolio, including a single security or position, would be considered “extracted performance” under the Marketing Rule and therefore subject to the requirement that gross performance information be accompanied by net-performance information. This requirement also created challenges for investment advisers, as it was not clear how fees and expenses should be applied to a single investment and resulted in divergent industry practices. 
The new FAQs clarify the circumstances in which investment advisers may present Performance-Related Characteristics and extracted performance (e.g., the performance of individual investments) on a gross-of-fees basis without also showing the corresponding net-of-fees performance, subject to the following conditions, which are the same for both FAQs:

The Performance-Related Characteristic or extracted performance is clearly identified as being calculated on a gross basis without the deduction of fees and expenses;
The Performance-Related Characteristic or extracted performance is accompanied by a presentation of the total portfolio’s gross and net performance consistent with the requirements of the rule;
The total portfolio’s gross and net performance is presented with at least equal prominence to, and in a manner designed to facilitate comparison with, the gross Performance-Related Characteristic or extracted performance; and
The gross and net performance of the total portfolio is calculated over a period that includes the entire period over which the Performance-Related Characteristic or extracted performance is calculated.

The FAQs also provide the following important clarifications:

The staff noted that it was not taking a position on whether any particular Performance-Related Characteristic is “performance” under the Marketing Rule, and that nonperformance characteristics would not be subject to the Marketing Rule’s conditions on performance. In other words, nonperformance characteristics do not need to be shown on a gross basis. At the same time, however, the staff made clear that total return, time-weighted return, return on investment, internal rate of return, multiple on invested capital, and total value to paid-in capital are considered “performance” under the Marketing Rule, regardless of how they are labeled.
Gross and net performance of the total portfolio does not need to be shown on the same page as the Performance-Related Characteristics or extracted performance so long as the presentation facilitates a comparison of that information with the gross and net performance of the total portfolio (e.g., presented on a page prior to the Performance-Related Characteristics).
Advisers may present Performance-Related Characteristics calculated from the gross performance of a representative account without showing the representative account’s net performance if accompanied by the gross and net performance of the representative account’s composite.
Performance-Related Characteristics and extracted performance are not required to be calculated under the one-, five-, and 10-year (or since inception) periods, provided the information presented is calculated over a single, clearly disclosed period. 

Going Forward
Advisers seeking to avail themselves of this new flexibility should review the presentation of Performance-Related Characteristics and extracted performance in their advertisements and update their disclosure and policies and procedures to ensure that their advertisements align with the new conditions. 

Kentucky Amends Consumer Privacy Law to Exempt Certain HIPAA-Covered Data

On March 15, 2025, Kentucky Governor Andy Beshear signed into law HB 473. The bill amends the Kentucky Consumer Data Protection Act (“KCDPA”) to exempt from the law’s application (1) information collected by health care providers acting as covered entities under HIPAA that maintain protected health information in accordance with HIPAA; and (2) information maintained in limited data sets by HIPAA covered entities in accordance with HIPAA’s relevant requirements. The KCDPA as amended will go into effect on January 1, 2026.

European Commission Proposes to Extend UK Adequacy Decisions

On March 18, 2025, the European Commission proposed to adopt an extension of the two adequacy decisions with the UK for a period of six months. The adequacy decisions permit the transfer of data subject to the EU General Data Protection Regulation and to the EU Law Enforcement Directive to the UK without restriction. The adequacy decisions were each granted for a period of four years, expiring on June 27, 2025, unless extended. The extensions have been proposed to allow the UK time to finalize the legislative process regarding the draft Data (Use and Access) Bill. Once finalized, the European Commission will assess whether the UK continues to provide an adequate level of protection for personal data under the new regime. If that assessment is positive, the European Commission will propose to renew the UK adequacy decisions.
The draft extension decisions will now be transmitted to the European Data Protection Board for its opinion, as part of the adoption procedure. Once approved, the extension will be valid until December 27, 2025.

