Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended

Montana recently amended its privacy law through Senate Bill 297, effective October 1, 2025, strengthening consumer protections and requiring businesses to revisit their privacy policies that apply to citizens of Montana. Importantly, it lowered the threshold for applicability to persons and businesses who control or process the personal data of 25,000 or more consumers (previously 50,000), unless the controller uses that data solely for completing payments. For those who derive more than 25% of gross revenue from the sale of personal data, the threshold is now 15,000 or more consumers (previously 25,000).
With the amendments, nonprofits are no longer exempt unless they are set up to detect and prevent insurance fraud. Insurers are now similarly exempt.
When a consumer requests confirmation that a controller is processing their data, the controller must no longer disclose the following items themselves but must identify that it possesses them: (1) social security numbers, (2) ID numbers, (3) financial account numbers, (4) health insurance or medical identification numbers, (5) passwords, security questions, or answers, or (6) biometric data.
Privacy notices must now include: (1) personal data categories, (2) controller’s purpose in possessing personal data, (3) categories controller sells or shares with third parties, (4) categories of third parties, (5) contact information for the controller, (6) explanation of rights and how to exercise them, and (7) the date privacy notice was last updated. Privacy notices must be accessible to and usable to people with disabilities and available in each language in which the controller provides a product or service. Any material changes to the controller’s privacy notice or practices require notices to affected consumers and the opportunity to withdraw consent. Notices need not be Montana-specific, but controllers must conspicuously post them on websites, in mobile applications, or through whatever medium the controller interacts with customers.
The amendments further clarified information the attorney general must publicly provide, including an online mechanism for consumers to file complaints. Further, the attorney general may now issue civil investigative demands and need not issue any notice of violation or provide a 60-day period for the controller to correct the violation.

OIG Favorable Advisory Opinion on Physician Practice’s Arrangement with Telehealth Platform and Recent Corporate Practice of Medicine Developments

On June 11, 2025, the Department of Health and Human Services Office of Inspector General (OIG) issued a favorable advisory opinion on a proposed arrangement where a physician practice managed by a management services organization (MSO) would engage telehealth-based practices and platforms (collectively, Telehealth Companies) to provide telehealth services, including leasing health care professionals and maintaining the telehealth platform. The physician practice would submit claims for the telehealth services under its own private and government payor contracts. This advisory opinion addresses an increasingly common telehealth delivery model aimed at increasing the availability of health plan coverage for telehealth services, particularly in recent years with the rise in popularity of GLP-1 drugs for managing obesity.
The Proposed Arrangement
The advisory opinion was requested by an MSO and a physician practice wholly owned by a physician shareholder whose underlying arrangement was presumably designed to comply with state prohibitions on the corporate practice of medicine (CPOM). State CPOM provisions generally bar a business corporation from practicing medicine or employing physicians to provide medical services. Under the proposed arrangement, the physician practice would engage the Telehealth Companies, which would (i) lease health care professionals to the physician practice for the provision of professional telehealth services; (ii) provide accounting services (e.g., collecting patients’ copays); (iii) provide online marketing services; and (iv) maintain the telehealth platform. The physician practice would pay hourly rates to lease the health care professionals and an administrative fee for the non-clinical services provided by the Telehealth Companies. The requesters certified that the fees were consistent with fair market value as established by a third-party valuator and that the physician practice would pay the fees regardless of whether the practice was ultimately reimbursed by payors for the telehealth services. 
The requestors noted that the Telehealth Companies often have limited in-network contracts with health plans, which can result in reduced access to covered telehealth services and higher out-of-pocket costs for patients—especially those in rural and underserved communities. To address this, the arrangement allows for referrals between the Telehealth Companies and the physician practice when both maintain contracts with the same payor. For example, a Telehealth Company may serve patients in one state, while referring patients from another state to the physician practice, thereby expanding access to in-network care.
OIG’s Analysis
The OIG determined that the arrangement would implicate the federal Anti-Kickback Statute (AKS) since the physician practice would pay remuneration in the form of service fees and the physician practice would receive patient referrals from the Telehealth Companies. But ultimately, the OIG reached a favorable determination based on the requesters’ certification that the proposed arrangement would fully satisfy the AKS’s personal services and management contracts safe harbor including outcomes-based payment arrangements. This safe harbor protects service arrangements meeting certain requirements, including that the methodology for determining the compensation related to the services is set in advance, the compensation is consistent with fair market value in arms-length transactions, and the compensation does not take into account the volume or value of any referrals or other business generated between the parties for which payment may be made by federal health care programs.
GLP-1 Manufacturers’ Lawsuits Against Telehealth Companies
The types of medical services contemplated under the proposed arrangement include obesity management care and the arrangement is reminiscent of the models adopted by a number of telehealth companies focused on managing obesity using drugs commonly known as GLP-1s. In recent years, there has been a rise in telehealth companies partnering with compounding pharmacies, physician practices and/or med spas to compound, prescribe, and distribute compounded versions of GLP-1s. The Food and Drug Administration (FDA) temporarily permitted the compounding of GLP-1s during a nationwide shortage that lasted for about two years and ended by mid-March 2025.
Subsequently, manufacturers of FDA-approved GLP-1s have filed lawsuits against multiple Telehealth Companies alleging that the Telehealth Companies are making compounded versions of their drugs illegally and without approval from FDA. Moreover, in two lawsuits filed by Eli Lilly in April 2025, the manufacturer introduced a novel argument that the Telehealth Companies are violating California’s CPOM law by unduly controlling or influencing prescribing decisions. Both Telehealth Companies are structured as MSOs managing physician-owned physician practices. To comply with state CPOM laws, physician practices must maintain autonomy over clinical decision-making and MSOs must refrain from exercising control over clinical decision-making. However, in both lawsuits, Eli Lilly alleges that the Telehealth Companies (and not the physician practices) provide insufficiently “personalized” medical advice to patients and switch patients’ dosages in violation of California’s CPOM statute. 
The advisory opinion in support of, and the lawsuits challenging, these common MSO arrangements have emerged against a backdrop of increased interest in CPOM enforcement by the states. As discussed in another recent post, Oregon and Massachusetts are the latest examples of states aiming to impose additional restrictions on the MSO model. 

OIG Green Lights MSO Model Arrangement for Telehealth Platforms in New Advisory Opinion

On June 11, 2025, the Department of Health and Human Services Office of Inspector General (OIG) published Advisory Opinion 25-03 (the Advisory Opinion), in which OIG approved of a proposed arrangement under which a management support organization and a physician-owned professional corporation (the Requestors) would enter into an arrangement involving the leasing of clinical employees and provision of certain administrative services related to payor contracting to support the delivery of telehealth services through online platforms. OIG determined that the proposal was protected by a safe harbor under the federal anti-kickback statute (AKS), and therefore the fees payable between the parties thereunder did not constitute prohibited remuneration under the AKS.
Background
Parties Involved
The Requestors include a management support organization that provides non-clinical support services (Requestor MSO), and a physician-owned professional corporation that maintains provider network participation contracts with commercial, Medicare Advantage, and Medicaid plans (Requestor PC) but does not otherwise employ or engage with clinical staff.
Proposed Telehealth Services Platform Arrangement
Under the proposal (Proposed Arrangement), the Requestors would contract with third-party online telehealth platforms – comprised of management services organizations that furnish management services to telehealth providers (Platform MSOs) and telehealth provider entities (Platform PCs) – to lease clinicians from the Platform PCs and obtain certain administrative services from the Platform MSOs. According to the Advisory Opinion, the Proposed Arrangement is intended to expand access to in-network services for patients of the Platform PCs, many of whom are “negatively impacted by limited access to insurance-covered telehealth services furnished by Platform PCs” especially in underserved and rural areas. The Requestor PC would credential the clinicians leased from the Platform PCs, and such leased clinicians would furnish services to their patients under Requestor PC’s contracted plans. In conjunction with this clinical arrangement, the Platform MSOs would provide ancillary administrative services to Requestor PC, including accounting (which OIG characterizes as including the collection of patient cost-sharing amounts for services rendered), marketing, administrative support (e.g., support for scheduling of clinical visits), and IT services (e.g., provision of a HIPAA-compliant online platform for receipt of synchronous telehealth services). Requestor PC would pay hourly fees for the leased clinicians and an administrative fee for the non-clinical administrative services, which would be consistent with fair market value for the services rendered as determined by a third-party valuation consultant.
As part of their request for the Advisory Opinion, Requestor MSO and Requestor PC certified that the Proposed Arrangement would meet all conditions of the AKS safe harbor for personal services and management contracts and outcomes-based payment arrangements, including by noting that the methodology for determining the fees would be set in advance and not take into account volume/value of any referrals or other business generated between the parties. Additionally, the fees would be payable regardless of whether Requestor PC was reimbursed by a payor for the visit.
OIG Analysis
Federal Anti-Kickback Statute
The OIG explained that because the Requestor PC offers and pays remuneration to the Platform PC and/or Platform MSO for services rendered, the AKS is implicated whenever the Platform PC refers a patient to Requestor PC. The OIG therefore evaluated whether the Proposed Arrangement could violate the AKS, which prohibits offering, paying, accepting, or soliciting remuneration in exchange for referrals of items or services paid for by federal programs, or in exchange for the purchasing, leasing, ordering of, or arranging for the order of any good, facility, service, or item reimbursed under a federal health care program. Remuneration under the AKS can include anything of value, and violators of the AKS are subject to criminal and civil sanctions, including imprisonment, fines, civil monetary penalties, and exclusion from federal health care programs.
AKS Safe Harbor Requirements and Further Structural Safeguards
The broad scope of the AKS is subject to certain statutory and regulatory safe harbors, which establish protections from scrutiny thereunder for arrangements that meet all required criteria of a safe harbor. As OIG notes, safe harbor compliance “is voluntary” and “arrangements that do not comply with a safe harbor are evaluated on a case-by-case basis.”
In this Advisory Opinion, OIG affirmed that the Proposed Arrangement satisfies the requirements of the “personal services and management contracts and outcomes-based payment arrangements” safe harbor codified at 42 C.F.R. § 1001.952(d), after reviewing the key elements of the Proposed Arrangement and the criteria necessary to comply with such safe harbor.
OIG described the following structural safeguards of the Proposed Arrangement that are compliant with the safe harbor:

The Proposed Arrangement will be memorialized in a written agreement signed by the parties, will have a term of at least one year, and the agreement will clearly describe the duties of, and services provided by all parties involved;
The payments—both for the services of the leased clinicians from each Platform PC, and for the administrative services provided by Platform MSO—are fixed in advance and in line with fair market value, not determined based on volume or value of any referrals or other business generated between the parties, and are payable regardless of whether the Requestor PC is reimbursed by payors for services rendered; and
The Proposed Arrangement would be commercially reasonable even if no referrals resulted from the Proposed Arrangement, the services contracted for are reasonably necessary to accomplish the purpose of the Proposed Arrangement, and the parties are not involved in counseling or promoting any business activity that would violate federal or state law.

The OIG cautioned that this Advisory Opinion is limited to the Proposed Arrangement only, and does not cover additional arrangements or referrals outside of the Proposed Arrangement that may exist between the Platform PC, Platform MSO, Requestor PC and Requestor MSO. The OIG further cautioned that the Advisory Opinion is binding only on the Department of Health and Human Services and not on other government agencies (e.g., the Department of Justice).
Takeaways
The Advisory Opinion is notable for the complexity of the Proposed Arrangement and the potentially broad scope of its impact given the reported scope of Platform PC’s payor contracting activities (exceeding 400 payor contracts that cover 80% of all commercially covered lives and 65% of Medicare Advantage covered lives). The Advisory Opinion also acknowledges the role played by management services and support organizations in connection with care delivery, and particularly telehealth services delivered in connection with the Proposed Arrangement. The Advisory Opinion’s conclusion is also noteworthy because OIG did not take the approach it often takes in Advisory Opinions under the AKS, namely determining that the arrangement could result in prohibited remuneration but that OIG would exercise its discretion not to pursue sanctions given the safeguards present. OIG instead went further and determined that there was no prohibited remuneration because the arrangement met the safe harbor. It accordingly may provide a potential model for other management services and care delivery organizations to consider for their arrangements. We will continue to monitor any guidance or additional advisory opinions that OIG issues on these topics.
This article was co-authored by Ivy Miller

Beyond Copyright: Reddit’s Lawsuit Against Anthropic

On June 4, 2025, Reddit, Inc. (“Reddit”) filed suit against Anthropic, PBC (“Anthropic”) in the Superior Court of California, alleging that Anthropic scraped and commercially exploited Reddit user data—including deleted posts—without consent or compensation.[1] Unlike recent enforcement efforts that have centered on establishing copyright infringement liability, Reddit’s complaint brings five causes of action—breach of contract, unjust enrichment, trespass to chattels, tortious interference, and unfair competition—reflecting a strategic choice to deploy contractual and privacy-based claims to address Anthropic’s allegedly unauthorized scraping of Reddit data.[2]
Reddit alleges that Anthropic trained its AI models (e.g., Claude) on public Reddit posts and comments scraped between December 2021 through October 2024.[3] Public statements by Anthropic researchers identify Reddit subreddits—such as r/explainlikeimfive, r/changemyview, and r/WritingPrompts—as “good samples” for fine-tuning training inputs.[4]
According to the complaint, Reddit grants licensed AI partners conditional access to its archive only through a designated “Compliance API” which alerts licensees when content has been deleted by users.[5] AI partners are then contractually required under their licenses with Reddit to cease ongoing use of such material, thereby respecting users’ privacy rights.[6] Anthropic, however, allegedly refused to enter such an agreement yet nevertheless continued unauthorized access to the Compliance API, using the data for commercial purposes, in violation of Reddit’s license terms.[7] Despite Reddit’s technological controls, including robots.txt directives and IP rate limits, Anthropic’s bots are alleged to have bypassed these defenses, generating over 100,000 unauthorized API calls and imposing significant server-capacity costs on Reddit.[8] These documented costs allegedly quantify the tangible economic injury to Reddit’s infrastructure, forming the basis for its claims for trespass to chattels, breach of contract, and unfair competition.[9] At the heart of Reddit’s breach-of-contract claim is Anthropic’s alleged violation of key provisions in the Reddit User Agreement—specifically, the prohibition on “commercially exploit[ing]” Reddit content, the restriction on unauthorized scraping, and the improper access and use of Reddit’s Compliance API to continue using deleted or restricted content without permission.[10]
Reddit’s strategy appears designed to highlight the consequences of using data without a license, while sidestepping unsettled copyright defenses in AI contexts.[11] According to Reddit’s complaint, without a license, Reddit cannot enforce deletion requests, monitor privacy compliance through its Compliance API, or restrict sensitive data (e.g., sexually explicit content) from being included in AI training sets—in contrast to the clear operational boundaries enforced with licensed partners.[12]
While Reddit did not include copyright claims in its complaint, Anthropic could still argue that Reddit’s non‑copyright claims are preempted by the Copyright Act because they concern how Anthropic allegedly “used” and “reproduced” user-generated content, which closely aligns with the exclusive rights of reproduction and distribution under federal copyright law.[13] Under the copyright preemption doctrine, state-law claims are invalid if they rest on rights equivalent to those protected by copyright—meaning that breach-of-contract, unjust enrichment, and unfair-competition allegations tied to content use may fail.[14] Tortious interference, however, typically survives preemption because it addresses improper disruption of contractual or business relationships, not copying itself.[15]
For content creators, social platforms, and rightsholders, Reddit’s lawsuit illuminates a crucial reality: technical restrictions alone may not reliably prevent scraping, commercialization, or misuse of data. While tools like API gating, robots.txt, and rate-limiting are essential and recommended, determined actors may still evade these defenses. As a result, platforms should complement technical controls with legally enforceable terms and conditions, formal licensing arrangements (including compliance obligations and takedown mechanisms), real-time monitoring of API access and usage, documentation of server impact to demonstrate tangible harm, and embedded privacy controls to respect user deletions and data rights. Moreover, having a clear escalation plan—up to litigation—ensures those protections are not just theoretical. As the legal framework for AI training continues to evolve, this case offers unique insight into the importance of proactive governance, technical diligence, and contract-backed enforcement mechanisms to preserve platform integrity and safeguard user trust.
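The paragraph above recommends real-time monitoring of API access and documenting server impact alongside robots.txt and rate limits. The following Python script is an added example, not code from the article or from Reddit, showing what such monitoring looks like in its simplest form: it parses constructed combined-format access-log lines, reads Disallow rules from a constructed robots.txt, and produces a per-client tally of request count, bytes served, requests to disallowed paths, and peak requests per minute, flagging clients that exceed a configurable per-minute limit or touch disallowed paths. The IP addresses, paths, user agents and the limit of five requests per minute are all invented for the example; the robots.txt parser deliberately ignores User-agent groups and treats every Disallow line as applying to all clients.

```python
"""Tally access-log activity per client and flag rate-limit and robots.txt
violations. Added example with constructed input; not the article's or any
platform's own code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed robots.txt (hypothetical rules). User-agent groups are ignored:
# every Disallow line is treated as applying to all clients.
ROBOTS_TXT = """User-agent: *
Disallow: /api/compliance/
Disallow: /admin/
"""

# Constructed combined-format log lines. IPs are documentation ranges,
# paths and user agents are made up. Client 203.0.113.7 sends six requests
# in one minute, two of them to a disallowed path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /r/example/top HTTP/1.1" 200 5120 "-" "crawler-x/1.0"
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /api/compliance/deleted?since=0 HTTP/1.1" 403 0 "-" "crawler-x/1.0"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /r/example/comments/1 HTTP/1.1" 200 4096 "-" "crawler-x/1.0"
203.0.113.7 - - [10/Jun/2025:12:00:04 +0000] "GET /r/example/comments/2 HTTP/1.1" 200 4096 "-" "crawler-x/1.0"
203.0.113.7 - - [10/Jun/2025:12:00:05 +0000] "GET /api/compliance/deleted?since=0 HTTP/1.1" 403 0 "-" "crawler-x/1.0"
203.0.113.7 - - [10/Jun/2025:12:00:06 +0000] "GET /r/example/comments/3 HTTP/1.1" 200 4096 "-" "crawler-x/1.0"
198.51.100.4 - - [10/Jun/2025:12:00:10 +0000] "GET /r/example/top HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:12:01:30 +0000] "GET /r/example/comments/1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_disallow(robots_txt):
    """Return the path prefixes listed on Disallow lines (non-empty only)."""
    prefixes = []
    for line in robots_txt.splitlines():
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                prefixes.append(value)
    return prefixes


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def analyze(records, disallowed, limit_per_minute):
    """Aggregate per client and attach flags for the two policy violations."""
    per_client = defaultdict(lambda: {
        "requests": 0, "bytes": 0, "disallowed_hits": 0,
        "minutes": defaultdict(int),
    })
    for r in records:
        c = per_client[r["ip"]]
        c["requests"] += 1
        c["bytes"] += r["bytes"]  # bytes served: the raw material of a server-impact record
        if any(r["path"].startswith(p) for p in disallowed):
            c["disallowed_hits"] += 1
        c["minutes"][r["ts"].replace(second=0, microsecond=0)] += 1

    report = {}
    for ip, c in per_client.items():
        peak = max(c["minutes"].values())
        flags = []
        if peak > limit_per_minute:
            flags.append("rate_limit_exceeded")
        if c["disallowed_hits"]:
            flags.append("robots_disallowed_path")
        report[ip] = {
            "requests": c["requests"], "bytes": c["bytes"],
            "disallowed_hits": c["disallowed_hits"],
            "peak_per_minute": peak, "flags": flags,
        }
    return report


def scraping_report(log_text=SAMPLE_LOG, robots_txt=ROBOTS_TXT, limit_per_minute=5):
    """Convenience entry point: parse both inputs and return the per-client report."""
    return analyze(parse_log(log_text), parse_disallow(robots_txt), limit_per_minute)


if __name__ == "__main__":
    for ip, summary in scraping_report().items():
        print(ip, summary)
```

Run against the constructed input, the crawler client is reported with six requests, 17,408 bytes served, two disallowed-path hits and both flags set, while the ordinary client carries no flags. The per-client byte and request totals are the figures a platform would retain as evidence of infrastructure impact; a production version would read rotating logs continuously rather than a string, and would key on authenticated API identity where it is available rather than on source IP alone.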

FOOTNOTES
[1] Complaint, Reddit, Inc. v. OpenAI, Inc., No. CGC-25-625892 (Cal. Super. Ct. S.F. Cnty. June 4, 2025), https://redditinc.com/hubfs/Reddit%20Inc/Content/PDFs/Docket%20Stamped%20Complaint.pdf.
[2] See id.
[3] Complaint, supra note 1.
[4] Amanda Askell et al., A General Language Assistant as a Laboratory for Alignment, arXiv (Dec. 9, 2021), arXiv:2112.00861, at 35.
[5] Complaint, supra note 1.
[6] Id.
[7] Id.
[8] Id.
[9] See id.
[10] Complaint, supra note 1.
[11] Id.
[12] Id.
[13] See id.
[14] See 17 U.S.C. § 301 (2023).
[15] Id.
Chandler Lawn also contributed to this article.

DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities

Go-To Guide

The Department of Justice’s new Data Security Program (DSP), effective April 8, 2025, imposes significant restrictions on U.S. government contractors and global companies that handle sensitive U.S. personal or government-related data. 
U.S. persons and organizations that transfer, share, or provide access to such data must assess whether their transactions involve designated countries of concern and covered persons. 
The DSP requires new due diligence, recordkeeping, reporting, and annual auditing obligations, with full enforcement beginning July 8, 2025. Non-compliance can result in severe civil and criminal penalties.

On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, Implementation and Enforcement Policy, and FAQs for its Data Security Program (DSP), finalized pursuant to Executive Order 14117 and 28 C.F.R. Part 202. The DSP is primarily designed to prevent certain cross-border data flows and transactions. Individuals and companies subject to the DSP are required to comply with new security requirements, reporting and recordkeeping duties, and due diligence rules.
The recently issued guidance makes evident NSD’s intent to make the DSP an enforcement priority for this administration. Access to Americans’ bulk sensitive or personal data or U.S. government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. The DSP is currently subject to a 90-day initial enforcement period, which is a limited enforcement window to give individuals and companies additional time to bring their transactions and processes into compliance with the DSP. After July 8, 2025, NSD will implement full enforcement of the DSP. 

Workplace Strategies Watercooler 2025: A Ransomware Incident Response Simulation, Part 1 [Podcast]

In part one of our Cybersecurity installment of our Workplace Strategies Watercooler 2025 podcast series, Ben Perry (shareholder, Nashville) and Justin Tarka (partner, London) discuss key factors employers should consider when facing ransomware incidents. The speakers begin by simulating an incident response and outlining the necessary steps to take after a security breach occurs. Justin and Ben, who is co-chair of the firm’s Cybersecurity and Privacy Practice Group, discuss best practices when investigating a ransomware incident, assessing the impact of the incident, containing the situation, communicating with stakeholders, fulfilling notification requirements, and adhering to reporting obligations. The speakers also address considerations when responding to ransom requests, including performing a cost-benefit analysis regarding payment, reviewing insurance coverage, identifying potential litigation risks, fulfilling ongoing notification obligations, addressing privacy concerns, and more.

PHANTOM TCPA SETTLEMENT?: Numerous Outlets Are Reporting Credit One Has Settled a TCPA Class Action for $14MM– But Has It?

Weird one for you today.
A number of outlets are reporting Credit One has settled a TCPA class action for $14MM:

https://www.fxstreet.com/analysis/credit-one-bank-sentenced-what-you-need-to-know-about-the-14-million-class-action-settlement-202506161408
https://www.msn.com/en-us/money/other/credit-one-bank-prepares-compensation-for-affected-clients-will-distribute-14-million/ar-AA1Ga67y
https://selendroid.io/credit-one-bank-settlement/
https://www.timesnownews.com/world/us/us-news/credit-one-bank-lawsuit-settlement-key-dates-eligibility-rules-and-how-to-file-a-claim-article-151726973
https://www.hindustantimes.com/world-news/us-news/credit-one-settlement-payment-heres-what-to-know-about-eligibility-amount-and-time-101747025013041.html
https://www.timesnownews.com/world/us/us-news/credit-one-bank-14m-tcpa-robocall-settlement-eligibility-and-payout-details-article-151785865

This is obviously big news. A settlement of that size is noteworthy, especially since class members are apparently to receive $1,000.00 each.
Only problem– it doesn’t seem to have actually happened.
All of these articles discuss the claims process and the amount of the settlement but NONE of them cite the court or case number.
I’ve checked the dockets and don’t see the settlement anywhere.
It appears the articles are confusing a different settlement unrelated to the TCPA and–insanely–citing back to a Reddit article from a few weeks ago as their source.
I invite my wonderful readers to look into this further. Perhaps I am missing something, but I don’t think so.
What can ya’ll dig up?

OCR Secures Two HIPAA Settlements Addressing Insider Threats and Ransomware Vulnerabilities

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced two settlements over alleged violations of the HIPAA Security Rule — one with BayCare Health System, a Florida health care provider, and the other with Comstar, LLC, a Massachusetts billing services company — underscoring the agency’s continued HIPAA enforcement focus. Both settlements emphasize the importance of HIPAA compliance, particularly with respect to implementing proper access controls, conducting HIPAA risk analyses, and maintaining comprehensive security protocols to safeguard electronic protected health information (ePHI).
In the BayCare matter, OCR investigated a complaint involving the alleged unauthorized access and disclosure of a patient’s medical records. According to OCR, a former non-clinical staff member affiliated with a physician practice accessed BayCare’s electronic medical record system and later shared images and video recordings of the complainant’s medical records. Although the physician’s practice had access to BayCare’s systems for continuity of care purposes, OCR determined that BayCare failed to appropriately restrict access to sensitive data and did not implement sufficient oversight mechanisms to monitor system activity.
OCR’s investigation revealed several potential violations of the HIPAA Security Rule. Specifically, OCR alleged that BayCare had not implemented adequate policies and procedures for authorizing access to ePHI and had not taken reasonable steps to reduce known risks and vulnerabilities. In addition, the provider allegedly failed to regularly review information system activity as required by the Security Rule. To resolve the matter, BayCare agreed to pay $800,000 and implement a two-year corrective action plan monitored by OCR. The plan requires BayCare to conduct a thorough HIPAA risk analysis, develop a risk management plan, revise its HIPAA policies and procedures as appropriate, and train its workforce on HIPAA compliance obligations related to ePHI access and data security.
In a separate action, OCR reached a settlement with Comstar, LLC, a business associate providing billing and related services to emergency ambulance services. The case arose from a ransomware breach reported in May 2022, which affected the ePHI of over 585,000 individuals. OCR determined that Comstar had not conducted a proper HIPAA risk analysis to identify potential security vulnerabilities.
The affected data in the Comstar breach included clinical information such as medical assessments and medication records. At the time of the incident, Comstar served as a business associate to more than 70 covered entities. To settle the alleged HIPAA violations, Comstar agreed to pay $75,000 and enter into a two-year corrective action plan. The plan requires Comstar to conduct a comprehensive HIPAA risk analysis, implement a risk management strategy, update its written HIPAA policies and procedures as appropriate, and ensure workforce training on HIPAA compliance.
Acting OCR Director Anthony Archeval emphasized that security failures can make HIPAA-regulated entities attractive targets. “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks,” he said, adding that identifying and managing risks to ePHI is “effective cybersecurity, and a HIPAA Security Rule requirement.”
Taken together, these enforcement actions signal OCR’s continued focus on ensuring that both covered entities and their business associates meet the requirements of the HIPAA Security Rule, particularly with respect to authorized access and data security.

North Dakota Passes New Data Security Law for “Financial Corporations”

North Dakota recently passed a law establishing new rules for certain financial companies operating in the state – specifically “financial corporations.” The new obligations will take effect on August 1, 2025. They will apply to businesses that the North Dakota department of financial institutions regulates. Financial institutions (like banks and loan companies) and credit unions are not regulated by that entity.
Under the new requirements, covered entities must create a written information security program and designate a person to oversee that program. Covered entities must base their information security programs on a written risk assessment that identifies risks to their customers’ information. The program includes breach response and reporting provisions for incidents that impact customer information. Covered entities will also have to periodically complete new risk assessments to evaluate their security measures and monitor the efficacy of the program.
The law also creates new rules for reporting data breaches. Namely, covered financial companies must notify the North Dakota Commissioner of the Department of Financial Institutions if there is a “notification event.” A notification event occurs when an unauthorized person accesses unencrypted customer information. If this event involves the information of at least 500 customers, the company must notify the Commissioner as soon as possible, but no later than 45 days after discovering the issue. The law states that a covered entity “discovers” an event as soon as any employee, officer, or agent of the corporation learns about it.
Putting it Into Practice: Financial corporations regulated by the North Dakota department of financial institutions should take note of these changes and make updates as might be needed to their security program and incident response plan prior to August 1st.

FRAUD NOTIFICATION EXEMPT?: TCPA Claim Against Lone Star Credit Union Tested In First-of-Its-Kind Ruling

The financial institution fraud exemption has been on the books now since 2015.
It permits financial entities to send fraud notifications to cell phones without consent under certain limited circumstances.
For the interested, in order to take advantage of the exemption the caller must ensure the following:

Voice calls and text messages must be sent only to the wireless telephone number provided by the customer of the financial institution;
Voice calls and text messages must state the name and contact information of the financial institution (for voice calls, these disclosures must be made at the beginning of the call);
Voice calls and text messages are strictly limited to transactions and events that suggest a risk of fraud or identity theft or possible breaches of the security of customers’ personal information;
Voice calls and text messages must not include any telemarketing, cross-marketing, solicitation, debt collection, or advertising content;
Voice calls and text messages must be concise, generally one minute or less in length for voice calls (unless more time is needed to obtain customer responses or answer customer questions) or 160 characters or less in length for text messages;
A financial institution may initiate no more than three messages (whether by voice call or text message) per event over a three-day period for an affected account;
A financial institution must offer recipients within each message an easy means to opt out of future such messages; voice calls that could be answered by a live person must include an automated, interactive voice- and/or key press-activated opt out mechanism that enables the call recipient to make an opt-out request prior to terminating the call; voice calls that could be answered by an answering machine or voice mail service must include a toll-free number that the consumer can call to opt out of future calls; text messages must inform recipients of the ability to opt out by replying “STOP,” which will be the exclusive means by which consumers may opt out of such messages; and
A financial institution must honor opt-out requests immediately. (47 C.F.R. § 64.1200(a)(9)(iii))

Cool.
So in Brooks v. Lone Star Credit Union 2025 WL 1654697 (M.D. Fl. June 11, 2025) the court issued a rare ruling testing the scope of this exemption.
In Brooks the Plaintiff received a prerecorded voicemail that stated:
This is the fraud detection department for Lonestar credit union calling for Rena Sharzer[ ]. We need to verify some recent activity on your card ending…7 0 8 0[.] In order to prevent possible difficulties using your card it is important that you call us back at your earliest convenience toll-free at [phone number]. Verify this activity[.] Please reference case number 3 5 7 8 1[.] [R]eturning our call give me a call us back [24] hours a day seven days a week.
Plaintiff argued the call was made without consent and that she did not know anyone named Reza Sharzer. In other words, this is a wrong-number prerecorded call case, the most dangerous TCPA class action flavor.
Lone Star responded arguing that the message was completely legal and exempted under the fraud exemption rules and moved to dismiss on that basis.
The Court DENIED the motion, but found that most of the factors weighed in favor of the credit union. However, the court determined that whether plaintiff was charged for the call and whether Lone Star Credit Union (LSCU) offered an automatic opt-out feature were facts not alleged in the complaint. Therefore the case could not be dismissed.
Recognizing the limited issues at stake, however, the court ordered limited and bifurcated discovery on these two factual issues. The Court also required a more definite statement of the case to ensure that the factual allegations related to any other phone calls at issue were spelled out.
Really interesting case here. Very few decisions address the fraud exemption and, to my knowledge, this is the first one to do so at the pleadings stage.
The limited discovery is a good-news, bad-news situation for the credit union in my view. The Court has essentially front-loaded the ESSENTIAL substantive issue: did the CU properly deploy its fraud messages? If so, the case is gone. But if not, this case seems destined for class certification given the similarities among class member experiences.
So very high stakes.

New York’s Child Data Protection Act: Key Takeaways From the Attorney General’s Implementation Guidance

In anticipation of the June 20, 2025, effective date of the New York Child Data Protection Act (NYCDPA), the Office of the New York State Attorney General (OAG) recently released implementation guidance that provides critical clarity for businesses, schools, and other organizations that collect or process the personal data of minors in New York.

Quick Hits

The New York Child Data Protection Act adopts the standards of the federal Children’s Online Privacy Protection Act (COPPA) for the collection and processing of personal data of children under the age of thirteen and imposes new requirements regarding the personal data of children aged thirteen to seventeen.
Among other terms, the guidance clarifies when an online device or service is “primarily directed” to minors and when consent to collect or process a minor’s data is not required because it is “strictly necessary” for a product or service.
The New York Office of the Attorney General will exercise discretion in pursuing enforcement actions and will take good-faith compliance efforts into account while businesses await further rules.

The NYCDPA is designed to protect the personal data of New Yorkers under the age of eighteen and applies to operators of websites, online services, online applications, mobile applications, or connected devices that are primarily directed to minors. The NYCDPA also applies when the operator actually knows they are processing data from a minor. The OAG’s guidance clarifies several aspects of the law, addresses questions raised by stakeholders, and outlines the OAG’s enforcement approach during the initial compliance period.
For minors under thirteen, NYCDPA compliance aligns with COPPA.
The NYCDPA adopts COPPA as the applicable standard of data processing for covered users who are actually known by the operator to be twelve years of age or younger, or are using an online device or service primarily directed to covered users twelve years of age or younger. This includes COPPA’s general requirement for parental consent to collect, use, share, or sell the personal data of minors, as well as how such consent should be obtained.
“Primarily directed to minors” standard.
A central question for many businesses is whether their online device or service is “primarily directed” to minors. The guidance clarifies that this standard is similar, but not identical, to COPPA’s “directed to children” test. For users under thirteen years of age, the COPPA standard applies. For children ages thirteen to seventeen, the OAG recognizes that many general-interest services may have some minor users without being primarily directed or targeted to them, and the OAG interprets the NYCDPA’s “primarily directed” standard to provide more flexibility to operators regarding these users.
Processing personal data of minors aged thirteen to seventeen may be allowed without consent when “strictly necessary” for one of nine purposes.
Although the NYCDPA generally requires parental consent before an operator may process a user’s data, when the user is between the ages of thirteen and seventeen, processing may be permitted without consent if it is “strictly necessary” for one of the following purposes:

providing or maintaining a specific product or service requested by the user;
conducting the operator’s internal business. The guidance emphasizes that, unlike COPPA, this does not include any activities related to marketing, advertising, research and development, or providing products or services to third parties;
identifying and repairing technical errors;
protecting against malicious, fraudulent, or illegal activity. The guidance explains that this allows the processing of personal data to protect against fraud, such as frequency capping of advertising;
investigating, establishing, exercising, preparing for, or defending legal claims;
complying with federal, state, or local law;
responding to a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by proper authorities;
detecting, responding to, or preventing security incidents or threats; or
protecting the vital interests of a natural person. The guidance clarifies that this exception allows personal data processing associated with an online device or service’s user trust, health, and safety policies without consent.

The OAG will consider the expectations of a reasonable user when determining whether processing data is “strictly necessary.”
Importantly, the guidance introduced a new factor for whether processing is “strictly necessary” to provide or maintain a specific product or service requested by the user: the expectations of a reasonable user. It explains that users of most products or services would reasonably expect the processing of personal data to provide customer support for a product or service to be included, but would not expect operators to track more of their online activities than are necessary for the specific product or service they are using, or to use the collected personal data for purposes outside of the provision of that product or service. The guidance further warns against operators attempting to circumvent the NYCDPA simply by marketing their core service as including tracking of personal data merely for behavioral advertising or creating a user profile.
Requirements for schools, educational services, and related third parties.
The guidance clarifies that the NYCDPA does not disrupt the framework in place for personally identifiable information (PII) covered by the New York Education Law, or the federal Family Educational Rights and Privacy Act (FERPA), and their respective implementing regulations. It further explains that the NYCDPA applies the same standard as COPPA for when data can be collected and processed pursuant to school authorization for children under thirteen years of age. For children ages thirteen to seventeen, student educational data may be collected and processed pursuant to the requirements set forth under Section 2(d) of the New York Education Law for educational purposes without triggering separate informed consent under the NYCDPA.
Parental requests and minors’ rights.
According to the guidance, the NYCDPA does not disturb existing legal frameworks under which parents may legally agree to or enter into agreements for particular products or services on behalf of their children. In other words, the NYCDPA does not require an operator to obtain the child’s consent before processing data strictly necessary to fulfill the parent’s agreement to the product or service, including any personal data of the child provided by the parent. The guidance further clarifies that where the parent agrees to a product or service on behalf of a child, an operator may consider the parent’s expectations regarding the processing of personal data strictly necessary for permissible purposes.
Conclusion
The NYCDPA represents a significant shift in how businesses must approach the privacy of minors’ data. Businesses that operate online products or services accessible to New York minors may want to consider reviewing their data collection, processing, and consent practices to ensure compliance with this new law.

Minnesota Contractors’ Workforce Compliance Requirements, Part II: Equal Pay Certificates

The Minnesota Department of Human Rights (MDHR) recently updated several documents on its website for Minnesota government contractors. This is the second article in a series focused on the compliance responsibilities of Minnesota contractors holding workforce certificates that the MDHR issued. The first part in the series covered the workforce certificate application, affirmative action program template, annual compliance report (ACR), ACR instructions, and nondiscrimination poster. In part two, we discuss the Minnesota Equal Pay Certificate, the purpose of which is to ensure that contractors doing business with Minnesota government agencies pay men and women equal wages for equal work.

Quick Hits

Employers with contracts exceeding $500,000 with Minnesota state agencies and that have forty or more full-time employees in Minnesota or in the state of their primary place of business must obtain an equal pay certificate.
To apply for an equal pay certificate, contractors must hold a current MDHR workforce certificate, complete an online application, and pay a $250 fee.
The MDHR conducts compliance reviews of contractors holding equal pay certificates to ensure adherence to equal pay laws, with potential penalties for noncompliance including fines and revocation of the certificate.

Who Must Obtain an Equal Pay Certificate?
Employers with contracts for goods and services exceeding $500,000 with the State of Minnesota (including its departments, agencies, colleges, and universities), and various metropolitan agencies, with forty or more full-time employees in Minnesota or in the state of their primary place of business, must obtain an equal pay certificate.
In addition, employers (wherever located) with contracts exceeding $500,000 with the University of Minnesota for a capital project funded by a general obligation bond must likewise obtain an equal pay certificate, as must employers with contracts with Minnesota cities, counties, and other political subdivisions for a capital project funded by a general obligation bond exceeding $1 million.
Some businesses are exempt by statute based on the type of contract. For example, certain contracts for healthcare services, health insurance, investment options with the State Board of Investments, and others are exempt.
Minnesota vendors must hold a current equal pay certificate to bid on or obtain Minnesota state contracts exceeding $500,000. Equal pay certificates are tied to a company, not a contract, and are valid for four years.
How to Obtain an Equal Pay Certificate
Employers seeking an equal pay certificate must first register with the Office of the Minnesota Secretary of State and must already hold a current Minnesota Department of Human Rights (MDHR) workforce certificate.
To apply for or renew an equal pay certificate, Minnesota contractors must complete an online application and pay a $250 application fee. The application must be signed by the company’s highest-ranking official (e.g., president, CEO, or board chair).
The application must include basic company information, provide a company contact name and contact information, a description of the goods and/or services provided to the Minnesota government agency or agencies, and a list of facility addresses covered by the equal pay certificate.
The application contains an equal pay compliance statement wherein the highest-ranking company official must affirm the following:

compliance with Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963, the Minnesota Human Rights Act, the Minnesota Fair Labor Standards Act, and the Minnesota Equal Pay for Equal Work Law;
the average compensation for women is not consistently below the average compensation for men, considering mitigating factors, as reported in each major EEO-1 report job category (i.e., Officials and Managers, Professionals, Technicians, Sales, Office/Clerical, Skilled Crafts, Operatives, Laborers, and Service Workers). Mitigating factors include, for example: length of service, requirements of specific jobs, experience, skill, effort, responsibility, and working conditions of the job;
how often the company evaluates wages and benefits for compliance with federal and state law;
the methodology used by the company to determine compensation: market pricing, internal pricing, performance pay system, state prevailing wage, union contract requirement, and/or other. If “other,” the contractor must provide a description of the methodology used; and
retention and promotion decisions are made without regard to gender and do not limit employees based on gender to certain job classifications.

The highest-ranking company official must also affirm that the employer will:

furnish pertinent compensation data, analyses, records, and audit responses to MDHR upon request;
promptly correct wage, benefits, and other compensation disparities; and
retain records of employees’ names, daily hours worked, and rate(s) of pay for at least three years.

The MDHR will issue an equal pay certificate or a letter explaining why the application was rejected within fifteen days of the MDHR receiving the contractor’s application.
MDHR Compliance Reviews
Minnesota contractors holding an equal pay certificate are subject to compliance reviews by the MDHR to evaluate compliance with equal pay laws. The MDHR has broad discretion to request documents to determine compliance. In an equal pay audit, the MDHR typically requests the following information for each major EEO-1 report job category:

Number of male employees
Number of female employees
Average annualized salaries paid to male employees and to female employees
Information on performance payments, benefits, and other elements of compensation
Average length of service for male and for female employees

If the MDHR determines that a contractor is not in compliance with the equal pay laws, the MDHR may issue a variety of remedial actions, such as:

requiring the contractor to revise its policies;
obtaining wages and benefits due to employees;
issuing fines of up to $5,000 per calendar year for each contract;
revoking or suspending the equal pay certificate; and/or
seeking modification or termination of the contract.

Refusal to provide data and information requested in a compliance review may also result in suspension or revocation of the equal pay certificate and the inability to bid for or obtain Minnesota state government contracts.
Contractors may challenge an action undertaken by the MDHR by filing an appeal with the Office of Administrative Hearings.
Data Privacy
Data and information submitted as part of the application and compliance review process are kept privileged and confidential. However, the MDHR commissioner’s decision to issue, not issue, revoke, or suspend an equal pay certificate is public data. The list of equal pay certificate holders is published on the MDHR’s website. The MDHR may share information with other government agencies such as the Minnesota Attorney General’s Office, the Minnesota Department of Labor and Industry, U.S. Department of Labor, U.S. Equal Employment Opportunity Commission, and Minnesota state and local government agencies to assist in compliance investigations.
Conclusion
To make the affirmations required in the equal pay certificate application, Minnesota government contractors may want to analyze the wages of their employees expected to perform work on Minnesota contracts by EEO-1 report job category for disparities based on sex. If they identify pay disparities based on sex that are not explained by mitigating factors, then they may want to take prompt corrective action. Contractors may want to conduct these analyses regularly throughout the four-year equal pay certificate certification period. Per the MDHR’s website, contractors holding an equal pay certificate should expect to be audited by the MDHR sometime during their four-year certification period.