BEAD Reform Raises a Number of Policy Issues and Potentially Adds Delay

Even before taking office, incoming members of the Trump Administration and some Republican members of Congress criticized various regulatory requirements in the $42.5 billion BEAD program as being unnecessarily burdensome and contributing to a perceived slow rollout of BEAD funding. The Commerce Department and Congress have now begun efforts to streamline and reform the BEAD program. The changes raise a number of questions, and if implemented as expected, will significantly impact and may delay the program.
Commerce Department Reviewing BEAD Program Rules
Last week, newly appointed Commerce Secretary Howard Lutnick announced that he has directed NTIA to launch a “rigorous review” of the BEAD program. According to Secretary Lutnick, NTIA “is ripping out the Biden Administration’s pointless requirements” and “revamping the BEAD program to take a tech-neutral approach,” which is clearly intended to eliminate the current funding preference for end-to-end fiber optic projects and pave the way for much more of the BEAD funding going to low-earth orbit (LEO) satellite or unlicensed fixed wireless broadband. NTIA is expected to release details of such rule changes in the coming days.
House Introduces “SPEED for BEAD Act”
Also last week, Congressman Richard Hudson (R-NC), Chairman of the House Communications and Technology Subcommittee, introduced legislation to revise and expedite the deployment of the BEAD program to get “shovels into the ground as soon as possible.”[1] H.R. 1870, The Streamlining Program Efficiency and Expanding Deployment (“SPEED”) for BEAD Act would eliminate certain BEAD requirements that are viewed by the bill’s supporters as being politically driven, overly bureaucratic, and not tied to the underlying goals of deploying broadband infrastructure.
1. Certain BEAD Requirements Removed
Among other things, the SPEED for BEAD Act would prohibit NTIA and eligible entities (e.g., states) from conditioning or scoring BEAD subrecipient awards based on:

Prevailing wage laws;
Labor agreements;
Local hiring;
Climate change;
Regulation of network management practices, including data caps;
Open access; and
Diversity, equity, and inclusion.

2. Amend Definition of Reliable Broadband Service
Under the BEAD statute, funding will be made available for projects serving “unserved locations” and “underserved locations”[2] lacking access to “reliable broadband service.” The legislation would amend and broaden the definition of “reliable broadband service” to include “any broadband service that meets the applicable performance criteria without regard to the type of technology by which service is provided.” This would reverse the current NTIA requirements, which exclude locations “served exclusively by satellite, services using entirely unlicensed spectrum, or a technology not specified by the Commission for purposes of the Broadband DATA Maps.”[3] This will enable LEO and unlicensed fixed wireless providers to participate more broadly in the BEAD program as providers of “reliable broadband service,” if they meet certain performance requirements to be set by NTIA. It may also exclude from BEAD eligibility locations already served by such services.
3. Prohibition on Rate Regulation
The legislation would prohibit the imposition of rate regulation of broadband services provided over BEAD-funded network facilities. This includes prohibiting NTIA or any state or territory from regulating, setting, capping, or otherwise mandating the rates charged for broadband service by BEAD subrecipients, or the use of rates as part of an application scoring process. The Act does not remove the low-cost service option requirement from the BEAD statute, but instead prohibits eligible entities from imposing specific low-cost service requirements.
4. Ability to Remove High Cost Locations From a Project Area
The legislation would provide a mechanism for subrecipients to remove locations from a project area that the subrecipient “determines would unreasonably increase costs or is otherwise necessary to remove.” The provision raises several questions as to how and when such determinations can be made by the subrecipient. States and territories would apparently award a separate subgrant to address such removed locations, presumably creating additional opportunities for BEAD-funded LEO service.
5. Elimination of LOC Requirement
The legislation would also eliminate the requirement for a BEAD subrecipient to provide a letter of credit (“LOC”) if the provider has commercially deployed a similar network using similar technologies and is either: (a) seeking funding that is less than 25% of the provider’s annual gross revenues; or (b) seeking to serve a number of locations that is less than 25% of the provider’s total number of existing service locations. These revisions would tend to benefit larger service providers, and would likely be of less benefit to new entrants or smaller providers, for whom LOC requirements often present a greater challenge.
Questions Raised by Impact of Reform Effort
While some stakeholders have already embraced a streamlining of the BEAD program rules, it must be noted that the proposed reforms are coming at a time when funding is about to be disbursed. NTIA has already approved Initial Proposals for all states and territories, and most of them have either already selected subrecipients, or are in the later stages of doing so. While the reform efforts at Commerce and in Congress are aimed at getting “shovels in the ground” as soon as possible, the reform initiatives – and resulting policy and legal questions – may well impose additional delay.
Introducing sweeping changes to BEAD at this stage raises thorny questions on whether some of the new rules can and should be applied mid-way through the award selection process, and after the application windows have closed. It should also be noted that despite concerns that the existing rules would result in low participation, many states are reporting strong bidder participation. Applicants around the country spent millions of dollars developing business plans, forging partnerships, locking down inventory, mapping out participation strategies, and developing detailed applications, all in reliance on the existing rules. Many other entities elected not to participate in BEAD based on the existing rules. Will they have any recourse to participate based on the new rules?
Finally, the broadband ecosystem is in a constant state of flux, with new privately funded networks coming online all of the time. Many state broadband offices, at the direction of NTIA, have been hesitant to revise their BEAD maps to remove locations after the “challenge” period. If there are now going to be additional delays in BEAD awards, what will be the impact on the existing maps? Will NTIA allow states to revise eligible locations to account for new deployments based on new updated data reported in the next Broadband Data Collection?
While targeted reforms aimed at enabling BEAD to better meet its underlying goal of providing all Americans with robust broadband connectivity make sense, care must be taken to ensure that such reforms do not themselves cause undue delays or undermine state processes that are working reasonably well.

[1] Chairman Hudson’s Opening Statement at Subcommittee on Communications and Technology Hearing on Rural Broadband
[2] Defined respectively as a location lacking access to “reliable broadband service” of 25/3 Mbps, with latency of less than 100 ms, and a location lacking access to reliable broadband service of 100/20 Mbps, with latency of less than 100 ms.
[3] NTIA BEAD Notice of Funding Opportunity

ALERT: Delete, Delete, Delete—FCC Calls for Comment on Which Rules Should be Eliminated

On March 12th, 2024, the Federal Communications Commission (FCC) issued a Public Notice (“Notice”) seeking comment on which FCC rules should be repealed or modified to alleviate “unnecessary regulatory burdens” and enhance investment and innovation in telecommunications networks. Along with inviting general feedback on which rules to eliminate, the Notice also urges commenters to consider several policy factors in their analysis, including:

Cost-Benefit Considerations: Commenters should consider whether the costs of a regulation exceed its benefits, and whether eliminating or modifying a rule could result in greater benefits.
Experience Gained from Implementation: Commenters should consider whether experience from implementing a rule indicates that it is unnecessary or ineffective in achieving its intended objectives.
Marketplace and Technological Changes: Commenters should consider whether changes in the marketplace or technology have rendered existing rules unnecessary or outdated.
Regulation as a Barrier to Entry: Commenters should consider whether certain regulations potentially hinder competition by imposing unequal costs on large and small businesses.
Changes in the Broader Regulatory Context: Commenters should consider whether changes in other regulatory frameworks or the adoption of industry standards make certain FCC rules unnecessary or inappropriate.
Changes in the Governing Legal Framework: Commenters should consider reviewing rules in light of changes to the statutory provisions they implement or recent legal decisions, such as the Supreme Court’s Loper Bright decision.
Other Considerations: Commenters should consider situations where case-by-case review would be more appropriate than applying a bright line rule to meet regulatory objectives. Commenters should also consider rules that are no longer operative and rules that are sunsetting or awaiting further review.

Comments are due April 11, 2025 and reply comments are due April 28, 2025.
Taiye Kolawole also contributed to this article.

California AG Again Enjoined from Implementing California Age Appropriate Design Code Act

On March 13, 2025, the U.S. District Court for the Northern District of California granted a second motion for preliminary injunction in favor of the technology trade group NetChoice. The injunction once again enjoins the California Attorney General from enforcing the California Age Appropriate Design Code Act (the “AADC” or “Code”), which was originally intended to take effect on July 1, 2024. The District Court determined that NetChoice is likely to succeed on claims raised in its amended complaint that the AADC is facially invalid under the First Amendment guarantee of free speech. As a result, the California AG is immediately enjoined from enforcing the Code during the pendency of the litigation.
The claims of free speech infringement stem primarily from the Code’s requirement for covered businesses to perform a data protection impact assessment (“DPIA”) to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product or feature, and provide the DPIA to the California Attorney General upon written request. NetChoice asserts that on this basis the Code violates the expressive rights of NetChoice and its members and is void for vagueness under the First Amendment.
An injunction previously granted by the District Court in respect of the Act’s 2023 implementation was partially upheld by a Ninth Circuit panel in August of 2024, with respect to the DPIA requirement and provisions of the Code not grammatically severable from the DPIA requirement, including notice and cure provisions with respect to non-compliance. The Ninth Circuit vacated the rest of the district court’s first ruling and remanded the case to assess other provisions of the Code in more detail and consider whether the law’s unconstitutional provisions are severable from the remainder of the law.
The District Court determined that the AADC is not sufficiently narrowly tailored (under the strict scrutiny standard) to achieve its interest in protecting children online. On the basis that NetChoice has a colorable First Amendment claim, it would suffer irreparable harm if the Code were to take effect. The District Court also found that the enjoined DPIA provisions are not volitionally severable from the remainder of the AADC, though they are functionally severable.
The District Court determined, on the other hand, that NetChoice had not shown that it is likely to succeed on certain other claims, such as that the AADC was pre-empted by the federal Communications Decency Act or by the Children’s Online Privacy Protection Act.